Hello, I am trying to set up a firewall for my LAN. I want to be invisible to the Internet (no response to a ping), but I want to allow some specific connections. The script I have so far makes me invisible and I can surf the web..., but nobody can connect to my server.
Maybe you can easily find some errors:
--------------------------------------------------------------------
#!/bin/sh
# Firewall script

DEV_LAN=eth0
IP_LAN=192.168.99.10
LAN=192.168.99.0/255.255.255.0
DEV_INET=ippp0
INET=0.0.0.0/0.0.0.0

# Masquerading helper modules for protocols that carry addresses/ports in their payload
insmod ip_masq_cuseeme
insmod ip_masq_ftp
insmod ip_masq_irc
insmod ip_masq_quake
insmod ip_masq_raudio
insmod ip_masq_user
insmod ip_masq_vdolive

#----- Enable IP forwarding and support for dynamically assigned IP addresses -----
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward

#----- Flush all rules -----
ipchains -F

#----- Set the default policy to DENY -----
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY

#----- Prevent IP spoofing -----
ipchains -A input -i $DEV_INET -p tcp -s $LAN -j DENY -l

#----- Allow loopback -----
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

#----- Allow all intranet connections -----
ipchains -A input -i $DEV_LAN -s $LAN -j ACCEPT
ipchains -A output -i $DEV_LAN -d $LAN -j ACCEPT

#----- Allow DNS queries to the Internet, both UDP and TCP -----
# "-y" matches TCP connection requests (SYN set, ACK and FIN clear); "! -y" matches all other TCP packets
ipchains -A output -i $DEV_INET -p udp -d $INET 53 -j ACCEPT
ipchains -A input -i $DEV_INET -p udp -s $INET 53 -j ACCEPT
ipchains -A output -i $DEV_INET -p tcp -d $INET 53 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 53 -j ACCEPT ! -y

#----- Allow HTTP -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y

#----- Allow HTTPS -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 443 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 443 -j ACCEPT ! -y

#----- Allow FTP -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 21 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 21 -j ACCEPT ! -y

#----- Extension for active FTP -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 20 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 20 -j ACCEPT

#----- Allow SSH to the Internet -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 22 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 22 -j ACCEPT ! -y

#----- Allow SMTP to the Internet -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 25 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 25 -j ACCEPT ! -y

#----- Allow POP3 to the Internet -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 110 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 110 -j ACCEPT ! -y

#------------- high ports ---------------
ipchains -A output -i $DEV_INET -p tcp -d $INET 1023:65535 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 1023:65535 -j ACCEPT ! -y
ipchains -A output -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT
ipchains -A input -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT

#----- Create chains for ICMP -----
ipchains -N icmp-out
ipchains -A icmp-out -p icmp --icmp-type echo-reply -j DENY
ipchains -A icmp-out -p icmp --icmp-type echo-request -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT

ipchains -N icmp-in
ipchains -A icmp-in -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type echo-request -j DENY
ipchains -A icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT

#----- Hand ICMP packets to the output chain -----
ipchains -A output -p icmp -j icmp-out

#----- Hand ICMP packets to the input chain -----
ipchains -A input -p icmp -j icmp-in

#----- Enable masquerading -----
ipchains -A forward -s 192.168.99.0/24 -d 0.0.0.0/0 -j MASQ

echo Firewall is up
-------------------------------------------------------------------------------
Again, the problem is that nobody can connect except from inside the LAN. Thanks in advance.

-- 
Best regards,
tim
mailto:[EMAIL PROTECTED]
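An added example, not part of Tim's post and not ipchains itself: a small Python model of how ipchains walks a chain, loaded with the input-chain rules of the posted script (variables expanded) so that three packets arriving on ippp0 can be traced. It shows why surfing works while nothing can connect in: every input rule for ippp0 carries "! -y", so a packet that opens a new TCP connection (SYN set, ACK and FIN clear) matches no ACCEPT rule and falls through to the DENY policy, while replies to outbound connections and the echo-request DENY in icmp-in behave as intended. The model covers only the options the script uses (-i, -p, -s/-d with an optional port or lo:hi range, -y / ! -y, --icmp-type, -j, -l); the addresses 198.51.100.7 (dial-up side of the firewall) and 203.0.113.5 (a remote host) are assumed for illustration.

```python
"""Added example (not part of the post, and not ipchains itself): a small model
of ipchains chain traversal covering only the options the posted script uses
(-i, -p, -s/-d with an optional port or lo:hi range, -y / ! -y, --icmp-type,
-j, -l).  Rules and packets are plain dicts; both addresses are assumed."""
import ipaddress
import shlex

FW_INET = "198.51.100.7"   # assumed dial-up (ippp0) address of the firewall
REMOTE = "203.0.113.5"     # assumed host out on the Internet
BUILTIN = {"ACCEPT", "DENY", "REJECT", "MASQ"}
SINGLE = {"-i": "iface", "-p": "proto", "-j": "target", "--icmp-type": "icmp_type"}


def packet(iface, proto, src, dst, sport=0, dport=0, syn=False, icmp_type=""):
    """syn=True marks a TCP connection request (SYN set, ACK and FIN clear)."""
    return dict(iface=iface, proto=proto, src=ipaddress.IPv4Address(src),
                dst=ipaddress.IPv4Address(dst), sport=sport, dport=dport,
                syn=syn, icmp_type=icmp_type)


def parse(line):
    """Parse one 'ipchains -A <chain> ...' command into (chain, rule dict)."""
    t = shlex.split(line)
    if t[:2] != ["ipchains", "-A"]:
        raise ValueError(f"only append commands are modelled: {line}")
    chain, r, i, neg = t[2], {"text": line, "target": ""}, 3, False
    while i < len(t):
        tok, i = t[i], i + 1
        if tok == "!":
            neg = True
            continue
        if tok in SINGLE:
            r[SINGLE[tok]], i = t[i], i + 1
        elif tok == "-y":
            r["syn"] = not neg          # -y: connection requests only; ! -y: all other TCP
        elif tok in ("-s", "-d"):
            key = "src" if tok == "-s" else "dst"
            r[key], i = ipaddress.IPv4Network(t[i], strict=False), i + 1
            if i < len(t) and t[i][0].isdigit():    # optional port or lo:hi range
                lo, _, hi = t[i].partition(":")
                r[key[0] + "port"], i = (int(lo), int(hi or lo)), i + 1
        elif tok != "-l":                           # -l only logs; it never affects matching
            raise ValueError(f"unsupported option {tok!r} in: {line}")
        neg = False
    return chain, r


def load(script):
    """Build {chain: [rule, ...]} from a block of ipchains commands."""
    chains = {}
    for line in script.strip().splitlines():
        chain, rule = parse(line)
        chains.setdefault(chain, []).append(rule)
    return chains


def matches(r, p):
    """Every option present on the rule must agree with the packet."""
    for key in ("iface", "proto", "icmp_type"):
        if key in r and r[key] != p[key]:
            return False
    for side in ("src", "dst"):
        if side in r and p[side] not in r[side]:
            return False
        lo, hi = r.get(side[0] + "port", (0, 65535))
        if not lo <= p[side[0] + "port"] <= hi:
            return False
    return "syn" not in r or (p["proto"] == "tcp" and p["syn"] == r["syn"])


def verdict(chains, p, chain="input", policy="DENY"):
    """First matching rule wins; a user chain that falls through is left again."""
    for r in chains.get(chain, []):
        if not matches(r, p):
            continue
        if r["target"] in BUILTIN:
            return r["target"], r["text"]
        hit = verdict(chains, p, r["target"], None)   # -j <user-defined chain>
        if hit[0] is not None:
            return hit
    return policy, "default policy"


# The posted input-chain rules for ippp0 with the variables expanded.
POSTED = """
ipchains -A input -i ippp0 -p tcp -s 192.168.99.0/255.255.255.0 -j DENY -l
ipchains -A input -i ippp0 -p tcp -s 0.0.0.0/0.0.0.0 80 -j ACCEPT ! -y
ipchains -A input -i ippp0 -p tcp -s 0.0.0.0/0.0.0.0 22 -j ACCEPT ! -y
ipchains -A input -i ippp0 -p tcp -s 0.0.0.0/0.0.0.0 1023:65535 -j ACCEPT ! -y
ipchains -A icmp-in -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type echo-request -j DENY
ipchains -A input -p icmp -j icmp-in
"""
# One rule that would let SSH in: accept the connection request itself; the rest of
# that connection arrives from the client's high port, which "1023:65535 ! -y" accepts.
OPEN_SSH = f"ipchains -A input -i ippp0 -p tcp -d {FW_INET} 22 -y -j ACCEPT\n"

PACKETS = {
    "http reply": packet("ippp0", "tcp", REMOTE, FW_INET, 80, 40000),
    "ssh connect": packet("ippp0", "tcp", REMOTE, FW_INET, 51515, 22, syn=True),
    "ping": packet("ippp0", "icmp", REMOTE, FW_INET, icmp_type="echo-request"),
}


def demo():
    """Trace the sample packets through the posted rules and through the amended set."""
    before, after = load(POSTED), load(POSTED + OPEN_SSH)
    return {name: (verdict(before, p)[0], verdict(after, p)[0]) for name, p in PACKETS.items()}
```

demo() returns "ssh connect" as DENY before and ACCEPT after the extra rule, while "http reply" stays ACCEPT and "ping" stays DENY, so the box remains silent to echo requests. The amended rule accepts only the connection request for the one port that should be reachable, which keeps the "! -y" pattern for everything else. If the server is a LAN machine behind the MASQ rule rather than the firewall itself, an input rule on ippp0 is not enough on its own: masquerading only rewrites connections that leave the LAN, so inbound connections additionally have to be redirected to the internal address (ipmasqadm portfw on 2.2 kernels).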

