[Debian] Firewall

Sun, 11 Nov 2001 07:50:35 -0800 

Hai,

hab, da mal ne Frage warum funst das nicht

frank
-- 
Sei nicht eingebildet auf dein Wissen und verlasse dich nicht
darauf, dasS du ein Weiser seist,sondern besprich dich mit dem
Unwissenden so gut wie mit dem Weisen.
Ptahhotep 2350 v.Chr.

#####################
##Alles nur geklaut##
#####################
#
#!/bin/sh
#
echo "Initialisiere die Firewall"
#
#einige 
difinitionen-------------------------------------------------------------------------------------------------------
#
ext_int="eth1"
EXTERNAL_INTERFACE="eth1"
#Schnittstelle zum Internet
#
int_int="eth0"
#Schnittstelle zum lokalen Netz
#
ip_adr=$PPP_LOCAL
ip_adr_ext=$PPP_REMOTE
#Die vom Provider vergebene IP-Adresse der Internetverbindung
#
ip_adr_lan="192.168.54.100"
#IP-Adresse der internen Schnittstelle, der Netzwerkkarte zum lokalen Netz
#
lan="192.168.54.0/24"
#Der Adre�bereich des lokalen Netzes
#
alles="any/0"
#Alle IP-Adressen
#
lo_int="lo"
#Das Loopback Interface, die interne lokale Netzwerkschnittstelle
#
class_a="10.0.0.0/8"
#Reservierter Bereich eines Klasse A Netzes.
#
class_b="172.16.0.0/12"
#Reservierter Bereich eines Klasse B Netzes.
#
class_c="192.168.0.0/16"
#Reservierter Bereich eines Klasse C Netzes. 
#
class_d="224.0.0.0/4"
#Reservierter Bereich eines Klasse D Netzes
#
class_e="240.0.0.0/5"
#Reservierter Bereich eines Klasse E Netzes
#
bcast_src="0.0.0.0"
#
bcast_dest="255.255.255.255"
#
priv_ports="0:1023"
#Alle privilegierten Ports (0-1023)
#
unpriv_ports="1024:65535"
#Alle unprivilegierten Ports (1024-65535)
#
DNS_1="194.25.2.129"
DNS_2="62.225.244.197"
#Nameserver des Providers
#
POP3="194.25.134.90"
#POP3 Server des Providers
#
SMTP="194.25.134.91"
#SMTP Server des Providers
#
news="62.153.159.134"
#news Server des Providers
#--------------------------------------------------------------------------------------------------------------------------
#Chains loe�schen
#
ipchains input -F
ipchains output -F
ipchains forward -F
#
#Die Chains sind nun geloe�scht. Es gelten keine Regeln mehr. Die Firewall ist 
sozusagen "nackt".
#Default Policy definieren
#
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
#
#--------------------------------------------------------------------------------------------------------------------------
#
#Loopback Interface aktivieren
#
ipchains -A input -i $lo_int -j ACCEPT
ipchains -A output -i $lo_int -j ACCEPT
#
#Datenverkehr auf dem Loopback-Interface wird wieder m�oeglich.
#
#Schutz vor SYN Flooding
#Folgende Zeilen aktivieren den im Kernel enthaltenen Schutz vor SYN Flooding 
DoS-Angriffen:3
#
Echo 1 > /proc/sys/net/ipv4/tcp_syncookies
For f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done 
#
#IP Forwarding aktivieren
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
#IP Spoofing: eigene IP-Adresse
#
ipchains -A input -i $ext_int -s $ip_adr -j DENY -l
#
#IP Spoofing: Loopback Interface
#
ipchains -A input $ext_int -s $lo_int -j DENY
ipchains -A output $ext_int -s $lo_int -j DENY -l
#
#--------------------------------------------------------------------------------------------------------------------------
#
#IP Spoofing: reservierte Adre�bereiche
#
ipchains -A input -i $ext_int -s $class_a -j DENY
ipchains -A input -i $ext_int -d $class_a -j DENY
ipchains -A output -i $ext_int -s $class_a -j DENY -l
ipchains -A output -i $ext_int -d $class_a -j DENY -l
#
ipchains -A input -i $ext_int -s $class_b -j DENY
ipchains -A input -i $ext_int -d $class_b -j DENY
ipchains -A output -i $ext_int -s $class_b -j DENY -l
ipchains -A output -i $ext_int -d $class_b -j DENY -l
#
ipchains -A input -i $ext_int -s $class_c -j DENY
ipchains -A input -i $ext_int -d $class_c -j DENY
ipchains -A output -i $ext_int -s $class_c -j DENY -l
ipchains -A output -i $ext_int -d $class_c -j DENY -l
#
ipchains -A input -i $ext_int -s $class_d -j DENY -l
ipchains -A output -i $ext_int -s $class_d -j REJECT -l
#
ipchains -A output -i $ext_int -d $class_d -j REJECT -l
ipchains -A input -i $ext_int -d $class_d -j REJECT -l
#
#Sae�mtlichen Multicast Netzwerkverkehr zu blocken
#
Ipchains -A input -i $ext_int -s $class_e -j DENY -l
#
#IP Spoofing: IANA Adre�bereiche
#
ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l
#
#--------------------------------------------------------------------------------------------------------------------------
#
#IP Spoofing: Broadcast Adressen
#
ipchains -A input -i $ext_int -s $bcast_dest -j DENY -l
ipchains -A output -i $ext_int -d $bcast_src -j DENY -l
#
#ICMP Pakete
#
ipchains -A input -i $ext_int -p icmp -s $alles 4 -d $ip_adr -j ACCEPT
ipchains -A output -i $ext_int -p icmp -s $ip_adr 4 -d $alles -j ACCEPT
#
ipchains -A input -i $ext_int -p icmp -s $alles 12 -d $ip_adr -j ACCEPT
ipchains -A output -i $ext_int -p icmp -s $ip_adr 12 -d $alles -j ACCEPT
#
ipchains -A input -i $ext_int -p icmp -s $alles 3 -d $ip_adr -j ACCEPT
ipchains -A output -i $ext_int -p icmp -s $ip_adr 3 -d $alles -j ACCEPT
#
#Domain Name Service
#
ipchains -A input -i $ext_int -p udp -s $DNS_1 53 -d $ip_adr $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p udp -s $ip_adr $unpriv_ports -d $DNS_1 -j ACCEPT
#
ipchains -A input -i $ext_int -p tcp -s $DNS_1 53 -d $ip_adr $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $ip_adr $unpriv_ports -d $DNS_1 53 -j ACCEPT
#
ipchains -A input -i $ext_int -p udp -s $DNS_2 53 -d $ip_adr $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p udp -s $ip_adr $unpriv_ports -d $DNS_2 -j ACCEPT
#
ipchains -A input -i $ext_int -p tcp -s $DNS_2 53 -d $ip_adr $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $ip_adr $unpriv_ports -d $DNS_2 53 -j ACCEPT
#
#Simple Mail Transfer Protocol
#
ipchains -A input -i $ext_int -p tcp ! -y -s $SMTP 25 -d $ip_adr $unpriv_ports -j 
ACCEPT
ipchains -A output -i $ext_int -p tcp -s $ip_adr $unpriv_ports -d $SMTP 25 -j ACCEPT
#
#Post Office Protocol 3
#
ipchains -A input -i $ext_int -p tcp ! -y -s $POP 110 -d $ip_adr $unpriv_ports -j 
ACCEPT
ipchains -A output -i $ext_int -p tcp -s $ip_adr $unpriv_ports -d $POP 110 -j ACCEPT
#
#news lesen und schreiben
ipchains -A output -i $ext_int -p tcp -s ip_adr $unpriv_ports -d $news 119 -j ACCEPT
ipchains -A input -i $ext_int -p tcp ! -y -s $news 119 -d $unpriv_ports -j ACCEPT
#
#Webzugriff und Secure Socket Layer
#
ipchains -A input -i $ext_int -p tcp ! -y -s $alles 80 -d $ip_adr $unpriv_ports -j 
ACCEPT
ipchains -A output -i $ext_int -p tcp -s $ip_adr $unpriv_ports -d $alles 80 -j ACCEPT
#
#SSL verschlue�sselte Ressourcen abrufen
#
ipchains -A input -i $ext_int -p tcp ! -y -s $alles 443 -d $ip_adr $unpriv_ports -j 
ACCEPT
ipchains -A output -i $ext_int -p tcp -s $ip_adr $unpriv_ports -d $alles 443 -j ACCEPT
#
#File Transfer Protocol
#Die folgenden Regeln erlauben eine Verbindung zu einem beliebigen FTP Server:
#
ipchains -A input -i $ext_int -p tcp ! -y -s $alles 21 -d $ip_adr $unpriv_ports -j 
ACCEPT
ipchains -A output -i $ext_int -p tcp -s $ip_adr $unpriv_ports -d $alles 21 -j ACCEPT
#
#Die Regeln f�r den normalen Modus:
ipchains -A input -i $ext_int -p tcp -s $alles 20 -d $ip_adr $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp ! -y -s $ip_adr $unpriv_ports -d $alles 20 -j 
ACCEPT
#
#Die Regeln fue�r den passiven Modus:
ipchains -A input -i $ext_int -p tcp ! -y -s $alles $unpriv_ports -d $ip_adr 
$unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $ip_adr $unpriv_ports -d $alles $unpriv_ports 
-j ACCEPT
#
#Datenverkehr aus dem LAN ins Internet
#oe�ffnen der Firewall f�uer Pakete aus dem lokalen Netz:
#
ipchains -A input -i $int_int -s $lan -j ACCEPT
ipchains -A output -i $int_int -s $lan -j ACCEPT
#
#NAT
#
ipchains -A forward -i $ext_int -s $lan -j MASQ
#
#
#
#
echo "die Firewall ist oben"
#
#
#
#
#
#
#Ende im 
Gelaende----------------------------------------------------------------------------------------------------------

Antwort per Email an