Da hab ich Volldepp doch den Anhang vergessen....

#!/bin/sh

#=============================================
# ALIASES
#=============================================

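# Under #!/bin/sh "echo -n" is not portable (dash prints the "-n"); printf is.
printf '%s' "setting aliases .."
# Path to the iptables binary used by every rule in this script.
IPTABLES=/sbin/iptables
#---------------------------------------------
# Interfaces
EXTINT="ippp0"   # external (ISDN dial-up) interface
INTINT="eth0"    # internal LAN interface
LOOPINT="lo"     # loopback
#---------------------------------------------
# Now set at dial-up time (the address is dynamic), so EXTIP is no longer
# derived here.  The old one-liner is kept for reference, rejoined onto a
# single comment line so its tail can no longer be executed as a command.
#EXTIP="`/sbin/ifconfig $EXTINT | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

INTIP="192.168.99.10/32"   # this box's LAN address
LOOPIP="127.0.0.1/32"

#---------------------------------------------
# NETs
INTNET="192.168.99.0/24"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
UNIVERSE="0/0"
#---------------------------------------------
# Port Ranges
WELLKNOWN=0:1023
REGISTERED=1024:49151
PRIVATE=49152:65535
# here we have to continue ;)
#---------------------------------------------
# Internal Hosts
DONMARTIN="192.168.99.40/32"
INGE="192.168.99.20/32"
MAILREADER="192.168.99.45/32"
MATT="192.168.99.69/32"
# Rejoined onto one comment line; the wrapped tail used to run as a command.
#GUESTS="192.168.99.10/32 192.168.99.69/32 192.168.99.20/32 192.168.99.21/32 192.168.99.22/32 192.168.99.23/32 192.168.99.24/32 192.168.99.25/32"
#---------------------------------------------
# Internal hostgroups: space-separated lists of host/32 strings.  The
# "for i in $XXXUSERS" loops below rely on word-splitting to expand them.
SAMBAUSERS="$DONMARTIN $INGE $MAILREADER"
HTTPUSERS="$DONMARTIN $INGE $MAILREADER"
GAMEUSERS="$DONMARTIN $INGE $MAILREADER"
FTPUSERS="$DONMARTIN $INGE $MAILREADER"
DNSUSERS="$DONMARTIN $INGE $MAILREADER"
SSHUSERS="$DONMARTIN $INGE $MAILREADER"
NEWSUSERS="$DONMARTIN $INGE"
NFSUSERS="$DONMARTIN $INGE"
MAILUSERS="$DONMARTIN"
VNCUSERS="$DONMARTIN $INGE"
# Was the literal string "DONMARTIN" (missing "$"), which iptables would try
# to resolve as a hostname instead of using the address above.
WEBMINUSERS="$DONMARTIN"
# Referenced by the quake and ICQ loops further down; empty means those
# loops add no rules.
QUAKEUSERS=""
ICQUSERS=""
#---------------------------------------------
# forwarded Ports
DONMARTINPORTS="10000 10001 10002 10003 10004 10005 10006 10007 10008 10009 10010"
INGEPORTS=""
echo "DONE"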


#=============================================
# MODULES/PROC-SETTINGS
#=============================================

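printf '%s' "Loading Modules ... "
# NAT table support plus the FTP connection-tracking and NAT helpers; the
# helpers are what let FTP data connections be matched as RELATED below.
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#modprobe ipt_LOG
echo "DONE"
#---------------------------------------------
printf '%s' "Enabling IP Forwarding ... "
# Required for the FORWARD/MASQUERADE rules to carry LAN traffic at all.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "DONE"
printf '%s' "Enabling dynamic IP addressing ... "
# Kernel support for a dial-up interface whose address changes (ippp0).
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "DONE"
# SYN cookies are left off here; they are cheap protection for the TCP ports
# that the external rules expose (ssh, ftp, the PortSentry decoys).
#echo "1" >/proc/sys/net/ipv4/tcp_syncookies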

#=============================================
# FLUSH ALL RULES
#=============================================

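printf '%s' "Flushing all Rules ... "
# Flush rules and delete user chains in every table this script writes to.
# The mangle table gets TOS rules appended further down, so it has to be
# flushed as well; otherwise each re-run of the script duplicates them.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
echo "DONE"

#=============================================
# SET DEFAULT POLICIES
#=============================================

printf '%s' "Setting up default policies ... "
# Deny by default; everything accepted below is an explicit exception.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
echo "DONE"



# Unconditional catch-all logging, disabled; the INPUT chain carries its own
# rate-limited LOG rule at the end.
#$IPTABLES -A FORWARD  -j LOG
#$IPTABLES -A OUTPUT   -j LOG
#$IPTABLES -A INPUT    -j LOG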


#=============================================
# ENABLE MASQUERADING
#=============================================

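printf '%s' "Setting up FORWARD chain and MASQUERADE ... "
# Masquerade LAN traffic that leaves on the dial-up interface.  "-d ! net" is
# the old intrapositioned negation; newer iptables releases expect "! -d net".
$IPTABLES -t nat -A POSTROUTING -o "$EXTINT" -s "$INTNET" -d ! "$INTNET" -j MASQUERADE
# LAN -> Internet: anything may go out.
$IPTABLES -A FORWARD -s "$INTNET" -d ! "$INTNET" -i "$INTINT" -o "$EXTINT" -j ACCEPT
# Internet -> LAN: only packets of (or related to) connections the LAN opened.
# Was split across two lines by mail wrapping, which broke the command.
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -s ! "$INTNET" -d "$INTNET" \
  -i "$EXTINT" -o "$INTINT" -j ACCEPT
# Logging of dropped forwards, disabled (rejoined onto one comment line).
#$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
# Clamp the MSS of forwarded SYNs so path-MTU problems on the PPP link do not
# stall LAN connections.  Inserted at the top so it runs before the ACCEPTs.
$IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
echo "DONE"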

#=============================================
# SET TOS FLAGS
#=============================================

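printf '%s' "Setting TOS flags ... "
#---------------------------------------------
# Minimal Delay (TOS 16 = 0x10) for http, ftp, ssh, telnet and quake
$IPTABLES -t mangle -A OUTPUT -m tcp -p tcp -d "$UNIVERSE" --dport 80 -j TOS --set-tos 16
$IPTABLES -t mangle -A OUTPUT -m tcp -p tcp -d "$UNIVERSE" --dport 21 -j TOS --set-tos 16
$IPTABLES -t mangle -A OUTPUT -m tcp -p tcp -d "$UNIVERSE" --dport 22 -j TOS --set-tos 16
$IPTABLES -t mangle -A OUTPUT -m tcp -p tcp -d "$UNIVERSE" --dport 23 -j TOS --set-tos 16
#$IPTABLES -t mangle -A OUTPUT -m udp -p udp -d 0/0 --dport 27960 -j TOS --set-tos 16
#---------------------------------------------
# Maximum Throughput (TOS 8 = 0x08) for ftp-data, haha, ISDN..
$IPTABLES -t mangle -A OUTPUT -m tcp -p tcp -d "$UNIVERSE" --dport 20 -j TOS --set-tos 8
echo "DONE"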

#=============================================
# CREATE CHAINS FOR ICMP, TCP, UDP
#=============================================

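printf '%s' "Creating ICMP, TCP and UDP accepting chains ... "
# One chain per protocol and side: _int for the LAN interface, _ext for the
# dial-up interface.  INPUT dispatches into them further down.
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets_int
$IPTABLES -N tcp_packets_ext
$IPTABLES -N udp_packets_int
$IPTABLES -N udp_packets_ext
echo "DONE"

#=============================================
# CREATE tcp_allowed CHAIN
#=============================================

printf '%s' "Creating tcp_allowed chain ... "
# Shared tail for every permitted TCP port: accept a connection request
# (--syn: SYN set, ACK/RST/FIN clear) or a packet of a tracked connection;
# anything else, e.g. a stray ACK or FIN, is dropped right here.
$IPTABLES -N tcp_allowed
$IPTABLES -A tcp_allowed -p TCP --syn -j ACCEPT
$IPTABLES -A tcp_allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_allowed -p TCP -j DROP
echo "DONE"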

#=============================================
# ICMP RULES
#=============================================

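printf '%s' "Setting up icmp_packets chain ... "
# Accepted from anywhere (UNIVERSE = 0/0) on both interfaces:
#   0 echo reply, 3 destination unreachable, 5 redirect, 8 echo request,
#  11 time exceeded.
# Type 5 (redirect) from the dial-up side is rarely wanted; whether the
# kernel acts on it is governed by the accept_redirects sysctl, not by this
# rule.  Echo requests are not rate-limited.
$IPTABLES -A icmp_packets -p ICMP -s "$UNIVERSE" --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s "$UNIVERSE" --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s "$UNIVERSE" --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s "$UNIVERSE" --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s "$UNIVERSE" --icmp-type 11 -j ACCEPT
echo "DONE"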

#=============================================
# INTERNAL TCP RULES
#=============================================

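# allow ssh
printf '%s' "Setting up tcp_packets_int chain ... "
# TCP arriving on the LAN interface.  Every loop below deliberately leaves
# the *USERS list unquoted: the lists are space-separated host/32 strings
# and word-splitting is what expands them.  Each rule hands the packet to
# tcp_allowed, which admits only a fresh SYN or a tracked connection.
for host in $SSHUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 22 -j tcp_allowed
done
#---------------------------------------------
# allow pop3
for host in $MAILUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 110 -j tcp_allowed
done
#---------------------------------------------
# allow smtp
for host in $MAILUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 25 -j tcp_allowed
done
#---------------------------------------------
# allow ident/auth from the whole LAN
$IPTABLES -A tcp_packets_int -p TCP -s "$INTNET" --dport 113 -j tcp_allowed
#---------------------------------------------
# allow http
for host in $HTTPUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 80 -j tcp_allowed
done
#---------------------------------------------
# allow ftp (control 21, active-mode data 20)
for host in $FTPUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 20 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 21 -j tcp_allowed
done

#----------------------------------------
# allow samba (NetBIOS 137-139)
for host in $SAMBAUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 137 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 138 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 139 -j tcp_allowed
done
#---------------------------------------------
# allow nfs: portmapper 111, nfsd 2049; 827 is presumably a pinned RPC
# helper port (mountd/lockd) — verify against rpcinfo -p before relying on it.
for host in $NFSUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 111 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 2049 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 827 -j tcp_allowed
done
#---------------------------------------------
# allow quake; a no-op while QUAKEUSERS is empty or unset
for host in $QUAKEUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 27015 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 27016 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 27017 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 27018 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 27019 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 27020 -j tcp_allowed
done
#---------------------------------------------
# allow dns
for host in $DNSUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 53 -j tcp_allowed
done
#---------------------------------------------
# allow vnc
for host in $VNCUSERS
do
  # my VNC on :0 (X port 6000, VNC port 5900)
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 6000 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 5900 -j tcp_allowed
  # Inge's VNC on :9
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 6009 -j tcp_allowed
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 5909 -j tcp_allowed
done
#---------------------------------------------
# allow Webmin
for host in $WEBMINUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 20000 -j tcp_allowed
done
#---------------------------------------------
# allow news (moved in front of the DONE message; the rule order in the
# chain is unchanged, news is still appended last)
for host in $NEWSUSERS
do
  $IPTABLES -A tcp_packets_int -p TCP -s "$host" --dport 119 -j tcp_allowed
done
#---------------------------------------------

#allow ICQ
#for i in $ICQUSERS
#do
#  $IPTABLES -A tcp_packets_int -p TCP -s $i --dport 1080 -j tcp_allowed
#
#done
#---------------------------------------------
#
# allow telnet only from Mailreader. (MAC)
# NOTE(review): the address below is DONMARTIN's (.40), not MAILREADER's
# (.45) — check before re-enabling.
#$IPTABLES -A tcp_packets_int -p TCP -s 192.168.99.40  --dport 23 -j tcp_allowed

echo "DONE"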
#---------------------------------------------









#=============================================
# INTERNAL UDP RULES
#=============================================

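# allow ssh
printf '%s' "Setting up udp_packets_int ... "
# UDP arriving on the LAN interface.  The *USERS lists are left unquoted on
# purpose (space-separated host/32 strings).  ssh, pop3 and http are TCP
# services, so the UDP rules for ports 22, 110 and 80 presumably match
# nothing; they are kept as found.
for host in $SSHUSERS
do
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 22 -j ACCEPT
done
#---------------------------------------------
# allow pop3 (port 110; the old comment said smtp)
for host in $MAILUSERS
do
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 110 -j ACCEPT
done
#---------------------------------------------
# allow http
for host in $HTTPUSERS
do
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 80 -j ACCEPT
done
#---------------------------------------------
# allow nfs: portmapper 111, nfsd 2049.  1026 and 1613 look like RPC ports
# handed out at boot (mountd/lockd/statd); unless they are pinned in the NFS
# configuration they can change — verify with rpcinfo -p.
for host in $NFSUSERS
do
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 1026 -j ACCEPT
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 111 -j ACCEPT
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 2049 -j ACCEPT
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 1613 -j ACCEPT
done
#---------------------------------------------
# allow samba (NetBIOS 137-139)
for host in $SAMBAUSERS
do
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 137 -j ACCEPT
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 138 -j ACCEPT
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 139 -j ACCEPT
done
#---------------------------------------------
# allow dns
for host in $DNSUSERS
do
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 53 -j ACCEPT
done
#---------------------------------------------
# allow ICQ; a no-op while ICQUSERS is empty or unset (moved in front of the
# DONE message, rule order in the chain is unchanged)
for host in $ICQUSERS
do
  $IPTABLES -A udp_packets_int -p UDP -s "$host" --dport 1080 -j ACCEPT
done
echo "DONE"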












#=============================================
# EXTERNAL TCP RULES
#=============================================

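# allow ssh
printf '%s' "Setting up tcp_packets_ext chain ... "
# TCP arriving on the dial-up interface.  "-s ! net" is the old
# intrapositioned negation; newer iptables releases expect "! -s net".
# ssh and ftp are open to the whole Internet with no source restriction or
# rate limit; an "-m limit" on new SYNs would keep brute-force noise down.
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 22 -j tcp_allowed
#---------------------------------------------
# allow ident/auth
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 113 -j tcp_allowed
#---------------------------------------------
# allow ftp (control 21, active-mode data 20)
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 20 -j tcp_allowed
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 21 -j tcp_allowed
#---------------------------------------------
# allow quake (disabled; note these lines name tcp_packets_int, not _ext)
#$IPTABLES -A tcp_packets_int -p TCP -s ! $INTNET --dport 27015 -j tcp_allowed
#$IPTABLES -A tcp_packets_int -p TCP -s ! $INTNET --dport 27016 -j tcp_allowed
#$IPTABLES -A tcp_packets_int -p TCP -s ! $INTNET --dport 27017 -j tcp_allowed
#$IPTABLES -A tcp_packets_int -p TCP -s ! $INTNET --dport 27018 -j tcp_allowed
#$IPTABLES -A tcp_packets_int -p TCP -s ! $INTNET --dport 27019 -j tcp_allowed
#---------------------------------------------
# don't log connection-attempts on port 80
#$IPTABLES -A INPUT -p TCP -i $EXTINT --dport 80 -j DROP

# allow connects to fake daemons opened by PortSentry:
# have a look at /usr/local/psionic/portsentry for details.
# These ports exist only to be probed, so every hit here is a detection
# event worth keeping in the logs.
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 7     -j tcp_allowed
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 9     -j tcp_allowed
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 79    -j tcp_allowed
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 110   -j tcp_allowed
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 512   -j tcp_allowed
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 540   -j tcp_allowed
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 6667  -j tcp_allowed
$IPTABLES -A tcp_packets_ext -p TCP -s ! "$INTNET" --dport 31337 -j tcp_allowed



echo "DONE"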

#=============================================
# EXTERNAL UDP RULES
#=============================================

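# allow ssh
printf '%s' "Setting up udp_packets_ext ... "
# ssh is TCP, so this UDP/22 rule presumably matches nothing; kept as found.
$IPTABLES -A udp_packets_ext -p UDP -s ! "$INTNET" --dport 22 -j ACCEPT
echo "DONE"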

#=============================================
# PREROUTING CHAIN
#=============================================

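# Do some checks for obviously spoofed IP's coming to the external Interface
printf '%s' "Blocking private networks ... "
# Private (RFC 1918) source addresses must never arrive from the dial-up
# side.  The literal 192.168.99.0/16 used before is the same rule as
# 192.168.0.0/16 once the mask is applied, so the CLASS_* constants defined
# above are used instead.
# Note: the nat table only sees the first packet of each connection; a rule
# in the filter table (INPUT/FORWARD) or in mangle PREROUTING would inspect
# every packet.  127.0.0.0/8 is not covered here either.
$IPTABLES -t nat -A PREROUTING -i "$EXTINT" -s "$CLASS_C" -j DROP
$IPTABLES -t nat -A PREROUTING -i "$EXTINT" -s "$CLASS_A" -j DROP
$IPTABLES -t nat -A PREROUTING -i "$EXTINT" -s "$CLASS_B" -j DROP
echo "DONE"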
#---------------------------------------------

#=============================================
# INPUT CHAIN
#=============================================

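printf '%s' "Associating packet types with their chains ... "
# Dispatch by protocol and ingress interface.  A user chain returns for
# packets it neither accepts nor drops, so those fall through to the rules
# below (and finally to the DROP policy).
$IPTABLES -A INPUT -p ICMP -i "$INTINT" -j icmp_packets
$IPTABLES -A INPUT -p ICMP -i "$EXTINT" -j icmp_packets
$IPTABLES -A INPUT -p TCP -i "$INTINT" -j tcp_packets_int
$IPTABLES -A INPUT -p TCP -i "$EXTINT" -j tcp_packets_ext
$IPTABLES -A INPUT -p UDP -i "$INTINT" -j udp_packets_int
$IPTABLES -A INPUT -p UDP -i "$EXTINT" -j udp_packets_ext
echo "DONE"
#---------------------------------------------
printf '%s' "Setting up the INPUT chain ..."
# Traffic on the loopback interface is local to this host; accept it
# outright.  Without this, a local connection to the box's own LAN address
# (dst 192.168.99.10 on lo) matched no rule and was logged and dropped.
$IPTABLES -A INPUT -i "$LOOPINT" -j ACCEPT
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# Directed and limited broadcasts from the LAN.
$IPTABLES -A INPUT -p ALL -i "$INTINT" -d 192.168.99.255/32 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$INTINT" -d 255.255.255.255/32 -j ACCEPT
$IPTABLES -A INPUT -p ALL -d "$LOOPIP" -j ACCEPT
# Whatever is left is logged (rate-limited) and then hits the DROP policy.
# Was split across two lines by mail wrapping, which broke the command.
$IPTABLES -A INPUT -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "INPUT : "
echo "DONE"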

#=============================================
# OUTPUT CHAIN
#=============================================
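printf '%s' "Setting up OUTPUT chain ... "
# Locally generated traffic: loopback, the LAN address, and anything leaving
# on the dial-up interface.  OUTPUT is DROP by policy for everything else.
$IPTABLES -A OUTPUT -p ALL -s "$LOOPIP" -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s "$INTIP" -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -d "$LOOPIP" -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -d "$INTIP" -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o "$EXTINT" -j ACCEPT
# Logging of dropped output, disabled (rejoined onto one comment line so the
# wrapped tail can no longer run as a command).
#$IPTABLES -A OUTPUT -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "OUTPUT: "
echo "DONE"
echo "             "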
