hi,

ich benutze dieses Script im Anhang für die Firewall. Das Problem ist,
dass sie außer ihrem eigentlichen Netz 192.168.1.0 auch noch in 53.101.48.0
zu routen hat.

Starte ich das Script, so passiert genau das, was ich will, nach außen
hin. Aber die Clients, die im 53.101.48.0'er Netz sind, können dann nicht mehr
über diesen Router ins Internet bzw. über den darauf laufenden Proxy
Server.
Sprich, der Router ist aus dem internen Netz 53.101.48.0 nicht mehr
erreichbar (nicht von uns eingerichtet worden, war 'nen Mercedes Werk).

eth0 192.168.1.2 (intern) route -net > 53.101.48.0 gw 192.168.1.1
eth1 xxx.xxx.xxx (extern) 

Gibt es da einen sinnvollen Weg, dass das 53.101.48.0'er Netz auch noch
läuft, wenn ich das Script starte?
Welche Regeln wären sinnvoll, ohne es doppelt führen zu müssen...

-- 
Denny Schierz <[EMAIL PROTECTED]>
#!/bin/sh

#Iptable firewall v0.82
#updated 09/24/01

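#Define some constants
printf '%s\n' "Setting up firewall....."
# Site-specific values: the LAN behind the internal interface and the two
# interface names.  Every rule below is written in terms of these.
LOCALNETWORK="192.168.1.0/255.255.255.0"
INTINT="eth0" #The internal interface
EXTINT="eth1" #The external interface
#INTIP="192.168.1.1" #The internal interface address - Not used
#DHCPSERVER="208.191.175.254/32"
#DHCPSERVER2="192.168.100.6/32"
SQUID="192.168.1.2:3128" # only referenced by the commented-out transparent-proxy DNAT rule
# User should not have to change anything below here
# Address ranges used by the spoof-filtering rules.
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"      # RFC 1918
CLASS_B="172.16.0.0/12"   # RFC 1918
CLASS_C="192.168.0.0/16"  # RFC 1918
MULTICAST="224.0.0.0/4"   # only ever valid as a destination
CLASS_E="240.0.0.0/5"     # 240-247 only; 248-255 are caught by the per-/8 list further down
# NOTE(review): "any/0" is not a numeric address.  Only the commented-out
# DHCP rules reference it, so iptables never sees it; use 0.0.0.0/0 if
# those rules are revived.
ANYWHERE="any/0"
BROADCAST_SRC="0.0.0.0/32"
BROADCAST_DEST="255.255.255.255/32"
# Port ranges.  The unprivileged range must match the kernel's
# net.ipv4.ip_local_port_range (e.g. 32768 61000) if that is changed.
PRIVPORTS="0:1023"
PUBLICPORTS="1024:65535"
NFS_PORT="2049"
SOCKS_PORT="1080"
XWINDOW_PORTS="6000:6023"
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"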

#=============================================
# Non iptables stuff
#=============================================
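# TCP syncookie protection and the other /proc/sys knobs.
#
# proc_set MSG FAILMSG VALUE CHECKFILE [FILE...]
#   If CHECKFILE exists, print MSG (no newline), write VALUE to every FILE
#   (to CHECKFILE itself when no FILE is given) and print "done.".
#   Otherwise print FAILMSG and return 1.  Writing needs root; a failed
#   write shows the shell's own error message and is not reported further
#   (as before).
#   printf replaces 'echo -n': the script runs under #!/bin/sh, and a POSIX
#   sh such as dash prints "-n" literally instead of suppressing the newline.
proc_set() {
  _ps_msg=$1
  _ps_fail=$2
  _ps_val=$3
  _ps_check=$4
  shift 4
  if [ ! -e "$_ps_check" ]; then
    printf '%s\n' "$_ps_fail"
    return 1
  fi
  printf '%s' "$_ps_msg"
  if [ $# -eq 0 ]; then
    set -- "$_ps_check"
  fi
  for _ps_f in "$@"; do
    printf '%s\n' "$_ps_val" > "$_ps_f"
  done
  printf 'done.\n'
  return 0
}

proc_set "Enabling TCP syncookie protection..." \
  "Problem enabling TCP syncookie protection.  Be worried." \
  1 /proc/sys/net/ipv4/tcp_syncookies

# Disable source routed packets on every interface present now (the 'all'
# entry is the existence check; the glob is expanded here, at call time).
proc_set "Disabling source routed packets...." \
  "Problems disabling source routed packets, be worried." \
  0 /proc/sys/net/ipv4/conf/all/accept_source_route \
  /proc/sys/net/ipv4/conf/*/accept_source_route

# Disable ICMP Redirect Acceptance (a neighbour must not be able to alter
# our routing).
proc_set "Disabling ICMP Redirect Acceptance..." \
  "Problems disabling ICMP Redirect Acceptance, be worried." \
  0 /proc/sys/net/ipv4/conf/all/accept_redirects \
  /proc/sys/net/ipv4/conf/*/accept_redirects

# Turn on IP Spoof protection by using IP Source Address Verification
# (reverse path filter).  This is from the IPChains-HOWTO, but it works for
# iptables too.  The failure text used to be printed unquoted, which
# collapsed its double space; the single-spaced form is what was shown.
proc_set "Setting up IP spoofing protection..." \
  "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED." \
  1 /proc/sys/net/ipv4/conf/all/rp_filter \
  /proc/sys/net/ipv4/conf/*/rp_filter

# Don't respond to broadcast pings.
proc_set "Stopping broacast pings..." \
  "Problem stopping broadcast pings.  Be worried." \
  1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Activate the forwarding!
# NOTE(review): this runs before the FORWARD chain's policy is set to DROP
# further down, so during the rest of the rule load the box forwards under
# whatever FORWARD policy was in force before.  Enabling forwarding after
# the policies are in place would close that window.
proc_set "Turning on forwarding..." \
  "Forwarding not turned on!  Be worried." \
  1 /proc/sys/net/ipv4/ip_forward

# Enable bad error message protection
proc_set "Turning on bad error message protection..." \
  "Problem turing on bad error message protection.  Be worried." \
  1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses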

# Insert the required kernel modules
# Note if iptables is compiled in, this will
# generate error messages.  These can be safely
# ignored.
#modprobe iptable_nat
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp

#=============================================
# Flush the old rules and set default policies
#=============================================
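printf '%s\n' "Setting defaults"
# Policies first, then flush: the box is closed (only explicit rules pass)
# for the whole reload, instead of being wide open between the flush and
# the policy lines.
#
# OUTPUT used to be given the policy REJECT.  REJECT is a rule target, not a
# valid built-in chain policy (only ACCEPT and DROP are), so iptables
# rejected that line and OUTPUT kept whatever policy it already had --
# ACCEPT on a freshly booted kernel -- which silently defeated the
# default-deny for locally generated traffic.  DROP restores the intent;
# anything the router itself needs to send must be allowed by an OUTPUT
# rule below.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
# -F empties the built-in chains; -X additionally removes user-defined
# chains a previous run or another tool may have left, which -F keeps.
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X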

#=============================================
# Filter rules
#=============================================
# Filter out some troublesome things I would drop anyway
#/sbin/iptables -t nat -A PREROUTING -i ppp+ \
# -s 192.168.0.2 -j DROP

#Test transparent proxying
# Uncomment if you want to use, but read the howto first!
#/sbin/iptables -t nat -A PREROUTING -i $INTINT -p tcp --dport 80 \
# -j DNAT --to $SQUID

# Source NAT for the LAN: a packet from LOCALNETWORK leaving through EXTINT
# gets the external interface's current address (MASQUERADE reads it at
# run time, so a dynamic address is fine).  Only LOCALNETWORK sources are
# rewritten; any other source address is left untouched by this rule.
/sbin/iptables -t nat -A POSTROUTING -s "$LOCALNETWORK" -o "$EXTINT" -j MASQUERADE
printf '%s\n' "Masquerading enabled"

#Allow all loopback interface traffic.  A firewall cannot help against bad
#packets on lo, and local-to-local traffic (between any two addresses on
#this machine, not just 127.0.0.1) travels over lo rather than the
#interface one might expect, so filtering it only breaks local services.
#Loopback is never routed, so no PREROUTING/POSTROUTING rule is needed.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o lo -j ACCEPT
printf '%s\n' "Unlimited traffic on Loopback setup"

#Allow unlimited LAN traffic.
# The match is on the *source address* as well as the interface: a packet
# arriving on INTINT from a subnet other than LOCALNETWORK (for instance
# one routed in by another gateway on the LAN) does not match here, and
# none of the later INPUT rules accept it either, so it ends at the INPUT
# chain's DROP policy and such a subnet cannot reach the router itself.
/sbin/iptables -A INPUT -i "$INTINT" -s "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -A OUTPUT -o "$INTINT" -s "$LOCALNETWORK" -j ACCEPT

# nat-table counterparts; they also let local broadcasts from this machine
# out.  The nat policies are ACCEPT already, so these are explicit rather
# than strictly necessary.
/sbin/iptables -t nat -A OUTPUT -s "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s "$LOCALNETWORK" -o "$INTINT" -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s "$LOCALNETWORK" -j ACCEPT
printf '%s\n' "LAN traffic allowed"

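# Anything coming from our internal network should have only our address:
# log, then drop, whatever arrives on INTINT from any other source.
# '! -s' is the current negation syntax; the old '-s !' form is deprecated.
/sbin/iptables -A FORWARD -i "$INTINT" ! -s "$LOCALNETWORK" -j LOG \
  --log-level info --log-prefix "Forwarding problem..."
/sbin/iptables -A FORWARD -i "$INTINT" ! -s "$LOCALNETWORK" -j DROP

#Allow forwarding from inside to out and vice versa.
# Outbound: the LAN may open anything.  This unconditional accept also sits
# in front of the XMAS/NULL and SMB FORWARD drops further down, so those
# never see LAN-sourced traffic.
/sbin/iptables -A FORWARD -i "$INTINT" -s "$LOCALNETWORK" -j ACCEPT
# Inbound from the Internet towards the LAN: only replies to connections the
# LAN opened (and helper-tracked related flows).  The original accepted
# anything addressed to the LAN whatever its state or ingress interface; a
# masquerading router never needs that from EXTINT, so unsolicited
# EXTINT->LAN traffic is dropped here.  Other ingress interfaces (the ppp+
# links of the PPTP section) keep the stateless accept below, as before.
/sbin/iptables -A FORWARD -i "$EXTINT" -o "$INTINT" -d "$LOCALNETWORK" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i "$EXTINT" -o "$INTINT" -d "$LOCALNETWORK" -j DROP
/sbin/iptables -A FORWARD -o "$INTINT" -d "$LOCALNETWORK" -j ACCEPT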

# Spoof filtering on the external interface: our own LAN range, loopback
# and the three RFC 1918 blocks (as source *or* destination -- none of them
# belongs on the Internet side), then multicast and class E as sources.
# The LOCALNETWORK line is already covered by the CLASS_C line that follows
# and is kept for readability.  rp_filter (enabled above) should already
# reject most of this; these rules are a second layer.
/sbin/iptables -A INPUT -i "$EXTINT" -s "$LOCALNETWORK" -j DROP
for _net in "$LOOPBACK" "$CLASS_A" "$CLASS_B" "$CLASS_C"; do
  /sbin/iptables -A INPUT -i "$EXTINT" -s "$_net" -j DROP
  /sbin/iptables -A INPUT -i "$EXTINT" -d "$_net" -j DROP
done
printf '%s\n' "Done with private addresses"

# 224.0.0.0/4 is only ever valid as a destination (multicast); 240.0.0.0/5
# is reserved.  Either as a source is spoofed or misconfigured.
/sbin/iptables -A INPUT -i "$EXTINT" -s "$MULTICAST" -j DROP
/sbin/iptables -A INPUT -i "$EXTINT" -s "$CLASS_E" -j DROP

#DHCP works here


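# The IANA has defined some sets of addresses as reserved.  Therefore
# these addresses should never be a source address.  The reserved
# addresses are: 0-2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.* 27.*.*.*,
# 31.*.*.*, 36-37.*.*.* 39.*.*.* 41.*.*.*, 42.*.*.*, 58-60.*.*.*,
# 69-79.*.*.*, 82-127.*.*.*, 197.*.*.*, 201.*.*.*, 219-223.*.*.*,
# 240-255.*.*.*
# One location of the current list as of 07/20/2001 is at
# http://www.iana.org/assignments/ipv4-address-space
#
# NOTE(review): that is the unassigned-/8 table of mid-2001.  Practically
# all of the unicast /8s in it (1, 2, 5, 7, 23, 27, 31, 36-42, 58-60,
# 69-126, 197, 219-223) have since been allocated to the RIRs and carry
# ordinary Internet traffic, so loading this list today drops legitimate
# peers.  Regenerate it from the current IANA registry (or replace it with
# a maintained bogon feed) before using the script.  201/8 is named in the
# comment but never had a rule; that is unchanged.
#
# Only the 0/8 and 127/8 rules are bound to EXTINT; the others apply to all
# interfaces, which is harmless because loopback and LAN traffic has
# already been accepted by earlier rules.
#Note this one is different to allow for an internal DHCP server
/sbin/iptables -A INPUT -i "$EXTINT" -s 0.0.0.0/8 -j DROP
# One /8 per first octet.  110 appeared twice in the original; the
# duplicate is dropped.
for _octet in 1 2 5 7 23 27 31 36 37 39 41 42 58 59 60 \
    69 70 71 72 73 74 75 76 77 78 79 \
    82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 \
    100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 \
    116 117 118 119 120 121 122 123 124 125 126; do
  /sbin/iptables -A INPUT -s "$_octet.0.0.0/8" -j DROP
done
# Redundant with the LOOPBACK rule above, kept as in the original.
/sbin/iptables -A INPUT -i "$EXTINT" -s 127.0.0.0/8 -j DROP
for _octet in 197 219 220 221 222 223 \
    224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 \
    240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255; do
  /sbin/iptables -A INPUT -s "$_octet.0.0.0/8" -j DROP
done
printf '%s\n' "Done with reserved addresses"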

#Allow some ICMP messages
# Error/control types that only make sense as part of an existing flow:
# source quench (4), parameter problem (12), destination unreachable (3)
# and time exceeded (11) -- inbound then outbound, for each type.
# (Source quench was deprecated by RFC 6633; accepting it is harmless.)
for _icmp in source-quench parameter-problem destination-unreachable time-exceeded; do
  /sbin/iptables -A INPUT -i "$EXTINT" -p ICMP --icmp-type "$_icmp" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A OUTPUT -o "$EXTINT" -p ICMP --icmp-type "$_icmp" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Outgoing pings: we may start an echo-request, and echo-reply comes back
# only as part of that exchange.  Incoming echo-request on EXTINT is logged
# and dropped in the nat PREROUTING chain near the end of the script.
/sbin/iptables -A INPUT -i "$EXTINT" -p ICMP --icmp-type echo-reply \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p ICMP --icmp-type echo-request -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p ICMP --icmp-type echo-request -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p ICMP --icmp-type echo-request \
  -m state --state NEW -j ACCEPT

printf '%s\n' "Some ICMP allowed"

#Allow traceroute
# Linux traceroute sends UDP from 32769-65535 to 33434-33523 by default
# (both are configurable).  Only the outgoing probes need a rule: the
# answers are ICMP time-exceeded / destination-unreachable, accepted above.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p UDP \
  --sport "$TRACEROUTE_SRC_PORTS" --dport "$TRACEROUTE_DEST_PORTS" \
  -m state --state NEW -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p UDP \
  --sport "$TRACEROUTE_SRC_PORTS" --dport "$TRACEROUTE_DEST_PORTS" -j ACCEPT
printf '%s\n' "traceroute allowed"

# Kill malformed packets -- enhance this list yourself!
# XMAS (all TCP flags set) and NULL (none set) probes, in INPUT and FORWARD.
# These come after the unconditional LAN accepts (INPUT from INTINT,
# FORWARD from INTINT), so in practice they only act on traffic that
# entered through the external interface or a ppp link.
for _chain in INPUT FORWARD; do
  /sbin/iptables -A "$_chain" -p tcp --tcp-flags ALL ALL -j DROP
  /sbin/iptables -A "$_chain" -p tcp --tcp-flags ALL NONE -j DROP
done
printf '%s\n' "Some malformed packets blocked"

# Anything coming from the Internet should have a real Internet address:
# drop RFC 1918 sources from FORWARD (the same three blocks as the
# CLASS_A/B/C constants, spelt out here as the original did).
for _net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8; do
  /sbin/iptables -A FORWARD -i "$EXTINT" -s "$_net" -j DROP
done

# Block network filesharing protocols that aren't designed to leave the
# LAN -- log the SMB ones.
# Inbound on EXTINT: logged, then dropped, in nat PREROUTING.  The nat
# table only sees the first packet of a connection, which is enough for a
# DROP but means the LOG line is roughly per new connection, not per packet.
for _proto in TCP UDP; do
  /sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p "$_proto" --dport 137:139 \
    -j LOG --log-level info --log-prefix "SMB tried to come in..."
  /sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p "$_proto" --dport 137:139 -j DROP
done
# Crossing the router, or leaving it, matched on *source* port 137-139.
# The FORWARD pair never sees LAN-originated SMB: the unconditional FORWARD
# accept for LOCALNETWORK sources earlier in the script matches first, so
# only SMB entering on other interfaces reaches these rules.
for _proto in tcp udp; do
  /sbin/iptables -A FORWARD -p "$_proto" --sport 137:139 \
    -j LOG --log-level info --log-prefix "SMB tried to cross."
done
for _proto in tcp udp; do
  /sbin/iptables -A FORWARD -p "$_proto" --sport 137:139 -j DROP
  /sbin/iptables -A OUTPUT -o "$EXTINT" -p "$_proto" --sport 137:139 -j DROP
done


#Allow DHCP traffic
#/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p UDP -s $DHCPSERVER \
# --sport 67 --dport 68 -j ACCEPT
#/sbin/iptables -A OUTPUT -o $EXTINT -p UDP -s $BROADCAST_SRC --sport 68 \
# -d $BROADCAST_DEST --dport 67 -m state --state NEW,ESTABLISHED \
# -j ACCEPT
#/sbin/iptables -A INPUT  -i $EXTINT -p UDP -s $BROADCAST_SRC --sport 67 \
# -d $BROADCAST_DEST --dport 68 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -o $EXTINT -p UDP -s $ANYWHERE --sport 68 \
# -d $DHCPSERVER --dport 67 -m state --state NEW,ESTABLISHED \
# -j ACCEPT
#/sbin/iptables -A INPUT  -i $EXTINT -p UDP -s $DHCPSERVER --sport 67 \
# -d $ANYWHERE --dport 68 -m state --state ESTABLISHED -j ACCEPT
#Internal DHCP server
#/sbin/iptables -t nat -A PREROUTING -i $INTINT -p UDP -s $DHCPSERVER2 \
# --sport 68 --dport 67 -j ACCEPT
#/sbin/iptables -t nat -A PREROUTING -i $INTINT -p UDP -s $BROADCAST_SRC \
# --sport 68 -d $BROADCAST_DEST --dport 67 -j ACCEPT
#/sbin/iptables -A INPUT  -i $INTINT -p UDP -s $BROADCAST_SRC --sport 68 \
# -d $BROADCAST_DEST --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -o $INTINT -p UDP -s $DHCPSERVER2 --sport 67 \
# -d $BROADCAST_DEST --dport 68 -m state --state NEW,ESTABLISHED \
# -j ACCEPT
#Note rules to allow renewals for those clients who already have addresses is
#covered by unlimited LAN traffic rules

#echo "DHCP allowed"

# Refuse all 0.0.0.0 source packets and all limited-broadcast destinations
# on the external interface.  DHCP is the one legitimate user of both; the
# (commented-out) DHCP rules above would have to come before this point.
/sbin/iptables -A INPUT -i "$EXTINT" -s "$BROADCAST_SRC" -j DROP
/sbin/iptables -A INPUT -i "$EXTINT" -d "$BROADCAST_DEST" -j DROP

## Ads remove
# Three ad-server ranges black-holed for the router itself (OUTPUT only;
# forwarded LAN traffic is not affected).  Two prefixes carry host bits
# (…17/24, …210/24); iptables masks them, so all three are whole /24s.
# The addresses date from 2001 and should be verified before being kept.
for _adnet in 130.94.135.17/24 199.95.208.0/24 199.95.206.210/24; do
  /sbin/iptables -A OUTPUT -o "$EXTINT" -d "$_adnet" -j DROP
done

#Allow DNS (port 53 TCP and UDP) -- the router as a resolver client.
# UDP: query out, answer back.  NOTE(review): the UDP answer rule has no
# state match, so any packet from port 53 to an unprivileged local port is
# accepted; '-m state --state ESTABLISHED' would tighten it.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p UDP --sport "$PUBLICPORTS" --dport 53 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p UDP --sport "$PUBLICPORTS" --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p UDP --sport 53 --dport "$PUBLICPORTS" -j ACCEPT
# TCP (large answers, zone transfers): stateful in both directions.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 53 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 53 --dport "$PUBLICPORTS" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# nat-table mirrors (no-ops under the ACCEPT nat policy).  The PREROUTING
# one describes inbound *queries* to us; nothing in filter INPUT admits
# port 53, so they are still dropped.
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p UDP --sport "$PUBLICPORTS" --dport 53 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p UDP --sport "$PUBLICPORTS" --dport 53 -j ACCEPT
printf '%s\n' "DNS queries allowed"

#Allow Web access (ports 80 and 443) -- the router as an HTTP/HTTPS client.
# Same five rules per port; within each chain 80 is loaded before 443, as
# in the original.
for _port in 80 443; do
  /sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --sport "$_port" --dport "$PUBLICPORTS" -j ACCEPT
  /sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$_port" -j ACCEPT
  /sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport "$_port" --dport "$PUBLICPORTS" \
    -m state --state ESTABLISHED -j ACCEPT
  /sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$_port" -j ACCEPT
  /sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$_port" -j ACCEPT
done
# Whatever else arrives from source port 80 (not part of a tracked
# connection) is logged -- rate-limited by -m limit's defaults -- and
# dropped.  The original author saw mostly cookie placement attempts here.
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 80 \
  -m limit -j LOG --log-level info --log-prefix "Port 80 dropped.."
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 80 -j DROP
printf '%s\n' "Web and Secure Web allowed"


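#Allow WWW server access (Port 80) -- a web server on the router itself.
# Requests come in to port 80 (no state match: every packet to port 80 is
# accepted) and replies leave from port 80.
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport 80 -j ACCEPT
# Removed from the original: 'INPUT -i EXTINT -p TCP --sport 80 -j ACCEPT'.
# It could never match -- the identical match is DROPped a few rules
# earlier, at the end of the web-client section -- and had it matched it
# would have let any packet with source port 80 reach any local port.
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --dport 80 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport 80 -j ACCEPT
printf '%s\n' "WWW server allowed"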
    
#Allow Email (port 25 and 110) -- outgoing SMTP and POP3 from the router.
# Four rules per port: nat OUTPUT, filter OUTPUT, stateful reply into
# INPUT, nat POSTROUTING.  25 first, then 110, exactly as before.
for _port in 25 110; do
  /sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$_port" -j ACCEPT
  /sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$_port" -j ACCEPT
  /sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport "$_port" --dport "$PUBLICPORTS" \
    -m state --state ESTABLISHED -j ACCEPT
  /sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$_port" -j ACCEPT
done
printf '%s\n' "Email allowed (except IMAP)"

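#Allow SMTP server access (Port 25) -- an MTA on the router itself.
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --dport 25 -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport 25 -j ACCEPT
# Removed from the original: 'INPUT -i EXTINT -p TCP --sport 25 -j ACCEPT'.
# It accepted *any* packet whose source port was 25, to *any* local port,
# regardless of connection state -- a way past the INPUT policy for anyone
# who controls their source port.  Nothing needs it: inbound mail is the
# --dport 25 rule above, and replies to mail we send are accepted by the
# stateful --sport 25 rule in the email-client section.
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --dport 25 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport 25 -j ACCEPT

printf '%s\n' "SMTP server allowed"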
    
#Allow ssh (port 22 - client access) -- the router opening ssh sessions out.
# No source-port restriction on the way out; replies are accepted only as
# part of an established connection.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --dport 22 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 22 \
  -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --dport 22 -j ACCEPT
printf '%s\n' "SSH client allowed"

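#Allow SSH server access (Port 22) -- sshd on the router, reachable from
# the whole Internet (no source restriction and no rate limit; '-m limit'
# or a source list would cut brute-force noise if that becomes a problem).
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport 22 -j ACCEPT
# Removed from the original: 'INPUT -i EXTINT -p TCP --sport 22 -j ACCEPT'.
# Same problem as the other stateless --sport accepts: any packet with
# source port 22 reached any local port.  Replies to our own outgoing ssh
# sessions are already accepted, statefully, in the ssh-client section.
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --dport 22 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport 22 -j ACCEPT

printf '%s\n' "SSH server allowed"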

#Allow outgoing whois (port 43): the router as client, replies stateful.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 43 \
  -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 43 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 43 --dport "$PUBLICPORTS" \
  -m state --state ESTABLISHED -j ACCEPT
printf '%s\n' "whois allowed"

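#Allow FTP (the router as an FTP client).
# Control channel: out to port 21, replies back from port 21.  The reply
# rule was stateless in the original (any packet from source port 21 to an
# unprivileged local port was accepted); it is now limited to packets that
# belong to a connection we opened, like the port-20 rules below.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 21 --dport "$PUBLICPORTS" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# Active-mode data channel: the server connects to us from port 20.  Its
# first packet is only RELATED (and so accepted) when the ip_conntrack_ftp
# helper is loaded -- its modprobe is commented out near the top.
/sbin/iptables -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 20 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport 20 --dport "$PUBLICPORTS" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# Passive-mode data (both ends on ports >1023) has nat-table rules only;
# no filter rule admits it in either direction, so passive transfers are
# not actually allowed by this section.
# nat-table rules: all ACCEPT under an ACCEPT policy, kept as a record of
# the flows the author intended.
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 21 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$PUBLICPORTS" -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport "$PUBLICPORTS" -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 21 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 21 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --sport 21 --dport "$PUBLICPORTS" -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 20 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 20 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 20 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

printf '%s\n' "FTP allowed"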

#Allow pptpd connections (port 1723)
# PPTP is a TCP/1723 control channel plus GRE (IP protocol 47) for the
# tunnel.  What these rules do, as written:
#   - nat PREROUTING accepts TCP/1723 from EXTINT -- but that is the nat
#     table; nothing in the filter INPUT chain admits TCP/1723 on EXTINT,
#     so with the INPUT policy at DROP external clients cannot reach pptpd.
#     Clients on the LAN get in through the LAN accept rules.
#   - GRE is accepted in both directions on EXTINT, from any address.
#   - ppp+ peers using LOCALNETWORK addresses may talk to the router and be
#     forwarded to/from EXTINT (GRE, and plain Internet access); the
#     EXTINT->ppp+ forward is stateless.
# NOTE(review): PPTP's authentication (MS-CHAPv2) is widely regarded as
# broken; treat this section as legacy.
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 1723 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o "$EXTINT" -p 47 -j ACCEPT
/sbin/iptables -A OUTPUT -o "$EXTINT" -p 47 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p 47 -j ACCEPT
/sbin/iptables -A INPUT -i ppp+ -s "$LOCALNETWORK" -d "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp+ -s "$LOCALNETWORK" -d "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -A FORWARD -i ppp+ -o "$EXTINT" -p 47 -s "$LOCALNETWORK" -d "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -A FORWARD -i "$EXTINT" -o ppp+ -p 47 -s "$LOCALNETWORK" -d "$LOCALNETWORK" -j ACCEPT
#Rules to allow surfing
/sbin/iptables -A FORWARD -i ppp+ -o "$EXTINT" -s "$LOCALNETWORK" -j ACCEPT
/sbin/iptables -A FORWARD -i "$EXTINT" -o ppp+ -d "$LOCALNETWORK" -j ACCEPT
printf '%s\n' "PPTPD allowed"

#Reject port 113 (ident)
# REJECT rather than DROP, so mail/irc servers probing ident get an
# immediate refusal instead of waiting for a timeout.  REJECT is not
# available in the nat table, so nat PREROUTING lets the packet through and
# the filter INPUT rule does the rejecting.
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p TCP --dport 113 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTINT" -p TCP --sport "$PUBLICPORTS" --dport 113 -j REJECT

#Limit logging of pings.
# Incoming echo-request on EXTINT is logged (rate-limited by -m limit's
# defaults) and dropped in nat PREROUTING, i.e. before it reaches INPUT.
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p ICMP --icmp-type echo-request \
  -m limit -j LOG --log-level info --log-prefix "Ping dropped.."
/sbin/iptables -t nat -A PREROUTING -i "$EXTINT" -p ICMP --icmp-type echo-request -j DROP

#Log everything else (which would be dropped anyway)
#/sbin/iptables -A INPUT -j LOG --log-level info \
# --log-prefix "Input packet dropped"
#/sbin/iptables -A INPUT -j DROP
#/sbin/iptables -A OUTPUT -j LOG --log-level info \
# --log-prefix "Output packet dropped"
#/sbin/iptables -A OUTPUT -j REJECT
#/sbin/iptables -A FORWARD -j LOG --log-level info \
# --log-prefix "Forward packet dropped"
#/sbin/iptables -A FORWARD -j DROP
#/sbin/iptables -t nat -A PREROUTING -j LOG --log-level info \
# --log-prefix "PreNat logging."
#/sbin/iptables -t nat -A POSTROUTING -j LOG \
# --log-level info --log-prefix "PostNat logging."
#/sbin/iptables -t nat -A OUTPUT -j LOG \
# --log-level info --log-prefix "Out NAT logging."

