o.open/Office_Networks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Christoph
2018-05-08 03:01:03 +02:00
commit 1c4c595cd6
3256 changed files with 417972 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

982
AK/ipt-firewall.AK Executable file
View File

@@ -0,0 +1,982 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: ipt-firewall
# Required-Start: $local_fs $remote_fs $syslog $network
# Required-Stop: $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: IPv4 Firewall
### END INIT INFO
# Load appropriate modules.
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat > /dev/null 2>&1
## -Load modules for FTP Connection tracking and NAT
## -
/sbin/modprobe ip_conntrack > /dev/null 2>&1
/sbin/modprobe ip_conntrack_ftp > /dev/null 2>&1
/sbin/modprobe ip_nat_ftp > /dev/null 2>&1
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_to_lo=false
log_blocked=false
log_rejected=false
# IP's / IP-Ranges to block
#
# 222.184.0.0 CHINANET-JS
# 61.160.0.0/16 - CHINANET-JS
# 116.8.0.0/14 CHINANET-GX
# 70.42.149.69 - ssh attack 30.06.2014
#
blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14 70.42.149.69"
ipt="/sbin/iptables"
## - external interface
## -
ext_if="eth0"
ext_ip="172.16.0.1"
## - VPN interface
## -
vpn_if="tun+"
## - local interfaces
## -
local_if_1="eth1+"
local_if_2="eth2+"
local_ip="192.168.0.254"
local_net_1="192.168.0.0/24"
## - local Services
## -
webmail="192.168.0.44"
mail_server="192.168.0.44"
mail_server_alt="192.168.0.1"
ak_web="192.168.0.44"
at_10="192.168.0.10"
ftp_server="192.168.0.44"
ldap_server="192.168.0.44"
## - Ports
## -
ssh_port=22
mail_user_ports="465,587,58736,995,993"
www_ports="80,443"
www_ports_akweb="81"
www_extra_ports="8080,8443"
# unpriviligierte Ports
unprivports="1024:65535"
loopback="127.0.0.0/8"
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"
class_d_multicast="224.0.0.0/4"
class_e_reserved="240.0.0.0/5"
broadcast_addr="83.223.85.255"
## - IP Forwarding aktivieren
## -
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 5 > /proc/sys/net/ipv4/ip_dynaddr
## - Reduce DoS'ing ability by reducing timeouts
## -
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
## - SYN COOKIES
## -
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
## - Schutz gegen gefälschte Fehlermeldungen einschalten.
## -
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
## - Ignorieren von broadcast Pings
## -
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
## - NO SOURCE ROUTE
## -
## - Sperren von quellbasierendem Paket-Routing
## -
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $asr
done
## - Keine ICMP Umleitungspakete akzeptieren.
## -
## - Diese können zur Veränderung der Routing Tables verwendet
## - werden, möglicherweise mit einem böswilligen Ziel.
## -
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
## - ANTISPOOFING
## -
## - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen
## - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen,
## - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
## - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für
## - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle
## - nicht voll funktionsfähig ist.
## -
for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $rp_filter
done
## - NUMBER OF CONNECTIONS TO TRACK
## -
echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
## - Protokollieren von Paketen die gespoofed sind, quellbasierendes
## - Routing verwenden oder Umleitungen sind.
## -
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
while read p; do
case $p in
-*) $ipt $p;;
esac
done << EOR
## - flush chains
## -
-F
-F INPUT
-F OUTPUT
-F FORWARD
-F -t mangle
-F -t nat
-X
-Z
## - default policies
## -
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD ACCEPT
-t nat -P PREROUTING ACCEPT
-t nat -P POSTROUTING ACCEPT
#-t nat -A POSTROUTING -o $ext_if -j MASQUERADE
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
## - Fritz!BOX 7390 via VPN
## -
-t nat -A POSTROUTING -o $ext_if -p tcp -s 10.0.0.0/8 -d 172.16.0.254 --dport 80 -j MASQUERADE
## - Fritz!BOX (AcccessPoint) via VPN
## -
-t nat -A POSTROUTING -o $local_if_2 -p tcp -s 10.0.0.0/24 -d 192.168.128.103 --dport 80 -j MASQUERADE
EOR
case $1 in
sto*) exit 0;;
esac
#$ipt -A FORWARD -i $local_if_1 -o $local_if_2 -p ALL -m state --state NEW -j ACCEPT
#$ipt -A FORWARD -i $local_if_2 -o $local_if_1 -p ALL -m state --state NEW -j ACCEPT
$ipt -A INPUT -s 192.168.63.0/24 -j ACCEPT
$ipt -A FORWARD -s 192.168.63.0/24 -j ACCEPT
$ipt -A FORWARD -d 192.168.63.0/24 -j ACCEPT
$ipt -A OUTPUT -d 192.168.63.0/24 -j ACCEPT
## - Protection against syn-flooding
## -
## - chains to DROP too many SYNs
## -
$ipt -N syn-flood
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ipt -A syn-flood -j LOG --log-prefix "IPv4: SYN flood: " --log-level debug
fi
$ipt -A syn-flood -j DROP
## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
if $log_fragments || $log_all ; then
$ipt -A INPUT -i $ext_if -f -j LOG --log-prefix "IPv4: IPTABLES FRAGMENTS: " --log-level debug
fi
$ipt -A INPUT -i $ext_if -f -j DROP
## - drop new packages without syn flag
## -
if $log_new_not_sync || $log_all ; then
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPv4: New but not SYN: " --log-level debug
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPv4: New but not SYN: " --log-level debug
fi
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
## - drop invalid packages
## -
if $log_invalid_state || $log_all ; then
$ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "IPv4: Invalid state: " --log-level debug
fi
$ipt -A INPUT -m state --state INVALID -j DROP
## - ungewöhnliche Flags verwerfen
## -
if $log_invalid_flags || $log_all ; then
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
fi
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## - private Adressen auf externen interface verwerfen
## -
# Refuse spoofed packets pretending to be from your IP address.
if $log_spoofed || $log_all ; then
$ipt -A INPUT -i $ext_if -s $ext_ip -j LOG --log-prefix "IPv4: Spoofed (own ip): " --log-level debug
fi
$ipt -A INPUT -i $ext_if -s $ext_ip -j DROP
# Refuse packets claiming to be from a
# Class A private network
# Class B private network
# Class C private network
# loopback interface
# Class D multicast address
# Class E reserved IP address
# broadcast address
if $log_spoofed || $log_all ; then
$ipt -A INPUT -i $ext_if -s $priv_class_a -j LOG --log-prefix "IPv4: Class A private net: " --log-level debug
#$ipt -A INPUT -i $ext_if -s $priv_class_b -j LOG --log-prefix "IPv4: Class B private net: " --log-level debug
$ipt -A INPUT -i $ext_if -s $priv_class_c -j LOG --log-prefix "IPv4: Class C private net: " --log-level debug
$ipt -A INPUT -i $ext_if -s $loopback -j LOG --log-prefix "IPv4: From Loopback: " --log-level debug
$ipt -A INPUT -i $ext_if -s $class_d_multicast -j LOG --log-prefix "IPv4: Class D Multicast: " --log-level debug
$ipt -A INPUT -i $ext_if -s $class_e_reserved -j LOG --log-prefix "IPv4: Class E reserved: " --log-level debug
$ipt -A INPUT -i $ext_if -d $broadcast_addr -j LOG --log-prefix "IPv4: Broadcast Address: " --log-level debug
fi
# Refuse packets claiming to be from a Class A private network.
$ipt -A INPUT -i $ext_if -s $priv_class_a -j DROP
# Refuse packets claiming to be from a Class B private network.
#$ipt -A INPUT -i $ext_if -s $priv_class_b -j DROP
# Refuse packets claiming to be from a Class C private network.
$ipt -A INPUT -i $ext_if -s $priv_class_c -j DROP
# Refuse packets claiming to be from loopback interface.
$ipt -A INPUT -i $ext_if -s $loopback -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ipt -A INPUT -i $ext_if -s $class_d_multicast -j DROP
# Refuse Class E reserved IP addresses.
$ipt -A INPUT -i $ext_if -s $class_e_reserved -j DROP
# Refuse broadcast address packets.
$ipt -A INPUT -i $ext_if -d $broadcast_addr -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
if $log_to_lo || $log_all ; then
$ipt -A INPUT -i $ext_if -d $loopback -j LOG --log-prefix "IPv4: To Loopback: " --log-level debug
fi
$ipt -A INPUT -i $ext_if -d $loopback -j DROP
# Don't allow spoofing from that server
$ipt -A OUTPUT -o $ext_if -s $priv_class_a -j DROP
#$ipt -A OUTPUT -o $ext_if -s $priv_class_b -j DROP
#$ipt -A OUTPUT -o $ext_if -s $priv_class_c -j DROP
$ipt -A OUTPUT -o $ext_if -s $loopback -j DROP
# ------------- CHINANET-JS 222.184.0.0 - 222.191.255.255 -------------
#
for _ip in $blocked_ips ; do
if $log_blocked || $log_all ; then
$ipt -A INPUT -i $ext_if -s $_ip -j LOG --log-prefix "IPv4: Blocked ${_ip}: " --log-level debug
fi
$ipt -A INPUT -p ALL -s $_ip -j DROP
done
#
# ------------- Ende: CHINANET-JS 222.184.0.0 - 222.191.255.255 -------------
## - We don't want these packages on gatewy
#
# --- We are not a cups server
$ipt -A INPUT -i $local_if_1 -p tcp --sport 631 -j DROP
$ipt -A INPUT -i $local_if_1 -p udp --sport 631 -j DROP
# --- No NETBIOS Packages
# -- LAN
$ipt -A INPUT -p udp -i $local_if_1 --dport 137:139 -j DROP
$ipt -A INPUT -p tcp -i $local_if_1 --dport 137:139 -j DROP
$ipt -A INPUT -p tcp -i $local_if_1 --dport 445 -j DROP
## - WLAN (LAN2)
$ipt -A INPUT -p udp -i $local_if_2 --dport 137:139 -j DROP
$ipt -A INPUT -p tcp -i $local_if_2 --dport 137:139 -j DROP
$ipt -A INPUT -p tcp -i $local_if_2 --dport 445 -j DROP
echo "Starting firewall iptables (IpV4).."
while read r; do
case $r in
-*) $ipt $r;;
esac
done << EOR
# ------------- das loopbackdevice -------------
# alles erlaubt
#
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
# ---------- Ende: das loopbackdevice ----------
# ---------- alle Anfragen aus den internen Netzen nach draussen -------------
#
-A FORWARD -o $ext_if -p ALL -m state --state NEW -j ACCEPT
#
# ---------- Ende: alle Anfragen aus den internen Netzen nach draussen ----------
# ------------- Zugriffe zwischen WLAN und LAN -------------
#
# Drucker IP-Adressen freigeben
# - hp-lj5000
#-A FORWARD -i $local_if_2 -d 192.168.0.249 -p ALL -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -d 192.168.0.249 -p ALL -j ACCEPT
-A FORWARD -o $local_if_2 -s 192.168.0.249 -p ALL -j ACCEPT
# - canon-c5030i
#-A FORWARD -i $local_if_2 -d 192.168.0.253 -p ALL -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -d 192.168.0.253 -p ALL -j ACCEPT
-A FORWARD -o $local_if_2 -s 192.168.0.253 -p ALL -j ACCEPT
#
# Samba Ports auf at-44
-A FORWARD -i $local_if_2 -p udp -d 192.168.0.44 --dport 137:139 -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -p tcp -d 192.168.0.44 --dport 137:139 -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -p tcp -d 192.168.0.44 --dport 445 -m state --state NEW -j ACCEPT
#
#
# ---------- Ende: Zugriffe zwischen WLAN und LAN ----------
# ------------- zwischen lokalen Netzen -------------
#
#
#-A FORWARD -i $local_if_1 -o $local_if_2 -p ALL -m state --state NEW -j ACCEPT
#-A FORWARD -i $local_if_2 -o $local_if_1 -p ALL -m state --state NEW -j ACCEPT
#
# - needed because sometimes i add temporarily other networks to that interface
#
#-A FORWARD -i $local_if_1 -o $local_if_1 -j ACCEPT
#
# ---------- Ende: zwischen lokalen Netzen ----------
# ------------- betsehende Verbindungen -------------
# bereits bestehende Verbindungen durchlassen
#
# -- rein --
#
-A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# -- raus --
#
-A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# foreward
#
-A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# ---------- Ende betsehende Verbindungen -----------
#############################################################
# ----------------- Konfiguration VPN ------------------ #
# -- initial via internet
#
-A INPUT -p udp -i $ext_if --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 1195 -m state --state NEW -j ACCEPT
#
# -- initial via lan1
-A INPUT -p udp -i $local_if_1 --dport 1194 -m state --state NEW -j ACCEPT
#
# -- initial via lan2
-A INPUT -p udp -i $local_if_2 --dport 1194 -m state --state NEW -j ACCEPT
#
# ausgehende Anfragen
#
#-A OUTPUT -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
#
# -- alles via vpn device zulassen/durchrouten
#
-A INPUT -i $vpn_if -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
-A FORWARD -i $vpn_if -j ACCEPT
-A FORWARD -o $vpn_if -j ACCEPT
# ------------ Ende Konfiguration VPN -------------------- #
#############################################################
# ------------- smbclient / smbmount -------------
#
-A OUTPUT -o $local_if_1 -p tcp --dport 445 -j ACCEPT
-A OUTPUT -o $local_if_1 -p tcp --dport 137:139 -j ACCEPT
#
# ---------- Ende smbclient / smbmount -----------
# ------------- grundsaetzlich ablehnen -------------
# reinlaufenden windows kram
#
-A INPUT -p udp -i $ext_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $ext_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $ext_if --dport 445 -j DROP
#
# .. und forwards
#
-A FORWARD -i $local_if_1 -o $ext_if -p tcp --dport 137:139 -j DROP
-A FORWARD -i $local_if_1 -o $ext_if -p tcp --dport 445 -j DROP
#
#
# authentication tap ident
#
-A INPUT -p tcp -i $ext_if --dport 113 -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -i $ext_if --dport 113 -j REJECT --reject-with tcp-reset
#
#
# Location Service
#
-A INPUT -p tcp -i $ext_if --dport 135 -j DROP
-A INPUT -p udp -i $ext_if --dport 135 -j DROP
#
# ---------- Ende: grundsaetzlich ablehnen -------------
# ------------- SSH -------------
# reingehende Anfragen
#
-A INPUT -i $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_1 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -o $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $local_if_1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $local_if_2 -p tcp --dport 22 -m state --state NEW -j ACCEPT
#
-A FORWARD -o $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -o $local_if_1 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -o $local_if_2 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
#
# ---------- Ende SSH ------------
# ------------- DHCP -------------
# reingehende Anfragen
#
-A INPUT -p udp -i $local_if_1 -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
-A INPUT -p udp -i $local_if_2 -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -p udp -o $local_if_1 --sport 67 -d 0/0 --dport 68 -j ACCEPT
-A OUTPUT -p udp -o $local_if_2 --sport 67 -d 0/0 --dport 68 -j ACCEPT
#
# ---------- Ende DHCP ------------
# ------------- DNS -------------
#
# nameserver
#
# -- rein --
#
-A INPUT -i $local_if_1 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p tcp --dport 53 -m state --state NEW -j ACCEPT
#
-A INPUT -i $local_if_1 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# -- raus --
#
-A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
-A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
-A FORWARD -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# ---------- Ende DNS -----------
# ------------- MAIL -------------
# rausgehende SMTP-Verbindungen akzeptieren
#
-A OUTPUT -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
#
# ansonsten nur forward
#
# -- SMTP
# rausschicken dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 25 -m state --state NEW -j ACCEPT
#
# -- SUBMISSION
# rausschicken dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 587 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 587 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 587 -m state --state NEW -j ACCEPT
#
# -- SMTPS
# rausschicken dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 465 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 465 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 465 -m state --state NEW -j ACCEPT
#
# POP
# nach draussen dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 110 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 110 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 110 -m state --state NEW -j ACCEPT
#
# -- POP/SSL
# nach draussen dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 995 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 995 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 995 -m state --state NEW -j ACCEPT
#
# -- IMAP
# nach draussen dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 143 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 143 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 143 -m state --state NEW -j ACCEPT
#
# -- IMAP/SSL
# nach draussen dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 993 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 993 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 993 -m state --state NEW -j ACCEPT
#
# ---------- Ende MAIL -----------
# ------------- HTTP -------------
#
# rausgehende Verbindungen vom Gateway akzeptieren
# ( update clamav/freshclam, dyndns, apt-get )
#
-A OUTPUT -p tcp --syn -o $local_if_1 --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
#
# ansonsten nach draussen nur forward
#
-A FORWARD -p tcp --syn -o $ext_if -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
#
# -- interne Webservices
# webmailer
-A FORWARD -p tcp --syn -d $webmail -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
# akweb lokal
-A FORWARD -p tcp --syn -d $ak_web -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
# at-10
-A FORWARD -p tcp --syn -d $at_10 -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
#
# ---------- Ende HTTP -----------
# ------------- FTP -------------
#
# ftp ( lokaler Client remote ftp-Server )
#
# (Datenkanal aktiv)
-A INPUT -i $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
#
# (Datenkanal passiv)
-A OUTPUT -o $ext_if -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
#
# (Kontrollverbindung)
-A OUTPUT -o $ext_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
#
# ftp (Server)
#
# Datenkanal (aktiver modus)
-A FORWARD -o $ext_if -p tcp -s $ftp_server --sport 20 -m state --state NEW -j ACCEPT
#
# Datenkanal (passiver modus)
-A FORWARD -i $ext_if -p tcp -d $ftp_server --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
#
# - Kontrollverbindung
-A FORWARD -i $ext_if -p tcp -d $ftp_server --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
#
# ftp-tls ? ( keine Ahnung warum )
#
-A OUTPUT -p tcp --sport $unprivports -o $ext_if -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --sport $unprivports -i $ext_if -o $ext_if -m state --state NEW -j ACCEPT
#
# ---------- Ende FTP -----------
# ------------- NTP -------------
# (network time protokoll)
#
# rein
#
-A INPUT -i $local_if_1 -p tcp --sport 123 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p tcp --sport 123 -m state --state NEW -j ACCEPT
#
-A INPUT -i $local_if_1 -p udp --sport 123 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p udp --sport 123 -m state --state NEW -j ACCEPT
#
# raus
#
-A OUTPUT -o $ext_if -p tcp --dport 123 -m state --state NEW -j ACCEPT
#
-A OUTPUT -o $ext_if -p udp --dport 123 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 123 -j ACCEPT
#
-A FORWARD -o $ext_if -p tcp --dport 123 -j ACCEPT
#
# ---------- Ende NTP -----------
# ------------- pgpkeyserver -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 11370:11371 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 11370:11371 -m state --state NEW -j ACCEPT
#
# ---------- Ende pgpkeyserver ------------
# ------------- ldap / (z.Bsp. einige pgpkeyserver) -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
#
# ldaps LDAP over SSL
#
-A FORWARD -p tcp --syn -o $ext_if --dport 636 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 636 -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 636 -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 636 -j ACCEPT
#
# ---------- Ende ldap ------------
# ------------- Newsserver nntp -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
#
# ---------- Ende Newsserver nntp ------------
# ------------- Whois -------------
# nur ausgehende Anfragen und forward
#
#
-A OUTPUT -o $ext_if -p tcp --dport 43 -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 43 -j ACCEPT
#
# ---------- Ende Whois ----------
# ------------- Chat -------------
# --- silc ---
#
# Forward und Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
#
# --- irc ---
#
# forward und Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
#
# ---jabber ---
#
-A FORWARD -p tcp --syn -o $ext_if --dport 5222:5223 -m state --state NEW -j ACCEPT
#
# ---------- Ende chat ------------
# ------------- HBCI -------------
# hbci - port 3000/tcp
#
-A FORWARD -o $ext_if -p tcp --syn --dport 3000 -m state --state NEW -j ACCEPT
#
# ---------- Ende HBCI -----------
# ------------- Hylafax (Port 4559) -------------
# reingehende Verbindungen zum Hylafax-Server
#
-A INPUT -i $local_if_1 -p tcp --dport 4559 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p tcp --dport 4559 -m state --state NEW -j ACCEPT
#
# ---------- Ende Hylafax -----------
# ------------- CUPS -------------
# (cupssys printer system)
#
-A FORWARD -i $local_if_1 -p tcp --dport 631 -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -p tcp --dport 631 -m state --state NEW -j ACCEPT
#
# ---------- Ende CUPS -----------
# ------------- Drucken Port 9100 -------------
#
-A FORWARD -i $local_if_1 -p tcp --dport 9100 -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -p tcp --dport 9100 -m state --state NEW -j ACCEPT
#
# ---------- Ende Drucken Port 9100 -----------
# ---------- SNMP ----------
#
#-A FORWARD -i $local_if_1 -p tcp --dport 161 -m state --state NEW -j ACCEPT
#-A FORWARD -i $local_if_2 -p tcp --dport 161 -m state --state NEW -j ACCEPT
#
# ---------- SNMP ----------
# ------------- VOIP -------------
#
# SIP
#
# Standard:
# Port: 5060 / UDP (SIP-Signalisierung)
# Port: 5004 / UDP (RTP, Sprache)
# Port: 10000 UDP (STUN)
#
# X-Lite:
# Port 5060 / UDP
# Port 8000 - 8019 / UDP
# Port 10000 /UDP
# reingehende Anfragen
#
-A INPUT -p tcp --syn -i $ext_if --dport 5060 -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 5060 -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 5060 -j ACCEPT
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 5004 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 5004 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 8000:8019 -j ACCEPT
-A FORWARD -p udp -i $ext_if --sport 8000:8019 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 32700:32799 -j ACCEPT
#
# SKIPE
#
# reingehende Anfragen
#
# -A INPUT -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
# -A INPUT -p udp -i $ext_if --dport 54196 -j ACCEPT
#
# ausgehende Anfragen
#
#
# Forward -- Anfragen von draussen
#
# -- Linux
-A FORWARD -p tcp --syn -i $ext_if --dport 34957 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --sport 34957 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 34957 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 34957 -j ACCEPT
# -- Windows --
-A FORWARD -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 54196 -j ACCEPT
#
# ---------- Ende VOIP ------------
# ------------- Traceroute -------------
#
-A OUTPUT -p udp --dport 33434:33530 -o $local_if_1 -j ACCEPT
-A INPUT -p udp --dport 33434:33530 -i $local_if_1 -j ACCEPT
-A FORWARD -p udp --dport 33434:33530 -o $ext_if -j ACCEPT
#
# -------- Ende Traceroute -------------
## -------- WakeOnLAN --------
#
-A OUTPUT -p udp -o $local_if_1 --dport 9 -j ACCEPT
-A OUTPUT -p udp -o $local_if_2 --dport 9 -j ACCEPT
#
## -------- Ende WakeOnLAN --------
# ------------ Ping ------------
#
-A INPUT -i $ext_if -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -i $ext_if -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -i $ext_if -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -i $ext_if -p icmp --icmp-type echo-request -j ACCEPT
#-A INPUT -i $ext_if -p icmp -j ACCEPT
-A INPUT -i $local_if_1 -j ACCEPT
-A INPUT -i $local_if_2 -j ACCEPT
#-A OUTPUT -o $ext_if -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
#-A FORWARD -o $ext_if -p icmp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
#
# ------- Ende Ping ------------
# ------------ Portforwarding ------------- #
# -
# -- VNC pcbuero1 ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 80 -j DNAT --to 172.16.0.254:80
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.4.101 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
# -- VNC pcbuero2 ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 5902 -j DNAT --to 192.168.4.4:5900
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.4.102 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
# ---------- Ende Portforwarding ---------- #
EOR
# ------------- Loggen -------------
#
if $log_rejected || $log_all ; then
#$ipt -A OUTPUT -j LOG --log-level debug
#$ipt -A INPUT -j LOG --log-level debug
#$ipt -A INPUT -j LOG --log-level debug
$ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
$ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
$ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
fi
#
# ---------- Ende: Loggen ----------
# ------------- DROP -------------
# drop all other for all interfaces..
#
$ipt -A INPUT -j DROP
$ipt -A OUTPUT -j DROP
$ipt -A FORWARD -j DROP
#
# ---------- Ende: DROP ----------
exit 0