iptables Firewall Skript (nicht nur für openwrt)

Nachfolgend ist ein ~~ausführlicheres~~ iptables Firewall Startup Skript dargestellt.

/etc/init.d/firewall

#!/bin/bash
#
# firewall.sh  Start/Stop iptables firewall
#
# chkconfig: 2345 15 55
# description: Idea from PMFirewall, TrinityOS, \
#              and various other documents/articles on the Net
#
# Iptables / Netfilter Paketfilter
# einzelne  Verbindungen vom internen Netzwerk zulassen
# Absichern und Logging
# Dynamische Paket Filterung
# LOG macht kein DROP oder REJECT, daher -j LOG vor der DROP Zeile
# Alternative: -j DROP,LOG 

#Parameter SCANIT ist für die Freischaltung von ausgehenden Scans
# Optional second argument: a destination that outgoing scans may reach
# (turned into an OUTPUT ACCEPT rule in the start branch).
SCANIT=${2-}
# Make sure the sbin tools (iptables, modprobe, ...) are found first.
PATH="/sbin:${PATH}"
# set -x

# ipchains and iptables must not be active at the same time: if the old
# filter is still loaded, stop its service and unload the module first.
if grep -q ipchains < <(/sbin/lsmod 2>/dev/null); then
  /etc/rc.d/init.d/ipchains stop
  rmmod ipchains
fi

# Load appropriate modules. 
# Netfilter core, connection tracking (needed by every "-m state" rule
# below) and the FTP helper that marks active-mode data connections RELATED.
for mod in ip_tables ip_conntrack ip_conntrack_ftp; do
  modprobe "$mod"
done

# Source function library.
# Init-script helpers (action, success, failure) used by the stop branch.
source /etc/rc.d/init.d/functions
 
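IPTABLES=/sbin/iptables
INTERNALIF=eth0
# Address and netmask of the internal interface, parsed from the classic
# net-tools "inet addr:A.B.C.D  Bcast:...  Mask:..." output line.  Neither
# value is referenced by the rules below; they are kept for local use.
# Matching "inet addr" rather than "inet" keeps the inet6 line out of
# INTERNALIP (it would otherwise add a second, empty line to the value).
INTERNALIP=$(ifconfig "$INTERNALIF" | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1)
INTERNALMASK=$(ifconfig "$INTERNALIF" | grep Mas | cut -d : -f 4)
# NOTE(review): 0.0.0.0/0 is "every address", so the "-s $INTERNALNET"
# matches in the start branch restrict nothing.  Set this to the real LAN
# prefix (for instance the network that contains BACKUPSERV) to keep the
# LAN-only services limited to the LAN.
INTERNALNET=0.0.0.0/0

# Time servers that udp/37 (time) and udp/123 (NTP) may be sent to.
# ntpb1.ptb.de
TIMESTRAT1=192.53.103.103
# hora.cs.tu-berlin.de
TIMESTRAT2=130.149.17.21
# Backup host: all traffic from/to it is accepted in the start branch.
BACKUPSERV=192.168.101.2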

# check we have the iptables executable 
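# Without the iptables binary there is nothing to do; exit quietly with 0,
# as init scripts do when their service is not installed.
if [ ! -x "$IPTABLES" ]; then
  exit 0
fi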

# check we have the right kernel version 
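# Netfilter needs kernel 2.3 or newer; on older kernels do nothing.
# Major/minor are taken from "uname -r" with parameter expansion
# (e.g. "2.6.32-5" -> 2 and 6); no sed processes needed.
KERNELVER=$(uname -r)
KERNELMAJ=${KERNELVER%%.*}
KERNELMIN=${KERNELVER#*.}
KERNELMIN=${KERNELMIN%%.*}
if [ "$KERNELMAJ" -lt 2 ]; then
  exit 0
fi
if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 3 ]; then
  exit 0
fi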

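case "$1" in
  start)
    echo "Applying iptables firewall rules:"

    # Fail closed: set the DROP policies *before* flushing, so a host that
    # is currently open (policy ACCEPT after "stop") never accepts traffic
    # during the reload.  Flushing first and setting DROP afterwards leaves
    # a short unfiltered window.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT DROP

    # Flush all rules, delete user-defined chains, clear the nat table.
    "$IPTABLES" -F
    "$IPTABLES" -X
    "$IPTABLES" -t nat -F

    # Kernel-side hardening via /proc/sys.  See
    # /usr/src/linux/Documentation/networking/ip-sysctl.txt

    # Reverse-path filtering against IP spoofing: packets whose source
    # address would not route back out the arriving interface are dropped.
    # Can break asymmetric routing or multi-homed non-routing hosts.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
      for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$i"
      done
    fi

    # Do not answer broadcast pings (smurf amplifier; CERT CA-1998-01).
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # SYN cookies against SYN floods.
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
      echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi

    # Reject source-routed packets (the glob covers conf/all as well):
    # source routing lets an outside host pose as an inside one and still
    # receive the replies.
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > "$i"
    done

    # Single-homed host: IP forwarding stays off (FORWARD policy is DROP too).
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # Optional knobs, deliberately left off:
    # echo 1 > /proc/sys/net/ipv4/ip_dynaddr           # ppp/dhcp clients
    # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all  # ignore all pings

    # Ignore ICMP redirects, which could rewrite the routing table.
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
      echo 0 > "$i"
    done

    # Ignore bogus ICMP error responses.
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Log spoofed, source-routed and redirect packets (martians).
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

    # Loopback is always allowed.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

    # Rate-limited SYN acceptance, currently disabled:
    #iptables -A INPUT -i eth0 -p TCP --syn -m limit --limit 1/s -j ACCEPT
    #iptables -A INPUT -i eth0 -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

    # Port-scan signatures: all flags set (XMAS) or none set (NULL).
    "$IPTABLES" -A INPUT -p tcp -m tcp --tcp-flags ALL ALL -j DROP
    "$IPTABLES" -A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j DROP
    "$IPTABLES" -A FORWARD -p tcp -m tcp --tcp-flags ALL ALL -j DROP
    "$IPTABLES" -A FORWARD -p tcp -m tcp --tcp-flags ALL NONE -j DROP

    # ICMP from anywhere, rate limited.
    "$IPTABLES" -A INPUT -p icmp --icmp-type destination-unreachable -m limit --limit 10/s -j ACCEPT
    "$IPTABLES" -A INPUT -p icmp --icmp-type source-quench -m limit --limit 10/s -j ACCEPT
    "$IPTABLES" -A INPUT -p icmp --icmp-type time-exceeded -m limit --limit 10/s -j ACCEPT
    "$IPTABLES" -A INPUT -p icmp --icmp-type parameter-problem -m limit --limit 10/s -j ACCEPT
    "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    "$IPTABLES" -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 5/s -j ACCEPT

    # Services offered on $INTERNALIF: POP3(S), IMAP(S), HTTP(S), SMTP,
    # SMTPS, SSH, telnet and FTP (new connections only).
    # NOTE(review): INTERNALNET is 0.0.0.0/0, so "-s $INTERNALNET" matches
    # every source and all of these ports -- telnet and the cleartext mail
    # protocols included -- are reachable from anything that can reach the
    # interface.  Set INTERNALNET to the real LAN prefix if that is not
    # intended.
    for port in 110 995 143 993 80 443 25 465 22 23 21; do
      "$IPTABLES" -A INPUT -p tcp --dport "$port" -i "$INTERNALIF" -s "$INTERNALNET" -m state --state NEW -j ACCEPT
    done
    # $IPTABLES -A INPUT -p udp --dport 37 -i $INTERNALIF -s $INTERNALNET -m state --state NEW -j ACCEPT
    # Active-mode FTP data connections opened from our own port 20.
    "$IPTABLES" -A OUTPUT -p tcp --sport 20 -j ACCEPT

    # Backup server (AMANDA): all traffic from/to $BACKUPSERV is accepted.
    # The two catch-all rules already cover the per-protocol rules after
    # them; those are redundant but harmless.
    "$IPTABLES" -A INPUT -s "$BACKUPSERV" -j ACCEPT
    "$IPTABLES" -A OUTPUT -d "$BACKUPSERV" -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp -i "$INTERNALIF" -s "$BACKUPSERV" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A INPUT -p udp -s "$BACKUPSERV" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -d "$BACKUPSERV" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp -d "$BACKUPSERV" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

    # Outgoing FTP; identd lookups are rejected so they fail fast instead
    # of timing out.
    "$IPTABLES" -A INPUT -p tcp --dport 113 -j REJECT
    # Active-mode FTP data connections arrive from the server's port 20.
    # ip_conntrack_ftp marks them RELATED, so require that state instead of
    # accepting any packet that merely claims source port 20 -- otherwise a
    # remote host could reach every TCP port by choosing its source port.
    "$IPTABLES" -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Outgoing: traceroute, HTTP, DNS, FTP, IMAP, POP3, SMTP, SSL, SSH, ...
    TR_SRC_PORTS="32769:65535"
    TR_DEST_PORTS="33434:33523"
    "$IPTABLES" -A OUTPUT -p udp --sport "$TR_SRC_PORTS" --dport "$TR_DEST_PORTS" -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Proxy-style ports are rejected (fast failure) rather than dropped and logged.
    "$IPTABLES" -A OUTPUT -p tcp --dport 8080 -m state --state NEW -j REJECT
    "$IPTABLES" -A OUTPUT -p tcp --dport 88 -m state --state NEW -j REJECT
    "$IPTABLES" -A OUTPUT -p tcp --dport 8081 -m state --state NEW -j REJECT
    # pyzor
    "$IPTABLES" -A OUTPUT -p udp -d 66.250.40.33 --dport 24441 -m state --state NEW,ESTABLISHED -j ACCEPT
    # DCC
    "$IPTABLES" -A OUTPUT -p udp --dport 6277 -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 2703 -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A INPUT -i "$INTERNALIF" -p udp --dport 6277 -m state --state NEW,ESTABLISHED -j ACCEPT
    # DNS: UDP to any resolver, TCP only to the two listed resolvers.
    "$IPTABLES" -A OUTPUT -p udp --dport 53 -j ACCEPT
    # Replies to our own queries are ESTABLISHED for conntrack; do not accept
    # arbitrary inbound UDP just because it carries source port 53.
    "$IPTABLES" -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 53 -d 195.226.126.66 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 53 -d 195.226.127.77 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 113 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 2525 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    # whois
    "$IPTABLES" -A OUTPUT -p tcp --dport 43 -m state --state NEW -j ACCEPT
    # time (udp/37) and NTP (udp/123), only to the two configured servers.
    "$IPTABLES" -A OUTPUT -p udp --dport 37 -d "$TIMESTRAT1" -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp --dport 123 -d "$TIMESTRAT1" -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp --dport 37 -d "$TIMESTRAT2" -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp --dport 123 -d "$TIMESTRAT2" -m state --state NEW -j ACCEPT

    # Optional second argument: a destination that outgoing scans may reach.
    if [ -n "$SCANIT" ]; then
      echo "output rule for ${SCANIT} set"
      "$IPTABLES" -A OUTPUT -d "$SCANIT" -j ACCEPT
    fi

    # Return traffic of connections we initiated, plus RELATED traffic
    # (FTP data, ICMP errors), is allowed in both directions.
    "$IPTABLES" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Deliberately no "--tcp-flags ! SYN,ACK,RST SYN -j ACCEPT" rule here:
    # it would accept every TCP packet that is not a bare SYN regardless of
    # connection state, i.e. unsolicited ACK/FIN/RST probes to any port.
    # The ESTABLISHED rule above already admits genuine return traffic.

    # Silently drop chatty protocols instead of logging them:
    # NetBIOS, xdmcp, routed, ospf and the limited broadcast address.
    "$IPTABLES" -A INPUT -p tcp -m tcp --destination-port 137:139 -j DROP
    "$IPTABLES" -A INPUT -p udp -m udp --destination-port 137:139 -j DROP
    "$IPTABLES" -A INPUT -p udp -m udp --destination-port 177 -j DROP
    "$IPTABLES" -A INPUT -p udp -m udp --destination-port 520 -j DROP
    "$IPTABLES" -A INPUT -p 89 -j DROP
    "$IPTABLES" -A INPUT -d 255.255.255.255 -j DROP

    # Log what falls through to the OUTPUT policy.  Inbound denials are not
    # logged; enable the INPUT line to see external connection attempts.
    # An unlimited LOG rule can flood the log -- consider "-m limit".
    #$IPTABLES -A INPUT -j LOG --log-prefix "INPUT Packet DENY :"
    "$IPTABLES" -A OUTPUT -j LOG --log-prefix "OUTPUT Packet DENY :"

    touch /var/lock/subsys/iptables
    touch /var/lock/subsys/firewall
    ;;

  stop)
    # NOTE: after "stop" the host has no packet filter at all (policy ACCEPT).
    action "Flushing all chains:" "$IPTABLES" -F
    action "Removing user defined chains:" "$IPTABLES" -X
    echo $"Resetting built-in chains to the default ACCEPT policy:"
    if "$IPTABLES" -P INPUT ACCEPT \
        && "$IPTABLES" -P FORWARD ACCEPT \
        && "$IPTABLES" -P OUTPUT ACCEPT; then
      success "Resetting built-in chains to the default ACCEPT policy"
    else
      failure "Resetting built-in chains to the default ACCEPT policy"
    fi
    echo
    rm -f /var/lock/subsys/iptables
    rm -f /var/lock/subsys/firewall

    # IP forwarding stays off even without the filter.
    echo "0" > /proc/sys/net/ipv4/ip_forward
    ;;

  status)
    # -n: numeric output, no reverse DNS lookups that could hang the listing.
    "$IPTABLES" -L -n
    ;;

  restart)
    "$0" stop
    "$0" start "$SCANIT"
    ;;

  *)
    echo "Usage: $0 {start|stop|restart|status} [scan-destination]" >&2
    # Unknown action is an error for the caller (init system), not success.
    exit 1
    ;;
esac

exit 0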

Alternativen

  • Shorewall!
 