hello all
Thomas Lussnig
tlussnig@bewegungsmelder.de
Fri, 06 Jul 2001 01:57:14 +0200
Matt Daniels wrote:
>New to the list, I was wondering how active it's been lately? I wanted to
>replace my ipchains/ipmasqadm (port forwarding) with the new iptables.
>Can anybody give me some reading to do?
>
Here is my script. Some tips:
1. LOG no longer implies DROP: unlike the ipchains `-l` flag, the iptables LOG target is non-terminating, so a packet that matches a LOG rule continues to the next rule. Every LOG needs a following DROP (or a DROP policy) if the traffic is actually meant to be blocked.
2. Look at connection tracking and the state match (`-m state --state NEW,ESTABLISHED,RELATED`).
3. Look at my script.
4. I promise you will learn much more from the examples posted and commented here than from the docs.
Cu Thomas Lußnig
>
[Attachment: iptables — the firewall script, shell, inline]
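#!/bin/bash
# Firewall rule set (iptables, Linux 2.4 era) for a small LAN behind a dial-up /
# ISDN uplink: 10.0.0.0/8 on eth0 is the inside, ppp+/ippp+/eth1 are the
# outside, 10.0.0.2 is this host.  The script was written against bash-only
# syntax (`function`, `&>`), so name the interpreter explicitly instead of
# relying on /bin/sh being bash: dash rejects `function` outright and parses
# `cmd &>/dev/null` as "run cmd in the background", which would race the
# `-X chain` deletions against the following `-N chain`.
#
# Snapshot the rule set that is about to be replaced so a bad reload can be
# compared against (or hand-rolled back to) the previous state.  The file grows
# with every run; the date line separates the snapshots.
date >> /root/fw.1
iptables -L -n -v >> /root/fw.1 ; iptables -L -n -v -t nat >> /root/fw.1
iptables -L -n -v -t mangle >> /root/fw.1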
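# log_info MESSAGE...
# Debug helper: prints its arguments on stdout when FW_DEBUG=1 in the
# environment, otherwise stays silent.  The original was hard-wired off
# (`test 2 = 1 && echo $1`) and echoed only an unquoted $1; the switch keeps the
# quiet default but makes the helper usable, and "$*" prints the whole message
# without word-splitting surprises.  Always returns 0 so it can be dropped into
# command lists without changing their status.  Nothing in this script calls it
# yet.  Plain POSIX function syntax -- the `function` keyword is a bashism.
log_info() {
  [ "${FW_DEBUG:-0}" = "1" ] || return 0
  printf '%s\n' "$*"
}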
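# Interfaces (documentation only; the rules below name interfaces explicitly):
# EXTERN="eth1 ppp+ ippp+"
# INTERN="eth0 lo"
# Rate-limit options for LOG rules.  Expand it unquoted so it word-splits into
# separate iptables arguments.
LIMIT="-m limit --limit 1/s --limit-burst 10"
# Services on the firewall itself that are reachable from the outside:
# 1 for portsentry ( catches the really dumb scanners )
# 22 ( SSH )
# 25 ( SMTP )
# 80 ( HTTP )
# 113 ( IDENT )
# 443 ( HTTPS )
# 00:e0:4c:69:1e:2a Gery
# Port-forwarded from the outside to LAN hosts (see pre_ext in the nat table):
# 7000:7100 Starwars
# 7200:7300 Wasserfee
# 7400:7500 Gery2000
# 3100 Camp
# 3200 Champ
#
# Two switches turn whole classes of rules on and off.  Each gated line is
# written "$DROP iptables ..." / "$PSD iptables ...": with the variable empty the
# command runs; set it to ":" (the shell no-op builtin) and the line is skipped.
# Do NOT use "#" for that, as the original comment suggested: after expansion
# "#" is a command name, not a comment marker, so every gated line would die
# with "command not found" (the rules were skipped only by accident).  Values
# already set in the environment win, so `DROP=: ./iptables` gives a log-only
# dry run without editing the script.
: "${DROP=}"   # "" = install DROP rules and DROP policies
: "${PSD=}"    # "" = install the port-scan-detection rules (ipt_psd, a
               #      patch-o-matic match that is not in stock kernels)
# Reset the mangle table.  Set the PREROUTING policy before the flush so the
# table fails closed while it is rebuilt -- and is reset to ACCEPT when DROP=:
# instead of keeping a DROP policy left over from an earlier hardened run.
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
$DROP iptables -t mangle -P PREROUTING DROP
iptables -t mangle -F
# Log post-processing snippets (vim substitutions and a dmesg one-liner) that
# strip the noisy fields from the kernel LOG lines and collapse duplicates:
# ::%s/\(URGP\|MAC\|TTL\|PREC\|LEN\|ID\|TOS\|WINDOW\|RES\)=[^ ]* //g
# ::%s/\(SYN\|ACK\|PSH\|FIN\|DF\) //g
# sort log|uniq >log.1;mv log.1 log
# dmesg | sed "s/\(URGP\|MAC\|TTL\|PREC\|LEN\|ID\|TOS\|WINDOW\|RES\)=[^ ]* //g;s/\(SYN\|ACK\|PSH\|FIN\|DF\) //g"|sort|uniq >log
# TCP services the firewall offers publicly (used in every table).  NOTE: the
# list above also names 443, which is not in here -- the filter chains accept
# 443 through separate rules; decide whether it belongs in this list.
PUB_TCP_SRV='22,25,80,113'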
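# ------------------------------------------------------------------------------
# m a n g l e
# ------------------------------------------------------------------------------
# Chain naming used throughout: <table>_<hook>_<state>[_<side>], e.g. m_p_n is
# mangle / PREROUTING / NEW.  A _su chain is entered for packets with an
# unprivileged (>=1024) source port and decides on the destination port; a _du
# chain is entered for packets with an unprivileged destination port and decides
# on the source port.  Every chain ends in LOG followed by a $DROP-gated DROP, so
# the LOG line records what matched no rule (LOG itself never drops).
# Filtering in the mangle table is a coarse first pass in front of nat/filter.
# Portability notes for newer kernels/iptables: `-m mport` (patch-o-matic) was
# dropped long ago, use `-m multiport`; `-d ! addr` is the old intrapositioned
# negation, newer iptables wants `! -d addr`.  Left as written for fidelity.
echo m_p_n
iptables -t mangle -X m_p_n >/dev/null 2>&1
iptables -t mangle -N m_p_n
iptables -t mangle -A m_p_n -j ACCEPT -p tcp --dport 22
iptables -t mangle -A m_p_n -j ACCEPT -p tcp -m multiport --dport $PUB_TCP_SRV
# 193.126.85.29 is the IPv6-in-IPv4 tunnel peer (protocol 41 plus a UDP side channel).
iptables -t mangle -A m_p_n -j ACCEPT -p udp --dport 1024:65535 --sport 1024:65535 -s 193.126.85.29
iptables -t mangle -A m_p_n -j ACCEPT -p 41 -s 193.126.85.29
# Port-scan detection: threshold 1 with a low-port weight of 3 means a single
# probe to any privileged port not accepted above counts as a scan.
$PSD iptables -t mangle -A m_p_n -j DROP -p tcp --dport 1:1024 -m psd --psd-weight-threshold 1 --psd-delay-threshold 9000 --psd-lo-ports-weight 3 -i ppp0
$PSD iptables -t mangle -A m_p_n -j DROP -p udp --dport 1:1024 -m psd --psd-weight-threshold 1 --psd-delay-threshold 9000 --psd-lo-ports-weight 3 -i ppp0
# DHCP in both directions.
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp --sport 68 --dport 67
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp --dport 68 --sport 67
# Noisy destination ports from the uplink (commonly 1214 KaZaA, 3306 MySQL,
# 6667 IRC, 10000 Webmin; the others are site-specific).
$DROP iptables -t mangle -A m_p_n -j DROP -p tcp -m multiport --dport 1214,3306,6667,2000,10000,9002 -i ppp0
$DROP iptables -t mangle -A m_p_n -j DROP -p tcp -m multiport --dport 2186,6667,10000,1150 -i ppp0
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p udp -d ! 10.0.0.2 --dport 137:138
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p tcp --dport 1024:65535 --sport 1024:65535
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p tcp --dport 111 -i lo
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p tcp --sport 993 --dport 1024:65535
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p tcp --sport 443 --dport 1024:65535
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 21,53,79,139,110,143,443,993,1080,6665,6669
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp --sport 53 -i lo
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp -m multiport --dport 53,123,161
# Echo requests only from the LAN and loopback; from anywhere else they are dropped.
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 8/0 -i eth0 # ICMP_ECHO
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 8/0 -i lo # ICMP_ECHO
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p icmp --icmp-type 8/0 # ICMP_ECHO
# A RST cannot legitimately open a connection; stray web-server replies likewise.
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p tcp --tcp-flags RST RST
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p tcp --sport 80
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp --dport 1024:65535
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p 41
# Windows NetBIOS broadcast noise.
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p udp --dport 137:139 -d 10.255.255.255
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p udp --sport 137 -d ! 10.0.0.2
iptables -t mangle -A m_p_n --set-counters 0 0 -j LOG --log-prefix 'm_p_n '
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP
# m_p_e_su: established traffic with an unprivileged source port, by destination port.
echo m_p_e_su
iptables -t mangle -X m_p_e_su >/dev/null 2>&1
iptables -t mangle -N m_p_e_su
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport $PUB_TCP_SRV
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 20,21,53,79,110,139,143,443,993,1024:65535
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -m multiport -p udp --dport 53,123,161
# X11 only over loopback.
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 6000 -i lo
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p tcp --sport 6000 --dport 1024:65535 -i lo
# 27000:27999 is a game-server port range used by the LAN hosts.
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p udp --sport 27000:27999 --dport 1024:65535
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p udp --dport 27000:27999 --sport 1024:65535
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p udp --dport 1024:65535 --sport 1024:65535
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j LOG --log-prefix 'm_p_e_su '
$DROP iptables -t mangle -A m_p_e_su --set-counters 0 0 -j DROP
# m_p_e_du: established traffic with an unprivileged destination port, by source port.
echo m_p_e_du
iptables -t mangle -X m_p_e_du >/dev/null 2>&1
iptables -t mangle -N m_p_e_du
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j ACCEPT -p tcp --sport 22
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j ACCEPT -p tcp -m mport --sport $PUB_TCP_SRV
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j ACCEPT -p tcp -m mport --sport 20,21,53,79,110,443,993
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j ACCEPT -m multiport -p udp --sport 53,123,161
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j ACCEPT -p tcp --sport 143
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j LOG --log-prefix 'm_p_e_du '
$DROP iptables -t mangle -A m_p_e_du --set-counters 0 0 -j DROP
# m_p_e: dispatch established traffic to the _su / _du chains.
echo m_p_e
iptables -t mangle -X m_p_e >/dev/null 2>&1
iptables -t mangle -N m_p_e
iptables -t mangle -A m_p_e --set-counters 0 0 -j m_p_e_su -p tcp --sport 1024:65535
iptables -t mangle -A m_p_e --set-counters 0 0 -j m_p_e_su -p udp --sport 1024:65535
iptables -t mangle -A m_p_e --set-counters 0 0 -j m_p_e_du -p tcp --dport 1024:65535
iptables -t mangle -A m_p_e --set-counters 0 0 -j m_p_e_du -p udp --dport 1024:65535
iptables -t mangle -A m_p_e --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 0/0 # ICMP_ECHOREPLY
iptables -t mangle -A m_p_e --set-counters 0 0 -j ACCEPT -p 41
iptables -t mangle -A m_p_e --set-counters 0 0 -j LOG --log-prefix 'm_p_e '
$DROP iptables -t mangle -A m_p_e --set-counters 0 0 -j DROP
# mangle PREROUTING: sanity drops, then RELATED, ESTABLISHED and NEW dispatch.
$DROP iptables -t mangle -A PREROUTING --set-counters 0 0 -j DROP -m state --state INVALID
# FIN without ACK is never valid (stealth-scan signature).
$DROP iptables -t mangle -A PREROUTING --set-counters 0 0 -j DROP -p tcp --tcp-flags FIN,ACK,SYN FIN
# NOTE(review): with both port weights 0 the psd total can never reach the
# threshold of 1, so this rule appears to be dead; kept for fidelity.
$PSD iptables -t mangle -A PREROUTING -j DROP -m psd --psd-weight-threshold 1 --psd-delay-threshold 9999 --psd-lo-ports-weight 0 --psd-hi-ports-weight 0 -i ppp0
# Never accept ICMP redirects from the wire.
$DROP iptables -t mangle -A PREROUTING --set-counters 0 0 -j DROP -p icmp --icmp-type 5/1 # ICMP_REDIRECT
# RELATED ICMP errors needed for working path-MTU discovery and traceroute:
# 3/0 net unreachable, 3/1 host unreachable, 3/2 protocol unreachable,
# 3/3 port unreachable, 3/9 network administratively prohibited,
# 3/13 communication administratively filtered, 11/0 TTL exceeded.
for related_icmp in 3/0 3/1 3/2 3/3 3/9 3/13 11/0; do
  iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type "$related_icmp"
done
# Active-mode FTP data connections and LAN-originated related connections.
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p tcp --sport 20 --dport 1024:65535
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p tcp --sport 1024:65535 --dport 1024:65535 -i eth0
iptables -t mangle -A PREROUTING --set-counters 0 0 -j LOG -m state --state RELATED --log-prefix 'm_p_r '
iptables -t mangle -A PREROUTING --set-counters 0 0 -j m_p_e -m state --state ESTABLISHED
iptables -t mangle -A PREROUTING --set-counters 0 0 -j m_p_n -m state --state NEW
iptables -t mangle -A PREROUTING --set-counters 0 0 -j LOG --log-prefix 'm_p '
# Final policy (also set before the table was flushed; repeated here so the end
# state is DROP whenever the switch is on).
$DROP iptables -t mangle -P PREROUTING DROP
echo 1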
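# ------------------------------------------------------------------------------
# n a t
# ------------------------------------------------------------------------------
# Only the first packet of a connection traverses the nat table, so the policies
# and the $DROP rules here act on new connections only.  The DROP policies (when
# enabled) are set before the flush so the table fails closed during the rebuild
# instead of accepting every new connection until the last line is reached; with
# DROP=: they are reset to ACCEPT as before.  Run this with console access at
# hand: a rule that fails to load (e.g. a missing match module) now leaves the
# table closed rather than open.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
$DROP iptables -t nat -P PREROUTING DROP
$DROP iptables -t nat -P OUTPUT DROP
iptables -t nat -F
iptables -t nat -X pre_ext >/dev/null 2>&1
iptables -t nat -N pre_ext
iptables -t nat -X pre_http >/dev/null 2>&1 # ad/banner-server sinkhole, filled in below
iptables -t nat -N pre_http
# n_p_n_su: new connections with an unprivileged source port, by destination port.
iptables -t nat -X n_p_n_su >/dev/null 2>&1
iptables -t nat -N n_p_n_su
# IRC from 10.0.0.95 is transparently redirected to a local proxy on 9002.
iptables -t nat -A n_p_n_su --set-counters 0 0 -j REDIRECT -s 10.0.0.95 -p tcp -m mport -d ! 10.0.0.2 --dport 6665:6669,9000 --to-port 9002
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport $PUB_TCP_SRV
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport 21,53,79,110,139,143,443,993 -i eth0
# Proxy ports from the LAN only, rate-limited; from anywhere else dropped.
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport 1080,3128,8080 -i eth0 -m limit --limit 3/s
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p udp --dport 53 -i eth0
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p udp --dport 123 -i eth0
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p udp --dport 58888 -s 193.126.85.29
$DROP iptables -t nat -A n_p_n_su --set-counters 0 0 -j DROP -p tcp -m multiport --dport 1080,3128,8080
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p tcp --dport 1024:65535
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p udp --dport 1024:65535
# NOTE(review): this chain is only entered for source ports >= 1024 (see n_p_n),
# so a rule on --sport 443,993 can never match; kept for fidelity.
iptables -t nat -A n_p_n_su --set-counters 0 0 -j DROP -p tcp -m mport --sport 443,993
iptables -t nat -A n_p_n_su --set-counters 0 0 -j LOG --log-prefix 'n_p_n_su '
$DROP iptables -t nat -A n_p_n_su --set-counters 0 0 -j DROP
# n_p_n: all new connections seen by nat PREROUTING.
iptables -t nat -X n_p_n >/dev/null 2>&1
iptables -t nat -N n_p_n
iptables -t nat -A n_p_n -j ACCEPT -p 41 -s 193.126.85.29
iptables -t nat -A n_p_n -j ACCEPT -p udp --sport 68 --dport 67 -i eth0
iptables -t nat -A n_p_n -j n_p_n_su -p tcp --sport 1024:65535
iptables -t nat -A n_p_n -j n_p_n_su -p udp --sport 1024:65535
iptables -t nat -A n_p_n -j ACCEPT -p tcp --sport 80 --dport 1024:65535
$DROP iptables -t nat -A n_p_n -j DROP -p tcp -m multiport --dport 1080,3128,8080
# NetBIOS name service talking to DNS, and Windows broadcast noise.
$DROP iptables -t nat -A n_p_n -j DROP -p udp --dport 53 --sport 137
$DROP iptables -t nat -A n_p_n -j DROP -p tcp --dport 53 --sport 137
$DROP iptables -t nat -A n_p_n -j DROP -p udp --dport 137:139 -d 10.255.255.255
iptables -t nat -A n_p_n -j ACCEPT -p icmp -i eth0 --icmp-type 8/0 # ICMP_ECHO
# NOTE(review): shadowed by the unconditional eth0 accept just above; kept for fidelity.
iptables -t nat -A n_p_n -j ACCEPT -p icmp --icmp-type 8/0 -m limit --limit 1/s -i eth0 # ICMP_ECHO
$DROP iptables -t nat -A n_p_n -j DROP -p icmp --icmp-type 8/0 # ICMP_ECHO
$DROP iptables -t nat -A n_p_n -j DROP -p udp --dport 137 -d ! 10.0.0.2
$DROP iptables -t nat -A n_p_n -j DROP -p tcp --dport 443
iptables -t nat -A n_p_n -j LOG --log-prefix 'n_p_n '
$DROP iptables -t nat -A n_p_n -j DROP
# nat PREROUTING.
# NOTE(review): every NEW connection goes through n_p_n first.  n_p_n_su ACCEPTs
# any TCP/UDP to a port >= 1024 and, with DROP enabled, n_p_n ends in DROP; an
# ACCEPT in the nat table ends nat processing for that connection, so the DNAT
# port forwards in pre_ext (and the pre_http sinkhole) look unreachable for most
# inbound traffic.  Check the pre_ext counters before relying on the forwards;
# the likely fix is to jump to pre_ext before n_p_n, which is not done here
# because it also changes what gets logged.
iptables -t nat -A PREROUTING -j n_p_n -m state --state NEW
iptables -t nat -A PREROUTING -j ACCEPT -m state --state RELATED -p tcp --sport 20 --dport 1024:65535
iptables -t nat -A PREROUTING --set-counters 0 0 -j ACCEPT -i eth0 -p udp -d 255.255.255.255 --sport 68 --dport 67
iptables -t nat -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -t nat -A PREROUTING --set-counters 0 0 -j pre_ext -i ppp+
iptables -t nat -A PREROUTING --set-counters 0 0 -j pre_ext -i eth1
iptables -t nat -A PREROUTING --set-counters 0 0 -j pre_ext -i ippp+
iptables -t nat -A PREROUTING --set-counters 0 0 -j pre_http -p tcp --dport 80
iptables -t nat -A PREROUTING --set-counters 0 0 -j ACCEPT -s 10.0.0.95 -d 194.125.103.0/24
iptables -t nat -A PREROUTING --set-counters 0 0 -j ACCEPT -i eth0
iptables -t nat -A PREROUTING --set-counters 0 0 -j ACCEPT -i lo
iptables -t nat -A PREROUTING -j LOG -m state --state RELATED --log-prefix 'n_p_r '
iptables -t nat -A PREROUTING -j LOG -m state --state ESTABLISHED --log-prefix 'n_p_e '
iptables -t nat -A PREROUTING --set-counters 0 0 -j LOG --log-prefix 'n_p '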
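# nat OUTPUT: new connections originated by the firewall itself.
echo nat_OUTPUT
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -o eth0
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -o lo
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp -m multiport --sport $PUB_TCP_SRV
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport 21,22,25,53,43,80,443,143,5000
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p udp -m multiport --dport 53,123
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 8/0 # ICMP_ECHO
# NOTE(review): every pre_http rule matches -i eth0, which a locally generated
# packet can never satisfy, so this jump is effectively a no-op for OUTPUT.
iptables -t nat -A OUTPUT --set-counters 0 0 -j pre_http -p tcp --dport 80
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p all -d 193.126.85.29
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp -o ppp0 --sport 1024:65535 --dport 79
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp -o ppp0 --sport 1024:65535 --dport 113
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp -o ppp0 --sport 1024:65535 --dport 993
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p udp -o ppp0 --sport 1024:65535 --dport 1024:65535
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp --dport 2000:65525
iptables -t nat -A OUTPUT --set-counters 0 0 -j LOG --log-prefix 'n_o '
# Belt and braces: set the policy again at the end so the final state is DROP
# whenever the switch is on, regardless of what the table reset above did.
$DROP iptables -t nat -P OUTPUT DROP
# Masquerade everything leaving through an external interface.
iptables -t nat -A POSTROUTING --set-counters 0 0 -j MASQUERADE -o ppp+
ipt-ables_masq_placeholder_never_used=0 2>/dev/null ; unset ipt-ables_masq_placeholder_never_used 2>/dev/null
iptables -t nat -A POSTROUTING --set-counters 0 0 -j MASQUERADE -o eth1
iptables -t nat -A POSTROUTING --set-counters 0 0 -j MASQUERADE -o ippp+
# pre_http: web requests from the LAN to known ad/banner servers are DNATed to
# the internal sink host 10.0.0.200 ("Behandlung von Banner Servern").
# All entries share the same rule shape, so they are kept in one list; order is
# irrelevant because the destinations do not overlap.
for banner_net in \
  62.26.220.2 62.27.38.2 192.85.241.143 194.221.66.0/24 \
  194.221.183.223/32 194.221.183.224/30 195.27.70.124 207.35.172.153 \
  212.172.60.39 212.172.60.43 213.164.1.9 213.165.64.39/32 \
  213.165.64.40/30 213.165.64.44/32 194.175.173.23 212.6.90.71
do
  iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d "$banner_net" --to-destination 10.0.0.200
done
echo 3
# pre_ext: new connections arriving on an external interface.  Port forwards
# to LAN hosts first (see the port list at the top), then the firewall's own
# public services are REDIRECTed to the local address of the incoming interface.
iptables -t nat -A pre_ext --set-counters 0 0 -j DNAT -p tcp --dport 7000:7100 --to-destination 10.0.0.97
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -p all -s 193.126.85.29 # IPv6 tunnel peer
iptables -t nat -A pre_ext --set-counters 0 0 -j DNAT -p tcp --dport 7200:7300 --to-destination 10.0.0.96
iptables -t nat -A pre_ext --set-counters 0 0 -j DNAT -p tcp --dport 7400:7500 --to-destination 10.0.0.99
iptables -t nat -A pre_ext --set-counters 0 0 -j DNAT -p tcp --dport 3100 --to-destination 10.0.0.95
iptables -t nat -A pre_ext --set-counters 0 0 -j DNAT -p tcp --dport 3200 --to-destination 10.0.0.95
iptables -t nat -A pre_ext --set-counters 0 0 -j REDIRECT -p tcp -m multiport --dport $PUB_TCP_SRV
# Known junk from the outside: NetBIOS, a couple of trojan/game ports, replies
# from privileged source ports that no local client asked for, and one host.
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -p tcp -m multiport --dport 137,138,139,8000,12345
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -p tcp -m mport --sport 21,22,80,110,443,500,1080,44444,6665:6669
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -p udp --sport 2213
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -p udp -m multiport --dport 137,138,139,27015
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -p icmp --icmp-type 8/0 # ICMP_ECHO
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -s 63.147.197.184
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -p udp --sport 53
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -p tcp --sport 20
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/1 # ICMP_DEST_UNREACH / ICMP_HOST_UNREACH
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/3 # ICMP_DEST_UNREACH / ICMP_PORT_UNREACH
# Bait ports handed to portsentry on the firewall.
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport 1,21,23,53,79,110,111,1080,1214,6699 # portsentry
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -p udp -m multiport --dport 1,53,161,1029 # portsentry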
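# ------------------------------------------------------------------------------
# f i l t e r
# ------------------------------------------------------------------------------
# Policies.  OUTPUT stays ACCEPT: packets generated by the firewall itself are
# not filtered here.  INPUT and FORWARD are set to DROP *before* the flush when
# the switch is on, so the host fails closed while the chains are rebuilt; the
# original set ACCEPT here and only switched to DROP after the last rule, which
# left the box wide open for the duration of every reload (and for good, if the
# script aborted half-way).  With DROP=: the policies are reset to ACCEPT as
# before.  Consequence: run this with console access available -- a rule that
# fails to load now leaves the host closed rather than open.
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
$DROP iptables -t filter -P INPUT DROP
$DROP iptables -t filter -P FORWARD DROP
iptables -t filter -F
# f_f_n_su: new connections LAN (eth0) -> uplink (ppp0) with an unprivileged
# source port; allowed destination ports.
echo f_f_n_su
iptables -t filter -X f_f_n_su >/dev/null 2>&1
iptables -t filter -N f_f_n_su
iptables -t filter -A f_f_n_su --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t filter -A f_f_n_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 21,25,79,80,110,443,993,1024:65535
iptables -t filter -A f_f_n_su --set-counters 0 0 -j ACCEPT -p udp -m mport --dport 53,123
iptables -t filter -A f_f_n_su --set-counters 0 0 -j ACCEPT -p udp --dport 1024:65535 # traceroute
iptables -t filter -A f_f_n_su --set-counters 0 0 -j LOG --log-prefix 'f_f_n_su '
$DROP iptables -t filter -A f_f_n_su --set-counters 0 0 -j DROP
# f_f_n: all new forwarded connections.
echo f_f_n
iptables -t filter -X f_f_n >/dev/null 2>&1
iptables -t filter -N f_f_n
iptables -t filter -A f_f_n --set-counters 0 0 -j f_f_n_su -p tcp --sport 1024:65535 -o ppp0 -i eth0
iptables -t filter -A f_f_n --set-counters 0 0 -j f_f_n_su -p udp --sport 1024:65535 -o ppp0 -i eth0
iptables -t filter -A f_f_n --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 8/0 -o ppp0 -i eth0 # ICMP_ECHO
# Proxy ports from the LAN, rate-limited; anything over the limit or from
# elsewhere is dropped.
iptables -t filter -A f_f_n --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 1080,8080 -i eth0 -m limit --limit 2/s
$DROP iptables -t filter -A f_f_n --set-counters 0 0 -j DROP -p tcp -m mport --dport 1080,8080
$DROP iptables -t filter -A f_f_n --set-counters 0 0 -j DROP -p udp --dport 137 -d ! 10.0.0.2
iptables -t filter -A f_f_n --set-counters 0 0 -j ACCEPT -p 41 -i eth0 -o ppp0
iptables -t filter -A f_f_n --set-counters 0 0 -j LOG --log-prefix 'f_f_n '
$DROP iptables -t filter -A f_f_n --set-counters 0 0 -j DROP
# f_f_e_su: established LAN -> uplink traffic with an unprivileged source port.
echo f_f_e_su
iptables -t filter -X f_f_e_su >/dev/null 2>&1
iptables -t filter -N f_f_e_su
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 20,21,25,79,80,110,443,993,1024:65535
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p udp -m mport --dport 53,123
# High-port UDP (games) for three LAN hosts, in both directions.
for lan_host in 10.0.0.99 10.0.0.96 10.0.0.40; do
  iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p udp --sport 1024:65535 --dport 1024:65535 -s "$lan_host"
  iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p udp --sport 1024:65535 --dport 1024:65535 -d "$lan_host"
done
iptables -t filter -A f_f_e_su --set-counters 0 0 -j LOG --log-prefix 'f_f_e_su '
$DROP iptables -t filter -A f_f_e_su --set-counters 0 0 -j DROP
# f_f_e_du: established uplink -> LAN traffic with an unprivileged destination port.
echo f_f_e_du
iptables -t filter -X f_f_e_du >/dev/null 2>&1
iptables -t filter -N f_f_e_du
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p tcp -m mport --sport 20,21,22,25,79,80,110,443,993,1024:65535
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p tcp -m multiport --sport 1080,2339,3128,8080 # 2339 ( gerry )
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p udp --sport 123
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p udp --sport 27000:27999 --dport 1024:65535
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p udp --dport 27000:27999 --sport 1024:65535
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p udp --dport 1024:65535 --sport 1024:65535
iptables -t filter -A f_f_e_du --set-counters 0 0 -j LOG --log-prefix 'f_f_e_du '
$DROP iptables -t filter -A f_f_e_du --set-counters 0 0 -j DROP
# f_f_e: dispatch established forwarded traffic by direction and port class.
echo f_f_e
iptables -t filter -X f_f_e >/dev/null 2>&1
iptables -t filter -N f_f_e
iptables -t filter -A f_f_e --set-counters 0 0 -j f_f_e_su -p tcp --sport 1024:65535 -o ppp0 -i eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j f_f_e_su -p udp --sport 1024:65535 -o ppp0 -i eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j f_f_e_du -p tcp --dport 1024:65535 -i ppp0 -o eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j f_f_e_du -p udp --dport 1024:65535 -i ppp0 -o eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 0/0 -i ppp0 -o eth0 # ICMP_ECHOREPLY
iptables -t filter -A f_f_e --set-counters 0 0 -j ACCEPT -p 41 -i eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j ACCEPT -p 41 -o eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j LOG --log-prefix 'f_f_e '
$DROP iptables -t filter -A f_f_e --set-counters 0 0 -j DROP
echo filter_FORWARD
# Anti-spoofing: nothing arriving on an external interface may carry an internal
# (10.0.0.0/8) source address -- such a packet would otherwise be forwarded into
# the LAN as if it came from a neighbour.  rp_filter may already catch this, but
# the script does not enable it, so make the check explicit.  $LIMIT keeps the
# LOG from flooding and is expanded unquoted on purpose.
# shellcheck disable=SC2086
for ext_if in ppp+ ippp+ eth1; do
  iptables -t filter -A FORWARD -i "$ext_if" -s 10.0.0.0/8 $LIMIT -j LOG --log-prefix 'f_f_spoof '
  $DROP iptables -t filter -A FORWARD -i "$ext_if" -s 10.0.0.0/8 -j DROP
done
# Clamp MSS on the dial-up uplink so PMTU blackholes do not stall TCP.
iptables -t filter -A FORWARD --set-counters 0 0 -j TCPMSS -o ppp+ -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu
# RELATED: active FTP data, LAN-originated related flows, and the ICMP errors
# needed for PMTU discovery / traceroute (3/0 net, 3/1 host, 3/3 port
# unreachable, 3/13 administratively filtered, 11/0 TTL exceeded).
iptables -t filter -A FORWARD --set-counters 0 0 -j ACCEPT -m state --state RELATED -p tcp --sport 20 --dport 1024:65535 -i ppp0
iptables -t filter -A FORWARD --set-counters 0 0 -j ACCEPT -m state --state RELATED -p tcp --sport 1024:65535 --dport 1024:65535 -i eth0
for related_icmp in 3/0 3/1 3/3 3/13 11/0; do
  iptables -t filter -A FORWARD --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type "$related_icmp"
done
iptables -t filter -A FORWARD --set-counters 0 0 -j LOG --log-prefix 'f_f_r ' -m state --state RELATED
iptables -t filter -A FORWARD --set-counters 0 0 -j f_f_e -m state --state ESTABLISHED
iptables -t filter -A FORWARD --set-counters 0 0 -j f_f_n -m state --state NEW
iptables -t filter -A FORWARD --set-counters 0 0 -j LOG --log-prefix 'f_f '
# Belt and braces for transit traffic: the FORWARD policy was already set
# before the flush; repeat it so the end state is DROP whenever the switch is on.
$DROP iptables -t filter -P FORWARD DROP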
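# f_i_e_su: established traffic to the firewall with an unprivileged source
# port; allowed destination ports.
echo f_i_e_su
iptables -t filter -X f_i_e_su >/dev/null 2>&1
iptables -t filter -N f_i_e_su
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport $PUB_TCP_SRV
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --sport 1024:65535 --dport 1024:65535
# Everything below this line is LAN/loopback only: TCP from the uplink stops here.
$DROP iptables -t filter -A f_i_e_su --set-counters 0 0 -j DROP -p tcp -i ppp0
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport 53,110,139,143,443,993
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 6665:6669
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 9002 -i eth0 -s 10.0.0.95
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p udp -m multiport --dport 53,123,161
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --sport 6000 --dport 1024:65535 -i eth0
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --sport 6000 --dport 1024:65535 -i lo
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 6000 --sport 1024:65535 -i lo
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --sport 6660:6669
iptables -t filter -A f_i_e_su --set-counters 0 0 -j LOG --log-prefix 'f_i_e_su '
$DROP iptables -t filter -A f_i_e_su --set-counters 0 0 -j DROP
# f_i_e_du: established traffic to the firewall with an unprivileged destination
# port; allowed source ports.
echo f_i_e_du
iptables -t filter -X f_i_e_du >/dev/null 2>&1
iptables -t filter -N f_i_e_du
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p tcp --sport 22
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p tcp -m multiport --sport $PUB_TCP_SRV
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p tcp -m multiport --sport 53,123,443
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p tcp --sport 1024:65535
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p udp --sport 1024:65535
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p udp -m multiport --sport 53,123
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p tcp -m multiport --sport 21,79,110,143,993
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p udp --sport 161 -i lo
iptables -t filter -A f_i_e_du --set-counters 0 0 -j LOG --log-prefix 'f_i_e_du '
$DROP iptables -t filter -A f_i_e_du --set-counters 0 0 -j DROP
# f_i_e: dispatch established traffic to the firewall by port class.
echo f_i_e
iptables -t filter -X f_i_e >/dev/null 2>&1
iptables -t filter -N f_i_e
iptables -t filter -A f_i_e --set-counters 0 0 -j f_i_e_su -p tcp --sport 1024:65535
iptables -t filter -A f_i_e --set-counters 0 0 -j f_i_e_su -p udp --sport 1024:65535
iptables -t filter -A f_i_e --set-counters 0 0 -j f_i_e_du -p tcp --dport 1024:65535
iptables -t filter -A f_i_e --set-counters 0 0 -j f_i_e_du -p udp --dport 1024:65535
iptables -t filter -A f_i_e --set-counters 0 0 -j ACCEPT -p 41
iptables -t filter -A f_i_e --set-counters 0 0 -j LOG --log-prefix 'f_i_e '
$DROP iptables -t filter -A f_i_e --set-counters 0 0 -j DROP
# f_i_n_su: new connections to the firewall with an unprivileged source port.
# NOTE(review): the TCP accepts for 53,443,110,143,993 carry no -i restriction,
# so DNS/HTTPS/POP3/IMAP/IMAPS on the firewall are reachable from the uplink as
# well, beyond the public list at the top (22,25,80,113,443).  Add -i eth0 to
# those rules if that is not intended.  The 6660:6669 accept is preceded by a
# $DROP-gated drop of the same range, so IRC is closed whenever DROP is on.
echo f_i_n_su
iptables -t filter -X f_i_n_su >/dev/null 2>&1
iptables -t filter -N f_i_n_su
iptables -t filter -A f_i_n_su --set-counters 0 0 -j ACCEPT -p udp -m mport --dport 53,161
$DROP iptables -t filter -A f_i_n_su --set-counters 0 0 -j DROP -p tcp -m mport --dport 6660:6669
iptables -t filter -A f_i_n_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 53,443,110,143,993,6660:6669
# NOTE(review): f_i_n drops tcp/3306 before jumping here when DROP is on, so the
# loopback accept for 3306 is then unreachable; only 6000 (X11) takes effect.
iptables -t filter -A f_i_n_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 3306,6000 -i lo
$DROP iptables -t filter -A f_i_n_su --set-counters 0 0 -j DROP -p tcp -m mport --dport 20,21
# iptables -t filter -A f_i_n_su --set-counters 0 0 -j DROP -s 217.110.115.168
# IRC proxy on 9002 for one LAN host; trusted purely by source address -- the
# anti-spoofing rules in INPUT below are what make that trust safe.
iptables -t filter -A f_i_n_su --set-counters 0 0 -j ACCEPT -p tcp -s 10.0.0.95 -d 10.0.0.2 --dport 9002
iptables -t filter -A f_i_n_su --set-counters 0 0 -j LOG --log-prefix 'f_i_n_su '
$DROP iptables -t filter -A f_i_n_su --set-counters 0 0 -j DROP
# f_i_n: all new connections to the firewall.
echo f_i_n
iptables -t filter -X f_i_n >/dev/null 2>&1
iptables -t filter -N f_i_n
$DROP iptables -t filter -A f_i_n --set-counters 0 0 -j DROP -p tcp --dport 3306
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport $PUB_TCP_SRV
# IPv6 tunnel peer: UDP side channel and protocol 41.
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p udp --dport 58888 -s 193.126.85.29
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p 41 -s 193.126.85.29
# Port-scan detection on every dial-up interface for whatever was not accepted above.
$PSD iptables -t filter -A f_i_n -j DROP -m psd --psd-weight-threshold 1 --psd-delay-threshold 9000 --psd-lo-ports-weight 7 --psd-hi-ports-weight 3 -i ppp+
# iptables -t filter -A f_i_n_su --set-counters 0 0 -j DROP -p tcp -i ppp0
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p udp --sport 68 --dport 67 -i eth0
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p udp --dport 68 --sport 67 -i eth0
iptables -t filter -A f_i_n --set-counters 0 0 -j f_i_n_su -p tcp --sport 1024:65535
iptables -t filter -A f_i_n --set-counters 0 0 -j f_i_n_su -p udp --sport 1024:65535
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 8/0 -i eth0 # ICMP_ECHO
$DROP iptables -t filter -A f_i_n --set-counters 0 0 -j DROP -p tcp --sport 80
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p udp --sport 53 --dport 1024:65535 -i lo
$DROP iptables -t filter -A f_i_n --set-counters 0 0 -j DROP -p udp --sport 137 --dport 53
iptables -t filter -A f_i_n --set-counters 0 0 -j LOG --log-prefix 'f_i_n '
$DROP iptables -t filter -A f_i_n --set-counters 0 0 -j DROP
echo filter_INPUT
# Anti-spoofing: nothing arriving on an external interface may carry an internal
# (10.0.0.0/8) source address.  Several rules above trust -s 10.0.0.x without an
# -i restriction, and rp_filter is not enabled by this script, so the check has
# to be explicit.  $LIMIT keeps the LOG from flooding; expanded unquoted on purpose.
# shellcheck disable=SC2086
for ext_if in ppp+ ippp+ eth1; do
  iptables -t filter -A INPUT -i "$ext_if" -s 10.0.0.0/8 $LIMIT -j LOG --log-prefix 'f_i_spoof '
  $DROP iptables -t filter -A INPUT -i "$ext_if" -s 10.0.0.0/8 -j DROP
done
iptables -t filter -A INPUT --set-counters 0 0 -j f_i_e -m state --state ESTABLISHED
iptables -t filter -A INPUT --set-counters 0 0 -j f_i_n -m state --state NEW
# RELATED ICMP errors: 3/1 host unreachable, 3/2 protocol unreachable, 3/3 port
# unreachable, 3/13 administratively filtered, 11/0 TTL exceeded.
for related_icmp in 3/1 3/2 3/3 3/13 11/0; do
  iptables -t filter -A INPUT --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type "$related_icmp"
done
iptables -t filter -A INPUT --set-counters 0 0 -j LOG --log-prefix 'f_i_r ' -m state --state RELATED
iptables -t filter -A INPUT --set-counters 0 0 -j ACCEPT -p 41
iptables -t filter -A INPUT --set-counters 0 0 -j LOG --log-prefix 'f_i '
# Belt and braces: set the INPUT policy again at the end so the final state is
# DROP whenever the switch is on, regardless of what the table reset did.
$DROP iptables -t filter -P INPUT DROP
# Leftovers kept from earlier experiments (a for_ext chain is never created):
# iptables -t filter -A INPUT --set-counters 0 0 -j DROP -p tcp -m multiport --dport 90,443
# iptables -t filter -A for_ext --set-counters 0 0 -j ACCEPT -p tcp -d 10.0.0.97 --dport 7000:7100
# iptables -t filter -A for_ext --set-counters 0 0 -j ACCEPT -p tcp -d 10.0.0.96 --dport 7200:7300
# iptables -t filter -A for_ext --set-counters 0 0 -j ACCEPT -p tcp -d 10.0.0.99 --dport 7400:7500
# iptables -t filter -A for_ext --set-counters 0 0 -j ACCEPT -p tcp -d 10.0.0.95 -m multiport --dport 3100,3200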