hello all
Radel
netfilter@radel.yi.org
Fri, 6 Jul 2001 08:34:05 +0200
I think your firewall is full of weaknesses, and not readable at all.
Moreover I think it isn't quite correct to do filtering in the mangle table or in
the nat table. I think packet filtering should be done in the filter table,
hence the name...
There are too many --set-counters 0 0, which are useless: --set-counters was
written to allow people doing accounting to save accounting info even while
reloading the rules. By default, adding a rule without setting counters means
zeroing the counters. So --set-counters 0 0 is a waste of typing on the
keyboard.
...
Radel
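As an added illustration of the two points above (example code, not part of Radel's or Thomas's post): a small POSIX shell lint that reads a rule script in the style of the one quoted below, strips the redundant `--set-counters 0 0`, and lists every filtering decision (a `-j DROP` rule or a DROP policy) that sits in the mangle or nat table instead of the filter table. The sample rule lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: lint an iptables rule script
# for the two problems raised above.
#
# 1. "--set-counters 0 0" is the default for a freshly added rule, so it is
#    dead weight; strip_zero_counters() removes it.
# 2. Filtering decisions belong in the filter table; misplaced_filtering()
#    lists rules that DROP (or set a DROP policy) in the mangle or nat table.

# Constructed sample input in the style of the quoted script.
sample_rules() {
    cat <<'EOF'
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp --sport 68 --dport 67
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p tcp --tcp-flags RST RST
$DROP iptables -t nat -P PREROUTING DROP
iptables -t nat -A POSTROUTING --set-counters 0 0 -j MASQUERADE -o ppp+
iptables -t filter -A INPUT --set-counters 0 0 -j ACCEPT -p tcp --dport 22
$DROP iptables -t filter -P INPUT DROP
EOF
}

# Remove the redundant counter reset from every rule; the rule's meaning is
# unchanged because a newly added rule starts with zeroed counters anyway.
strip_zero_counters() {
    sed 's/ --set-counters 0 0//g'
}

# Lines that make a filtering decision in a table other than filter.
# "--" stops grep from reading the pattern (which starts with "-t") as options.
misplaced_filtering() {
    grep -E -- '-t (mangle|nat) .*(-j DROP|-P [A-Z]+ DROP)'
}

# Counting helpers that always print a number (grep -c exits 1 on no match).
count_zero_counters() {
    grep -c -- '--set-counters 0 0' || true
}
count_misplaced_filtering() {
    misplaced_filtering | grep -c '' || true
}

# Usage: run both checks over the sample rules.
echo "rules with --set-counters 0 0 before: $(sample_rules | count_zero_counters)"
echo "rules with --set-counters 0 0 after:  $(sample_rules | strip_zero_counters | count_zero_counters)"
echo "filtering decisions outside the filter table:"
sample_rules | misplaced_filtering
```

To check a real script, replace `sample_rules` with `cat /path/to/firewall.sh`; the `$DROP` prefix used in the quoted script is left in place by both checks, so it is fine to lint the unexpanded source.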
----- Original Message -----
From: Thomas Lussnig <tlussnig@bewegungsmelder.de>
To: Matt Daniels <anakin@glorytoad.net>
Cc: Netfilter <netfilter@lists.samba.org>
Sent: Friday, July 06, 2001 1:57 AM
Subject: Re: hello all
Matt Daniels wrote:
>New to the list, I was wondering how active it's been lately? I wanted to
>replace my ipchains/ipmasqadm (portforwarding) with the new IPtables.
>Anybody give me some reading to do?
>
here is my script
tips:
1. log does not mean drop any more
2. look at the conntrack and state tools
3. look at my script
4. I can promise you that you can learn much more from examples posted and
commented here than from docs.
Cu Thomas Lußnig
>
--------------------------------------------------------------------------------
#!/bin/sh
# Posted 2001, written for iptables 1.2-era syntax: negation is spelled "-d ! addr",
# and the mport and psd matches come from patch-o-matic, so the kernel needs those patches.
# Save the currently loaded rule set before it is replaced.
iptables -L -n -v >> /root/fw.1 ; iptables -L -n -v -t nat >> /root/fw.1
# Debug output helper; "test 2 = 1" is always false, so it is switched off.
log_info() {
test 2 = 1 && echo "$1"
}
# EXTERN="eth1 ppp+ ippp+"
# INTERN="eth0 lo"
LIMIT="-m limit --limit 1/s --limit-burst 10"
# Allowed on the firewall (intercepted by the firewall) from external
# 1 for portsentry ( really dumb ones )
# 22 ( SSH )
# 25 ( SMTP )
# 80 ( HTTP )
# 113 ( IDENT )
# 443 ( HTTPS )
# 00:e0:4c:69:1e:2a Gery
# Allowed from external to internal
# 7000:7100 Starwars
# 7200:7300 Wasserfee
# 7400:7500 Gery2000
# 3100 Camp
# 3200 Champ
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -F
# vi commands to trim the kernel log lines for reading:
# :%s/\(URGP\|MAC\|TTL\|PREC\|LEN\|ID\|TOS\|WINDOW\|RES\)=[^ ]* //g
# :%s/\(SYN\|ACK\|PSH\|FIN\|DF\) //g
# sort log|uniq >log.1;mv log.1 log
# dmesg | sed "s/\(URGP\|MAC\|TTL\|PREC\|LEN\|ID\|TOS\|WINDOW\|RES\)=[^ ]* //g;s/\(SYN\|ACK\|PSH\|FIN\|DF\) //g"|sort|uniq >log
# Uncomment either line to disable the rules prefixed with $PSD or $DROP:
# ":" is the shell no-op, so "$DROP iptables ..." then does nothing.
#PSD=":"
#DROP=":"
PUB_TCP_SRV='22,25,80,113'
echo m_p_n
iptables -t mangle -X m_p_n >/dev/null 2>&1
iptables -t mangle -N m_p_n
iptables -t mangle -A m_p_n -j ACCEPT -p tcp --dport 22
iptables -t mangle -A m_p_n -j ACCEPT -p tcp -m multiport --dport $PUB_TCP_SRV
iptables -t mangle -A m_p_n -j ACCEPT -p udp --dport 1024:65535 --sport 1024:65535 -s 193.126.85.29
iptables -t mangle -A m_p_n -j ACCEPT -p 41 -s 193.126.85.29
$PSD iptables -t mangle -A m_p_n -j DROP -p tcp --dport 1:1024 -m psd --psd-weight-threshold 1 --psd-delay-threshold 9000 --psd-lo-ports-weight 3 -i ppp0
$PSD iptables -t mangle -A m_p_n -j DROP -p udp --dport 1:1024 -m psd --psd-weight-threshold 1 --psd-delay-threshold 9000 --psd-lo-ports-weight 3 -i ppp0
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp --sport 68 --dport 67
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp --dport 68 --sport 67
$DROP iptables -t mangle -A m_p_n -j DROP -p tcp -m multiport --dport 1214,3306,6667,2000,10000,9002 -i ppp0
$DROP iptables -t mangle -A m_p_n -j DROP -p tcp -m multiport --dport 2186,6667,10000,1150 -i ppp0
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p udp -d ! 10.0.0.2 --dport 137:138
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p tcp --dport 1024:65535 --sport 1024:65535
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p tcp --dport 11 -i lo
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p tcp --sport 993 --dport 1024:65535
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p tcp --sport 443 --dport 1024:65535
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 21,53,79,139,110,143,443,993,1080,6665,6669
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp --sport 53 -i lo
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp -m multiport --dport 53,123,161
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 8/0 -i eth0 # ICMP_ECHO
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 8/0 -i lo # ICMP_ECHO
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p icmp --icmp-type 8/0 # ICMP_ECHO
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p tcp --tcp-flags RST RST
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p tcp --sport 80
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p udp --dport 1024:65535
iptables -t mangle -A m_p_n --set-counters 0 0 -j ACCEPT -p 41
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p udp --dport 137:139 -d 10.255.255.255 # Windows broadcast junk
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP -p udp --sport 137 -d ! 10.0.0.2
iptables -t mangle -A m_p_n --set-counters 0 0 -j LOG --log-prefix 'm_p_n '
$DROP iptables -t mangle -A m_p_n --set-counters 0 0 -j DROP
echo m_p_e_su
iptables -t mangle -X m_p_e_su >/dev/null 2>&1
iptables -t mangle -N m_p_e_su
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport $PUB_TCP_SRV
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 20,21,53,79,110,139,143,443,993,1024:65535
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -m multiport -p udp --dport 53,123,161
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 6000 -i lo
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p tcp --sport 6000 --dport 1024:65535 -i lo
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p udp --sport 27000:27999 --dport 1024:65535
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p udp --dport 27000:27999 --sport 1024:65535
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j ACCEPT -p udp --dport 1024:65535 --sport 1024:65535
iptables -t mangle -A m_p_e_su --set-counters 0 0 -j LOG --log-prefix 'm_p_e_su '
$DROP iptables -t mangle -A m_p_e_su --set-counters 0 0 -j DROP
echo m_p_e_du
iptables -t mangle -X m_p_e_du >/dev/null 2>&1
iptables -t mangle -N m_p_e_du
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j ACCEPT -p tcp --sport 22
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j ACCEPT -p tcp -m mport --sport $PUB_TCP_SRV
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j ACCEPT -p tcp -m mport --sport 20,21,53,79,110,443,993
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j ACCEPT -m multiport -p udp --sport 53,123,161
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j ACCEPT -p tcp --sport 143
iptables -t mangle -A m_p_e_du --set-counters 0 0 -j LOG --log-prefix 'm_p_e_du '
$DROP iptables -t mangle -A m_p_e_du --set-counters 0 0 -j DROP
echo m_p_e
iptables -t mangle -X m_p_e >/dev/null 2>&1
iptables -t mangle -N m_p_e
iptables -t mangle -A m_p_e --set-counters 0 0 -j m_p_e_su -p tcp --sport 1024:65535
iptables -t mangle -A m_p_e --set-counters 0 0 -j m_p_e_su -p udp --sport 1024:65535
iptables -t mangle -A m_p_e --set-counters 0 0 -j m_p_e_du -p tcp --dport 1024:65535
iptables -t mangle -A m_p_e --set-counters 0 0 -j m_p_e_du -p udp --dport 1024:65535
iptables -t mangle -A m_p_e --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 0/0 # ICMP_ECHOREPLY
iptables -t mangle -A m_p_e --set-counters 0 0 -j ACCEPT -p 41
iptables -t mangle -A m_p_e --set-counters 0 0 -j LOG --log-prefix 'm_p_e '
$DROP iptables -t mangle -A m_p_e --set-counters 0 0 -j DROP
$DROP iptables -t mangle -A PREROUTING --set-counters 0 0 -j DROP -m state --state INVALID
$DROP iptables -t mangle -A PREROUTING --set-counters 0 0 -j DROP -p tcp --tcp-flags FIN,ACK,SYN FIN
$PSD iptables -t mangle -A PREROUTING -j DROP -m psd --psd-weight-threshold 1 --psd-delay-threshold 9999 --psd-lo-ports-weight 0 --psd-hi-ports-weight 0 -i ppp0
# The target was missing after "-j" in the posted copy; DROP restored from the $DROP prefix.
$DROP iptables -t mangle -A PREROUTING --set-counters 0 0 -j DROP -p icmp --icmp-type 5/1 # ICMP_REDIRECT
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/0 # ICMP_DEST_UNREACH / ICMP_NET_UNREACH
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/1 # ICMP_DEST_UNREACH / ICMP_HOST_UNREACH
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/2 # ICMP_DEST_UNREACH / ICMP_PROT_UNREACH
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/3 # ICMP_DEST_UNREACH / ICMP_PORT_UNREACH
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/9 # ICMP_DEST_UNREACH / ICMP_NET_ANO
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/13 # ICMP_DEST_UNREACH / ICMP_PKT_FILTERED
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 11/0 # ICMP_TIME_EXCEEDED / ICMP_EXC_TTL
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p tcp --sport 20 --dport 1024:65535
iptables -t mangle -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state RELATED -p tcp --sport 1024:65535 --dport 1024:65535 -i eth0
iptables -t mangle -A PREROUTING --set-counters 0 0 -j LOG -m state --state RELATED --log-prefix 'm_p_r '
iptables -t mangle -A PREROUTING --set-counters 0 0 -j m_p_e -m state --state ESTABLISHED
iptables -t mangle -A PREROUTING --set-counters 0 0 -j m_p_n -m state --state NEW
iptables -t mangle -A PREROUTING --set-counters 0 0 -j LOG --log-prefix 'm_p '
$DROP iptables -t mangle -P PREROUTING DROP
echo 1
# ------------------------------------------------------------------------------
# n a t
# ------------------------------------------------------------------------------
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -F
iptables -t nat -X pre_ext >/dev/null 2>&1
iptables -t nat -N pre_ext
iptables -t nat -X pre_http >/dev/null 2>&1 # Handling of banner servers :-)
iptables -t nat -N pre_http
iptables -t nat -X n_p_n_su >/dev/null 2>&1
iptables -t nat -N n_p_n_su
iptables -t nat -A n_p_n_su --set-counters 0 0 -j REDIRECT -s 10.0.0.95 -p tcp -m mport -d ! 10.0.0.2 --dport 6665:6669,9000 --to-port 9002
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport $PUB_TCP_SRV
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport 21,53,79,110,139,143,443,993 -i eth0
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport 1080,3128,8080 -i eth0 -m limit --limit 3/s
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p udp --dport 53 -i eth0
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p udp --dport 123 -i eth0
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p udp --dport 58888 -s 193.126.85.29
$DROP iptables -t nat -A n_p_n_su --set-counters 0 0 -j DROP -p tcp -m multiport --dport 1080,3128,8080
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p tcp --dport 1024:65535
iptables -t nat -A n_p_n_su --set-counters 0 0 -j ACCEPT -p udp --dport 1024:65535
iptables -t nat -A n_p_n_su --set-counters 0 0 -j DROP -p tcp -m mport --sport 443,993
iptables -t nat -A n_p_n_su --set-counters 0 0 -j LOG --log-prefix 'n_p_n_su '
$DROP iptables -t nat -A n_p_n_su --set-counters 0 0 -j DROP
iptables -t nat -X n_p_n >/dev/null 2>&1
iptables -t nat -N n_p_n
iptables -t nat -A n_p_n -j ACCEPT -p 41 -s 193.126.85.29
iptables -t nat -A n_p_n -j ACCEPT -p udp --sport 68 --dport 67 -i eth0
iptables -t nat -A n_p_n -j n_p_n_su -p tcp --sport 1024:65535
iptables -t nat -A n_p_n -j n_p_n_su -p udp --sport 1024:65535
iptables -t nat -A n_p_n -j ACCEPT -p tcp --sport 80 --dport 1024:65535
$DROP iptables -t nat -A n_p_n -j DROP -p tcp -m multiport --dport 1080,3128,8080
# The next two rules had a bare "--dport" with no value in the posted copy; the
# value is not recoverable, so they are kept here as comments with a placeholder.
# $DROP iptables -t nat -A n_p_n -j DROP -p udp --dport <value lost> --sport 137
# $DROP iptables -t nat -A n_p_n -j DROP -p tcp --dport <value lost> --sport 137
$DROP iptables -t nat -A n_p_n -j DROP -p udp --dport 137:139 -d 10.255.255.255 # Windows broadcast junk
iptables -t nat -A n_p_n -j ACCEPT -p icmp -i eth0 --icmp-type 8/0 # ICMP_ECHO
iptables -t nat -A n_p_n -j ACCEPT -p icmp --icmp-type 8/0 -m limit --limit 1/s -i eth0 # ICMP_ECHO
$DROP iptables -t nat -A n_p_n -j DROP -p icmp --icmp-type 8/0 # ICMP_ECHO
$DROP iptables -t nat -A n_p_n -j DROP -p udp --dport 137 -d ! 10.0.0.2
$DROP iptables -t nat -A n_p_n -j DROP -p tcp --dport 443
iptables -t nat -A n_p_n -j LOG --log-prefix 'n_p_n '
$DROP iptables -t nat -A n_p_n -j DROP
iptables -t nat -A PREROUTING -j n_p_n -m state --state NEW
iptables -t nat -A PREROUTING -j ACCEPT -m state --state RELATED -p tcp --sport 20 --dport 1024:65535
iptables -t nat -A PREROUTING --set-counters 0 0 -j ACCEPT -i eth0 -p udp -d 255.255.255.255 --sport 68 --dport 67
iptables -t nat -A PREROUTING --set-counters 0 0 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -t nat -A PREROUTING --set-counters 0 0 -j pre_ext -i ppp+
iptables -t nat -A PREROUTING --set-counters 0 0 -j pre_ext -i eth1
iptables -t nat -A PREROUTING --set-counters 0 0 -j pre_ext -i ippp+
iptables -t nat -A PREROUTING --set-counters 0 0 -j pre_http -p tcp --dport 80
iptables -t nat -A PREROUTING --set-counters 0 0 -j ACCEPT -s 10.0.0.95 -d 194.125.103.0/24
iptables -t nat -A PREROUTING --set-counters 0 0 -j ACCEPT -i eth0
iptables -t nat -A PREROUTING --set-counters 0 0 -j ACCEPT -i lo
iptables -t nat -A PREROUTING -j LOG -m state --state RELATED --log-prefix 'n_p_r '
iptables -t nat -A PREROUTING -j LOG -m state --state ESTABLISHED --log-prefix 'n_p_e '
iptables -t nat -A PREROUTING --set-counters 0 0 -j LOG --log-prefix 'n_p '
$DROP iptables -t nat -P PREROUTING DROP
echo nat_OUTPUT
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -o eth0
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -o lo
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp -m multiport --sport $PUB_TCP_SRV
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport 21,22,25,53,43,80,443,143,5000
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p udp -m multiport --dport 53,123
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 8/0 # ICMP_ECHO
iptables -t nat -A OUTPUT --set-counters 0 0 -j pre_http -p tcp --dport 80
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p all -d 193.126.85.29
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp -o ppp0 --sport 1024:65535 --dport 79
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp -o ppp0 --sport 1024:65535 --dport 113
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp -o ppp0 --sport 1024:65535 --dport 993
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p udp -o ppp0 --sport 1024:65535 --dport 1024:65535
iptables -t nat -A OUTPUT --set-counters 0 0 -j ACCEPT -p tcp --dport 2000:65525
iptables -t nat -A OUTPUT --set-counters 0 0 -j LOG --log-prefix 'n_o '
$DROP iptables -t nat -P OUTPUT DROP
iptables -t nat -A POSTROUTING --set-counters 0 0 -j MASQUERADE -o ppp+
iptables -t nat -A POSTROUTING --set-counters 0 0 -j MASQUERADE -o eth1
iptables -t nat -A POSTROUTING --set-counters 0 0 -j MASQUERADE -o ippp+
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 62.26.220.2 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 62.27.38.2 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 192.85.241.143 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 194.221.66.0/24 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 194.221.183.223/32 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 194.221.183.224/30 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 195.27.70.124 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 207.35.172.153 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 212.172.60.39 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 212.172.60.43 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 213.164.1.9 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 213.165.64.39/32 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 213.165.64.40/30 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 213.165.64.44/32 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 194.175.173.23 --to-destination 10.0.0.200
iptables -t nat -A pre_http --set-counters 0 0 -j DNAT -i eth0 -p tcp -d 212.6.90.71 --to-destination 10.0.0.200
echo 3
iptables -t nat -A pre_ext --set-counters 0 0 -j DNAT -p tcp --dport 7000:7100 --to-destination 10.0.0.97
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -p all -s 193.126.85.29 # IPv6
iptables -t nat -A pre_ext --set-counters 0 0 -j DNAT -p tcp --dport 7200:7300 --to-destination 10.0.0.96
iptables -t nat -A pre_ext --set-counters 0 0 -j DNAT -p tcp --dport 7400:7500 --to-destination 10.0.0.99
iptables -t nat -A pre_ext --set-counters 0 0 -j DNAT -p tcp --dport 3100 --to-destination 10.0.0.95
iptables -t nat -A pre_ext --set-counters 0 0 -j DNAT -p tcp --dport 3200 --to-destination 10.0.0.95
iptables -t nat -A pre_ext --set-counters 0 0 -j REDIRECT -p tcp -m multiport --dport $PUB_TCP_SRV
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -p tcp -m multiport --dport 137,138,139,8000,12345
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -p tcp -m mport --sport 21,22,80,110,443,500,1080,44444,6665:6669
# The protocol of the next rule was lost in the posted copy ("-p --sport 2213");
# it is kept as a comment with a placeholder rather than guessed.
# $DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -p <protocol lost> --sport 2213
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -p udp -m multiport --dport 137,138,139,27015
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -p icmp --icmp-type 8/0 # ICMP_ECHO
$DROP iptables -t nat -A pre_ext --set-counters 0 0 -j DROP -s 63.147.197.184
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -p udp --sport 53
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -p tcp --sport 20
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/1 # ICMP_DEST_UNREACH / ICMP_HOST_UNREACH
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/3 # ICMP_DEST_UNREACH / ICMP_PORT_UNREACH
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport 1,21,23,53,79,110,111,1080,1214,6699 # portsentry
iptables -t nat -A pre_ext --set-counters 0 0 -j ACCEPT -p udp -m multiport --dport 1,53,161,1029 # portsentry
# ------------------------------------------------------------------------------
# f i l t e r
# ------------------------------------------------------------------------------
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT # packets sent by ourselves
iptables -t filter -F
echo f_f_n_su
iptables -t filter -X f_f_n_su >/dev/null 2>&1 # ports allowed from internal => fw
iptables -t filter -N f_f_n_su
iptables -t filter -A f_f_n_su --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t filter -A f_f_n_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 21,25,79,80,110,443,993,1024:65535
iptables -t filter -A f_f_n_su --set-counters 0 0 -j ACCEPT -p udp -m mport --dport 53,123
iptables -t filter -A f_f_n_su --set-counters 0 0 -j ACCEPT -p udp --dport 1024:65535 # traceroute
iptables -t filter -A f_f_n_su --set-counters 0 0 -j LOG --log-prefix 'f_f_n_su '
$DROP iptables -t filter -A f_f_n_su --set-counters 0 0 -j DROP
echo f_f_n
iptables -t filter -X f_f_n >/dev/null 2>&1 # ports allowed from internal => fw
iptables -t filter -N f_f_n
iptables -t filter -A f_f_n --set-counters 0 0 -j f_f_n_su -p tcp --sport 1024:65535 -o ppp0 -i eth0
iptables -t filter -A f_f_n --set-counters 0 0 -j f_f_n_su -p udp --sport 1024:65535 -o ppp0 -i eth0
iptables -t filter -A f_f_n --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 8/0 -o ppp0 -i eth0 # ICMP_ECHO
iptables -t filter -A f_f_n --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 1080,8080 -i eth0 -m limit --limit 2/s
$DROP iptables -t filter -A f_f_n --set-counters 0 0 -j DROP -p tcp -m mport --dport 1080,8080
$DROP iptables -t filter -A f_f_n --set-counters 0 0 -j DROP -p udp --dport 137 -d ! 10.0.0.2
iptables -t filter -A f_f_n --set-counters 0 0 -j ACCEPT -p 41 -i eth0 -o ppp0
iptables -t filter -A f_f_n --set-counters 0 0 -j LOG --log-prefix 'f_f_n '
$DROP iptables -t filter -A f_f_n --set-counters 0 0 -j DROP
echo f_f_e_su
iptables -t filter -X f_f_e_su >/dev/null 2>&1
iptables -t filter -N f_f_e_su
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 20,21,25,79,80,110,443,993,1024:65535
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p udp -m mport --dport 53,123
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p udp --sport 1024:65535 --dport 1024:65535 -s 10.0.0.99
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p udp --sport 1024:65535 --dport 1024:65535 -d 10.0.0.99
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p udp --sport 1024:65535 --dport 1024:65535 -s 10.0.0.96
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p udp --sport 1024:65535 --dport 1024:65535 -d 10.0.0.96
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p udp --sport 1024:65535 --dport 1024:65535 -s 10.0.0.40
iptables -t filter -A f_f_e_su --set-counters 0 0 -j ACCEPT -p udp --sport 1024:65535 --dport 1024:65535 -d 10.0.0.40
iptables -t filter -A f_f_e_su --set-counters 0 0 -j LOG --log-prefix 'f_f_e_su '
$DROP iptables -t filter -A f_f_e_su --set-counters 0 0 -j DROP
echo f_f_e_du
iptables -t filter -X f_f_e_du >/dev/null 2>&1
iptables -t filter -N f_f_e_du
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p tcp -m mport --sport 20,21,22,25,79,80,110,443,993,1024:65535
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p tcp -m multiport --sport 1080,2339,3128,8080 # 2339 ( gerry )
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p udp --sport 123
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p udp --sport 27000:27999 --dport 1024:65535
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p udp --dport 27000:27999 --sport 1024:65535
iptables -t filter -A f_f_e_du --set-counters 0 0 -j ACCEPT -p udp --dport 1024:65535 --sport 1024:65535
iptables -t filter -A f_f_e_du --set-counters 0 0 -j LOG --log-prefix 'f_f_e_du '
$DROP iptables -t filter -A f_f_e_du --set-counters 0 0 -j DROP
echo f_f_e
iptables -t filter -X f_f_e >/dev/null 2>&1 # ports allowed from internal => fw
iptables -t filter -N f_f_e
iptables -t filter -A f_f_e --set-counters 0 0 -j f_f_e_su -p tcp --sport 1024:65535 -o ppp0 -i eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j f_f_e_su -p udp --sport 1024:65535 -o ppp0 -i eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j f_f_e_du -p tcp --dport 1024:65535 -i ppp0 -o eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j f_f_e_du -p udp --dport 1024:65535 -i ppp0 -o eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 0/0 -i ppp0 -o eth0 # ICMP_ECHOREPLY
iptables -t filter -A f_f_e --set-counters 0 0 -j ACCEPT -p 41 -i eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j ACCEPT -p 41 -o eth0
iptables -t filter -A f_f_e --set-counters 0 0 -j LOG --log-prefix 'f_f_e '
$DROP iptables -t filter -A f_f_e --set-counters 0 0 -j DROP
echo filter_FORWARD
iptables -t filter -A FORWARD --set-counters 0 0 -j TCPMSS -o ppp+ -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu
iptables -t filter -A FORWARD --set-counters 0 0 -j ACCEPT -m state --state RELATED -p tcp --sport 20 --dport 1024:65535 -i ppp0
iptables -t filter -A FORWARD --set-counters 0 0 -j ACCEPT -m state --state RELATED -p tcp --sport 1024:65535 --dport 1024:65535 -i eth0
iptables -t filter -A FORWARD --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/0 # ICMP_DEST_UNREACH / ICMP_NET_UNREACH
iptables -t filter -A FORWARD --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/1 # ICMP_DEST_UNREACH / ICMP_HOST_UNREACH
iptables -t filter -A FORWARD --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/3 # ICMP_DEST_UNREACH / ICMP_PORT_UNREACH
iptables -t filter -A FORWARD --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/13 # ICMP_DEST_UNREACH / ICMP_PKT_FILTERED
iptables -t filter -A FORWARD --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 11/0 # ICMP_TIME_EXCEEDED / ICMP_EXC_TTL
iptables -t filter -A FORWARD --set-counters 0 0 -j LOG --log-prefix 'f_f_r ' -m state --state RELATED
iptables -t filter -A FORWARD --set-counters 0 0 -j f_f_e -m state --state ESTABLISHED
iptables -t filter -A FORWARD --set-counters 0 0 -j f_f_n -m state --state NEW
iptables -t filter -A FORWARD --set-counters 0 0 -j LOG --log-prefix 'f_f '
$DROP iptables -t filter -P FORWARD DROP # transit traffic
echo f_i_e_su
iptables -t filter -X f_i_e_su >/dev/null 2>&1
iptables -t filter -N f_i_e_su
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport $PUB_TCP_SRV
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --sport 1024:65535 --dport 1024:65535
$DROP iptables -t filter -A f_i_e_su --set-counters 0 0 -j DROP -p tcp -i ppp0
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp -m multiport --dport 53,110,139,143,443,993
# The protocol of the next two rules was lost in the posted copy ("-p --dport ...");
# tcp is restored from the matching REDIRECT rule in n_p_n_su and the 9002 rule in f_i_n_su.
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 6665:6669
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 9002 -i eth0 -s 10.0.0.95
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p udp -m multiport --dport 53,123,161
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --sport 6000 --dport 1024:65535 -i eth0
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --sport 6000 --dport 1024:65535 -i lo
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --dport 6000 --sport 1024:65535 -i lo
iptables -t filter -A f_i_e_su --set-counters 0 0 -j ACCEPT -p tcp --sport 6660:6669
iptables -t filter -A f_i_e_su --set-counters 0 0 -j LOG --log-prefix 'f_i_e_su '
$DROP iptables -t filter -A f_i_e_su --set-counters 0 0 -j DROP
echo f_i_e_du
iptables -t filter -X f_i_e_du >/dev/null 2>&1
iptables -t filter -N f_i_e_du
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p tcp --sport 22
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p tcp -m multiport --sport $PUB_TCP_SRV
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p tcp -m multiport --sport 53,123,443
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p tcp --sport 1024:65535
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p udp --sport 1024:65535
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p udp -m multiport --sport 53,123
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p tcp -m multiport --sport 21,79,110,143,993
iptables -t filter -A f_i_e_du --set-counters 0 0 -j ACCEPT -p udp --sport 161 -i lo
iptables -t filter -A f_i_e_du --set-counters 0 0 -j LOG --log-prefix 'f_i_e_du '
$DROP iptables -t filter -A f_i_e_du --set-counters 0 0 -j DROP
echo f_i_e
iptables -t filter -X f_i_e >/dev/null 2>&1
iptables -t filter -N f_i_e
iptables -t filter -A f_i_e --set-counters 0 0 -j f_i_e_su -p tcp --sport 1024:65535
iptables -t filter -A f_i_e --set-counters 0 0 -j f_i_e_su -p udp --sport 1024:65535
iptables -t filter -A f_i_e --set-counters 0 0 -j f_i_e_du -p tcp --dport 1024:65535
iptables -t filter -A f_i_e --set-counters 0 0 -j f_i_e_du -p udp --dport 1024:65535
iptables -t filter -A f_i_e --set-counters 0 0 -j ACCEPT -p 41
iptables -t filter -A f_i_e --set-counters 0 0 -j LOG --log-prefix 'f_i_e '
$DROP iptables -t filter -A f_i_e --set-counters 0 0 -j DROP
echo f_i_n_su
iptables -t filter -X f_i_n_su >/dev/null 2>&1
iptables -t filter -N f_i_n_su
iptables -t filter -A f_i_n_su --set-counters 0 0 -j ACCEPT -p udp -m mport --dport 53,161
$DROP iptables -t filter -A f_i_n_su --set-counters 0 0 -j DROP -p tcp -m mport --dport 6660:6669
iptables -t filter -A f_i_n_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 53,443,110,143,993,6660:6669
iptables -t filter -A f_i_n_su --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport 3306,6000 -i lo
$DROP iptables -t filter -A f_i_n_su --set-counters 0 0 -j DROP -p tcp -m mport --dport 20,21
# iptables -t filter -A f_i_n_su --set-counters 0 0 -j DROP -s 217.110.115.168
iptables -t filter -A f_i_n_su --set-counters 0 0 -j ACCEPT -p tcp -s 10.0.0.95 -d 10.0.0.2 --dport 9002
iptables -t filter -A f_i_n_su --set-counters 0 0 -j LOG --log-prefix 'f_i_n_su '
$DROP iptables -t filter -A f_i_n_su --set-counters 0 0 -j DROP
echo f_i_n
iptables -t filter -X f_i_n >/dev/null 2>&1
iptables -t filter -N f_i_n
$DROP iptables -t filter -A f_i_n --set-counters 0 0 -j DROP -p tcp --dport 3306
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p tcp --dport 22
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p tcp -m mport --dport $PUB_TCP_SRV
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p udp --dport 58888 -s 193.126.85.29
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p 41 -s 193.126.85.29
$PSD iptables -t filter -A f_i_n -j DROP -m psd --psd-weight-threshold 1 --psd-delay-threshold 9000 --psd-lo-ports-weight 7 --psd-hi-ports-weight 3 -i ppp+
# iptables -t filter -A f_i_n_su --set-counters 0 0 -j DROP -p tcp -i ppp0
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p udp --sport 68 --dport 67 -i eth0
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p udp --dport 68 --sport 67 -i eth0
iptables -t filter -A f_i_n --set-counters 0 0 -j f_i_n_su -p tcp --sport 1024:65535
iptables -t filter -A f_i_n --set-counters 0 0 -j f_i_n_su -p udp --sport 1024:65535
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p icmp --icmp-type 8/0 -i eth0 # ICMP_ECHO
$DROP iptables -t filter -A f_i_n --set-counters 0 0 -j DROP -p tcp --sport 80
iptables -t filter -A f_i_n --set-counters 0 0 -j ACCEPT -p udp --sport 53 --dport 1024:65535 -i lo
$DROP iptables -t filter -A f_i_n --set-counters 0 0 -j DROP -p udp --sport 137 --dport 53
iptables -t filter -A f_i_n --set-counters 0 0 -j LOG --log-prefix 'f_i_n '
$DROP iptables -t filter -A f_i_n --set-counters 0 0 -j DROP
echo filter_INPUT
iptables -t filter -A INPUT --set-counters 0 0 -j f_i_e -m state --state ESTABLISHED
iptables -t filter -A INPUT --set-counters 0 0 -j f_i_n -m state --state NEW
iptables -t filter -A INPUT --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/1 # ICMP_DEST_UNREACH / ICMP_HOST_UNREACH
iptables -t filter -A INPUT --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/2 # ICMP_DEST_UNREACH / ICMP_PROT_UNREACH
iptables -t filter -A INPUT --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/3 # ICMP_DEST_UNREACH / ICMP_PORT_UNREACH
iptables -t filter -A INPUT --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 3/13 # ICMP_DEST_UNREACH / ICMP_PKT_FILTERED
iptables -t filter -A INPUT --set-counters 0 0 -j ACCEPT -m state --state RELATED -p icmp --icmp-type 11/0 # ICMP_TIME_EXCEEDED / ICMP_EXC_TTL
iptables -t filter -A INPUT --set-counters 0 0 -j LOG --log-prefix 'f_i_r ' -m state --state RELATED
iptables -t filter -A INPUT --set-counters 0 0 -j ACCEPT -p 41
iptables -t filter -A INPUT --set-counters 0 0 -j LOG --log-prefix 'f_i '
$DROP iptables -t filter -P INPUT DROP
# iptables -t filter -A INPUT --set-counters 0 0 -j DROP -p tcp -m multiport --dport 90,443
# iptables -t filter -A for_ext --set-counters 0 0 -j ACCEPT -p tcp -d 10.0.0.97 --dport 7000:7100
# iptables -t filter -A for_ext --set-counters 0 0 -j ACCEPT -p tcp -d 10.0.0.96 --dport 7200:7300
# iptables -t filter -A for_ext --set-counters 0 0 -j ACCEPT -p tcp -d 10.0.0.99 --dport 7400:7500
# iptables -t filter -A for_ext --set-counters 0 0 -j ACCEPT -p tcp -d 10.0.0.95 -m multiport --dport 3100,3200