Gateway Firewall Script
Im Folgenden seht ihr ein Skript, das alle nötigen Einstellungen für eine grobe Firewall und Gateway-Funktionalität bietet.
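#!/bin/sh
#
# Gateway firewall for a host with a DMZ-facing interface (eth0) and a
# LAN-facing interface (eth1).
#
# Usage:  firewall.sh        load the rule set (default policy DROP)
#         firewall.sh stop   flush every chain and leave the host OPEN
#
# Must run as root: it writes /proc/sys/net/ipv4/* and calls iptables.
# Replace the "isp.*", "some.*" and printer placeholders below before use.

set -u   # a mistyped variable name must not silently become an empty match

###############################################################
# Connection-tracking helper for FTP.  The module was renamed from
# ip_conntrack_ftp to nf_conntrack_ftp in kernel 2.6.20, so try the
# current name first and fall back to the legacy one; the redirect only
# hides the "module not found" noise of the first attempt.
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp
# NOTE(review): kernels >= 4.7 disable automatic helper assignment
# (net.netfilter.nf_conntrack_helper=0), so FTP data connections also
# need a "-t raw ... -j CT --helper ftp" rule before the RELATED accept
# below can match them -- confirm on the target kernel.

###############################################################
# Feature switches
CONNECTION_TRACKING="1"  # 1 = state-match the ICMP echo rules
ACCEPT_AUTH="0"          # 1 = accept AUTH/ident (TCP 113); 0 = answer it with a TCP reset
DHCP_SERVER="1"          # 1 = this host serves DHCP to the LAN

###############################################################
# Site configuration
IPT="/sbin/iptables"               # Location of iptables on your system
DMZ_INTERFACE="eth0"               # network interface to the DMZ
LAN_INTERFACE="eth1"               # network interface to the LAN
LOOPBACK_INTERFACE="lo"            # however your system names it
DMZ_IPADDR="192.168.1.126"         # DMZ IP address
GATEWAY_IPADDR="192.168.1.65"      # gateway firewall - the router
DMZ_ADDRESSES="192.168.1.64/26"    # DMZ IP address range
DMZ_NETWORK="192.168.1.64"         # DMZ subnet base address
DMZ_BROADCAST="192.168.1.127"      # DMZ broadcast address
LAN_IPADDR="192.168.1.129"         # LAN IP address
LAN_ADDRESSES="192.168.1.128/26"   # LAN IP address range
LAN_NETWORK="192.168.1.128"        # LAN subnet base address (currently unused)
LAN_BROADCAST="192.168.1.191"      # LAN broadcast address (currently unused)
LAN_NETMASK="255.255.255.192"      # LAN netmask (currently unused)
NAMESERVER="isp.name.server.1"     # address of a remote name server
POP_SERVER="isp.pop.server"        # address of a remote pop server
MAIL_SERVER="isp.mail.server"      # address of a remote mail gateway
NEWS_SERVER="isp.news.server"      # address of a remote news server
TIME_SERVER="some.timne.server"    # remote time server (currently unused; the NTP rules use GATEWAY_IPADDR)
# Renamed from DHCP_SERVER: the original assignment overwrote the feature
# switch above, so the "DHCP_SERVER = 1" test below could never be true.
ISP_DHCP_SERVER="isp.dhcp.server"  # address of your ISP dhcp server (currently unused)
SSH_CLIENT="some.ssh.client"       # host used by the DMZ -> LAN ssh forward rule below
PRINTER_ADDRESS="local networked printer"  # REPLACE with the printer's IP address
LOOPBACK="127.0.0.0/8"             # reserved loopback address range (currently unused)
CLASS_A="10.0.0.0/8"               # Class A private networks (currently unused)
CLASS_B="172.16.0.0/12"            # Class B private networks (currently unused)
CLASS_C="192.168.0.0/16"           # Class C private networks (currently unused)
CLASS_D_MULTICAST="224.0.0.0/4"    # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addresses (currently unused)
# Was misspelled BROADCAST_src while every rule read $BROADCAST_SRC, so the
# DHCP and malformed-broadcast rules were built with an empty address.
BROADCAST_SRC="0.0.0.0"            # broadcast source address
BROADCAST_DEST="255.255.255.255"   # broadcast destination address
PRIVPORTS="0:1023"                 # well-known, privileged port range
UNPRIVPORTS="1024:65535"           # unprivileged port range

###############################################################
# Helpers

# set_ipv4_conf KEY VALUE
# Write VALUE to /proc/sys/net/ipv4/conf/<iface>/KEY for every interface
# directory (including "all" and "default").
set_ipv4_conf() {
  for f in /proc/sys/net/ipv4/conf/*/"$1"; do
    echo "$2" > "$f"
  done
}

# log_rule CHAIN PREFIX [match ...]
# Append a LOG rule with the given matches.  Logging is rate-limited so a
# flood of unwanted packets cannot fill the log (or the disk) on its own.
log_rule() {
  _chain=$1
  _prefix=$2
  shift 2
  "$IPT" -A "$_chain" "$@" \
    -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "$_prefix"
}

###############################################################
# Kernel network hardening
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts  # Enable broadcast echo protection
set_ipv4_conf accept_source_route 0                      # Disable source-routed packets
echo 1 > /proc/sys/net/ipv4/tcp_syncookies               # Enable TCP SYN cookie protection
set_ipv4_conf accept_redirects 0                         # Disable ICMP redirect acceptance
set_ipv4_conf send_redirects 0                           # Don't send redirect messages
# Drop spoofed packets coming in on an interface which, if replied to,
# would result in the reply going out a different interface.
set_ipv4_conf rp_filter 1
set_ipv4_conf log_martians 1                             # Log packets with impossible addresses

###############################################################
# Remove any existing rules from all chains and reset the built-in chains
# to ACCEPT.  This is also the final state when called with "stop".
"$IPT" --flush
"$IPT" -t nat --flush
"$IPT" -t mangle --flush
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -t mangle -X
"$IPT" --policy INPUT ACCEPT
"$IPT" --policy OUTPUT ACCEPT
"$IPT" --policy FORWARD ACCEPT
"$IPT" -t nat --policy PREROUTING ACCEPT
"$IPT" -t nat --policy OUTPUT ACCEPT
"$IPT" -t nat --policy POSTROUTING ACCEPT
"$IPT" -t mangle --policy PREROUTING ACCEPT
"$IPT" -t mangle --policy OUTPUT ACCEPT
if [ "${1:-}" = "stop" ]; then
  echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
  exit 0
fi

###############################################################
# Default policy: DROP.  The original used REJECT, which iptables does
# not accept as a chain policy (only built-in targets such as ACCEPT and
# DROP are valid there); the command failed and the chains stayed at
# ACCEPT.  The policies are set before any ACCEPT rule so that a failure
# part-way through the script leaves the host closed, not open.
"$IPT" --policy INPUT DROP
"$IPT" --policy OUTPUT DROP
"$IPT" --policy FORWARD DROP

# This host routes between DMZ and LAN; none of the FORWARD rules below
# matter unless the kernel forwards at all.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Unlimited traffic on the loopback interface
"$IPT" -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
"$IPT" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

###############################################################
# Stealth scans and illegal TCP flag combinations, on both chains that
# see packets from outside.
for chain in INPUT FORWARD; do
  # All of the bits are cleared
  "$IPT" -A "$chain" -p tcp --tcp-flags ALL NONE -j DROP
  # SYN and FIN are both set
  "$IPT" -A "$chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  # SYN and RST are both set
  "$IPT" -A "$chain" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  # FIN and RST are both set
  "$IPT" -A "$chain" -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  # FIN is the only bit set, without the expected accompanying ACK
  "$IPT" -A "$chain" -p tcp --tcp-flags ACK,FIN FIN -j DROP
  # PSH is the only bit set, without the expected accompanying ACK
  "$IPT" -A "$chain" -p tcp --tcp-flags ACK,PSH PSH -j DROP
  # URG is the only bit set, without the expected accompanying ACK
  "$IPT" -A "$chain" -p tcp --tcp-flags ACK,URG URG -j DROP
done

###############################################################
# Using connection state to bypass rule checking.
# Using the state module alone, INVALID will break protocols that use
# bidirectional connections or multiple connections or exchanges,
# unless an ALG is provided for the protocol.  At this time, FTP is the
# only protocol with ALG support.
for chain in INPUT OUTPUT FORWARD; do
  "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
log_rule INPUT   "INVALID input: "   -m state --state INVALID
"$IPT" -A INPUT -m state --state INVALID -j DROP
log_rule OUTPUT  "INVALID output: "  -m state --state INVALID
"$IPT" -A OUTPUT -m state --state INVALID -j DROP
log_rule FORWARD "INVALID forward: " -m state --state INVALID
"$IPT" -A FORWARD -m state --state INVALID -j DROP

###############################################################
# Source address spoofing and other bad addresses.
# Negations use the "! -s" form; the "-s !" form is deprecated.
# Refuse spoofed packets pretending to be from you
"$IPT" -A INPUT -s "$DMZ_IPADDR" -j DROP
"$IPT" -A INPUT -s "$LAN_IPADDR" -j DROP
"$IPT" -A FORWARD -s "$DMZ_IPADDR" -j DROP
"$IPT" -A FORWARD -s "$LAN_IPADDR" -j DROP
"$IPT" -A INPUT -i "$DMZ_INTERFACE" -s "$LAN_ADDRESSES" -j DROP
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -s "$LAN_ADDRESSES" -j DROP
"$IPT" -A FORWARD -i "$LAN_INTERFACE" ! -s "$LAN_ADDRESSES" -j DROP
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" ! -s "$DMZ_IPADDR" -j DROP
# DHCP server replies may leave with source 0.0.0.0, so the exemption must
# precede the LAN-side "not our address" drop.  (The original placed an
# identical drop before the exemption, which made the exemption dead.)
if [ "$DHCP_SERVER" = "1" ]; then
  "$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
    -s "$BROADCAST_SRC" --sport 67 \
    -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
fi
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" ! -s "$LAN_IPADDR" -j DROP
# Refuse malformed broadcast packets
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -d "$BROADCAST_SRC" -j DROP
# Don't forward directed broadcasts
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -d "$DMZ_NETWORK" -j DROP
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -d "$DMZ_BROADCAST" -j DROP
# Don't forward limited broadcasts in either direction
"$IPT" -A FORWARD -d "$BROADCAST_DEST" -j DROP
# Multicast is UDP only
"$IPT" -A INPUT ! -p udp -d "$CLASS_D_MULTICAST" -j DROP
"$IPT" -A FORWARD ! -p udp -d "$CLASS_D_MULTICAST" -j DROP

###############################################################
# ICMP control and status messages
# Log and drop initial ICMP fragments
log_rule INPUT   "Fragmented incoming ICMP: "  --fragment -p icmp
"$IPT" -A INPUT --fragment -p icmp -j DROP
log_rule OUTPUT  "Fragmented outgoing ICMP: "  --fragment -p icmp
"$IPT" -A OUTPUT --fragment -p icmp -j DROP
log_rule FORWARD "Fragmented forwarded ICMP: " --fragment -p icmp
"$IPT" -A FORWARD --fragment -p icmp -j DROP
# Source quench is deprecated (RFC 6633); kept for compatibility with
# the original rule set, it is harmless either way.
"$IPT" -A INPUT -p icmp \
  --icmp-type source-quench -d "$DMZ_IPADDR" -j ACCEPT
"$IPT" -A OUTPUT -p icmp \
  --icmp-type source-quench -j ACCEPT
"$IPT" -A FORWARD -p icmp \
  --icmp-type source-quench -j ACCEPT
"$IPT" -A INPUT -p icmp \
  --icmp-type parameter-problem -j ACCEPT
"$IPT" -A OUTPUT -p icmp \
  --icmp-type parameter-problem -j ACCEPT
"$IPT" -A FORWARD -p icmp \
  --icmp-type parameter-problem -j ACCEPT
"$IPT" -A INPUT -p icmp \
  --icmp-type destination-unreachable -j ACCEPT
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p icmp \
  --icmp-type destination-unreachable -d "$LAN_ADDRESSES" -j ACCEPT
"$IPT" -A FORWARD -o "$LAN_INTERFACE" -p icmp \
  --icmp-type destination-unreachable -d "$LAN_ADDRESSES" -j ACCEPT
# fragmentation-needed is required for path-MTU discovery to work
"$IPT" -A OUTPUT -p icmp \
  --icmp-type fragmentation-needed -j ACCEPT
"$IPT" -A FORWARD -p icmp \
  --icmp-type fragmentation-needed -j ACCEPT
# Don't log dropped outgoing ICMP error messages
"$IPT" -A OUTPUT -p icmp \
  --icmp-type destination-unreachable -j DROP
"$IPT" -A FORWARD -o "$DMZ_INTERFACE" -p icmp \
  --icmp-type destination-unreachable -j DROP
# Intermediate traceroute responses
"$IPT" -A INPUT -p icmp \
  --icmp-type time-exceeded -j ACCEPT
"$IPT" -A FORWARD -o "$LAN_INTERFACE" -p icmp \
  --icmp-type time-exceeded -d "$LAN_ADDRESSES" -j ACCEPT
# Allow outgoing pings to anywhere
if [ "$CONNECTION_TRACKING" = "1" ]; then
  "$IPT" -A OUTPUT -p icmp \
    --icmp-type echo-request \
    -m state --state NEW -j ACCEPT
  "$IPT" -A FORWARD -o "$DMZ_INTERFACE" -p icmp \
    --icmp-type echo-request -s "$LAN_ADDRESSES" \
    -m state --state NEW -j ACCEPT
fi
# Allow incoming pings from trusted hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
  "$IPT" -A INPUT -i "$DMZ_INTERFACE" -p icmp \
    -s "$GATEWAY_IPADDR" --icmp-type echo-request -d "$DMZ_IPADDR" \
    -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -i "$LAN_INTERFACE" -p icmp \
    -s "$LAN_ADDRESSES" --icmp-type echo-request -d "$LAN_IPADDR" \
    -m state --state NEW -j ACCEPT
fi

###############################################################
# DNS name server
# DNS LAN clients to private server (53)
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$LAN_IPADDR" --dport 53 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$LAN_IPADDR" --dport 53 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$DMZ_INTERFACE" -p udp \
  -s "$DMZ_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$DMZ_IPADDR" --dport 53 \
  -m state --state NEW -j ACCEPT
# DNS caching & forwarding name server (53)
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p udp \
  -s "$DMZ_IPADDR" --sport 53 \
  -d "$NAMESERVER" --dport 53 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p udp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NAMESERVER" --dport 53 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NAMESERVER" --dport 53 \
  -m state --state NEW -j ACCEPT

###############################################################
# AUTH user identification service (TCP port 113).
# The ACCEPT_AUTH switch was declared but never consulted; now it decides
# whether ident requests are accepted or answered with a TCP reset.  A
# reset (rather than a silent drop) keeps remote mail and IRC servers
# from waiting for an ident timeout before serving us.
if [ "$ACCEPT_AUTH" = "1" ]; then
  "$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
    -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 113 \
    -m state --state NEW -j ACCEPT
  "$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -p tcp \
    --sport "$UNPRIVPORTS" -d "$LAN_ADDRESSES" --dport 113 \
    -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -i "$LAN_INTERFACE" -p tcp \
    -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" -d "$LAN_IPADDR" --dport 113 \
    -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -i "$DMZ_INTERFACE" -p tcp \
    -s "$DMZ_ADDRESSES" --sport "$UNPRIVPORTS" -d "$DMZ_IPADDR" --dport 113 \
    -m state --state NEW -j ACCEPT
else
  "$IPT" -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  "$IPT" -A FORWARD -p tcp --dport 113 -j REJECT --reject-with tcp-reset
fi

###############################################################
# Sending mail to the mail gateway server (TCP port 25)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$MAIL_SERVER" --dport 25 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$MAIL_SERVER" --dport 25 \
  -m state --state NEW -j ACCEPT

###############################################################
# Retrieving mail as a POP client (TCP port 110)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$POP_SERVER" --dport 110 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$POP_SERVER" --dport 110 \
  -m state --state NEW -j ACCEPT

###############################################################
# Accessing Usenet news services (TCP NNTP port 119)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$NEWS_SERVER" --dport 119 \
  -m state --state NEW -j ACCEPT

###############################################################
# ssh (TCP port 22)
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$DMZ_ADDRESSES" --dport 22 \
  -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 22 \
  -m state --state NEW -j ACCEPT
# NOTE(review): this rule uses SSH_CLIENT as both source and destination,
# so as written it can never match a packet that transits this gateway.
# The intended destination (presumably a LAN host or LAN_ADDRESSES) is
# not recoverable from the original -- confirm before relying on it.
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -p tcp \
  -s "$SSH_CLIENT" --sport "$UNPRIVPORTS" \
  -d "$SSH_CLIENT" --dport 22 \
  -m state --state NEW -j ACCEPT

###############################################################
# ftp (TCP ports 21, 20)
# Outgoing local client requests to remote servers; the data connection
# is expected to be picked up as RELATED by the FTP conntrack helper.
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 21 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" --dport 21 \
  -m state --state NEW -j ACCEPT

###############################################################
# HTTP web traffic (TCP port 80)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 80 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" --dport 80 \
  -m state --state NEW -j ACCEPT

###############################################################
# SSL web traffic (TCP port 443)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 443 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" --dport 443 \
  -m state --state NEW -j ACCEPT

###############################################################
# whois (TCP port 43)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 43 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" --dport 43 \
  -m state --state NEW -j ACCEPT

###############################################################
# Networked printer (TCP port 515).  lpd expects a privileged source port
# from this host; forwarded DMZ clients use the unprivileged range.
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p tcp \
  -s "$LAN_IPADDR" --sport "$PRIVPORTS" \
  -d "$PRINTER_ADDRESS" --dport 515 \
  -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -p tcp \
  -s "$DMZ_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$PRINTER_ADDRESS" --dport 515 \
  -m state --state NEW -j ACCEPT

###############################################################
# Accessing network time server (UDP 123)
# Note: some clients and servers use source port 123 when querying a
# remote server on destination port 123.
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p udp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$GATEWAY_IPADDR" --dport 123 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$LAN_IPADDR" --dport 123 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$LAN_ADDRESSES" --sport 123 \
  -d "$LAN_IPADDR" --dport 123 \
  -m state --state NEW -j ACCEPT

###############################################################
# Accessing a local DHCP server (UDP ports 67, 68).  Only meaningful when
# this host is the LAN's DHCP server, so the whole section honours the
# switch (a duplicated OUTPUT rule from the original has been dropped).
if [ "$DHCP_SERVER" = "1" ]; then
  "$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
    -s "$BROADCAST_SRC" --sport 68 \
    -d "$BROADCAST_DEST" --dport 67 -j ACCEPT
  "$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
    -s "$BROADCAST_SRC" --sport 67 \
    -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
  "$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
    -s "$LAN_IPADDR" --sport 67 \
    -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
  "$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
    -s "$BROADCAST_SRC" --sport 68 \
    -d "$LAN_IPADDR" --dport 67 -j ACCEPT
  "$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
    -s "$LAN_IPADDR" --sport 67 \
    -d "$LAN_ADDRESSES" --dport 68 -j ACCEPT
  "$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
    -s "$LAN_ADDRESSES" --sport 68 \
    -d "$LAN_IPADDR" --dport 67 -j ACCEPT
fi

###############################################################
# Logging dropped packets.  Everything that reaches here falls through to
# the DROP policy; log it (rate-limited) so the drops are visible.  As in
# the original, only LAN-side INPUT and OUTPUT are logged -- DMZ-side
# input that does not match is dropped silently.
log_rule INPUT   "Dropped input: "    -i "$LAN_INTERFACE"
log_rule OUTPUT  "Dropped output: "   -o "$LAN_INTERFACE"
log_rule FORWARD "Dropped forward: "  -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE"
log_rule FORWARD "Dropped forward: "  -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE"
exit 0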