hi stpe,
can such settings at least be assigned by default then, the way they appear in fli4l in this base.txt?
I found something else, what do you think of it:
#!/bin/sh
# --------------------------------------------------------------------
# ipchains rc.firewall for an Individual System or Home LAN from Chapter 3
#
# Chapter 3 covers the application protocols and firewall rules for the types of
# services most likely to be used on an individual, standalone Linux box. If a
# small LAN of personal, client computers were attached to an internal LAN, the
# firewall forwards and masquerades all traffic between the LAN and the
# Internet. As an example, Chapter 3 demonstrates numerous safeguards and
# logging events that aren't strictly necessary in a fully functional firewall.
# Additionally, both client and server rules are presented for services not
# everyone will use. The complete firewall script, as it would appear in
# /etc/rc.d/rc.firewall, and built upon ipchains, follows:
# --------------------------------------------------------------------
echo "Starting firewalling... "
# Some definitions for easy maintenance:
# --------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # or your local naming convention
LAN_INTERFACE_1="eth1" # internal LAN interface
IPADDR="my.ip.address" # your IP address
LAN_1="192.168.1.0/24" # whatever (private) range you use
LAN_IPADDR_1="192.168.1.1" # your internal interface address
ANYWHERE="any/0" # match any IP address
DHCP_SERVER="my.dhcp.server" # if you use one
MY_ISP="my.isp.address.range" # ISP & NOC address range
NAMESERVER_1="my.name.server.1" # everyone must have at least one
SMTP_SERVER="any/0" # external mail server
SMTP_GATEWAY="my.isp.server" # external mail relay
POP_SERVER="my.pop.server" # external pop server, if any
IMAP_SERVER="my.isp.imap.server" # external imap server, if any
NEWS_SERVER="my.news.server" # external news server, if any
WEB_PROXY_SERVER="my.www.proxy" # ISP web proxy server, if any
WEB_PROXY_PORT="www.proxy.port" # ISP web proxy port, if any
# typically 8008 or 8080
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ....................................................................
# If your IP address is dynamically assigned by a DHCP server, then
# nameservers are found in /etc/dhcpc/resolv.conf. If used, the
# example ifdhcpc-done script updates these automatically and
# appends them to /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or
# /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info.
# If using the example ifdhcpc-done script, the following NAMESERVER
# definitions (one per server, up to 3) will be overridden correctly
# here.
# The IP address, $IPADDR, is defined by dhcp
# Otherwise, if you have a static IP address, then define both
# your static IP address and the IP address of your external name
# server(s).
if [ -f /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE ]; then
. /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE
elif [ -f /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info ]; then
. /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info
elif [ -f /etc/dhcpc/pump.info ]; then
. /etc/dhcpc/pump.info
else
echo "rc.firewall: dhcp is not configured."
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A input -i $LAN_INTERFACE_1 -j ACCEPT
ipchains -A output -i $LAN_INTERFACE_1 -j ACCEPT
exit 1
fi
# If using the example ifdhcpc-done script, any previous definitions of
# IPADDR and NAMESERVER will be overridden correctly here.
DHCP_SERVER=$DHCPSIADDR
# ....................................................................
# EDIT THESE TO MATCH THE NUMBER OF SERVERS OR CONNECTIONS
# YOU SUPPORT.
# X Windows port allocation begins at 6000 and increments
# for each additional server running from 6000 to 6063.
XWINDOW_PORTS="6000:6063" # (TCP) X windows
# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1020:1023" # simultaneous connections
# --------------------------------------------------------------------
SOCKS_PORT="1080" # (TCP) socks
OPENWINDOWS_PORT="2000" # (TCP) openwindows
NFS_PORT="2049" # (TCP/UDP) NFS
# --------------------------------------------------------------------
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# These are now necessary for masquerading the services
#/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_raudio
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_vdolive
#/sbin/modprobe ip_masq_cuseeme
#/sbin/modprobe ip_masq_quake
# --------------------------------------------------------------------
# Flush any existing rules from all chains
ipchains -F
# Set the default policy to deny
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
# Set masquerade timeout to 10 hours for TCP connections.
ipchains -M -S 36000 0 0
# Disallow Fragmented Packets
ipchains -A input -f -i $EXTERNAL_INTERFACE -j DENY
# --------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# --------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
ipchains -A input -i $LAN_INTERFACE_1 \
-s $LAN_1 -j ACCEPT
ipchains -A output -i $LAN_INTERFACE_1 \
-d $LAN_1 -j ACCEPT
# --------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LAN_1 -j MASQ
# --------------------------------------------------------------------
# Refuse any connections from problem sites
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s <address/mask> -j DENY
# rules to block all access.
# Refuse packets claiming to be from the banned list
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
. /etc/rc.d/rc.firewall.blocked
fi
# --------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be from
# the external interface's IP address
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l
# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
# Refuse packets claiming to be to or from a Class C private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
# Refuse packets claiming to be to the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
# block directed broadcasts:
# Network base address
# Network broadcast address
# SUBNET_BROADCAST="you.you.you.255"
# SUBNET_BASE="you.you.you.0"
# ipchains -A input -i $EXTERNAL_INTERFACE -d $SUBNET_BASE -j DENY -l
# ipchains -A input -i $EXTERNAL_INTERFACE -d $SUBNET_BROADCAST -j DENY -l
# Refuse malformed broadcast packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
# Refuse Class D multicast addresses
# Multicast is only illegal as a source address.
# Multicast uses UDP
# incoming blocked below
# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
#          -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
-j REJECT -l
# Refuse Class E reserved IP addresses
# incoming blocked below
# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET \
#          -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET \
-j REJECT
# Refuse addresses defined as reserved by the IANA.
# Note: The reserved addresses are allocated periodically.
# Filtering them requires checking the IANA address lists,
# preferably monthly.
# The following matches the IANA list on October 14, 2000.
# 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 36.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*
# 49-50.*.*.*, 58-60.*.*.*
# 67-127.*.*.*
# 169.254.0.0/16 - Link Local Networks
# 192.0.2.0/24 - TEST-NET
# 197.*.*.*, 218-255.*.*.*
# 0.*.*.* - Can't be blocked for DHCP users.
# ipchains -A input -i $EXTERNAL_INTERFACE -s 0.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 36.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 49.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 50.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/6 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/5 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l
# 96-126
ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/3 -j DENY -l
# Link local networks
ipchains -A input -i $EXTERNAL_INTERFACE -s 169.254.0.0/16 -j DENY -l
# Test NET
ipchains -A input -i $EXTERNAL_INTERFACE -s 192.0.2.0/24 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 197.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l
# includes multicast, reserved and unallocated addresses
ipchains -A input -i $EXTERNAL_INTERFACE -s 224.0.0.0/3 -j DENY -l
# --------------------------------------------------------------------
# UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# Open Windows: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $OPENWINDOWS_PORT -j REJECT
# Open Windows incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $OPENWINDOWS_PORT -j DENY
# X Windows: establishing a remote connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $XWINDOW_PORTS -j REJECT
# X Windows: incoming connection attempt
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $XWINDOW_PORTS -j DENY -l
# SOCKS: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $SOCKS_PORT -j REJECT -l
# SOCKS incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $SOCKS_PORT -j DENY
# NFS: TCP connections
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $NFS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-d $ANYWHERE $NFS_PORT -j REJECT -l
# NFS: UDP connections
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $NFS_PORT -j DENY -l
# NFS incoming request (normal UDP mode)
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-d $ANYWHERE $NFS_PORT -j REJECT -l
# --------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers
# vary by supplier. Using them is less error prone and more
# meaningful.
# --------------------------------------------------------------------
# Required Services
# DNS client modes (53)
# ---------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# TCP client to server requests are allowed by the protocol
# if UDP requests fail. This is rarely seen. Usually, clients
# use TCP as a secondary nameserver for zone transfers from
# their primary nameservers, and as hackers.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# DNS server modes (53)
# ---------------------
# DNS caching & forwarding nameserver
# -----------------------------------
# server to server query or response
# Caching only name server uses UDP, not TCP
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR 53 -j ACCEPT
# DNS full nameserver
# -------------------
# client to server DNS transaction
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s <my.dns.clients> $UNPRIVPORTS \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d <my.dns.clients> $UNPRIVPORTS -j ACCEPT
# peer-to-peer server DNS transaction
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s <my.dns.clients> 53 \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d <my.dns.clients> 53 -j ACCEPT
# Zone Transfers
# due to the potential danger of zone transfers,
# only allow TCP traffic to specific secondaries.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s <my.dns.secondaries> $UNPRIVPORTS \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 53 \
-d <my.dns.secondaries> $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# AUTH (113) - Allowing Your Outgoing AUTH Requests as a Client
# -------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 113 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 113 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# AUTH server (113)
# -----------------
# Accepting Incoming AUTH Requests
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 113 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 113 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# OR
# Rejecting Incoming AUTH Requests
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR 113 -j REJECT
# --------------------------------------------------------------------
# TCP services on selected ports
# Sending Mail through a remote SMTP gateway (25)
# -----------------------------------------------
# SMTP client to an ISP account without a local server
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $SMTP_GATEWAY 25 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $SMTP_GATEWAY 25 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# OR
# Sending Mail through a local SMTP server
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 25 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 25 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# Receiving Mail as a Local SMTP server (25)
# ------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 25 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 25 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# POP (110) - Retrieving Mail as a POP Client
# -------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $POP_SERVER 110 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $POP_SERVER 110 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# POP (110) - Hosting a POP Server for Remote Clients
# ---------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s <my.pop.clients> $UNPRIVPORTS \
-d $IPADDR 110 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 110 \
-d <my.pop.clients> $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# IMAP (143) - Retrieving Mail as an IMAP Client
# ----------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d <my.imap.server> 143 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s <my.imap.server> 143 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# IMAP (143) - Hosting an IMAP Server for Remote Clients
# ------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s <my.imap.clients> $UNPRIVPORTS \
-d $IPADDR 143 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 143 \
-d <my.imap.clients> $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# NNTP (119) - Reading and Posting News as a Usenet Client
# --------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NEWS_SERVER 119 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NEWS_SERVER 119 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# NNTP (119) - Hosting a Usenet News Server for Remote Clients
# ------------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s <my.news.clients> $UNPRIVPORTS \
-d $IPADDR 119 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 119 \
-d <my.news.clients> $UNPRIVPORTS -j ACCEPT
# NNTP (119) - Allowing Peer News Feeds for a Local Usenet Server
# ---------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d <my.news.feed> 119 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s <my.news.feed> 119 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# TELNET (23) - Allowing Outgoing Client Access to Remote Sites
# -------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 23 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 23 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# TELNET (23) - Allowing Incoming Access to Your Local Server
# -----------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 23 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 23 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# SSH client (22) - Allowing Client Access to Remote SSH Servers
# --------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 22 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 22 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $SSH_PORTS \
-d $ANYWHERE 22 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 22 \
-d $IPADDR $SSH_PORTS -j ACCEPT
# SSH (22) - Allowing Remote Client Access to Your Local SSH Server
# -----------------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $SSH_PORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $SSH_PORTS -j ACCEPT
# --------------------------------------------------------------------
# FTP (20, 21) - Allowing Outgoing Client Access to Remote FTP Servers
# --------------------------------------------------------------------
# outgoing request
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 21 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 21 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# Normal Port Mode FTP Data Channels
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE 20 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 20 -j ACCEPT
# Passive Mode FTP Data Channels
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# FTP (20, 21) - Allowing Incoming Access to Your Local FTP Server
# ----------------------------------------------------------------
# incoming request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 21 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 21 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# Normal Port Mode FTP Data Channel Responses
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR 20 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 20 -j ACCEPT
# Passive Mode FTP Data Channel Responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# HTTP (80) - Accessing Remote Web Sites as a Client
# --------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 80 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 80 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# HTTP (80) - Allowing Remote Access to a Local Web Server
# --------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 80 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# HTTPS (443) - Accessing Remote Web Sites Over SSL as a Client
# -------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 443 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 443 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# HTTPS (443) - Allowing Remote Access to a Local SSL Web Server
# --------------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 443 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 443 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# HTTP Proxy client (8008/8080)
# -----------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $WEB_PROXY_SERVER $WEB_PROXY_PORT -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $WEB_PROXY_SERVER $WEB_PROXY_PORT \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# FINGER (79) - Accessing Remote finger Servers as a Client
# ---------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 79 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 79 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# FINGER (79) - Allowing Remote Client Access to a Local finger Server
# --------------------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s <my.finger.clients> $UNPRIVPORTS \
-d $IPADDR 79 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 79 \
-d <my.finger.clients> $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# WHOIS client (43)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 43 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 43 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# Gopher client (70)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 70 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 70 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# WAIS client (210)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 210 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 210 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# UDP accept only on selected ports
# TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
# -----------------------------------------------------
# Enabling Outgoing traceroute Requests
# -------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $TRACEROUTE_SRC_PORTS \
-d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
# incoming query from the ISP.
# All others are denied by default.
# ---------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_ISP 32769:65535 \
-d $IPADDR 33434:33523 -j ACCEPT
# --------------------------------------------------------------------
# DHCP client (67, 68)
# --------------------
# INIT or REBINDING: No lease or Lease time expired.
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 68 \
-d $BROADCAST_DEST 67 -j ACCEPT
# Getting renumbered
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 67 \
-d $BROADCAST_DEST 68 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $BROADCAST_DEST 68 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 68 \
-d $DHCP_SERVER 67 -j ACCEPT
# As a result of the above, we're supposed to change our IP
# address with this message, which is addressed to our new
# address before the dhcp client has received the update.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $MY_ISP 68 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $IPADDR 68 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 68 \
-d $DHCP_SERVER 67 -j ACCEPT
# --------------------------------------------------------------------
# NTP (123) - Accessing Remote Network Time Servers
# -------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d <my.time.provider> 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s <my.time.provider> 123 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 123 \
-d <my.time.provider> 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s <my.time.provider> 123 \
-d $IPADDR 123 -j ACCEPT
# --------------------------------------------------------------------
# ICMP
# (4) Source_Quench
# incoming & outgoing requests to slow down (flow control)
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 4 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 4 -d $ANYWHERE -j ACCEPT
# (12) Parameter_Problem
# incoming & outgoing error messages
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 12 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 12 -d $ANYWHERE -j ACCEPT
# (3) Dest_Unreachable, Service_Unavailable
# incoming & outgoing size negotiation, service or
# destination unavailability, final traceroute response
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 3 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 3 -d $MY_ISP -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR fragmentation-needed -d $ANYWHERE -j ACCEPT
# (11) Time_Exceeded
# incoming & outgoing time out conditions,
# also intermediate TTL response to traceroutes
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 11 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 11 -d $MY_ISP -j ACCEPT
# allow outgoing pings to anywhere
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 8 -d $ANYWHERE -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 0 -d $IPADDR -j ACCEPT
# allow incoming pings from trusted hosts
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $MY_ISP 8 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 0 -d $MY_ISP -j ACCEPT
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
# Note that these ports are blocked by default.
# The following rules merely enable logging for blocked packets.
# TCP
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l
# Useful for debugging
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -j REJECT -l
# UDP
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -j DENY -l
# Useful for debugging
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -j REJECT -l
# ICMP
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -j REJECT -l
# --------------------------------------------------------------------
echo "done"
exit 0
---------------------------------------------
could I enter this 1:1 into my firewall config? i.e. with my ipchains version?
regards
gnoovy
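ipchains itself is not available on current systems, so the following Python model, added here and not part of gnoovy's post or of the book the script comes from, encodes a subset of the script's input chain in its original order and runs constructed packets through it with ipchains' first-match semantics. It assumes documentation-range addresses for the script's my.ip.address and my.name.server.1 placeholders.

```python
"""Model of ipchains first-match evaluation for the rc.firewall quoted above.

Added example for this page, not the poster's or the book's code; ipchains is
not executed. A subset of the input chain is encoded in the script's own
order: anti-spoofing DENY rules precede every per-service ACCEPT, and '! -y'
reply rules admit only packets that are not a fresh SYN. Concrete addresses
for the "my.ip.address" style placeholders are constructed.
"""
import ipaddress

EXTERNAL_INTERFACE, LAN_INTERFACE_1 = "eth0", "eth1"
IPADDR = "203.0.113.10"         # constructed stand-in for "my.ip.address"
NAMESERVER_1 = "198.51.100.53"  # constructed stand-in for "my.name.server.1"
LAN_1 = "192.168.1.0/24"
CLASS_A, CLASS_B, CLASS_C = "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"
LOOPBACK = "127.0.0.0/8"
UNPRIVPORTS, XWINDOW_PORTS = "1024:65535", "6000:6063"
ANYWHERE = "0.0.0.0/0"          # ipchains spells this any/0


def _ports(spec):
    """Parse an ipchains port spec: 'N', 'LO:HI', or None meaning any port."""
    if spec is None:
        return 0, 65535
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


class Rule:
    """One 'ipchains -A input ...' line reduced to its match fields and target."""

    def __init__(self, iface, target, proto=None, src=ANYWHERE, sport=None,
                 dst=ANYWHERE, dport=None, syn=None, log=False):
        self.iface, self.target, self.proto, self.log = iface, target, proto, log
        self.src, self.sport = ipaddress.ip_network(src), _ports(sport)
        self.dst, self.dport = ipaddress.ip_network(dst), _ports(dport)
        self.syn = syn  # True for '-y', False for '! -y', None for no SYN test

    def matches(self, pkt):
        if pkt["iface"] != self.iface or (self.proto and pkt["proto"] != self.proto):
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if not (self.sport[0] <= pkt.get("sport", 0) <= self.sport[1]
                and self.dport[0] <= pkt.get("dport", 0) <= self.dport[1]):
            return False
        return self.syn is None or pkt.get("syn", False) == self.syn


# The input chain in the script's own order (a subset); default policy is DENY.
INPUT_CHAIN = [
    Rule(LAN_INTERFACE_1, "ACCEPT", src=LAN_1),                       # 1 LAN side
    Rule(EXTERNAL_INTERFACE, "DENY", src=IPADDR, log=True),           # 2 our own address
    Rule(EXTERNAL_INTERFACE, "DENY", src=CLASS_A),                    # 3 private ranges
    Rule(EXTERNAL_INTERFACE, "DENY", src=CLASS_B),                    # 4
    Rule(EXTERNAL_INTERFACE, "DENY", src=CLASS_C),                    # 5
    Rule(EXTERNAL_INTERFACE, "DENY", src=LOOPBACK, log=True),         # 6
    Rule(EXTERNAL_INTERFACE, "DENY", proto="tcp", syn=True,
         dst=IPADDR, dport=XWINDOW_PORTS, log=True),                  # 7 X11 SYN
    Rule(EXTERNAL_INTERFACE, "ACCEPT", proto="udp", src=NAMESERVER_1,
         sport="53", dst=IPADDR, dport=UNPRIVPORTS),                  # 8 DNS reply
    Rule(EXTERNAL_INTERFACE, "ACCEPT", proto="tcp", syn=False,
         sport="22", dst=IPADDR, dport=UNPRIVPORTS),                  # 9 SSH client reply
    Rule(EXTERNAL_INTERFACE, "ACCEPT", proto="tcp",
         sport=UNPRIVPORTS, dst=IPADDR, dport="22"),                  # 10 SSH server
    Rule(EXTERNAL_INTERFACE, "ACCEPT", proto="tcp", syn=False,
         sport="80", dst=IPADDR, dport=UNPRIVPORTS),                  # 11 HTTP client reply
    Rule(EXTERNAL_INTERFACE, "DENY", proto="tcp", log=True),          # 12 logged catch-alls
    Rule(EXTERNAL_INTERFACE, "DENY", proto="udp", log=True),          # 13
]


def evaluate(pkt, chain=INPUT_CHAIN, policy="DENY"):
    """Return (target, logged, rule_number) of the first matching rule, or
    (policy, False, None) when the chain's default policy decides."""
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, rule.log, number
    return policy, False, None


def tcp(iface, src, sport, dst, dport, syn):
    return {"iface": iface, "proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "syn": syn}


# Constructed sample packets, each exercising one property of the rule order.
SAMPLES = {
    # Private source on eth0: CLASS_C DENY (rule 5) wins over the SSH ACCEPT (rule 10).
    "spoofed_ssh_syn": tcp("eth0", "192.168.5.5", 40000, IPADDR, 22, True),
    # The same 192.168.x source arriving on the LAN interface is accepted by rule 1.
    "lan_ssh_syn": tcp("eth1", "192.168.1.20", 40000, IPADDR, 22, True),
    "internet_ssh_syn": tcp("eth0", "198.51.100.7", 40000, IPADDR, 22, True),
    "x11_syn": tcp("eth0", "198.51.100.7", 40000, IPADDR, 6000, True),
    # A SYN from source port 80 is not a reply: '! -y' fails and the catch-all logs it.
    "syn_from_port_80": tcp("eth0", "198.51.100.7", 80, IPADDR, 40000, True),
    "reply_from_port_80": tcp("eth0", "198.51.100.7", 80, IPADDR, 40000, False),
    "dns_reply": {"iface": "eth0", "proto": "udp", "src": NAMESERVER_1,
                  "sport": 53, "dst": IPADDR, "dport": 5353},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} -> {evaluate(pkt)}")
```

The same walk shows why the private-range DENY rules on the external interface carry no `-l` in the script while the X11 and catch-all rules do: the former fire constantly on a busy link, the latter mark attempts worth a log line.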