Benutzer-Werkzeuge
firewall
Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
|
firewall [2010/06/18 23:11] |
firewall [2010/06/18 23:11] (aktuell) |
||
|---|---|---|---|
| Zeile 1: | Zeile 1: | ||
| + | ====== Firewall ====== | ||
| + | <code> | ||
| + | #! /bin/sh | ||
| + | # Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany. | ||
| + | # All rights reserved. | ||
| + | # | ||
| + | # Author: Matthias Praunegger | ||
| + | # Please send feedback to http://bgweiz.at | ||
| + | |||
| + | ### BEGIN INIT INFO | ||
| + | # Provides: | ||
| + | # Required-Start: | ||
| + | # Should-Start: | ||
| + | # Required-Stop: | ||
| + | # Should-Stop: | ||
| + | # Default-Start: 3 5 | ||
| + | # Default-Stop: 0 1 2 6 | ||
| + | # Short-Description: Firewall | ||
| + | # Description: Firewall for BG/BRG Weiz | ||
| + | ### END INIT INFO | ||
| + | |||
| + | IPTABLES=/sbin/iptables | ||
| + | test -x $IPTABLES_BIN || { echo "$IPTABLES_BIN not installed"; | ||
| + | if [ "$1" = "stop" ]; then exit 0; | ||
| + | else exit 5; fi; } | ||
| + | |||
| + | . /etc/rc.status | ||
| + | |||
| + | # Reset status of this service | ||
| + | rc_reset | ||
| + | |||
| + | case "$1" in | ||
| + | start) | ||
| + | echo -n "Starting firewall " | ||
| + | |||
| + | # Variablen | ||
| + | OUT="-m physdev --physdev-in eth0 --physdev-out eth1 " | ||
| + | IN="-m physdev --physdev-in eth1 --physdev-out eth0 " | ||
| + | IPT="iptables -A FORWARD " | ||
| + | TCP="-p tcp " | ||
| + | UDP="-p udp " | ||
| + | DPORT="--destination-port " | ||
| + | IP1d="-d 193.170.221.1 " | ||
| + | IP2d="-d 193.170.221.2 " | ||
| + | IP3d="-d 193.170.221.3 " | ||
| + | IP4d="-d 193.170.221.4 " | ||
| + | IP5d="-d 193.170.221.5 " | ||
| + | IP1s="-s 193.170.221.1 " | ||
| + | IP2s="-s 193.170.221.2 " | ||
| + | IP3s="-s 193.170.221.3 " | ||
| + | IP4s="-s 193.170.221.4 " | ||
| + | IP5s="-s 193.170.221.5 " | ||
| + | |||
| + | ### .1 | ||
| + | #$IPT $IN $TCP $DPORT 21 $IP1d -j ACCEPT | ||
| + | ##$IPT $IN $TCP $DPORT 22 $IP1d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 25 $IP1d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 123 $IP1d -j ACCEPT | ||
| + | $IPT $IN $UDP $DPORT 123 $IP1d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 53 $IP1d -j ACCEPT | ||
| + | $IPT $IN $UDP $DPORT 53 $IP1d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 80 $IP1d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 110 $IP1d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 995 $IP1d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 443 $IP1d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 31337 $IP1d -j ACCEPT | ||
| + | $IPT $IN -p icmp --icmp-type 8 $IP1d -j ACCEPT | ||
| + | |||
| + | #$IPT $OUT $TCP $DPORT 21 $IP1s -j ACCEPT | ||
| + | ##$IPT $OUT $TCP $DPORT 22 $IP1s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 25 $IP1s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 123 $IP1s -j ACCEPT | ||
| + | $IPT $OUT $UDP $DPORT 123 $IP1s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 53 $IP1s -j ACCEPT | ||
| + | $IPT $OUT $UDP $DPORT 53 $IP1s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 80 $IP1s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 110 $IP1s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 443 $IP1s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 31337 $IP1s -j ACCEPT | ||
| + | $IPT $OUT -p icmp --icmp-type 8 $IP1s -j ACCEPT | ||
| + | |||
| + | ### .2 | ||
| + | $IPT $IN $TCP $DPORT 22 $IP2d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 53 $IP2d -j ACCEPT | ||
| + | #$IPT $IN $UDP $DPORT 53 $IP2s -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 80 $IP2d -j ACCEPT | ||
| + | $IPT $IN -p icmp --icmp-type 8 $IP2d -j ACCEPT | ||
| + | |||
| + | $IPT $OUT $TCP $DPORT 22 $IP2s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 53 $IP2s -j ACCEPT | ||
| + | #$IPT $OUT $UDP $DPORT 53 $IP2s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 80 $IP2s -j ACCEPT | ||
| + | $IPT $OUT -p icmp --icmp-type 8 $IP2s -j ACCEPT | ||
| + | |||
| + | ### .3 | ||
| + | ##$IPT $IN $TCP $DPORT 22 $IP3d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 25 $IP3d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 110 $IP3d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 143 $IP3d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 80 $IP3d -j ACCEPT | ||
| + | $IPT $IN -p icmp --icmp-type 8 $IP3d -j ACCEPT | ||
| + | |||
| + | ##$IPT $OUT $TCP $DPORT 22 $IP3s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 25 $IP3s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 110 $IP3s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 143 $IP3s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 80 $IP3s -j ACCEPT | ||
| + | $IPT $OUT -p icmp --icmp-type 8 $IP3s -j ACCEPT | ||
| + | |||
| + | ### .4 | ||
| + | #$IPT $IN $TCP $DPORT 20 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $UDP $DPORT 20 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 21 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $UDP $DPORT 21 $IP4d -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 1024:65535 $IP4d -j ACCEPT | ||
| + | ##$IPT $OUT $TCP $DPORT 20000:20120 $IP4d -j ACCEPT | ||
| + | #$IPT $OUT $UDP $DPORT 1024:65535 $IP4d -j ACCEPT | ||
| + | ##$IPT $OUT $UDP $DPORT 20000:20120 $IP4d -j ACCEPT | ||
| + | ##$IPT $IN $TCP $DPORT 22 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 25 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 123 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $UDP $DPORT 123 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 53 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $UDP $DPORT 53 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 80 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 81 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 902 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 110 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 995 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 443 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 31337 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 5801 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 5802 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 5803 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 5804 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 5901 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 5902 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 5903 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 5904 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 6001 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 6002 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 6003 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 6004 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 9090 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 8080 $IP4d -j ACCEPT | ||
| + | #$IPT $IN $TCP $DPORT 1234 $IP4d -j ACCEPT | ||
| + | $IPT $IN -p icmp --icmp-type 8 $IP4d -j ACCEPT | ||
| + | |||
| + | #$IPT $OUT $TCP $DPORT 20 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $UDP $DPORT 20 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 21 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $UDP $DPORT 21 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 1024:65535 $IP4s -j ACCEPT | ||
| + | ##$IPT $OUT $TCP $DPORT 20000:20120 $IP4s -j ACCEPT | ||
| + | ##$IPT $OUT $UDP $DPORT 1024:65535 $IP4s -j ACCEPT | ||
| + | ##$IPT $OUT $UDP $DPORT 20000:20120 $IP4s -j ACCEPT | ||
| + | ##$IPT $OUT $TCP $DPORT 22 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 25 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 123 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $UDP $DPORT 123 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 53 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $UDP $DPORT 53 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 80 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 81 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 902 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 110 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 443 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 5801 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 5802 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 5803 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 5804 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 5901 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 5902 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 5903 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 5904 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 6001 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 6002 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 6003 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 6004 $IP4s -j ACCEPT | ||
| + | #$IPT $OUT $TCP $DPORT 31337 $IP4s -j ACCEPT | ||
| + | $IPT $OUT -p icmp --icmp-type 8 $IP4s -j ACCEPT | ||
| + | |||
| + | ### .5 | ||
| + | |||
| + | #ftp | ||
| + | #HIGH="1024:65535" | ||
| + | # | ||
| + | # $IPT $IN $TCP $DPORT 20 $IP5d -j ACCEPT | ||
| + | # $IPT $IN $UDP $DPORT 20 $IP5d -j ACCEPT | ||
| + | # $IPT $IN $TCP $DPORT 21 $IP5d -j ACCEPT | ||
| + | # $IPT $IN $UDP $DPORT 21 $IP5d -j ACCEPT | ||
| + | # #$IPT $IN $TCP $DPORT $HIGH $IP5d -j ACCEPT | ||
| + | # #$IPT $IN $UDP $DPORT $HIGH $IP5d -j ACCEPT | ||
| + | | ||
| + | $IPT $IN $TCP $DPORT 8080 $IP5d -j ACCEPT | ||
| + | # poesi | ||
| + | $IPT $IN $TCP $DPORT 110 $IP5d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 6885 $IP5d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 16063 $IP5d -j ACCEPT | ||
| + | $IPT $IN $UDP $DPORT 16063 $IP5d -j ACCEPT | ||
| + | $IPT $IN $TCP $DPORT 4346 $IP5d -j ACCEPT | ||
| + | |||
| + | $IPT $IN $TCP $DPORT 7924 $IP5d -j ACCEPT | ||
| + | $IPT $IN $UDP $DPORT 7924 $IP5d -j ACCEPT | ||
| + | |||
| + | # $IPT $OUT $TCP $DPORT 20 $IP5s -j ACCEPT | ||
| + | # $IPT $OUT $UDP $DPORT 21 $IP5s -j ACCEPT | ||
| + | # $IPT $OUT $TCP $DPORT 21 $IP5s -j ACCEPT | ||
| + | # $IPT $OUT $UDP $DPORT 21 $IP5s -j ACCEPT | ||
| + | # #$IPT $OUT $TCP $DPORT $HIGH $IP5s -j ACCEPT | ||
| + | # #$IPT $OUT $UDP $DPORT $HIGH $IP5s -j ACCEPT | ||
| + | |||
| + | $IPT $OUT $TCP $DPORT 22 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 25 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 53 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $UDP $DPORT 53 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 80 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 110 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 143 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 443 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 1755 $IP5s -j ACCEPT | ||
| + | |||
| + | $IPT $OUT $TCP $DPORT 6667 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 5190 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 8000 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 8080 $IP5s -j ACCEPT | ||
| + | |||
| + | # www.portal.at | ||
| + | $IPT $OUT $TCP $DPORT 9080 $IP5s -j ACCEPT | ||
| + | # telebanking psk | ||
| + | $IPT $OUT $TCP $DPORT 3048 $IP5s -j ACCEPT | ||
| + | |||
| + | # poesi | ||
| + | $IPT $OUT $TCP $DPORT 4346 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 16063 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $UDP $DPORT 16063 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $TCP $DPORT 6885 $IP5s -j ACCEPT | ||
| + | |||
| + | $IPT $OUT $TCP $DPORT 7924 $IP5s -j ACCEPT | ||
| + | $IPT $OUT $UDP $DPORT 7924 $IP5s -j ACCEPT | ||
| + | |||
| + | # FTP | ||
| + | |||
| + | HIGH_PORTS="1024:65535" | ||
| + | ##rückwand | ||
| + | iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| + | ## verbindungsaufbau ftp: | ||
| + | iptables -A FORWARD -o eth0 -p tcp --sport $HIGH_PORTS --dport ftp -m state --state NEW -j ACCEPT | ||
| + | ## passives ftp: | ||
| + | iptables -A FORWARD -o eth0 -p tcp --sport $HIGH_PORTS --dport $HIGH_PORTS -m state --state NEW -j ACCEPT | ||
| + | # | ||
| + | # verbindungsaufbau ftp: | ||
| + | iptables -A FORWARD -o eth0 -p udp --sport $HIGH_PORTS --dport ftp -m state --state NEW -j ACCEPT | ||
| + | ## passives ftp: | ||
| + | iptables -A FORWARD -o eth0 -p udp --sport $HIGH_PORTS --dport $HIGH_PORTS -m state --state NEW -j ACCEPT | ||
| + | # | ||
| + | # PTF | ||
| + | |||
| + | |||
| + | |||
| + | iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 16063 -j DNAT --to-destination 193.170.221.5:16063 | ||
| + | |||
| + | iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4346 -j DNAT --to-destination 193.170.221.5:6346 | ||
| + | # webmail klockwork | ||
| + | $IPT $OUT $TCP $DPORT 8888 $IP5s -j ACCEPT | ||
| + | |||
| + | $IPT $OUT -p icmp --icmp-type 8 $IP5s -j ACCEPT | ||
| + | |||
| + | ### alle | ||
| + | $IPT -m physdev --physdev-is-bridged -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| + | |||
| + | ### dropall | ||
| + | $IPT -j DROP | ||
| + | |||
| + | rc_status -v | ||
| + | ;; | ||
| + | stop) | ||
| + | echo -n "Shutting down firewall " | ||
| + | |||
| + | iptables -F | ||
| + | |||
| + | rc_status -v | ||
| + | ;; | ||
| + | restart) | ||
| + | $0 stop | ||
| + | $0 start | ||
| + | rc_status | ||
| + | ;; | ||
| + | status) | ||
| + | echo -n "Checking for service firewall " | ||
| + | |||
| + | iptables -L | ||
| + | |||
| + | rc_status -v | ||
| + | ;; | ||
| + | *) | ||
| + | echo "Usage: $0 {start|stop|status|restart}" | ||
| + | exit 1 | ||
| + | ;; | ||
| + | esac | ||
| + | rc_exit | ||
| + | </code> | ||
firewall.txt · Zuletzt geändert: 2010/06/18 23:11 (Externe Bearbeitung)
Seiten-Werkzeuge
Falls nicht anders bezeichnet, ist der Inhalt dieses Wikis unter der folgenden Lizenz veröffentlicht: CC Attribution-Noncommercial-Share Alike 4.0 International
