Gentoo Forums
[OT] Firewall script with iptables
calvin-gr
Tux's lil' helper
Joined: 25 Sep 2004
Posts: 94
Location: Germany

Posted: Sat Oct 09, 2004 3:17 pm    Post subject: [OT] Firewall script with iptables

I wrote this little firewall script (the variables are defined in /etc/conf.d):
Code:
#!/sbin/runscript

depend() {
    before net
}

# locate the iptables binary; abort if it is not installed
checkconfig() {
    if test -x /sbin/iptables
    then
        R=/sbin/iptables
    else
        eerror "Iptables nicht installiert!!!"
        return 1
    fi
}

start() {
    checkconfig || return 1
    ebegin "Starten der Firewall"

    # flush all chains and default-deny in every direction
    $R -F INPUT
    $R -F FORWARD
    $R -F OUTPUT

    $R -P INPUT DROP
    $R -P FORWARD DROP
    $R -P OUTPUT DROP

    # allow loopback
    $R -A INPUT -i lo -j ACCEPT
    $R -A OUTPUT -o lo -j ACCEPT

    # detect spoofing: a loopback source address on a non-loopback interface
    $R -A INPUT ! -i lo -s 127.0.0.1 -j LOG \
        --log-prefix "Loopback gespooft: "
    $R -A INPUT ! -i lo -s 127.0.0.1 -j DROP

    # ICMP: "all" or a list of icmp types
    if [[ $allowout_icmp == all ]]; then
        $R -A OUTPUT -p icmp -j ACCEPT
    else
        for typ in $allowout_icmp
        do
            $R -A OUTPUT -p icmp --icmp-type $typ -j ACCEPT
        done
    fi

    if [[ $allowin_icmp == all ]]; then
        $R -A INPUT -p icmp -j ACCEPT
    else
        for typ in $allowin_icmp
        do
            $R -A INPUT -p icmp --icmp-type $typ -j ACCEPT
        done
    fi

    # DNS: queries to the configured resolvers, replies back to unprivileged ports
    for dns in $allowdns
    do
        $R -A INPUT -p udp -s $dns --sport 53 --dport 1024:65535 -j ACCEPT
        $R -A OUTPUT -p udp --sport 1024:65535 -d $dns --dport 53 -j ACCEPT
        $R -A INPUT -p tcp -s $dns --sport 53 --dport 1024:65535 ! --syn -j ACCEPT
        $R -A OUTPUT -p tcp --sport 1024:65535 -d $dns --dport 53 -j ACCEPT
    done

    # allowed outgoing tcp connections (replies are accepted statelessly as non-SYN packets)
    if [[ $allowout_tcp == all ]]; then
        $R -A OUTPUT -p tcp --sport 1024:65535 -j ACCEPT
        $R -A INPUT -p tcp --dport 1024:65535 ! --syn -j ACCEPT
    else
        for port in $allowout_tcp
        do
            $R -A OUTPUT -p tcp --sport 1024:65535 --dport $port -j ACCEPT
            $R -A INPUT -p tcp --sport $port --dport 1024:65535 ! --syn -j ACCEPT
        done
    fi

    # allowed outgoing udp packets
    if [[ $allowout_udp == all ]]; then
        $R -A OUTPUT -p udp --sport 1024:65535 -j ACCEPT
    else
        for port in $allowout_udp
        do
            $R -A OUTPUT -p udp --sport 1024:65535 --dport $port -j ACCEPT
        done
    fi

    # allowed incoming tcp connections
    if [[ $allowin_tcp == all ]]; then
        $R -A OUTPUT -p tcp --dport 1024:65535 ! --syn -j ACCEPT
        $R -A INPUT -p tcp --sport 1024:65535 -j ACCEPT
    else
        for port in $allowin_tcp
        do
            $R -A OUTPUT -p tcp --sport $port --dport 1024:65535 ! --syn -j ACCEPT
            $R -A INPUT -p tcp --dport $port --sport 1024:65535 -j ACCEPT
        done
    fi

    # allowed incoming udp packets
    if [[ $allowin_udp == all ]]; then
        $R -A INPUT -p udp --sport 1024:65535 -j ACCEPT
    else
        for port in $allowin_udp
        do
            $R -A INPUT -p udp --sport 1024:65535 --dport $port -j ACCEPT
        done
    fi

    eend 0
}

stop() {
    checkconfig || return 1
    ebegin "Stoppen der Firewall"

    # flush everything and fall back to accept-all policies
    $R -F INPUT
    $R -F FORWARD
    $R -F OUTPUT
    $R -P INPUT ACCEPT
    $R -P FORWARD ACCEPT
    $R -P OUTPUT ACCEPT

    eend 0
}


Does anyone see any holes, or can I use the script without problems?
_________________
Apfelmus schmeckt gut!
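An added example (editor's code, not the script from the post) that answers the "any holes?" question from the review side. Two things stand out in the posted script: `eend 0` is called unconditionally, so an iptables error caused by an easy typo (a single-dash `-sport`, a `--dport` with no value) would still be reported as a successful start, and the `! --syn` rules accept any TCP segment without the SYN flag to ports 1024:65535 whether or not a connection exists. The example below builds a ruleset of the same shape in a dry-run mode (printing each iptables command instead of executing it), lints the generated commands for exactly those typos, matches reply traffic with connection tracking instead of `! --syn`, and records every failed iptables call when run for real. The `allow*` variable names mirror the post's /etc/conf.d variables; `IPT`, `DRYRUN`, `rule`, `allow_new`, `build_rules`, `lint_rules` and `demo` are names chosen here, and the resolver address and ports in `demo` are constructed sample values.

```shell
#!/bin/sh
# Added example, not the post's script. Dry-run ruleset generator + linter.
# Assumed config variables: allowdns, allowin_icmp, allowout_icmp,
# allowout_tcp, allowout_udp, allowin_tcp, allowin_udp (as in /etc/conf.d).

IPT=${IPT:-/sbin/iptables}   # real binary, used only when DRYRUN=0
DRYRUN=${DRYRUN:-1}          # 1 = print commands, 0 = execute them
FAILED=0                     # set to 1 by rule() if any real call fails

# rule: print or execute one iptables invocation, remembering failures
rule() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@" || FAILED=1
    fi
}

# allow_new CHAIN PROTO PORTS: accept new tcp/udp connections, "all" or per port
allow_new() {
    chain=$1; proto=$2; ports=$3
    if [ "$ports" = all ]; then
        rule -A "$chain" -p "$proto" -m conntrack --ctstate NEW -j ACCEPT
    else
        for port in $ports; do
            rule -A "$chain" -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        done
    fi
}

# build_rules: emit the complete ruleset, one command per line; returns 1 if
# any real iptables call failed (always 0 in dry-run mode)
build_rules() {
    FAILED=0
    for chain in INPUT FORWARD OUTPUT; do
        rule -F "$chain"
        rule -P "$chain" DROP            # default deny in every direction
    done
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # anti-spoofing: a loopback source must never arrive on another interface
    rule -A INPUT ! -i lo -s 127.0.0.0/8 -j LOG --log-prefix "LOOPBACK-SPOOF:"
    rule -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # packets of a tracked connection pass in both directions; this replaces
    # the stateless '! --syn' rules, which match any non-SYN segment
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    # ICMP: "all" means every type, otherwise a list of type names or numbers
    for typ in $allowin_icmp; do
        [ "$typ" = all ] && typ=any
        rule -A INPUT -p icmp --icmp-type "$typ" -j ACCEPT
    done
    for typ in $allowout_icmp; do
        [ "$typ" = all ] && typ=any
        rule -A OUTPUT -p icmp --icmp-type "$typ" -j ACCEPT
    done
    # DNS only to the configured resolvers; replies come back as ESTABLISHED
    for dns in $allowdns; do
        rule -A OUTPUT -p udp -d "$dns" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        rule -A OUTPUT -p tcp -d "$dns" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done
    allow_new OUTPUT tcp "$allowout_tcp"
    allow_new OUTPUT udp "$allowout_udp"
    allow_new INPUT tcp "$allowin_tcp"
    allow_new INPUT udp "$allowin_udp"
    return "$FAILED"
}

# lint_rules: read generated commands on stdin; reject a single-dash
# '-sport'/'-dport' and a '--sport'/'--dport' with no port value behind it
lint_rules() {
    bad=0
    while IFS= read -r line; do
        prev=
        for tok in $line; do
            case $tok in
                -sport|-dport) echo "lint: single-dash option '$tok': $line" >&2; bad=1 ;;
            esac
            case $prev in
                --sport|--dport)
                    case $tok in
                        -*) echo "lint: $prev without a port value: $line" >&2; bad=1 ;;
                    esac ;;
            esac
            prev=$tok
        done
        case $prev in
            --sport|--dport) echo "lint: $prev at end of line: $line" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# demo: constructed sample configuration, dry-run build, lint, print on success
demo() {
    allowdns="192.0.2.53"; allowin_icmp="echo-request"; allowout_icmp=all
    allowout_tcp="80 443"; allowout_udp="123"; allowin_tcp="22"; allowin_udp=""
    DRYRUN=1
    rules=$(build_rules)
    printf '%s\n' "$rules" | lint_rules || return 1
    printf '%s\n' "$rules"
}
```

Running `demo` prints the generated commands for the sample configuration only after they pass the linter; with `DRYRUN=0` and the real config variables sourced, `build_rules` applies the rules and its exit status tells a wrapper whether every iptables call succeeded, which is the check the post's `eend 0` skips.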