Hallo,
hier mein Firewall-Script, erzeugt von fwbuilder:
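#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v2.1.14-1
#
# Generated Wed Sep 19 14:58:12 2007 CEST by root
#
# files: * fw.local.fw
#
#
# Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network.
# This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.
# Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall.
#
# NOTE(review): the description above talks about eth0/eth1, but every
# interface-bound rule in this file uses ppp0. The text looks like it was
# carried over from a fwbuilder example and does not describe this policy.
#
# Review notes on this copy of the script:
#   * `log` and `$i_ppp0` were used but never defined in the file as posted
#     (fwbuilder normally emits helper functions ahead of the "Activating
#     firewall" line). Minimal replacements are defined below so the script
#     runs standalone; with them missing, `log` fails with "not found" and
#     every `test -n "$i_ppp0"` rule is silently skipped.
#   * Variable expansions are quoted and the flush loop reads
#     /proc/net/ip_tables_names directly instead of through `cat`.
#   * No iptables rule was added, removed or reordered. Rule-level findings
#     are NOTE(review) comments next to the rule they concern; they have to
#     be fixed in the fwbuilder policy, not by editing this file.
#
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="lsmod"
MODPROBE="modprobe"
IPTABLES="iptables"
IPTABLES_RESTORE="iptables-restore"
IP="ip"
LOGGER="logger"

# log MESSAGE
#   Print MESSAGE to stdout and, when $LOGGER is available, record it in
#   syslog at priority info.
log() {
  printf '%s\n' "$1"
  if command -v "$LOGGER" >/dev/null 2>&1; then
    "$LOGGER" -p info "$1"
  fi
}

# getaddr DEVICE
#   Print the first IPv4 address configured on DEVICE, or nothing when the
#   device does not exist or has no address (e.g. ppp0 is down).
getaddr() {
  "$IP" -4 addr show dev "$1" 2>/dev/null \
    | sed -n 's/^ *inet \([0-9][0-9.]*\).*/\1/p' \
    | head -n 1
}

# ppp0 has a dynamic address, so it is read at run time. When ppp0 is down
# this stays empty and every `test -n "$i_ppp0" && ...` rule below is
# skipped; the script has to be re-run once the link is up to install the
# address-specific anti-spoofing and self-access rules.
i_ppp0=$(getaddr ppp0)

log 'Activating firewall script generated Mon Sep 24 15:22:30 2007 by root'

# Default policy is DROP on every chain; the rules below open only what the
# policy permits, so anything not listed is dropped (and logged by RULE_11 /
# RULE_15 at the end).
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP

# IPv6 gets the same default policies plus loopback, but only when ip6tables
# is usable on this host. No further IPv6 rules are generated: IPv6 traffic
# other than loopback is dropped entirely.
ip6tables -L -n > /dev/null 2>&1 && {
  ip6tables -P OUTPUT DROP
  ip6tables -P INPUT DROP
  ip6tables -P FORWARD DROP
  ip6tables -A INPUT -i lo -j ACCEPT
  ip6tables -A OUTPUT -o lo -j ACCEPT
}

# Flush every chain of every loaded table and delete the user-defined chains,
# so the policy is installed from a clean state. `-L -n` prints one
# "Chain NAME (...)" header per chain; that header is what we key on.
while IFS= read -r table; do
  "$IPTABLES" -t "$table" -L -n | while read -r c chain _; do
    if test "X$c" = "XChain"; then
      "$IPTABLES" -t "$table" -F "$chain"
    fi
  done
  "$IPTABLES" -t "$table" -X
done < /proc/net/ip_tables_names

# Stateful shortcut: traffic belonging to an already accepted connection is
# passed before any per-rule evaluation, so the rules below only need to
# decide about NEW connections.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
# Masquerade the internal networks behind ppp0's (dynamic) address.
#
"$IPTABLES" -t nat -A POSTROUTING -o ppp0 -s 192.168.50.0/24 -j MASQUERADE
"$IPTABLES" -t nat -A POSTROUTING -o ppp0 -s 192.168.45.0/24 -j MASQUERADE
"$IPTABLES" -t nat -A POSTROUTING -o ppp0 -s 192.168.170.0/24 -j MASQUERADE
"$IPTABLES" -t nat -A POSTROUTING -o ppp0 -s 192.168.30.0/24 -j MASQUERADE
"$IPTABLES" -t nat -A POSTROUTING -o ppp0 -s 192.168.70.0/24 -j MASQUERADE
#
# Rule 1 (NAT)
#
echo "Rule 1 (NAT)"
#
# NOTE(review): all four rules have the same match (tcp from xxx.xxx.xxx.40 to
# port 443). DNAT is a terminating target, so only the first one
# (-> 192.168.45.254:444) ever applies; the other three are dead rules.
# xxx.xxx.xxx.40 is a placeholder in the posted script; iptables cannot
# resolve it as written.
#
"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.40 --dport 443 -j DNAT --to-destination 192.168.45.254:444
"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.40 --dport 443 -j DNAT --to-destination 192.168.50.254:444
"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.40 --dport 443 -j DNAT --to-destination 192.168.30.254:444
"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.40 --dport 443 -j DNAT --to-destination 192.168.20.254:444
#
# Rule 2 (NAT)
#
echo "Rule 2 (NAT)"
#
# Port 80 from xxx.xxx.xxx.40 is redirected to 192.168.50.26 port 8011.
# See the NOTE at Rule 6 (ppp0): the matching FORWARD rule permits 8001, not 8011.
#
"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.40 --dport 80 -j DNAT --to-destination 192.168.50.26:8011
#
# Rule 3 (NAT)
#
echo "Rule 3 (NAT)"
#
# NOTE(review): same pattern as Rule 1 -- for 15661/tcp and for 15665/udp only
# the first DNAT (-> 192.168.45.254) is reachable; the three rules after each
# of them never match. Note also that these DNATs have no -s restriction.
#
"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp --dport 15661 -j DNAT --to-destination 192.168.45.254
"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp --dport 15661 -j DNAT --to-destination 192.168.50.254
"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp --dport 15661 -j DNAT --to-destination 192.168.30.254
"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp --dport 15661 -j DNAT --to-destination 192.168.20.254
"$IPTABLES" -t nat -A PREROUTING -p udp -m udp --dport 15665 -j DNAT --to-destination 192.168.45.254
"$IPTABLES" -t nat -A PREROUTING -p udp -m udp --dport 15665 -j DNAT --to-destination 192.168.50.254
"$IPTABLES" -t nat -A PREROUTING -p udp -m udp --dport 15665 -j DNAT --to-destination 192.168.30.254
"$IPTABLES" -t nat -A PREROUTING -p udp -m udp --dport 15665 -j DNAT --to-destination 192.168.20.254
#
# Rule 4 (NAT)
#
echo "Rule 4 (NAT)"
#
# VoIP-style forwarding (UDP 10000-10500, 5004, 5060) to 192.168.50.26,
# from any source.
#
"$IPTABLES" -t nat -A PREROUTING -p udp -m udp --dport 10000:10500 -j DNAT --to-destination 192.168.50.26
"$IPTABLES" -t nat -A PREROUTING -p udp -m udp -m multiport --dports 5004,5060 -j DNAT --to-destination 192.168.50.26
#
# Rule 0 (ppp0)
#
echo "Rule 0 (ppp0)"
#
# anti spoofing rule
#
# Packets arriving on the external interface that claim an internal or
# private source address (or the firewall's own addresses) are logged and
# dropped, on both INPUT and FORWARD. The $i_ppp0 entry is only installed
# when ppp0 currently has an address (see getaddr above).
#
"$IPTABLES" -N In_RULE_0
test -n "$i_ppp0" && "$IPTABLES" -A INPUT -i ppp0 -s "$i_ppp0" -j In_RULE_0
"$IPTABLES" -A INPUT -i ppp0 -s 192.168.70.250 -j In_RULE_0
"$IPTABLES" -A INPUT -i ppp0 -s 192.168.170.250 -j In_RULE_0
"$IPTABLES" -A INPUT -i ppp0 -s 192.168.50.250 -j In_RULE_0
"$IPTABLES" -A INPUT -i ppp0 -s 192.168.45.250 -j In_RULE_0
"$IPTABLES" -A INPUT -i ppp0 -s 192.168.30.250 -j In_RULE_0
"$IPTABLES" -A INPUT -i ppp0 -s 10.0.0.0/8 -j In_RULE_0
"$IPTABLES" -A INPUT -i ppp0 -s 192.168.0.0/16 -j In_RULE_0
"$IPTABLES" -A INPUT -i ppp0 -s 172.16.0.0/12 -j In_RULE_0
test -n "$i_ppp0" && "$IPTABLES" -A FORWARD -i ppp0 -s "$i_ppp0" -j In_RULE_0
"$IPTABLES" -A FORWARD -i ppp0 -s 192.168.70.250 -j In_RULE_0
"$IPTABLES" -A FORWARD -i ppp0 -s 192.168.170.250 -j In_RULE_0
"$IPTABLES" -A FORWARD -i ppp0 -s 192.168.50.250 -j In_RULE_0
"$IPTABLES" -A FORWARD -i ppp0 -s 192.168.45.250 -j In_RULE_0
"$IPTABLES" -A FORWARD -i ppp0 -s 192.168.30.250 -j In_RULE_0
"$IPTABLES" -A FORWARD -i ppp0 -s 10.0.0.0/8 -j In_RULE_0
"$IPTABLES" -A FORWARD -i ppp0 -s 192.168.0.0/16 -j In_RULE_0
"$IPTABLES" -A FORWARD -i ppp0 -s 172.16.0.0/12 -j In_RULE_0
"$IPTABLES" -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
"$IPTABLES" -A In_RULE_0 -j DROP
#
# Rule 1 (lo)
#
echo "Rule 1 (lo)"
#
# Loopback traffic is unrestricted.
#
"$IPTABLES" -A INPUT -i lo -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
# SSH Access to firewall is permitted
# only from kw.local
#
# Pattern used for the Cid* chains: the INPUT rule matches the service, the
# per-rule chain lists the sources allowed to use it; anything else falls
# through to the later rules.
#
"$IPTABLES" -N Cid4358F46B.0
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid4358F46B.0
"$IPTABLES" -A Cid4358F46B.0 -s 192.168.70.2 -j ACCEPT
"$IPTABLES" -A Cid4358F46B.0 -s 192.168.50.10 -j ACCEPT
"$IPTABLES" -A Cid4358F46B.0 -s 192.168.45.254 -j ACCEPT
"$IPTABLES" -A Cid4358F46B.0 -s 192.168.50.254 -j ACCEPT
"$IPTABLES" -A Cid4358F46B.0 -s 192.168.30.254 -j ACCEPT
"$IPTABLES" -A Cid4358F46B.0 -s 192.168.20.254 -j ACCEPT
#
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
# Firewall serves DNS for internal
# network
#
"$IPTABLES" -N Cid4358F459.0
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j Cid4358F459.0
"$IPTABLES" -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j Cid4358F459.0
"$IPTABLES" -A Cid4358F459.0 -s 192.168.45.0/24 -j ACCEPT
"$IPTABLES" -A Cid4358F459.0 -s 192.168.50.0/24 -j ACCEPT
"$IPTABLES" -A Cid4358F459.0 -s 192.168.170.0/24 -j ACCEPT
"$IPTABLES" -A Cid4358F459.0 -s 192.168.30.0/24 -j ACCEPT
"$IPTABLES" -A Cid4358F459.0 -s 192.168.70.0/24 -j ACCEPT
#
# Rule 4 (ppp0)
#
echo "Rule 4 (ppp0)"
#
# HTTPS/HTTP from xxx.xxx.xxx.40 to the firewall itself. Packets that were
# DNATed by NAT rules 1/2 do not reach INPUT (they go through FORWARD), so
# this only affects connections that were not redirected.
#
"$IPTABLES" -A INPUT -i ppp0 -p tcp -m tcp -m multiport -s xxx.xxx.xxx.40 --dports 443,80 -m state --state NEW -j ACCEPT
#
# Rule 5 (ppp0)
#
echo "Rule 5 (ppp0)"
#
# NOTE(review): FORWARD sees the packet after PREROUTING DNAT. NAT rule 1
# rewrites the destination port to 444, so `--dport 443` here never matches
# the redirected connections; they end up in RULE_15 (logged, dropped). The
# FORWARD rule must match the post-DNAT port (444) for the redirect to work.
#
"$IPTABLES" -N Cid45F26DCB2656.0
"$IPTABLES" -A FORWARD -i ppp0 -p tcp -m tcp -s xxx.xxx.xxx.40 --dport 443 -m state --state NEW -j Cid45F26DCB2656.0
"$IPTABLES" -A Cid45F26DCB2656.0 -d 192.168.45.254 -j ACCEPT
"$IPTABLES" -A Cid45F26DCB2656.0 -d 192.168.50.254 -j ACCEPT
"$IPTABLES" -A Cid45F26DCB2656.0 -d 192.168.30.254 -j ACCEPT
"$IPTABLES" -A Cid45F26DCB2656.0 -d 192.168.20.254 -j ACCEPT
#
# Rule 6 (ppp0)
#
echo "Rule 6 (ppp0)"
#
# NOTE(review): NAT rule 2 redirects to 192.168.50.26 port 8011, but this
# rule permits ports 8001 and 80. Unless 8011/8001 is a typo in one of the
# two places, the redirected HTTP connections are dropped by RULE_15.
#
"$IPTABLES" -A FORWARD -i ppp0 -p tcp -m tcp -m multiport -s xxx.xxx.xxx.40 -d 192.168.50.26 --dports 8001,80 -m state --state NEW -j ACCEPT
#
# Rule 7 (ppp0)
#
echo "Rule 7 (ppp0)"
#
# Same ports as NAT rules 3/4, accepted on INPUT. Since those DNATs match the
# same packets first and send them to FORWARD, these entries presumably only
# matter if the NAT rules are removed; confirm they are intended.
#
"$IPTABLES" -A INPUT -i ppp0 -p tcp -m tcp --dport 15661 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i ppp0 -p udp -m udp --dport 10000:10500 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i ppp0 -p udp -m udp -m multiport --dports 15665,5004,5060 -m state --state NEW -j ACCEPT
#
# Rule 9 (ppp0)
#
echo "Rule 9 (ppp0)"
#
# FORWARD counterpart of NAT rule 3 (ports are not rewritten there, so the
# match is consistent; only the 192.168.45.254 entry is ever hit, see Rule 3 NAT).
#
"$IPTABLES" -N Cid45F283EF2656.0
"$IPTABLES" -A FORWARD -i ppp0 -p tcp -m tcp --dport 15661 -m state --state NEW -j Cid45F283EF2656.0
"$IPTABLES" -A FORWARD -i ppp0 -p udp -m udp --dport 15665 -m state --state NEW -j Cid45F283EF2656.0
"$IPTABLES" -A Cid45F283EF2656.0 -d 192.168.45.254 -j ACCEPT
"$IPTABLES" -A Cid45F283EF2656.0 -d 192.168.50.254 -j ACCEPT
"$IPTABLES" -A Cid45F283EF2656.0 -d 192.168.30.254 -j ACCEPT
"$IPTABLES" -A Cid45F283EF2656.0 -d 192.168.20.254 -j ACCEPT
#
# Rule 10 (ppp0)
#
echo "Rule 10 (ppp0)"
#
# FORWARD counterpart of NAT rule 4.
#
"$IPTABLES" -A FORWARD -i ppp0 -p udp -m udp -d 192.168.50.26 --dport 10000:10500 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -i ppp0 -p udp -m udp -m multiport -d 192.168.50.26 --dports 5004,5060 -m state --state NEW -j ACCEPT
#
# Rule 11 (global)
#
echo "Rule 11 (global)"
#
# All other attempts to connect to
# the firewall are denied and logged
#
# NOTE(review): `-A INPUT -j RULE_11` has no match criteria, so every INPUT
# rule appended after this point -- the INPUT parts of Rule 12 and Rule 13
# and Rule 15's INPUT entry -- is unreachable. Connections the firewall makes
# to its own addresses (Rule 12) and LAN access beyond SSH/DNS (Rule 13) are
# therefore logged as "RULE 11 -- DENY". If those are meant to apply, Rule 11
# has to move below them in the fwbuilder policy.
#
"$IPTABLES" -N RULE_11
test -n "$i_ppp0" && "$IPTABLES" -A OUTPUT -d "$i_ppp0" -j RULE_11
"$IPTABLES" -A OUTPUT -d 192.168.70.250 -j RULE_11
"$IPTABLES" -A OUTPUT -d 192.168.170.250 -j RULE_11
"$IPTABLES" -A OUTPUT -d 192.168.50.250 -j RULE_11
"$IPTABLES" -A OUTPUT -d 192.168.45.250 -j RULE_11
"$IPTABLES" -A OUTPUT -d 192.168.30.250 -j RULE_11
"$IPTABLES" -A INPUT -j RULE_11
"$IPTABLES" -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY "
"$IPTABLES" -A RULE_11 -j DROP
#
# Rule 12 (global)
#
echo "Rule 12 (global)"
#
# Firewall should be able to send
# DNS, HTTP and NTP queries to the Internet
#
# (Also 873/tcp, rsync, which the comment above does not mention.)
#
"$IPTABLES" -N Cid45F22B692656.0
"$IPTABLES" -A INPUT -p tcp -m tcp -m multiport --dports 53,80,873 -m state --state NEW -j Cid45F22B692656.0
"$IPTABLES" -A INPUT -p udp -m udp -m multiport --dports 53,123 -m state --state NEW -j Cid45F22B692656.0
test -n "$i_ppp0" && "$IPTABLES" -A Cid45F22B692656.0 -s "$i_ppp0" -j ACCEPT
"$IPTABLES" -A Cid45F22B692656.0 -s 192.168.70.250 -j ACCEPT
"$IPTABLES" -A Cid45F22B692656.0 -s 192.168.170.250 -j ACCEPT
"$IPTABLES" -A Cid45F22B692656.0 -s 192.168.50.250 -j ACCEPT
"$IPTABLES" -A Cid45F22B692656.0 -s 192.168.45.250 -j ACCEPT
"$IPTABLES" -A Cid45F22B692656.0 -s 192.168.30.250 -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -m tcp -m multiport --dports 53,80,873 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p udp -m udp -m multiport --dports 53,123 -m state --state NEW -j ACCEPT
#
# Rule 13 (global)
#
echo "Rule 13 (global)"
#
# Unrestricted access for 192.168.50.0/24 and 192.168.70.2. The rules carry
# no interface match; spoofed copies of these sources arriving on ppp0 are
# already caught by Rule 0 (192.168.0.0/16 is dropped there).
#
"$IPTABLES" -A INPUT -s 192.168.50.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -s 192.168.70.2 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -s 192.168.50.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -s 192.168.70.2 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.50.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.70.2 -m state --state NEW -j ACCEPT
#
# Rule 14 (ppp0)
#
echo "Rule 14 (ppp0)"
#
# Outbound access to the Internet for the remaining internal networks.
#
"$IPTABLES" -A OUTPUT -o ppp0 -s 192.168.170.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -o ppp0 -s 192.168.45.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -o ppp0 -s 192.168.30.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -o ppp0 -s 192.168.70.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -o ppp0 -s 192.168.170.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -o ppp0 -s 192.168.45.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -o ppp0 -s 192.168.30.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -o ppp0 -s 192.168.70.0/24 -m state --state NEW -j ACCEPT
#
# Rule 15 (global)
#
echo "Rule 15 (global)"
#
# Catch-all: log and drop whatever no earlier rule accepted.
#
"$IPTABLES" -N RULE_15
"$IPTABLES" -A OUTPUT -j RULE_15
"$IPTABLES" -A INPUT -j RULE_15
"$IPTABLES" -A FORWARD -j RULE_15
"$IPTABLES" -A RULE_15 -j LOG --log-level info --log-prefix "RULE 15 -- DENY "
"$IPTABLES" -A RULE_15 -j DROP
#
# Routing between interfaces is switched on only now that the FORWARD
# policy and rules are in place.
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Epilog script
#
# End of epilog script
#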
mfg LANToeter