
Dynamische Firewall (kx_fw_dyn.sh):

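#!/bin/sh

# /etc/init.d/kx_fw_dyn.sh
#
# Builds a dynamic iptables firewall from the addresses the user entered via
# kx_ip_erfragen.sh.  That script is expected to leave two files behind,
# /tmp/ipsub_intern.txt and /tmp/ipsub_extern.txt, each holding one
# "ADDRESS/SUBNET" entry; the partner host is derived from the internal
# address by incrementing its last octet.  /tmp/fw_fertig.txt is created
# once the complete rule set has been loaded.
#
# Usage: kx_fw_dyn.sh {start|stop|restart}
#
# set -e: any failing iptables call aborts the script (see the note on the
# default policies in "start"); set -u: unset variables are errors.

set -eu

readonly IPTABLES=/sbin/iptables
readonly SECSERVER=192.168.216.254   # admin host allowed to reach SSH/Telnet

# die MESSAGE...: print MESSAGE to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# is_ipv4 STRING: succeed iff STRING is a dotted quad of decimal octets 0-255
# without leading zeros (the shell would read those as octal in $(( ))).
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  # Only digits and dots remain, so splitting on "." cannot trigger globbing.
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      0[0-9]*) return 1 ;;
      [0-9]|[0-9][0-9]|[0-9][0-9][0-9]) [ "$octet" -le 255 ] || return 1 ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# load_ipsub FILE: read the "ADDRESS/SUBNET" pair from FILE into IP and SUB.
# FILE lives in world-writable /tmp, so the values are validated before they
# are interpolated into iptables rules; anything implausible aborts "start".
load_ipsub() {
  file=$1
  [ -f "$file" ] || die "Fehler: $file fehlt - bitte zuerst kx_ip_erfragen.sh ausfuehren"
  set -f   # no pathname expansion while the file contents are split into words
  set -- $(tr '/' ' ' < "$file")
  set +f
  IP=${1:-}
  SUB=${2:-}
  is_ipv4 "$IP" || die "Fehler: ungueltige IP-Adresse '$IP' in $file"
  case $SUB in
    ''|*[!0-9.]*) die "Fehler: ungueltige Subnetzangabe '$SUB' in $file" ;;
  esac
}

# accept_new CHAIN PROTO PORT [MATCH...]: accept new connections from an
# unprivileged source port to PORT on CHAIN; MATCH narrows the rule, e.g. "-s ADDR".
accept_new() {
  ch=$1 proto=$2 pt=$3
  shift 3
  "$IPTABLES" -A "$ch" -p "$proto" "$@" --sport 1024: --dport "$pt" \
    -m state --state NEW -j ACCEPT
}

# log_and_accept_tcp CHAIN PORT [MATCH...]: like accept_new for TCP, but log
# the connection attempt (SYN) first so new sessions show up in the kernel log.
log_and_accept_tcp() {
  ch=$1 pt=$2
  shift 2
  "$IPTABLES" -A "$ch" -p tcp "$@" --sport 1024: --dport "$pt" --syn -j LOG
  accept_new "$ch" tcp "$pt" "$@"
}

case "${1:-}" in

start)
  load_ipsub /tmp/ipsub_intern.txt
  IP_INT=$IP SUB_INT=$SUB
  load_ipsub /tmp/ipsub_extern.txt
  IP_EXT=$IP SUB_EXT=$SUB
  # SUB_INT, IP_EXT and SUB_EXT are read and validated but not used by the
  # rules below.

  # Partner host: same first three octets as the internal address, last octet + 1.
  last=${IP_INT##*.}
  [ "$last" -lt 255 ] || die "Fehler: letztes Oktett von $IP_INT ist 255, Partner-IP nicht ableitbar"
  IP_PARTNER=${IP_INT%.*}.$((last + 1))
  echo "IP des Partnerrechners: $IP_PARTNER"

  # The flag file is only recreated once every rule below has been loaded.
  # NOTE(review): a fixed, predictable path in /tmp is followed through a
  # pre-existing symlink when written; a root-owned directory would be safer.
  rm -f /tmp/fw_fertig.txt

  # Default-deny before adding any rule: with set -e an iptables failure then
  # leaves the host closed instead of wide open with a partial rule set.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  echo "localhost erlauben"
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

  printf '%s' "Ping/Traceroute erlauben..."
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -A "$chain" -p icmp --icmp-type echo-request -j ACCEPT   # ping
    "$IPTABLES" -A "$chain" -p udp --dport 33000: -j ACCEPT              # traceroute probes
  done
  echo " done"

  echo "Ausgehende DNS-Abfragen"
  accept_new OUTPUT udp 53
  accept_new FORWARD udp 53

  # Outgoing Telnet, FTP, SSH and SMTP: logged and accepted, locally and forwarded.
  # For FTP only the control connection is opened here; the data connections are
  # expected to be picked up as RELATED by the state rules at the end.
  for svc in 23:Telnet 21:FTP 22:SSH 25:SMTP; do
    port=${svc%%:*}
    name=${svc#*:}
    echo "Ausgehende $name-Verbindungen"
    log_and_accept_tcp OUTPUT "$port"
    log_and_accept_tcp FORWARD "$port"
  done

  echo "Ausgehende Port 3128(Proxy)-Verbindungen"
  accept_new OUTPUT tcp 3128
  accept_new FORWARD tcp 3128

  # Incoming SSH and Telnet only from the admin host and the partner host.
  # (Forwarded SSH/Telnet is already covered by the outgoing FORWARD rules.)
  echo "Eingehendes SSH vom Secserver"
  log_and_accept_tcp INPUT 22 -s "$SECSERVER"
  echo "Eingehendes SSH vom Partnerrechner $IP_PARTNER"
  log_and_accept_tcp INPUT 22 -s "$IP_PARTNER"

  echo "Eingehendes Telnet vom Secserver"
  log_and_accept_tcp INPUT 23 -s "$SECSERVER"
  echo "Eingehendes Telnet vom Partnerrechner $IP_PARTNER"
  log_and_accept_tcp INPUT 23 -s "$IP_PARTNER"

  echo "Eingehendes FTP"
  log_and_accept_tcp INPUT 21

  echo "Eingehendes DNS"
  accept_new INPUT udp 53

  echo "Eingehendes NTP"
  accept_new INPUT udp 123
  accept_new FORWARD udp 123

  echo "Eingehendes SMTP"
  log_and_accept_tcp INPUT 25

  echo "Eingehender Squid"
  accept_new INPUT tcp 3128

  # Replies to the connections allowed above, plus whatever conntrack marks as related.
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done

  echo "1" > /tmp/fw_fertig.txt
  ;;

stop)
  "$IPTABLES" -F
  "$IPTABLES" -F -t nat || true   # keep stopping even if the nat table is unavailable
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  echo "Firewall gestoppt"
  ;;

restart)
  "$0" stop
  "$0" start
  echo "Firewall restartet"
  ;;

*)
  echo "Usage $0 {start|stop|restart}" >&2
  exit 1
  ;;

esac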

