Firewall und Masquerade für Router unter Suse 7.3

tomtom
Posts: 8
Joined: 29. Apr 2002 10:32

Firewall und Masquerade für Router unter Suse 7.3

#1 Post by tomtom »

Hallo zusammen!!!

Mein Router läuft jetzt, wenn ich die unten aufgeführten Befehle eintippe:

# Turn on IPv4 forwarding between the interfaces of this host.
echo "1" >/proc/sys/net/ipv4/ip_forward
# Load the netfilter core and the NAT table module.
modprobe ip_tables
modprobe iptable_nat
# Masquerade everything that leaves through the dial-in interface ippp0.
# NOTE(review): there is no -s restriction and no filter rule at all, so once
# forwarding is on the router relays whatever reaches it; the script further
# down limits the NAT rule to the LAN range and starts from a DROP policy.
iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE

Ich möchte das allerdings nicht jedes Mal tippen, wenn mein Server neu startet. Ich weiß, ein Server läuft eigentlich durch!
Außerdem möchte ich die Firewall mit Regeln ergänzen, habe aber keine Ahnung von iptables.
Des Weiteren möchte ich per Dial-In einen FTP-Bereich und Samba-Freigaben zugänglich machen.

Hat jemand Tipps für mich?
Übrigens läuft bei mir in der Standard-Installation immer /usr/sbin/lisa mit und sorgt alle 1:20 h für einen Multicast,
was zur automatischen Einwahl ins Internet führt!
Habe das in /etc/rc.config erst mal auf "none" gesetzt, dann hört der Multicast auf!
Was macht eigentlich lisa (irgendwas mit laninternet... für KDE???)

Vielen Dank für jeden Tipp

tomtom

gewitter
Posts: 1354
Joined: 09. Apr 2001 9:03

Re: Firewall und Masquerade für Router unter Suse 7.3

#2 Post by gewitter »

Im <!--http--><a href="http://www.pl-berichte.de/t_netzwerk/fi ... enbau.html" target="_blank">Forum</a><!--url--> gibt es eine Firewall, der du deine Befehle hinzufügen kannst. Lediglich FTP geht damit noch nicht. Das Skript wird nach /etc/init.d kopiert und kann über noch anzulegende Links aus den Runlevels 3 und 5 heraus gestartet werden, bzw. bei jeder Einwahl aus /etc/ppp/ip-up heraus gestartet und auch wieder gestoppt werden. Das geänderte Skript könnte so aussehen, dann klappt wenigstens auch passives FTP:

#!/bin/sh
#
# Packet filter and masquerading for a dial-up router: one external
# (untrusted) interface, one LAN behind it.
#
# Usage: firewall start|stop|close
#   start - install the rule set; the filter starts from DROP policies
#   stop  - remove all rules and set ACCEPT policies (host is unfiltered)
#   close - remove all rules and set DROP policies (no traffic at all)
#
# Meant to be copied to /etc/init.d and linked into the runlevels, or to be
# run from /etc/ppp/ip-up on every dial-in.  The guard below is commented
# out; presumably it is meant for the ip-up call, which passes extra
# arguments -- confirm before enabling it.
# test "x$2" = "x" && exit 0

# External interface(s).  A space separated list is accepted; every rule
# that mentions ${INTERFACE} is repeated per entry.
INTERFACE=ippp0
# Internal interface.  Not referenced by the rules below, which classify
# traffic as "not ${INTERFACE}" instead.
INTERN=eth0
# Address range of the LAN that gets masqueraded.
LOCAL=192.168.0.0/24
# Location of the iptables binary.
IPTABLES=/usr/sbin/iptables
#
Stop()
{
  # "stop": remove the filter and fall back to ACCEPT on every chain.
  # Caution: the host and the LAN are then completely unfiltered while
  # forwarding and the NAT rules stay active (Flush does not touch the nat
  # table or /proc/sys/net/ipv4/ip_forward).
  Flush ACCEPT
}

Close()
{
  # "close": remove the filter and DROP everything on every chain.  Start
  # calls this first so that the rule set is built up from a closed state.
  Flush DROP
}


# Stop and Close above both delegate to this helper:

Flush()
{
  # Reset the filter table: set the policy given in $1 (ACCEPT or DROP) on
  # the three built-in chains, delete every rule and remove the user chains
  # that Start creates.  The nat table is left alone, so masquerading
  # survives a "stop"; ip_forward is not reset either.
  for i in INPUT OUTPUT FORWARD; do
    ${IPTABLES} -P ${i} $1
  done
  ${IPTABLES} -F
  for i in INPUT OUTPUT FORWARD; do
    ${IPTABLES} -F ${i}
  done
  # The -X calls fail harmlessly when the chain does not exist (first run).
  for i in destroy in_private out_private; do
    ${IPTABLES} -X ${i} > /dev/null 2>&1
  done
  # ${IPTABLES} -X masquerades > /dev/null 2>&1
}

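Start()
{
  # Build the rule set.  Rules are appended, so the order matters: start
  # from DROP policies, create the logging chain, add anti-spoofing and NAT,
  # trust the LAN side, then open individual services.
  Close
  CreateBucket
  EgressFilter
  AcceptLocal

  # Services the router and the LAN may use on the Internet.  The In*
  # variants open a port TOWARDS the Internet; use them only for services
  # that are really meant to be reachable from outside.
  # InOutTCP 22 # auth, Telnet and ssh
  OutTCP http 81 https 8080
  OutTCP smtp finger pop3 nntp
  # OutTCP 871 # sup
  # OutTCP realplayer
  # OutTCP cvspserver
  # OutTCP 6667 # IRC
  OutFTP
  # OutTCP time
  OutUDP time # ntp

  # NOTE(review): InOutUDP also accepts NEW UDP/53 from ${INTERFACE} on
  # INPUT and FORWARD, i.e. it publishes a DNS server on the router or the
  # LAN to the Internet.  For a plain resolver client "OutUDP domain" is
  # enough; kept as it was because the intent is not visible here.
  InOutUDP domain

  # ICMP.  Errors and replies that belong to a tracked connection (path MTU
  # discovery, unreachables, echo replies, traceroute) plus rate-limited
  # echo requests may come in or be forwarded.  Other unsolicited ICMP
  # from the Internet (redirects, timestamp requests, ...) falls through
  # to the DROP policy.  Outbound ICMP is not restricted.  LAN-side ICMP
  # was already accepted by AcceptLocal.
  ${IPTABLES} -A INPUT -j ACCEPT -p icmp -m state --state ESTABLISHED,RELATED
  ${IPTABLES} -A INPUT -j ACCEPT -p icmp --icmp-type echo-request -m limit --limit 5/second
  ${IPTABLES} -A OUTPUT -j ACCEPT -p icmp
  ${IPTABLES} -A FORWARD -j ACCEPT -p icmp -m state --state ESTABLISHED,RELATED
  ${IPTABLES} -A FORWARD -j ACCEPT -p icmp --icmp-type echo-request -m limit --limit 5/second
  # Clamp the MSS of forwarded SYNs to the path MTU of the PPP link.
  ${IPTABLES} -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

  # Everything not accepted above is logged and dropped.  FORWARD gets the
  # same catch-all so that blocked LAN traffic shows up in the log instead
  # of vanishing silently under the DROP policy.
  ${IPTABLES} -A INPUT -j destroy
  ${IPTABLES} -A OUTPUT -j destroy
  ${IPTABLES} -A FORWARD -j destroy
  # Masquerading itself is set up in EgressFilter.
  # ${IPTABLES} -A POSTROUTING -t nat -o $INTERFACE -s $LOCAL -j MASQUERADE
}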

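CreateBucket()
{
  # Create the "destroy" chain: whatever is sent here is logged (rate
  # limited with the defaults of the limit match) and then dropped.  The
  # log prefix makes the entries easy to grep out of the syslog and to
  # alert on; without it firewall drops are indistinguishable from other
  # kernel messages.
  ${IPTABLES} -N destroy

  ${IPTABLES} -A destroy -j LOG --log-level notice --log-prefix "FW-DROP: " -m limit
  ${IPTABLES} -A destroy -j DROP
}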

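EgressFilter()
{
  # Anti-spoofing and NAT for the external interface(s).  Despite the name
  # this covers both directions: packets with a private, loopback,
  # link-local, multicast or reserved address must neither come in from
  # nor leave towards the Internet.  Matches go to "destroy" (log + drop).
  # 192.168.0.0/16 contains ${LOCAL}, so a packet from the Internet that
  # claims to come from the LAN is dropped here.
  ${IPTABLES} -N in_private
  ${IPTABLES} -F in_private
  for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
             0.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4; do
    ${IPTABLES} -A in_private -j destroy -s ${net}
  done

  # Don't let such addresses escape either.
  ${IPTABLES} -N out_private
  ${IPTABLES} -F out_private
  for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
             0.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4; do
    ${IPTABLES} -A out_private -j destroy -d ${net}
  done

  # Turn on forwarding, and reverse-path filtering on every interface: the
  # kernel then discards packets whose source address would not be routed
  # back through the interface they arrived on -- a second line of defence
  # against spoofed sources on top of the address lists above.
  echo "1" > /proc/sys/net/ipv4/ip_forward
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    [ -f "${f}" ] && echo "1" > "${f}"
  done

  # Masquerade only ${LOCAL} towards the external interface(s) and hook the
  # anti-spoofing chains into INPUT/OUTPUT/FORWARD for those interfaces.
  ${IPTABLES} -F POSTROUTING -t nat
  ${IPTABLES} -F PREROUTING -t nat
  for dev in ${INTERFACE}; do
    ${IPTABLES} -A POSTROUTING -t nat -o ${dev} -s ${LOCAL} -j MASQUERADE
    ${IPTABLES} -A INPUT -j in_private -i ${dev}
    ${IPTABLES} -A FORWARD -j in_private -i ${dev}
    ${IPTABLES} -A OUTPUT -j out_private -o ${dev}
    ${IPTABLES} -A FORWARD -j out_private -o ${dev}
  done
}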

AcceptLocal()
{
  # Everything that does not involve an external interface is trusted:
  # traffic to and from the router on the LAN side and LAN-to-LAN
  # forwarding.  Forwarding from an external interface straight back out
  # of it is sent to "destroy".
  # Two caveats: "-i ! dev" is the negation syntax of the iptables release
  # this was written for (newer releases expect "! -i dev"), and with more
  # than one entry in ${INTERFACE} "-i ! A" still matches packets from B,
  # so the list form is only safe with a single external interface.
  for dev in ${INTERFACE}; do
    ${IPTABLES} -A INPUT -j ACCEPT -i \! ${dev}
    ${IPTABLES} -A OUTPUT -j ACCEPT -o \! ${dev}
    ${IPTABLES} -A FORWARD -j ACCEPT -i \! ${dev} -o \! ${dev}
    ${IPTABLES} -A FORWARD -j destroy -i ${dev} -o ${dev}
  done
}

InOutTCP()
{
  # Open the TCP port(s) given as arguments in both directions, i.e.
  # publish them to the Internet (InTCP) and allow reaching them (OutTCP).
  for fn in InTCP OutTCP; do
    ${fn} $*
  done
}

InOutUDP()
{
  # Open the UDP port(s) given as arguments in both directions, i.e.
  # publish them to the Internet (InUDP) and allow reaching them (OutUDP).
  for fn in InUDP OutUDP; do
    ${fn} $*
  done
}

InTCP()
{
  # Publish the TCP port(s) given as arguments on the external
  # interface(s): new connections from the Internet to the router (INPUT)
  # are accepted and their replies let out.  The FORWARD pair does the
  # same for hosts behind the router, which only becomes useful together
  # with a DNAT rule -- this script sets none up.
  # Every port listed here is reachable from the Internet; use sparingly.
  for port in $*; do
    for dev in ${INTERFACE}; do
      # request from outside, reply back out
      ${IPTABLES} -A INPUT -j ACCEPT -i ${dev} -p tcp --dport ${port} -m state --state NEW,ESTABLISHED,RELATED
      ${IPTABLES} -A OUTPUT -j ACCEPT -o ${dev} -p tcp --sport ${port} -m state --state ESTABLISHED,RELATED
      # the same for forwarded traffic
      ${IPTABLES} -A FORWARD -j ACCEPT -i ${dev} -p tcp --dport ${port} -m state --state NEW,ESTABLISHED,RELATED
      ${IPTABLES} -A FORWARD -j ACCEPT -o ${dev} -p tcp --sport ${port} -m state --state ESTABLISHED,RELATED
    done
  done
}

OutTCP()
{
  # Allow outbound TCP to the port(s) given as arguments (numbers or
  # /etc/services names): connections from an unprivileged local port to
  # that port on the Internet, from the router itself (OUTPUT/INPUT) and
  # from the LAN (FORWARD, restricted to ${LOCAL}).  Replies are only
  # accepted for tracked connections.
  for port in $*; do
    for dev in ${INTERFACE}; do
      # router -> Internet and the replies
      ${IPTABLES} -A OUTPUT -j ACCEPT -o ${dev} -p tcp --sport 1024: --dport ${port} -m state --state NEW,ESTABLISHED,RELATED
      ${IPTABLES} -A INPUT -j ACCEPT -i ${dev} -p tcp --sport ${port} -m state --state ESTABLISHED,RELATED
      # LAN -> Internet and the replies
      ${IPTABLES} -A FORWARD -j ACCEPT -o ${dev} -p tcp -s ${LOCAL} --sport 1024: --dport ${port} -m state --state NEW,ESTABLISHED,RELATED
      ${IPTABLES} -A FORWARD -j ACCEPT -i ${dev} -p tcp --sport ${port} -d ${LOCAL} -m state --state ESTABLISHED,RELATED
    done
  done
}

InUDP()
{
  # Publish the UDP port(s) given as arguments on the external
  # interface(s): new datagrams from the Internet to that port on the
  # router (INPUT) or behind it (FORWARD) are accepted; answers may go
  # back out (from the service port to an unprivileged port on INPUT's
  # counterpart).  Every port listed here is reachable from the Internet.
  for port in $*; do
    for dev in ${INTERFACE}; do
      ${IPTABLES} -A INPUT -j ACCEPT -i ${dev} -p udp --dport ${port} -m state --state NEW,ESTABLISHED,RELATED
      ${IPTABLES} -A OUTPUT -j ACCEPT -o ${dev} -p udp --sport ${port} --dport 1024: -m state --state ESTABLISHED,RELATED
      ${IPTABLES} -A FORWARD -j ACCEPT -i ${dev} -p udp --dport ${port} -m state --state NEW,ESTABLISHED,RELATED
      ${IPTABLES} -A FORWARD -j ACCEPT -o ${dev} -p udp --sport ${port} -m state --state ESTABLISHED,RELATED
    done
  done
}

OutUDP()
{
  # Allow outbound UDP to the port(s) given as arguments, from an
  # unprivileged local port, for the router itself (OUTPUT/INPUT) and for
  # the LAN (FORWARD, restricted to ${LOCAL}).  Answers are only accepted
  # for tracked exchanges.
  for port in $*; do
    for dev in ${INTERFACE}; do
      # router -> Internet and the answers
      ${IPTABLES} -A OUTPUT -j ACCEPT -o ${dev} -p udp --sport 1024: --dport ${port} -m state --state NEW,ESTABLISHED,RELATED
      ${IPTABLES} -A INPUT -j ACCEPT -i ${dev} -p udp --sport ${port} -m state --state ESTABLISHED,RELATED
      # LAN -> Internet and the answers
      ${IPTABLES} -A FORWARD -j ACCEPT -o ${dev} -p udp -s ${LOCAL} --sport 1024: --dport ${port} -m state --state NEW,ESTABLISHED,RELATED
      ${IPTABLES} -A FORWARD -j ACCEPT -i ${dev} -p udp --sport ${port} -d ${LOCAL} -m state --state ESTABLISHED,RELATED
    done
  done
}

OutEqualUDP()
{
  # Like OutUDP, but for protocols that talk from the service port to the
  # same service port (source and destination port both equal to the
  # argument) instead of from an unprivileged port.  Not called by Start
  # as shipped; kept for local additions.
  for port in $*; do
    for dev in ${INTERFACE}; do
      # router -> Internet and the answers
      ${IPTABLES} -A OUTPUT -j ACCEPT -o ${dev} -p udp --sport ${port} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED
      ${IPTABLES} -A INPUT -j ACCEPT -i ${dev} -p udp --sport ${port} --dport ${port} -m state --state ESTABLISHED,RELATED
      # LAN -> Internet and the answers
      ${IPTABLES} -A FORWARD -j ACCEPT -o ${dev} -p udp -s ${LOCAL} --sport ${port} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED
      ${IPTABLES} -A FORWARD -j ACCEPT -i ${dev} -p udp --sport ${port} -d ${LOCAL} --dport ${port} -m state --state ESTABLISHED,RELATED
    done
  done
}

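OutFTP()
{
  # Outbound FTP for the router itself and for masqueraded LAN clients.
  #
  # Only the control connection (client high port -> server port 21) is
  # opened as NEW.  The data connections -- passive (client high port ->
  # server high port) as well as active (server port 20 -> client high
  # port) -- are recognised by the kernel's FTP connection-tracking helper
  # and arrive with state RELATED, so the rules below accept them without
  # NEW.  A NEW rule on "--sport 1024: --dport 1024:" would amount to
  # allowing every outbound TCP connection to an unprivileged port, far
  # more than FTP needs, which is why NEW is deliberately absent there.
  #
  # ip_nat_ftp rewrites the addresses inside PORT/PASV for masqueraded
  # clients.  On kernels with the helpers built in modprobe fails
  # harmlessly, hence the silenced calls.
  modprobe ip_conntrack_ftp > /dev/null 2>&1
  modprobe ip_nat_ftp > /dev/null 2>&1

  for dev in ${INTERFACE}; do
    # Control connection (port 21) and its replies.
    ${IPTABLES} -A OUTPUT -j ACCEPT -o ${dev} -p tcp --sport 1024: --dport ftp -m state --state NEW,ESTABLISHED,RELATED
    ${IPTABLES} -A FORWARD -j ACCEPT -o ${dev} -p tcp --sport 1024: -s ${LOCAL} --dport ftp -m state --state NEW,ESTABLISHED,RELATED
    ${IPTABLES} -A INPUT -j ACCEPT -i ${dev} -p tcp --dport 1024: --sport ftp -m state --state ESTABLISHED,RELATED
    ${IPTABLES} -A FORWARD -j ACCEPT -i ${dev} -p tcp --dport 1024: -d ${LOCAL} --sport ftp -m state --state ESTABLISHED,RELATED

    # Passive data connection (high port -> high port); RELATED via the helper.
    ${IPTABLES} -A OUTPUT -j ACCEPT -o ${dev} -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED
    ${IPTABLES} -A FORWARD -j ACCEPT -o ${dev} -p tcp -s ${LOCAL} --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED
    ${IPTABLES} -A INPUT -j ACCEPT -i ${dev} -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED
    ${IPTABLES} -A FORWARD -j ACCEPT -i ${dev} -p tcp --sport 1024: -d ${LOCAL} --dport 1024: -m state --state ESTABLISHED,RELATED

    # Active data connection (server port 20 -> client high port); RELATED via the helper.
    ${IPTABLES} -A INPUT -j ACCEPT -i ${dev} -p tcp --sport ftp-data --dport 1024: -m state --state ESTABLISHED,RELATED
    ${IPTABLES} -A FORWARD -j ACCEPT -i ${dev} -p tcp --sport ftp-data -d ${LOCAL} --dport 1024: -m state --state ESTABLISHED,RELATED
    ${IPTABLES} -A OUTPUT -j ACCEPT -o ${dev} -p tcp --sport 1024: --dport ftp-data -m state --state ESTABLISHED,RELATED
    ${IPTABLES} -A FORWARD -j ACCEPT -o ${dev} -p tcp -s ${LOCAL} --sport 1024: --dport ftp-data -m state --state ESTABLISHED,RELATED
  done
}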


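# Entry point.  "stop" deliberately leaves the box wide open (ACCEPT
# policies, NAT still running) -- use "close" when traffic should be cut
# rather than unfiltered.
# printf replaces "echo -n", which is not portable under #!/bin/sh; the
# usage line goes to stderr so it does not end up in captured output.
case "$1" in
  start)
    printf '%s' "Starting (${INTERFACE})-Interface filtering... "
    Start
    echo "done."
    ;;
  stop)
    printf '%s' "Stopping (${INTERFACE})-Interface filtering... "
    Stop
    echo "done."
    ;;
  close)
    printf '%s' "Closing (${INTERFACE})-Interfaces... "
    Close
    echo "done."
    ;;
  *)
    echo "Usage: $0 start|stop|close" >&2
    exit 1
    ;;
esac

exit 0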

