#!/bin/sh
#
# by rac 2011, placed under GPLv2
#
#############################################################################
# Variables
 
IPT=/usr/sbin/iptables
 
# Interfaces:
IF_LAN=eth0.1
IF_DSL=pppoe-dsl
IF_FUNK=wlan0
 
# Netz IPs:
NET_LAN=192.168.0.0/16
NET_DSL=xxx.xxx.xxx.xxx/16
NET_FUNK=10.0.0.0/8
 
# Eigene IPs:
IP_LAN=192.168.1.1
IP_DSL=$(ifconfig|grep 'inet addr:xxx'|cut -d':' -f2|awk '{print $1}')
IP_FUNK=10.0.0.1
 
# User IPs:
IP_USER1=192.168.1.1
IP_USER2=192.168.2.1
IP_USER3=192.168.3.1
IP_USER4=192.168.4.1
IP_USER5=192.168.5.1
 
# User IP/MAC-Combos:
USER1=" -s 192.168.1.1 -m mac --mac-source xx:xx:xx:xx:xx:xx"
USER2=" -s 192.168.2.1 -m mac --mac-source xx:xx:xx:xx:xx:xx"
USER3=" -s 192.168.3.1 -m mac --mac-source xx:xx:xx:xx:xx:xx"
USER4=" -s 192.168.4.1 -m mac --mac-source xx:xx:xx:xx:xx:xx"
USER5=" -s 192.168.5.1 -m mac --mac-source xx:xx:xx:xx:xx:xx"
 
# Besondere IPs/Netze:
UNI=xxx.xxx.xxx.xxx
NET_VEREIN=xxx.xxx.xxx.xxx/24
NET_DNS=xxx.xxx.xxx.xxx/24
FRIEND1=xxx.xxx.xxx.xxx
 
#############################################################################
# Ketten leeren und löschen
 
$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X 
#$IPT -t mangle -F  this will be done by the tc script
#$IPT -t mangle -X
$IPT -t raw -F
$IPT -t raw -X
 
if [ "$1" = "stop" ]; then
	echo "Firewall completely flushed! Now running with no firewall."
	exit 0
fi
 
#############################################################################
# Default Policies fuer integrierte Ketten festlegen:
# http://en.wikipedia.org/wiki/File:Netfilter-packet-flow.svg
 
# Policies setzen
$IPT -t raw -P PREROUTING ACCEPT #----- before connection tracking
$IPT -t raw -P OUTPUT ACCEPT #--------- before connection tracking
$IPT -t mangle -P PREROUTING ACCEPT #-- before routing; change TOS, TTL, MARK, etc
$IPT -t mangle -P INPUT ACCEPT #------- 
$IPT -t mangle -P FORWARD ACCEPT #----- 
$IPT -t mangle -P OUTPUT ACCEPT #------ 
$IPT -t mangle -P POSTROUTING ACCEPT #- VOR nat POSTROUTING, MARK by source
$IPT -t nat -P PREROUTING ACCEPT   #--- before routing
$IPT -t nat -P POSTROUTING ACCEPT #---- 
$IPT -t nat -P OUTPUT ACCEPT #--------- 
$IPT -t filter -P INPUT DROP #--------- 
$IPT -t filter -P FORWARD DROP #------- 
$IPT -t filter -P OUTPUT ACCEPT #------ 
 
# Eigene Ketten anlegen
$IPT -N INPUT_dsl
$IPT -N INPUT_lan
$IPT -N INPUT_funk
$IPT -N FWD_lan_dsl
$IPT -N FWD_dsl_lan
$IPT -N FWD_funk_dsl
$IPT -N FWD_dsl_funk
$IPT -N FWD_lan_funk
$IPT -N FWD_funk_lan
$IPT -N nuisance
 
#############################################################################
# FILTER
 
#================================
# INPUT (Policy: DROP)
#---------------------
$IPT -A INPUT -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1 #--------------- loopback
$IPT -A INPUT -j ACCEPT -i $IF_LAN  -p udp --dport 67:68 --sport 67:68 #- DHCP-Anfragen kommen von 255.255.255.255
$IPT -A INPUT -j ACCEPT -i $IF_FUNK -p udp --dport 67:68 --sport 67:68 #- DHCP-Anfragen kommen von 255.255.255.255
$IPT -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED #- ALLES, was vom Router aufgebaut wurde, darf wieder zurueck
 
$IPT -A INPUT -j INPUT_lan -i $IF_LAN -s $NET_LAN -d $IP_LAN
$IPT -A INPUT -j INPUT_dsl -i $IF_DSL
$IPT -A INPUT -j INPUT_funk -i $IF_FUNK -s $NET_FUNK -d $IP_FUNK
 
$IPT -A INPUT_lan -j ACCEPT #--------------------- Alles von intern erlaubt
 
$IPT -A INPUT_dsl -j ACCEPT -p icmp -s 0/0 --icmp-type 11 #-------- Time Exceeded
$IPT -A INPUT_dsl -j ACCEPT -p tcp --dport 22 #-------------------- ssh
$IPT -A INPUT_dsl -j LOG       --log-prefix "IPT_dsl-Rej "
$IPT -A INPUT_dsl -j DROP
 
$IPT -A INPUT_funk -j ACCEPT -p icmp --icmp-type 8 #--------------- allow system to be pinged!
$IPT -A INPUT_funk -j ACCEPT -p tcp --dport 8080 #----------------- kleine Nachricht
$IPT -A INPUT_funk -j LOG       --log-prefix "IPT_funk-Rej "
$IPT -A INPUT -j REJECT    --reject-with icmp-host-prohibited
 
#================================
# FORWARD (Policy: DROP)
#-----------------------
$IPT -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED #- ALLES, was bereits aufgebaut wurde, darf auch wieder durch
 
$IPT -A FORWARD -j FWD_lan_dsl -i $IF_LAN -o $IF_DSL -s $NET_LAN
$IPT -A FORWARD -j FWD_dsl_lan -i $IF_DSL -o $IF_LAN
$IPT -A FORWARD -j FWD_funk_dsl -i $IF_FUNK -o $IF_DSL -s $NET_FUNK
$IPT -A FORWARD -j FWD_dsl_funk -i $IF_DSL -o $IF_FUNK
$IPT -A FORWARD -j FWD_lan_funk -i $IF_LAN -o $IF_FUNK -s $NET_LAN
$IPT -A FORWARD -j FWD_funk_lan -i $IF_FUNK -o $IF_LAN -s $NET_FUNK
$IPT -A FORWARD -j LOG       --log-prefix "FORWARD: " #--- duerfte nix uebrig bleiben
$IPT -A FORWARD -j DROP
 
# LAN und DSL
$IPT -A FWD_lan_dsl -j REJECT -p udp --dport 135:139 #--------------- hat nichts im internet verloren
$IPT -A FWD_lan_dsl -j REJECT -p tcp --dport 135:139 #--------------- hat nichts im internet verloren
$IPT -A FWD_lan_dsl -j REJECT -p tcp --dport 445  #------------------ hat nichts im internet verloren
$IPT -A FWD_lan_dsl -j ACCEPT
 
# DSL to LAN (the portforwards)
$IPT -A FWD_dsl_lan -j ACCEPT -p udp --dport 11111 --sport 1024:65535 -d $IP_USER1 -m state --state NEW #- udp
$IPT -A FWD_dsl_lan -j ACCEPT -p tcp --dport 11111 --sport 1024:65535 -d $IP_USER1 -m state --state NEW #- tcp
$IPT -A FWD_dsl_lan -j ACCEPT -p udp --dport 22222 --sport 1024:65535 -d $IP_USER2 -m state --state NEW #- udp
$IPT -A FWD_dsl_lan -j ACCEPT -p tcp --dport 22222 --sport 1024:65535 -d $IP_USER2 -m state --state NEW #- tcp
$IPT -A FWD_dsl_lan -j ACCEPT -p udp --dport 44444 --sport 1024:65535 -d $IP_USER4 -m state --state NEW #- tcp
$IPT -A FWD_dsl_lan -j ACCEPT -p tcp --dport  8000 --sport 1024:65535 -d $IP_USER5 -s $FRIEND1 -m state --state NEW #- tcp
$IPT -A FWD_dsl_lan -j LOG       --log-prefix "FWD_dsl_lan "
$IPT -A FWD_dsl_lan -j DROP
 
# FUNK to DSL
$IPT -A FWD_funk_dsl -j ACCEPT -s 10.10.10.99 -m mac --mac-source 11:22:33:44:55:66 #------- no safety here!
$IPT -A FWD_funk_dsl -j LOG       --log-prefix "FWD_funk_dsl "
$IPT -A FWD_funk_dsl -j REJECT    --reject-with icmp-host-prohibited
 
# DSL to FUNK
$IPT -A FWD_dsl_funk -j LOG       --log-prefix "FWD_dsl_funk "
$IPT -A FWD_dsl_funk -j DROP
 
# LAN to FUNK
$IPT -A FWD_lan_funk -j ACCEPT #------------------------------- alles erlaubt
$IPT -A FWD_lan_funk -j LOG       --log-prefix "FWD_lan_funk "
$IPT -A FWD_lan_funk -j DROP
 
# FUNK to LAN
$IPT -A FWD_funk_lan -j ACCEPT #------------------------------- alles erlaubt
$IPT -A FWD_funk_lan -j LOG       --log-prefix "FWD_funk_lan "
$IPT -A FWD_funk_lan -j DROP
 
#================================
# OUTPUT (Policy: ACCEPT)
#---------------------
 
#############################################################################
# NAT
 
#================================
# PREROUTING (Policy: ACCEPT)
#----------------------------
 
#
# Portforwads:
#
 
$IPT -t nat -A PREROUTING -i $IF_DSL -p udp --dport 11111 -j DNAT --to-destination ${IP_USER1}:11111 #--- udp
$IPT -t nat -A PREROUTING -i $IF_DSL -p tcp --dport 11111 -j DNAT --to-destination ${IP_USER1}:11111 #--- tcp
$IPT -t nat -A PREROUTING -i $IF_DSL -p udp --dport 22222 -j DNAT --to-destination ${IP_USER2}:11111 #--- udp
$IPT -t nat -A PREROUTING -i $IF_DSL -p tcp --dport 22222 -j DNAT --to-destination ${IP_USER2}:11111 #--- tcp
$IPT -t nat -A PREROUTING -i $IF_DSL -p udp --dport 44444 -j DNAT --to-destination ${IP_USER4}:11111 #--- udp
$IPT -t nat -A PREROUTING -i $IF_DSL -p tcp --dport 55555 -j DNAT --to-destination ${IP_USER5}:11111 #--- tcp
 
#================================
# POSTROUTING (Policy: ACCEPT)
#-----------------------------
$IPT -t nat -A POSTROUTING -o $IF_DSL -j MASQUERADE #--------------- Alles ins Internet auf Router-IP naten
 
#############################################################################
# RAW
 
#================================
# PREROUTING (Policy: ACCEPT)
#----------------------------
$IPT -t raw -A PREROUTING -i $IF_LAN -s $NET_LAN -d $IP_LAN -p tcp --dport  139 -j CT --notrack #-- don't track SMB
$IPT -t raw -A PREROUTING -i $IF_LAN -s $NET_LAN -d $IP_LAN -p tcp --dport  145 -j CT --notrack #-- don't track SMB
#$IPT -t raw -A PREROUTING -i $IF_LAN -s $NET_LAN -d $IP_LAN -p tcp --dport   20 -j CT --notrack #-- don't track ftp
#$IPT -t raw -A PREROUTING -i $IF_LAN -s $NET_LAN -d $IP_LAN -p tcp --dport   21 -j CT --notrack #-- don't track ftp
#$IPT -t raw -A PREROUTING -i $IF_LAN -s $NET_LAN -d $IP_LAN -p tcp --dport 2049 -j CT --notrack #-- don't track NFS
#$IPT -t raw -A PREROUTING -i $IF_LAN -s $NET_LAN -d $IP_LAN -p tcp --dport 3277:32780 -j CT --notrack #-- don't track NFS
#$IPT -t raw -A PREROUTING -i $IF_LAN -s $NET_LAN -d $IP_LAN -p tcp --dport 5001 -j CT --notrack #-- don't track ipperf
 
#================================
# OUTPUT (Policy: ACCEPT)
#----------------------------
$IPT -t raw -A OUTPUT -o $IF_LAN -s $IP_LAN -p tcp --sport 139 -j CT --notrack #------------------ don't track SMB
 
 
#############################################################################
# MANGLE
 
#================================
# POSTROUTING (Policy: ACCEPT)
#----------------------------
# included in the tc script

Back to top

doc/howto/netfilter/netfilter.iptables.example2.txt · Last modified: 2013/08/15 10:10 by lorema