RFC: firewall-hint_v1.3

Henning Rohde Rohde.Henning at gmx.net
Sat Aug 11 10:30:24 PDT 2001


Hi Jeff, hi everybody else,

thank you, Jeff, for reviewing my hint!

Hmm, at the very first I would like to admit that I deliberately did limit
the scope of my firewalling hint:
I want to tell our users how to start; whoever may be in need of severe
protection needs to get familiar with this topic himself!

My hint, as is my intention, is supposed to fit at least for
dial-up users; those who want to protect their company's network will be paid
for setting up the firewall and will know the services that they need to
access, and especially those that their employers want to be blocked!
 -> mp3 downloads, porn, communism	;-)

Ok, let's talk about your remarks:

jbauman at adsl-63-193-249-142.dsl.snfc21.pacbell.net wrote:
> 
> On Fri, Aug 10, 2001 at 08:46:58PM +0200, Henning Rohde wrote:
<+snip+>

> > LFS VERSION:  any, but Kernel > 2.4
> The INSTALL document in the iptables 1.2.2 tarball claims kernel 2.4.4 or
> later is required.

OK, will be changed at next release.

<+snip+>
> > Before compiling you might want to edit the Makefile to adapt install-dir's.
<+snip+>
> As with most packages, you can specify the directories you would like to
> have it installed in on the command line, for example:
>         make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/share/man install

Right you are.
But I only mention where to edit, I do not recommend this editing.
Those who know why they want stuff not to be put elsewhere either know your way
or deliberately make the effort to edit the Makefile.

> > Now compile and install iptables and the utilities for saving and restoring
> > via 'make && make install experimental install-experimental'.
<+snip+>
> If you're seriously configuring this as a working firewall, I would
> recommend skipping the "experimental" stuff.

The only things that are assigned experimental in iptables-1.2.2 are the
save & restore utilities!
I consider them to be quite useful; whoever likes to use them will test them to
be sure they work as he expects them to. Again: I do not recommend but enable
their use!

<+snip+>
> > # disable ECN - too many routers are still ignorant
> > echo 0 > /proc/sys/net/ipv4/tcp_ecn
> I can't see why you would compile this in and then leave it disabled. Why
> not just skip it in the compile step? The level of detail that must be
> attended to here is high already, so why not simplify where possible?

OK, again you're right!
But I'd like to keep it this way because ECN is a good thing; I'd like to enable
its use but recommend turning it off.
The greater level of complexity is outweighed by being sure that it's not ECN
that caused some sites to be inaccessible.

<+snip+>
> > #!/bin/sh
> > ##/etc/init.d/firewall
<+snip+>
> > # allow forwarding
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED      -j ACCEPT
> > iptables -A FORWARD -m state --state NEW      -i ! ppp+       -j ACCEPT
> > # do masquerading (not needed if intranet is not using private ip-adresses)
> > iptables -t nat -A POSTROUTING  -o ppp+                       -j MASQUERADE
> > # Log everything for debugging: must be at the end of all rules
<+unsnip+>
    iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
    iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
    iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
    # set a sane policy
    iptables -P INPUT       DROP
    iptables -P FORWARD     DROP
    iptables -P OUTPUT      DROP

> I'm not sure what you mean here. The LOG rule must come before an ACCEPT
> or DROP rule that matches the packet, otherwise, the packet will not be
> logged.

:-), but you just snipped the wrong lines:
those packets that are not accepted in FORWARD or on loopback but are dropped
by policy are the ones that get logged: e.g. scans, identd queries, ...

<+snip+>
> > Alternatively, if you want to ping your box to ensure it's still alive:
> > iptables -I INPUT  -p icmp -m icmp --icmp-type echo-request     -j ACCEPT
> > iptables -I OUTPUT -p icmp -m icmp --icmp-type echo-reply       -j ACCEPT
> 
> It would be wise to limit echo-requests to addresses you know you will
> use, if this is possible, rather than making your box visible to the whole
> world. For instance:
> iptables -I INPUT  -p icmp -s 20.20.20.0/24 -m icmp --icmp-type
> echo-request -j ACCEPT  # only accept pings from the 20.20.20 network.

Again, you're right.	But why did you choose 20.20.20.0/24?
Any network we would choose here will confuse those who do nothing
but copy'n'paste the script; and those who feel themselves in need to will be
able to combine the mentioned features of netfilter and find out about the rest.
And furthermore, what if the user wants to check it via dial-up from anywhere?
At least IMHO, pings do no harm besides preventing an automatic dial-off;
and if the user feels they did, he would know the need for a much deeper level of
security than I'd like to offer here.

<+snip+>
> It may be prudent to take some other precautions here, for example, here
> are a couple ways to block spoofed packets. I recommend using both -- if
> one fails, the other is there to catch the problem:
> 
> # Block spoofed packets
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>   echo 1 > $f
> done
> 
> # Anything coming from the outside should not have a private address!
> iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j LOG  \
>         --log-prefix "Dropping spoofed packet"
> iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
> iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j LOG  \
>         --log-prefix "Dropping spoofed packet"
> iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP
> iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j LOG  \
>         --log-prefix "Dropping spoofed packet"
> iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
> 
OK, correct, we could include these lines.
But I do think that IP spoofing has become a much lesser danger than it was in
the times of ipchains:
wherever possible I filter by interface, which is IMHO unspoofable.
If one really needed to filter by IPs, then he could combine filtering by
IP address with filtering by interface.

There is another reason why I doubt we should include them:
Oskar Andreasson mentioned in his tutorial that there are ISPs who use
IP networks that are assigned to private use for internal services, e.g.
the nameserver at Telia, Sweden.
E.g. our German ex-monopolist, the Deutsche Telekom AG, uses 192.168.0.0/24 for its
antiquated BTX, a proprietary network for text terminals, nowadays nearly solely
used for home banking, being still quite secure.

> There are certain types of packets that you will never want coming in from
> the Internet. Here are some rules that address this:
> 
> # Log and drop malformed packets
> iptables -A INPUT -p tcp -m state --state INVALID -j LOG \
>         --log-prefix "invalid tcp packet DROP: "
> iptables -A INPUT -p tcp -m state --state INVALID -j DROP
> 
> # The following packets are used for various types of scans, and nothing
> #       legitimate:
> 
> # XMAS packets
> iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
>         --log-prefix "XMAS packet hit the firewall"
> iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> 
> # NULL packets
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG \
>         --log-prefix "NULL packet hit the firewall"
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> 
> # Drop FIN packets that don't have ACKs. They are scans.
> iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j LOG  \
>         --log-prefix "FIN packet hit the firewall"
> iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
> 
> These rules should be placed early in the chain, before any ACCEPTs, other
> than perhaps ESTABLISHED,RELATED connections.
> 
Hmm, do you really think that these lines are necessary?
I do not doubt that they are helpful for 'the highest security', but Linux is
IIRC not vulnerable.
They will, like pinging, prevent an automatic dial-off, but because they are
caught by stateful filtering they do not offer any way to harmfully access any
services, at least if I understood the topic correctly.
Even scanning does no harm as long as firewalling is done correctly.

> 
> I would also suggest having a look at
> http://boingworld.com/workshops/linux/iptables-tutorial/rc.firewall.txt
> While the accompanying explanations are long-winded and poorly written,
> the information itself is pretty good, and the firewall ruleset has some
> really nice ideas.
> 
> http://www.securityfocus.com has a wealth of good information, including a
> section dedicated to Linux.
> 
> Happy blfs-ing,
> 
> Jeff

BTW, the whole domain of boingworld.com seems to be deleted, or at least down;
every nameserver I asked told me: Non-existent domain!
I undertook some efforts to dig for its content; at least
http://www.flux.org/pipermail/linux/2001-May/003528.html lists rc.firewall.txt,
but I do not know if it is its last revision.

I consider it to be too complex for setting up a firewall for the first time,
and I don't like his approach of using protocol-specific chains:
the CPU load is IMHO not the most decisive criterion, as long as it does not
cause bandwidth-limiting effects!
I've attached two documents: one is my actual rc.firewall, the other is my old
layout, both slightly edited; I hope I have not overlooked too many comments
in German.
The old one, a packet filter, was translated from being based on ipchains;
it is quite complex and is meant more as a study of how a firewall can be designed
than an actually working layout.
But it made learning and debugging very easy, albeit with kernel 2.4 and
iptables I don't think the layout needs to be so complex anymore.

Once again, thank you very much for the review!

Have a nice Weekend,

	Henning


PS: please tell your mailer to cut lines somewhere shortly before the 80th
character!
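With the "log everything just before the policy" layout discussed above, the kernel log ends up holding exactly the traffic the rules refused, so the useful follow-up is reading that log back. The following Python summariser is an added example, not part of this mail or its attachments: it parses ipt_LOG lines keyed on the FIREWALL: prefixes the scripts use and groups them the way the mail describes them (scans, identd queries, pings, sanity-chain hits). The sample log lines are constructed and the addresses are RFC 5737 documentation ranges.

```python
"""Summarise netfilter LOG output produced by "log everything, then DROP" rules."""
import re
from collections import Counter, defaultdict

# Constructed sample of what ipt_LOG writes to the kernel log (kernel 2.4 layout),
# using the "FIREWALL:..." prefixes from the rulesets in this mail.
# Source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Aug 11 10:30:24 gw kernel: FIREWALL:INPUT    IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40123 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 11 10:30:25 gw kernel: FIREWALL:INPUT    IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40124 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 11 10:31:02 gw kernel: FIREWALL:INPUT    IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=3 PROTO=TCP SPT=1234 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 11 10:31:02 gw kernel: FIREWALL:INPUT    IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=4 PROTO=TCP SPT=1234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 11 10:31:03 gw kernel: FIREWALL:INPUT    IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=5 PROTO=TCP SPT=1234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 11 10:31:03 gw kernel: FIREWALL:INPUT    IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=6 PROTO=TCP SPT=1234 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 11 10:32:10 gw kernel: FIREWALL:insane    IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=TCP SPT=6000 DPT=0 WINDOW=512 RES=0x00 SYN URGP=0
Aug 11 10:32:11 gw kernel: FIREWALL:INPUT    IN=ppp0 OUT= MAC= SRC=198.51.100.200 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
"""

# "kernel: <prefix> IN=..." -- the prefix is whatever --log-prefix set, minus padding
LINE_RE = re.compile(r"kernel: (?P<prefix>FIREWALL:\S+)\s+(?P<fields>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text):
    """Turn raw syslog text into one record per FIREWALL: log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other kernel chatter, not one of our LOG lines
        body = m.group("fields")
        fields = dict(KV_RE.findall(body))
        # bare tokens such as DF, SYN, ACK carry no '=' and are IP/TCP flags
        flags = frozenset(tok for tok in body.split() if "=" not in tok)
        records.append({"prefix": m.group("prefix"), "fields": fields, "flags": flags})
    return records


def summarize(records, scan_threshold=4):
    """Group the refused traffic the way the mail describes it.

    scan_threshold: distinct destination ports from one source before we
    call it a port scan (an assumption of this example, not a netfilter term).
    """
    by_prefix = Counter(r["prefix"] for r in records)
    ports_by_src = defaultdict(set)
    identd = Counter()
    echo_requests = Counter()
    for r in records:
        f = r["fields"]
        src = f.get("SRC", "?")
        proto = f.get("PROTO")
        if proto in ("TCP", "UDP") and f.get("DPT", "").isdigit():
            ports_by_src[src].add((proto, int(f["DPT"])))
            # identd queries: remote mail/irc servers opening TCP/113 towards us
            if proto == "TCP" and f["DPT"] == "113" and "SYN" in r["flags"]:
                identd[src] += 1
        elif proto == "ICMP" and f.get("TYPE") == "8":
            echo_requests[src] += 1  # echo-request that the policy refused
    scans = {src: sorted(p for _, p in ports)
             for src, ports in ports_by_src.items() if len(ports) >= scan_threshold}
    return {"by_prefix": dict(by_prefix), "identd_queries": dict(identd),
            "scans": scans, "echo_requests": dict(echo_requests)}


def report(summary):
    """Human-readable rendering of summarize()'s result."""
    lines = ["refused packets per LOG prefix:"]
    for prefix, n in sorted(summary["by_prefix"].items()):
        lines.append(f"  {prefix:<18} {n}")
    for src, ports in sorted(summary["scans"].items()):
        lines.append(f"port scan from {src}: {ports}")
    for src, n in sorted(summary["identd_queries"].items()):
        lines.append(f"identd queries from {src}: {n}")
    for src, n in sorted(summary["echo_requests"].items()):
        lines.append(f"refused echo-requests from {src}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(parse_log(SAMPLE_LOG))))
```

On a live box the same parser runs over /var/log/messages or the output of dmesg; the prefixes only need to match what --log-prefix set.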
-------------- next part --------------
#!/bin/sh
# Begin /etc/init.d/packetfilter

case "$1" in
start)
	echo "Starting Firewall..."

	modprobe -k ip_conntrack_ftp
	modprobe -k ip_nat_ftp

# clean-up
iptables -t mangle	-Z
iptables -t mangle	-F
iptables -t mangle	-X
iptables -t nat		-Z
iptables -t nat		-F
iptables -t nat		-X
iptables		-Z
iptables		-F
iptables		-X

# no forwarding at all while the setup is in progress
iptables -A FORWARD	-j REJECT

# default policy: whatever has not been explicitly allowed is forbidden!
iptables -P INPUT	DROP
iptables -P FORWARD	DROP
iptables -P OUTPUT	DROP

# set up the chains
iptables -N lan2lan	# packets between the two LANs
iptables -N lan2inet	# packets from the LAN: forwarding, masquerading
iptables -N inet2lan	# packets from the Internet: DNAT
iptables -N lan2gw	# packets from the LAN for services on the gateway
iptables -N gw2lan	# packets from services / applications on the gateway to the LAN
iptables -N gw2inet	# packets from services / applications on the gateway to the Internet
iptables -N inet2gw	# packets from the Internet for services / applications on the gateway


# extra chain for logging and dropping all suspicious packets
iptables -N insane
iptables -A insane -m limit --limit 1/m --limit-burst 1	-j LOG --log-prefix "FIREWALL:insane   " --log-level 4
iptables -A insane		-j DROP

# (accidental / mistaken) IP packets instead of PPP packets over the DSL link
iptables -A INPUT	-i eth1								-j insane
iptables -A FORWARD	-i eth1								-j insane
iptables -A FORWARD		-o eth1							-j insane
iptables -A OUTPUT		-o eth1							-j insane

# sanity check: all suspicious packets are logged and dropped
iptables -N sanity	# security check for all packets
iptables -A sanity			-m state --state INVALID			-j insane
## XMAS packets: all TCP flags set: crashes Win9x
iptables -A sanity			-p tcp --tcp-flags ALL ALL			-j insane
## NULL packets: none of the TCP flags is set
iptables -A sanity			-p tcp --tcp-flags ALL NONE			-j insane
## packets to reserved ports
iptables -A sanity			-p tcp --dport 0				-j insane
iptables -A sanity			-p udp --dport 0				-j insane
## supposedly not meant to be used yet, but let's have a look anyway...
iptables -A sanity			-m unclean					-j insane
## everything OK so far; after this point the packet as such is not malicious
iptables -A sanity									-j RETURN

# packets from private networks / broadcasts / SAMBA
## check for IP spoofing: against packets from private IPs on external interfaces,
## and against unused IP addresses on internal interfaces as well
iptables -N privchk
iptables -A privchk		-s 127.0.0.0/8		-j insane
iptables -A privchk		-d 127.0.0.0/8		-j insane
iptables -A privchk -i ppp+	-s 10.0.0.0/8		-j insane
iptables -A privchk -i ippp+	-s 10.0.0.0/8		-j insane
iptables -A privchk -i ppp+	-d 10.0.0.0/8		-j insane
iptables -A privchk -i ippp+	-d 10.0.0.0/8		-j insane
iptables -A privchk -o ppp+	-d 10.0.0.0/8		-j insane
iptables -A privchk -o ippp+	-d 10.0.0.0/8		-j insane
iptables -A privchk		-s 172.16.0.0/12	-j insane
iptables -A privchk		-d 172.16.0.0/12	-j insane
iptables -A privchk		-s 224.0.0.0/4		-j insane
iptables -A privchk		-s 240.0.0.0/5		-j insane
iptables -A privchk		-s 0.0.0.0/32		-j insane
iptables -A privchk		-d 0.0.0.0/32		-j insane
iptables -A privchk		-s 255.255.255.255/32	-j insane
iptables -A privchk		-d 255.255.255.255/32	-j insane
## no SMB packets to / from the Internet
iptables -A privchk	-p tcp --dport 137:139		-j DROP
iptables -A privchk	-p udp --dport 137:139		-j DROP
iptables -A privchk	-p tcp --sport 137:139		-j DROP
iptables -A privchk	-p udp --sport 137:139		-j DROP
## everything OK so far; after this point the packet as such is not malicious
iptables -A privchk				-j RETURN

# security check for ICMP packets
iptables -N icmpchk
iptables -A icmpchk			-p icmp --icmp-type redirect			-j insane
iptables -A icmpchk	-i ppp+		-p icmp --icmp-type echo-request		-j insane
iptables -A icmpchk	-i ippp+	-p icmp --icmp-type echo-request		-j insane
iptables -A icmpchk			-p icmp --icmp-type router-advertisement	-j insane
iptables -A icmpchk			-p icmp --icmp-type parameter-problem		-j insane
iptables -A icmpchk			-p icmp --icmp-type timestamp-request		-j insane
iptables -A icmpchk			-p icmp --icmp-type address-mask-request	-j insane
## everything OK so far; after this point the ICMP packet as such is not malicious
iptables -A icmpchk									-j RETURN


# connections over the loopback interface
iptables -A INPUT	-i lo							-j ACCEPT
iptables -A OUTPUT		-o lo						-j ACCEPT

# packets from the LAN for the gateway's services
iptables -A INPUT	-i eth0		 -s 192.168.0.0/24 -d 192.168.0.1/32	-j lan2gw
iptables -A INPUT	-i eth0		 -s 192.168.0.0/24 -d 192.168.2.1/32	-j lan2gw
iptables -A INPUT	-i eth2		 -s 192.168.2.0/24 -d 192.168.2.1/32	-j lan2gw
iptables -A INPUT	-i eth2		 -s 192.168.2.0/24 -d 192.168.0.1/32	-j lan2gw
## broadcasts
iptables -A INPUT	-i eth0		 		   -d 192.168.0.255/32	-j lan2gw
iptables -A INPUT	-i eth2		 		   -d 192.168.2.255/32	-j lan2gw

# packets from the Internet for applications / services on the gateway
iptables -A INPUT	-i ppp+		 					-j inet2gw
iptables -A INPUT	-i ippp+						-j inet2gw

# forwarding of connections between the two LANs
iptables -A FORWARD	-i eth0	-o eth2	 -s 192.168.0.0/24 -d 192.168.2.0/24	-j lan2lan
iptables -A FORWARD	-i eth2	-o eth0	 -s 192.168.2.0/24 -d 192.168.0.0/24	-j lan2lan

# forwarding / masquerading of connections from the LAN to the Internet
iptables -A FORWARD	-i eth0	-o ppp+  -s 192.168.0.0/24 -d ! 192.168.0.0/16	-j lan2inet
iptables -A FORWARD	-i eth2	-o ppp+  -s 192.168.2.0/24 -d ! 192.168.0.0/16	-j lan2inet
iptables -A FORWARD	-i eth0	-o ippp+ -s 192.168.0.0/24 -d ! 192.168.0.0/16	-j lan2inet
iptables -A FORWARD	-i eth2	-o ippp+ -s 192.168.2.0/24 -d ! 192.168.0.0/16	-j lan2inet

# forwarding / masquerading of connections from the Internet to the LAN
iptables -A FORWARD	-i ppp+  -o eth0 -s ! 192.168.0.0/16 -d 192.168.0.0/24	-j inet2lan
iptables -A FORWARD	-i ppp+  -o eth2 -s ! 192.168.0.0/16 -d 192.168.2.0/24	-j inet2lan
iptables -A FORWARD	-i ippp+ -o eth0 -s ! 192.168.0.0/16 -d 192.168.0.0/24	-j inet2lan
iptables -A FORWARD	-i ippp+ -o eth2 -s ! 192.168.0.0/16 -d 192.168.2.0/24	-j inet2lan

# packets from services / applications to the LAN
iptables -A OUTPUT		 -o eth0		      -d 192.168.0.0/24	-j gw2lan
iptables -A OUTPUT		 -o eth2		      -d 192.168.2.0/24	-j gw2lan

# packets from services / applications to the Internet
iptables -A OUTPUT		 -o ppp+		    -d ! 192.168.0.0/16	-j gw2inet
iptables -A OUTPUT		 -o ippp+		    -d ! 192.168.0.0/16	-j gw2inet


# Sanity-Check
iptables -A gw2inet								-j sanity
iptables -A inet2gw								-j sanity
iptables -A lan2gw								-j sanity
iptables -A gw2lan								-j sanity
iptables -A lan2inet								-j sanity
iptables -A inet2lan								-j sanity

# privacy-Check
iptables -A inet2lan								-j privchk
iptables -A lan2inet								-j privchk
iptables -A inet2gw								-j privchk
iptables -A gw2inet								-j privchk


# clamp-mss-to-pmtu for packets over T-DSL
iptables -I lan2inet	-o ppp+	-p tcp --tcp-flags SYN,RST SYN	-j TCPMSS --clamp-mss-to-pmtu


# all connections between the LANs
iptables -A lan2lan	-s 192.168.0.0/24	-d 192.168.2.0/24		-j ACCEPT
iptables -A lan2lan	-s 192.168.2.0/24	-d 192.168.0.0/24		-j ACCEPT

# DNS
iptables -A gw2inet	-p udp 		  --dport 53					-j ACCEPT
iptables -A inet2gw	-p udp --sport 53 --dport 1024:	-m state --state ESTABLISHED	-j ACCEPT
iptables -A lan2gw	-p udp 		  --dport 53					-j ACCEPT
iptables -A gw2lan	-p udp --sport 53						-j ACCEPT
iptables -A gw2lan	-p udp 		  --dport 53					-j ACCEPT
iptables -A lan2gw	-p udp --sport 53						-j ACCEPT

# SAMBA
iptables -A lan2gw	-p tcp			--dport 137:139			-j ACCEPT
iptables -A lan2gw	-p udp			--dport 137:139			-j ACCEPT
iptables -A lan2gw	-p tcp --sport 137:139					-j ACCEPT
iptables -A lan2gw	-p udp --sport 137:139					-j ACCEPT
iptables -A gw2lan	-p tcp			--dport 137:139			-j ACCEPT
iptables -A gw2lan	-p udp			--dport 137:139			-j ACCEPT
iptables -A gw2lan	-p tcp --sport 137:139					-j ACCEPT
iptables -A gw2lan	-p udp --sport 137:139					-j ACCEPT
## replies to SMB broadcasts, short-circuited by the NICs
## NOTE: no "looping" chain is created anywhere in this script, so these two
## (identical) jumps fail with "No chain/target/match by that name" as written
iptables -A INPUT	-p udp	--sport 137:139 --dport 137:139			-j looping
iptables -A INPUT	-p udp	--sport 137:139 --dport 137:139			-j looping

# SWAT
iptables -A lan2gw	-p tcp			--dport 901			-j ACCEPT
iptables -A gw2lan	-p tcp --sport 901					-j ACCEPT

# WWW
iptables -A gw2inet	-p tcp --dport 80						-j ACCEPT
iptables -A inet2gw	-p tcp --sport 80 --dport 1024:	-m state --state ESTABLISHED	-j ACCEPT
iptables -A lan2inet	-p tcp --dport 80						-j ACCEPT
iptables -A inet2lan	-p tcp --sport 80 --dport 1024:	-m state --state ESTABLISHED	-j ACCEPT
## SQUID as transparent proxy
iptables -t nat	-A PREROUTING	-i eth0	-p tcp	--dport 80	-j REDIRECT --to-ports 8080
iptables -t nat	-A PREROUTING	-i eth2	-p tcp	--dport 80	-j REDIRECT --to-ports 8080
iptables -A lan2gw	-p tcp --dport 8080						-j ACCEPT
iptables -A gw2lan	-p tcp --sport 8080						-j ACCEPT
## no connections from outside to the proxy
iptables -A inet2gw	-p tcp --dport 8080						-j DROP
# WWWsec
iptables -A lan2gw	-p tcp --dport 443						-j ACCEPT
iptables -A gw2lan	-p tcp --sport 443						-j ACCEPT
iptables -A gw2inet	-p tcp --dport 443						-j ACCEPT
iptables -A inet2gw	-p tcp --sport 443 --dport 1024: -m state --state ESTABLISHED	-j ACCEPT
iptables -A lan2inet	-p tcp --dport 443						-j ACCEPT
iptables -A inet2lan	-p tcp --sport 443 --dport 1024: -m state --state ESTABLISHED	-j ACCEPT

# FTP
iptables -A lan2inet	-p tcp		  --dport 21					-j ACCEPT
iptables -A inet2lan	-p tcp --sport 21 --dport 1024:	-m state --state ESTABLISHED	-j ACCEPT
## active FTP
iptables -A inet2lan	-p tcp --sport 20 --dport 1024:	-m state --state ESTABLISHED,RELATED	-j ACCEPT
iptables -A lan2inet	-p tcp 		  --dport 20	-m state --state ESTABLISHED	-j ACCEPT
iptables -A gw2inet	-p tcp		  --dport 21					-j ACCEPT
iptables -A inet2gw	-p tcp --sport 21 --dport 1024:	-m state --state ESTABLISHED	-j ACCEPT
## active FTP
iptables -A inet2gw	-p tcp --sport 20 --dport 1024:	-m state --state ESTABLISHED,RELATED	-j ACCEPT
iptables -A gw2inet	-p tcp		  --dport 20	-m state --state ESTABLISHED	-j ACCEPT
# AUTH/IDENT
## only 3 packets per second are accepted, to prevent DoS attacks on the identd
iptables -A inet2gw	-p tcp			--dport 113	-m limit --limit 3/s	-j ACCEPT
## the surplus ones are silently dropped
iptables -A inet2gw	-p tcp			--dport 113	 			-j DROP
## replies
iptables -A gw2inet	-p tcp --sport 113						-j ACCEPT

# POP3
iptables -A lan2inet	-p tcp --dport 110					-j ACCEPT
iptables -A inet2lan	-p tcp --sport 110 --dport 1024: -m state --state ESTABLISHED	-j ACCEPT
iptables -A gw2inet	-p tcp --dport 110					-j ACCEPT
iptables -A inet2gw	-p tcp --sport 110 --dport 1024: -m state --state ESTABLISHED	-j ACCEPT
iptables -A lan2gw	-p tcp --dport 110					-j ACCEPT
iptables -A gw2lan	-p tcp --sport 110	-m state --state ESTABLISHED	-j ACCEPT
# POP3sec
iptables -A gw2inet	-p tcp --dport 995					-j ACCEPT
iptables -A inet2gw	-p tcp --sport 995 --dport 1024: -m state --state ESTABLISHED	-j ACCEPT

# IMAP
iptables -A lan2gw	-p tcp --dport 143					-j ACCEPT
iptables -A gw2lan	-p tcp --sport 143	-m state --state ESTABLISHED	-j ACCEPT
# IMAPsec
iptables -A lan2gw	-p tcp --dport 993					-j ACCEPT
iptables -A gw2lan	-p tcp --sport 993	-m state --state ESTABLISHED	-j ACCEPT

# SMTP
iptables -A lan2inet	-p tcp --dport 25					-j ACCEPT
iptables -A inet2lan	-p tcp --sport 25 --dport 1024:	-m state --state ESTABLISHED	-j ACCEPT
iptables -A gw2inet	-p tcp --dport 25					-j ACCEPT
iptables -A inet2gw	-p tcp --sport 25 --dport 1024:	-m state --state ESTABLISHED	-j ACCEPT
iptables -A lan2gw	-p tcp --dport 25					-j ACCEPT
iptables -A gw2lan	-p tcp --sport 25	-m state --state ESTABLISHED	-j ACCEPT

# NEWS
iptables -A lan2inet	-p tcp --dport 119					-j ACCEPT
iptables -A inet2lan	-p tcp --sport 119 --dport 1024: -m state --state ESTABLISHED	-j ACCEPT
iptables -A gw2inet	-p tcp --dport 119					-j ACCEPT
iptables -A inet2gw	-p tcp --sport 119 --dport 1024: -m state --state ESTABLISHED	-j ACCEPT
iptables -A lan2gw	-p tcp --dport 119					-j ACCEPT
iptables -A gw2lan	-p tcp --sport 119	-m state --state ESTABLISHED	-j ACCEPT

# SSH
iptables -A lan2inet	-p tcp --dport 22					-j ACCEPT
iptables -A inet2lan	-p tcp --sport 22 --dport 1024:	-m state --state ESTABLISHED	-j ACCEPT
#iptables -A inet2lan	-p tcp --sport 22 	-m state --state ESTABLISHED	-j ACCEPT
iptables -A gw2inet	-p tcp --dport 22					-j ACCEPT
iptables -A inet2gw	-p tcp --sport 22 --dport 1024:	-m state --state ESTABLISHED	-j ACCEPT
iptables -A lan2gw	-p tcp --dport 22					-j ACCEPT
iptables -A gw2lan	-p tcp --sport 22	-m state --state ESTABLISHED	-j ACCEPT
iptables -A gw2lan	-p tcp --dport 22					-j ACCEPT
iptables -A lan2gw	-p tcp --sport 22	-m state --state ESTABLISHED	-j ACCEPT

# CUPS
iptables -A lan2gw	-p tcp --dport 631					-j ACCEPT
iptables -A lan2gw	-p udp --sport 631	--dport 631			-j ACCEPT
iptables -A gw2lan	-p tcp --sport 631					-j ACCEPT
iptables -A gw2lan	-p udp --sport 631	--dport 631			-j ACCEPT

# LPD
iptables -A lan2gw	-p tcp			--dport 515			-j ACCEPT
iptables -A gw2lan	-p tcp --sport 515					-j ACCEPT

# NTP
iptables -A gw2inet	-p udp --sport 123 --dport 123					-j ACCEPT
iptables -A inet2gw	-p udp --sport 123 --dport 123	-m state --state ESTABLISHED	-j ACCEPT
iptables -A lan2inet	-p udp		   --dport 37					-j ACCEPT
iptables -A inet2lan	-p udp --sport 37 --dport 1024:	-m state --state ESTABLISHED	-j ACCEPT


# high-lands (ports above 1023): nothing for high-security firewalls,
iptables -A gw2lan	-p tcp --sport 1024: --dport 1024:				-j ACCEPT
iptables -A gw2lan	-p udp --sport 1024: --dport 1024:				-j ACCEPT
iptables -A lan2gw	-p tcp --sport 1024: --dport 1024:				-j ACCEPT
iptables -A lan2gw	-p udp --sport 1024: --dport 1024:				-j ACCEPT
iptables -A gw2inet	-p tcp --sport 1024: --dport 1024:				-j ACCEPT
iptables -A gw2inet	-p udp --sport 1024: --dport 1024:				-j ACCEPT
iptables -A inet2gw	-p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED	-j ACCEPT
iptables -A inet2gw	-p udp --sport 1024: --dport 1024: -m state --state ESTABLISHED	-j ACCEPT
iptables -A lan2inet	-p tcp --sport 1024: --dport 1024:				-j ACCEPT
iptables -A lan2inet	-p udp --sport 1024: --dport 1024:				-j ACCEPT
iptables -A inet2lan	-p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED	-j ACCEPT
iptables -A inet2lan	-p udp --sport 1024: --dport 1024: -m state --state ESTABLISHED	-j ACCEPT


# ICMP-Check
iptables -A gw2inet	-p icmp						-j icmpchk
iptables -A inet2gw	-p icmp						-j icmpchk
iptables -A lan2gw	-p icmp						-j icmpchk
iptables -A gw2lan	-p icmp						-j icmpchk
iptables -A lan2inet	-p icmp						-j icmpchk
iptables -A inet2lan	-p icmp						-j icmpchk
# ICMP accept - partly rate-limited as protection against ping flooding
iptables -A gw2lan	-p icmp						-j ACCEPT
iptables -A lan2gw	-p icmp						-j ACCEPT
iptables -A gw2inet	-p icmp						-j ACCEPT
iptables -A inet2gw	-p icmp --icmp-type destination-unreachable	-j ACCEPT
iptables -A inet2gw	-p icmp --icmp-type time-exceeded		-j ACCEPT
iptables -A inet2gw	-p icmp	-m limit --limit 1/s --limit-burst 2	-j ACCEPT
iptables -A lan2inet	-p icmp						-j ACCEPT
iptables -A inet2lan	-p icmp --icmp-type destination-unreachable	-j ACCEPT
iptables -A inet2lan	-p icmp --icmp-type time-exceeded		-j ACCEPT
iptables -A inet2lan	-p icmp	-m limit --limit 1/s --limit-burst 2	-j ACCEPT


# end of the chains: whatever has not been accepted up to here is logged and rejected
## default was --reject-with icmp-port-unreachable
iptables -A INPUT	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:INPUT    " --log-level 4
iptables -A INPUT		-j REJECT	--reject-with icmp-host-prohibited
iptables -A FORWARD	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:FORWARD  " --log-level 4
iptables -A FORWARD		-j REJECT	--reject-with icmp-net-prohibited
iptables -A OUTPUT	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:OUTPUT   " --log-level 4
iptables -A OUTPUT		-j REJECT
iptables -A inet2gw	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:inet2gw  " --log-level 4
iptables -A inet2gw		-j REJECT	--reject-with icmp-host-prohibited
iptables -A gw2inet	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:gw2inet  " --log-level 4
iptables -A gw2inet	 	-j REJECT
iptables -A lan2inet	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:lan2inet " --log-level 4
iptables -A lan2inet		-j REJECT	--reject-with icmp-net-prohibited
iptables -A inet2lan	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:inet2lan " --log-level 4
iptables -A inet2lan		-j REJECT	--reject-with icmp-net-prohibited
iptables -A lan2gw	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:lan2gw   " --log-level 4
iptables -A lan2gw		-j REJECT	--reject-with icmp-host-prohibited
iptables -A gw2lan	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:gw2lan   " --log-level 4
iptables -A gw2lan		-j REJECT


# speed up connections going to the Internet
iptables -t mangle -N settos
iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d ! 192.168.0.0/16	-j settos
iptables -t mangle -A PREROUTING -i eth2 -s 192.168.2.0/24 -d ! 192.168.0.0/16	-j settos
iptables -t mangle -A OUTPUT	  -o ppp+	-d ! 192.168.0.0/16	-j settos
iptables -t mangle -A OUTPUT	  -o ippp+	-d ! 192.168.0.0/16	-j settos
## Maximize-Reliability
iptables -t mangle -A settos	-p tcp	--dport 22	-j TOS --set-tos 0x04
iptables -t mangle -A settos	-p udp	--dport 53	-j TOS --set-tos 0x04
iptables -t mangle -A settos	-p udp	--dport 123	-j TOS --set-tos 0x04
iptables -t mangle -A settos	-p udp	--dport 1024:	-j TOS --set-tos 0x04
## Maximize-Throughput
iptables -t mangle -A settos	-p tcp	--dport 25	-j TOS --set-tos 0x08
iptables -t mangle -A settos	-p tcp	--dport 119	-j TOS --set-tos 0x08
## Minimize-Delay
iptables -t mangle -A settos	-p tcp	--dport 20	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 21	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 80	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 110	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 443	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 995	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 1024:	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p icmp			-j TOS --set-tos 0x10

# for client accesses from the Internet
## Maximize-Reliability
iptables -t mangle -A settos	-p tcp	--sport 22	-j TOS --set-tos 0x04


# end of the chains
iptables -t mangle -A settos				-j ACCEPT
iptables -t mangle -A PREROUTING			-j ACCEPT
iptables -t mangle -A OUTPUT				-j ACCEPT


# masquerade connections going to the Internet
iptables -t nat	-A POSTROUTING	-o ppp+			-j MASQUERADE
iptables -t nat	-A POSTROUTING	-o ippp+		-j MASQUERADE

# end of the chains
iptables -t nat -A PREROUTING				-j ACCEPT
iptables -t nat -A OUTPUT				-j ACCEPT
iptables -t nat	-A POSTROUTING				-j ACCEPT



# disable Explicit Congestion Notification support
## various routers on the net do not let packets with the ECN bit set through.
echo 0 > /proc/sys/net/ipv4/tcp_ecn 

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
	echo 0 > $f
    done

# enable route verification = IP spoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
	echo 1 > $f
    done

# no source-routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
	echo 0 > $f
    done

# log broken packets: spoofed, source-routed and redirect packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
	echo 1 > $f
    done

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable always-defragging Protection
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# be verbose on dynamic ip-adresses
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# TCPsyncookie support
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# do not answer broadcast pings
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 

# time trying to finish closing a connection
echo 30 >/proc/sys/net/ipv4/tcp_fin_timeout 

# time before killing a stale connection
echo 1800 >/proc/sys/net/ipv4/tcp_keepalive_time 

# turn off some IP extensions that aren't needed
echo 0  >/proc/sys/net/ipv4/tcp_window_scaling 
echo 0  >/proc/sys/net/ipv4/tcp_sack 
echo 0  >/proc/sys/net/ipv4/tcp_timestamps


# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward	


# remove the setup guard (the REJECT rule inserted at the top of FORWARD)
iptables -D FORWARD 1

    ;;

noproxy)
	echo "Allowing http-Traffic to access webservers directly ..."
	iptables -t nat -F PREROUTING
    ;;

proxy)
	echo "Redirecting http-Traffic to transparent Proxy ..."
	iptables -t nat -F PREROUTING
	## SQUID as transparent proxy
iptables -t nat	-A PREROUTING	-i eth0	-p tcp	--dport 80	-j REDIRECT --to-ports 8080
iptables -t nat	-A PREROUTING	-i eth2	-p tcp	--dport 80	-j REDIRECT --to-ports 8080
    ;;


stop)

	echo "Stopping ..."

	# disable IP forwarding
	echo 0 > /proc/sys/net/ipv4/ip_forward	

	# clean-up
	iptables -Z
	iptables -F
	iptables -t nat		-F PREROUTING
	iptables -t nat		-F OUTPUT
	iptables -t nat		-F POSTROUTING
	iptables -t mangle	-F PREROUTING
	iptables -t mangle	-F OUTPUT
	iptables -X

	# default policy: everything is allowed except forwarding/masquerading!
	iptables -P INPUT	ACCEPT
	iptables -P FORWARD	DROP
	iptables -P OUTPUT	ACCEPT

    ;;

restart)
        $0 stop
        /usr/bin/sleep 1
        $0 start
    ;;

status)
	echo "iptables.mangling:"
	iptables -t mangle	-v -L -n --line-numbers
	echo
	echo "iptables.nat:"
	iptables -t nat		-v -L -n --line-numbers
	echo
	echo "iptables.filter:"
	iptables		-v -L -n --line-numbers
    ;;

*)
        echo "Usage: $0 {start|stop|restart|status|proxy|noproxy}"
        exit 1
    ;;

esac

# End /etc/init.d/rc.packetfilter

-------------- next part --------------
#!/bin/sh
##/etc/init.d/firewall


case "$1" in
start)
	echo "Starting Firewall..."

	modprobe ip_tables
	modprobe iptable_filter
	modprobe ip_conntrack
	modprobe ip_conntrack_ftp
	modprobe ipt_state
	modprobe iptable_nat
	modprobe ip_nat_ftp
	modprobe iptable_mangle
	modprobe ipt_MASQUERADE
	modprobe ipt_TCPMSS
	modprobe ipt_REDIRECT
	modprobe ipt_REJECT
	modprobe ipt_limit
	modprobe ipt_LOG
	modprobe ipt_TOS

# clean-up
iptables -t mangle	-Z
iptables -t mangle	-F
iptables -t mangle	-X
iptables -t nat		-Z
iptables -t nat		-F
iptables -t nat		-X
iptables		-Z
iptables		-F
iptables		-X

# allow connections on loopback
iptables -A INPUT	-i lo							-j ACCEPT
iptables -A OUTPUT		-o lo						-j ACCEPT

# drop IP packets that arrive on the raw DSL interface (eth1) instead of inside PPP
iptables -A INPUT	-i eth1							-j DROP
iptables -A FORWARD	-i eth1							-j DROP
iptables -A FORWARD		-o eth1						-j DROP
iptables -A OUTPUT		-o eth1						-j DROP

# allow intranet-connections, but not from and to DSL
iptables -A INPUT	-i eth+							-j ACCEPT
iptables -A OUTPUT		-o eth+						-j ACCEPT

# setup forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED 			-j ACCEPT
iptables -A FORWARD -m state --state NEW	-i ! ppp+			-j ACCEPT

# do masquerading
iptables -t nat -A POSTROUTING	-o ppp+						-j MASQUERADE
iptables -t nat -A POSTROUTING	-o ippp+					-j MASQUERADE

# fix forwarding for DSL
iptables -I FORWARD	-o ppp+	-p tcp --tcp-flags SYN,RST SYN	-j TCPMSS --clamp-mss-to-pmtu


# set a sane policy
iptables -P INPUT       DROP
iptables -P FORWARD     DROP
iptables -P OUTPUT      DROP


# DNS
iptables -A OUTPUT	-p udp			--dport 53			-j ACCEPT
iptables -A INPUT	-p udp	--sport 53	-m state --state ESTABLISHED	-j ACCEPT

# WWW
iptables -A OUTPUT	-p tcp			--dport 80			-j ACCEPT
iptables -A INPUT	-p tcp	--sport 80	-m state --state ESTABLISHED	-j ACCEPT
## SQUID as transparent proxy
iptables -t nat	-A PREROUTING	-i eth+	-p tcp	--dport 80	-j REDIRECT --to-ports 8080
# WWWsec
iptables -A OUTPUT	-p tcp			--dport 443			-j ACCEPT
iptables -A INPUT	-p tcp	--sport 443	-m state --state ESTABLISHED	-j ACCEPT

# FTP
iptables -A OUTPUT	-p tcp			--dport 21			-j ACCEPT
iptables -A INPUT	-p tcp	--sport 21	-m state --state ESTABLISHED	-j ACCEPT
## active FTP (data connection opened by the server from port 20)
iptables -A INPUT	-p tcp	--sport 20  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT	-p tcp	  --dport 20	-m state --state ESTABLISHED	-j ACCEPT
# AUTH/IDENT
iptables -A INPUT	-p tcp			--dport 113	-j REJECT --reject-with tcp-reset
iptables -A OUTPUT	-p tcp	--sport 113	-m state --state RELATED	-j ACCEPT

# POP3
iptables -A OUTPUT	-p tcp			--dport 110			-j ACCEPT
iptables -A INPUT	-p tcp	--sport 110	-m state --state ESTABLISHED	-j ACCEPT
# POP3sec
iptables -A OUTPUT	-p tcp			--dport 995			-j ACCEPT
iptables -A INPUT	-p tcp	--sport 995	-m state --state ESTABLISHED	-j ACCEPT

# SMTP
iptables -A OUTPUT	-p tcp			--dport 25			-j ACCEPT
iptables -A INPUT	-p tcp	--sport 25	-m state --state ESTABLISHED	-j ACCEPT

# NEWS
iptables -A OUTPUT	-p tcp			--dport 119			-j ACCEPT
iptables -A INPUT	-p tcp	--sport 119	-m state --state ESTABLISHED	-j ACCEPT

# SSH
## outgoing
iptables -A OUTPUT	-p tcp			--dport 22			-j ACCEPT
iptables -A INPUT	-p tcp	--sport 22	-m state --state ESTABLISHED	-j ACCEPT
## incoming: an incoming SSH session arrives on our port 22 and is answered from port 22
#iptables -A INPUT	-p tcp	--dport 22					-j ACCEPT
#iptables -A OUTPUT	-p tcp	--sport 22	-m state --state ESTABLISHED	-j ACCEPT

# NTP
iptables -A OUTPUT	-p udp	--sport 123	--dport 123			-j ACCEPT
iptables -A INPUT	-p udp	--sport 123 --dport 123	-m state --state ESTABLISHED	-j ACCEPT

# PING
iptables -A OUTPUT	-p icmp --icmp-type echo-request			-j ACCEPT
iptables -A INPUT	-p icmp --icmp-type echo-reply				-j ACCEPT
#iptables -A OUTPUT	-p icmp --icmp-type 3	 				-j ACCEPT
iptables -A OUTPUT	-p icmp --icmp-type network-prohibited			-j ACCEPT
iptables -A OUTPUT	-p icmp --icmp-type host-prohibited			-j ACCEPT
# evil ICMP-Packets
iptables -A INPUT	-p icmp --icmp-type redirect				-j DROP
iptables -A INPUT	-p icmp --icmp-type echo-request			-j DROP
iptables -A INPUT	-p icmp --icmp-type router-advertisement		-j DROP
iptables -A INPUT	-p icmp --icmp-type parameter-problem			-j DROP
iptables -A INPUT	-p icmp --icmp-type timestamp-request			-j DROP
iptables -A INPUT	-p icmp --icmp-type address-mask-request		-j DROP
## limit of 3 packets per second to prevent ICMP floods (DoS)
iptables -A INPUT	-p icmp		-m limit --limit 3/s			-j ACCEPT
iptables -A OUTPUT	-p icmp		-m state --state ESTABLISHED,RELATED	-j ACCEPT

# high ports (>= 1024) on both sides: NOT FOR THE HIGHEST SECURITY
## Those who feel unsure should comment out the lines dealing with UDP:
iptables -A INPUT	-p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED	-j ACCEPT
iptables -A INPUT	-p udp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED	-j ACCEPT
iptables -A OUTPUT	-p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED	-j ACCEPT
iptables -A OUTPUT	-p udp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED	-j ACCEPT

# Logging and REJECT (-m limit without --limit uses its default rate of 3 per hour)
## default: --reject-with icmp-port-unreachable
iptables -A INPUT	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:INPUT    " --log-level 4
iptables -A INPUT		-j REJECT	--reject-with icmp-host-prohibited
iptables -A FORWARD	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:FORWARD  " --log-level 4
iptables -A FORWARD		-j REJECT	--reject-with icmp-net-prohibited
iptables -A OUTPUT	-m limit --limit-burst 2 -j LOG --log-prefix "FIREWALL:OUTPUT   " --log-level 4
iptables -A OUTPUT		-j REJECT	--reject-with icmp-net-prohibited

# speedup for outgoing connections
iptables -t mangle -N settos
iptables -t mangle -A PREROUTING -i eth+ -s 192.168.0.0/16 -d ! 192.168.0.0/16	-j settos
iptables -t mangle -A OUTPUT	  -o ppp+	-d ! 192.168.0.0/16	-j settos
iptables -t mangle -A OUTPUT	  -o ippp+	-d ! 192.168.0.0/16	-j settos
## Maximize-Reliability
iptables -t mangle -A settos	-p tcp	--dport 22	-j TOS --set-tos 0x04
iptables -t mangle -A settos	-p udp	--dport 53	-j TOS --set-tos 0x04
iptables -t mangle -A settos	-p udp	--dport 123	-j TOS --set-tos 0x04
iptables -t mangle -A settos	-p udp	--dport 1024:	-j TOS --set-tos 0x04
## Maximize-Throughput
iptables -t mangle -A settos	-p tcp	--dport 25	-j TOS --set-tos 0x08
iptables -t mangle -A settos	-p tcp	--dport 119	-j TOS --set-tos 0x08
## Minimize-Delay
iptables -t mangle -A settos	-p tcp	--dport 20	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 21	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 80	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 110	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 443	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 995	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p tcp	--dport 1024:	-j TOS --set-tos 0x10
iptables -t mangle -A settos	-p icmp			-j TOS --set-tos 0x10
## Maximize-Reliability
iptables -t mangle -A settos	-p tcp	--sport 22	-j TOS --set-tos 0x04


# disable ExplicitCongestionNotification-support
echo 0 > /proc/sys/net/ipv4/tcp_ecn 

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
	echo 0 > $f
done

# activate Route-Verification = IP-Spoofing_protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
	echo 1 > $f
done

# no Source-routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
	echo 0 > $f
done

# log martian packets: spoofed, source-routed and redirect packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
	echo 1 > $f
done

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable always-defragging Protection (the entry is not present on every kernel,
# with connection tracking loaded the kernel defragments anyway, so only write it if it exists)
if [ -f /proc/sys/net/ipv4/ip_always_defrag ]; then
	echo 1 > /proc/sys/net/ipv4/ip_always_defrag
fi

# dynamic IP address rewriting for dial-up (2 = enabled and verbose)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# TCP syncookie support
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# do not answer broadcast pings (smurf protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# time trying to finish closing a connection
echo 30 >/proc/sys/net/ipv4/tcp_fin_timeout 

# time before killing a stale connection
echo 1800 >/proc/sys/net/ipv4/tcp_keepalive_time 

# turn off some IP extensions that aren't needed
echo 0  >/proc/sys/net/ipv4/tcp_window_scaling 
echo 0  >/proc/sys/net/ipv4/tcp_sack 
echo 0  >/proc/sys/net/ipv4/tcp_timestamps

# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
    ;;

noproxy)
echo "Allowing http-Traffic to access webservers directly ..."
iptables -t nat -F PREROUTING
    ;;

proxy)
echo "Redirecting http-Traffic to transparent Proxy ..."
iptables -t nat -F PREROUTING
## SQUID as transparent proxy
iptables -t nat	-A PREROUTING	-i eth0	-p tcp	--dport 80	-j REDIRECT --to-ports 8080
iptables -t nat	-A PREROUTING	-i eth2	-p tcp	--dport 80	-j REDIRECT --to-ports 8080
    ;;


stop)

	echo "Stopping ..."

	# disable IP forwarding
	echo 0 > /proc/sys/net/ipv4/ip_forward	

	# clean-up
	iptables -t mangle	-Z
	iptables -t mangle	-F
	iptables -t mangle	-X
	iptables -t nat		-Z
	iptables -t nat		-F
	iptables -t nat		-X
	iptables		-Z
	iptables		-F
	iptables		-X

	# defaults: everything is allowed besides Forwarding/Masquerading!
	iptables -P INPUT	ACCEPT
	iptables -P FORWARD	DROP
	iptables -P OUTPUT	ACCEPT

    ;;

restart)
        $0 stop
        /usr/bin/sleep 1
        $0 start
    ;;

status)
	echo "iptables.mangling:"
	iptables -t mangle	-v -L -n --line-numbers
	echo
	echo "iptables.nat:"
	iptables -t nat		-v -L -n --line-numbers
	echo
	echo "iptables.filter:"
	iptables		-v -L -n --line-numbers
    ;;

*)
        echo "Usage: $0 {start|stop|restart|status|noproxy|proxy}"
        exit 1
    ;;

esac

# End /etc/init.d/firewall
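The LOG rules in the firewall script tag every rejected packet with one of the prefixes FIREWALL:INPUT, FIREWALL:FORWARD or FIREWALL:OUTPUT. The following sh script is an added example and not part of Henning's hint or of the scripts above: it summarises such kernel log lines per chain, protocol and destination port, so one can see at a glance what the firewall is rejecting. The log lines inside it are constructed for the demo, and the ipt_LOG field names (IN=, OUT=, SRC=, DST=, PROTO=, DPT=, TYPE=) are assumed to be the standard ones.

```shell
#!/bin/sh
# Added example (not part of the firewall hint): summarise the kernel log lines
# that the "FIREWALL:<CHAIN>" LOG rules produce. Assumes the standard ipt_LOG
# field layout (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=, or TYPE= for ICMP).

# Read syslog lines on stdin, print "<count> <chain> <proto> <dport|typeN>"
# for every distinct chain/protocol/destination, most frequent first.
summarize_fw_log() {
	awk '
	/FIREWALL:/ {
		chain = ""; proto = "-"; dpt = "-"; icmptype = ""
		for (i = 1; i <= NF; i++) {
			if ($i ~ /^FIREWALL:/)   { chain = substr($i, 10) }
			else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
			else if ($i ~ /^DPT=/)   { dpt = substr($i, 5) }
			else if ($i ~ /^TYPE=/)  { icmptype = "type" substr($i, 6) }
		}
		# ICMP carries no port; report the ICMP type instead
		if (dpt == "-" && icmptype != "") dpt = icmptype
		if (chain != "") count[chain " " proto " " dpt]++
	}
	END { for (k in count) print count[k], k }
	' | sort -k1,1nr -k2
}

# Constructed sample log (not real traffic): two SSH probes and an ICMP packet
# hitting INPUT, one forward attempt from the DSL side, one IRC attempt from
# the firewall host itself, plus an unrelated kernel line that must be ignored.
sample_log() {
	cat <<'EOF'
Aug 11 10:30:24 lfs kernel: FIREWALL:INPUT    IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=33122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 11 10:30:25 lfs kernel: FIREWALL:INPUT    IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=33123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 11 10:30:31 lfs kernel: FIREWALL:INPUT    IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
Aug 11 10:30:40 lfs kernel: FIREWALL:FORWARD  IN=ppp0 OUT=eth0 SRC=203.0.113.9 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=40001 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 11 10:31:02 lfs kernel: FIREWALL:OUTPUT   IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 11 10:31:10 lfs kernel: eth0: link up, 100Mbps, full-duplex
EOF
}

# demo run: prints "2 INPUT TCP 22" first
sample_log | summarize_fw_log
```

On a real box replace sample_log with e.g. grep FIREWALL: /var/log/messages.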


