#! /bin/bash

## ATTENTION!
##
## Start this script for testing purposes ALWAYS
## with the following cmd-line
## (after checking that atd is running ->pstree)
###
# at -f /etc/fw NOW +2min; source ./fw_student
###

## script written by students ...

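# Refuse to run without root: iptables itself needs root, and a ruleset that
# is only half loaded is worse than none. The second test requires /etc/fw
# to be executable so that the "at -f /etc/fw" release job mentioned in the
# header can actually run it.
if [[ "$UID" -ne 0 ]]; then
  printf '%s\n' "You must be root to start this firewall!" >&2
  exit 5
elif [[ ! -x /etc/fw ]]; then
  # The original message nested double quotes around x, which the shell
  # swallowed; single quotes keep them visible in the printed text.
  printf '%s\n' "You'll need this file with 'x' for release possibility!" >&2
  exit 5
fi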


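#######################################
# Thin wrapper around the iptables binary so every rule in this script reads
# "ipt ..." and the absolute path lives in exactly one place.
# Arguments: passed through unchanged to iptables
# Outputs:   whatever iptables prints
# Returns:   the exit status of iptables
#
# The path variable was a global called EINS in the original version and
# leaked into the caller's environment; it is local (and read-only) now.
# NOTE(review): a rule that fails to load only reports on stderr and the
# script carries on; because the chain policies are DROP, a missing rule
# locks traffic out rather than letting it through.
#######################################
ipt(){
  local -r iptables_bin="/usr/sbin/iptables"
  "$iptables_bin" "$@"
}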

# Start from a clean slate: delete all rules and all user-defined chains in
# the filter and the nat table. Packet counters are deliberately left alone
# (that would be -Z).
ipt -F
ipt -X
ipt -t nat -F
ipt -t nat -X

# Default policy DROP on every built-in filter chain. From this point until
# the ACCEPT rules further down are loaded, all traffic -- including the
# session that started this script -- is cut, which is why the header
# recommends releasing the script from an at job.
# (The nat chains keep their default ACCEPT policy.)
for chain in OUTPUT INPUT FORWARD; do
  ipt -P "$chain" DROP
done

# Loopback is always allowed; inserted at the top of both chains.
ipt -I INPUT  -i lo -j ACCEPT
ipt -I OUTPUT -o lo -j ACCEPT


###########

## VARIABLENPART

## VARIABLENPART -- addresses, networks and interfaces of this firewall

# Address of the firewall in each segment (LAN and WAN are matched with -d
# in the INPUT rules below; DMZ presumably plays the same role but is unused).
DMZ="172.19.0.1"
LAN="10.0.0.1"
WAN="192.168.1.104"

# Network attached to each segment
DMZNET="172.19.0.0/16"
LANNET="10.0.0.0/8"
WANNET="192.168.0.0/16"

# Interface per segment
DMZ_IF="eth2"
LAN_IF="eth1"
WAN_IF="eth0"

# Jump host in the LAN: reachable from outside via the port-forward and the
# only LAN host allowed to ssh into the firewall.
SPRUNG="10.0.0.90"

# Servers (WEB lies in the DMZ net). SMTP and IMAP are still unassigned and
# not referenced by any rule; note that an empty, unquoted $SMTP/$IMAP would
# silently vanish from an iptables command line if they were used.
WEB="172.19.0.23"
SMTP=""
IMAP=""

# Upstream nameserver the LAN may query
NS="192.168.1.2"

# Unprivileged source-port range used in the --sport matches
P_HIGH="1024:65535"



##### NAT
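##### NAT

# Source NAT: the LAN leaves through the firewall's WAN address. The original
# appended this exact rule twice; the second copy could never match anything
# the first had not already handled, so it is listed once.
ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LANNET" \
  -j SNAT --to-source "$WAN"

# Port forward: TCP/4711 on the WAN address -> ssh on the jump host. The
# target used to be the literal 10.0.0.90, which is the value of $SPRUNG;
# using the variable keeps it in step with the matching FORWARD rule.
ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN" -p tcp --dport 4711 \
  -j DNAT --to-destination "${SPRUNG}:22"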


# DROP BEREICH
# DROP section: forwarded packets that conntrack cannot assign to any
# connection are discarded before anything else is considered.
ipt -A FORWARD -m state --state INVALID -j DROP

# Traffic belonging to an already accepted connection is allowed in every
# chain. Only ESTABLISHED is matched, not RELATED, so packets that conntrack
# files as related (e.g. ICMP errors for a connection) do not pass here.
for chain in FORWARD INPUT OUTPUT; do
  ipt -A "$chain" -m state --state ESTABLISHED -j ACCEPT
done


# LANREGELN

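# Every rule below matches only the first packet (state NEW); the replies
# are covered by the ESTABLISHED rules above. All expansions are quoted so
# an empty variable fails loudly instead of silently dropping an argument.

# HTTP from the LAN to the outside (port 80 only; 443 is not opened)
ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LANNET" -p tcp --dport 80 \
  --sport "$P_HIGH" -m state --state NEW -j ACCEPT

# ssh from the outside world to the jump host (arrives via the port-4711
# DNAT in the nat section)
ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SPRUNG" -p tcp --dport 22 \
  --sport "$P_HIGH" -m state --state NEW -j ACCEPT

# ssh from the outside world to the firewall itself.
# FOR TESTING PURPOSES ONLY: this exposes the firewall's own sshd to every
# host reachable on $WAN_IF. It MUST be removed (commented out) again before
# the ruleset goes into service.
ipt -A INPUT -i "$WAN_IF" -d "$WAN" -p tcp --dport 22 \
  --sport "$P_HIGH" -m state --state NEW -j ACCEPT

# ssh from the jump host to the firewall's LAN address. The MAC match is a
# second hurdle next to the source IP, not authentication: any host on the
# LAN segment can set both.
ipt -A INPUT -i "$LAN_IF" -s "$SPRUNG" -d "$LAN" -p tcp --dport 22 \
  --sport "$P_HIGH" -m mac --mac-source 00:17:A4:41:C6:BB \
  -m state --state NEW -j ACCEPT

# DNS from the LAN to the one configured nameserver (UDP only; the TCP/53
# fallback for large answers is not permitted by this rule)
ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LANNET" -d "$NS" -p udp --dport 53 \
  --sport "$P_HIGH" -m state --state NEW -j ACCEPT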




# Final logging: a packet reaching this point matched no ACCEPT rule above
# and is dropped by the chain's DROP policy right after being logged. The
# prefixes carry no trailing separator, so they run straight into the
# "IN=..." part of the kernel log line.
# NOTE(review): there is no -m limit on these rules, so every dropped packet
# produces its own log line.
for target in INPUT:restdropin OUTPUT:restdropout FORWARD:restdropforw; do
  ipt -A "${target%%:*}" -j LOG --log-prefix "${target#*:}"
done


# just in case if someone is too quick
#+ shall be removed later
##sleep 30
##ipt -P INPUT ACCEPT
##ipt -P OUTPUT ACCEPT
##ipt -P FORWARD ACCEPT