Da ich gezwungen bin, auf meinem V-Server iptables ohne connection tracking zu verwenden, habe ich mir selber ein Firewall-Script zusammengehackt. Vielleicht kann der eine oder andere damit was anfangen, oder evtl. habt ihr einige Verbesserungsvorschläge.
Auf den ersten Blick funktioniert es, das heißt aber noch lange nichts, also keine Gewähr. Vernichtende Kommentare sind übrigens immer willkommen.
Ach ja, mein OS: Debian Confixx 1.1
Auf den ersten Blick funktioniert es, das heißt aber noch lange nichts, also keine Gewähr. Vernichtende Kommentare sind übrigens immer willkommen.
Ach ja, mein OS: Debian Confixx 1.1
#!/bin/sh
#
###############################################################
# #
# iptables based firewall script for Virtuozzo virtual servers #
# (without connection tracking) #
# Version 0.3 (2004/11/27) #
# #
# Configuration: #
# - set external interface name (EXT_IF) #
# - if ifconfig output has other format on your box, #
# you may have to change EXT_IP #
# - add/remove entries in EnableServices() and EnableOutgoing() #
# - add/remove entries in EnableICMP #
# - comment out EnablePingIn in start section if needed #
# #
# (c) 2004 Ralf Terdic - use at your own risk #
# #
###############################################################
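# external interface
EXT_IF=venet0:0
IPTABLES=/sbin/iptables
IFCONFIG=/sbin/ifconfig
# get IP of external interface: from the "inet" line of ifconfig take the
# text after the first ':' up to the first blank. This relies on the old
# "inet addr:A.B.C.D  Bcast:..." layout; with a different layout EXT_IP
# ends up empty and every rule built from it is rejected by iptables.
EXT_IP=$("$IFCONFIG" "$EXT_IF" | grep inet | cut -d : -f 2 | cut -d " " -f 1)
# IP of loopback interface
LO_IP=127.0.0.1
# Rule prefixes/targets. These hold several words on purpose and must be
# expanded unquoted where used so that they split into separate arguments.
IN="$IPTABLES -A INPUT"
OUT="$IPTABLES -A OUTPUT"
YES="-j ACCEPT"
NO="-j DROP"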
FlushAll()
{
  # Remove every rule from the filter INPUT and OUTPUT chains.
  # Chain policies are not touched here.
  echo " Flushing chains"
  for chain in INPUT OUTPUT; do
    $IPTABLES -F "$chain"
  done
}
SetPolicyAllowAll()
{
  # Default policy ACCEPT on INPUT and OUTPUT: with the chains flushed
  # this means no filtering at all (used by the stop action).
  echo " Setting accept policy"
  for chain in INPUT OUTPUT; do
    $IPTABLES -P "$chain" ACCEPT
  done
}
SetPolicyDenyAll()
{
  # Default policy DROP on INPUT and OUTPUT: anything not matched by an
  # ACCEPT rule added afterwards is silently discarded, in both directions.
  echo " Setting drop policy"
  for chain in INPUT OUTPUT; do
    $IPTABLES -P "$chain" DROP
  done
}
EnableLocalTraffic()
{
  # Accept traffic the host exchanges with itself, via the loopback
  # address and via its own external address.
  # The INPUT rules match on source address only (no -i interface match),
  # so any packet arriving with source 127.0.0.1 or EXT_IP is accepted;
  # a stateless filter has no way to tell such a packet from a spoofed one.
  echo " Enabling local traffic"
  for addr in "$LO_IP" "$EXT_IP"; do
    $OUT -d "$addr" $YES
  done
  for addr in "$LO_IP" "$EXT_IP"; do
    $IN -s "$addr" $YES
  done
}
EnablePingIn()
{
  # Answer pings from outside: incoming echo-request is accepted at most
  # 12 times per minute (ping-flood protection), outgoing echo-reply is
  # always accepted since, without connection tracking, it cannot be tied
  # to a specific request.
  echo " Allowing incoming ping (limit: 12/minute)"
  $IN -d "$EXT_IP" -p icmp --icmp-type echo-request -m limit --limit 12/minute $YES
  $OUT -s "$EXT_IP" -p icmp --icmp-type echo-reply $YES
}
EnablePingOut()
{
  # Let this host ping others: echo-request out, echo-reply in.
  # The reply rule is unconditional (no rate limit, no state), so any
  # echo-reply addressed to EXT_IP is accepted.
  echo " Allowing outgoing ping"
  $OUT -s "$EXT_IP" -p icmp --icmp-type echo-request $YES
  $IN -d "$EXT_IP" -p icmp --icmp-type echo-reply $YES
}
EnableICMP()
{
  # Accept the ICMP error messages a host needs for normal operation
  # (path MTU / unreachable, source quench, TTL exceeded), each limited
  # to one per second. echo-request/echo-reply are handled separately
  # by EnablePingIn/EnablePingOut.
  echo " Allowing ICMP:"
  for icmp_type in destination-unreachable source-quench time-exceeded; do
    echo " - $icmp_type (limit: 1/second)"
    $IN -d "$EXT_IP" -p icmp --icmp-type "$icmp_type" -m limit --limit 1/second $YES
  done
}
EnablePassiveFTP()
{
  # Passive-mode FTP as a client: control connection to port 21, data
  # connection to whatever unprivileged port the server announces.
  # Warning: the second call opens outgoing TCP to every port >= 1024 and,
  # through the reply rule in EnableTCPOut, accepts incoming non-SYN TCP
  # from any port >= 1024 to any local port >= 1024.
  printf '%s\n' " Allowing passive FTP:"
  EnableTCPOut 21 "ftp cmd"
  EnableTCPOut 1024:65535 "passive ftp data"
}
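EnableTCPService()
{
  # Offer TCP service on port $1 to the outside; $2 is a description for
  # the progress output. Clients are expected to connect from unprivileged
  # ports (>= 1024).
  # Stateless approximation of the reply direction: every non-SYN segment
  # from the service port to any port >= 1024 is let out, not only those
  # belonging to an accepted connection.
  # Returns 1 without adding rules if the port argument is missing, since
  # "--dport" followed by nothing would produce a rejected/garbled rule.
  if [ -z "$1" ]; then
    echo "EnableTCPService: missing port argument" >&2
    return 1
  fi
  echo " -$2 (TCP port $1)"
  PORT=$1
  # allow in-traffic from any unprivileged client port to service port
  $IN -p tcp --sport 1024: -d "$EXT_IP" --dport "$PORT" $YES
  # allow out-traffic from service port to any unprivileged client port (except SYN)
  $OUT -p tcp -s "$EXT_IP" --sport "$PORT" --dport 1024: "!" --syn $YES
}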
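EnableUDPService()
{
  # Offer UDP service on port $1 to the outside; $2 is a description for
  # the progress output. Clients are expected on unprivileged ports.
  # Stateless approximation of the reply direction: every UDP datagram
  # from the service port to any port >= 1024 is let out, whether or not
  # a request preceded it.
  # Returns 1 without adding rules if the port argument is missing.
  if [ -z "$1" ]; then
    echo "EnableUDPService: missing port argument" >&2
    return 1
  fi
  echo " -$2 (UDP port $1)"
  PORT=$1
  # allow in-traffic from any unprivileged client port to service port
  $IN -p udp --sport 1024: -d "$EXT_IP" --dport "$PORT" $YES
  # allow out-traffic from service port to any unprivileged client port
  $OUT -p udp -s "$EXT_IP" --sport "$PORT" --dport 1024: $YES
}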
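EnableTCPOut()
{
  # Allow this host to open TCP connections to port $1 (a single port or
  # an iptables range a:b) on any remote host; $2 is a description for
  # the progress output.
  # Stateless approximation of the reply direction: any non-SYN segment
  # with source port $1 to a local port >= 1024 is accepted, whether or
  # not a connection was initiated from here.
  # Returns 1 without adding rules if the port argument is missing.
  if [ -z "$1" ]; then
    echo "EnableTCPOut: missing port argument" >&2
    return 1
  fi
  echo " -$2 (TCP port $1)"
  PORT=$1
  # allow out-traffic from unprivileged port to service port
  $OUT -p tcp -s "$EXT_IP" --sport 1024: --dport "$PORT" $YES
  # allow in-traffic from service port to unprivileged port (no SYN)
  $IN -p tcp --sport "$PORT" -d "$EXT_IP" --dport 1024: "!" --syn $YES
}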
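EnableUDPOut()
{
  # Allow this host to send UDP to port $1 on any remote host; $2 is a
  # description for the progress output.
  # Stateless approximation of the reply direction: any UDP datagram with
  # source port $1 to a local port >= 1024 is accepted, solicited or not.
  # Returns 1 without adding rules if the port argument is missing.
  if [ -z "$1" ]; then
    echo "EnableUDPOut: missing port argument" >&2
    return 1
  fi
  echo " -$2 (UDP port $1)"
  PORT=$1
  # allow out-traffic from unprivileged port to service port
  $OUT -p udp -s "$EXT_IP" --sport 1024: --dport "$PORT" $YES
  # allow in-traffic from service port to unprivileged port (for replies)
  $IN -p udp --sport "$PORT" -d "$EXT_IP" --dport 1024: $YES
}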
EnableServices()
{
  ##########################################
  # Services this host offers to the outside.
  # Usage:
  # TCP: EnableTCPService port "description"
  # UDP: EnableUDPService port "description"
  # Each call opens the port for incoming traffic and
  # adds the matching (stateless) reply rule.
  ##########################################
  printf '%s\n' " Enabling TCP services:"
  EnableTCPService 22 "ssh daemon"
  EnableTCPService 80 "web server"
  printf '%s\n' " Enabling UDP services:"
  #EnableUDPService 53 "dns server"
}
EnableOutgoing()
{
  ##########################################
  # Remote services this host may connect to.
  # Usage:
  # TCP: EnableTCPOut port "description"
  # UDP: EnableUDPOut port "description"
  # Each call opens the port for outgoing traffic and
  # adds the matching (stateless) reply rule.
  ##########################################
  printf '%s\n' " Enabling outgoing TCP:"
  EnableTCPOut 80 "browser"
  EnableTCPOut 22 "ssh client"
  printf '%s\n' " Enabling outgoing UDP:"
  EnableUDPOut 53 "dns queries"
}
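# Entry point: start|restart builds the rule set, stop removes all
# filtering, status lists the current rules.
case "$1" in
start|restart)
  # Refuse to continue without the external address: every ACCEPT rule
  # below is built from EXT_IP and would fail to load, leaving only the
  # DROP policy in force and locking out remote access (including ssh).
  if [ -z "$EXT_IP" ]; then
    echo "Cannot determine IP address of $EXT_IF - firewall left unchanged" >&2
    exit 1
  fi
  echo "Setting up firewall:"
  FlushAll
  SetPolicyDenyAll
  EnableLocalTraffic
  EnablePingIn
  EnablePingOut
  EnableICMP
  EnableServices
  EnableOutgoing
  #EnablePassiveFTP
  echo "Firewall set up."
  ;;
stop)
  echo "Stopping firewall..."
  FlushAll
  SetPolicyAllowAll
  echo "Firewall disabled."
  ;;
status)
  $IPTABLES -L
  ;;
*)
  echo "Usage: $0 {start|stop|restart|status}"
  exit 1
  ;;
esac
exit 0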