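#!/bin/bash
# Mein Firewall Script (by saschabu)
#
# Host firewall for a single-homed web/mail server (Plesk): sets DROP as
# the default policy on INPUT, OUTPUT and FORWARD and then opens only the
# services listed below, with stateful matching per service.
#
# Must run as root. Every iptables call is checked; a failing rule is
# reported on stderr and the script exits non-zero at the end, but it does
# NOT abort on the first error - once the DROP policies are in place an
# abort before the SSH rule would lock a remote admin out.
#
# Fixes relative to the original: every rule line invoked the literal word
# "IPTABLES" instead of "$IPTABLES" (so nothing was ever applied), the SSH
# rules had an empty "-s"/"-d" argument, several rules used "--m state"
# instead of "-m state", and an unrestricted outbound high-port-to-high-port
# rule was used in place of FTP connection tracking.
#
# Limitations a reader should know about:
#  - Only IPv4 is filtered. ip6tables is not touched, so IPv6 traffic is
#    governed by whatever policy ip6tables currently has.
#  - FTP and POP3 carry credentials in cleartext; SSH (port 22) is already
#    open, so SFTP/SCP is the safer upload path.
#  - "-m state" is the legacy match (kept for old kernels); on current
#    systems "-m conntrack --ctstate" is the equivalent.
set -u

echo "Bitte warten..... Die Firewall wird gestartet... "

# --- configuration ----------------------------------------------------------
IPTABLES=${IPTABLES:-/sbin/iptables}
# Public address of this server. (The original called it "LAN", but the
# value is a public IP and both interface variables are eth0, i.e. there is
# a single interface facing the Internet.)
MY_LAN_IP=80.86.91.27
LAN_INTERFACE=eth0
WWW_INTERFACE=eth0   # unused in the rules below; kept from the original
# Source addresses allowed to open SSH sessions. The original rule had an
# empty "-s", which made iptables reject the rule. 0.0.0.0/0 reproduces
# "from anywhere"; narrow it to your admin network (e.g. 192.168.1.0/24)
# before relying on this firewall.
SSH_ALLOWED_FROM=${SSH_ALLOWED_FROM:-0.0.0.0/0}
# Unprivileged source-port range used by clients.
EPHEMERAL=1024:65535

# --- helpers ----------------------------------------------------------------
errors=0

#######################################
# Run one iptables command, report a failure on stderr and keep going.
# Globals:   IPTABLES (read), errors (incremented on failure)
# Arguments: the iptables arguments
#######################################
rule() {
  if ! "$IPTABLES" "$@"; then
    printf 'firewall: rule failed: %s %s\n' "$IPTABLES" "$*" >&2
    errors=$((errors + 1))
  fi
}

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "must be run as root"
[[ -x "$IPTABLES" ]] || die "$IPTABLES not found or not executable"

# --- reset ------------------------------------------------------------------
# Delete all rules and user-defined chains in the tables we use.
rule -t nat -F
rule -t nat -X
rule -t filter -F
rule -t filter -X

# Deny everything that is not explicitly allowed. Set first so there is no
# window with an empty ACCEPT ruleset; an existing SSH session only sees a
# few dropped packets (TCP retransmits) until its rule below is added.
rule -P INPUT DROP
rule -P OUTPUT DROP
rule -P FORWARD DROP

# --- loopback ---------------------------------------------------------------
rule -A INPUT  -i lo -j ACCEPT
rule -A OUTPUT -o lo -j ACCEPT

# --- ICMP -------------------------------------------------------------------
# ICMP errors that belong to a tracked connection (e.g. "fragmentation
# needed" for path-MTU discovery). Without these, connections over links
# with a smaller MTU can stall. Echo requests are still dropped.
rule -A INPUT  -i "$LAN_INTERFACE" -p icmp -m state --state RELATED -j ACCEPT
rule -A OUTPUT -o "$LAN_INTERFACE" -p icmp -m state --state RELATED -j ACCEPT

# --- SSH (22), inbound, from SSH_ALLOWED_FROM only ---------------------------
rule -A INPUT  -i "$LAN_INTERFACE" -p tcp -s "$SSH_ALLOWED_FROM" -d "$MY_LAN_IP" --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
rule -A OUTPUT -o "$LAN_INTERFACE" -p tcp -s "$MY_LAN_IP" -d "$SSH_ALLOWED_FROM" --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- HTTP (80), this host as web server --------------------------------------
rule -A INPUT  -i "$LAN_INTERFACE" -p tcp --sport "$EPHEMERAL" --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
rule -A OUTPUT -o "$LAN_INTERFACE" -p tcp --sport 80 --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- HTTP (80), this host as client (software updates, e.g. YaST) ------------
rule -A OUTPUT -o "$LAN_INTERFACE" -p tcp --sport "$EPHEMERAL" --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
rule -A INPUT  -i "$LAN_INTERFACE" -p tcp --sport 80 --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- FTP (21), this host as client (software updates) ------------------------
rule -A OUTPUT -o "$LAN_INTERFACE" -p tcp --sport "$EPHEMERAL" --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
rule -A INPUT  -i "$LAN_INTERFACE" -p tcp --sport 21 --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP data channels. The original allowed ANY outbound NEW connection between
# unprivileged ports here - which also covers e.g. a reverse shell from a
# compromised web application - and still dropped the replies on INPUT, so
# passive transfers could not work. With the FTP conntrack helper loaded the
# data connection is classified RELATED and only that is accepted.
# NOTE(review): on kernels >= 4.7 automatic helper assignment is off by
# default; a "-t raw ... -j CT --helper ftp" rule (or the nf_conntrack_helper
# sysctl) may be needed in addition - verify on the target kernel.
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null \
  || printf 'firewall: FTP conntrack helper not loaded; FTP data channels will be blocked\n' >&2
rule -A OUTPUT -o "$LAN_INTERFACE" -p tcp --sport "$EPHEMERAL" --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
rule -A INPUT  -i "$LAN_INTERFACE" -p tcp --sport "$EPHEMERAL" --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- FTP (21), this host as server (web site uploads; credentials cleartext) -
rule -A INPUT  -i "$LAN_INTERFACE" -p tcp --sport "$EPHEMERAL" --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
rule -A OUTPUT -o "$LAN_INTERFACE" -p tcp --sport 21 --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- SMTP (25), inbound mail submission/reception ----------------------------
# NOTE(review): this only lets others connect to the local MTA. If this host
# must deliver mail to remote MTAs, an OUTPUT rule with "--dport 25 ... NEW"
# and the matching INPUT reply rule are needed as well.
rule -A INPUT  -i "$LAN_INTERFACE" -p tcp --sport "$EPHEMERAL" --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
rule -A OUTPUT -o "$LAN_INTERFACE" -p tcp --sport 25 --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- POP3 (110), inbound mail retrieval (credentials cleartext) --------------
rule -A INPUT  -i "$LAN_INTERFACE" -p tcp --sport "$EPHEMERAL" --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
rule -A OUTPUT -o "$LAN_INTERFACE" -p tcp --sport 110 --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- Plesk (8443), admin panel, reachable from anywhere ---------------------
rule -A INPUT  -i "$LAN_INTERFACE" -p tcp --sport "$EPHEMERAL" --dport 8443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
rule -A OUTPUT -o "$LAN_INTERFACE" -p tcp --sport 8443 --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- DNS (53), TCP and UDP ----------------------------------------------------
for proto in tcp udp; do
  # This host as name server (as in the original).
  rule -A INPUT  -i "$LAN_INTERFACE" -p "$proto" --sport "$EPHEMERAL" --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  rule -A OUTPUT -o "$LAN_INTERFACE" -p "$proto" --sport 53 --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # This host as resolver client - required so the update and FTP hosts
  # above can be looked up; the original had no outbound DNS rule at all.
  rule -A OUTPUT -o "$LAN_INTERFACE" -p "$proto" --sport "$EPHEMERAL" --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT  -i "$LAN_INTERFACE" -p "$proto" --sport 53 --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# --- done -------------------------------------------------------------------
if (( errors > 0 )); then
  printf 'firewall: %d rule(s) could not be applied; review the messages above\n' "$errors" >&2
  exit 1
fi
echo "[fertig]"
exit 0
#end of file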