There is nothing else to write about but the source code, which you put into /etc/init.d/firewall as a 755 script, together with a ". /etc/init.d/firewall" line in /etc/rc.local.
I adjusted some things while reading through Eric Amberg's "Linux-Server" book.
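#!/bin/sh
# shellcheck disable=SC2086 -- $LOG / $RLIMIT are option lists and are word-split on purpose
#
# Simple stateful iptables host firewall (IPv4 only: ip6tables is not touched,
# so IPv6 traffic is governed by whatever the kernel/ip6tables policy is).
#
# Install as /etc/init.d/firewall (mode 755). Sourcing this file from
# /etc/rc.local (". /etc/init.d/firewall") makes the final "exit" terminate
# rc.local itself; run it as a command ("/etc/init.d/firewall") if anything
# else has to follow it in rc.local.
#
# Policy: default DROP on INPUT/OUTPUT/FORWARD, loopback and
# ESTABLISHED/RELATED traffic allowed, selected services opened by the rules
# below; everything else is logged and dropped.
echo "Initialisiere Firewall iptables ..."

# Count rule-installation failures instead of letting them pass silently.
# Because the policies are set to DROP first, a failed rule leaves the host
# fail-closed, but it would still be reported as "konfiguriert und aktiv".
failed=0
ipt() {
  iptables "$@" || {
    echo "firewall: 'iptables $*' failed" >&2
    failed=$((failed + 1))
  }
}

# Flush all rules, delete user chains, set DROP policies, zero counters.
# Policies are set before any ACCEPT rule exists so the host is closed, not
# open, while the ruleset is being (re)built.
ipt -F
ipt -X
ipt -P INPUT DROP
ipt -P OUTPUT DROP
ipt -P FORWARD DROP
ipt -Z

# Connection-tracking helper for FTP data connections (needed for the port 21
# rules below to be useful). nf_conntrack_ftp is the current module name,
# ip_conntrack_ftp the legacy one.
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null \
  || echo "firewall: FTP conntrack helper module could not be loaded" >&2
# NOTE(review): on recent kernels conntrack helpers are no longer assigned
# automatically (net.netfilter.nf_conntrack_helper defaults to 0); FTP data
# connections then need an explicit CT helper rule or that sysctl enabled.
# Confirm on the target kernel.

#------------------------------------------------------------------------------
#
# http://wiki.debianforum.de/Einfaches_Firewall-Script
#
# Logging options (one LOG target invocation, split over two lines).
LOG="LOG --log-level 4 --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"
# Default rate limit, applied to every logging rule so a flood cannot fill
# the syslog (3 entries/second, burst of 30).
RLIMIT="-m limit --limit 3/s --limit-burst 30"

# Custom user-defined chains.
# ACCEPTLOG: LOG (rate-limited), then ACCEPT.
ipt -N ACCEPTLOG
ipt -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "FW-ACCEPT: "
ipt -A ACCEPTLOG -j ACCEPT
# DROPLOG: LOG (rate-limited), then DROP.
ipt -N DROPLOG
ipt -A DROPLOG -j $LOG $RLIMIT --log-prefix "FW-DROP: "
ipt -A DROPLOG -j DROP
# REJECTLOG: LOG (rate-limited), then REJECT; TCP gets a TCP reset.
# Not referenced by any rule below (rejecting reveals that a host is there);
# kept available for administrators who prefer REJECT semantics.
ipt -N REJECTLOG
ipt -A REJECTLOG -j $LOG $RLIMIT --log-prefix "FW-REJECT: "
ipt -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
ipt -A REJECTLOG -j REJECT

# RELATED_ICMP: only the ICMP error types needed for working TCP/UDP
# (destination-unreachable, time-exceeded, parameter-problem); the rest is
# logged and dropped. "destination-unreachable" matches every code of type 3,
# so fragmentation-needed (needed for path-MTU discovery) is included.
ipt -N RELATED_ICMP
ipt -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
ipt -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
ipt -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
ipt -A RELATED_ICMP -j DROPLOG

#------------------------------------------------------------------------------
# ICMP: allow only the minimally required parts, block the rest.
# No blanket "-p icmp -j ACCEPT" is installed ahead of these rules: it would
# make the type-specific filtering below unreachable.
# Replies to our own pings and other ESTABLISHED ICMP.
ipt -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
ipt -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
# RELATED ICMP errors, filtered by type in RELATED_ICMP.
ipt -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
ipt -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
# Incoming ping: stricter limit than RLIMIT so a ping flood cannot use the
# 30-packet burst; excess echo-requests fall through to the DROPLOG below.
ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT
# Outgoing ping, rate-limited.
ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
# Log and drop any other ICMP traffic.
ipt -A INPUT -p icmp -j DROPLOG
ipt -A OUTPUT -p icmp -j DROPLOG
ipt -A FORWARD -p icmp -j DROPLOG

#------------------------------------------------------------------------------
# Loopback.
ipt -A INPUT -i lo -j ACCEPT
ipt -A OUTPUT -o lo -j ACCEPT

# Stateful inspection: anything belonging to a known connection is accepted,
# packets conntrack cannot classify are dropped (logged on INPUT).
ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A INPUT -m state --state INVALID -j DROPLOG
ipt -A OUTPUT -m state --state INVALID -j DROP
ipt -A FORWARD -m state --state INVALID -j DROP
ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH: incoming, every new connection is logged.
ipt -A INPUT -p tcp --dport 22 -j ACCEPTLOG

# DNS: outgoing queries and incoming queries to a local resolver.
ipt -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
ipt -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
ipt -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
ipt -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# HTTP: incoming (local web server) and outgoing.
ipt -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
ipt -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# HTTPS: incoming and outgoing.
ipt -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
ipt -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

#
# Mail
#
# Allow incoming SMTP.
ipt -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
# Allow outgoing SMTP.
ipt -A OUTPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
# Allow outgoing SMTPS.
ipt -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
# Allow incoming POP3.
ipt -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
# Allow incoming POP3S.
ipt -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
# Allow incoming IMAP4. The OUTPUT rule only matches ESTABLISHED traffic,
# which the ESTABLISHED,RELATED rule above already accepts; it does NOT open
# new outgoing IMAP connections.
ipt -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
ipt -A OUTPUT -m state --state ESTABLISHED -p tcp --dport 143 -j ACCEPT
# Allow incoming IMAPS (same remark as for IMAP4 regarding the OUTPUT rule).
ipt -A INPUT -m state --state NEW -p tcp --dport 993 -j ACCEPT
ipt -A OUTPUT -m state --state ESTABLISHED -p tcp --dport 993 -j ACCEPT

# FTP control channel, outgoing and incoming; data channels are handled via
# the conntrack helper as RELATED traffic.
ipt -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
ipt -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NTP.
ipt -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
# Allow outgoing WHOIS.
ipt -A OUTPUT -m state --state NEW -p tcp --dport 43 -j ACCEPT

#------------------------------------------------------------------------------
# Explicitly log and drop everything else (these rules, not only the DROP
# policy, are what produces the FW-DROP log lines). Use REJECTLOG here instead
# if REJECT semantics are wanted.
ipt -A INPUT -j DROPLOG
ipt -A OUTPUT -j DROPLOG
ipt -A FORWARD -j DROPLOG

#------------------------------------------------------------------------------
# Report the outcome. With the DROP policies in place an incomplete ruleset
# is fail-closed, but it is not the intended one, so say so and exit non-zero.
if [ "$failed" -ne 0 ]; then
  echo "firewall: $failed rule(s) could not be installed; ruleset is incomplete" >&2
  exit 1
fi
echo "Firewall konfiguriert und aktiv."
exit 0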