#!/bin/bash

# Interface roles used by the rules below; adjust to the host's real NIC names.
EXT=eth0    # uplink / untrusted side (egress is masqueraded in POSTROUTING)
LOC=eth1    # wired local segment
DMZ=eth2    # DMZ segment (assigned but not referenced by any rule in this script as shown)
WLAN=ath0   # wireless local segment

# iptables
# Load the connection-tracking core and the protocol helper (ALG) modules.
# These are the legacy ip_conntrack_* names; modprobe resolves the dependency
# on the core module, so the order of the list is not significant.
# NOTE(review): each loaded helper inspects traffic on its well-known port and
# opens RELATED expectations (the statefull chain accepts RELATED). Only load
# the helpers that are actually needed (amanda, h323, pptp, sip, tftp are
# rarely all required), since every helper widens what "RELATED" lets through.
for mod in \
    ip_conntrack_amanda \
    ip_conntrack_ftp \
    ip_conntrack_h323 \
    ip_conntrack_irc \
    ip_conntrack \
    ip_conntrack_netbios_ns \
    ip_conntrack_netlink \
    ip_conntrack_pptp \
    ip_conntrack_proto_sctp \
    ip_conntrack_sip \
    ip_conntrack_tftp; do
  modprobe "$mod"
done

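# Reset to a deny-all baseline before rebuilding the rule set.
# Fix: the DROP policies are now set *before* the flush. Flushing first left
# the host fail-open for the window between the flush and the policy change
# whenever the previous policy was ACCEPT (e.g. a fresh boot). Existing
# sessions are picked up again as soon as the ESTABLISHED rule is re-added
# further down; TCP retransmits bridge the short gap.
# NOTE(review): this script only programs IPv4 (iptables). If IPv6 is enabled
# on the host, ip6tables keeps whatever policy it currently has.
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Delete all rules, then all user-defined chains, in every table we touch.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X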


# Stateful baseline, shared by INPUT, FORWARD and OUTPUT through blockin:
# packets that belong to, or are RELATED to, an already tracked flow are
# accepted. Packets conntrack flags INVALID match none of the NEW-only
# service rules below and therefore fall through to the DROP policies.
iptables -N statefull
iptables -A statefull -m state --state ESTABLISHED,RELATED -j ACCEPT

# New SSH connections.
# NOTE(review): neither this chain nor the blockin jump carries an interface
# or source restriction, so SSH is accepted from the $EXT side as well. Add
# `-i $LOC` / `-i $WLAN` or a `-m limit` / `-m recent` brake if that is not
# intended.
iptables -N ssh
iptables -A ssh -p tcp --dport ssh -m state --state NEW -j ACCEPT

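# Public services accepted as NEW connections. This chain is reached from
# blockin without an interface match, so every port here is open on all
# interfaces, including $EXT, for traffic to this host and (where routable)
# for traffic forwarded through it.
iptables -N web
iptables -A web -m state --state NEW -p tcp --dport www -j ACCEPT
iptables -A web -m state --state NEW -p tcp --dport https -j ACCEPT
# FTP control channel; data connections arrive as RELATED via ip_conntrack_ftp.
# Plaintext protocol, exposed on $EXT like everything else in this chain.
iptables -A web -m state --state NEW -p tcp --dport ftp -j ACCEPT
# squid (disabled)
#iptables -A web -m state --state NEW -p tcp --dport 3128 -j ACCEPT
# ntp
# Fix: NTP runs over UDP/123. The original rule matched TCP/123, which no NTP
# client or server uses, so time sync was silently blocked by the DROP policy
# (outbound too, because OUTPUT also runs blockin).
iptables -A web -m state --state NEW -p udp --dport ntp -j ACCEPT
# apt-proxy
iptables -A web -m state --state NEW -p tcp --dport 9999 -j ACCEPT
# 4444: mercurial (per the original note)
iptables -A web -m state --state NEW -p tcp --dport 4444 -j ACCEPT
iptables -A web -m state --state NEW -p tcp --dport nntp -j ACCEPT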


# Services additionally accepted from the wired and wireless local segments.
# web1 is only reached via blockloc / blockwlan, which blockin selects by
# ingress interface (-i $LOC / -i $WLAN), so nothing here is exposed on $EXT.
iptables -N web1
# proto:port pairs, in the original order:
#   svn, ircd, aol (ICQ), 5222 (jabber), 8767/udp (teamspeak),
#   19818 (skype inbound), 2628 (dict)
for svc in tcp:svn tcp:ircd tcp:aol tcp:5222 udp:8767 tcp:19818 tcp:2628; do
  iptables -A web1 -m state --state NEW -p "${svc%%:*}" --dport "${svc#*:}" -j ACCEPT
done
# telnet (disabled; plaintext, keep it off)
#iptables -A web1 -m state --state NEW -p tcp --dport 23 -j ACCEPT


# Steam game traffic (wide UDP range). Only reachable through blockloc /
# blockwlan, i.e. from the local segments.
iptables -N steam
iptables -A steam -p udp --dport 20000:29999 -m state --state NEW -j ACCEPT
iptables -A steam -p tcp --dport 27000:27050 -m state --state NEW -j ACCEPT

# DNS over UDP and TCP (TCP is needed for large answers and zone transfers).
iptables -N dns
for proto in udp tcp; do
  iptables -A dns -p "$proto" --dport domain -m state --state NEW -j ACCEPT
done

# DHCP server side (bootps/67): lease requests from the local segments.
iptables -N dhcp
iptables -A dhcp -p udp --dport bootps -m state --state NEW -j ACCEPT

# ICMP: every type is accepted as NEW, on every interface, without a rate limit.
# NOTE(review): consider narrowing this to echo-request with `--icmp-type` plus
# `-m limit`; ICMP errors for tracked flows should already arrive as RELATED.
iptables -N xicmp
iptables -A xicmp -p icmp -m state --state NEW -j ACCEPT

# Mail: SMTP plus plaintext IMAP and POP3 (no imaps/pop3s rule is defined).
iptables -N mail
for port in smtp imap pop3; do
  iptables -A mail -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done

# Per-segment policy for the wired LAN (blockloc) and the WLAN (blockwlan).
# Both currently get the same set (DHCP, web1, steam); they are kept as two
# chains so that the segments can diverge later.
for chain in blockloc blockwlan; do
  iptables -N "$chain"
  iptables -A "$chain" -j dhcp
  iptables -A "$chain" -j web1
  iptables -A "$chain" -j steam
done


# Common entry chain, hooked into INPUT, FORWARD and OUTPUT alike.
# Consequence: every jump below that carries no -i/-o match (ssh, xicmp, web,
# mail, dns) is accepted on all interfaces, including $EXT, both for traffic
# to this host and for traffic forwarded through it where routable.
# Order matters: tracked flows first, then the per-service NEW rules.
iptables -N blockin
for target in statefull ssh xicmp web mail; do
  iptables -A blockin -j "$target"
done
# Author's note: "muss raus" (must go). Removing the jump outright would also
# cut this host's own outbound DNS, since OUTPUT runs blockin as well; an
# interface-restricted rule is the likelier replacement.
iptables -A blockin -j dns
# Segment-specific chains, selected by ingress interface (cannot match when
# called from OUTPUT, where there is no ingress interface).
iptables -A blockin -i "$WLAN" -j blockwlan
iptables -A blockin -i "$LOC"  -j blockloc


# Loopback is trusted unconditionally. (The FORWARD entry is presumably inert,
# as loopback traffic is not forwarded, but it is harmless.)
iptables -A INPUT   -i lo -j ACCEPT
iptables -A OUTPUT  -o lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT

# Hook the shared chain into all three built-in chains. Because the same chain
# serves INPUT, FORWARD and OUTPUT, this host's own outbound connections are
# limited to exactly the service list that is accepted inbound.
for hook in INPUT FORWARD OUTPUT; do
  iptables -A "$hook" -j blockin
done
# Route outwards: masquerade everything leaving via the uplink.
# NOTE(review): there is no -s restriction, so any source this box forwards
# (including the DMZ) is NATed. IP forwarding itself (net.ipv4.ip_forward) is
# not enabled anywhere in this script as shown.
iptables -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE

# squid: transparent HTTP redirect to the proxy (disabled). Note the legacy
# `-i ! $EXT` negation on the next line; current iptables expects `! -i $EXT`.
#iptables -t nat -A PREROUTING -i ! $EXT -p tcp --dport www -j REDIRECT --to-port 3128

