saiki
Bratwurstgriller
Ich habe ein kleines Problem. Und zwar würde ich gerne SC hinter meinem Router hosten. Soweit so gut, hab ich mir gedacht, machste in dem Script (s.u.) einfach ein Copy&Paster von der edonky zeile und änderst die ports und ips entsprechend. Leider funktioniert es nicht.
TCP scheint zu funktioneren (das Log sagt zumindest nichts , UDP leider nicht.
Wie kriege ich das Script (iptables) dazu, das es Port 6112 als TCP und UDP auf die x.x.x.10 leitet?
So schauts im Log aus (und zwar ganz oft ):
Apr 6 22:52:46 knecht kernel: REJECT UDP IN=ippp0 OUT= MAC= SRC=213.51.37.195 DST=217.3.35.228 LEN=36 TOS=0x00 PREC=0x00 TTL=120 ID=33228 PROTO=UDP SPT=6112 DPT=1024 LEN=16
TCP scheint zu funktioneren (das Log sagt zumindest nichts , UDP leider nicht.
Wie kriege ich das Script (iptables) dazu, das es Port 6112 als TCP und UDP auf die x.x.x.10 leitet?
Code:
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2004 under the GPL
# Autogenerated by iptables Generator v1.16 (c) 2002 by Harald Bertram*
# Please visit [url]http://www.harry.homelinux.org[/url] for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# [email]saiki@gmx.info[/email] on: 2004-1-30 16:39.51 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to [email]webmaster@harry.homelinux.org[/email].
#
# My special thanks are going to Lutz Heinrich (trinitywork@hotmail.com) who
# made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
case "$1" in
start)
echo "Starte IP-Paketfilter"
# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Default-Policies setzen
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# MY_REJECT-Chain
iptables -N MY_REJECT
# MY_REJECT fuellen
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
# MY_DROP-Chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP
# Alle verworfenen Pakete protokollieren
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
# Korrupte Pakete zurueckweisen
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
# SYN und FIN gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# SYN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# FIN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# FIN ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# PSH ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# URG ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Maximum Segment Size (MSS) für das Forwarding an PMTU anpassen
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ippp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
# IP-Adresse des LAN-Interfaces ermitteln
LAN_IP=$(ifconfig eth0 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)
# NAT fuer EDONKEY
iptables -t nat -A PREROUTING -i ippp0 -p tcp --dport 4661 -j DNAT --to-destination 192.168.6.2
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 4661 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ippp0 -m state --state NEW -p tcp -d 192.168.6.2 --dport 4661 -j ACCEPT
iptables -t nat -A PREROUTING -i ippp0 -p tcp --dport 4662 -j DNAT --to-destination 192.168.6.2
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 4662 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ippp0 -m state --state NEW -p tcp -d 192.168.6.2 --dport 4662 -j ACCEPT
iptables -t nat -A PREROUTING -i ippp0 -p tcp --dport 4663 -j DNAT --to-destination 192.168.6.2
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 4663 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ippp0 -m state --state NEW -p tcp -d 192.168.6.2 --dport 4663 -j ACCEPT
iptables -t nat -A PREROUTING -i ippp0 -p udp --dport 4665 -j DNAT --to-destination 192.168.6.2
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 4665 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ippp0 -m state --state NEW -p udp -d 192.168.6.2 --dport 4665 -j ACCEPT
#StarCraft TCP/UDP Ports
iptables -t nat -A PREROUTING -i ippp0 -p tcp --dport 6112 -j DNAT --to-destination 192.168.6.10
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 6112 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ippp0 -m state --state NEW -p tcp -d 192.168.6.10 --dport 6112 -j ACCEPT
iptables -t nat -A PREROUTING -i ippp0 -p udp --dport 6112 -j DNAT --to-destination 192.168.6.10
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 6112 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ippp0 -m state --state NEW -p udp -d 192.168.6.10 --dport 6112 -j ACCEPT
# NAT fuer RA3 1.7 tcp
# iptables -t nat -A PREROUTING -i ippp0 -p tcp --dport 27960 -j DNAT --to-destination 192.168.6.2
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 27960 -j SNAT --to-source $LAN_IP
# iptables -A FORWARD -i ippp0 -m state --state NEW -p tcp -d 192.168.6.2 --dport 27960 -j ACCEPT
# NAT fuer RA3 1.7 udp
# iptables -t nat -A PREROUTING -i ippp0 -p udp --dport 27960 -j DNAT --to-destination 192.168.6.2
# iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 27960 -j SNAT --to-source $LAN_IP
# iptables -A FORWARD -i ippp0 -m state --state NEW -p udp -d 192.168.6.2 --dport 27960 -j ACCEPT
# LAN-Zugriff auf eth0
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
# Default-Policies mit REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
iptables -A FORWARD -j MY_REJECT
# Routing
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
# Masquerading
iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
# SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
# Stop Source-Routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
# Stop Redirecting
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done
# Reverse-Path-Filter
for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
# BOOTP-Relaying ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
# Proxy-ARP ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
# Ungültige ICMP-Antworten ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
# ICMP Echo-Broadcasts ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# Speicherallozierung und -timing für IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time
# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2
;;
stop)
echo "Stoppe IP-Paketfilter"
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Default-Policies setzen
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
echo "Tabelle filter"
iptables -L -vn
echo "Tabelle nat"
iptables -t nat -L -vn
echo "Tabelle mangle"
iptables -t mangle -L -vn
;;
*)
echo "Fehlerhafter Aufruf"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;
esac
So schauts im Log aus (und zwar ganz oft ):
Apr 6 22:52:46 knecht kernel: REJECT UDP IN=ippp0 OUT= MAC= SRC=213.51.37.195 DST=217.3.35.228 LEN=36 TOS=0x00 PREC=0x00 TTL=120 ID=33228 PROTO=UDP SPT=6112 DPT=1024 LEN=16