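#!/bin/sh
#
# Host firewall for a machine on the 192.168.0.0/24 LAN: default-deny on
# INPUT and FORWARD, allow-all on OUTPUT, with two logging chains for the
# explicitly accepted (MYACCEPT) and dropped (MYDDROP) traffic.
#
# Usage: run as root at boot or whenever the ruleset must be reloaded.
# Environment: nothing required.
#
# Every iptables call below must succeed; with set -e a failing rule aborts
# the script instead of silently leaving a half-built ruleset behind.
set -eu

echo "Initialisiere Firewall ..."

# Connection tracking is required by the -m state rules further down.
# Newer kernels name the module nf_conntrack; ip_conntrack is the legacy
# name the original script loaded and is kept as a fallback.
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack

# Networks and ports shared by the rules below.
lan_net=192.168.0.0/24
# NOTE(review): the original section header says "SSH Server" but the port
# is 44, not the default 22 -- confirm sshd actually listens on 44.
ssh_port=44
readonly lan_net ssh_port

#
# Default policies first, so the table is never left empty under an ACCEPT
# policy while the previous rules are being flushed.
#
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -Z
iptables -N MYDDROP
iptables -N MYACCEPT
#
# Loopback traffic
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
# Stateful inspection
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j MYDDROP
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
#
# Custom chains and logging.
# NOTE(review): neither LOG rule is rate-limited (-m limit); a burst of
# dropped packets can flood the log -- consider adding a limit.
#
iptables -A MYDDROP -j LOG --log-level 3 --log-prefix "FW-DROP: "
iptables -A MYDDROP -j DROP
iptables -A MYACCEPT -j LOG --log-prefix "FW-ACCEPT: "
iptables -A MYACCEPT -j ACCEPT
#
# SSH server (LAN only)
#
iptables -A INPUT -p tcp --dport "$ssh_port" -s "$lan_net" -j MYACCEPT
#
# ICMP (LAN only).
# The OUTPUT policy is ACCEPT, so the OUTPUT rules in this script only add
# logging; they do not restrict anything.
# The original had 192.169.0.0/24 as the OUTPUT destination here while every
# other rule uses 192.168.0.0/24; that is treated as a typo and unified.
#
iptables -A INPUT -p icmp -s "$lan_net" -j MYACCEPT
iptables -A OUTPUT -p icmp -d "$lan_net" -j MYACCEPT
#
# SAMBA (LAN only)
#
iptables -A INPUT -p udp -m multiport --destination-port 137,138 -s "$lan_net" -j MYACCEPT
iptables -A INPUT -p tcp -m multiport --destination-port 139,445 -s "$lan_net" -j MYACCEPT
iptables -A OUTPUT -p udp -m multiport --destination-port 137,138 -d "$lan_net" -j MYACCEPT
iptables -A OUTPUT -p tcp -m multiport --destination-port 139,445 -d "$lan_net" -j MYACCEPT
#
# DHCP client.
# NOTE(review): a DHCP client sends to server port 67 from port 68 and
# receives replies on INPUT port 68; an OUTPUT rule on --dport 68 may not
# match the intended traffic -- confirm what this rule is meant to log.
#
iptables -A OUTPUT -p udp --dport 68 -j MYACCEPT
#
# NTOP (LAN only).
# Unlike the rules above, this one jumps to ACCEPT directly, so it is not
# logged via MYACCEPT.
#
iptables -A INPUT -p tcp --dport 3000 -s "$lan_net" -j ACCEPT
#
# CUPS (LAN only), also unlogged.
# The original UDP rule used 192.169.0.0/24 while the TCP rule used
# 192.168.0.0/24; treated as a typo and unified on the LAN network.
#
iptables -A INPUT -p udp --dport 631 -s "$lan_net" -j ACCEPT
iptables -A INPUT -p tcp --dport 631 -s "$lan_net" -j ACCEPT
#
# FORWARD keeps its DROP policy with no rules: this host does not route.
#
echo "Firewall ist konfiguriert und aktiv"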