Project InfoSponsor & PartnerInstalling ispCPFAQDocumentationDevelopment
Current time: 04-30-2024, 03:04 AM Hello There, Guest! (LoginRegister)

ispCP - Board - Support / ispCP Omega International Area / German Corner / Plauderecke v / Firewall auf ispCP Servern

Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Firewall auf ispCP Servern
Author Message
fulltilt Offline
Member
***

Posts: 1,225
Joined: Apr 2007
Reputation: 5
Post: #14
RE: Firewall auf ispCP Servern
habe ein init script für iptables im Einsatz:
/etc/init.d/firewall

Code:
#!/bin/sh

#####################################################
# IPTables Firewall-Skript                          #
#                                                   #
# erzeugt mit dem IPTables-Skript-Generator auf     #
#      tobias-bauer.de - Version 0.3                #
# URL: http://linux.tobias-bauer.de/iptables.html   #
#                                                   #
# Autor: Tobias Bauer                               #
# E-Mail: exarkun@ist-root.org                      #
#                                                   #
# Das erzeugte Skript steht unter der GNU GPL!      #
#                                                   #
# ACHTUNG! Die Benutzung des Skriptes erfolgt auf   #
# eigene Gefahr! Ich übernehme keinerlei Haftung    #
# für Schäden die durch dieses Skript entstehen!    #
#                                                   #
#####################################################

# iptables suchen
iptables=`which iptables`

# wenn iptables nicht installiert abbrechen
test -f $iptables || exit 0

case "$1" in
   start)
      echo "Starte Firewall..."
      # alle Regeln löschen
      $iptables -t nat -F
      $iptables -t filter -F
      $iptables -X

      # neue Regeln erzeugen
      $iptables -N garbage
      $iptables -I garbage -p TCP -j LOG --log-prefix="DROP TCP-Packet: " --log-level err
      $iptables -I garbage -p UDP -j LOG --log-prefix="DROP UDP-Packet: " --log-level err
      $iptables -I garbage -p ICMP -j LOG --log-prefix="DROP ICMP-Packet: " --log-level err

      # Default Policy
      $iptables -P INPUT DROP
      $iptables -P OUTPUT DROP
      $iptables -P FORWARD DROP

      # über Loopback alles erlauben
      $iptables -I INPUT -i lo -j ACCEPT
      $iptables -I OUTPUT -o lo -j ACCEPT

      #####################################################
      # ausgehende Verbindungen
      # Port 21
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 21 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 49152:65535 --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 20 --dport 49152:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 22
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 2020
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 2020 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 2220 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 25
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 25 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 53
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 53 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p UDP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p UDP --sport 53 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 80
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 80 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 110
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 110 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 123
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 123 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p UDP --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p UDP --sport 123 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 143
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 143 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 443
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 465
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 465 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 993
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 993 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 995
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 995 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 3306
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 3306 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 3306 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # ICMP
      $iptables -I OUTPUT -o eth0 -p ICMP --icmp-type echo-reply -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p ICMP --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 24441
      $iptables -I OUTPUT -o eth0 -p UDP --sport 1024:65535 --dport 24441 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p UDP --sport 24441 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 6277
      $iptables -I OUTPUT -o eth0 -p UDP --sport 1024:65535 --dport 6277 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p UDP --sport 6277 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 2703
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 2703 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 2703 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 783
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 783 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 783 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 12525
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 12525 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 12525 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 43
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 43 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 10050
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 10050 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 10050 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 10051
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 10051 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 10051 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 6000
      $iptables -I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 6000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 6000 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      #####################################################
      # eingehende Verbindungen
      # Port 21
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 21 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 49152:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 20 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      # Port 22
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 2020
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 2020 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 2020 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 25
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 25 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 53
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 53 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p UDP --sport 53 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p UDP --sport 53 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p UDP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p UDP --sport 53 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      # Port 80
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 80 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 110
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 110 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 123
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 123 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      $iptables -I INPUT -i eth0 -p UDP --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p UDP --sport 123 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 143
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 143 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 443
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 465
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 465 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 993
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 993 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 995
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 995 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 3306
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 3306 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 3306 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # ICMP
      $iptables -I INPUT -i eth0 -p ICMP --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p ICMP --icmp-type echo-request -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 24441
      $iptables -I INPUT -i eth0 -p UDP --sport 1024:65535 --dport 24441 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p UDP --sport 24441 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 6277
      $iptables -I INPUT -i eth0 -p UDP --sport 1024:65535 --dport 6277 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p UDP --sport 6277 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 2703
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 2703 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 2703 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 783
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 783 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 783 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 12525
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 12525 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 12525 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 43
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 43 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 10051
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 10051 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 10051 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Port 6000
      $iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 6000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      $iptables -I OUTPUT -o eth0 -p TCP --sport 6000 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      #####################################################
      # Erweiterte Sicherheitsfunktionen
      # SynFlood
      $iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
      # PortScan
      $iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
      # Ping-of-Death
      $iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

      #####################################################
      # bestehende Verbindungen akzeptieren
      $iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

      #####################################################
      # Garbage übergeben wenn nicht erlaubt
      $iptables -A INPUT -m state --state NEW,INVALID -j garbage

      #####################################################
      # alles verbieten was bisher erlaubt war
      $iptables -A INPUT -j garbage
      $iptables -A OUTPUT -j garbage
      $iptables -A FORWARD -j garbage
      ;;
   stop)
      echo "Stoppe Firewall..."
      $iptables -t nat -F
      $iptables -t filter -F
      $iptables -X
      $iptables -P INPUT ACCEPT
      $iptables -P OUTPUT ACCEPT
      $iptables -P FORWARD ACCEPT
      ;;
   restart|reload|force-reload)
   $0 stop
   $0 start
      ;;
   *)
      echo "Usage: /etc/init.d/firewall (start|stop)"
      exit 1
      ;;
esac
exit 0
06-29-2009 12:55 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Messages In This Thread
Firewall auf ispCP Servern - BeNe - 06-17-2009, 10:04 PM
RE: Firewall auf ispCP Servern - rbtux - 06-17-2009, 10:16 PM
RE: Firewall auf ispCP Servern - MasterTH - 06-18-2009, 01:19 AM
RE: Firewall auf ispCP Servern - BeNe - 06-18-2009, 04:15 AM
RE: Firewall auf ispCP Servern - MasterTH - 06-18-2009, 04:38 AM
RE: Firewall auf ispCP Servern - BeNe - 06-18-2009, 04:41 AM
RE: Firewall auf ispCP Servern - MasterTH - 06-18-2009, 04:43 AM
RE: Firewall auf ispCP Servern - BeNe - 06-18-2009, 04:55 AM
RE: Firewall auf ispCP Servern - MasterTH - 06-18-2009, 05:05 AM
RE: Firewall auf ispCP Servern - BeNe - 06-18-2009, 05:14 AM
RE: Firewall auf ispCP Servern - Michi91 - 06-18-2009, 05:59 AM
RE: Firewall auf ispCP Servern - rbtux - 06-18-2009, 06:01 AM
RE: Firewall auf ispCP Servern - fulltilt - 06-29-2009 12:55 AM
RE: Firewall auf ispCP Servern - nuke3d - 06-18-2009, 06:24 PM

Forum Jump:


User(s) browsing this thread: 1 Guest(s)

Contact Us | isp Control Panel ( ispCP ) | Return to Top | Return to Content | Lite (Archive) Mode | RSS Syndication