bpi-r2:network:iptables
Differences
This shows the differences between two versions of the page.
bpi-r2:network:iptables [2018/03/23 19:14] – [IPTables] frank | bpi-r2:network:iptables [2023/06/08 17:06] (current) – external edit 127.0.0.1 | ||
Line 1: | Line 1: | ||
+ | ====== IPTables ====== | ||
+ | |||
+ | FIXME | ||
+ | |||
+ | |||
+ | {{ : | ||
+ | ===== IPv4 ===== | ||
+ | |||
+ | < | ||
+ | #alle vorherigen Regeln löschen | ||
+ | ${ipt} -F | ||
+ | ${ipt} -X | ||
+ | ${ipt} -t nat -F | ||
+ | ${ipt} -t nat -X | ||
+ | ${ipt} -t mangle -F | ||
+ | ${ipt} -t mangle -X | ||
+ | |||
+ | # standard-Regel für IPv4: alles droppen | ||
+ | ${ipt} -P INPUT DROP | ||
+ | ${ipt} -P OUTPUT | ||
+ | ${ipt} -P FORWARD DROP | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # policy für TCP-Reset/ | ||
+ | ${ipt} -N ABGELEHNT | ||
+ | if [[ ! " | ||
+ | then | ||
+ | echo " | ||
+ | ${ipt} -A ABGELEHNT -m limit --limit 10/min -j LOG --log-prefix " | ||
+ | fi | ||
+ | ${ipt} -A ABGELEHNT -p tcp -j REJECT --reject-with tcp-reset | ||
+ | ${ipt} -A ABGELEHNT -p udp -j REJECT --reject-with icmp-port-unreachable | ||
+ | ${ipt} -A ABGELEHNT -j DROP | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # localhost | ||
+ | ${ipt} -A INPUT -i lo -j ACCEPT | ||
+ | ${ipt} -A OUTPUT -o lo -j ACCEPT | ||
+ | |||
+ | ${ipt} -A OUTPUT -j ACCEPT | ||
+ | ${ipt} -A INPUT -m state --state RELATED, | ||
+ | ${ipt} -A INPUT -p icmp -m limit --limit 5/s --icmp-type echo-request -j ACCEPT # ICMP eingehen, max 5/s | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | #Block Teredo-Stuff | ||
+ | #${ipt} -I FORWARD -p udp --dport 3544 -j ABGELEHNT | ||
+ | #${ipt} -I FORWARD -p udp --sport 3544 -j ABGELEHNT | ||
+ | # | ||
+ | ${ipt} -A FORWARD -p 41 -j ABGELEHNT #IPv6 Encapsulation | ||
+ | ${ipt} -A FORWARD -p 43 -j ABGELEHNT #Routing Header for IPv6 | ||
+ | ${ipt} -A FORWARD -p 44 -j ABGELEHNT #Fragment Header for IPv6 | ||
+ | ${ipt} -A FORWARD -p 58 -j ABGELEHNT #ICMP for IPv6 | ||
+ | ${ipt} -A FORWARD -p 59 -j ABGELEHNT #No Next Header for IPv6 | ||
+ | ${ipt} -A FORWARD -p 60 -j ABGELEHNT # | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | #ssh mit rate-limit | ||
+ | ${ipt} -I INPUT -p tcp --dport 22 -i ${if_ext} -m state --state NEW -m recent --set | ||
+ | ${ipt} -I INPUT -p tcp --dport 22 -i ${if_ext} -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j ABGELEHNT #4 verbindungen in 1 Minute | ||
+ | ${ipt} -A INPUT -p tcp --dport | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | ${ipt} -A FORWARD -i ${if_int} -o ${if_ext} -j ACCEPT #Forwarding Int->Ext | ||
+ | ${ipt} -A FORWARD -i ${if_ext} -o ${if_int} -m state --state ESTABLISHED, | ||
+ | |||
+ | ${ipt} -A INPUT -i ${if_int} -j ACCEPT #erlaubt alle Anfragen von Intern | ||
+ | </ | ||
+ | |||
+ | [[# | ||
+ | |||
+ | < | ||
+ | # REJECT/ | ||
+ | ${ipt} -A INPUT -j ABGELEHNT | ||
+ | ${ipt} -A OUTPUT | ||
+ | ${ipt} -A FORWARD -j ABGELEHNT | ||
+ | </ | ||
+ | |||
+ | zusätzliche Optionen: | ||
+ | < | ||
+ | # | ||
+ | echo 1 > / | ||
+ | |||
+ | if [ -f / | ||
+ | echo " | ||
+ | echo 0 > / | ||
+ | fi | ||
+ | |||
+ | if [ -f / | ||
+ | echo " | ||
+ | echo 1 > / | ||
+ | fi | ||
+ | |||
+ | </ | ||
+ | ==== Port-Forwardings ==== | ||
+ | |||
+ | === einrichten === | ||
+ | |||
+ | port 522 auf Client 192.168.0.5 port 22 weiterleiten | ||
+ | |||
+ | ${ipt} -t nat -A PREROUTING -p tcp --dport 522 -j DNAT --to-destination 192.168.0.5: | ||
+ | |||
+ | === anzeigen === | ||
+ | |||
+ | iptables -L -t nat | ||
+ | | ||
+ | Chain PREROUTING (policy ACCEPT) | ||
+ | target | ||
+ | DNAT | ||
+ | |||
+ | ==== active-FTP ==== | ||
+ | |||
+ | damit Clients FTP im ACTIVE-Modus nutzen können müssen 2 Module geladen und eine 1 iptables-Regel angewandt werden | ||
+ | |||
+ | modprobe ip_conntrack_ftp | ||
+ | modprobe ip_nat_ftp ports=21 | ||
+ | |||
+ | |||
+ | ${ipt} -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED, | ||
+ | ===== IPv6 ===== | ||
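Review bot: the port-forwarding rule under "Port-Forwardings" (`${ipt} -t nat -A PREROUTING -p tcp --dport 522 -j DNAT --to-destination 192.168.0.5:...`, port 22 per the text) has no matching FORWARD rule, so the forwarded connection is never accepted: the only ext->int FORWARD rule is state-based (`${ipt} -A FORWARD -i ${if_ext} -o ${if_int} -m state --state ESTABLISHED,...`), the first packet of a DNAT'd connection is still NEW when it reaches FORWARD, and FORWARD ends in `${ipt} -A FORWARD -j ABGELEHNT`. Add, before that final rule, an explicit accept for the forwarded target only, e.g. `${ipt} -A FORWARD -i ${if_ext} -o ${if_int} -p tcp -d 192.168.0.5 --dport 22 -m state --state NEW -j ACCEPT`, and keep the DNAT and the FORWARD accept together in the script so the hole is no wider than the forwarding itself. Two smaller points in the "active-FTP" block: `ip_conntrack_ftp` and `ip_nat_ftp` are the legacy module names, current kernels provide them as `nf_conntrack_ftp` and `nf_nat_ftp` (`modprobe nf_conntrack_ftp` / `modprobe nf_nat_ftp`), and since the helper marks the data connection RELATED, the `--sport 20` INPUT rule is already covered by the existing `--state RELATED,...` accept and can be dropped rather than trusting the source port, which any client can set. The "FIXME" marker at the top of the page should also be resolved or removed before this revision is considered final.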