Linux-Firewall: Unterschied zwischen den Versionen
(Die Seite wurde neu angelegt: „=Zugangsdaten= *Siehe ESXI Notizen =Interface= *cat /etc/network/interfaces <syntaxhighlight lang="bash"> auto lo iface lo inet loopback auto ens160 iface en…“) |
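--- a/Linux-Firewall
+++ b/Linux-Firewall
@@ -23,3 +23,75 @@
 address 10.66.248.1
 netmask 255.255.255.0
+</syntaxhighlight>
+=Firewall=
+<syntaxhighlight lang="bash">
+#!/bin/bash
+WANIP=10.66.252.40
+WANDEV=ens160
+LANDEV=ens192
+DMZDEV=ens224
+SERVER_DMZ_1=10.66.248.100
+COMPUTER_LAN_1=10.66.254.100
+LAN=10.66.254.0/24
+OTH=10.66.253.0/24
+VPNDEV=tun0
+case $1 in
+start)
+echo "starte firewall"
+echo flushen der Regeln
+iptables -F
+iptables -F -t nat
+echo "setzen der Default Policy"
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state NEW -j ACCEPT
+iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+iptables -A INPUT -p tcp --dport 8472 -m state --state NEW -j ACCEPT
+iptables -A INPUT -p udp -m multiport --dport 500,4500,5000 -m state --state NEW -j ACCEPT
+iptables -A INPUT -p esp -m state --state NEW -j ACCEPT
+iptables -A INPUT -p icmp -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i $VPNDEV -m state --state NEW -j ACCEPT
+iptables -A FORWARD -o $WANDEV -p tcp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -o $WANDEV -p udp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -o $WANDEV -p icmp -m state --state NEW -j ACCEPT
+iptables -A FORWARD -o $WANDEV -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i $WANDEV -o $DMZDEV -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i $WANDEV -o $LANDEV -p tcp -m multiport --dport 80,443 -d $COMPUTER_LAN_1 -m state --state NEW -j ACCEPT
+# iptables -A FORWARD -j ACCEPT
+iptables -A FORWARD -i $LANDEV -o $WANDEV -s $LAN -d $OTH -m policy --dir out --pol ipsec -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i $WANDEV -o $LANDEV -s $OTH -d $LAN -m policy --dir in --pol ipsec -m state --state NEW -j ACCEPT
+
+
+iptables -t nat -A POSTROUTING -o $WANDEV -s $LAN -d $OTH -j RETURN
+iptables -t nat -A POSTROUTING -o $WANDEV -j SNAT --to-source $WANIP
+iptables -t nat -A PREROUTING -i $WANDEV -j DNAT -p tcp --dport 80 --to $COMPUTER_LAN_1
+iptables -t nat -A PREROUTING -i $WANDEV -j DNAT -p tcp --dport 443 --to $COMPUTER_LAN_1
+
+iptables -A INPUT -j LOG --log-prefix "--iptables-in--"
+iptables -A OUTPUT -j LOG --log-prefix "--iptables-out--"
+iptables -A FORWARD -j LOG --log-prefix "--iptables-for--"
+;;
+stop)
+echo "stoppe firewall"
+echo flushen der Regeln
+iptables -F
+iptables -F -t nat
+echo "setzen der Default Policy"
+iptables -P INPUT ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+;;
+*)
+echo "usage: $0 start|stop"
+;;
+esac
+</syntaxhighlight>
+=Ip forward=
+*cat /proc/sys/net/ipv4/ip_forward
+<syntaxhighlight lang="bash">
+1
 </syntaxhighlight>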
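Review bot: The two DNAT rules for ports 80 and 443 (`iptables -t nat -A PREROUTING -i $WANDEV -j DNAT -p tcp --dport 80 --to $COMPUTER_LAN_1` and the 443 twin) match every TCP packet to those ports that enters on $WANDEV, not only packets addressed to the firewall itself, so transit traffic on that interface — presumably including the decrypted $OTH→$LAN flows that the later `-m policy --dir in --pol ipsec` FORWARD rule is meant to pass, since policy-based IPsec re-traverses PREROUTING after decryption — would be rewritten to $COMPUTER_LAN_1. Restricting both rules to the firewall's own address fixes that: `iptables -t nat -A PREROUTING -i $WANDEV -d $WANIP -p tcp --dport 80 -j DNAT --to $COMPUTER_LAN_1` (same for 443). SERVER_DMZ_1 is defined but never referenced, and the WAN port-forward lands on a LAN host rather than in the DMZ that the $DMZDEV rules set up, which deserves a comment such as `# WAN 80/443 is forwarded to a LAN host on purpose, not to SERVER_DMZ_1` if that is intended. The three trailing LOG rules carry no `-m limit`, so everything falling through to the DROP policies is logged packet-for-packet; a `-m limit --limit 5/min --limit-burst 10` (constructed values) in front of each `-j LOG` is the usual guard against log flooding.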
Aktuelle Version vom 8. Februar 2022, 10:32 Uhr
Zugangsdaten
- Siehe ESXI Notizen
Interface
- cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto ens160
iface ens160 inet static
address 10.66.252.40
netmask 255.255.255.0
gateway 10.66.252.1
auto ens192
iface ens192 inet static
address 10.66.254.1
netmask 255.255.255.0
auto ens224
iface ens224 inet static
address 10.66.248.1
netmask 255.255.255.0
Firewall
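#!/bin/bash
# Stateful iptables rule set for a three-legged gateway: WAN ($WANDEV),
# LAN ($LANDEV) and DMZ ($DMZDEV), plus an IPsec-protected link to $OTH and a
# tunnel interface $VPNDEV.
#
# Usage: $0 start|stop
#   start - flush, set DROP policies on INPUT/OUTPUT/FORWARD, install the rules
#   stop  - flush and fall back to ACCEPT policies (firewall off)
# Exit status: 0 on success, 1 on bad usage, 2 if any iptables call failed.
#
# "set -e" is deliberately not used: a failing rule is reported and counted
# (see ipt) instead of aborting half-way through "start", which would leave
# the host with DROP policies and an incomplete rule set.
set -u

readonly WANIP=10.66.252.40
readonly WANDEV=ens160
readonly LANDEV=ens192
readonly DMZDEV=ens224
# NOTE(review): SERVER_DMZ_1 is not referenced by any rule below; the WAN
# port-forward targets COMPUTER_LAN_1 (a LAN host), not the DMZ — confirm that
# this is intended.
readonly SERVER_DMZ_1=10.66.248.100
readonly COMPUTER_LAN_1=10.66.254.100
readonly LAN=10.66.254.0/24
readonly OTH=10.66.253.0/24
readonly VPNDEV=tun0

# Number of iptables invocations that returned non-zero (maintained by ipt).
failed=0

#######################################
# Run iptables with the given arguments; on failure print the failing command
# to stderr and count it so main can exit non-zero.
# Globals:   failed (written)
# Arguments: iptables arguments
#######################################
ipt() {
  if ! iptables "$@"; then
    printf 'firewall: failed: iptables %s\n' "$*" >&2
    failed=$((failed + 1))
  fi
}

#######################################
# Empty the filter and nat tables. User-defined chains are left in place, as
# the original script did.
#######################################
flush_rules() {
  echo "flushen der Regeln"
  ipt -F
  ipt -F -t nat
}

#######################################
# Apply one default policy to INPUT, OUTPUT and FORWARD.
# Arguments: $1 - policy name (DROP or ACCEPT)
#######################################
set_policy() {
  local policy=$1
  echo "setzen der Default Policy"
  ipt -P INPUT "$policy"
  ipt -P OUTPUT "$policy"
  ipt -P FORWARD "$policy"
}

#######################################
# Install the full rule set on top of DROP policies.
# Globals:   WANIP WANDEV LANDEV DMZDEV COMPUTER_LAN_1 LAN OTH VPNDEV (read)
#######################################
fw_start() {
  echo "starte firewall"
  flush_rules
  set_policy DROP

  # Stateful core: packets of already known connections pass in every chain.
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # The firewall host itself may open connections anywhere.
  ipt -A OUTPUT -m state --state NEW -j ACCEPT

  # --- INPUT: services offered by the firewall host -----------------------
  ipt -A INPUT -i lo -m state --state NEW -j ACCEPT
  # tcp/8472 and udp/5000 are accepted on every interface; their purpose is
  # not documented here — TODO confirm and consider an -i restriction.
  ipt -A INPUT -p tcp --dport 8472 -m state --state NEW -j ACCEPT
  # IKE (500), NAT-T (4500) and ESP for the IPsec link to $OTH.
  ipt -A INPUT -p udp -m multiport --dport 500,4500,5000 -m state --state NEW -j ACCEPT
  ipt -A INPUT -p esp -m state --state NEW -j ACCEPT
  ipt -A INPUT -p icmp -m state --state NEW -j ACCEPT

  # --- FORWARD: routed traffic --------------------------------------------
  # Anything entering through the tunnel interface may be forwarded anywhere.
  ipt -A FORWARD -i "$VPNDEV" -m state --state NEW -j ACCEPT
  # Internal networks towards WAN: DNS to 8.8.8.8 only, ICMP, HTTP/HTTPS.
  ipt -A FORWARD -o "$WANDEV" -p tcp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT
  ipt -A FORWARD -o "$WANDEV" -p udp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT
  ipt -A FORWARD -o "$WANDEV" -p icmp -m state --state NEW -j ACCEPT
  ipt -A FORWARD -o "$WANDEV" -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
  # WAN -> DMZ web ports (any DMZ host) and WAN -> the port-forwarded LAN host.
  ipt -A FORWARD -i "$WANDEV" -o "$DMZDEV" -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
  ipt -A FORWARD -i "$WANDEV" -o "$LANDEV" -p tcp -m multiport --dport 80,443 -d "$COMPUTER_LAN_1" -m state --state NEW -j ACCEPT
  # Debugging aid only: allows every forward; never enable in production.
  # ipt -A FORWARD -j ACCEPT
  # IPsec-protected traffic between LAN and OTH, both directions.
  ipt -A FORWARD -i "$LANDEV" -o "$WANDEV" -s "$LAN" -d "$OTH" -m policy --dir out --pol ipsec -m state --state NEW -j ACCEPT
  ipt -A FORWARD -i "$WANDEV" -o "$LANDEV" -s "$OTH" -d "$LAN" -m policy --dir in --pol ipsec -m state --state NEW -j ACCEPT

  # --- NAT ------------------------------------------------------------------
  # LAN -> OTH travels through the IPsec tunnel with its real addresses: no SNAT.
  ipt -t nat -A POSTROUTING -o "$WANDEV" -s "$LAN" -d "$OTH" -j RETURN
  ipt -t nat -A POSTROUTING -o "$WANDEV" -j SNAT --to-source "$WANIP"
  # Port-forward HTTP/HTTPS that is addressed to the firewall's own WAN
  # address; "-d $WANIP" keeps transit traffic entering on $WANDEV (e.g. the
  # decrypted $OTH -> $LAN flows) from being rewritten as well.
  ipt -t nat -A PREROUTING -i "$WANDEV" -d "$WANIP" -p tcp --dport 80 -j DNAT --to "$COMPUTER_LAN_1"
  ipt -t nat -A PREROUTING -i "$WANDEV" -d "$WANIP" -p tcp --dport 443 -j DNAT --to "$COMPUTER_LAN_1"

  # --- Logging of whatever falls through to the DROP policies --------------
  # Rate-limited so a port scan cannot flood the log; the limit values are a
  # conventional starting point (constructed), tune to taste.
  ipt -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "--iptables-in--"
  ipt -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "--iptables-out--"
  ipt -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "--iptables-for--"
}

#######################################
# Switch the firewall off: flush everything and accept by default.
#######################################
fw_stop() {
  echo "stoppe firewall"
  flush_rules
  set_policy ACCEPT
}

#######################################
# Print the usage line (stdout, as the original script did).
#######################################
usage() {
  echo "usage: $0 start|stop"
}

#######################################
# Dispatch on the first argument.
# Arguments: $1 - start|stop
# Returns:   0 on success, 1 on bad usage, 2 if any iptables call failed
#######################################
main() {
  case "${1-}" in
    start) fw_start ;;
    stop) fw_stop ;;
    *)
      usage
      return 1
      ;;
  esac
  (( failed == 0 )) || return 2
}

main "$@"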
Ip forward
- cat /proc/sys/net/ipv4/ip_forward
1