Iptables Grundgerüst Firewall: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(Eine dazwischenliegende Version desselben Benutzers wird nicht angezeigt)
Zeile 15: Zeile 15:
 
#!/bin/bash
 
#!/bin/bash
  
LANDEV="enp0s3"
+
WANDEV="enp0s3" # Wan-Interface
WANDEV="enp0s8"
+
LANDEV="enp0s8" # Lan-Interface
  
 
iptables -F
 
iptables -F
Zeile 23: Zeile 23:
  
 
iptables -P INPUT DROP
 
iptables -P INPUT DROP
 +
iptables -P OUTPUT DROP
 +
iptables -P FORWARD DROP
 +
 
iptables -A INPUT -i lo -j ACCEPT
 
iptables -A INPUT -i lo -j ACCEPT
 +
iptables -A OUTPUT -o lo -j ACCEPT
 +
 +
iptables -A INPUT -i $WANDEV -s 192.168.3.0/24 -p tcp --dport 2222 -j ACCEPT
 +
 
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
 
iptables -A INPUT -p icmp -j ACCEPT
 
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i $LANDEV -s 192.168.178.0/24 -p tcp --dport 22 -j ACCEPT
+
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "iptables drop INPUT:"
 
 
 
iptables -P OUTPUT DROP
 
iptables -A OUTPUT -o lo -j ACCEPT
 
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A OUTPUT -j LOG --log-prefix "iptables drop OUTPUT:"
 
  
iptables -P FORWARD DROP
+
iptables -A INPUT -j LOG --log-prefix "iptables drop INPUT: "
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
iptables -A OUTPUT -j LOG --log-prefix "iptables drop OUTPUT: "
iptables -A FORWARD -j LOG --log-prefix "iptables drop FORWARD:"
+
iptables -A FORWARD -j LOG --log-prefix "iptables drop FORWARD: "
  
 
iptables -t nat -A POSTROUTING -o $WANDEV -j MASQUERADE
 
iptables -t nat -A POSTROUTING -o $WANDEV -j MASQUERADE
 +
 
</syntaxhighlight>
 
</syntaxhighlight>
  

Aktuelle Version vom 4. März 2025, 14:11 Uhr

Eigenschaften der Firewall

  • Der Host darf mit sich selbst kommunizieren
  • Pings werden vom Host beantwortet
  • Remotezugriff über den SSH Port aus dem LAN (192.168.178.0/24) ist freigeschaltet
  • Bereits etablierte und verwandte Verbindungen werden zugelassen
  • Auf Pakete, die das WAN-Interface (enp0s8) verlassen, wird Masquerading angewendet
  • Verworfene Pakete werden ins Kernel-log geschrieben

Shell-Skript

  • Das Skript sollte als Nutzer root erstellt werden, da iptables erhöhte Rechte zu ausführen benötigt
  • vim /usr/local/sbin/basic-firewall 
#!/bin/bash

WANDEV="enp0s3"  # Wan-Interface
LANDEV="enp0s8"  # Lan-Interface

iptables -F
iptables -F -t nat
iptables -F -t mangle

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i $WANDEV -s 192.168.3.0/24 -p tcp --dport 2222 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

iptables -A INPUT -j LOG --log-prefix "iptables drop INPUT: "
iptables -A OUTPUT -j LOG --log-prefix "iptables drop OUTPUT: "
iptables -A FORWARD -j LOG --log-prefix "iptables drop FORWARD: "

iptables -t nat -A POSTROUTING -o $WANDEV -j MASQUERADE
  • chmod +x /usr/local/sbin/basic-firewall
  • basic-firewall
  • Diese Einstellungen sind nur temporär und Verschwinden nach einem Neustart des Hosts

Regeln anzeigen

  • Die Optionen -nvL zeigen die Regeln der filter-Tabelle möglichst genau mit Statistiken an
  • iptables -nvL
Chain INPUT (policy DROP 1 packets, 36 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
  219 14752 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     6    --  enp0s3 *       192.168.178.0/24     0.0.0.0/0            tcp dpt:22
    1    36 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "iptables drop INPUT:"

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "iptables drop FORWARD:"

Chain OUTPUT (policy DROP 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0
  129 22484 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2   144 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "iptables drop OUTPUT:"
  • Für NAT-Regeln muss die Tabelle nat zusätzlich angegeben werden
  • iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      enp0s8  0.0.0.0/0            0.0.0.0/0
Abgerufen von „http://wiki.ixheim.de/index.php?title=Iptables_Grundgerüst_Firewall&oldid=59238