bullzeye
22-06-2007, 10:58
Hi Leute,
ich hoffe ihr könnt mir helfen. Ich habe ein START/STOP Script und eine Daemon file. Aber wenn ich den Service starten möchte, startet er und beendet sich sofort wieder. Ich weiß nicht mehr weiter. Deswegen poste ich hier bei euch:
Daemon File :
#!/bin/sh
. /opt/andrea/conf/andrea.conf
ETH1=`/sbin/ifconfig eth1|grep Bcast|awk -F':' '{print $2}'|awk '{print $1}'`
eth0_adr=$RN_ANDREAIP
eth01_adr=$BN_ANDREAIP
eth1_adr=$ETH1
# :%s/eth0_adr/eth0_adr/g
# :%s/eth01_adr/eth01_adr/g
# :%s/eth1_adr/eth1_adr/g
log() {
test -x "$LOGGER" && $LOGGER -p info "$1"
}
va_num=1
add_addr() {
addr=$1
nm=$2
dev=$3
type=""
aadd=""
L=`$IP -4 link ls $dev | grep "$dev:"`
if test -n "$L"; then
OIFS=$IFS
IFS=" /:,<"
set $L
type=$4
IFS=$OIFS
L=`$IP -4 addr ls $dev to $addr | grep " inet "`
if test -n "$L"; then
OIFS=$IFS
IFS=" /"
set $L
aadd=$2
IFS=$OIFS
fi
fi
if test -z "$aadd"; then
if test "$type" = "POINTOPOINT"; then
$IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
if test "$type" = "BROADCAST"; then
$IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
fi
}
getaddr() {
dev=$1
name=$2
L=`$IP -4 addr show dev $dev | grep inet`
test -z "$L" && {
eval "$name=''"
return
}
OIFS=$IFS
IFS=" /"
set $L
eval "$name=$2"
IFS=$OIFS
}
getinterfaces() {
NAME=$1
$IP link show | grep -E "$NAME[^ ]*: "| while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/bin/logger"
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_nat_* | sed 's/\.o.*$//; s/\.ko$//')`
for module in $(echo $MODULES); do
if $LSMOD | grep ${module} >/dev/null; then continue; fi
$MODPROBE ${module} || exit 1
done
log "Aktiviere generiertes Firewall-Skript Tue Sep 7 08:39:18 2004 CEST bei mlarc"
#
# Rule 0(NAT)
#
# freigeschalteter host
#$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -s 172.20.3.254 --source-port 1024:65535 --destination-port 80 -j SNAT --to-source $eth1_adr:1024-65535
#
#
# steam regel
$IPTABLES -t nat -A POSTROUTING -o eth1 -p udp --source-port 1024:65535 --destination-port 1200 -j SNAT --to-source $eth1_adr:1024-65535
$IPTABLES -t nat -A POSTROUTING -o eth1 -p udp --source-port 1024:65535 --destination-port 27000:27015 -j SNAT --to-source $eth1_adr:1024-65535
$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp --source-port 1024:65535 --destination-port 27030:27039 -j SNAT --to-source $eth1_adr:1024-65535
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(eth0)
#
#
#
$IPTABLES -A INPUT -i eth0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -m state --state NEW -j ACCEPT
#
# Rule 0(eth0:1)
#
#
#
$IPTABLES -A INPUT -i eth0+ -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0+ -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0+ -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0+ -m state --state NEW -j ACCEPT
#
# Rule 0(eth1)
#
# freigeschalteter host
#
#$IPTABLES -A INPUT -i eth1 -s 172.20.3.254 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -i eth1 -s 172.20.3.254 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -o eth1 -s 172.20.3.254 -m state --state NEW -j ACCEPT
#
# Rule 1(eth1)
#
#
#
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
#
# Rule 2(eth1)
#
#
#
$IPTABLES -A FORWARD -i eth1 -s $eth0_adr -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -s $eth01_adr -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -s $eth1_adr -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s $eth0_adr -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s $eth01_adr -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s $eth1_adr -m state --state NEW -j ACCEPT
#
# Rule 3(eth1)
#
#
#
$IPTABLES -A INPUT -i eth1 -p tcp --source-port 1000:65535 -d $eth0_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --source-port 1000:65535 -d $eth01_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --source-port 1000:65535 -d $eth1_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --source-port 1000:65535 -d $eth0_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --source-port 1000:65535 -d $eth01_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --source-port 1000:65535 -d $eth1_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p tcp --source-port 1000:65535 -d $eth0_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p tcp --source-port 1000:65535 -d $eth01_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p tcp --source-port 1000:65535 -d $eth1_adr --destination-port 22 -m state --state NEW -j ACCEPT
#
# Rule 4(eth1)
#
#
#
$IPTABLES -N eth1_In_RULE_4
$IPTABLES -A INPUT -i eth1 -j eth1_In_RULE_4
$IPTABLES -A FORWARD -i eth1 -j eth1_In_RULE_4
$IPTABLES -A eth1_In_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY "
$IPTABLES -A eth1_In_RULE_4 -j DROP
$IPTABLES -N eth1_Out_RULE_4
$IPTABLES -A OUTPUT -o eth1 -j eth1_Out_RULE_4
$IPTABLES -A FORWARD -o eth1 -j eth1_Out_RULE_4
$IPTABLES -A eth1_Out_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY "
$IPTABLES -A eth1_Out_RULE_4 -j DROP
#
# Rule 0(lo)
#
#
#
$IPTABLES -N Cid40BE018E.0
$IPTABLES -A INPUT -i lo -s $eth0_adr -m state --state NEW -j Cid40BE018E.0
$IPTABLES -A INPUT -i lo -s $eth01_adr -m state --state NEW -j Cid40BE018E.0
$IPTABLES -A INPUT -i lo -s $eth1_adr -m state --state NEW -j Cid40BE018E.0
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -m state --state NEW -j Cid40BE018E.0
$IPTABLES -A Cid40BE018E.0 -i lo -d $eth0_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.0 -i lo -d $eth01_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.0 -i lo -d $eth1_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.0 -i lo -d 127.0.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -N Cid40BE018E.1
$IPTABLES -A OUTPUT -o lo -s $eth0_adr -m state --state NEW -j Cid40BE018E.1
$IPTABLES -A OUTPUT -o lo -s $eth01_adr -m state --state NEW -j Cid40BE018E.1
$IPTABLES -A OUTPUT -o lo -s $eth1_adr -m state --state NEW -j Cid40BE018E.1
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -m state --state NEW -j Cid40BE018E.1
$IPTABLES -A Cid40BE018E.1 -o lo -d $eth0_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.1 -o lo -d $eth01_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.1 -o lo -d $eth1_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.1 -o lo -d 127.0.0.1 -m state --state NEW -j ACCEPT
#
# Rule 0(global)
#
#
#
$IPTABLES -A INPUT -s $eth1_adr -d $eth0_adr -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s $eth1_adr -d $eth0_adr -m state --state NEW -j ACCEPT
#
# Rule 1(global)
#
#
#
$IPTABLES -A OUTPUT -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
#
# Rule 2(global)
#
#
#
$IPTABLES -N RULE_2
$IPTABLES -A OUTPUT -j RULE_2
$IPTABLES -A INPUT -j RULE_2
$IPTABLES -A FORWARD -j RULE_2
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
$IPTABLES -A RULE_2 -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward
START/STOP File:
#!/bin/sh
#
# firewall This shell script takes care of starting and stopping
# the fwbuilder firewall.
#
# chkconfig: 2345 11 89
# description: fwbuilder firewall
[ -d /etc/firewall/ ] || exit 0
if ! [ -d "/var/lock/subsys/firewall" ]; then
mkdir -p "/var/lock/subsys/firewall"
fi
RETVAL=0
prog="firewall"
start() {
# Start daemons.
echo -n $"Starting $prog: "
daemon /etc/firewall/login.fw
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/firewall
return $RETVAL
}
stop() {
# Stop daemons.
echo -n $"Shutting down $prog: "
iptables -F
iptables -X
iptables -P INPUT DROP && \
iptables -P FORWARD DROP && \
iptables -P OUTPUT DROP && \
echo "success: Resetting built-in chains to the default DROP policy" || \
echo "failure: Resetting built-in chains to the default DROP policy"
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/firewall
return $RETVAL
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
stop
start
RETVAL=$?
;;
condrestart)
if [ -f /var/lock/subsys/firewall ]; then
stop
start
RETVAL=$?
fi
;;
status)
base="firewall"
pid="?"
if [ -f /var/lock/subsys/firewall ]; then
echo $"${base} (pid $pid) is running..."
RETVAL=0
else
echo $"${base} is stopped"
RETVAL=1
fi
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status}"
exit 1
esac
exit $RETVAL
Vielen Dank schon einmal
ich hoffe ihr könnt mir helfen. Ich habe ein START/STOP Script und eine Daemon file. Aber wenn ich den Service starten möchte, startet er und beendet sich sofort wieder. Ich weiß nicht mehr weiter. Deswegen poste ich hier bei euch:
Daemon File :
#!/bin/sh
. /opt/andrea/conf/andrea.conf
ETH1=`/sbin/ifconfig eth1|grep Bcast|awk -F':' '{print $2}'|awk '{print $1}'`
eth0_adr=$RN_ANDREAIP
eth01_adr=$BN_ANDREAIP
eth1_adr=$ETH1
# :%s/eth0_adr/eth0_adr/g
# :%s/eth01_adr/eth01_adr/g
# :%s/eth1_adr/eth1_adr/g
log() {
test -x "$LOGGER" && $LOGGER -p info "$1"
}
va_num=1
add_addr() {
addr=$1
nm=$2
dev=$3
type=""
aadd=""
L=`$IP -4 link ls $dev | grep "$dev:"`
if test -n "$L"; then
OIFS=$IFS
IFS=" /:,<"
set $L
type=$4
IFS=$OIFS
L=`$IP -4 addr ls $dev to $addr | grep " inet "`
if test -n "$L"; then
OIFS=$IFS
IFS=" /"
set $L
aadd=$2
IFS=$OIFS
fi
fi
if test -z "$aadd"; then
if test "$type" = "POINTOPOINT"; then
$IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
if test "$type" = "BROADCAST"; then
$IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
fi
}
getaddr() {
dev=$1
name=$2
L=`$IP -4 addr show dev $dev | grep inet`
test -z "$L" && {
eval "$name=''"
return
}
OIFS=$IFS
IFS=" /"
set $L
eval "$name=$2"
IFS=$OIFS
}
getinterfaces() {
NAME=$1
$IP link show | grep -E "$NAME[^ ]*: "| while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/bin/logger"
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_nat_* | sed 's/\.o.*$//; s/\.ko$//')`
for module in $(echo $MODULES); do
if $LSMOD | grep ${module} >/dev/null; then continue; fi
$MODPROBE ${module} || exit 1
done
log "Aktiviere generiertes Firewall-Skript Tue Sep 7 08:39:18 2004 CEST bei mlarc"
#
# Rule 0(NAT)
#
# freigeschalteter host
#$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -s 172.20.3.254 --source-port 1024:65535 --destination-port 80 -j SNAT --to-source $eth1_adr:1024-65535
#
#
# steam regel
$IPTABLES -t nat -A POSTROUTING -o eth1 -p udp --source-port 1024:65535 --destination-port 1200 -j SNAT --to-source $eth1_adr:1024-65535
$IPTABLES -t nat -A POSTROUTING -o eth1 -p udp --source-port 1024:65535 --destination-port 27000:27015 -j SNAT --to-source $eth1_adr:1024-65535
$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp --source-port 1024:65535 --destination-port 27030:27039 -j SNAT --to-source $eth1_adr:1024-65535
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(eth0)
#
#
#
$IPTABLES -A INPUT -i eth0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -m state --state NEW -j ACCEPT
#
# Rule 0(eth0:1)
#
#
#
$IPTABLES -A INPUT -i eth0+ -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0+ -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0+ -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0+ -m state --state NEW -j ACCEPT
#
# Rule 0(eth1)
#
# freigeschalteter host
#
#$IPTABLES -A INPUT -i eth1 -s 172.20.3.254 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -i eth1 -s 172.20.3.254 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -o eth1 -s 172.20.3.254 -m state --state NEW -j ACCEPT
#
# Rule 1(eth1)
#
#
#
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
#
# Rule 2(eth1)
#
#
#
$IPTABLES -A FORWARD -i eth1 -s $eth0_adr -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -s $eth01_adr -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -s $eth1_adr -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s $eth0_adr -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s $eth01_adr -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s $eth1_adr -m state --state NEW -j ACCEPT
#
# Rule 3(eth1)
#
#
#
$IPTABLES -A INPUT -i eth1 -p tcp --source-port 1000:65535 -d $eth0_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --source-port 1000:65535 -d $eth01_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --source-port 1000:65535 -d $eth1_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --source-port 1000:65535 -d $eth0_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --source-port 1000:65535 -d $eth01_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --source-port 1000:65535 -d $eth1_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p tcp --source-port 1000:65535 -d $eth0_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p tcp --source-port 1000:65535 -d $eth01_adr --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p tcp --source-port 1000:65535 -d $eth1_adr --destination-port 22 -m state --state NEW -j ACCEPT
#
# Rule 4(eth1)
#
#
#
$IPTABLES -N eth1_In_RULE_4
$IPTABLES -A INPUT -i eth1 -j eth1_In_RULE_4
$IPTABLES -A FORWARD -i eth1 -j eth1_In_RULE_4
$IPTABLES -A eth1_In_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY "
$IPTABLES -A eth1_In_RULE_4 -j DROP
$IPTABLES -N eth1_Out_RULE_4
$IPTABLES -A OUTPUT -o eth1 -j eth1_Out_RULE_4
$IPTABLES -A FORWARD -o eth1 -j eth1_Out_RULE_4
$IPTABLES -A eth1_Out_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY "
$IPTABLES -A eth1_Out_RULE_4 -j DROP
#
# Rule 0(lo)
#
#
#
$IPTABLES -N Cid40BE018E.0
$IPTABLES -A INPUT -i lo -s $eth0_adr -m state --state NEW -j Cid40BE018E.0
$IPTABLES -A INPUT -i lo -s $eth01_adr -m state --state NEW -j Cid40BE018E.0
$IPTABLES -A INPUT -i lo -s $eth1_adr -m state --state NEW -j Cid40BE018E.0
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -m state --state NEW -j Cid40BE018E.0
$IPTABLES -A Cid40BE018E.0 -i lo -d $eth0_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.0 -i lo -d $eth01_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.0 -i lo -d $eth1_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.0 -i lo -d 127.0.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -N Cid40BE018E.1
$IPTABLES -A OUTPUT -o lo -s $eth0_adr -m state --state NEW -j Cid40BE018E.1
$IPTABLES -A OUTPUT -o lo -s $eth01_adr -m state --state NEW -j Cid40BE018E.1
$IPTABLES -A OUTPUT -o lo -s $eth1_adr -m state --state NEW -j Cid40BE018E.1
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -m state --state NEW -j Cid40BE018E.1
$IPTABLES -A Cid40BE018E.1 -o lo -d $eth0_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.1 -o lo -d $eth01_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.1 -o lo -d $eth1_adr -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BE018E.1 -o lo -d 127.0.0.1 -m state --state NEW -j ACCEPT
#
# Rule 0(global)
#
#
#
$IPTABLES -A INPUT -s $eth1_adr -d $eth0_adr -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s $eth1_adr -d $eth0_adr -m state --state NEW -j ACCEPT
#
# Rule 1(global)
#
#
#
$IPTABLES -A OUTPUT -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
#
# Rule 2(global)
#
#
#
$IPTABLES -N RULE_2
$IPTABLES -A OUTPUT -j RULE_2
$IPTABLES -A INPUT -j RULE_2
$IPTABLES -A FORWARD -j RULE_2
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
$IPTABLES -A RULE_2 -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward
START/STOP File:
#!/bin/sh
#
# firewall This shell script takes care of starting and stopping
# the fwbuilder firewall.
#
# chkconfig: 2345 11 89
# description: fwbuilder firewall
[ -d /etc/firewall/ ] || exit 0
if ! [ -d "/var/lock/subsys/firewall" ]; then
mkdir -p "/var/lock/subsys/firewall"
fi
RETVAL=0
prog="firewall"
start() {
# Start daemons.
echo -n $"Starting $prog: "
daemon /etc/firewall/login.fw
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/firewall
return $RETVAL
}
stop() {
# Stop daemons.
echo -n $"Shutting down $prog: "
iptables -F
iptables -X
iptables -P INPUT DROP && \
iptables -P FORWARD DROP && \
iptables -P OUTPUT DROP && \
echo "success: Resetting built-in chains to the default DROP policy" || \
echo "failure: Resetting built-in chains to the default DROP policy"
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/firewall
return $RETVAL
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
stop
start
RETVAL=$?
;;
condrestart)
if [ -f /var/lock/subsys/firewall ]; then
stop
start
RETVAL=$?
fi
;;
status)
base="firewall"
pid="?"
if [ -f /var/lock/subsys/firewall ]; then
echo $"${base} (pid $pid) is running..."
RETVAL=0
else
echo $"${base} is stopped"
RETVAL=1
fi
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status}"
exit 1
esac
exit $RETVAL
Vielen Dank schon einmal