linuxhanz
27-09-2001, 14:43
Hi,
"Mein" (URL später --sorry)
Script läuft.
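#! /bin/bash
# ipchains packet filter for a dial-up gateway (ippp0) that masquerades a LAN.
# Meant to be started from ip-up: PPP_LOCAL / PPP_REMOTE are taken from the
# environment, with ifconfig as fallback.  Needs root.  Exits 1 when the
# external address cannot be determined, 0 after the rules are loaded.

FTP_AKTIV="false"          # not referenced below
MYSERVER="false"           # "true" additionally opens the passive-FTP server rules
CALISSA="195.182.96.28"    # Call by Call
SUSE="192.168.80.1"
printf 'FTP-Server = %s\n' "$MYSERVER"
EXT="ippp0"                # external (dial-up) interface
INT="eth0"                 # internal interface; rules below use "! $EXT" instead
LAN="192.168.80.0/24"      # network that is masqueraded
UNPRIV="1024:65535"        # unprivileged port range
IPC="/sbin/ipchains"

#--- Determine our own and the remote IP address -------------------------
# Prefer what pppd exported; otherwise parse ifconfig output.
LOCALIP=$PPP_LOCAL
if [ -z "${LOCALIP}" ]; then
  LOCALIP="$(ifconfig "$EXT" | awk '/addr:/ {print $2}' | sed s/addr://)"
  if [ -z "${LOCALIP}" ]; then
    printf 'Local-IP fehlt!\n' >&2
    exit 1
  fi
fi
# REMOTEIP is only validated here; no rule below uses it.
REMOTEIP=$PPP_REMOTE
if [ -z "${REMOTEIP}" ]; then
  REMOTEIP="$(ifconfig "$EXT" | awk '/P-t-P/ {print $3}' | sed s/P-t-P://)"
  if [ -z "${REMOTEIP}" ]; then
    printf 'Remote-IP fehlt!\n' >&2
    exit 1
  fi
fi

printf '%s' "Setting up Firewall ... ... ... ... "

# Defaults: forwarding off and closed policies BEFORE any rule is appended,
# so a failing rule later leaves the host closed rather than open.
echo 0 > /proc/sys/net/ipv4/ip_forward
"$IPC" -P input DENY
"$IPC" -P forward REJECT
"$IPC" -P output REJECT
"$IPC" -F
"$IPC" -X

#-- Local interfaces: everything that is not the external interface is trusted
"$IPC" -A input -i ! "$EXT" -j ACCEPT
"$IPC" -A output -i ! "$EXT" -j ACCEPT

#-- Spoofed packets: inbound with a bogus source is DENYed (and logged),
#   outbound towards such a destination is REJECTed (and logged).
"$IPC" -A input -i "$EXT" -s "$LOCALIP" -j DENY -l
"$IPC" -A output -i "$EXT" -s ! "$LOCALIP" -j REJECT -l
"$IPC" -A input -i "$EXT" -s 0.0.0.0 -j DENY -l
"$IPC" -A output -i "$EXT" -d 0.0.0.0 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 10.0.0.0/8 -j DENY -l
"$IPC" -A output -i "$EXT" -d 10.0.0.0/8 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 127.0.0.0/8 -j DENY -l
"$IPC" -A output -i "$EXT" -d 127.0.0.0/8 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 169.254.0.0/16 -j DENY -l
"$IPC" -A output -i "$EXT" -d 169.254.0.0/16 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 172.16.0.0/12 -j DENY -l
"$IPC" -A output -i "$EXT" -d 172.16.0.0/12 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 192.0.2.0/24 -j DENY -l
"$IPC" -A output -i "$EXT" -d 192.0.2.0/24 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 192.168.0.0/16 -j DENY -l
"$IPC" -A output -i "$EXT" -d 192.168.0.0/16 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 224.0.0.0/3 -j DENY -l
"$IPC" -A output -i "$EXT" -d 224.0.0.0/3 -j REJECT -l
# The broadcast source rule belongs on the input chain like every other
# "-s ... DENY" pair above; the original had it on output, where a source
# match of 255.255.255.255 never fires and the inbound case was unfiltered.
"$IPC" -A input -i "$EXT" -s 255.255.255.255 -j DENY -l
"$IPC" -A output -i "$EXT" -d 255.255.255.255 -j REJECT -l

#-----------------------------------------------
#-- ICMP -- for our nmap fans
#-- incoming: echo reply, destination unreachable, time exceeded
"$IPC" -A input -i "$EXT" -p icmp --icmp-type 0 -j ACCEPT
"$IPC" -A input -i "$EXT" -p icmp --icmp-type 3 -j ACCEPT
"$IPC" -A input -i "$EXT" -p icmp --icmp-type 11 -j ACCEPT
#-- ICMP outgoing: echo request anywhere, dest-unreachable only to two hosts
"$IPC" -A output -i "$EXT" -p icmp --icmp-type 8 -j ACCEPT
"$IPC" -A output -i "$EXT" -p icmp -d "$CALISSA" --icmp-type 3 -j ACCEPT
"$IPC" -A output -i "$EXT" -p icmp -d "$SUSE" --icmp-type 3 -j ACCEPT

# DNS requests UDP
"$IPC" -A input -i "$EXT" -p udp --sport domain --dport "$UNPRIV" -j ACCEPT
"$IPC" -A output -i "$EXT" -p udp --sport "$UNPRIV" --dport domain -j ACCEPT
# DNS requests TCP (replies only, "! -y" = no SYN)
"$IPC" -A input -i "$EXT" -p tcp --sport domain --dport "$UNPRIV" ! -y -j ACCEPT
"$IPC" -A output -i "$EXT" -p tcp --sport "$UNPRIV" --dport domain -j ACCEPT

# FTP
if [ "$MYSERVER" = true ]; then
  # passive FTP only.  NOTE: these three rules accept ANY TCP connection
  # between unprivileged ports, including new (SYN) connections -- not just FTP.
  "$IPC" -A input -i "$EXT" -p tcp --sport "$UNPRIV" --dport "$UNPRIV" -y -j ACCEPT
  "$IPC" -A input -i "$EXT" -p tcp --sport "$UNPRIV" --dport "$UNPRIV" -j ACCEPT
  "$IPC" -A output -i "$EXT" -p tcp --sport "$UNPRIV" --dport "$UNPRIV" ! -y -j ACCEPT
fi
# FTP client (passive).  Stateless: any non-SYN segment between unprivileged
# ports is let in, not only the FTP data connection.
"$IPC" -A input -i "$EXT" -p tcp --sport "$UNPRIV" --dport "$UNPRIV" ! -y -j ACCEPT
"$IPC" -A output -i "$EXT" -p tcp --sport "$UNPRIV" --dport "$UNPRIV" -j ACCEPT

# Anything else: log, then fall through to the chain policy (DENY / REJECT)
"$IPC" -A input -i "$EXT" -l
"$IPC" -A output -i "$EXT" -l

#-- Masquerading ----------------------------------------
"$IPC" -A forward -i "$EXT" -s "$LAN" -j MASQ --no-warnings
"$IPC" -A forward -i "$EXT" -l --no-warnings
echo 1 > /proc/sys/net/ipv4/ip_forward

# status
#/sbin/ipchains -L
#/sbin/ipchains -L >> /var/log/firewall
echo "done."
exit 0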
Wenn ich versuche, es über /sbin/init.d start/stop einzubauen, "hängt" es am Ende bis zur Return-Eingabe.
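#! /bin/sh
# Copyyour own (c) is a language
#
# /etc/rc.d/fwu
#
# FWU = Firewall_USER
#
# SuSE-style init script for the user firewall /fw/advanced/fw.02.
# fw.02 is a one-shot script (it loads the ipchains rules and then exits 0),
# not a daemon, so it is run directly instead of via startproc/killproc.
#. /etc/rc.status
. /etc/rc.config

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}
# Force execution if not called by a runlevel directory.
test "$link" = "$base" && START_FWU=yes
test "$START_FWU" = yes || exit 0

# The echo return value for success (defined in /etc/rc.config).
return=$rc_done
fw_script=/fw/advanced/fw.02

case "$1" in
  start)
    echo -n "Starting user defined firewall [ipchains] "
    # Run in the foreground: startproc would background a process that ends
    # right away (presumably also what made the original wait for Return -- confirm).
    "$fw_script" || return=$rc_failed
    echo -e "$return"
    ;;
  stop)
    echo -n "Shutting down user defined firewall [ipchains]"
    # NOTE: after 'stop' all three chains are at ACCEPT, i.e. the host is
    # completely unfiltered until 'start' runs again.
    # No process to kill: fw.02 has already exited, so killproc would only fail.
    /sbin/ipchains -P input ACCEPT &&
    /sbin/ipchains -P output ACCEPT &&
    /sbin/ipchains -P forward ACCEPT &&
    /sbin/ipchains -F &&
    /sbin/ipchains -X || return=$rc_failed
    echo -e "$return"
    ;;
  status)
    # Advertised in the usage line but previously not implemented.
    /sbin/ipchains -L || return=$rc_failed
    ;;
  restart)
    $0 stop && $0 start || return=$rc_failed
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart}"
    exit 1
    ;;
esac

# Inform the caller not only verbosely and set an exit status.
test "$return" = "$rc_done" || exit 1
exit 0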
"Mein" (URL später --sorry)
Script läuft.
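#! /bin/bash
# ipchains packet filter for a dial-up gateway (ippp0) that masquerades a LAN.
# Meant to be started from ip-up: PPP_LOCAL / PPP_REMOTE are taken from the
# environment, with ifconfig as fallback.  Needs root.  Exits 1 when the
# external address cannot be determined, 0 after the rules are loaded.

FTP_AKTIV="false"          # not referenced below
MYSERVER="false"           # "true" additionally opens the passive-FTP server rules
CALISSA="195.182.96.28"    # Call by Call
SUSE="192.168.80.1"
printf 'FTP-Server = %s\n' "$MYSERVER"
EXT="ippp0"                # external (dial-up) interface
INT="eth0"                 # internal interface; rules below use "! $EXT" instead
LAN="192.168.80.0/24"      # network that is masqueraded
UNPRIV="1024:65535"        # unprivileged port range
IPC="/sbin/ipchains"

#--- Determine our own and the remote IP address -------------------------
# Prefer what pppd exported; otherwise parse ifconfig output.
LOCALIP=$PPP_LOCAL
if [ -z "${LOCALIP}" ]; then
  LOCALIP="$(ifconfig "$EXT" | awk '/addr:/ {print $2}' | sed s/addr://)"
  if [ -z "${LOCALIP}" ]; then
    printf 'Local-IP fehlt!\n' >&2
    exit 1
  fi
fi
# REMOTEIP is only validated here; no rule below uses it.
REMOTEIP=$PPP_REMOTE
if [ -z "${REMOTEIP}" ]; then
  REMOTEIP="$(ifconfig "$EXT" | awk '/P-t-P/ {print $3}' | sed s/P-t-P://)"
  if [ -z "${REMOTEIP}" ]; then
    printf 'Remote-IP fehlt!\n' >&2
    exit 1
  fi
fi

printf '%s' "Setting up Firewall ... ... ... ... "

# Defaults: forwarding off and closed policies BEFORE any rule is appended,
# so a failing rule later leaves the host closed rather than open.
echo 0 > /proc/sys/net/ipv4/ip_forward
"$IPC" -P input DENY
"$IPC" -P forward REJECT
"$IPC" -P output REJECT
"$IPC" -F
"$IPC" -X

#-- Local interfaces: everything that is not the external interface is trusted
"$IPC" -A input -i ! "$EXT" -j ACCEPT
"$IPC" -A output -i ! "$EXT" -j ACCEPT

#-- Spoofed packets: inbound with a bogus source is DENYed (and logged),
#   outbound towards such a destination is REJECTed (and logged).
"$IPC" -A input -i "$EXT" -s "$LOCALIP" -j DENY -l
"$IPC" -A output -i "$EXT" -s ! "$LOCALIP" -j REJECT -l
"$IPC" -A input -i "$EXT" -s 0.0.0.0 -j DENY -l
"$IPC" -A output -i "$EXT" -d 0.0.0.0 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 10.0.0.0/8 -j DENY -l
"$IPC" -A output -i "$EXT" -d 10.0.0.0/8 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 127.0.0.0/8 -j DENY -l
"$IPC" -A output -i "$EXT" -d 127.0.0.0/8 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 169.254.0.0/16 -j DENY -l
"$IPC" -A output -i "$EXT" -d 169.254.0.0/16 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 172.16.0.0/12 -j DENY -l
"$IPC" -A output -i "$EXT" -d 172.16.0.0/12 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 192.0.2.0/24 -j DENY -l
"$IPC" -A output -i "$EXT" -d 192.0.2.0/24 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 192.168.0.0/16 -j DENY -l
"$IPC" -A output -i "$EXT" -d 192.168.0.0/16 -j REJECT -l
"$IPC" -A input -i "$EXT" -s 224.0.0.0/3 -j DENY -l
"$IPC" -A output -i "$EXT" -d 224.0.0.0/3 -j REJECT -l
# The broadcast source rule belongs on the input chain like every other
# "-s ... DENY" pair above; the original had it on output, where a source
# match of 255.255.255.255 never fires and the inbound case was unfiltered.
"$IPC" -A input -i "$EXT" -s 255.255.255.255 -j DENY -l
"$IPC" -A output -i "$EXT" -d 255.255.255.255 -j REJECT -l

#-----------------------------------------------
#-- ICMP -- for our nmap fans
#-- incoming: echo reply, destination unreachable, time exceeded
"$IPC" -A input -i "$EXT" -p icmp --icmp-type 0 -j ACCEPT
"$IPC" -A input -i "$EXT" -p icmp --icmp-type 3 -j ACCEPT
"$IPC" -A input -i "$EXT" -p icmp --icmp-type 11 -j ACCEPT
#-- ICMP outgoing: echo request anywhere, dest-unreachable only to two hosts
"$IPC" -A output -i "$EXT" -p icmp --icmp-type 8 -j ACCEPT
"$IPC" -A output -i "$EXT" -p icmp -d "$CALISSA" --icmp-type 3 -j ACCEPT
"$IPC" -A output -i "$EXT" -p icmp -d "$SUSE" --icmp-type 3 -j ACCEPT

# DNS requests UDP
"$IPC" -A input -i "$EXT" -p udp --sport domain --dport "$UNPRIV" -j ACCEPT
"$IPC" -A output -i "$EXT" -p udp --sport "$UNPRIV" --dport domain -j ACCEPT
# DNS requests TCP (replies only, "! -y" = no SYN)
"$IPC" -A input -i "$EXT" -p tcp --sport domain --dport "$UNPRIV" ! -y -j ACCEPT
"$IPC" -A output -i "$EXT" -p tcp --sport "$UNPRIV" --dport domain -j ACCEPT

# FTP
if [ "$MYSERVER" = true ]; then
  # passive FTP only.  NOTE: these three rules accept ANY TCP connection
  # between unprivileged ports, including new (SYN) connections -- not just FTP.
  "$IPC" -A input -i "$EXT" -p tcp --sport "$UNPRIV" --dport "$UNPRIV" -y -j ACCEPT
  "$IPC" -A input -i "$EXT" -p tcp --sport "$UNPRIV" --dport "$UNPRIV" -j ACCEPT
  "$IPC" -A output -i "$EXT" -p tcp --sport "$UNPRIV" --dport "$UNPRIV" ! -y -j ACCEPT
fi
# FTP client (passive).  Stateless: any non-SYN segment between unprivileged
# ports is let in, not only the FTP data connection.
"$IPC" -A input -i "$EXT" -p tcp --sport "$UNPRIV" --dport "$UNPRIV" ! -y -j ACCEPT
"$IPC" -A output -i "$EXT" -p tcp --sport "$UNPRIV" --dport "$UNPRIV" -j ACCEPT

# Anything else: log, then fall through to the chain policy (DENY / REJECT)
"$IPC" -A input -i "$EXT" -l
"$IPC" -A output -i "$EXT" -l

#-- Masquerading ----------------------------------------
"$IPC" -A forward -i "$EXT" -s "$LAN" -j MASQ --no-warnings
"$IPC" -A forward -i "$EXT" -l --no-warnings
echo 1 > /proc/sys/net/ipv4/ip_forward

# status
#/sbin/ipchains -L
#/sbin/ipchains -L >> /var/log/firewall
echo "done."
exit 0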
Wenn ich versuche, es über /sbin/init.d start/stop einzubauen, "hängt" es am Ende bis zur Return-Eingabe.
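#! /bin/sh
# Copyyour own (c) is a language
#
# /etc/rc.d/fwu
#
# FWU = Firewall_USER
#
# SuSE-style init script for the user firewall /fw/advanced/fw.02.
# fw.02 is a one-shot script (it loads the ipchains rules and then exits 0),
# not a daemon, so it is run directly instead of via startproc/killproc.
#. /etc/rc.status
. /etc/rc.config

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}
# Force execution if not called by a runlevel directory.
test "$link" = "$base" && START_FWU=yes
test "$START_FWU" = yes || exit 0

# The echo return value for success (defined in /etc/rc.config).
return=$rc_done
fw_script=/fw/advanced/fw.02

case "$1" in
  start)
    echo -n "Starting user defined firewall [ipchains] "
    # Run in the foreground: startproc would background a process that ends
    # right away (presumably also what made the original wait for Return -- confirm).
    "$fw_script" || return=$rc_failed
    echo -e "$return"
    ;;
  stop)
    echo -n "Shutting down user defined firewall [ipchains]"
    # NOTE: after 'stop' all three chains are at ACCEPT, i.e. the host is
    # completely unfiltered until 'start' runs again.
    # No process to kill: fw.02 has already exited, so killproc would only fail.
    /sbin/ipchains -P input ACCEPT &&
    /sbin/ipchains -P output ACCEPT &&
    /sbin/ipchains -P forward ACCEPT &&
    /sbin/ipchains -F &&
    /sbin/ipchains -X || return=$rc_failed
    echo -e "$return"
    ;;
  status)
    # Advertised in the usage line but previously not implemented.
    /sbin/ipchains -L || return=$rc_failed
    ;;
  restart)
    $0 stop && $0 start || return=$rc_failed
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart}"
    exit 1
    ;;
esac

# Inform the caller not only verbosely and set an exit status.
test "$return" = "$rc_done" || exit 1
exit 0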