firewall script fighting
Hello
I am trying to set up a firewall for my LAN. I want to be invisible to the
Internet (no response to a ping), but I want to allow some specific
connections. The script I have so far makes me invisible and I can surf
the web, but nobody can connect to my server.
Maybe you can easily find some errors:
--------------------------------------------------------------------
#!/bin/sh
# Firewall script (ipchains, Linux 2.2 kernel)
# The "#!/bin/sh" line must be the very first line of the file; in the
# original it came after a comment, so it had no effect.
DEV_LAN=eth0
IP_LAN=192.168.99.10
LAN=192.168.99.0/255.255.255.0
DEV_INET=ippp0
INET=0.0.0.0/0.0.0.0
#----- Masquerading helper modules for protocols that carry addresses/ports in the payload -----
insmod ip_masq_cuseeme
insmod ip_masq_ftp
insmod ip_masq_irc
insmod ip_masq_quake
insmod ip_masq_raudio
insmod ip_masq_user
insmod ip_masq_vdolive
#----- Delete all rules and all user-defined chains (otherwise "ipchains -N" fails when the script is re-run) -----
ipchains -F
ipchains -X
#----- Set default policy to DENY -----
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY
#----- Enable IP forwarding and support for dynamically assigned IP addresses -----
# (done after the DENY policies are in place, so forwarding is never on without a filter)
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
#----- Prevent IP spoofing: LAN or loopback source addresses never legitimately arrive on the Internet interface -----
# (the original rule had "-p tcp", so spoofed UDP and ICMP were not caught; -l logs the hits)
ipchains -A input -i $DEV_INET -s $LAN -j DENY -l
ipchains -A input -i $DEV_INET -s 127.0.0.0/8 -j DENY -l
#----- Allow loopback -----
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
#----- Allow all intranet connections -----
ipchains -A input -i $DEV_LAN -s $LAN -j ACCEPT
ipchains -A output -i $DEV_LAN -d $LAN -j ACCEPT
#----- Allow DNS queries to the Internet, both UDP and TCP -----
# "! -y" accepts only packets that are not a bare SYN, i.e. replies to our own connections, never new ones
ipchains -A output -i $DEV_INET -p udp -d $INET 53 -j ACCEPT
ipchains -A input -i $DEV_INET -p udp -s $INET 53 -j ACCEPT
ipchains -A output -i $DEV_INET -p tcp -d $INET 53 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 53 -j ACCEPT ! -y
#----- Allow HTTP -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y
#----- Allow HTTPS -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 443 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 443 -j ACCEPT ! -y
#----- Allow FTP (control connection) -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 21 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 21 -j ACCEPT ! -y
#----- Extension for active FTP: the remote server opens the data connection from port 20, so its SYN must be let in -----
# (restricted to our high ports; the original accepted source port 20 to ANY local port, which lets anyone
#  who connects from source port 20 reach every local service)
ipchains -A output -i $DEV_INET -p tcp -d $INET 20 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 20 -d $INET 1024:65535 -j ACCEPT
#----- Allow SSH to the Internet -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 22 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 22 -j ACCEPT ! -y
#----- Allow SMTP to the Internet -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 25 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 25 -j ACCEPT ! -y
#----- Allow POP3 to the Internet -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 110 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 110 -j ACCEPT ! -y
#----- High ports (client side of outgoing connections; 1023 is still a privileged port, so the range starts at 1024) -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 1024:65535 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 1024:65535 -j ACCEPT ! -y
ipchains -A output -i $DEV_INET -p udp -d $INET 1024:65535 -j ACCEPT
# this one matches the local (destination) port, unlike the TCP rule above, which matches the remote source port
ipchains -A input -i $DEV_INET -p udp -d $INET 1024:65535 -j ACCEPT
#----- NOTE: every TCP input rule for $DEV_INET above either carries "! -y" or (active FTP) only reaches our high
#      ports, so no new connection (SYN) from the Internet to a local service port is accepted anywhere in this
#      script; the DENY policy drops it. That is why nobody outside the LAN can connect. Each server port needs
#      its own input rule without "! -y". -----
#----- Create chains for ICMP -----
ipchains -N icmp-out
# never answer pings (echo-reply out is denied), but ping others and let error messages through
ipchains -A icmp-out -p icmp --icmp-type echo-reply -j DENY
ipchains -A icmp-out -p icmp --icmp-type echo-request -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT
ipchains -N icmp-in
# echo-request in is denied, so the host is invisible to ping from the Internet (the LAN was accepted above already)
ipchains -A icmp-in -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type echo-request -j DENY
ipchains -A icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT
#----- Hand ICMP packets to the output chain -----
ipchains -A output -p icmp -j icmp-out
#----- Hand ICMP packets to the input chain -----
ipchains -A input -p icmp -j icmp-in
#----- Enable masquerading for the LAN towards the Internet (in the forward chain -i is the outgoing interface) -----
ipchains -A forward -i $DEV_INET -s $LAN -d $INET -j MASQ
echo "Firewall is up"
-------------------------------------------------------------------------------
Again, the problem is that nobody can connect except from inside the LAN.
thanks in advance
--
Best regards,
tim mailto:tim@atomstrahl.de
Reply to:
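The rule that the posted script is missing is one that accepts a new connection (a SYN) arriving on the Internet interface for a service port. The following is an added example, not part of the original post and not tim's code, showing how such rules are built on top of the script above (it must run after that script, which starts with "ipchains -F"). Everything specific in it is an assumption: the service is SSH on TCP port 22 as a placeholder, the Internet interface is ippp0, and the server runs on the firewall host itself. A server on a LAN machine behind MASQ would additionally need port forwarding (ipmasqadm portfw), which is not covered here.

```shell
#!/bin/sh
# Added example (not from the original post): accept new connections to a
# service on an ipchains firewall whose Internet interface has a dynamic
# address. Placeholders/assumptions: service = SSH on TCP 22, interface =
# ippp0, server runs on the firewall host (not on a masqueraded LAN host).
DEV_INET=${DEV_INET:-ippp0}
INET=0.0.0.0/0
# Dry run by default: the rules are printed instead of loaded.
# Run with IPCHAINS=/sbin/ipchains to apply them for real.
IPCHAINS=${IPCHAINS:-echo}

# allow_server_port PROTO PORT
# Opens one listening port on the Internet side. Clients must come from an
# ephemeral source port (1024-65535); the reply rule is the mirror image.
allow_server_port() {
    proto=$1
    port=$2
    case "$proto" in
    tcp)
        # New connections: the SYN is accepted here. This is exactly the
        # rule the posted script lacks; all of its TCP input rules carry "! -y".
        $IPCHAINS -A input -i "$DEV_INET" -p tcp -s $INET 1024:65535 -d $INET "$port" -j ACCEPT
        # Replies from the service port (SYN/ACK has ACK set, so "! -y" still
        # matches it). The service never needs to initiate from its own port.
        $IPCHAINS -A output -i "$DEV_INET" -p tcp -s $INET "$port" -d $INET 1024:65535 -j ACCEPT ! -y
        ;;
    udp)
        $IPCHAINS -A input -i "$DEV_INET" -p udp -s $INET 1024:65535 -d $INET "$port" -j ACCEPT
        $IPCHAINS -A output -i "$DEV_INET" -p udp -s $INET "$port" -d $INET 1024:65535 -j ACCEPT
        ;;
    *)
        echo "allow_server_port: unsupported protocol '$proto'" >&2
        return 1
        ;;
    esac
}

# log_dropped_syns
# Appended last: every other new TCP connection from the Internet is still
# dropped (the policy is DENY anyway), but now with a kernel-log entry, so a
# failed connection attempt shows up in dmesg/syslog with the port it hit.
log_dropped_syns() {
    $IPCHAINS -A input -i "$DEV_INET" -p tcp -y -j DENY -l
}

allow_server_port tcp 22      # SSH on the firewall host (assumed placeholder)
log_dropped_syns
```

Run it once after the main script, then try the connection from outside and watch the kernel log: a SYN logged by the last rule tells you which destination port the client really reached, which is the quickest way to tell a wrong port from a rule that never matched.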