firewall script fighting


I try to set up a firewall for my LAN. I want to be invisible to the
Internet (no response to a ping), but I want to allow some specific
connections. The script I have so far makes me invisible and I can surf
the web..., but nobody can connect to my server.

Maybe you easily find some errors:


#!/bin/sh
# Firewall script (ipchains, Linux 2.2 style)

#----- Interfaces and address ranges -----
# The original posting never sets these variables; the values below are
# assumed placeholders and must be adjusted to the local setup.
DEV_INET="ppp0"          # Internet-facing interface
DEV_LAN="eth0"           # LAN interface
LAN="192.168.0.0/24"     # local network
INET="0/0"               # any Internet address

#----- Load masquerading helper modules -----
insmod ip_masq_cuseeme
insmod ip_masq_ftp
insmod ip_masq_irc
insmod ip_masq_quake
insmod ip_masq_raudio
insmod ip_masq_user
insmod ip_masq_vdolive

#----- Enable IP forwarding and support for dynamically assigned IP addresses -----
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward

#----- Flush all rules -----
ipchains -F

#----- Set default policy to DENY -----
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY

#----- Prevent IP spoofing -----
# Packets claiming a LAN source address must never arrive on the Internet
# interface. The original rule only covered TCP ("-p tcp"); the check applies
# to every protocol, so the protocol match is dropped here.
ipchains -A input -i $DEV_INET -s $LAN -j DENY -l

#----- Allow loopback -----
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

#----- Allow all intranet connections -----
ipchains -A input -i $DEV_LAN -s $LAN -j ACCEPT
ipchains -A output -i $DEV_LAN -d $LAN -j ACCEPT

#----- Allow DNS queries to the Internet, both UDP and TCP -----
ipchains -A output -i $DEV_INET -p udp -d $INET 53 -j ACCEPT
ipchains -A input -i $DEV_INET -p udp -s $INET 53 -j ACCEPT
ipchains -A output -i $DEV_INET -p tcp -d $INET 53 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 53 -j ACCEPT ! -y

# Note on all "input ... ! -y" rules below: "! -y" only accepts TCP packets
# that are NOT the initial SYN, i.e. replies to connections opened from this
# host. No rule in the input chain accepts a new connection (SYN) to a server
# port on $DEV_INET, so outside hosts fall through to the default DENY.

#----- Allow HTTP -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y

#----- Allow HTTPS -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 443 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 443 -j ACCEPT ! -y

#----- Allow FTP -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 21 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 21 -j ACCEPT ! -y

#----- Extension for active FTP -----
# Active-mode data connections come in from remote port 20 as new SYNs,
# which is why this input rule has no "! -y".
ipchains -A output -i $DEV_INET -p tcp -d $INET 20 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 20 -j ACCEPT

#----- Allow SSH to the Internet -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 22 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 22 -j ACCEPT ! -y

#----- Allow SMTP to the Internet -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 25 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 25 -j ACCEPT ! -y

#----- Allow POP3 to the Internet -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 110 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 110 -j ACCEPT ! -y

#----- Unprivileged ports (replies to outbound connections) -----
# The last input rule originally matched "-d $INET" (destination); on the
# input chain the remote side is the source, so it is "-s" like the others.
ipchains -A output -i $DEV_INET -p tcp -d $INET 1023:65535 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 1023:65535 -j ACCEPT ! -y
ipchains -A output -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT
ipchains -A input -i $DEV_INET -p udp -s $INET 1023:65535 -j ACCEPT

#----- Create chains for ICMP -----
# Outgoing: never answer pings (echo-reply DENY), but allow our own pings
# and the error messages needed for working TCP/IP.
ipchains -N icmp-out
ipchains -A icmp-out -p icmp --icmp-type echo-reply -j DENY
ipchains -A icmp-out -p icmp --icmp-type echo-request -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT

# Incoming: drop echo-request so the host stays "invisible" to ping.
ipchains -N icmp-in
ipchains -A icmp-in -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type echo-request -j DENY
ipchains -A icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT

#----- Hand ICMP packets to the output chain -----
ipchains -A output -p icmp -j icmp-out

#----- Hand ICMP packets to the input chain -----
ipchains -A input -p icmp -j icmp-in

#----- Enable masquerading -----
# The original line had empty "-s" and "-d" arguments, which ipchains
# rejects; masquerade traffic from the LAN towards the Internet.
ipchains -A forward -s $LAN -d $INET -j MASQ
echo Firewall is up


Again, the problem is that nobody can connect except from inside the LAN.

Thanks in advance


Best regards,
 tim                          mailto:tim@atomstrahl.de
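To see why the posted script lets web replies in but rejects new connections to a server, here is an added example (not part of the posting) that models ipchains first-match evaluation for a few of the script's input rules; the interface name "ppp0", the port numbers and the packets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One ipchains rule, reduced to the fields that matter here."""
    iface: Optional[str]       # -i, None = any interface
    proto: Optional[str]       # -p, None = any protocol
    sport: Optional[int]       # source port, None = any
    dport: Optional[int]       # destination port, None = any
    syn_only: Optional[bool]   # True = "-y", False = "! -y", None = no check
    target: str                # ACCEPT or DENY

def evaluate(chain, policy, pkt):
    """First matching rule decides; otherwise the chain's default policy."""
    for r in chain:
        if r.iface is not None and r.iface != pkt["iface"]:
            continue
        if r.proto is not None and r.proto != pkt["proto"]:
            continue
        if r.sport is not None and r.sport != pkt["sport"]:
            continue
        if r.dport is not None and r.dport != pkt["dport"]:
            continue
        if r.syn_only is not None and r.syn_only != pkt["syn"]:
            continue
        return r.target
    return policy

# Input chain modelled on the script: non-SYN replies (! -y) from remote
# port 80 or 22 on the assumed Internet interface "ppp0"; policy is DENY.
INPUT_CHAIN = [
    Rule("ppp0", "tcp", 80, None, False, "ACCEPT"),
    Rule("ppp0", "tcp", 22, None, False, "ACCEPT"),
]

def pkt(sport, dport, syn):
    # Constructed TCP packet arriving on the Internet interface.
    return {"iface": "ppp0", "proto": "tcp", "sport": sport, "dport": dport, "syn": syn}

def web_reply():
    # Reply to our own outbound HTTP request: matches the port-80 rule.
    return evaluate(INPUT_CHAIN, "DENY", pkt(80, 1025, False))

def inbound_ssh_connect(chain=INPUT_CHAIN):
    # A remote client's SYN to our SSH server: the port-22 rule wants
    # source port 22 and "! -y", so nothing matches and DENY applies.
    return evaluate(chain, "DENY", pkt(1025, 22, True))

# What a reachable server needs: a rule that accepts new connections
# (SYN included) to the server's destination port.
SERVER_ACCEPT = Rule("ppp0", "tcp", None, 22, None, "ACCEPT")
```

Appending SERVER_ACCEPT to the chain is the one change that turns the SSH connect into ACCEPT while the ping and default-DENY behaviour stay as they are.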

