
Desktop Firewall – iptables

This blog post has been published on 2010-01-31 and may be out of date.

Anbei eine Beispiel-Firewall mit iptables für einen Desktop PC.

__________________________

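#!/bin/bash
#
# Example iptables firewall for a desktop PC.
#
# Default policy is DROP on INPUT, OUTPUT and FORWARD. Loopback is always
# allowed, an SSH server and incoming ping are optional (SSH / PING below),
# and replies to connections the desktop opens itself are accepted statefully.
#
# Only the "filter" table is touched (-F/-X do not clear nat or mangle).
# Must run as root. Under set -e a failing iptables call aborts the script and
# leaves the DROP policies in place, i.e. the host fails closed, not open.
set -eu

INTERFACE="eth1"
NET="192.168.30.0/24"
MEINE_IP="192.168.30.226"

PING="yes"
SSH="yes"

if [ "$(id -u)" -ne 0 ]; then
    printf '%s\n' "this script must run as root" >&2
    exit 1
fi

# Set the policies first and flush afterwards: flushing first would leave a
# short window with no rules and the previous (possibly ACCEPT) policy.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# delete old rules and user-defined chains (filter table only)
iptables -F
iptables -X

# Loopback: local services (resolver, X, databases, ...) talk over lo; with a
# DROP policy and no lo rule they would silently stop working.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

if [ "$SSH" = "yes" ] ; then
    # allow - ssh. sftp and scp run inside the SSH connection on port 22, so
    # no extra port is opened (TCP 115 is the unrelated legacy Simple File
    # Transfer Protocol, RFC 913, and is not needed for scp/sftp).
    iptables -A INPUT -i "${INTERFACE}" -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o "${INTERFACE}" -p tcp --sport 22 --dport 1024:65535 -j ACCEPT
else
    # block ssh and report connection attempts in syslog; the limit match
    # keeps a scanner from flooding the log
    iptables -A INPUT -i "${INTERFACE}" -p tcp --dport 22 -m limit --limit 6/min -j LOG --log-prefix "Hack-Alarm:"
    iptables -A INPUT -i "${INTERFACE}" -p tcp --dport 22 -j DROP
fi

if [ "$PING" = "yes" ] ; then
    # allow - incoming icmp echo-request (ping)
    iptables -A INPUT -i "${INTERFACE}" -p icmp --icmp-type echo-request -j ACCEPT
else
    # block - incoming icmp echo-request (ping)
    iptables -A INPUT -i "${INTERFACE}" -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
fi
# outgoing icmp to the local net (echo replies, unreachables, ...) is allowed
# in both cases
iptables -A OUTPUT -o "${INTERFACE}" -p icmp -d "${NET}" -j ACCEPT

# allow - connections to the outside and the replies to them
iptables -A OUTPUT -o "${INTERFACE}" -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "${INTERFACE}" -d "${MEINE_IP}" -m state --state RELATED,ESTABLISHED -j ACCEPT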