From: BGrummel@zuendel.de
To: netfilter@lists.samba.org
Subject: help!! hole in firewall --
Date: Fri, 7 Jun 2002 16:40:31 +0200 [thread overview]
Message-ID: <aear0l$7np$2@main.gmane.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 835 bytes --]
hello
i have a problem with my firewall
any port from outside is open,
while from inside to outside the rules work as intended
this is my configuration
backup FIREWALL (fw-x) CLIENTS (internal tr)
\ /
ISP------ROUTER----------Firewall--------ROUTER (internal eth)
(external eth) / \
PROXY WEBSERVER (internal tr)
(external eth)
my rules --see atm.
help
I don't know what it is.
I think it's in the keep-state part,
but if I change that, I would have to change every rule for all connections.
(See attached file: firewall.netfilter)
any help is welcome
thanks in advance
Dipl.-Ing.
Benno Grummel
ZUENDEL & Partner
Systems & Consultants
Abt. IT-Services
Fon: 02153-7376-0
Fax: 02153-7376-16
http://www.ZUENDEL.DE
[-- Attachment #2: firewall.netfilter --]
[-- Type: application/octet-stream, Size: 45497 bytes --]
#!/bin/sh
##################################################################
#
#
## Variables
# Packet-filter policy for the gateway sketched in the mail above
# (external eth0, internal eth1/tr0, cross-link eth2 to a second firewall).
# Everything from here down to the `case "$1"` dispatch runs on EVERY
# invocation, whatever the argument: the filter and mangle tables are
# flushed, the three built-in policies are set to DROP and the helper
# chains KEEP_STATE / CHECK_FLAGS are (re)built. Only the per-interface
# chains are created inside the case arms. No iptables exit code is ever
# checked (there is no `set -e`), so a rule that fails to load is skipped
# silently and the following rules are still appended.
IPTABLES="/sbin/iptables"
INTERNAL_ET="eth1" # Internal Ethernet Interface
INTERNAL_TR="tr0" # Internal Tokenring Interface
EXTERNAL="eth0" # External Interface
FW_X="eth2" # Cross-link to the second firewall (see the FW_X-input / FW_X-output rules)
#IP_ADRESSES
# NOTE(review): the addresses look sanitised (1.1.x.x) and several names
# share one value: INTERNAL_IT_WKS1 / ROUTER_IP (1.1.1.15),
# INTERNAL_IT_WKS2 / SSH_WKS_IP (1.1.1.16), SAP_ROUTER1_IP / WEBSERVER_IP1
# (1.1.1.20), SAP_ROUTER2_IP / WEBSERVER_IP2 (1.1.1.21), KUNDE_IP /
# WEBSERVER_IP3 (1.1.1.22), KUNDE2_IP / WEBSERVER_IP4 (1.1.1.23).
# Whether that is a placeholder artefact or the real layout must be
# confirmed before reading the rule set literally -- a rule written for
# one name silently applies to the other.
INTERNAL_OFFICIAL_NET="1.1.1.0/24"
INTERNAL_CLIENT_NET="1.1.3.0/24"
INTERNAL_ROUTER_NET="1.1.4.0/24"
INTERNAL_ROUTER2_NET="1.1.5.0/24"
INTERNAL_ROUTER3_NET="1.1.6.0/24"
INTERNAL_ROUTER4_NET="1.1.7.0/24"
INTERNAL_ROUTER5_NET="1.1.8.0/24"
FIREWALL_CONTROL_NET="1.1.9.0/24"
EXTERNAL_ROUTER_IP="1.1.1.1"
PROXY_REAL_IP="1.1.1.2"
PROXY_NAT_IP="1.1.1.3"
REMOTEUSER_IP="1.1.1.4" # lies inside INTERNAL_OFFICIAL_NET; see the KEEP_STATE exception below
REMOTEUSER_NET="1.1.10.0/24"
SSH_SERVER_IP="1.1.1.5"
DNS_IP="1.1.1.6"
VPN_IP="1.1.1.7"
DC_IP="1.1.1.8"
TIMESERVER_IP="1.1.1.9"
VM_IP="1.1.1.10"
INTERNAL_PMC_IP="1.1.1.11"
SAP_IIS_IP="1.1.1.12"
PCANYWERE_IP="1.1.1.13"
MMWKS_IP="1.1.1.14"
ROUTER_IP="1.1.1.15"
SSH_WKS_IP="1.1.1.16"
WEBSERVER_IP1="1.1.1.20"
WEBSERVER_IP2="1.1.1.21"
WEBSERVER_IP3="1.1.1.22"
WEBSERVER_IP4="1.1.1.23"
WEBSERVER_IP5="1.1.1.24"
WEBSERVER_IP6="1.1.1.25"
WEBSERVER_IP7="1.1.1.26"
WEBSERVER_IP8="1.1.1.27"
WEBSERVER_IP9="1.1.1.28"
WEBSERVER_IP10="1.1.1.29"
WEBSERVER_IP11="1.1.1.30"
WEBSERVER_IP12="1.1.1.31"
WEBSERVER_IP13="1.1.1.32"
WEBSERVER_IP14="1.1.1.33"
WEBSERVER_IP15="1.1.1.34"
WEBSERVER_IP16="1.1.1.35"
WEBSERVER_IP17="1.1.1.36"
WEBSERVER_IP18="1.1.1.37"
INTERNAL_IT_WKS1="1.1.1.15"
INTERNAL_IT_WKS2="1.1.1.16"
INTERNAL_IT_WKS3="1.1.1.17"
INTERNAL_IT_WKS4="1.1.1.18"
INTERNAL_IT_WKS5="1.1.1.19"
SAP_ROUTER1_IP="1.1.1.20"
SAP_ROUTER2_IP="1.1.1.21"
KUNDE_NET="1.1.11.0/24"
KUNDE_IP="1.1.1.22"
KUNDE2_IP="1.1.1.23"
PARTNER_NET="1.1.12.0/24"
## Flush Built-in Rules
# Unconditional: executed before "$1" is looked at. Flushes the filter
# table (-F without -t), the mangle table, and deletes the user-defined
# filter chains (-X). The nat table is not touched in this block.
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -X
## Set Default Policies
# Deny by default on all three built-in chains. Also unconditional, so an
# invocation whose argument matches no arm of the case below leaves the
# host with DROP policies and nothing but the helper chains defined.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# ecn-support cut because problems with some webservers
#echo 0 > /proc/sys/net/ipv4/tcp_ecn
## Special Chains First, INPUT/OUTPUT chains will follow
############################################################################
#
## Special Chains
############################################################################
#
############################################################################
#
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
# NOTE(review): the `-j KEEP_STATE` jump(s) are not in the part of the
# file shown here, so where in INPUT/FORWARD this chain sits relative to
# the EXTERNAL-* chains is unknown; the rule-by-rule notes below describe
# only what this chain itself does with a packet.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## ACCEPT certain packets which are starting a new connection or are
## related to an established connection.
## ACCEPT packets whose input interface is anything but the external interface.
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
# NEW is accepted only when neither the in- nor the out-interface is
# $EXTERNAL. `-i !` / `-o !` is the old intrapositioned negation syntax;
# newer iptables releases warn about or reject it and expect `! -i`.
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -o ! $EXTERNAL -m state --state NEW -j ACCEPT
## DROP packets associated with a NEW or "INVALID" connection.
## DROP TCP packets with only the SYN, SYN/URG, or SYN/PUSH flag set,
## perhaps a bit redundant.
#Remoteuser
# Accepts EVERY packet arriving on $EXTERNAL for $REMOTEUSER_IP: any
# protocol, any port, and -- because INVALID is listed -- packets the
# connection tracker could not classify, which the INVALID rule two lines
# further down would otherwise drop. This is the widest inbound exception
# in the chain and sits before the INVALID drop on purpose or by accident;
# worth checking first when "every port is open from outside" is reported
# for that host.
$IPTABLES -A KEEP_STATE -i $EXTERNAL -d $REMOTEUSER_IP -m state --state NEW,INVALID -j ACCEPT
# New TCP connections (SYN set, ACK clear) are accepted purely on the
# source address the packet carries; no destination or port is checked.
# Any packet reaching $EXTERNAL with that source address gets the same
# treatment, so this is address-based trust, not authentication.
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $REMOTEUSER_IP --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -m state --state INVALID -j DROP
# Same source-address-only trust for the proxy, explicitly to any
# destination (-d 0/0).
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $PROXY_REAL_IP -d 0/0 --tcp-flags SYN,ACK SYN -j ACCEPT
# Inbound SYNs are dropped unless the proxy is the source OR the
# destination. A SYN from anywhere *to* $PROXY_REAL_IP therefore matches
# nothing in this chain, falls off its end and returns to the caller;
# whether it is accepted is decided there, not here.
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -d ! $PROXY_REAL_IP --tcp-flags SYN,ACK SYN -j DROP
#tcp-reject for faster connections
#$IPTABLES -A KEEP_STATE -p tcp -j REJECT --reject-with tcp-reset
#$IPTABLES -A KEEP_STATE -j REJECT --reject-with icmp-port-unreachable
############################################################################
#
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.
## We set some limits here to limit the amount of crap that gets sent to the logs.
## Keep in mind that the first dozen rules should never match normal traffic, these
## rules are designed to capture obviously messed up packets... But there's
## alot of wierd shit out there, so who knows.
# Entered from EXTERNAL-input (all TCP arriving on $EXTERNAL) and from
# EXTERNAL-forward (TCP arriving on $EXTERNAL not sent by the proxy) --
# see the two `-j CHECK_FLAGS` rules further down -- and in both cases
# BEFORE those chains' own per-port DROP/ACCEPT rules. In every log/drop
# pair below only the LOG is rate-limited; the DROP is unconditional.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NMAP-XMAS:" ## NMAP Stuff
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Payload inspection on plain HTTP only (port 80; nothing inspects 443).
# `-m string` looks at the single packet it is handed, so a token split
# across two segments is not seen, and it matches the bytes anywhere in
# the packet -- "root" inside a legitimate URL or form field is dropped
# too. Treat these as noise reduction, not as a WAF.
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "root" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "cmd.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "franz.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "mmc.exe" -j DROP
# MIRROR swaps source and destination and sends the packet straight back
# out, i.e. the firewall itself emits traffic towards whatever source
# address the packet claimed. The target was later removed from the
# kernel; LOG + DROP is the conservative replacement. No `-p` here, so
# every protocol is string-scanned.
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m string --string "rober.de@12move.de" -j MIRROR
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m string --string "tini525@yahoo.com" -j MIRROR
## Make some types of port scanning annoyingly slow, also provides some protection
## against certain DoS attacks. Adjust for your network. The rule in chain
## KEEP_STATE referring to the INVALID state should catch most TCP packets with
## the RST or FIN bits set that aren't associate with an established connection.
## Still, these will limit the amount of stuff that is accepted through our open ports.
# psd (port-scan detector match) only LOGs here; nothing drops the
# flagged packets. The limit keeps the log volume down.
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m psd -m limit --psd-delay-threshold 3 --limit 1/min -j LOG --log-prefix "Port Scan: "
# NOTE(review): these three rules ACCEPT, and ACCEPT inside a user chain
# is final for the packet. `--tcp-flags ALL SYN` is exactly an ordinary
# connection request, so every new TCP connection that arrives on
# $EXTERNAL and reaches this chain is accepted here -- regardless of
# destination host or port -- as long as it stays under the (single,
# shared, not per-source) 1/second bucket. Because EXTERNAL-input and
# EXTERNAL-forward hand external TCP to this chain before their own
# per-port rules, this is the most direct explanation in the visible
# file for "any port from outside is open"; the mail's suspicion of
# KEEP_STATE does not match what this chain does. If the intent was only
# to throttle, the verdict here must be non-terminating (RETURN) so the
# calling chain still decides; the same applies to the RST and FIN rules.
# Packets above the rate are not dropped either -- they fall off the end
# and return to the caller.
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT
# Now, see how we were called
case "$1" in
start)
############################################################################
#
## Firewall Input Chains
############################################################################
#
############################################################################
#
## New chain for input to the external interface
echo " updated"
#
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -m multiport --dport 23,22 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -j CHECK_FLAGS
## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## On a separate router/firewall, these are redundant and pretty much useless.
## On a host, however, with a default they might serve a purpose.
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
## ICMP Stuff, we're going to allow some ICMP.
## DROP fragmented ICMP packets(sure, why not)
## This will only catch the second and further fragments.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping) -- Comment this if you don't like to be pinged
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
## TTL Exceeded (traceroute)
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
## DROP all icmp network broadcasts
## This may actually break things in a few cases
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP
############################################################################
#
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_TR-input
$IPTABLES -F INTERNAL_TR-input
$IPTABLES -N FW_X-input
$IPTABLES -F FW_X-input
#allow ping from internal to firewall
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
#temp ftp zum ssh-server
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $SSH_SERVER_IP -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-input -i $FW_X -p icmp -s $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for input to the loopback interface
$IPTABLES -N lo-input
$IPTABLES -F lo-input
## Accept packets to the loopback interface
$IPTABLES -A lo-input -i lo -j ACCEPT
############################################################################
#
## Firewall Output Chains
############################################################################
#
############################################################################
#
## New chain for output from the external interface
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output
## Just DROP all outgoing unroutables.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 224.0.0.0/8 -j DROP
############################################################################
#
## New chain for output across the internal interface
$IPTABLES -N INTERNAL_TR-output
$IPTABLES -F INTERNAL_TR-output
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N FW_X-output
$IPTABLES -F FW_X-output
## ACCEPT all outbound traffic across the internal interfaces
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_ET -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_ET -j ACCEPT
#ftpupload
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -d $SSH_WKS_IP -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-output -o $FW_X -p icmp -d $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for output across the loopback device
$IPTABLES -N lo-output
$IPTABLES -F lo-output
## ACCEPT all traffic across loopback device
$IPTABLES -A lo-output -o lo -j ACCEPT
############################################################################
#
## Firewall FORWARD Chains
############################################################################
#
############################################################################
# New chain for input to the external interface
#
$IPTABLES -N EXTERNAL-forward
$IPTABLES -F EXTERNAL-forward # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d 224.0.0.0/8 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -j CHECK_FLAGS
#PROXY II darf alles in unser Netz
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $PROXY_REAL_IP -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
#remoteuser
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT
#Proxy darf router-netz anpingen
$IPTABLES -A EXTERNAL-forward -p icmp -s $PROXY_REAL_IP -d $INTERNAL_ROUTER_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p icmp -d $PROXY_REAL_IP -s $INTERNAL_ROUTER_NET -j ACCEPT
## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## On a separate router/firewall, these are redundant and pretty much useless.
## On a host, however, with a default they might serve a purpose.
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --sport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
#DNS
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
#temp fuer active directory tests
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT
#smtp,http,https
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP1 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP2 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP3 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP4 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP5 -m multiport --dport 25,80,443,8000,8001,8042 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP6 -m multiport --dport 25,80,443,8100 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP7 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP8 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP9 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP10 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP11 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP12 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP13 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP14 -m multiport --dport 80,8022 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP15 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP16 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP17 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP18 --dport 80 -j ACCEPT
#webserver darf mailen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP2 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP3 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP4 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP5 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP6 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP7 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP8 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP9 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP10 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP11 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP12 --dport 80 -j ACCEPT
#webserver darf ins internet
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 80 -j ACCEPT
#Multimedia Arbeitsplatz darf ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
#Virtuell Maschine darf http und ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $VM_IP -m multiport --dport 20,21,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $VM_IP -m multiport --dport 20,21 -j ACCEPT
#SAP-router
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
#Proxy
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
#Proxy oberhalb 5000
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
#Proxy zur Partner auf extra ports
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
#citrix zu Kunde
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_CLIENT_NET -j ACCEPT
#PCANYWEHERE von Comp99
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT
#Proxy darf pingen
#$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#SAP-router
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
#KUNDE2 Telnet
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
#Zugriff PMC Entwicklungssystem
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 8001 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT
#PMC darf terminalserver nach aussen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_PMC_IP -j ACCEPT
#KUNDE3 SSH + VNC
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE_IP -d $INTERNAL_OFFICIAL_NET -m multiport --sport 5800,5801,5900,5901,10022,10122 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -m multiport --dport 5800,5801,5900,5901,10022,10122 -j ACCEPT
#Telnet auf XM2
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
#Zugriff auf SAPIIS Port 8800
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_IIS_IP --dport 8800 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_IIS_IP --sport 8800 -j ACCEPT
##Timeservice
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $PROXY_NAT_IP --dport 123 -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $PROXY_NAT_IP --dport 123 -j ACCEPT
#Timeservice
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
#SSH_WKS darf ssh
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p tcp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p udp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $SSH_WKS_IP -s 0/0 -m multiport --dport 22222,33333 -j ACCEPT
#REMOTEUSER aufProxy
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_NAT_IP -j ACCEPT
#REMOTE USER in unser Netz
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
# remote DynIP by Ebner u Martin in unser Netz
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
#priv Clients aufProxy
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_NAT_IP -j ACCEPT
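#VPN-Service
## Inbound from the Internet to the VPN host.
## GRE (IP protocol 47) carries the PPTP tunnel; it has no ports, so this
## rule is necessarily open to $VPN_IP for the whole protocol.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p 47 -d $VPN_IP -s 0/0 -j ACCEPT
## Replies to PPTP control connections that $VPN_IP opened OUTBOUND (the
## mirror of the "--dport 1723" rule in the outbound half below).
## Matching on the SOURCE port alone let anybody on the Internet reach
## *any* TCP port on $VPN_IP just by sending from port 1723. "! --syn"
## keeps the reply traffic and refuses new connections, without relying
## on the state module.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --sport 1723 ! --syn -j ACCEPT
## New PPTP control connections to the VPN host.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --dport 1723 -j ACCEPT
## NOTE(review): same source-port trust for UDP -- any datagram sent from
## port 53, 500, 1863, 4000 or 5000 reaches EVERY UDP port on $VPN_IP, and
## UDP has no SYN flag to filter on. The proper fix is to match the
## destination port(s) the VPN service really listens on (e.g. --dport 500
## if it speaks IKE) and let the ESTABLISHED/RELATED handling cover replies.
## Left unchanged because the VPN host's real port usage is not visible here.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT
## L2TP: both ends use UDP 1701.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 --dport 1701 --sport 1701 -j ACCEPT
## Outbound from the VPN host to the Internet (mirror of the inbound half).
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p 47 -s $VPN_IP -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --sport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 --dport 1701 --sport 1701 -j ACCEPT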
# IT department workstations: unrestricted outbound to the Internet
# (any protocol, any destination). $INTERNAL_IT_WKS1..5 are defined
# elsewhere in this script.
# NOTE(review): the script runs without "set -u". If one of these variables
# is empty, iptables rejects the malformed rule (that host simply gets no
# Internet access -- it fails closed) and the script carries on, showing
# only iptables' own error message.
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS1 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS2 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS3 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS4 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS5 -d 0/0 -j ACCEPT
# Telnet (tcp/23) between the external router and the whole official net,
# in both directions.
# NOTE(review): telnet is cleartext -- the router login crosses the external
# segment unencrypted, and the inbound rule lets the router (or anything
# spoofing $EXTERNAL_ROUTER_IP on $EXTERNAL) open telnet to every host in
# $INTERNAL_OFFICIAL_NET. Prefer SSH and narrow -d to the hosts that need it.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $EXTERNAL_ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $EXTERNAL_ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
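## ICMP Stuff, we're going to allow some ICMP.
## DROP fragmented ICMP packets(sure, why not)
## This will only catch the second and further fragments.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong) from outside, to any internal destination.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (needed for path MTU discovery and fast failures).
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping): not accepted globally -- only towards the hosts that
## are monitored from the Internet and the routers (CS 8.8.2001).
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $TIMESERVER_IP -j ACCEPT
## Ping to the proxy. This used to match "-d $PROXY_NAT_IP", which can never
## match in FORWARD: the nat PREROUTING rule rewrites that destination to
## $PROXY_REAL_IP before the filter table runs, so the rule was dead and
## pings to the proxy's public address were silently dropped. Match the
## address the packet actually carries at this point.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $PROXY_REAL_IP -j ACCEPT
## NOTE(review): this rule matches on the SOURCE address, and it is our own
## proxy NAT address. That address is put on by SNAT when traffic LEAVES
## $EXTERNAL, so a packet carrying it should not normally ARRIVE on
## $EXTERNAL. Verify the intent; if nothing depends on it, remove it -- it
## reads like a spoofed-source allowance (echo requests only, so the
## exposure is small).
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -s $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $VPN_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $EXTERNAL_ROUTER_IP -j ACCEPT
## (A "--limit 1/second" echo-request rule for $TIMESERVER_IP used to follow
## here. It was dead code: the unconditional rule above already accepts every
## echo request to that host. If rate limiting is wanted, the limited rule
## must come FIRST and the unconditional one has to go.)
## TTL Exceeded (traceroute): intentionally not accepted.
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
## DROP all ICMP to multicast destinations.
## This may actually break things in a few cases.
## The IPv4 multicast block is 224.0.0.0/4; the /8 used before covered only
## 224.x.x.x and left 225-239.x.x.x to the rules above / the policy.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp -d 224.0.0.0/4 -j DROP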
############################################################################
#
## New chain for input to the internal interface
#
## Forward chains for packets ARRIVING on the two internal interfaces
## (tr0 -> INTERNAL_TR-forward, eth1 -> INTERNAL_ET-forward). They are
## entered from FORWARD by arriving interface only; see the FORWARD jumps
## in the "Main Stuff" section. "-N" then "-F" tolerates a chain that is
## still present from an earlier start (the -N just reports an error).
$IPTABLES -N INTERNAL_ET-forward
$IPTABLES -F INTERNAL_ET-forward
$IPTABLES -N INTERNAL_TR-forward
$IPTABLES -F INTERNAL_TR-forward
## ACCEPT internal to internal traffic
## No protocol or port restriction: any IP traffic between these nets.
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER2_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER3_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER4_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER5_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER2_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER3_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER4_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER5_NET -j ACCEPT
## Traffic to/from the firewall control net on $FW_X (the backup firewall).
## NOTE(review): INTERNAL_TR-forward is only entered for packets that arrived
## on $INTERNAL_TR, so the "-i $FW_X" rule below can never match (a packet
## has exactly one arriving interface). Nothing in the visible FORWARD setup
## jumps anywhere for packets arriving on $FW_X; if traffic FROM the control
## net is meant to be forwarded it needs its own FORWARD jump (e.g. a
## FW_X-forward chain). The "-o $FW_X" rule (tr0 -> eth2) does work.
$IPTABLES -A INTERNAL_TR-forward -i $FW_X -s $FIREWALL_CONTROL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -o $FW_X -d $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for input to the loopback interface
## NOTE(review): lo-forward is created here but none of the visible FORWARD
## rules jump to it, and forwarded packets never arrive on lo anyway -- the
## chain is dead. Loopback is handled by lo-input / lo-output.
$IPTABLES -N lo-forward
$IPTABLES -F lo-forward
## Accept packets to the loopback interface
$IPTABLES -A lo-forward -i lo -j ACCEPT
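############################################################################
#
## Main Stuff
############################################################################
#
## INPUT: dispatch on the arriving interface to the per-interface chains
## (the *-input chains are built elsewhere in this script). A packet that
## its chain does not decide returns here and continues downwards.
$IPTABLES -A INPUT -i $INTERNAL_TR -j INTERNAL_TR-input
$IPTABLES -A INPUT -i $INTERNAL_ET -j INTERNAL_ET-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
$IPTABLES -A INPUT -i $FW_X -j FW_X-input
$IPTABLES -A INPUT -i lo -j lo-input
## Anything from the outside that EXTERNAL-input did not accept is dropped.
## This was "-j MIRROR" before. MIRROR swaps source and destination and
## sends the packet straight back out: with a spoofed source it turns this
## firewall into a reflector against third parties, and the target has been
## removed from current kernels. DROP is the safe replacement; put a
## rate-limited LOG rule in front of it if visibility is wanted. The match
## is kept exactly as it was, so packets from $PROXY_REAL_IP still fall
## through to the INPUT policy.
$IPTABLES -A INPUT -i $EXTERNAL -s ! $PROXY_REAL_IP -j DROP
## OUTPUT: same dispatch, on the outgoing interface. Packets leaving on an
## interface not listed here are decided by the OUTPUT policy.
$IPTABLES -A OUTPUT -o $INTERNAL_TR -j INTERNAL_TR-output
$IPTABLES -A OUTPUT -o $INTERNAL_ET -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $FW_X -j FW_X-output
$IPTABLES -A OUTPUT -o lo -j lo-output
## FORWARD. Order matters:
##  1. packets LEAVING on $EXTERNAL go through KEEP_STATE (built elsewhere in
##     this script) before any interface chain, so whatever KEEP_STATE
##     accepts outbound never reaches the rules below;
##  2. packets arriving on $EXTERNAL go through EXTERNAL-forward -- which is
##     also traversed for packets leaving on $EXTERNAL, so rules in it that
##     carry no -i/-o apply in both directions;
##  3. packets arriving on tr0 / eth1 go through their internal chains;
##  4. everything still undecided ends in KEEP_STATE.
## NOTE(review): step 4 means an inbound packet on $EXTERNAL that matched
## nothing in EXTERNAL-forward is decided by KEEP_STATE. If that chain
## accepts more than ESTABLISHED/RELATED (a NEW accept, or a bare ACCEPT),
## every port behind the firewall is reachable from the outside -- check it
## first when chasing the "all ports open from outside" symptom.
## NOTE(review): there is no FORWARD jump for packets arriving on $FW_X;
## those are handled only by the final KEEP_STATE jump and the policy.
$IPTABLES -A FORWARD -o $EXTERNAL -j KEEP_STATE
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -i $INTERNAL_TR -j INTERNAL_TR-forward
$IPTABLES -A FORWARD -i $INTERNAL_ET -j INTERNAL_ET-forward
$IPTABLES -A FORWARD -j KEEP_STATE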
############################################################################
#
## More Stuff:
############################################################################
#
## TOS marking for the firewall's OWN outbound traffic on $EXTERNAL
## (mangle/OUTPUT only -- forwarded traffic is not touched).
## TOS values (type: iptables -m tos -h), RFC 1060/1349 style:
##   Minimize-Delay        16 (0x10)
##   Maximize-Throughput    8 (0x08)
##   Maximize-Reliability   4 (0x04)
##   Minimize-Cost          2 (0x02)
##   Normal-Service         0 (0x00)
## - To view the mangle table, type: iptables -L -t mangle
## - The per-port rules are disjoint, so their order is irrelevant.
## Interactive / small-message services: minimize delay.
for port in 21 22 23 25 53; do
  $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp --dport $port -j TOS --set-tos Minimize-Delay
done
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p udp --dport 53 -j TOS --set-tos Minimize-Delay
## Bulk transfer services: maximize throughput.
for port in 20 80 143; do
  $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp --dport $port -j TOS --set-tos Maximize-Throughput
done
### END FIREWALL RULES ###
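## Might be a good idea to keep the NAT stuff in a separate file.
############################################################################
###
## IPTABLES Network Address Translation(NAT) Rules
############################################################################
###
#######################################################
## Destination NAT -- (DNAT)
#######################################################
## Redirect packets headed for certain ports on our external interface to other
## machines on the network.
# Proxy: rewrite the public NAT address to the proxy's real address.
# No -i and no port match, so this applies to packets from EVERY interface,
# and nat PREROUTING runs before the filter table: FORWARD rules written
# against $PROXY_NAT_IP never see a packet (the destination is already
# rewritten by the time they run).
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
## Static IP address ##
## Change source address of outgoing packets on external
## interface to our IP address.
# Proxy: appears as $PROXY_NAT_IP towards the Internet and towards eth1
# (the tr0 variant is disabled on purpose).
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
# SAP-router fallback: the second SAP router's tcp 3200-3399 traffic leaves
# under the proxy's NAT address on all three interfaces.
# ($SAP_ROUTER2_IP is defined elsewhere in this script.)
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
# KUNDE (customer network): everything leaving eth1 towards $KUNDE_NET is
# SNATed to $ROUTER_IP. This rule was appended twice before; the second copy
# could never match, one is enough.
# NOTE(review): the rule has no -s, so it also catches the official and
# client nets, and SNAT is terminating -- the two "Citrix" rules below are
# therefore never reached. If Citrix traffic is meant to show up as
# $KUNDE_IP, those two rules must come BEFORE this one. Order is left as it
# was because it is not visible which address the customer side expects.
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
# Citrix to KUNDE (currently shadowed, see above).
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
### END NAT RULES ###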
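############################################################################
###
## Additional Kernel Configuration
############################################################################
###
## - Enable IP Forwarding. Deliberately done LAST, after every rule is in
##   place, so the box never forwards with an empty or half-built ruleset.
## - Diagnostics go to stderr. The exit status stays 0 as before: a missing
##   or unwritable ip_forward is only reported, not treated as fatal (the
##   rules themselves are already loaded at this point).
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  echo 1 > /proc/sys/net/ipv4/ip_forward \
    || echo "Error: could not write /proc/sys/net/ipv4/ip_forward" >&2
else
  echo "Error: /proc/sys/net/ipv4/ip_forward doesn't exist" >&2
  echo "(This could be a potential problem)" >&2
fi
echo "FIREWALL is alive"
# Marker file for the init system; "stop" removes it again.
touch /var/lock/subsys/firewall
RETVAL=0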
;;
stop)
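# ----------------------------------------------------------------------------------------------------------------------- #
# Tear down: flush every chain of the filter, nat and mangle tables, delete
# the user-defined chains and reset the built-in chain policies to ACCEPT.
#
# !! After "stop" the host and all forwarding are WIDE OPEN. This is a
# !! maintenance state, not a safe state; use "close" to block everything.
#
# The per-table chain lists are the ones the original handled (mangle:
# PREROUTING and OUTPUT only). $IPTABLES is used instead of a bare
# "iptables" from $PATH so the same binary as in "start" is driven.
# "-X" is new: it deletes the user chains (EXTERNAL-forward, KEEP_STATE,
# ...) so no stale rules survive until the next "start".
# ----------------------------------------------------------------------------------------------------------------------- #
for TABLE in filter nat mangle; do
  case $TABLE in
    filter) CHAINS="INPUT FORWARD OUTPUT" ;;
    nat)    CHAINS="PREROUTING OUTPUT POSTROUTING" ;;
    mangle) CHAINS="PREROUTING OUTPUT" ;;
  esac
  for CHAIN in $CHAINS; do
    $IPTABLES -t $TABLE -F $CHAIN
    $IPTABLES -t $TABLE -P $CHAIN ACCEPT
  done
  # Flush whatever user chains are left, delete them, zero all counters.
  $IPTABLES -t $TABLE -F
  $IPTABLES -t $TABLE -X
  $IPTABLES -t $TABLE -Z
done
# ----------------------------------------------------------------------------------------------------------------------- #
echo "FIREWALL is down"
rm -f /var/lock/subsys/firewall
RETVAL=0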
;;
restart)
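# Full reload: tear everything down, then bring the rules back up.
# This used to run "$1 start", i.e. the literal word "restart" as a
# command. That command does not exist, so "restart" only ever ran "stop"
# and left the box with ACCEPT policies and no rules -- an open firewall.
# "$0" is this script; "start" creates the lock file itself.
"$0" stop
"$0" start
RETVAL=$?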
;;
close)
echo "FIREWALL will close all extended interfaces "
# "close" mode: DROP policy on all three built-in chains; only loopback is
# explicitly accepted.
# NOTE(review): the intent (comment below) is to keep traffic between the
# two firewalls working, but INTERNAL_ET-input / INTERNAL_ET-output are
# flushed here and never get an ACCEPT rule in this branch. Packets on
# $FW_X therefore jump into an empty chain, return, and hit the DROP policy.
# Nothing but lo passes.
# NOTE(review): INPUT/OUTPUT/FORWARD are not flushed first, so whatever an
# earlier "start" appended is still evaluated ahead of the rules added here,
# and the nat table is left untouched. Run "stop" first for a defined result.
#allow traffic between firewalls
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N lo-input
$IPTABLES -F lo-input
$IPTABLES -N lo-output
$IPTABLES -F lo-output
$IPTABLES -A lo-input -i lo -j ACCEPT
$IPTABLES -A lo-output -o lo -j ACCEPT
# The backup-firewall interface is routed into the (empty) INTERNAL_ET
# chains -- see the note above.
$IPTABLES -A INPUT -i $FW_X -j INTERNAL_ET-input
$IPTABLES -A INPUT -i lo -j lo-input
$IPTABLES -A OUTPUT -o $FW_X -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o lo -j lo-output
RETVAL=0
;;
open)
echo ""
echo "!!!! FIREWALL will open all interfaces !!!!!"
echo "not for normal use"
echo ""
# "open" mode: ACCEPT policies plus the same NAT rules as "start", with no
# filtering at all.
# NOTE(review): nothing is flushed here. Run straight after "start", the
# filter chains from "start" stay in place (so the box is NOT actually open)
# and every NAT rule below is appended a second time. Run "stop" first to
# get the advertised behaviour.
#allow traffic between firewalls
## Set Default Policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#######################################################
## Destination NAT -- (DNAT)
#######################################################
# Proxy: public NAT address -> real address (all interfaces, all ports).
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
# SAP-router fallback ($SAP_ROUTER2_IP is defined elsewhere in this script).
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
# KUNDE (customer network)
# NOTE(review): the two rules below are identical (the second never
# matches), and because the first has no -s and SNAT is terminating, the
# more specific "Citrix" rules after it can never match either.
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
# Citrix to KUNDE (shadowed by the rule above).
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
RETVAL=0
;;
esac
exit $RETVAL