help!! whole in firewall --

Linux Netfilter discussions
 help / color / mirror / Atom feed

From: BGrummel@zuendel.de
To: netfilter@lists.samba.org
Subject: help!! whole in firewall --
Date: Fri, 7 Jun 2002 16:40:31 +0200	[thread overview]
Message-ID: <aear0l$7np$2@main.gmane.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 835 bytes --]


hello
i have a problem with my firewall
any ports from outside are opend,
from inside to outside are the rules ok


this is my configuration



backup FIREWALL (fw-x)     CLIENTS (internal tr)
               \    /
ISP------ROUTER----------Firewall--------ROUTER (internal eth)
     (external eth)    /                 \
                  PROXY                    WEBSERVER (internal tr)
          (external eth)



my rules --see atm.


help
I don´t know what it is
I think its in the keep-state part
but if I change it i had to change any rule for all connections

(See attached file: firewall.netfilter)

any help is welcome

thanks in advise


Dipl.-Ing.
Benno Grummel
ZUENDEL & Partner
Systems & Consultants
Abt. IT-Services
Fon:   02153-7376-0
Fax:   02153-7376-16
http://www.ZUENDEL.DE

[-- Attachment #2: firewall.netfilter --]
[-- Type: application/octet-stream, Size: 45497 bytes --]

#!/bin/sh
##################################################################
#

#	
## Variables
IPTABLES="/sbin/iptables"
INTERNAL_ET="eth1" # Internal Ethernet Interface
INTERNAL_TR="tr0" # Internal Tokenring Interface
EXTERNAL="eth0" # External Interface
FW_X="eth2"

#IP_ADRESSES
INTERNAL_OFFICIAL_NET="1.1.1.0/24"
INTERNAL_CLIENT_NET="1.1.3.0/24"
INTERNAL_ROUTER_NET="1.1.4.0/24"
INTERNAL_ROUTER2_NET="1.1.5.0/24"
INTERNAL_ROUTER3_NET="1.1.6.0/24"
INTERNAL_ROUTER4_NET="1.1.7.0/24"
INTERNAL_ROUTER5_NET="1.1.8.0/24"
FIREWALL_CONTROL_NET="1.1.9.0/24"
EXTERNAL_ROUTER_IP="1.1.1.1"

PROXY_REAL_IP="1.1.1.2"
PROXY_NAT_IP="1.1.1.3"
REMOTEUSER_IP="1.1.1.4"
REMOTEUSER_NET="1.1.10.0/24"

SSH_SERVER_IP="1.1.1.5"
DNS_IP="1.1.1.6"
VPN_IP="1.1.1.7"
DC_IP="1.1.1.8"
TIMESERVER_IP="1.1.1.9"
VM_IP="1.1.1.10"
INTERNAL_PMC_IP="1.1.1.11"
SAP_IIS_IP="1.1.1.12"
PCANYWERE_IP="1.1.1.13"
MMWKS_IP="1.1.1.14"
ROUTER_IP="1.1.1.15"
SSH_WKS_IP="1.1.1.16"

WEBSERVER_IP1="1.1.1.20"
WEBSERVER_IP2="1.1.1.21"
WEBSERVER_IP3="1.1.1.22"
WEBSERVER_IP4="1.1.1.23"
WEBSERVER_IP5="1.1.1.24"
WEBSERVER_IP6="1.1.1.25"
WEBSERVER_IP7="1.1.1.26"
WEBSERVER_IP8="1.1.1.27"
WEBSERVER_IP9="1.1.1.28"
WEBSERVER_IP10="1.1.1.29"
WEBSERVER_IP11="1.1.1.30"
WEBSERVER_IP12="1.1.1.31"
WEBSERVER_IP13="1.1.1.32"
WEBSERVER_IP14="1.1.1.33"
WEBSERVER_IP15="1.1.1.34"
WEBSERVER_IP16="1.1.1.35"
WEBSERVER_IP17="1.1.1.36"
WEBSERVER_IP18="1.1.1.37"

INTERNAL_IT_WKS1="1.1.1.15"
INTERNAL_IT_WKS2="1.1.1.16"
INTERNAL_IT_WKS3="1.1.1.17"
INTERNAL_IT_WKS4="1.1.1.18"
INTERNAL_IT_WKS5="1.1.1.19"

SAP_ROUTER1_IP="1.1.1.20"
SAP_ROUTER2_IP="1.1.1.21"

KUNDE_NET="1.1.11.0/24"
KUNDE_IP="1.1.1.22"
KUNDE2_IP="1.1.1.23"
PARTNER_NET="1.1.12.0/24"

## Flush Built-in Rules
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -X
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# ecn-support cut because problems with some webservers
#echo 0 > /proc/sys/net/ipv4/tcp_ecn
## Special Chains First, INPUT/OUTPUT chains will follow
############################################################################
#
## Special Chains
############################################################################
#
############################################################################
#
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## ACCEPT certain packets which are starting a new connection or are
## related to an established connection.
## ACCEPT packets whose input interface is anything but the external interface.
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -o ! $EXTERNAL -m state --state NEW -j ACCEPT
## DROP packets associated with a NEW or "INVALID" connection.
## DROP TCP packets with only the SYN, SYN/URG, or SYN/PUSH flag set,
## perhaps a bit redundant.

#Remoteuser
$IPTABLES -A KEEP_STATE -i $EXTERNAL -d $REMOTEUSER_IP -m state --state NEW,INVALID -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $REMOTEUSER_IP --tcp-flags SYN,ACK SYN -j ACCEPT

$IPTABLES -A KEEP_STATE -i $EXTERNAL -m state --state INVALID -j DROP
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $PROXY_REAL_IP -d 0/0 --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -d ! $PROXY_REAL_IP --tcp-flags SYN,ACK SYN -j DROP
#tcp-reject for faster connections
#$IPTABLES -A KEEP_STATE -p tcp -j REJECT --reject-with tcp-reset
#$IPTABLES -A KEEP_STATE -j REJECT --reject-with icmp-port-unreachable
############################################################################
#
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.
## We set some limits here to limit the amount of crap that gets sent to the logs.
## Keep in mind that the first dozen rules should never match normal traffic, these
## rules are designed to capture obviously messed up packets... But there's
## alot of wierd shit out there, so who knows.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NMAP-XMAS:" ## NMAP Stuff
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "root" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "cmd.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "franz.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "mmc.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m string --string "rober.de@12move.de" -j MIRROR
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m string --string "tini525@yahoo.com" -j MIRROR

## Make some types of port scanning annoyingly slow, also provides some protection
## against certain DoS attacks. Adjust for your network. The rule in chain
## KEEP_STATE referring to the INVALID state should catch most TCP packets with
## the RST or FIN bits set that aren't associate with an established connection.
## Still, these will limit the amount of stuff that is accepted through our open ports.
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m psd -m limit --psd-delay-threshold 3 --limit 1/min -j LOG --log-prefix "Port Scan: "
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT

# Now, see how we were called
case "$1" in
start)
############################################################################
#
## Firewall Input Chains
############################################################################
#
############################################################################
#
## New chain for input to the external interface
echo " updated"
#
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -m multiport --dport 23,22 -j DROP

## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -j CHECK_FLAGS

## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## On a separate router/firewall, these are redundant and pretty much useless.
## On a host, however, with a default they might serve a purpose.
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
## ICMP Stuff, we're going to allow some ICMP.
## DROP fragmented ICMP packets(sure, why not)
## This will only catch the second and further fragments.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping) -- Comment this if you don't like to be pinged
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
## TTL Exceeded (traceroute)
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
## DROP all icmp network broadcasts
## This may actually break things in a few cases
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP

############################################################################
#
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_TR-input
$IPTABLES -F INTERNAL_TR-input
$IPTABLES -N FW_X-input
$IPTABLES -F FW_X-input


#allow ping from internal to firewall
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
#temp ftp zum ssh-server
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $SSH_SERVER_IP -j ACCEPT

#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-input -i $FW_X -p icmp -s $FIREWALL_CONTROL_NET -j ACCEPT

############################################################################
#
## New chain for input to the loopback interface
$IPTABLES -N lo-input
$IPTABLES -F lo-input
## Accept packets to the loopback interface
$IPTABLES -A lo-input -i lo -j ACCEPT

############################################################################
#
## Firewall Output Chains
############################################################################
#
############################################################################
#
## New chain for output from the external interface
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output

## Just DROP all outgoing unroutables.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 224.0.0.0/8 -j DROP

############################################################################
#
## New chain for output across the internal interface
$IPTABLES -N INTERNAL_TR-output
$IPTABLES -F INTERNAL_TR-output
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N FW_X-output
$IPTABLES -F FW_X-output
## ACCEPT all outbound traffic across the internal interfaces
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_ET -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_ET -j ACCEPT
#ftpupload
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -d $SSH_WKS_IP -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-output -o $FW_X -p icmp -d $FIREWALL_CONTROL_NET -j ACCEPT

############################################################################
#
## New chain for output across the loopback device
$IPTABLES -N lo-output
$IPTABLES -F lo-output
## ACCEPT all traffic across loopback device
$IPTABLES -A lo-output -o lo -j ACCEPT

############################################################################
#
## Firewall FORWARD Chains
############################################################################
#
############################################################################
# New chain for input to the external interface
#
$IPTABLES -N EXTERNAL-forward
$IPTABLES -F EXTERNAL-forward # Flush chain

## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d 224.0.0.0/8 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -j CHECK_FLAGS
#PROXY II darf alles in unser Netz
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $PROXY_REAL_IP -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
#remoteuser
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT

#Proxy darf router-netz anpingen
$IPTABLES -A EXTERNAL-forward -p icmp -s $PROXY_REAL_IP -d $INTERNAL_ROUTER_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p icmp -d $PROXY_REAL_IP -s $INTERNAL_ROUTER_NET -j ACCEPT


## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## On a separate router/firewall, these are redundant and pretty much useless.
## On a host, however, with a default they might serve a purpose.
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --sport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP

#DNS
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
#temp fuer active directory tests
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT

#smtp,http,https
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP1 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP2 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP3 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP4 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP5 -m multiport --dport 25,80,443,8000,8001,8042 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP6 -m multiport --dport 25,80,443,8100 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP7 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP8 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP9 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP10 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP11 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP12 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP13 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP14 -m multiport --dport 80,8022 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP15 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP16 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP17 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP18 --dport 80 -j ACCEPT
#webserver darf mailen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP2 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP3 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP4 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP5 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP6 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP7 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP8 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP9 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP10 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP11 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP12 --dport 80 -j ACCEPT
#webserver darf ins internet
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 80 -j ACCEPT
#Multimedia Arbeitsplatz darf ftp 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
#Virtuell Maschine darf http und ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $VM_IP -m multiport --dport 20,21,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $VM_IP -m multiport --dport 20,21 -j ACCEPT
#SAP-router
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT 

#Proxy
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT 
#Proxy oberhalb 5000
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT 
#Proxy zur Partner auf extra ports
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT 

#citrix zu Kunde
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_CLIENT_NET -j ACCEPT
#PCANYWEHERE von Comp99
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT 
#Proxy darf pingen
#$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s $PROXY_REAL_IP -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s PROXY_REAL_IP -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT

#SAP-router
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT 

#KUNDE2 Telnet
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT 
#Zugriff PMC Entwicklungssystem
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 8001 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT 
#PMC darf terminalserver nach aussen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_PMC_IP -j ACCEPT

#KUNDE3 SSH + VNC
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE_IP -d $INTERNAL_OFFICIAL_NET -m multiport --sport 5800,5801,5900,5901,10022,10122 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -m multiport --dport 5800,5801,5900,5901,10022,10122 -j ACCEPT 
#Telnet auf XM2
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT 
#Zugriff auf SAPIIS Port 8800
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_IIS_IP --dport 8800 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_IIS_IP --sport 8800 -j ACCEPT 
##Timeservice
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $PROXY_NAT_IP --dport 123 -j ACCEPT 
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $PROXY_NAT_IP --dport 123 -j ACCEPT 
#Timeservice 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT 

#SSH_WKS darf ssh
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p tcp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p udp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $SSH_WKS_IP -s 0/0 -m multiport --dport 22222,33333 -j ACCEPT

#REMOTEUSER aufProxy
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_REAL_IP -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_NAT_IP -j ACCEPT 
#REMOTE USER in unser Netz
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 

# remote DynIP by Ebner u Martin in unser Netz
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT 

#priv Clients aufProxy
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_NAT_IP -j ACCEPT 

#VPN-Service
#rein von extern
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p 47 -d $VPN_IP -s 0/0  -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --sport 1723 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --dport 1723 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 --dport 1701 --sport 1701 -j ACCEPT 
#raus nach extern
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p 47 -s $VPN_IP -d 0/0  -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --sport 1723 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --dport 1723 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 --dport 1701 --sport 1701 -j ACCEPT 

#IT-Rechner
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS1 -d 0/0 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS2 -d 0/0 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS3 -d 0/0 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS4 -d 0/0 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS5 -d 0/0 -j ACCEPT 

$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $EXTERNAL_ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT 
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $EXTERNAL_ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT 

## ICMP Stuff, we're going to allow some ICMP.
## DROP fragmented ICMP packets(sure, why not)
## This will only catch the second and further fragments.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping) -- Comment this if you don't like to be pinged
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

# Accept ping only for our Inernet watched hosts and routers CS 8.8.2001
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $TIMESERVER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -s $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $VPN_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $EXTERNAL_ROUTER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d $TIMESERVER_IP -j ACCEPT
## TTL Exceeded (traceroute)
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
## DROP all icmp network broadcasts
## This may actually break things in a few cases
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP

############################################################################
#
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-forward
$IPTABLES -F INTERNAL_ET-forward
$IPTABLES -N INTERNAL_TR-forward
$IPTABLES -F INTERNAL_TR-forward

## ACCEPT internal to internal traffic
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER2_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER3_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER4_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER5_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER2_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER3_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER4_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER5_NET -j ACCEPT

#internal FX allow
$IPTABLES -A INTERNAL_TR-forward -i $FW_X -s $FIREWALL_CONTROL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -o $FW_X -d $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for input to the loopback interface
$IPTABLES -N lo-forward
$IPTABLES -F lo-forward
## Accept packets to the loopback interface
$IPTABLES -A lo-forward -i lo -j ACCEPT


############################################################################
#
## Main Stuff
############################################################################
#
## Jumping to our INPUT chains.
$IPTABLES -A INPUT -i $INTERNAL_TR -j INTERNAL_TR-input
$IPTABLES -A INPUT -i $INTERNAL_ET -j INTERNAL_ET-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
$IPTABLES -A INPUT -i $FW_X -j FW_X-input
$IPTABLES -A INPUT -i lo -j lo-input
## mirror everything else
$IPTABLES -A INPUT -i $EXTERNAL -s ! $PROXY_REAL_IP -j MIRROR
## Jump to our OUTPUT chains.
$IPTABLES -A OUTPUT -o $INTERNAL_TR -j INTERNAL_TR-output
$IPTABLES -A OUTPUT -o $INTERNAL_ET -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $FW_X -j FW_X-output
$IPTABLES -A OUTPUT -o lo -j lo-output
## Jump to KEEP_STATE to accept packets that are part of an established
## connection, and DROP packets that may be trying to establish a new connection.
$IPTABLES -A FORWARD -o $EXTERNAL -j KEEP_STATE
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -i $INTERNAL_TR -j INTERNAL_TR-forward
$IPTABLES -A FORWARD -i $INTERNAL_ET -j INTERNAL_ET-forward
$IPTABLES -A FORWARD -j KEEP_STATE

############################################################################
#
## More Stuff:
############################################################################
#
## Rule to mangle TOS values
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)
## - Most of these are the RFC 1060/1349 compliant TOS values, yours might vary.
## - The -d 0/0 is a bit redundant.
## - To view mangle table, type: iptables -L -t mangle
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 20 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 21 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 22 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 23 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 25 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p udp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 80 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 143 -j TOS --set-tos Maximize-Throughput #8 #0x08
### END FIREWALL RULES ###

## Might be a good idea to keep the NAT stuff in a separate file.
############################################################################
###
## IPTABLES Network Address Translation(NAT) Rules
############################################################################
###
#######################################################
## Destination NAT -- (DNAT)
#######################################################
## Redirect packets headed for certain ports on our external interface to other
## machines on the network.
#Proxy umleiten zieladresse aendern
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP


#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
## Static IP address ##
## Change source address of outgoing packets on external
## interface to our IP address.
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#SAP-ROUTER fallback
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport  3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport  3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport  3200:3399 --to $PROXY_NAT_IP

#KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP

#Citrix nach KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP

### END NAT RULES ###

############################################################################
###
## Additional Kernel Configuration
############################################################################
###
## - Enable IP Forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward
else
echo "Error: /proc/sys/net/ipv4/ip_forward doesn't exist"
echo "(This could be a potential problem)"
fi
echo "FIREWALL is alive"
		touch /var/lock/subsys/firewall
		RETVAL=0
		;;
stop)
		# ----------------------------------------------------------------------------------------------------------------------- #
		# filter table
		TABLE=filter
		
		CHAIN=INPUT
		iptables -t $TABLE -F $CHAIN
		iptables -t $TABLE -P $CHAIN ACCEPT
		
		CHAIN=FORWARD
		iptables -t $TABLE -F $CHAIN
		iptables -t $TABLE -P $CHAIN ACCEPT
		
		CHAIN=OUTPUT
		iptables -t $TABLE -F $CHAIN
		iptables -t $TABLE -P $CHAIN ACCEPT
		
		iptables -t $TABLE -Z
		
		# ----------------------------------------------------------------------------------------------------------------------- #
		# nat table
		TABLE=nat
		
		CHAIN=PREROUTING
		iptables -t $TABLE -F $CHAIN
		iptables -t $TABLE -P $CHAIN ACCEPT
		
		CHAIN=OUTPUT
		iptables -t $TABLE -F $CHAIN
		iptables -t $TABLE -P $CHAIN ACCEPT
		
		CHAIN=POSTROUTING
		iptables -t $TABLE -F $CHAIN
		iptables -t $TABLE -P $CHAIN ACCEPT
		
		iptables -t $TABLE -Z

		# ----------------------------------------------------------------------------------------------------------------------- #
		# mangle table
		TABLE=mangle
		
		CHAIN=PREROUTING
		iptables -t $TABLE -F $CHAIN
		iptables -t $TABLE -P $CHAIN ACCEPT
		
		CHAIN=OUTPUT
		iptables -t $TABLE -F $CHAIN
		iptables -t $TABLE -P $CHAIN ACCEPT
		
		iptables -t $TABLE -Z
		
		# ----------------------------------------------------------------------------------------------------------------------- #
		
echo "FIREWALL is down"
		rm -f /var/lock/subsys/firewall
		RETVAL=0
		;;
restart)
		$0 stop
		$1 start
		
		touch /var/lock/subsys/firewall
		RETVAL=0
		;;

close)
echo "FIREWALL will close all extended interfaces "
#allow trafic between firewalls
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N lo-input
$IPTABLES -F lo-input
$IPTABLES -N lo-output
$IPTABLES -F lo-output

$IPTABLES -A lo-input -i lo -j ACCEPT
$IPTABLES -A lo-output -o lo -j ACCEPT

$IPTABLES -A INPUT -i $FW_X -j INTERNAL_ET-input
$IPTABLES -A INPUT -i lo -j lo-input
$IPTABLES -A OUTPUT -o $FW_X -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o lo -j lo-output

RETVAL=0
;;

open)

echo ""
echo "!!!!  FIREWALL will open all interfaces !!!!!"
echo "not for normal use"
echo ""
#allow trafic between firewalls
## Set Default Policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT


#######################################################
## Destination NAT -- (DNAT)
#######################################################
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP


#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#SAP-ROUTER fallback
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport  3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport  3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport  3200:3399 --to $PROXY_NAT_IP
#KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
#Citrix nach KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP


RETVAL=0

;;

esac

exit $RETVAL

next             reply	other threads:[~2002-06-07 14:40 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-06-07 14:40 BGrummel [this message]
  -- strict thread matches above, loose matches on Subject: below --
2002-06-07 15:08 help!! whole in firewall -- BGrummel
2002-06-10  8:42 BGrummel
2002-06-10  9:03 BGrummel
2002-06-10  9:38 Hard__warE

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='aear0l$7np$2@main.gmane.org' \
    --to=bgrummel@zuendel.de \
    --cc=netfilter@lists.samba.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox