* help!! whole in firewall --
@ 2002-06-10 8:42 BGrummel
0 siblings, 0 replies; 5+ messages in thread
From: BGrummel @ 2002-06-10 8:42 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 678 bytes --]
hello
i have a problem with my firewall
any ports from outside are opend,
from inside to outside are the rules ok
this is my configuration
backup FIREWALL (fw-x) CLIENTS (internal tr)
\ /
ISP------ROUTER----------Firewall--------ROUTER (internal eth)
(external eth) / \
PROXY WEBSERVER (internal tr)
(external eth)
my rules --see atm.
help
I don´t know what it is
I think its in the keep-state part
but if I change it i had to change any rule for all connections
any help is welcome
thanks in advise
(See attached file: firewall.netfilter)
[-- Attachment #2: firewall.netfilter --]
[-- Type: application/octet-stream, Size: 35697 bytes --]
#!/bin/sh
##################################################################
#
#
## Variables
IPTABLES="/sbin/iptables"
INTERNAL_ET="eth1" # Internal Ethernet Interface
INTERNAL_TR="tr0" # Internal Tokenring Interface
EXTERNAL="eth0" # External Interface
FW_X="eth2" # testinterface for backupfirewall
#IP_ADRESSES
INTERNAL_OFFICIAL_NET="1.1.1.0/24"
INTERNAL_CLIENT_NET="1.1.3.0/24"
INTERNAL_ROUTER_NET="1.1.4.0/24"
INTERNAL_ROUTER2_NET="1.1.5.0/24"
INTERNAL_ROUTER3_NET="1.1.6.0/24"
INTERNAL_ROUTER4_NET="1.1.7.0/24"
INTERNAL_ROUTER5_NET="1.1.8.0/24"
FIREWALL_CONTROL_NET="1.1.9.0/24"
EXTERNAL_ROUTER_IP="1.1.1.1"
PROXY_REAL_IP="1.1.1.2"
PROXY_NAT_IP="1.1.1.3"
REMOTEUSER_IP="1.1.1.4"
REMOTEUSER_NET="1.1.10.0/24"
SSH_SERVER_IP="1.1.1.5"
DNS_IP="1.1.1.6"
VPN_IP="1.1.1.7"
DC_IP="1.1.1.8"
TIMESERVER_IP="1.1.1.9"
VM_IP="1.1.1.10"
INTERNAL_PMC_IP="1.1.1.11"
SAP_IIS_IP="1.1.1.12"
PCANYWERE_IP="1.1.1.13"
MMWKS_IP="1.1.1.14"
ROUTER_IP="1.1.1.15"
SSH_WKS_IP="1.1.1.16"
WEBSERVER_IP1="1.1.1.20"
INTERNAL_IT_WKS1="1.1.1.15"
SAP_ROUTER1_IP="1.1.1.20"
SAP_ROUTER2_IP="1.1.1.21"
KUNDE_NET="1.1.11.0/24"
KUNDE_IP="1.1.1.22"
KUNDE2_IP="1.1.1.23"
PARTNER_NET="1.1.12.0/24"
## Flush Built-in Rules
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -X
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# ecn-support cut because problems with some webservers
#echo 0 > /proc/sys/net/ipv4/tcp_ecn
## Special Chains First, INPUT/OUTPUT chains will follow
############################################################################
#
## Special Chains
############################################################################
#
############################################################################
#
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## ACCEPT certain packets which are starting a new connection or are
## related to an established connection.
## ACCEPT packets whose input interface is anything but the external interface.
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -o ! $EXTERNAL -m state --state NEW -j ACCEPT
## DROP packets associated with a NEW or "INVALID" connection.
## DROP TCP packets with only the SYN, SYN/URG, or SYN/PUSH flag set,
## perhaps a bit redundant.
#Remoteuser
$IPTABLES -A KEEP_STATE -i $EXTERNAL -d $REMOTEUSER_IP -m state --state NEW,INVALID -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $REMOTEUSER_IP --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -m state --state INVALID -j DROP
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $PROXY_REAL_IP -d 0/0 --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -d ! $PROXY_REAL_IP --tcp-flags SYN,ACK SYN -j DROP
#tcp-reject for faster connections
#$IPTABLES -A KEEP_STATE -p tcp -j REJECT --reject-with tcp-reset
#$IPTABLES -A KEEP_STATE -j REJECT --reject-with icmp-port-unreachable
############################################################################
#
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.
## We set some limits here to limit the amount of crap that gets sent to the logs.
## Keep in mind that the first dozen rules should never match normal traffic, these
## rules are designed to capture obviously messed up packets... But there's
## alot of wierd shit out there, so who knows.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NMAP-XMAS:" ## NMAP Stuff
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "root" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "cmd.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "mmc.exe" -j DROP
## Make some types of port scanning annoyingly slow, also provides some protection
## against certain DoS attacks. Adjust for your network. The rule in chain
## KEEP_STATE referring to the INVALID state should catch most TCP packets with
## the RST or FIN bits set that aren't associate with an established connection.
## Still, these will limit the amount of stuff that is accepted through our open ports.
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m psd -m limit --psd-delay-threshold 3 --limit 1/min -j LOG --log-prefix "Port Scan: "
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT
# Now, see how we were called
case "$1" in
start)
############################################################################
## Firewall Input Chains
############################################################################
## New chain for input to the external interface
echo " updated"
#
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -m multiport --dport 23,22 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -j CHECK_FLAGS
## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## On a separate router/firewall, these are redundant and pretty much useless.
## On a host, however, with a default they might serve a purpose.
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
## ICMP Stuff, we're going to allow some ICMP.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## DROP all icmp network broadcasts
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_TR-input
$IPTABLES -F INTERNAL_TR-input
$IPTABLES -N FW_X-input
$IPTABLES -F FW_X-input
#allow ping from internal to firewall
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-input -i $FW_X -p icmp -s $FIREWALL_CONTROL_NET -j ACCEPT
#
## New chain for input to the loopback interface
$IPTABLES -N lo-input
$IPTABLES -F lo-input
## Accept packets to the loopback interface
$IPTABLES -A lo-input -i lo -j ACCEPT
############################################################################
## Firewall Output Chains
############################################################################
## New chain for output from the external interface
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output
## Just DROP all outgoing unroutables.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 224.0.0.0/8 -j DROP
#
## New chain for output across the internal interface
$IPTABLES -N INTERNAL_TR-output
$IPTABLES -F INTERNAL_TR-output
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N FW_X-output
$IPTABLES -F FW_X-output
## ACCEPT all outbound traffic across the internal interfaces
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_ET -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_ET -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-output -o $FW_X -p icmp -d $FIREWALL_CONTROL_NET -j ACCEPT
## New chain for output across the loopback device
$IPTABLES -N lo-output
$IPTABLES -F lo-output
## ACCEPT all traffic across loopback device
$IPTABLES -A lo-output -o lo -j ACCEPT
## Firewall FORWARD Chains
# New chain for input to the external interface
$IPTABLES -N EXTERNAL-forward
$IPTABLES -F EXTERNAL-forward # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d 224.0.0.0/8 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -j CHECK_FLAGS
#PROXY II darf alles in unser Netz
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $PROXY_REAL_IP -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
#remoteuser
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT
#Proxy darf router-netz anpingen
$IPTABLES -A EXTERNAL-forward -p icmp -s $PROXY_REAL_IP -d $INTERNAL_ROUTER_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p icmp -d $PROXY_REAL_IP -s $INTERNAL_ROUTER_NET -j ACCEPT
## These next few serve to block particular ports on the external interface.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --sport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
#DNS
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
#temp fuer active directory tests
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT
#smtp,http,https
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP1 -m multiport --dport 25,80,443 -j ACCEPT
#webserver darf mailen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 25 -j ACCEPT
#webserver darf ins internet
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 80 -j ACCEPT
#Multimedia Arbeitsplatz darf ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
#Virtuell Maschine darf http und ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $VM_IP -m multiport --dport 20,21,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $VM_IP -m multiport --dport 20,21 -j ACCEPT
#SAP-router
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
#Proxy
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
#Proxy oberhalb 5000
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
#Proxy zur Partner auf extra ports
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
#citrix zu Kunde
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_CLIENT_NET -j ACCEPT
#PCANYWEHERE von Comp99
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT
#Proxy darf pingen
#$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#SAP-router
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
#KUNDE2 Telnet
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
#Zugriff PMC Entwicklungssystem
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 8001 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT
#PMC darf terminalserver nach aussen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_PMC_IP -j ACCEPT
#KUNDE3 SSH + VNC
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE_IP -d $INTERNAL_OFFICIAL_NET -m multiport --sport 5800,5801,5900,5901,10022,10122 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -m multiport --dport 5800,5801,5900,5901,10022,10122 -j ACCEPT
#Telnet auf XM2
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
#Zugriff auf SAPIIS Port 8800
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_IIS_IP --dport 8800 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_IIS_IP --sport 8800 -j ACCEPT
##Timeservice
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $PROXY_NAT_IP --dport 123 -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $PROXY_NAT_IP --dport 123 -j ACCEPT
#Timeservice
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
#SSH_WKS darf ssh
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p tcp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p udp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $SSH_WKS_IP -s 0/0 -m multiport --dport 22222,33333 -j ACCEPT
#REMOTEUSER aufProxy
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_NAT_IP -j ACCEPT
#REMOTE USER in unser Netz
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
# remote DynIP by Ebner u Martin in unser Netz
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
#priv Clients aufProxy
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_NAT_IP -j ACCEPT
#VPN-Service
#rein von extern
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p 47 -d $VPN_IP -s 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --sport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 --dport 1701 --sport 1701 -j ACCEPT
#raus nach extern
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p 47 -s $VPN_IP -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --sport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 --dport 1701 --sport 1701 -j ACCEPT
#IT-Rechner
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS1 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $EXTERNAL_ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $EXTERNAL_ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
## ICMP Stuff, we're going to allow some ICMP.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
# Accept ping only for our Inernet watched hosts and routers CS 8.8.2001
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $TIMESERVER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -s $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $VPN_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $EXTERNAL_ROUTER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d $TIMESERVER_IP -j ACCEPT
## TTL Exceeded (traceroute)
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
## DROP all icmp network broadcasts
## This may actually break things in a few cases
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP
############################################################################
#
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-forward
$IPTABLES -F INTERNAL_ET-forward
$IPTABLES -N INTERNAL_TR-forward
$IPTABLES -F INTERNAL_TR-forward
## ACCEPT internal to internal traffic
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER2_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER3_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER4_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER5_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER2_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER3_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER4_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER5_NET -j ACCEPT
#internal FX allow
$IPTABLES -A INTERNAL_TR-forward -i $FW_X -s $FIREWALL_CONTROL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -o $FW_X -d $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for input to the loopback interface
$IPTABLES -N lo-forward
$IPTABLES -F lo-forward
## Accept packets to the loopback interface
$IPTABLES -A lo-forward -i lo -j ACCEPT
############################################################################
#
## Main Stuff
############################################################################
#
## Jumping to our INPUT chains.
$IPTABLES -A INPUT -i $INTERNAL_TR -j INTERNAL_TR-input
$IPTABLES -A INPUT -i $INTERNAL_ET -j INTERNAL_ET-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
$IPTABLES -A INPUT -i $FW_X -j FW_X-input
$IPTABLES -A INPUT -i lo -j lo-input
## mirror everything else
$IPTABLES -A INPUT -i $EXTERNAL -s ! $PROXY_REAL_IP -j MIRROR
## Jump to our OUTPUT chains.
$IPTABLES -A OUTPUT -o $INTERNAL_TR -j INTERNAL_TR-output
$IPTABLES -A OUTPUT -o $INTERNAL_ET -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $FW_X -j FW_X-output
$IPTABLES -A OUTPUT -o lo -j lo-output
## Jump to KEEP_STATE to accept packets that are part of an established
## connection, and DROP packets that may be trying to establish a new connection.
$IPTABLES -A FORWARD -o $EXTERNAL -j KEEP_STATE
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -i $INTERNAL_TR -j INTERNAL_TR-forward
$IPTABLES -A FORWARD -i $INTERNAL_ET -j INTERNAL_ET-forward
$IPTABLES -A FORWARD -j KEEP_STATE
############################################################################
#
## More Stuff:
############################################################################
#
## Rule to mangle TOS values
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 20 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 21 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 22 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 23 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 25 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p udp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 80 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 143 -j TOS --set-tos Maximize-Throughput #8 #0x08
### END FIREWALL RULES ###
############################################################################
###
## IPTABLES Network Address Translation(NAT) Rules
############################################################################
## Destination NAT -- (DNAT)
#######################################################
#Proxy umleiten zieladresse aendern
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#SAP-ROUTER fallback
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
#KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
#Citrix nach KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
### END NAT RULES ###
############################################################################
###
## Additional Kernel Configuration
############################################################################
###
## - Enable IP Forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward
else
echo "Error: /proc/sys/net/ipv4/ip_forward doesn't exist"
echo "(This could be a potential problem)"
fi
echo "FIREWALL is alive"
touch /var/lock/subsys/firewall
RETVAL=0
;;
close)
echo "FIREWALL will close all extended interfaces "
#allow trafic between firewalls
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N lo-input
$IPTABLES -F lo-input
$IPTABLES -N lo-output
$IPTABLES -F lo-output
$IPTABLES -A lo-input -i lo -j ACCEPT
$IPTABLES -A lo-output -o lo -j ACCEPT
$IPTABLES -A INPUT -i $FW_X -j INTERNAL_ET-input
$IPTABLES -A INPUT -i lo -j lo-input
$IPTABLES -A OUTPUT -o $FW_X -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o lo -j lo-output
RETVAL=0
;;
open)
echo ""
echo "!!!! FIREWALL will open all interfaces !!!!!"
echo "not for normal use"
echo ""
#allow trafic between firewalls
## Set Default Policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#######################################################
## Destination NAT -- (DNAT)
#######################################################
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#SAP-ROUTER fallback
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
#KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
#Citrix nach KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
RETVAL=0
;;
esac
exit $RETVAL
^ permalink raw reply [flat|nested] 5+ messages in thread* help!! whole in firewall --
@ 2002-06-10 9:38 Hard__warE
0 siblings, 0 replies; 5+ messages in thread
From: Hard__warE @ 2002-06-10 9:38 UTC (permalink / raw)
To: netfilter; +Cc: BGrummel
try this Script out ..... it works great
just modify Address / Ports to suit .... : D
---------------------------------------Start Copy Below this
Line -----------------------------------------
#!/bin/sh
#
# rc.firewall Mid-Strong Based Firewall ..BNI..
######## Revision 5.1 ########## Low Comments ##############
#############################################################
EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " ---"
# Determine the external IP automatically:
# ----------------------------------------
#EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' |
sed -e 's/.*://'`"
############### For STATIC IP addresses: #############
EXTIP="192.168.0.253"
########## New Multiple External IP Access #########
#EXTIP2="192.168.0.212"
echo " External IP: $EXTIP"
echo " ---"
# Assign the internal TCP/IP network and IP address
INTNET="172.16.0.0/16"
INTIP="172.16.0.253/32"
echo " Internal Network: $INTNET"
echo " Internal IP: $INTIP"
echo " ---"
# The location of various iptables and other shell programs
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
LSMOD=/sbin/lsmod
GREP=/bin/grep
AWK=/bin/awk
# Setting a few special variables
#
UNIVERSE="0.0.0.0/0"
IRCPORTS="6665,6666,6667,6668,6669,7000"
############# Kernel Modules Section #############
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en " Loading kernel modules: "
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
/sbin/insmod ip_tables
fi
#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
/sbin/insmod ip_conntrack
fi
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_conntrack_ftp, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
/sbin/insmod ip_conntrack_ftp
fi
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en " ip_conntrack_irc, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
/sbin/insmod ip_conntrack_irc ports=$IRCPORTS
fi
if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} `" ]; then
/sbin/insmod ip_nat_irc
fi
#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
/sbin/insmod iptable_nat
fi
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp"
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
/sbin/insmod ip_nat_ftp
fi
######### Ip Tables Filter ################
echo -en " ip_tables_filter"
if [ -z "` $LSMOD | $GREP iptable_filter | $AWK {'print $1'} `" ]; then
/sbin/insmod iptable_filter
fi
######### IpT MultiPort ################
echo -e " ipt_multiport"
if [ -z "` $LSMOD | $GREP ipt_multiport | $AWK {'print $1'} `" ]; then
/sbin/insmod ipt_multiport
fi
echo "---"
#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling Sysctl options."
##### Disable IP Spoof Attack
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
##### Stop Smurf Amplifiers
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
##### Block Source Routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
##### Kill Timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
##### Enable Syn Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
##### Kill Redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
##### Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "32768 61000"> /proc/sys/net/ipv4/ip_local_port_range
##### Log Martians (packets with impossible addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
##### Reduce DoS'ing ability/effect by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
# Dynamic IP users:
# Uncomment Second Line Below
echo " Enabling DynamicAddr.."
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " ---"
echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F SMB
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
# Delete all User-specified chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
#Configuring specific CHAINS for later use in the ruleset
#
# NOTE: Some users prefer to have their firewall silently
# "DROP" packets while others prefer to use "REJECT"
# to send ICMP error messages back to the remote
# machine. The default is "REJECT" but feel free to
# change this below.
#
# NOTE: Without the --log-level set to "info", every single
# firewall hit will goto ALL vtys. This is a very big
# pain.
#
echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP
#
########### Bad ASS Windows/Samba Ports ####################
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 135:139 -j REJECT
$IPTABLES -A SMB -p tcp --dport 445 -j REJECT
$IPTABLES -A SMB -p udp --dport 135:139 -j REJECT
$IPTABLES -A SMB -p udp --dport 445 -j REJECT
$IPTABLES -A SMB -p tcp --sport 135:139 -j REJECT
$IPTABLES -A SMB -p tcp --sport 445 -j REJECT
$IPTABLES -A SMB -p udp --sport 135:139 -j REJECT
$IPTABLES -A SMB -p udp --sport 445 -j REJECT
#$IPTABLES -A SMB -p tcp --dport 135:139 -j DROP
#$IPTABLES -A SMB -p tcp --dport 445 -j DROP
#$IPTABLES -A SMB -p udp --dport 135:139 -j DROP
#$IPTABLES -A SMB -p udp --dport 445 -j DROP
#$IPTABLES -A SMB -p tcp --sport 135:139 -j DROP
#$IPTABLES -A SMB -p tcp --sport 445 -j DROP
#$IPTABLES -A SMB -p udp --sport 135:139 -j DROP
#$IPTABLES -A SMB -p udp --sport 445 -j DROP
### Internal Squid Server Redirect ####
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
REDIRECT --to-port 3128
### Internal Web Server DNAT ##########
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8888 -j DNAT --to
172.16.0.111:80
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8860 -j DNAT --to
172.16.0.111:443
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 8860 -j DNAT --to
172.16.0.111:443
### NEW Multiple External IP DNAT Done Here, Uncomment and use accordingly
##########
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP2 -p tcp --dport
0:65535 -j DNAT --to 172.16.0.55
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP2 -p udp --dport
0:65535 -j DNAT --to 172.16.0.55
echo -e "\n - Loading INPUT rulesets"
#######################################################################
## INPUT: Incoming traffic from various internfaces. All rulesets are
# already flushed and set to a default policy of DROP.
## loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
## local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
## remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
## external interface, from any source, for ICMP traffic is valid
#
# If you would like your machine to "ping" from the Internet,
# enable this next line
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
## remote interface, any source, going to permanent PPP address is valid
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
## NEW Multi EXTIP, Add two lines for each new EXTIP* address below
##########
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP2 -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP2 -m state --state
ESTABLISHED,RELATED -j ACCEPT
## Allow any related traffic coming back to the MASQ serer in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state
ESTABLISHED,RELATED -j ACCEPT
# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various internfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
## loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
## local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
## outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
## NEW Multi EXTIP, Add two lines for each new EXTIP* address below
##########
#$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP2 -d $INTNET -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP2 -d $UNIVERSE -j ACCEPT
## anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
## Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
### Allow Port Forwarding on the Ports Specified
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 172.16.0.111 --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 172.16.0.111 --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 172.16.0.111 --dport 443 -j ACCEPT
## NEW Multi EXTIP, Add two lines for each new EXTIP* address below
##########
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -s $EXTIP2 -d 172.16.0.55 --dport
0:65535 -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -s $EXTIP2 -d 172.16.0.55 --dport
0:65535 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -j SMB
$IPTABLES -A FORWARD -o $INTIF -j SMB
$IPTABLES -A FORWARD -i $EXTIF -j SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB
###
# Specific Defence rules can go here to.
###
# Flood Protection
$IPTABLES -A FORWARD -i $EXTIF -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Ports Scanners
$IPTABLES -A FORWARD -i $EXTIF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m
limit --limit 1/s -j ACCEPT
# Ping o Death
$IPTABLES -A FORWARD -i $EXTIF -p icmp --icmp-type echo-request -m
limit --limit 1/s -j ACCEPT
echo " -=-=-= DoS Defence is Up -=-=-="
echo " - FWD: Allow all connections OUT and only existing/related IN"
## NEW Multi EXTIP, Add a lines for each new EXTIP* address below ##########
#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d 172.16.0.55 -m state --state
ESTABLISHED,RELATED -j ACCEPT
########## Exisiting Rule (Do Not Delete) #########
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTNET -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it
$IPTABLES -A FORWARD -j DROP
echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
## Use this for Dynamic IP connections because it does not keep any of the
old Tracked Conections
###
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
## Stricter form used mainly on Static IP Connections
########## Uncomment line below to enable SNAT on NEW $EXTIP*
################
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 172.16.0.55 -j SNAT --to
$EXTIP2
########## Existing SNAT Rule, Do Not Delete unless you really know what ya
doing #######
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
#######################################################################
echo -e "\nDone.\n"
echo -e "\neXecuting Packet Shaping Dont Forget To /etc/rc.wshaper.\n"
/etc/rc.wshaper
^ permalink raw reply [flat|nested] 5+ messages in thread* help!! whole in firewall --
@ 2002-06-10 9:03 BGrummel
0 siblings, 0 replies; 5+ messages in thread
From: BGrummel @ 2002-06-10 9:03 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 678 bytes --]
hello
i have a problem with my firewall
any ports from outside are opend,
from inside to outside are the rules ok
this is my configuration
backup FIREWALL (fw-x) CLIENTS (internal tr)
\ /
ISP------ROUTER----------Firewall--------ROUTER (internal eth)
(external eth) / \
PROXY WEBSERVER (internal tr)
(external eth)
my rules --see atm.
help
I don´t know what it is
I think its in the keep-state part
but if I change it i had to change any rule for all connections
any help is welcome
thanks in advise
(See attached file: firewall.netfilter)
[-- Attachment #2: firewall.netfilter --]
[-- Type: application/octet-stream, Size: 25114 bytes --]
#!/bin/sh
##################################################################
#
#
## Variables
IPTABLES="/sbin/iptables"
INTERNAL_ET="eth1" # Internal Ethernet Interface
INTERNAL_TR="tr0" # Internal Tokenring Interface
EXTERNAL="eth0" # External Interface
FW_X="eth2" # testinterface for backupfirewall
#IP_ADRESSES
INTERNAL_OFFICIAL_NET="1.1.1.0/24"
INTERNAL_CLIENT_NET="1.1.3.0/24"
INTERNAL_ROUTER_NET="1.1.4.0/24"
INTERNAL_ROUTER2_NET="1.1.5.0/24"
INTERNAL_ROUTER3_NET="1.1.6.0/24"
INTERNAL_ROUTER4_NET="1.1.7.0/24"
INTERNAL_ROUTER5_NET="1.1.8.0/24"
FIREWALL_CONTROL_NET="1.1.9.0/24"
EXTERNAL_ROUTER_IP="1.1.1.1"
PROXY_REAL_IP="1.1.1.2"
PROXY_NAT_IP="1.1.1.3"
REMOTEUSER_IP="1.1.1.4"
REMOTEUSER_NET="1.1.10.0/24"
SSH_SERVER_IP="1.1.1.5"
DNS_IP="1.1.1.6"
VPN_IP="1.1.1.7"
DC_IP="1.1.1.8"
TIMESERVER_IP="1.1.1.9"
VM_IP="1.1.1.10"
INTERNAL_PMC_IP="1.1.1.11"
SAP_IIS_IP="1.1.1.12"
PCANYWERE_IP="1.1.1.13"
MMWKS_IP="1.1.1.14"
ROUTER_IP="1.1.1.15"
SSH_WKS_IP="1.1.1.16"
WEBSERVER_IP1="1.1.1.20"
INTERNAL_IT_WKS1="1.1.1.15"
SAP_ROUTER1_IP="1.1.1.20"
SAP_ROUTER2_IP="1.1.1.21"
KUNDE_NET="1.1.11.0/24"
KUNDE_IP="1.1.1.22"
KUNDE2_IP="1.1.1.23"
PARTNER_NET="1.1.12.0/24"
## Flush Built-in Rules
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -X
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
############################################################################
## Special Chains
############################################################################
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## ACCEPT certain packets which are starting a new connection or are
## related to an established connection.
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -o ! $EXTERNAL -m state --state NEW -j ACCEPT
#Remoteuser
$IPTABLES -A KEEP_STATE -i $EXTERNAL -d $REMOTEUSER_IP -m state --state NEW,INVALID -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $REMOTEUSER_IP --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -m state --state INVALID -j DROP
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $PROXY_REAL_IP -d 0/0 --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -d ! $PROXY_REAL_IP --tcp-flags SYN,ACK SYN -j DROP
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NMAP-XMAS:" ## NMAP Stuff
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "root" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "cmd.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "mmc.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m psd -m limit --psd-delay-threshold 3 --limit 1/min -j LOG --log-prefix "Port Scan: "
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT
# Now, see how we were called
case "$1" in
start)
############################################################################
## Firewall Input Chains
############################################################################
#
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -m multiport --dport 23,22 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -j CHECK_FLAGS
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
## ICMP Stuff, we're going to allow some ICMP.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## DROP all icmp network broadcasts
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_TR-input
$IPTABLES -F INTERNAL_TR-input
$IPTABLES -N FW_X-input
$IPTABLES -F FW_X-input
#allow ping from internal to firewall
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-input -i $FW_X -p icmp -s $FIREWALL_CONTROL_NET -j ACCEPT
## New chain for input to the loopback interface
$IPTABLES -N lo-input
$IPTABLES -F lo-input
## Accept packets to the loopback interface
$IPTABLES -A lo-input -i lo -j ACCEPT
############################################################################
## Firewall Output Chains
############################################################################
## New chain for output from the external interface
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output
## Just DROP all outgoing unroutables.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 224.0.0.0/8 -j DROP
## New chain for output across the internal interface
$IPTABLES -N INTERNAL_TR-output
$IPTABLES -F INTERNAL_TR-output
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N FW_X-output
$IPTABLES -F FW_X-output
## ACCEPT all outbound traffic across the internal interfaces
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_ET -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_ET -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-output -o $FW_X -p icmp -d $FIREWALL_CONTROL_NET -j ACCEPT
## New chain for output across the loopback device
$IPTABLES -N lo-output
$IPTABLES -F lo-output
## ACCEPT all traffic across loopback device
$IPTABLES -A lo-output -o lo -j ACCEPT
## Firewall FORWARD Chains
$IPTABLES -N EXTERNAL-forward
$IPTABLES -F EXTERNAL-forward # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d 224.0.0.0/8 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -j CHECK_FLAGS
#PROXY II darf alles in unser Netz
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $PROXY_REAL_IP -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
#Proxy darf router-netz anpingen
$IPTABLES -A EXTERNAL-forward -p icmp -s $PROXY_REAL_IP -d $INTERNAL_ROUTER_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p icmp -d $PROXY_REAL_IP -s $INTERNAL_ROUTER_NET -j ACCEPT
## These next few serve to block particular ports on the external interface.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --sport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
#webserver darf ins internet
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 80 -j ACCEPT
#SAP-router
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
#Proxy
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
#Proxy oberhalb 5000
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
#Proxy zur Partner auf extra ports
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
#Proxy darf pingen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#Timeservice
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
#priv Clients aufProxy
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_NAT_IP -j ACCEPT
## ICMP Stuff, we're going to allow some ICMP.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
# Accept ping only for our Inernet watched hosts and routers CS 8.8.2001
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $TIMESERVER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -s $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $VPN_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $EXTERNAL_ROUTER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d $TIMESERVER_IP -j ACCEPT
## DROP all icmp network broadcasts
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-forward
$IPTABLES -F INTERNAL_ET-forward
$IPTABLES -N INTERNAL_TR-forward
$IPTABLES -F INTERNAL_TR-forward
## ACCEPT internal to internal traffic
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER2_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER3_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER4_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER5_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER2_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER3_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER4_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER5_NET -j ACCEPT
#internal FX allow
$IPTABLES -A INTERNAL_TR-forward -i $FW_X -s $FIREWALL_CONTROL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -o $FW_X -d $FIREWALL_CONTROL_NET -j ACCEPT
## New chain for input to the loopback interface
$IPTABLES -N lo-forward
$IPTABLES -F lo-forward
## Accept packets to the loopback interface
$IPTABLES -A lo-forward -i lo -j ACCEPT
############################################################################
#
## Main Stuff
############################################################################
## Jumping to our INPUT chains.
$IPTABLES -A INPUT -i $INTERNAL_TR -j INTERNAL_TR-input
$IPTABLES -A INPUT -i $INTERNAL_ET -j INTERNAL_ET-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
$IPTABLES -A INPUT -i $FW_X -j FW_X-input
$IPTABLES -A INPUT -i lo -j lo-input
## mirror everything else
$IPTABLES -A INPUT -i $EXTERNAL -s ! $PROXY_REAL_IP -j MIRROR
## Jump to our OUTPUT chains.
$IPTABLES -A OUTPUT -o $INTERNAL_TR -j INTERNAL_TR-output
$IPTABLES -A OUTPUT -o $INTERNAL_ET -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $FW_X -j FW_X-output
$IPTABLES -A OUTPUT -o lo -j lo-output
## Jump to KEEP_STATE to accept packets that are part of an established
## connection, and DROP packets that may be trying to establish a new connection.
$IPTABLES -A FORWARD -o $EXTERNAL -j KEEP_STATE
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -i $INTERNAL_TR -j INTERNAL_TR-forward
$IPTABLES -A FORWARD -i $INTERNAL_ET -j INTERNAL_ET-forward
$IPTABLES -A FORWARD -j KEEP_STATE
############################################################################
## More Stuff:
############################################################################
## Rule to mangle TOS values
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 20 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 21 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 22 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 23 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 25 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p udp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 80 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 143 -j TOS --set-tos Maximize-Throughput #8 #0x08
### END FIREWALL RULES ###
############################################################################
###
## IPTABLES Network Address Translation(NAT) Rules
############################################################################
## Destination NAT -- (DNAT)
#######################################################
#Proxy umleiten zieladresse aendern
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#SAP-ROUTER fallback
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
#KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
#Citrix nach KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
### END NAT RULES ###
############################################################################
## Additional Kernel Configuration
############################################################################
###
## - Enable IP Forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward
else
echo "Error: /proc/sys/net/ipv4/ip_forward doesn't exist"
echo "(This could be a potential problem)"
fi
echo "FIREWALL is alive"
touch /var/lock/subsys/firewall
RETVAL=0
;;
close)
echo "FIREWALL will close all extended interfaces "
#allow trafic between firewalls
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N lo-input
$IPTABLES -F lo-input
$IPTABLES -N lo-output
$IPTABLES -F lo-output
$IPTABLES -A lo-input -i lo -j ACCEPT
$IPTABLES -A lo-output -o lo -j ACCEPT
$IPTABLES -A INPUT -i $FW_X -j INTERNAL_ET-input
$IPTABLES -A INPUT -i lo -j lo-input
$IPTABLES -A OUTPUT -o $FW_X -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o lo -j lo-output
RETVAL=0
;;
open)
echo ""
echo "!!!! FIREWALL will open all interfaces !!!!!"
echo "not for normal use"
## Set Default Policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#######################################################
## Destination NAT -- (DNAT)
#######################################################
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#SAP-ROUTER fallback
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
#KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
#Citrix nach KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
RETVAL=0
;;
esac
exit $RETVAL
^ permalink raw reply [flat|nested] 5+ messages in thread* help!! whole in firewall --
@ 2002-06-07 15:08 BGrummel
0 siblings, 0 replies; 5+ messages in thread
From: BGrummel @ 2002-06-07 15:08 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 678 bytes --]
hello
i have a problem with my firewall
any ports from outside are opend,
from inside to outside are the rules ok
this is my configuration
backup FIREWALL (fw-x) CLIENTS (internal tr)
\ /
ISP------ROUTER----------Firewall--------ROUTER (internal eth)
(external eth) / \
PROXY WEBSERVER (internal tr)
(external eth)
my rules --see atm.
help
I don´t know what it is
I think its in the keep-state part
but if I change it i had to change any rule for all connections
any help is welcome
thanks in advise
(See attached file: firewall.netfilter)
[-- Attachment #2: firewall.netfilter --]
[-- Type: application/octet-stream, Size: 45497 bytes --]
#!/bin/sh
##################################################################
#
#
## Variables
IPTABLES="/sbin/iptables"
INTERNAL_ET="eth1" # Internal Ethernet Interface
INTERNAL_TR="tr0" # Internal Tokenring Interface
EXTERNAL="eth0" # External Interface
FW_X="eth2"
#IP_ADRESSES
INTERNAL_OFFICIAL_NET="1.1.1.0/24"
INTERNAL_CLIENT_NET="1.1.3.0/24"
INTERNAL_ROUTER_NET="1.1.4.0/24"
INTERNAL_ROUTER2_NET="1.1.5.0/24"
INTERNAL_ROUTER3_NET="1.1.6.0/24"
INTERNAL_ROUTER4_NET="1.1.7.0/24"
INTERNAL_ROUTER5_NET="1.1.8.0/24"
FIREWALL_CONTROL_NET="1.1.9.0/24"
EXTERNAL_ROUTER_IP="1.1.1.1"
PROXY_REAL_IP="1.1.1.2"
PROXY_NAT_IP="1.1.1.3"
REMOTEUSER_IP="1.1.1.4"
REMOTEUSER_NET="1.1.10.0/24"
SSH_SERVER_IP="1.1.1.5"
DNS_IP="1.1.1.6"
VPN_IP="1.1.1.7"
DC_IP="1.1.1.8"
TIMESERVER_IP="1.1.1.9"
VM_IP="1.1.1.10"
INTERNAL_PMC_IP="1.1.1.11"
SAP_IIS_IP="1.1.1.12"
PCANYWERE_IP="1.1.1.13"
MMWKS_IP="1.1.1.14"
ROUTER_IP="1.1.1.15"
SSH_WKS_IP="1.1.1.16"
WEBSERVER_IP1="1.1.1.20"
WEBSERVER_IP2="1.1.1.21"
WEBSERVER_IP3="1.1.1.22"
WEBSERVER_IP4="1.1.1.23"
WEBSERVER_IP5="1.1.1.24"
WEBSERVER_IP6="1.1.1.25"
WEBSERVER_IP7="1.1.1.26"
WEBSERVER_IP8="1.1.1.27"
WEBSERVER_IP9="1.1.1.28"
WEBSERVER_IP10="1.1.1.29"
WEBSERVER_IP11="1.1.1.30"
WEBSERVER_IP12="1.1.1.31"
WEBSERVER_IP13="1.1.1.32"
WEBSERVER_IP14="1.1.1.33"
WEBSERVER_IP15="1.1.1.34"
WEBSERVER_IP16="1.1.1.35"
WEBSERVER_IP17="1.1.1.36"
WEBSERVER_IP18="1.1.1.37"
INTERNAL_IT_WKS1="1.1.1.15"
INTERNAL_IT_WKS2="1.1.1.16"
INTERNAL_IT_WKS3="1.1.1.17"
INTERNAL_IT_WKS4="1.1.1.18"
INTERNAL_IT_WKS5="1.1.1.19"
SAP_ROUTER1_IP="1.1.1.20"
SAP_ROUTER2_IP="1.1.1.21"
KUNDE_NET="1.1.11.0/24"
KUNDE_IP="1.1.1.22"
KUNDE2_IP="1.1.1.23"
PARTNER_NET="1.1.12.0/24"
## Flush Built-in Rules
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -X
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# ecn-support cut because problems with some webservers
#echo 0 > /proc/sys/net/ipv4/tcp_ecn
## Special Chains First, INPUT/OUTPUT chains will follow
############################################################################
#
## Special Chains
############################################################################
#
############################################################################
#
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## ACCEPT certain packets which are starting a new connection or are
## related to an established connection.
## ACCEPT packets whose input interface is anything but the external interface.
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -o ! $EXTERNAL -m state --state NEW -j ACCEPT
## DROP packets associated with a NEW or "INVALID" connection.
## DROP TCP packets with only the SYN, SYN/URG, or SYN/PUSH flag set,
## perhaps a bit redundant.
#Remoteuser
$IPTABLES -A KEEP_STATE -i $EXTERNAL -d $REMOTEUSER_IP -m state --state NEW,INVALID -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $REMOTEUSER_IP --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -m state --state INVALID -j DROP
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $PROXY_REAL_IP -d 0/0 --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -d ! $PROXY_REAL_IP --tcp-flags SYN,ACK SYN -j DROP
#tcp-reject for faster connections
#$IPTABLES -A KEEP_STATE -p tcp -j REJECT --reject-with tcp-reset
#$IPTABLES -A KEEP_STATE -j REJECT --reject-with icmp-port-unreachable
############################################################################
#
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.
## We set some limits here to limit the amount of crap that gets sent to the logs.
## Keep in mind that the first dozen rules should never match normal traffic, these
## rules are designed to capture obviously messed up packets... But there's
## alot of wierd shit out there, so who knows.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NMAP-XMAS:" ## NMAP Stuff
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "root" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "cmd.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "franz.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "mmc.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m string --string "rober.de@12move.de" -j MIRROR
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m string --string "tini525@yahoo.com" -j MIRROR
## Make some types of port scanning annoyingly slow, also provides some protection
## against certain DoS attacks. Adjust for your network. The rule in chain
## KEEP_STATE referring to the INVALID state should catch most TCP packets with
## the RST or FIN bits set that aren't associate with an established connection.
## Still, these will limit the amount of stuff that is accepted through our open ports.
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m psd -m limit --psd-delay-threshold 3 --limit 1/min -j LOG --log-prefix "Port Scan: "
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT
# Now, see how we were called
case "$1" in
start)
############################################################################
#
## Firewall Input Chains
############################################################################
#
############################################################################
#
## New chain for input to the external interface
echo " updated"
#
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -m multiport --dport 23,22 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -j CHECK_FLAGS
## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## On a separate router/firewall, these are redundant and pretty much useless.
## On a host, however, with a default they might serve a purpose.
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
## ICMP Stuff, we're going to allow some ICMP.
## DROP fragmented ICMP packets(sure, why not)
## This will only catch the second and further fragments.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping) -- Comment this if you don't like to be pinged
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
## TTL Exceeded (traceroute)
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
## DROP all icmp network broadcasts
## This may actually break things in a few cases
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP
############################################################################
#
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_TR-input
$IPTABLES -F INTERNAL_TR-input
$IPTABLES -N FW_X-input
$IPTABLES -F FW_X-input
#allow ping from internal to firewall
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
#temp ftp zum ssh-server
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $SSH_SERVER_IP -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-input -i $FW_X -p icmp -s $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for input to the loopback interface
$IPTABLES -N lo-input
$IPTABLES -F lo-input
## Accept packets to the loopback interface
$IPTABLES -A lo-input -i lo -j ACCEPT
############################################################################
#
## Firewall Output Chains
############################################################################
#
############################################################################
#
## New chain for output from the external interface
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output
## Just DROP all outgoing unroutables.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 224.0.0.0/8 -j DROP
############################################################################
#
## New chain for output across the internal interface
$IPTABLES -N INTERNAL_TR-output
$IPTABLES -F INTERNAL_TR-output
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N FW_X-output
$IPTABLES -F FW_X-output
## ACCEPT all outbound traffic across the internal interfaces
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_ET -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_ET -j ACCEPT
#ftpupload
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -d $SSH_WKS_IP -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-output -o $FW_X -p icmp -d $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for output across the loopback device
$IPTABLES -N lo-output
$IPTABLES -F lo-output
## ACCEPT all traffic across loopback device
$IPTABLES -A lo-output -o lo -j ACCEPT
############################################################################
#
## Firewall FORWARD Chains
############################################################################
#
############################################################################
# New chain for input to the external interface
#
$IPTABLES -N EXTERNAL-forward
$IPTABLES -F EXTERNAL-forward # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d 224.0.0.0/8 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -j CHECK_FLAGS
#PROXY II darf alles in unser Netz
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $PROXY_REAL_IP -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
#remoteuser
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT
#Proxy darf router-netz anpingen
$IPTABLES -A EXTERNAL-forward -p icmp -s $PROXY_REAL_IP -d $INTERNAL_ROUTER_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p icmp -d $PROXY_REAL_IP -s $INTERNAL_ROUTER_NET -j ACCEPT
## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## On a separate router/firewall, these are redundant and pretty much useless.
## On a host, however, with a default they might serve a purpose.
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --sport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
#DNS
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
#temp fuer active directory tests
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT
#smtp,http,https
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP1 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP2 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP3 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP4 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP5 -m multiport --dport 25,80,443,8000,8001,8042 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP6 -m multiport --dport 25,80,443,8100 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP7 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP8 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP9 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP10 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP11 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP12 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP13 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP14 -m multiport --dport 80,8022 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP15 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP16 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP17 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP18 --dport 80 -j ACCEPT
#webserver darf mailen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP2 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP3 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP4 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP5 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP6 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP7 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP8 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP9 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP10 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP11 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP12 --dport 80 -j ACCEPT
#webserver darf ins internet
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 80 -j ACCEPT
#Multimedia Arbeitsplatz darf ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
#Virtuell Maschine darf http und ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $VM_IP -m multiport --dport 20,21,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $VM_IP -m multiport --dport 20,21 -j ACCEPT
#SAP-router
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
#Proxy
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
#Proxy oberhalb 5000
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
#Proxy zur Partner auf extra ports
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
#citrix zu Kunde
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_CLIENT_NET -j ACCEPT
#PCANYWEHERE von Comp99
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT
#Proxy darf pingen
#$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#SAP-router
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
#KUNDE2 Telnet
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
#Zugriff PMC Entwicklungssystem
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 8001 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT
#PMC darf terminalserver nach aussen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_PMC_IP -j ACCEPT
#KUNDE3 SSH + VNC
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE_IP -d $INTERNAL_OFFICIAL_NET -m multiport --sport 5800,5801,5900,5901,10022,10122 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -m multiport --dport 5800,5801,5900,5901,10022,10122 -j ACCEPT
#Telnet auf XM2
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
#Zugriff auf SAPIIS Port 8800
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_IIS_IP --dport 8800 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_IIS_IP --sport 8800 -j ACCEPT
##Timeservice
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $PROXY_NAT_IP --dport 123 -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $PROXY_NAT_IP --dport 123 -j ACCEPT
#Timeservice
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
#SSH_WKS darf ssh
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p tcp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p udp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $SSH_WKS_IP -s 0/0 -m multiport --dport 22222,33333 -j ACCEPT
#REMOTEUSER aufProxy
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_NAT_IP -j ACCEPT
#REMOTE USER in unser Netz
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
# remote DynIP by Ebner u Martin in unser Netz
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
#priv Clients aufProxy
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_NAT_IP -j ACCEPT
#VPN-Service
#rein von extern
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p 47 -d $VPN_IP -s 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --sport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 --dport 1701 --sport 1701 -j ACCEPT
#raus nach extern
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p 47 -s $VPN_IP -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --sport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 --dport 1701 --sport 1701 -j ACCEPT
#IT-Rechner
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS1 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS2 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS3 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS4 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS5 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $EXTERNAL_ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $EXTERNAL_ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
## ICMP Stuff, we're going to allow some ICMP.
## DROP fragmented ICMP packets(sure, why not)
## This will only catch the second and further fragments.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping) -- Comment this if you don't like to be pinged
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
# Accept ping only for our Inernet watched hosts and routers CS 8.8.2001
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $TIMESERVER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -s $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $VPN_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $EXTERNAL_ROUTER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d $TIMESERVER_IP -j ACCEPT
## TTL Exceeded (traceroute)
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
## DROP all icmp network broadcasts
## This may actually break things in a few cases
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP
############################################################################
#
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-forward
$IPTABLES -F INTERNAL_ET-forward
$IPTABLES -N INTERNAL_TR-forward
$IPTABLES -F INTERNAL_TR-forward
## ACCEPT internal to internal traffic
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER2_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER3_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER4_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER5_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER2_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER3_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER4_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER5_NET -j ACCEPT
#internal FX allow
$IPTABLES -A INTERNAL_TR-forward -i $FW_X -s $FIREWALL_CONTROL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -o $FW_X -d $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for input to the loopback interface
$IPTABLES -N lo-forward
$IPTABLES -F lo-forward
## Accept packets to the loopback interface
$IPTABLES -A lo-forward -i lo -j ACCEPT
############################################################################
#
## Main Stuff
############################################################################
#
## Jumping to our INPUT chains.
$IPTABLES -A INPUT -i $INTERNAL_TR -j INTERNAL_TR-input
$IPTABLES -A INPUT -i $INTERNAL_ET -j INTERNAL_ET-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
$IPTABLES -A INPUT -i $FW_X -j FW_X-input
$IPTABLES -A INPUT -i lo -j lo-input
## mirror everything else
$IPTABLES -A INPUT -i $EXTERNAL -s ! $PROXY_REAL_IP -j MIRROR
## Jump to our OUTPUT chains.
$IPTABLES -A OUTPUT -o $INTERNAL_TR -j INTERNAL_TR-output
$IPTABLES -A OUTPUT -o $INTERNAL_ET -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $FW_X -j FW_X-output
$IPTABLES -A OUTPUT -o lo -j lo-output
## Jump to KEEP_STATE to accept packets that are part of an established
## connection, and DROP packets that may be trying to establish a new connection.
$IPTABLES -A FORWARD -o $EXTERNAL -j KEEP_STATE
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -i $INTERNAL_TR -j INTERNAL_TR-forward
$IPTABLES -A FORWARD -i $INTERNAL_ET -j INTERNAL_ET-forward
$IPTABLES -A FORWARD -j KEEP_STATE
############################################################################
#
## More Stuff:
############################################################################
#
## Rule to mangle TOS values
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)
## - Most of these are the RFC 1060/1349 compliant TOS values, yours might vary.
## - The -d 0/0 is a bit redundant.
## - To view mangle table, type: iptables -L -t mangle
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 20 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 21 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 22 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 23 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 25 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p udp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 80 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 143 -j TOS --set-tos Maximize-Throughput #8 #0x08
### END FIREWALL RULES ###
## Might be a good idea to keep the NAT stuff in a separate file.
############################################################################
###
## IPTABLES Network Address Translation(NAT) Rules
############################################################################
###
#######################################################
## Destination NAT -- (DNAT)
#######################################################
## Redirect packets headed for certain ports on our external interface to other
## machines on the network.
#Proxy umleiten zieladresse aendern
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
## Static IP address ##
## Change source address of outgoing packets on external
## interface to our IP address.
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#SAP-ROUTER fallback
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
#KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
#Citrix nach KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
### END NAT RULES ###
############################################################################
###
## Additional Kernel Configuration
############################################################################
###
## - Enable IP Forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward
else
echo "Error: /proc/sys/net/ipv4/ip_forward doesn't exist"
echo "(This could be a potential problem)"
fi
echo "FIREWALL is alive"
touch /var/lock/subsys/firewall
RETVAL=0
;;
stop)
# ----------------------------------------------------------------------------------------------------------------------- #
# filter table
TABLE=filter
CHAIN=INPUT
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=FORWARD
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=OUTPUT
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
iptables -t $TABLE -Z
# ----------------------------------------------------------------------------------------------------------------------- #
# nat table
TABLE=nat
CHAIN=PREROUTING
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=OUTPUT
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=POSTROUTING
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
iptables -t $TABLE -Z
# ----------------------------------------------------------------------------------------------------------------------- #
# mangle table
TABLE=mangle
CHAIN=PREROUTING
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=OUTPUT
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
iptables -t $TABLE -Z
# ----------------------------------------------------------------------------------------------------------------------- #
echo "FIREWALL is down"
rm -f /var/lock/subsys/firewall
RETVAL=0
;;
restart)
$0 stop
$1 start
touch /var/lock/subsys/firewall
RETVAL=0
;;
close)
echo "FIREWALL will close all extended interfaces "
#allow trafic between firewalls
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N lo-input
$IPTABLES -F lo-input
$IPTABLES -N lo-output
$IPTABLES -F lo-output
$IPTABLES -A lo-input -i lo -j ACCEPT
$IPTABLES -A lo-output -o lo -j ACCEPT
$IPTABLES -A INPUT -i $FW_X -j INTERNAL_ET-input
$IPTABLES -A INPUT -i lo -j lo-input
$IPTABLES -A OUTPUT -o $FW_X -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o lo -j lo-output
RETVAL=0
;;
open)
echo ""
echo "!!!! FIREWALL will open all interfaces !!!!!"
echo "not for normal use"
echo ""
#allow trafic between firewalls
## Set Default Policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#######################################################
## Destination NAT -- (DNAT)
#######################################################
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#SAP-ROUTER fallback
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
#KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
#Citrix nach KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
RETVAL=0
;;
esac
exit $RETVAL
^ permalink raw reply [flat|nested] 5+ messages in thread* help!! whole in firewall --
@ 2002-06-07 14:40 BGrummel
0 siblings, 0 replies; 5+ messages in thread
From: BGrummel @ 2002-06-07 14:40 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 835 bytes --]
hello
i have a problem with my firewall
any ports from outside are opend,
from inside to outside are the rules ok
this is my configuration
backup FIREWALL (fw-x) CLIENTS (internal tr)
\ /
ISP------ROUTER----------Firewall--------ROUTER (internal eth)
(external eth) / \
PROXY WEBSERVER (internal tr)
(external eth)
my rules --see atm.
help
I don´t know what it is
I think its in the keep-state part
but if I change it i had to change any rule for all connections
(See attached file: firewall.netfilter)
any help is welcome
thanks in advise
Dipl.-Ing.
Benno Grummel
ZUENDEL & Partner
Systems & Consultants
Abt. IT-Services
Fon: 02153-7376-0
Fax: 02153-7376-16
http://www.ZUENDEL.DE
[-- Attachment #2: firewall.netfilter --]
[-- Type: application/octet-stream, Size: 45497 bytes --]
#!/bin/sh
##################################################################
#
#
## Variables
IPTABLES="/sbin/iptables"
INTERNAL_ET="eth1" # Internal Ethernet Interface
INTERNAL_TR="tr0" # Internal Tokenring Interface
EXTERNAL="eth0" # External Interface
FW_X="eth2"
#IP_ADRESSES
INTERNAL_OFFICIAL_NET="1.1.1.0/24"
INTERNAL_CLIENT_NET="1.1.3.0/24"
INTERNAL_ROUTER_NET="1.1.4.0/24"
INTERNAL_ROUTER2_NET="1.1.5.0/24"
INTERNAL_ROUTER3_NET="1.1.6.0/24"
INTERNAL_ROUTER4_NET="1.1.7.0/24"
INTERNAL_ROUTER5_NET="1.1.8.0/24"
FIREWALL_CONTROL_NET="1.1.9.0/24"
EXTERNAL_ROUTER_IP="1.1.1.1"
PROXY_REAL_IP="1.1.1.2"
PROXY_NAT_IP="1.1.1.3"
REMOTEUSER_IP="1.1.1.4"
REMOTEUSER_NET="1.1.10.0/24"
SSH_SERVER_IP="1.1.1.5"
DNS_IP="1.1.1.6"
VPN_IP="1.1.1.7"
DC_IP="1.1.1.8"
TIMESERVER_IP="1.1.1.9"
VM_IP="1.1.1.10"
INTERNAL_PMC_IP="1.1.1.11"
SAP_IIS_IP="1.1.1.12"
PCANYWERE_IP="1.1.1.13"
MMWKS_IP="1.1.1.14"
ROUTER_IP="1.1.1.15"
SSH_WKS_IP="1.1.1.16"
WEBSERVER_IP1="1.1.1.20"
WEBSERVER_IP2="1.1.1.21"
WEBSERVER_IP3="1.1.1.22"
WEBSERVER_IP4="1.1.1.23"
WEBSERVER_IP5="1.1.1.24"
WEBSERVER_IP6="1.1.1.25"
WEBSERVER_IP7="1.1.1.26"
WEBSERVER_IP8="1.1.1.27"
WEBSERVER_IP9="1.1.1.28"
WEBSERVER_IP10="1.1.1.29"
WEBSERVER_IP11="1.1.1.30"
WEBSERVER_IP12="1.1.1.31"
WEBSERVER_IP13="1.1.1.32"
WEBSERVER_IP14="1.1.1.33"
WEBSERVER_IP15="1.1.1.34"
WEBSERVER_IP16="1.1.1.35"
WEBSERVER_IP17="1.1.1.36"
WEBSERVER_IP18="1.1.1.37"
INTERNAL_IT_WKS1="1.1.1.15"
INTERNAL_IT_WKS2="1.1.1.16"
INTERNAL_IT_WKS3="1.1.1.17"
INTERNAL_IT_WKS4="1.1.1.18"
INTERNAL_IT_WKS5="1.1.1.19"
SAP_ROUTER1_IP="1.1.1.20"
SAP_ROUTER2_IP="1.1.1.21"
KUNDE_NET="1.1.11.0/24"
KUNDE_IP="1.1.1.22"
KUNDE2_IP="1.1.1.23"
PARTNER_NET="1.1.12.0/24"
## Flush Built-in Rules
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -X
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# ecn-support cut because problems with some webservers
#echo 0 > /proc/sys/net/ipv4/tcp_ecn
## Special Chains First, INPUT/OUTPUT chains will follow
############################################################################
#
## Special Chains
############################################################################
#
############################################################################
#
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## ACCEPT certain packets which are starting a new connection or are
## related to an established connection.
## ACCEPT packets whose input interface is anything but the external interface.
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -o ! $EXTERNAL -m state --state NEW -j ACCEPT
## DROP packets associated with a NEW or "INVALID" connection.
## DROP TCP packets with only the SYN, SYN/URG, or SYN/PUSH flag set,
## perhaps a bit redundant.
#Remoteuser
$IPTABLES -A KEEP_STATE -i $EXTERNAL -d $REMOTEUSER_IP -m state --state NEW,INVALID -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $REMOTEUSER_IP --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -m state --state INVALID -j DROP
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $PROXY_REAL_IP -d 0/0 --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -d ! $PROXY_REAL_IP --tcp-flags SYN,ACK SYN -j DROP
#tcp-reject for faster connections
#$IPTABLES -A KEEP_STATE -p tcp -j REJECT --reject-with tcp-reset
#$IPTABLES -A KEEP_STATE -j REJECT --reject-with icmp-port-unreachable
############################################################################
#
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.
## We set some limits here to limit the amount of crap that gets sent to the logs.
## Keep in mind that the first dozen rules should never match normal traffic, these
## rules are designed to capture obviously messed up packets... But there's
## alot of wierd shit out there, so who knows.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NMAP-XMAS:" ## NMAP Stuff
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "root" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "cmd.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "franz.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "mmc.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m string --string "rober.de@12move.de" -j MIRROR
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m string --string "tini525@yahoo.com" -j MIRROR
## Make some types of port scanning annoyingly slow, also provides some protection
## against certain DoS attacks. Adjust for your network. The rule in chain
## KEEP_STATE referring to the INVALID state should catch most TCP packets with
## the RST or FIN bits set that aren't associate with an established connection.
## Still, these will limit the amount of stuff that is accepted through our open ports.
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m psd -m limit --psd-delay-threshold 3 --limit 1/min -j LOG --log-prefix "Port Scan: "
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT
# Now, see how we were called
case "$1" in
start)
############################################################################
#
## Firewall Input Chains
############################################################################
#
############################################################################
#
## New chain for input to the external interface
echo " updated"
#
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -m multiport --dport 23,22 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -j CHECK_FLAGS
## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## On a separate router/firewall, these are redundant and pretty much useless.
## On a host, however, with a default they might serve a purpose.
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
## ICMP Stuff, we're going to allow some ICMP.
## DROP fragmented ICMP packets(sure, why not)
## This will only catch the second and further fragments.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping) -- Comment this if you don't like to be pinged
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
## TTL Exceeded (traceroute)
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
## DROP all icmp network broadcasts
## This may actually break things in a few cases
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP
############################################################################
#
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_TR-input
$IPTABLES -F INTERNAL_TR-input
$IPTABLES -N FW_X-input
$IPTABLES -F FW_X-input
#allow ping from internal to firewall
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
#temp ftp zum ssh-server
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $SSH_SERVER_IP -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-input -i $FW_X -p icmp -s $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for input to the loopback interface
$IPTABLES -N lo-input
$IPTABLES -F lo-input
## Accept packets to the loopback interface
$IPTABLES -A lo-input -i lo -j ACCEPT
############################################################################
#
## Firewall Output Chains
############################################################################
#
############################################################################
#
## New chain for output from the external interface
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output
## Just DROP all outgoing unroutables.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 224.0.0.0/8 -j DROP
############################################################################
#
## New chain for output across the internal interface
$IPTABLES -N INTERNAL_TR-output
$IPTABLES -F INTERNAL_TR-output
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N FW_X-output
$IPTABLES -F FW_X-output
## ACCEPT all outbound traffic across the internal interfaces
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_ET -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_ET -j ACCEPT
#ftpupload
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -d $SSH_WKS_IP -j ACCEPT
#Direct comunication FW I <-> FW II
$IPTABLES -A FW_X-output -o $FW_X -p icmp -d $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for output across the loopback device
$IPTABLES -N lo-output
$IPTABLES -F lo-output
## ACCEPT all traffic across loopback device
$IPTABLES -A lo-output -o lo -j ACCEPT
############################################################################
#
## Firewall FORWARD Chains
############################################################################
#
############################################################################
# New chain for input to the external interface
#
$IPTABLES -N EXTERNAL-forward
$IPTABLES -F EXTERNAL-forward # Flush chain
## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d 224.0.0.0/8 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -j CHECK_FLAGS
#PROXY II darf alles in unser Netz
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $PROXY_REAL_IP -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
#remoteuser
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT
#Proxy darf router-netz anpingen
$IPTABLES -A EXTERNAL-forward -p icmp -s $PROXY_REAL_IP -d $INTERNAL_ROUTER_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p icmp -d $PROXY_REAL_IP -s $INTERNAL_ROUTER_NET -j ACCEPT
## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## On a separate router/firewall, these are redundant and pretty much useless.
## On a host, however, with a default they might serve a purpose.
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --sport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
#DNS
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
#temp fuer active directory tests
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT
#smtp,http,https
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP1 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP2 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP3 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP4 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP5 -m multiport --dport 25,80,443,8000,8001,8042 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP6 -m multiport --dport 25,80,443,8100 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP7 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP8 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP9 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP10 -m multiport --dport 25,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP11 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP12 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP13 -m multiport --dport 80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP14 -m multiport --dport 80,8022 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP15 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP16 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP17 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP18 --dport 80 -j ACCEPT
#webserver darf mailen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP2 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP3 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP4 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP5 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP6 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP7 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP8 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP9 --dport 25 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP10 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP11 --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP12 --dport 80 -j ACCEPT
#webserver darf ins internet
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 80 -j ACCEPT
#Multimedia Arbeitsplatz darf ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
#Virtuell Maschine darf http und ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $VM_IP -m multiport --dport 20,21,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $VM_IP -m multiport --dport 20,21 -j ACCEPT
#SAP-router
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
#Proxy
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
#Proxy oberhalb 5000
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
#Proxy zur Partner auf extra ports
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
#citrix zu Kunde
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_CLIENT_NET -j ACCEPT
#PCANYWEHERE von Comp99
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT
#Proxy darf pingen
#$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#SAP-router
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
#KUNDE2 Telnet
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
#Zugriff PMC Entwicklungssystem
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 8001 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT
#PMC darf terminalserver nach aussen
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_PMC_IP -j ACCEPT
#KUNDE3 SSH + VNC
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE_IP -d $INTERNAL_OFFICIAL_NET -m multiport --sport 5800,5801,5900,5901,10022,10122 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -m multiport --dport 5800,5801,5900,5901,10022,10122 -j ACCEPT
#Telnet auf XM2
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
#Zugriff auf SAPIIS Port 8800
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_IIS_IP --dport 8800 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_IIS_IP --sport 8800 -j ACCEPT
##Timeservice
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $PROXY_NAT_IP --dport 123 -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $PROXY_NAT_IP --dport 123 -j ACCEPT
#Timeservice
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
#SSH_WKS darf ssh
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p tcp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p udp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $SSH_WKS_IP -s 0/0 -m multiport --dport 22222,33333 -j ACCEPT
#REMOTEUSER aufProxy
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_NAT_IP -j ACCEPT
#REMOTE USER in unser Netz
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
# remote DynIP by Ebner u Martin in unser Netz
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT
#priv Clients aufProxy
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_NAT_IP -j ACCEPT
#VPN-Service
#rein von extern
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p 47 -d $VPN_IP -s 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --sport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 --dport 1701 --sport 1701 -j ACCEPT
#raus nach extern
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p 47 -s $VPN_IP -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --sport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 --dport 1701 --sport 1701 -j ACCEPT
#IT-Rechner
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS1 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS2 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS3 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS4 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS5 -d 0/0 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $EXTERNAL_ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $EXTERNAL_ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
## ICMP Stuff, we're going to allow some ICMP.
## DROP fragmented ICMP packets(sure, why not)
## This will only catch the second and further fragments.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping) -- Comment this if you don't like to be pinged
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
# Accept ping only for our Inernet watched hosts and routers CS 8.8.2001
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $TIMESERVER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -s $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $VPN_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $EXTERNAL_ROUTER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d $TIMESERVER_IP -j ACCEPT
## TTL Exceeded (traceroute)
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
## DROP all icmp network broadcasts
## This may actually break things in a few cases
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP
############################################################################
#
## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-forward
$IPTABLES -F INTERNAL_ET-forward
$IPTABLES -N INTERNAL_TR-forward
$IPTABLES -F INTERNAL_TR-forward
## ACCEPT internal to internal traffic
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER2_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER3_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER4_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER5_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER2_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER3_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER4_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER5_NET -j ACCEPT
#internal FX allow
$IPTABLES -A INTERNAL_TR-forward -i $FW_X -s $FIREWALL_CONTROL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -o $FW_X -d $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for input to the loopback interface
$IPTABLES -N lo-forward
$IPTABLES -F lo-forward
## Accept packets to the loopback interface
$IPTABLES -A lo-forward -i lo -j ACCEPT
############################################################################
#
## Main Stuff
############################################################################
#
## Jumping to our INPUT chains.
$IPTABLES -A INPUT -i $INTERNAL_TR -j INTERNAL_TR-input
$IPTABLES -A INPUT -i $INTERNAL_ET -j INTERNAL_ET-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
$IPTABLES -A INPUT -i $FW_X -j FW_X-input
$IPTABLES -A INPUT -i lo -j lo-input
## mirror everything else
$IPTABLES -A INPUT -i $EXTERNAL -s ! $PROXY_REAL_IP -j MIRROR
## Jump to our OUTPUT chains.
$IPTABLES -A OUTPUT -o $INTERNAL_TR -j INTERNAL_TR-output
$IPTABLES -A OUTPUT -o $INTERNAL_ET -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $FW_X -j FW_X-output
$IPTABLES -A OUTPUT -o lo -j lo-output
## Jump to KEEP_STATE to accept packets that are part of an established
## connection, and DROP packets that may be trying to establish a new connection.
$IPTABLES -A FORWARD -o $EXTERNAL -j KEEP_STATE
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -i $INTERNAL_TR -j INTERNAL_TR-forward
$IPTABLES -A FORWARD -i $INTERNAL_ET -j INTERNAL_ET-forward
$IPTABLES -A FORWARD -j KEEP_STATE
############################################################################
#
## More Stuff:
############################################################################
#
## Rule to mangle TOS values
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)
## - Most of these are the RFC 1060/1349 compliant TOS values, yours might vary.
## - The -d 0/0 is a bit redundant.
## - To view mangle table, type: iptables -L -t mangle
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 20 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 21 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 22 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 23 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 25 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p udp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 80 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 143 -j TOS --set-tos Maximize-Throughput #8 #0x08
### END FIREWALL RULES ###
## Might be a good idea to keep the NAT stuff in a separate file.
############################################################################
###
## IPTABLES Network Address Translation(NAT) Rules
############################################################################
###
#######################################################
## Destination NAT -- (DNAT)
#######################################################
## Redirect packets headed for certain ports on our external interface to other
## machines on the network.
#Proxy umleiten zieladresse aendern
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
## Static IP address ##
## Change source address of outgoing packets on external
## interface to our IP address.
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#SAP-ROUTER fallback
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
#KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
#Citrix nach KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
### END NAT RULES ###
############################################################################
###
## Additional Kernel Configuration
############################################################################
###
## - Enable IP Forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward
else
echo "Error: /proc/sys/net/ipv4/ip_forward doesn't exist"
echo "(This could be a potential problem)"
fi
echo "FIREWALL is alive"
touch /var/lock/subsys/firewall
RETVAL=0
;;
stop)
# ----------------------------------------------------------------------------------------------------------------------- #
# filter table
TABLE=filter
CHAIN=INPUT
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=FORWARD
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=OUTPUT
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
iptables -t $TABLE -Z
# ----------------------------------------------------------------------------------------------------------------------- #
# nat table
TABLE=nat
CHAIN=PREROUTING
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=OUTPUT
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=POSTROUTING
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
iptables -t $TABLE -Z
# ----------------------------------------------------------------------------------------------------------------------- #
# mangle table
TABLE=mangle
CHAIN=PREROUTING
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
CHAIN=OUTPUT
iptables -t $TABLE -F $CHAIN
iptables -t $TABLE -P $CHAIN ACCEPT
iptables -t $TABLE -Z
# ----------------------------------------------------------------------------------------------------------------------- #
echo "FIREWALL is down"
rm -f /var/lock/subsys/firewall
RETVAL=0
;;
restart)
$0 stop
$1 start
touch /var/lock/subsys/firewall
RETVAL=0
;;
close)
echo "FIREWALL will close all extended interfaces "
#allow trafic between firewalls
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N lo-input
$IPTABLES -F lo-input
$IPTABLES -N lo-output
$IPTABLES -F lo-output
$IPTABLES -A lo-input -i lo -j ACCEPT
$IPTABLES -A lo-output -o lo -j ACCEPT
$IPTABLES -A INPUT -i $FW_X -j INTERNAL_ET-input
$IPTABLES -A INPUT -i lo -j lo-input
$IPTABLES -A OUTPUT -o $FW_X -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o lo -j lo-output
RETVAL=0
;;
open)
echo ""
echo "!!!! FIREWALL will open all interfaces !!!!!"
echo "not for normal use"
echo ""
#allow trafic between firewalls
## Set Default Policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#######################################################
## Destination NAT -- (DNAT)
#######################################################
$IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################
#Proxy
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
#SAP-ROUTER fallback
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport 3200:3399 --to $PROXY_NAT_IP
#KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
#Citrix nach KUNDE
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
$IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
RETVAL=0
;;
esac
exit $RETVAL
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2002-06-10 9:38 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-06-10 8:42 help!! whole in firewall -- BGrummel
-- strict thread matches above, loose matches on Subject: below --
2002-06-10 9:38 Hard__warE
2002-06-10 9:03 BGrummel
2002-06-07 15:08 BGrummel
2002-06-07 14:40 BGrummel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox