Wat ik dus probeer is een win2k vpnserver achter mijn iptables firewall te bereiken.
het vreemde is dat ik in mijn firewall toch echt de poorten 1723 en 47 open heb staan.Als ik echter met nmap scan, dan geeft hij aan dat deze DICHT staan!Hetzelfde geld voor poort 3360 (terminal services)
Hier mijn firewall script:
#!/bin/sh
################################################################################
# variabelen
## variabelen die moeten worden aangepast aan omgeving
# waar iptables staat
IPTABLES="/usr/sbin/iptables"
# interfaces
INTERNAL_INTERFACE="eth0" # interface waarmee gateway aan lokale netwerk zit (aanpassen aan eigen omgeving)
EXTERNAL_INTERFACE="eth1" # interface waarmee gateway aan het internet zit (aanpassen aan eigen omgeving)
# ipadressen / netwerken
IPADDR=`/sbin/ifconfig $EXTERNAL_INTERFACE | grep inet | awk '{print $2}' | sed -e "s/[adr:]//g"`
LAN="192.168.1.1/24" # lokale netwerk (aanpassen aan eigen omgeving)
# overige
MASQ="yes"
HTTP_SERVER="no"
FTP_SERVER="no"
SSH_SERVER="yes"
NAME_SERVER="no"
SMTP_SERVER="no"
TELNET_SERVER="no"
LOG="yes"
## variabelen die NIET moeten worden aangepast
# interfaces
LOOPBACK_INTERFACE="lo" # loopback interface
# ipadressen / netwerken
ANYWHERE="0.0.0.0/0" # elk ip adres valt hierbinnen
LOOPBACK="127.0.0.1" # ip adres van localhost
CLASS_A="10.0.0.0/8" # klasse A prive netwerk
CLASS_B="172.16.0.0/12" # klasse B prive netwerk
CLASS_C="192.168.0.0/24" # klasse C prive netwerk
# poorten
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
################################################################################
# clean-up + init
# flush en clear alle rules en zet de tellers op 0
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z
# set de default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
################################################################################
# initialiseren van de kernel
## Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
## Enable IP-spoofing beveiliging
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 1 > $f
done
## Disable ICMP redirect acceptatie
for f in /proc/sys/net/ipv4/conf/*/accept_redirects ; do
echo 0 > $f
done
## Disable ICMP send_redirects
for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do
echo 0 > $f
done
## Source routed pakketten niet accepteren
for f in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
echo 0 > $f
done
## Log spoofed pakketten, source routed pakketten en redirected pakketten
for f in /proc/sys/net/ipv4/conf/*/log_martians ; do
echo 1 > $f
done
## Enable TCP SYN cookie beveiliging
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
## Enable ICMP broadcasting protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
## Enable ICMP dead error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
## Enable dynamic TCP/IP address hacking
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
################################################################################
# op de loopback interface kunnen (en moeten) we alles toelaten
## Onbeperkt verkeer op lo toestaan
$IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
################################################################################
# in de gemiddelde HTK-environment kunnen we ook alles op het lokale netwerk
# toelaten
## Onbeperkt verkeer op interne interface toestaan
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_INTERFACE -j ACCEPT
################################################################################
# sommige pakketten resoluut weigeren
## Weiger (en log) alle gefragmenteerde pakketten
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -f -j LOG --log-prefix "FRAGMENT! "
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -f -j DROP
## Weiger (en log) alles van privenetwerken op externe iface
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $LOOPBACK -j LOG --log-prefix "SPOOFING! "
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_A -j LOG --log-prefix "CLASS A ADDRESS! "
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_B -j LOG --log-prefix "CLASS B ADDRESS! "
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_C -j LOG --log-prefix "CLASS C ADDRESS! "
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_C -j DROP
################################################################################
# masquerade
## Alles met afkomst van of bestemming lokale netwerk heeft forwarden
if [ $MASQ = yes ] ; then
$IPTABLES -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE
$IPTABLES -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -s $LAN -d ! $LAN -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_INTERFACE -i $EXTERNAL_INTERFACE -d $LAN -s ! $LAN -j ACCEPT
fi
################################################################################
# accepteer bepaalde ICMP pakketten
## Een aantal typen ICMP pakketten accepteren
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 0 -s $ANYWHERE -d $IPADDR \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 3 -s $ANYWHERE -d $IPADDR \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 5 -s $ANYWHERE -d $IPADDR \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 8 -s $ANYWHERE -d $IPADDR \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 11 -s $ANYWHERE -d $IPADDR \
-m limit --limit 10/s -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
--icmp-type 3 -s $IPADDR -d $ANYWHERE \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
--icmp-type 8 -s $IPADDR -d $ANYWHERE \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
--icmp-type 0 -s $IPADDR -d $ANYWHERE \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
--icmp-type 11 -s $IPADDR -d $ANYWHERE \
-m limit --limit 10/s -j ACCEPT
################################################################################
# TCP connecties gestart vanuit lokale netwerk accepteren
## accepteer TCP connecties vlgs SYS, ACK+SYN, ACK principe
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-m state --state ESTABLISHED,RELATED \
-s $IPADDR -d $ANYWHERE -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-m state --state ESTABLISHED,RELATED \
-s $ANYWHERE -d $IPADDR -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
--tcp-flags ACK,SYN SYN \
-s $IPADDR -d $ANYWHERE -j ACCEPT
## auth aanvragen accepteren (voorkomt timeouts)
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR \
--source-port $UNPRIVPORTS --destination-port 113 -j ACCEPT
################################################################################
# UDP
## dns aanvragen vanuit lokale netwerk toestaan
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE -d $IPADDR \
--source-port 53 --destination-port $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR -d $ANYWHERE \
--source-port $UNPRIVPORTS --destination-port 53 -j ACCEPT
## traceroute toestaan
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE -d $IPADDR \
--source-port 32769:65535 --destination-port 33434:33523 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR -d $ANYWHERE \
--source-port 32769:65535 --destination-port 33434:33523 -j ACCEPT
## time toestaan
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE -d $IPADDR \
--source-port 37 --destination-port $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR -d $ANYWHERE \
--source-port $UNPRIVPORTS --destination-port 37 -j ACCEPT
# andere UDP poorten hier toevoegen
################################################################################
# zelf servers draaien
## http server openstellen voor buitenwereld
if [ $HTTP_SERVER = yes ] ; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR \
--source-port $UNPRIVPORTS --destination-port 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE \
--source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT
fi
## nameserver openstellen voor buitenwereld
if [ $NAME_SERVER = yes ] ; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR \
--source-port $UNPRIVPORTS --destination-port 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE \
--source-port 53 --destination-port $UNPRIVPORTS -j ACCEPT
fi
## ssh server openstellen voor buitenwereld
if [ $SSH_SERVER = yes ] ; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR \
--source-port $UNPRIVPORTS --destination-port 8000 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE \
--source-port 8000 --destination-port $UNPRIVPORTS -j ACCEPT
fi
## smtp server openstellen voor buitenwereld
if [ $SMTP_SERVER = yes ] ; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR \
--source-port $UNPRIVPORTS --destination-port 25 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE \
--source-port 25 --destination-port $UNPRIVPORTS -j ACCEPT
fi
## ftp server openstellen voor buitenwereld
if [ $FTP_SERVER = yes ] ; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR -m state --state NEW,ESTABLISHED \
--source-port $UNPRIVPORTS --destination-port 2121 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
--source-port 2121 --destination-port $UNPRIVPORTS -j ACCEPT
## ftp server - active
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR -m state --state ESTABLISHED,RELATED ! --syn \
--destination-port 20 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
--source-port 20 -j ACCEPT
## ftp server - passive
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR -m state --state ESTABLISHED,RELATED \
--destination-port $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
--source-port $UNPRIVPORTS -j ACCEPT
fi
#VPN server openzetten:
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR -m state --state NEW,ESTABLISHED \
--source-port $UNPRIVPORTS --destination-port 1723 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
--source-port 1723 --destination-port $UNPRIVPORTS -j ACCEPT
################################################################################
#Forwarding:
# Terminal server in lokale netwerk (192.168.1.3) beschikbaar maken voor buitenwereld
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR --dport 3360 -j DNAT --to 192.168.1.3:3360
# vpnserver in lokale netwerk (192.168.1.3) beschikbaar maken voor buitenwereld
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR --dport 47 -j DNAT --to 192.168.1.3:47
# vpnserver in lokale netwerk (192.168.1.3) beschikbaar maken voor buitenwereld
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR --dport 1723 -j DNAT --to 192.168.1.3:1723
################################################################################
# trash opvangen
# alles dat nu nog wordt opgevangen loggen
#if [ $LOG = yes ] ; then
$IPTABLES -A INPUT -j LOG --log-prefix "filtered on INPUT "
$IPTABLES -A OUTPUT -j LOG --log-prefix "filtered on OUTPUT "
$IPTABLES -A FORWARD -j LOG --log-prefix "filtered on FORWARD "
het vreemde is dat ik in mijn firewall toch echt de poorten 1723 en 47 open heb staan.Als ik echter met nmap scan, dan geeft hij aan dat deze DICHT staan!Hetzelfde geld voor poort 3360 (terminal services)
Hier mijn firewall script:
#!/bin/sh
################################################################################
# variabelen
## variabelen die moeten worden aangepast aan omgeving
# waar iptables staat
IPTABLES="/usr/sbin/iptables"
# interfaces
INTERNAL_INTERFACE="eth0" # interface waarmee gateway aan lokale netwerk zit (aanpassen aan eigen omgeving)
EXTERNAL_INTERFACE="eth1" # interface waarmee gateway aan het internet zit (aanpassen aan eigen omgeving)
# ipadressen / netwerken
IPADDR=`/sbin/ifconfig $EXTERNAL_INTERFACE | grep inet | awk '{print $2}' | sed -e "s/[adr:]//g"`
LAN="192.168.1.1/24" # lokale netwerk (aanpassen aan eigen omgeving)
# overige
MASQ="yes"
HTTP_SERVER="no"
FTP_SERVER="no"
SSH_SERVER="yes"
NAME_SERVER="no"
SMTP_SERVER="no"
TELNET_SERVER="no"
LOG="yes"
## variabelen die NIET moeten worden aangepast
# interfaces
LOOPBACK_INTERFACE="lo" # loopback interface
# ipadressen / netwerken
ANYWHERE="0.0.0.0/0" # elk ip adres valt hierbinnen
LOOPBACK="127.0.0.1" # ip adres van localhost
CLASS_A="10.0.0.0/8" # klasse A prive netwerk
CLASS_B="172.16.0.0/12" # klasse B prive netwerk
CLASS_C="192.168.0.0/24" # klasse C prive netwerk
# poorten
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
################################################################################
# clean-up + init
# flush en clear alle rules en zet de tellers op 0
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z
# set de default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
################################################################################
# initialiseren van de kernel
## Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
## Enable IP-spoofing beveiliging
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 1 > $f
done
## Disable ICMP redirect acceptatie
for f in /proc/sys/net/ipv4/conf/*/accept_redirects ; do
echo 0 > $f
done
## Disable ICMP send_redirects
for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do
echo 0 > $f
done
## Source routed pakketten niet accepteren
for f in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
echo 0 > $f
done
## Log spoofed pakketten, source routed pakketten en redirected pakketten
for f in /proc/sys/net/ipv4/conf/*/log_martians ; do
echo 1 > $f
done
## Enable TCP SYN cookie beveiliging
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
## Enable ICMP broadcasting protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
## Enable ICMP dead error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
## Enable dynamic TCP/IP address hacking
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
################################################################################
# op de loopback interface kunnen (en moeten) we alles toelaten
## Onbeperkt verkeer op lo toestaan
$IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
################################################################################
# in de gemiddelde HTK-environment kunnen we ook alles op het lokale netwerk
# toelaten
## Onbeperkt verkeer op interne interface toestaan
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_INTERFACE -j ACCEPT
################################################################################
# sommige pakketten resoluut weigeren
## Weiger (en log) alle gefragmenteerde pakketten
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -f -j LOG --log-prefix "FRAGMENT! "
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -f -j DROP
## Weiger (en log) alles van privenetwerken op externe iface
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $LOOPBACK -j LOG --log-prefix "SPOOFING! "
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_A -j LOG --log-prefix "CLASS A ADDRESS! "
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_B -j LOG --log-prefix "CLASS B ADDRESS! "
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_C -j LOG --log-prefix "CLASS C ADDRESS! "
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_C -j DROP
################################################################################
# masquerade
## Alles met afkomst van of bestemming lokale netwerk heeft forwarden
if [ $MASQ = yes ] ; then
$IPTABLES -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE
$IPTABLES -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -s $LAN -d ! $LAN -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_INTERFACE -i $EXTERNAL_INTERFACE -d $LAN -s ! $LAN -j ACCEPT
fi
################################################################################
# accepteer bepaalde ICMP pakketten
## Een aantal typen ICMP pakketten accepteren
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 0 -s $ANYWHERE -d $IPADDR \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 3 -s $ANYWHERE -d $IPADDR \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 5 -s $ANYWHERE -d $IPADDR \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 8 -s $ANYWHERE -d $IPADDR \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 11 -s $ANYWHERE -d $IPADDR \
-m limit --limit 10/s -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
--icmp-type 3 -s $IPADDR -d $ANYWHERE \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
--icmp-type 8 -s $IPADDR -d $ANYWHERE \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
--icmp-type 0 -s $IPADDR -d $ANYWHERE \
-m limit --limit 2/s -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
--icmp-type 11 -s $IPADDR -d $ANYWHERE \
-m limit --limit 10/s -j ACCEPT
################################################################################
# TCP connecties gestart vanuit lokale netwerk accepteren
## accepteer TCP connecties vlgs SYS, ACK+SYN, ACK principe
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-m state --state ESTABLISHED,RELATED \
-s $IPADDR -d $ANYWHERE -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-m state --state ESTABLISHED,RELATED \
-s $ANYWHERE -d $IPADDR -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
--tcp-flags ACK,SYN SYN \
-s $IPADDR -d $ANYWHERE -j ACCEPT
## auth aanvragen accepteren (voorkomt timeouts)
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR \
--source-port $UNPRIVPORTS --destination-port 113 -j ACCEPT
################################################################################
# UDP
## dns aanvragen vanuit lokale netwerk toestaan
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE -d $IPADDR \
--source-port 53 --destination-port $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR -d $ANYWHERE \
--source-port $UNPRIVPORTS --destination-port 53 -j ACCEPT
## traceroute toestaan
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE -d $IPADDR \
--source-port 32769:65535 --destination-port 33434:33523 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR -d $ANYWHERE \
--source-port 32769:65535 --destination-port 33434:33523 -j ACCEPT
## time toestaan
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE -d $IPADDR \
--source-port 37 --destination-port $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR -d $ANYWHERE \
--source-port $UNPRIVPORTS --destination-port 37 -j ACCEPT
# andere UDP poorten hier toevoegen
################################################################################
# zelf servers draaien
## http server openstellen voor buitenwereld
if [ $HTTP_SERVER = yes ] ; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR \
--source-port $UNPRIVPORTS --destination-port 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE \
--source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT
fi
## nameserver openstellen voor buitenwereld
if [ $NAME_SERVER = yes ] ; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR \
--source-port $UNPRIVPORTS --destination-port 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE \
--source-port 53 --destination-port $UNPRIVPORTS -j ACCEPT
fi
## ssh server openstellen voor buitenwereld
if [ $SSH_SERVER = yes ] ; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR \
--source-port $UNPRIVPORTS --destination-port 8000 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE \
--source-port 8000 --destination-port $UNPRIVPORTS -j ACCEPT
fi
## smtp server openstellen voor buitenwereld
if [ $SMTP_SERVER = yes ] ; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR \
--source-port $UNPRIVPORTS --destination-port 25 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE \
--source-port 25 --destination-port $UNPRIVPORTS -j ACCEPT
fi
## ftp server openstellen voor buitenwereld
if [ $FTP_SERVER = yes ] ; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR -m state --state NEW,ESTABLISHED \
--source-port $UNPRIVPORTS --destination-port 2121 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
--source-port 2121 --destination-port $UNPRIVPORTS -j ACCEPT
## ftp server - active
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR -m state --state ESTABLISHED,RELATED ! --syn \
--destination-port 20 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
--source-port 20 -j ACCEPT
## ftp server - passive
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR -m state --state ESTABLISHED,RELATED \
--destination-port $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
--source-port $UNPRIVPORTS -j ACCEPT
fi
#VPN server openzetten:
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE -d $IPADDR -m state --state NEW,ESTABLISHED \
--source-port $UNPRIVPORTS --destination-port 1723 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
--source-port 1723 --destination-port $UNPRIVPORTS -j ACCEPT
################################################################################
#Forwarding:
# Terminal server in lokale netwerk (192.168.1.3) beschikbaar maken voor buitenwereld
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR --dport 3360 -j DNAT --to 192.168.1.3:3360
# vpnserver in lokale netwerk (192.168.1.3) beschikbaar maken voor buitenwereld
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR --dport 47 -j DNAT --to 192.168.1.3:47
# vpnserver in lokale netwerk (192.168.1.3) beschikbaar maken voor buitenwereld
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR --dport 1723 -j DNAT --to 192.168.1.3:1723
################################################################################
# trash opvangen
# alles dat nu nog wordt opgevangen loggen
#if [ $LOG = yes ] ; then
$IPTABLES -A INPUT -j LOG --log-prefix "filtered on INPUT "
$IPTABLES -A OUTPUT -j LOG --log-prefix "filtered on OUTPUT "
$IPTABLES -A FORWARD -j LOG --log-prefix "filtered on FORWARD "
Ik heb daar niet zo heel veel ervaring mee, ik wist alleen dat dat protocol een struikelblok was en dat het vaak verward wordt met poort 47. Voor de rest heb ik ook alleen maar de klok horen luiden.
Ik weet het echt niet.
:strip_icc():strip_exif()/u/4167/bacall8.jpg?f=community)
