Skripte
ssl-cert.sh
#!/bin/bash
#
# ssl-cert.sh
# generate certificate signing request or self signed certificate
#
# Copyright 2008 Frank Remetter < sunnyboyfrank web de >
# License: GNU GPL v2
#
# Version: 200802281045
#
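# Key, CSR and certificate land in the current directory.  umask 077 keeps
# the private key owner-readable only: both openssl calls below use -nodes,
# i.e. the key is written unencrypted.
umask 077
KEYFILE="server.key"
CSRFILE="server.csr"
CNFFILE="cert.cnf"
CRTFILE="server.crt"
DAYS="730"   # validity of the self-signed certificate in days
# command -v is the portable replacement for `which`; empty if not installed
OPENSSL="$(command -v openssl)"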
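#######################################
# Write the OpenSSL request configuration unless it already exists.
# Globals:   CNFFILE (read) - path of the configuration file
# Outputs:   creates $CNFFILE; an existing file is never overwritten
# Returns:   0 if the file exists or was written, non-zero if writing failed
#######################################
write_cert_cnf() {
  # Keep an existing file: the operator may have customised the defaults.
  if [ -f "$CNFFILE" ]; then
    return 0
  fi
  # The original tested $CNFFILE but wrote to the literal name cert.cnf;
  # both now use the variable.  Quoted delimiter: nothing below is expanded
  # by the shell.
  cat > "$CNFFILE" <<'EOF'
#
# OpenSSL configuration file.
#
HOME = .
RANDFILE = /etc/ssl/MyCert/ssl.rand
oid_section = new_oids
[ new_oids ]
[ req ]
default_bits = 2048
#encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
#prompt = no
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hessen
localityName = Locality Name (eg, city)
localityName_default = Darmstadt
0.organizationName = Organization Name (eg, company)
0.organizationName_default = RZ
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = Common Name (eg, YOUR name)
commonName_default = foo.domain-name.tld
commonName_max = 64
emailAddress = Email Address
emailAddress_default = admin@foo.domain-name.tld
emailAddress_max = 64
[ cert_type ]
nsCertType = server
EOF
}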
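# Abort early: the original only printed a message and then ran "" req ...
if [ -z "$OPENSSL" ]; then
  echo "openssl is missing" >&2
  exit 1
fi
# Key size for the self-signed certificate.  The config file written by
# write_cert_cnf defaults to 2048 bits, so the self-signed path uses the
# same size instead of the former hard-coded rsa:1024; KEYBITS in the
# environment overrides it.
KEYBITS="${KEYBITS:-2048}"
case "$1" in
  request)
    write_cert_cnf
    # -nodes: the private key is written unencrypted (protected by umask 077)
    "$OPENSSL" req -nodes -new -config "$CNFFILE" -keyout "$KEYFILE" -out "$CSRFILE"
    ;;
  self)
    write_cert_cnf
    "$OPENSSL" req -x509 -newkey "rsa:${KEYBITS}" -config "$CNFFILE" \
      -keyout "$KEYFILE" -out "$CRTFILE" -days "$DAYS" -nodes
    ;;
  *)
    echo "Usage: $0 < request | self >" >&2
    exit 2
    ;;
esac
# propagate openssl's status instead of always reporting success
exit "$?"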
backup.sh
#!/bin/bash
#
# backup.sh
# Copyright 2007, 2008 Frank Remetter < sunnyboyfrank web de >
# License: GNU GPL v2
#
# last mod: 20080419
#
# include secure-bashscripts.inc.sh
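# include secure-bashscripts.inc.sh (umask 077, fixed PATH, set -C, set -e, ...)
if [ -f "${HOME}/bin/secure-bashscripts.inc.sh" ]; then
  . "${HOME}/bin/secure-bashscripts.inc.sh"
else
  echo "${HOME}/bin/secure-bashscripts.inc.sh missing!" >&2
  exit 1
fi
# The include turns on errexit; this script reports each step's status via
# end_msg and carries on, so errexit is switched off again.
set +e
# are you root?
if [ "$UID" != "0" ]; then
  echo " ------------------------------------------------------- "
  echo " Dummi, du musst root sein, um $(basename "$0") auszufuehren !! "
  echo " ------------------------------------------------------- "
  exit 1
fi
# variables
DEBIAN="1"                       # 1: also dump package lists and MySQL (see below)
BACKUPDIR="/home/backup/linux"   # no trailing slash
CPCOMMAND="/bin/cp --parents --preserve --no-dereference"
TARCOMMAND="/bin/tar -cf"
TGZCOMMAND="/bin/tar -czf"
OF="backup-$(hostname)-$(date +%Y%m%d-%H%M).tgz"
# mktemp -d creates a private directory with an unpredictable name; abort if
# that fails, otherwise an empty TEMPDIR would turn every path below into "/..."
TEMPDIR="$(mktemp -d /tmp/backup.XXXXXXXXXX)" || exit 1   # no trailing slash
E_DIRMISS="2"
E_BACKUPMISS="3"
# files to back up: a whitespace-separated list that is expanded unquoted
# on purpose so that the glob is resolved
files="\
/boot/config-* \
/boot/grub/menu.lst \
"
# directories to back up
dirs="\
/etc \
/root/bin \
"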
# end messages
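#######################################
# Report the status of a finished step: the message from $2 followed by an
# "[ ok ]" or "[fail]" marker.  In a cron job (CRONJOB=1) only failures are
# printed, without terminal escape sequences.
# Globals:   CRONJOB (read) - "1" when running non-interactively
# Arguments: $1 - exit status of the step, $2 - message to print
# Outputs:   status line(s) on stdout
# Returns:   1 if $1 is empty, otherwise the value of $1
#######################################
end_msg() {
  # nothing to report without a status
  [ -z "$1" ] && return 1
  local status="$1" msg="$2"
  if [ "${CRONJOB-0}" != "1" ]; then
    local tput="/usr/bin/tput"
    local up="" start="" end="" red="" green="" normal=""
    if [ -x "$tput" ]; then
      local cols col
      cols="$($tput cols)"
      # place the marker 7 columns from the right edge (73 if width unknown)
      if [ -n "$cols" ]; then
        col=$(( cols - 7 ))
      else
        col=73
      fi
      up="$($tput cuu1)"        # move cursor up one line
      end="$($tput cuf "$col")" # move cursor $col columns right
      start="$($tput hpa 0)"    # move cursor to column 0
      red="$($tput setaf 1)"    # foreground red
      green="$($tput setaf 2)"  # foreground green
      normal="$($tput op)"      # default colours
    fi
    # Without tput the marker is simply printed on its own line; the
    # original aborted the whole backup run at this point instead.
    echo "$msg"
    if [ "$status" -ne 0 ]; then
      printf '%s%s %s*%s%s[%sfail%s]\n' "$up" "$start" "$red" "$normal" "$end" "$red" "$normal"
    else
      printf '%s%s[%s ok %s]\n' "$up" "$end" "$green" "$normal"
    fi
  elif [ "$status" -ne 0 ]; then
    # cron: keep the log readable, no cursor movement or colours
    echo "$msg"
    echo " *[fail]"
  fi
  return "$status"
}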
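#######################################
# Print an informational line unless running as a cron job (CRONJOB=1).
# The expansion is quoted, so a CRONJOB that is set but empty no longer
# produces a test(1) syntax error.
# Globals:   CRONJOB (read)
# Arguments: $1 - message
#######################################
info_msg() {
  [ "${CRONJOB-0}" = "1" ] && return 0
  echo "$1"
}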
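#######################################
# Print an error and terminate the script.
# Arguments: $1 - message, $2 - exit status (1 when omitted)
# Outputs:   message on stderr
#######################################
error_msg() {
  echo " ERROR: $1" >&2
  # an empty $2 would make 'exit' itself fail with "numeric argument required"
  exit "${2:-1}"
}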
# test safedirs
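# sanity checks: quoted so that an empty variable fails the test instead of
# passing as the bare, non-empty string "-d"
[ -d "$BACKUPDIR" ] || error_msg "$BACKUPDIR existiert nicht!" "$E_DIRMISS"
[ -d "$TEMPDIR" ] || error_msg "$TEMPDIR existiert nicht!" "$E_DIRMISS"
info_msg " -- Starte Sicherung. -- "
# work relative to / so that cp --parents / tar recreate the original paths
cd / || exit "$E_DIRMISS"
# one timestamp for all dump files of this run
STAMP="$(date +%Y%m%d-%H%M)"
# debian-specific, pre
if [ "$DEBIAN" = "1" ]; then
  dpkg -l > "${TEMPDIR}/package_list.${STAMP}"
  end_msg "$?" " -- Erstelle package_list"
  dpkg --get-selections > "${TEMPDIR}/package_selections.${STAMP}"
  end_msg "$?" " -- Erstelle package_selections"
  # plaintext dump of every database; TEMPDIR comes from mktemp -d and the
  # archive inherits umask 077, so keep BACKUPDIR equally restricted
  mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --all-databases > "${TEMPDIR}/mysql_dump_all.${STAMP}"
  end_msg "$?" " -- Erstelle mysql_dump_all"
  #${SLAPCAT} | gzip > "${TEMPDIR}/ldap_ldif.${STAMP}.gz"
  #end_msg "$?" " -- Erstelle ldap_ldif"
fi
# back up files ($files is expanded unquoted on purpose: it contains a glob)
# shellcheck disable=SC2086
for file in $files; do
  if [ -f "$file" ]; then
    $CPCOMMAND -- "$file" "${TEMPDIR}"
    end_msg "$?" " -sichere $file"
  else
    error_msg "$file (Datei) existiert nicht" "$E_BACKUPMISS"
  fi
done
info_msg " -- Dateien gesichert -- "
# back up directories, one tar per directory named after the path with '/' -> '_'
# shellcheck disable=SC2086
for dir in $dirs; do
  if [ -d "$dir" ]; then
    tardir="${dir#/}"          # strip the leading slash: members are relative to /
    tarname="${tardir//\//_}"
    $TARCOMMAND "${TEMPDIR}/${tarname}.tar" "$tardir"
    end_msg "$?" " -sichere $dir"
  else
    error_msg "$dir (Verzeichnis) existiert nicht" "$E_BACKUPMISS"
  fi
done
info_msg " -- Verzeichnisse gesichert -- "
# pack everything into a single tgz
cd "${TEMPDIR}" || error_msg "$TEMPDIR existiert nicht!" "$E_DIRMISS"
$TGZCOMMAND "${BACKUPDIR}/${OF}" ./
end_msg "$?" " -- Erstelle ${BACKUPDIR}/${OF}. -- "
cd / || exit "$E_DIRMISS"
# checksum: a digest stored next to the archive only detects accidental
# corruption, not tampering by anyone who can write BACKUPDIR
md5sum "${BACKUPDIR}/${OF}" > "${BACKUPDIR}/${OF}.md5"
end_msg "$?" " -- Erstelle Checksumme von ${BACKUPDIR}/${OF}. -- "
# remove the temporary directory; ${TEMPDIR:?} refuses to run on an empty value
rm -rf -- "${TEMPDIR:?}"
end_msg "$?" " -- Loesche ${TEMPDIR} --"
info_msg " -- Sicherung beendet. -- "
# delete backups (and their .md5 files) older than 186 days (6 months)
info_msg " -- Loesche veraltete Sicherungen. -- "
find "${BACKUPDIR}" -maxdepth 1 -mtime +186 -type f -name "backup-$(hostname)-*" -print0 | xargs -0 rm -f --
exit 0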
secure-bashscripts.inc.sh
#!/bin/bash
#
# secure-bashscripts include file
# Copyright 2007 Frank Remetter < sunnyboyfrank web de >
# License: GNU GPL v2
#
# Version: 200701271202
#
## example include code
# if [ -f ${HOME}/bin/secure-bashscripts.inc.sh ]; then
# . ${HOME}/bin/secure-bashscripts.inc.sh
# else
# echo "${HOME}/bin/secure-bashscripts.inc.sh missing!" >&2
# exit 1
# fi
##
#
# permissions
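# permissions: files created from here on are owner-only
umask 077
# no core dumps (a core could contain data the script handles)
ulimit -c 0
# environment: default field splitting and a fixed, system-only PATH
export IFS=$' \t\n'
export PATH="/bin:/usr/bin"
export SHELL="/bin/bash"
export BASH_ENV=""
export ENV=""
#export LC_ALL=C
#export TZ=""
# NOTE(review): the original ran 'env -i' here; without a command that only
# prints an (empty) environment and leaves this shell's environment untouched,
# so the line was dropped.
# file descriptors: make sure 0, 1 and 2 are open, so a later open() cannot
# land on a standard descriptor.  Plain '>' redirections: a '1>&word'
# redirection expects a descriptor number, not a path, so the original
# '1>&/dev/null' form was replaced.
test -e /dev/fd/0 || exec < /dev/null
test -e /dev/fd/1 || exec 1> /dev/null
test -e /dev/fd/2 || exec 2> /dev/null
# working directory: $HOME/temp if present, else $HOME; warn when it is not
# owned by the current user or its mode is not 700
if [ -d "${HOME}" ]; then
  WDIR_USER="$(stat -c %u "${HOME}")"
  if [ "${WDIR_USER}" != "${UID}" ]; then
    echo "WARNING: ${HOME} != ${UID}" >&2
  fi
  if [ -d "${HOME}/temp" ]; then
    WDIR_USER="$(stat -c %u "${HOME}/temp")"
    if [ "${WDIR_USER}" != "${UID}" ]; then
      echo "WARNING: ${HOME}/temp != ${UID}" >&2
    fi
    WDIR_PERM="$(stat -c %a "${HOME}/temp")"
    if [ "${WDIR_PERM}" != "700" ]; then
      echo "WARNING: ${HOME}/temp permissions are (${WDIR_PERM}) not secure" >&2
    fi
    cd "${HOME}/temp" || exit 1
  else
    WDIR_PERM="$(stat -c %a "${HOME}")"
    if [ "${WDIR_PERM}" != "700" ]; then
      echo "WARNING: ${HOME} permissions are (${WDIR_PERM}) not secure" >&2
    fi
    cd "${HOME}" || exit 1
  fi
  unset WDIR_PERM WDIR_USER
else
  # no usable home directory: work in a fresh private directory instead
  TEMPDIR="$(mktemp -d /tmp/bash-script.XXXXXXXXXX)" || exit 1
  cd "${TEMPDIR}" || exit 1
fi
# do not overwrite existing files with >
set -C
# cd/pwd use the physical directory structure (symlinks resolved)
set -P
# privileged mode: $BASH_ENV/$ENV are not read, functions are not imported
# from the environment, SHELLOPTS/BASHOPTS/CDPATH/GLOBIGNORE from the
# environment are ignored
set -p
# exit on any error
set -e
# restricted shell on request
if [ "${RESTRICTED-0}" = "1" ]; then
  set -r
fi
# print verbose info
if [ "${VERBOSE-0}" = "1" ]; then
  echo "INFO: secure-bashscripts.sh included"
elif [ "${VERBOSE-0}" = "2" ]; then
  echo "INFO: secure-bashscripts.sh included"
  exit 0
fi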
packet-filter.sh (iptables-Skript)
#!/bin/bash
#
# packet-filter.sh
# fuer einen Router mit dynamischer externer IP-Adresse
# nicht sehr restriktiv und ohne QoS (lartc)
#
# Copyright 2007 Frank Remetter < sunnyboyfrank web de >
# License: GNU GPL v2
#
# Version: 200702071300
#
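# include secure-bashscripts.inc.sh (umask 077, fixed PATH, set -C, set -e, ...)
if [ -f "${HOME}/bin/secure-bashscripts.inc.sh" ]; then
  . "${HOME}/bin/secure-bashscripts.inc.sh"
else
  echo "${HOME}/bin/secure-bashscripts.inc.sh missing!" >&2
  exit 1
fi
# The include enables noclobber and errexit.  The rule set below writes to
# existing /proc entries with '>' and should not stop halfway through when a
# single iptables call fails, so both are switched off again.
set +C
set +e
###########################################################################
#
# 0. you need to be root
#
if [ "$UID" -ne "0" ]; then
  echo "ERROR: you need to be root to run this script" >&2
  exit 1
fi
###########################################################################
#
# 1. Configuration options.
#
#
# 1.0 Script variables
#
E_OPTERROR="65"   # exit status: no arguments
E_UOPTION="65"    # exit status: unknown option
NO_ARGS="0"
#
# 1.1 Interfaces
#
INT="eth0"   # internal (LAN) interface
EXT="ppp0"   # external interface (dynamic address)
#
# 1.2 IP's
#
INT_IP="192.168.57.5"            # currently unused by the rule set
INT_NET="192.168.57.0/24"
INET_BROADCAST="192.168.57.255"  # currently unused by the rule set
#NS="145.253.2.11 145.253.2.75 195.50.140.252"
#
# 1.3 Ports
#
PORTS_LOW="1:1023"               # currently unused by the rule set
PORTS_HIGH="1024:65535"
SSH_PORT_INT="22"
#SSH_PORT_EXT="22"
#
# 1.4 Commands
#
IPTABLES="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"
#IP="/usr/sbin/ip"
#TC="/usr/sbin/tc"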
###########################################################################
#
# 2. Functions.
#
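#######################################
# Print the command line synopsis.
# Outputs:   usage text on stdout
#######################################
print_usage() {
  # ${0##*/} replaces the unquoted `basename $0`
  printf '\nUsage: %s [-rt]|[-s] <args>\n\n' "${0##*/}"
  printf '\t-r \treset packet filter\n'
  printf '\t-s host \tsetup very simple single host filter\n'
  printf '\t-s gw \tsetup gateway filter\n'
  printf '\t-t std \tprint status\n'
  printf '\t-t verbose \tprint verbose status\n\n'
}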
#######################################
# Reset the nat and mangle policies to ACCEPT, then flush every rule and
# delete every user-defined chain in the filter, nat and mangle tables.
# Globals:   IPTABLES (read) - path of the iptables binary
# Outputs:   one confirmation line on stdout
#######################################
flush_tables() {
  local chain table
  # reset the default policies in the nat table.
  for chain in PREROUTING POSTROUTING OUTPUT; do
    $IPTABLES -t nat -P "$chain" ACCEPT
  done
  # reset the default policies in the mangle table.
  for chain in PREROUTING POSTROUTING INPUT OUTPUT FORWARD; do
    $IPTABLES -t mangle -P "$chain" ACCEPT
  done
  # flush all rules (filter first, then nat and mangle)
  $IPTABLES -F
  for table in nat mangle; do
    $IPTABLES -t "$table" -F
  done
  # delete the non-default chains (filter first, then nat and mangle)
  $IPTABLES -X
  for table in nat mangle; do
    $IPTABLES -t "$table" -X
  done
  echo "IPTABLES: all tables flushed"
}
#######################################
# Disable forwarding, set the filter policies to DROP and flush every table.
# Not called anywhere in this script (the option parser only uses reset,
# setup_gw, single_host, status and status_verbose).
# Globals:   IPTABLES (read)
# Outputs:   confirmation lines on stdout
#######################################
reload() {
  local chain
  echo "0" > /proc/sys/net/ipv4/ip_forward
  echo "0" > /proc/sys/net/ipv4/ip_dynaddr
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -P "$chain" DROP
  done
  flush_tables
  echo "IPTABLES: default drop"
}
#######################################
# Return netfilter to a permissive state: forwarding off, filter policies
# ACCEPT, every table flushed.  Bound to the -r option; afterwards the host
# runs without any packet filtering.
# Globals:   IPTABLES (read)
#######################################
reset() {
  local chain
  echo "0" > /proc/sys/net/ipv4/ip_forward
  echo "0" > /proc/sys/net/ipv4/ip_dynaddr
  for chain in INPUT FORWARD OUTPUT; do
    $IPTABLES -P "$chain" ACCEPT
  done
  flush_tables
}
#######################################
# List the rules of the filter, nat and mangle tables (numeric output).
# Globals:   IPTABLES (read)
#######################################
status() {
  local table
  $IPTABLES -nL
  for table in nat mangle; do
    $IPTABLES -t "$table" -nL
  done
}
#######################################
# Like status, but with packet/byte counters (-v).
# Globals:   IPTABLES (read)
#######################################
status_verbose() {
  local table
  $IPTABLES -vnL
  for table in nat mangle; do
    $IPTABLES -t "$table" -vnL
  done
}
#######################################
# Minimal stand-alone host filter: forwarding off, FORWARD policy DROP and
# new/invalid connections from the external interface dropped.  Unlike
# setup_gw this neither flushes existing rules nor touches the INPUT and
# OUTPUT policies; the rule is appended to whatever INPUT already holds.
# Globals:   IPTABLES, EXT (read)
# Outputs:   one confirmation line on stdout
#######################################
single_host() {
  echo "0" > /proc/sys/net/ipv4/ip_forward
  $IPTABLES -P FORWARD DROP
  $IPTABLES -A INPUT -i "$EXT" -m state --state NEW,INVALID -j DROP
  echo "IPTABLES: single_host started"
}
#######################################
# Build the complete gateway rule set: load the netfilter modules, set the
# IPv4 /proc knobs, then fill the filter, nat and mangle tables.  Existing
# rules are flushed first (5.0.1).  Reads the interface, network and port
# settings from section 1.
# Globals:   IPTABLES, MODPROBE, INT, EXT, INT_NET, PORTS_HIGH, SSH_PORT_INT (read)
# Outputs:   progress lines on stdout
#######################################
setup_gw() {
echo "IPTABLES: start gw func"
###########################################################################
#
# 3. Module loading. (recent 2.6 kernel)
#
# ip_conntrack_ftp and xt_helper back the '-m helper --helper ftp' rules in
# 5.1.2 and 5.1.4; ipt_TCPMSS backs the MSS clamping in 5.1.3.
echo " load modules"
$MODPROBE x_tables
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE iptable_mangle
$MODPROBE iptable_nat
$MODPROBE ip_conntrack
$MODPROBE ipt_LOG
$MODPROBE xt_state
$MODPROBE xt_tcpudp
$MODPROBE ipt_REJECT
$MODPROBE ipt_TCPMSS
$MODPROBE ipt_MASQUERADE
$MODPROBE ip_conntrack_ftp
$MODPROBE xt_helper
$MODPROBE xt_limit
#$MODPROBE ipt_owner
#$MODPROBE ip_conntrack_irc
#$MODPROBE ip_nat_ftp
#$MODPROBE ip_nat_irc
###########################################################################
#
# 4. /proc set up.
#
# forwarding on; ip_dynaddr for the dynamic address on $EXT (see header);
# syncookies, rp_filter, no redirects / source routing and log_martians are
# the usual router hardening knobs.
echo " set /proc"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
###########################################################################
#
# 5. Rules set up.
#
######
# 5.0 presetup
#
#
# 5.0.1 delete existing rules
#
# policies go to DROP before the flush, so nothing is let through while
# the tables are being rebuilt
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
flush_tables
#
# 5.0.2 localhost
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#
# 5.0.3 ssh
#
# ssh is reachable from the LAN side only; the $EXT variant stays commented out
$IPTABLES -A INPUT -i $INT -p TCP --dport $SSH_PORT_INT -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT -p TCP --sport $SSH_PORT_INT -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT -i $EXT -p TCP --dport $SSH_PORT_EXT -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXT -p TCP --sport $SSH_PORT_EXT -m state --state ESTABLISHED -j ACCEPT
#
# 5.0.4 custom chains
#
echo " Custom chains"
#
# LOG
#
# log_drop / log_reject / log_forw_drop: log with a per-protocol prefix, then
# drop or reject.  log_spoof lives in the mangle table because it is only
# jumped to from the mangle chain antispoof below.
$IPTABLES -N log_drop
$IPTABLES -A log_drop -p TCP -j LOG --log-prefix "DROP-TCP: "
$IPTABLES -A log_drop -p UDP -j LOG --log-prefix "DROP-UDP: "
$IPTABLES -A log_drop -p ICMP -j LOG --log-prefix "DROP-ICMP: "
$IPTABLES -A log_drop -j DROP
$IPTABLES -N log_reject
$IPTABLES -A log_reject -p ICMP -j LOG --log-prefix "REJECT-ICMP: "
$IPTABLES -A log_reject -p UDP -j LOG --log-prefix "REJECT-UDP: "
$IPTABLES -A log_reject -p TCP -j LOG --log-prefix "REJECT-TCP: "
$IPTABLES -A log_reject -p TCP -j REJECT --reject-with tcp-reset
$IPTABLES -A log_reject -p UDP -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A log_reject -j REJECT --reject-with icmp-proto-unreachable
$IPTABLES -N log_forw_drop
$IPTABLES -A log_forw_drop -p ICMP -j LOG --log-prefix "DROP-FORW-ICMP: "
$IPTABLES -A log_forw_drop -p UDP -j LOG --log-prefix "DROP-FORW-UDP: "
$IPTABLES -A log_forw_drop -p TCP -j LOG --log-prefix "DROP-FORW-TCP: "
$IPTABLES -A log_forw_drop -j DROP
$IPTABLES -t mangle -N log_spoof
$IPTABLES -t mangle -A log_spoof -j LOG --log-prefix "SPOOF: "
$IPTABLES -t mangle -A log_spoof -j DROP
#
# antispoof
#
# private (RFC 1918), loopback, multicast and reserved source ranges are
# logged and dropped; attached to mangle PREROUTING for $EXT in 5.3.1
$IPTABLES -t mangle -N antispoof
$IPTABLES -t mangle -A antispoof -s 192.168.0.0/16 -j log_spoof
$IPTABLES -t mangle -A antispoof -s 172.16.0.0/12 -j log_spoof
$IPTABLES -t mangle -A antispoof -s 10.0.0.0/8 -j log_spoof
$IPTABLES -t mangle -A antispoof -s 127.0.0.0/8 -j log_spoof
$IPTABLES -t mangle -A antispoof -s 224.0.0.0/4 -j log_spoof
$IPTABLES -t mangle -A antispoof -s 240.0.0.0/5 -j log_spoof
#
# bad_packets
#
# drops conntrack-INVALID packets, new TCP connections not starting with SYN,
# fragments, and echo requests above 1/s (burst 4) logged as "POD";
# also attached to mangle PREROUTING for $EXT in 5.3.1
$IPTABLES -t mangle -N bad_packets
$IPTABLES -t mangle -A bad_packets -m state --state INVALID -j LOG --log-prefix "INVALID: "
$IPTABLES -t mangle -A bad_packets -m state --state INVALID -j DROP
#$IPTABLES -t mangle -A bad_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -t mangle -A bad_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "
$IPTABLES -t mangle -A bad_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -t mangle -A bad_packets --fragment -j LOG --log-prefix "FRAGMENT: "
$IPTABLES -t mangle -A bad_packets --fragment -j DROP
$IPTABLES -t mangle -A bad_packets -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -t mangle -A bad_packets -p icmp --icmp-type echo-request -j LOG --log-prefix "POD: "
$IPTABLES -t mangle -A bad_packets -p icmp --icmp-type echo-request -j DROP
######
# 5.1 Filter table
#
echo " filter table"
#
# 5.1.1 default policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# 5.1.2 INPUT chain
#
#
# ICMP ('/sbin/iptables -p icmp -h')
#
# echo reply (0), echo (8); outgoing, incoming
$IPTABLES -A INPUT -p ICMP --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
# source quench (4)
$IPTABLES -A INPUT -p ICMP --icmp-type source-quench -j log_drop
# time exceeded (11)
$IPTABLES -A INPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
# parameter problem (12)
$IPTABLES -A INPUT -p ICMP --icmp-type parameter-problem -j ACCEPT
# destination unreachable (3)
# three sub-types are dropped explicitly before the generic
# destination-unreachable accept; rule order matters here
$IPTABLES -A INPUT -p ICMP --icmp-type protocol-unreachable -j log_drop
$IPTABLES -A INPUT -p ICMP --icmp-type port-unreachable -j log_drop
$IPTABLES -A INPUT -p ICMP --icmp-type fragmentation-needed -j log_drop
$IPTABLES -A INPUT -p ICMP --icmp-type destination-unreachable -j ACCEPT
#
# established
#
$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
#
# internal
#
# everything arriving on $INT with a source inside $INT_NET is accepted
$IPTABLES -A INPUT -i $INT -s $INT_NET -j ACCEPT
#
# external
#
# ident reject
$IPTABLES -A INPUT -i $EXT -p tcp --dport 113 -m state --state NEW -j REJECT --reject-with tcp-reset
# ftp-control (client)
#$IPTABLES -A INPUT -i $EXT -p tcp --sport 21 --dport $PORTS_HIGH -m conntrack --ctproto tcp --ctstate ESTABLISHED -m helper --helper ftp -j ACCEPT
# ftp-data-passive (client)
#$IPTABLES -A INPUT -i $EXT -p tcp --sport $PORTS_HIGH --dport $PORTS_HIGH -m conntrack --ctproto tcp --ctstate ESTABLISHED -m helper --helper ftp -j ACCEPT
# ftp-data-active (client)
$IPTABLES -A INPUT -i $EXT -p tcp --sport 20 --dport $PORTS_HIGH -m conntrack --ctproto tcp --ctstate ESTABLISHED,RELATED -m helper --helper ftp -j ACCEPT
#
# last
#
# anything not matched above is logged and dropped
$IPTABLES -A INPUT -j log_drop
#
# 5.1.3 FORWARD chain
#
# clamp the MSS of forwarded SYNs to the path MTU (PPP link on $EXT)
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#
# forward packets from internal
#
# only the LAN may open connections towards $EXT; new/invalid traffic from
# $EXT towards the LAN is logged and dropped
$IPTABLES -A FORWARD -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -s $INT_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state NEW,INVALID -j log_forw_drop
#
# last
#
$IPTABLES -A FORWARD -j log_forw_drop
#
# 5.1.4 OUTPUT chain
#
$IPTABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
#
# ICMP
#
# echo reply (0), echo (8); outgoing, incoming
$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-reply -j ACCEPT
# source quench (4)
$IPTABLES -A OUTPUT -p ICMP --icmp-type source-quench -j ACCEPT
# time exceeded (11)
$IPTABLES -A OUTPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
# parameter problem (12)
$IPTABLES -A OUTPUT -p ICMP --icmp-type parameter-problem -j ACCEPT
# destination unreachable (3)
$IPTABLES -A OUTPUT -p ICMP --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP --icmp-type port-unreachable -j ACCEPT
#
# internal
#
$IPTABLES -A OUTPUT -o $INT -d $INT_NET -j ACCEPT
#
# external
#
# new outbound connections from the gateway itself: DNS (53/udp), ssh (22),
# http (80), https (443), pop3s (995), smtp (25)
$IPTABLES -A OUTPUT -o $EXT -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p TCP --dport 995 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p TCP --dport 25 -m state --state NEW -j ACCEPT
# ftp-control (client)
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 21 --sport $PORTS_HIGH -m conntrack --ctproto tcp --ctstate NEW -j ACCEPT
# ftp-data-passive (client)
$IPTABLES -A OUTPUT -o $EXT -p tcp --sport $PORTS_HIGH --dport $PORTS_HIGH -m conntrack --ctproto tcp --ctstate ESTABLISHED,RELATED -m helper --helper ftp -j ACCEPT
# ftp-data-active (client)
#$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 20 --sport $PORTS_HIGH -m conntrack --ctproto tcp --ctstate ESTABLISHED -m helper --helper ftp -j ACCEPT
#
# last
#
# locally generated traffic that matched nothing above is logged and rejected
$IPTABLES -A OUTPUT -j log_reject
######
# 5.2 nat table
#
echo " nat table"
#
# 5.2.1 PREROUTING chain
#
#$IPTABLES -t nat -A PREROUTING -i $INT -s $INT_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
#
# 5.2.2 POSTROUTING chain
#
#
# Enable simple IP Forwarding and Network Address Translation
#
# MASQUERADE rather than SNAT because the address on $EXT is dynamic; the
# SNAT variant with a fixed EXT_IP stays commented out
# $IPTABLES -t nat -A POSTROUTING -i $INT -o $EXT -j SNAT --to-source $EXT_IP
$IPTABLES -t nat -A POSTROUTING -o $EXT -s $INT_NET -j MASQUERADE
#
# 5.2.3 OUTPUT chain
#
######
# 5.3 mangle table
#
echo " mangle table"
#
# 5.3.1 PREROUTING chain
#
# antispoof and bad_packets (5.0.4) are applied to everything entering on $EXT
$IPTABLES -t mangle -A PREROUTING -i $EXT -j antispoof
$IPTABLES -t mangle -A PREROUTING -i $EXT -j bad_packets
#
# 5.3.2 INPUT chain
#
#
# 5.3.3 FORWARD chain
#
#
# 5.3.4 OUTPUT chain
#
#
# 5.3.5 POSTROUTING chain
#
}
###########################################################################
#
# 6. Option parsing.
#
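###########################################################################
#
# 6. Option parsing.
#
if [ "$#" -eq "$NO_ARGS" ]; then
  print_usage
  exit "$E_OPTERROR"
fi
# leading ':' in the optstring: getopts reports a missing option argument
# as ':' instead of printing its own message
while getopts ":rs:t:" Option; do
  case "$Option" in
    r)
      reset
      ;;
    s)
      # an unknown -s argument now exits with E_UOPTION; the original
      # printed the usage and still finished with status 0
      case "$OPTARG" in
        gw)   setup_gw ;;
        host) single_host ;;
        *)    print_usage; exit "$E_UOPTION" ;;
      esac
      ;;
    t)
      case "$OPTARG" in
        std)     status ;;
        verbose) status_verbose ;;
        *)       print_usage; exit "$E_UOPTION" ;;
      esac
      ;;
    :)
      # -s or -t given without its argument
      print_usage
      exit "$E_UOPTION"
      ;;
    *)
      print_usage
      exit "$E_UOPTION"
      ;;
  esac
done
shift $((OPTIND - 1))
exit 0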