home-harmening:sicherheit:firewall:iptables

home-harmening:sicherheit:firewall:iptables [2024/10/09 11:01] – deleted - external edit (unknown date) 127.0.0.1
home-harmening:sicherheit:firewall:iptables [2024/10/09 11:01] (current) – ↷ page moved from sicherheit:firewall:iptables to home-harmening:sicherheit:firewall:iptables charmening
Zeile 1: Zeile 1:
 +====== IpTables Firewall ======
  
 +Hier ein Beispiel für ein Firewallskript mit IpTables
 +\\ \\
 +==== Installation ====
 +  - Ordner anlegen /root/firewall
 +  - Skripte hinein kopieren
 +  - Link für manuelle Steuerung anlegen
 +  - System Link hinzufügen
 +\\
 +== Link für manuelle Steuerung anlegen ==
 +<code>ln -s /root/firewall/firewall.sh /usr/local/sbin/firewall</code>
 +\\
 +== System Link hinzufügen ==
 +<code>
 +ln -s /root/firewall/firewall.service /etc/system/systemd/firewall.service
 +systemctl daemon-reload
 +</code>
 +\\
 +==== Bedienung ====
 +Neue Regeln werden in den Dateien ipv4.rules, ipv6.rules geschrieben.
 +Die Steuerung erfolgt entweder mit **systemctl start|stop|status firewall**
 +oder direkt mit **firewall start|stop|status|rules**.
 +\\
 +Alle Dateien befinden sich in dem Ordner
 +<code>
 +/root/firewall
 +|
 +|->firewall.start            # Startet die Firewall, setzt Standard Werte und lädt die Regeln
 +|->firewall.stop             # Stopt die Firewall und resettet diese
 +|->firewall.service          # Datei für die Systemd Daemon
 +|->firewall.sh               # Steuert die Firewall Hauptdatei
 +|->ipv4.rules                # Regeln für ipv4 <- Neue Regeln hier!
 +|->ipv6.rules                # Regeln für ipv6 <- Neue Regeln hier!
 +</code>
 +\\
 +=== Dateien ===
 +\\
 +== firewall.start ==
 +<code>
 +#!/bin/bash
 +# Startscript for iptables
 +
 +# Variables
 +  ipt4=$(which iptables)
 +  ipt6=$(which ip6tables)
 +  mypath=$(dirname $(realpath $0)) # Get path
 +  pidfile=/var/run/firewall.pid
 +
 +printf "\e[1;33mStarting Firewall\e[1;0m ... \n"
 +
 +# Enable debugging
 +  if [ ! -z ${@: -1} ]&&[ ${@: -1} = "debug" ]; then set -x ; fi
 +
 +# Reset Firewall
 +  # ipv4
 +    $ipt4 -F
 +    $ipt4 -t nat -F
 +    $ipt4 -t filter -F
 +    $ipt4 -P INPUT DROP
 +    $ipt4 -P FORWARD DROP
 +    $ipt4 -P OUTPUT DROP
 +
 +  # ipv6
 +    $ipt6 -F
 +    $ipt6 -t nat -F
 +    $ipt6 -t filter -F
 +    $ipt6 -P INPUT DROP
 +    $ipt6 -P FORWARD DROP
 +    $ipt6 -P OUTPUT DROP
 +
 +# Create PID File
 +  echo $$ > ${pidfile}
 +
 +/usr/bin/systemctl restart fail2ban
 +
 +#################
 +# Default rules #
 +#################
 +
 +  # allow local traffic
 +    $ipt4 -A INPUT -i lo -j ACCEPT
 +    $ipt4 -A OUTPUT -o lo -j ACCEPT
 +    $ipt4 -A FORWARD -i lo -j ACCEPT
 +    $ipt6 -A INPUT -i lo -j ACCEPT
 +    $ipt6 -A OUTPUT -o lo -j ACCEPT
 +    $ipt6 -A FORWARD -i lo -j ACCEPT
 +
 +  # Enable established incomming/outgoing connections
 +    $ipt4 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +    $ipt6 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +    $ipt4 -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
 +    $ipt6 -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
 +
 +# Enabled ipv4 rules
 +  source ${mypath}/ipv4.rules
 +# Enable ipv6 rules
 +  source ${mypath}/ipv6.rules
 +
 +###########
 +# logging #
 +###########
 +    if [ ! -z $2 ]&&[ $2 = "logging" ]; then
 +      case $3 in
 +        on)    #$ipt4 -A INPUT -j LOG
 +               #$ipt6 -A INPUT -j LOG;;
 +               $ipt4 -N LOGGING
 +               $ipt4 -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4 ;;
 +        of)    $ipt4 -D INPUT -j LOG
 +               $ipt6 -D INPUT -j LOG;;
 +        *)     printf "\nfirewall logging on|off\n"
 +      esac
 +    fi
 +
 +
 +# Disable debugging
 +  if [ ! -z ${@: -1} ]&&[ ${@: -1} = "debug" ]; then set +x ; fi
 +
 +exit 0
 +</code>
 +\\
 +== firewall.stop ==
 +<code>
 +#!/bin/bash
 +# Stopscript for iptables
 +
 +# Variables
 +  ipt4=$(which iptables)
 +  ipt6=$(which ip6tables)
 +  pidfile=/var/run/firewall.pid
 +
 +printf "\e[1;33mStopping Firewall\e[1;0m ... \n"
 +
 +# Reset Firewall
 +  # ipv4
 +    $ipt4 -F
 +    $ipt4 -t nat -F
 +    $ipt4 -t filter -F
 +    $ipt4 -P INPUT ACCEPT
 +    $ipt4 -P FORWARD ACCEPT
 +    $ipt4 -P OUTPUT ACCEPT
 +
 +  # ipv6
 +    $ipt6 -F
 +    $ipt6 -t nat -F
 +    $ipt6 -t filter -F
 +    $ipt6 -P INPUT ACCEPT
 +    $ipt6 -P FORWARD ACCEPT
 +    $ipt6 -P OUTPUT ACCEPT
 +
 +# Delete PID File if exists
 +  if [ -f ${pidfile} ]; then rm ${pidfile}; fi
 +
 +exit 0
 +</code>
 +\\
 +== firewall.sh ==
 +<code>
 +#!/bin/bash
 +
 +pidfile=/var/run/firewall.pid # Create PID File
 +mypath=$(dirname $(realpath $0)) # Get path
 +ipt=$(which iptables)
 +
 +help="
 +
 +This script can use to control iptables
 +
 +Config
 +------
 +  Write firewall rules in
 +    /root/firewall/ipv4.rules
 +    /root/firewall/ipv6.rules
 +
 +Control
 +-------
 +  \e[1;1mfirewall.sh {start|stop|restart|status|rules}}\e[1;0m
 +
 +    \e[1;1mstart\e[1;0m You can start iptables.
 +
 +                After start command you can set the logging command to enable or disable
 +                logging to syslog.
 +
 +                \e[1;1mfirewall start logging {on|off}\e[1;0m
 +
 +                On the last position you can write debug to debug your rules.
 +
 +                \e[1;1mfirewall start debug\e[1;0m
 +
 +    \e[1;1mstop\e[1;0m  You can flush your rules and disable iptables.
 +
 +    \e[1;1mrestart\e[1;0m       Stop and start your firewall.
 +
 +    \e[1;1mstatus\e[1;0m        Show if your firewall is running.
 +
 +    \e[1;1mrules\e[1;0m Show runnig rules.
 +
 +"
 +
 +case $1 in
 +  start)   ${mypath}/firewall.start $@;;
 +  stop)    ${mypath}/firewall.stop;;
 +  restart) ;;
 +  status)  if [ -f ${pidfile} ]; then
 +             printf "\nFirewall is \e[1;32mrunning\e[1;0m\n\n"
 +           else
 +             printf "\nFirewall is \e[1;31mstopped\n\n\e[1;0m"
 +           fi ;;
 +  rules)   printf "\n\e[4;33;1mFirewall filter rules\e[1;0m\n\n$($ipt -t filter -L -n -v --line-numbers)\n\n\e[4;33;1mFirewall NAT rules\e[1;0m\n\n$($ipt -t nat -L -n -v --line-numbers)\n\n" ;;
 +  help)    printf "${help}";;
 +  *)       printf "${help}";;
 +esac
 +
 +exit 0
 +</code>
 +\\
 +== firewall.servivce ==
 +<code>
 +[Unit]
 +  Description = Firewallscript for IpTables
 +[Service]
 +  Type = oneshot
 +  ExecStart = /root/firewall/firewall.sh start
 +  ExecReload = /root/firewall/firewall.sh restart
 +  ExecStop = /root/firewall/firewall.sh stop
 +  ExecStatus = /root/firewall/firewall.sh status
 +[Install]
 +  WantedBy = multi-user.target
 +</code>
 +\\
 +== ipv4.rules ==
 +<code>
 +# Variables
 +  ipt4=$(which iptables)
 +  ipt6=$(which ip6tables)
 +
 +#######
 +# SSH #
 +#######
 +
 +  # enable outgoing/incoming ssh connections
 +    $ipt4 -A INPUT -p tcp --sport 1024: --dport 22-m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept all incoming ssh on port 22"
 +    #$ipt6 -A INPUT -p tcp --sport 1024: --dport 22-m state --state NEW,ESTABLISHED -j ACCEPT
 +    $ipt4 -A OUTPUT -p tcp --sport 1024: --dport 22 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Accept all outgoing ssh"
 +    #ipt6 -A OUTPUT -p tcp --sport 1024: --dport 22 -m state --state ESTABLISHED -j ACCEPT
 +
 +########
 +# http #
 +########
 +    $ipt4 -A INPUT -p tcp --sport 1024: --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept alle incoming htt in port 80"
 +    $ipt4 -A INPUT -p tcp --sport 1024: --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept alle incoming htt in port 443"
 +
 +###########
 +# updates #
 +###########
 +
 +  # Ubuntu Repos
 +    repos="185.125.190.39 91.189.91.83 91.189.91.82 91.189.91.81 185.125.190.36"
 +    for repo in ${repos}; do
 +      $ipt4 -A OUTPUT -p tcp --sport 1024: --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept Update Repo"
 +      $ipt4 -A OUTPUT -p tcp --sport 1024: --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept Update Repo"
 +      $ipt6 -A OUTPUT -p tcp --sport 1024: --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept Update Repo"
 +      $ipt6 -A OUTPUT -p tcp --sport 1024: --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept Update Repo"
 +    done
 +
 +#######
 +# DNS #
 +#######
 +
 +  # enable outgoing dns requests
 +    dnsservers="8.8.8.8"
 +    for dnsserver in $dnsservers ; do
 +      $ipt4 -A OUTPUT -p tcp --dport 53 -d $dnsserver -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept outgoing dns to server"
 +      $ipt4 -A OUTPUT -p udp --dport 53 -d $dnsserver -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept outgoing dns to server"
 +    done
 +
 +#######
 +# NTP #
 +#######
 +  # enable ntp requests to internet ptbtime1.ptb.de
 +    ntpservers="192.53.103.108 192.53.103.104 192.53.103.103"
 +    for ntpserver in $ntpservers; do
 +      $ipt4 -A OUTPUT -p udp --dport 123 -d $ntpserver -m state --state  NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept ntp requests to internet"
 +    done
 +</code>
 +\\
 +== ipv6.rules ==
 +<code>
 +</code>
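Review bot: the SSH INPUT rule in ipv4.rules is missing the space between `22` and `-m` (`--dport 22-m state`), so iptables rejects that rule, and because firewall.start sets the INPUT policy to DROP before sourcing the rules, the host accepts no new SSH connections once the firewall is up; change it to `--dport 22 -m state --state NEW,ESTABLISHED`. Further points in the same hunk: the "System Link" step symlinks the unit into `/etc/system/systemd/`, which is not a systemd unit directory (the unit path is `/etc/systemd/system/`); `firewall.service` uses `Type = oneshot` without `RemainAfterExit=yes`, so the unit goes inactive as soon as firewall.start exits and `systemctl stop firewall` never runs `ExecStop`, while `ExecStatus` is not a systemd directive and is ignored with a warning; `ExecReload` calls `firewall.sh restart`, but the `restart)` case in firewall.sh is empty, so a reload is a no-op; the logging block in firewall.start creates a `LOGGING` chain and appends a LOG rule to it but never adds `-A INPUT -j LOGGING`, so nothing is ever logged, and the `of)` case (a typo for the `off` that the help text advertises) deletes an `INPUT -j LOG` rule that was never added; the reset block flushes with `-F` but never deletes user chains with `-X`, so `$ipt4 -N LOGGING` fails on every start after the first because the chain still exists; the update-repo loop never uses `$repo` in a `-d` match, so it allows outgoing 80/443 to any destination (five identical rules) instead of only the listed mirrors, and the `$ipt6` rules in that loop belong in ipv6.rules; the "outgoing ssh" OUTPUT rule matches only ESTABLISHED, so new outbound SSH is still dropped and the comment "Accept all outgoing ssh" is misleading; ip6tables is set to DROP on all three chains with ipv6.rules empty and no ICMPv6 exception, which blocks neighbour discovery and therefore all IPv6 connectivity, so either allow ICMPv6 (at least the ND types) or state that IPv6 is intentionally disabled; and the heading `firewall.servivce` is a typo for `firewall.service`.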