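# This arm rebuilds the filter rule set from scratch for a host whose
# uplink is wlan0.  $iptables must hold the iptables binary (it is set
# outside this block); abort loudly instead of executing "-t nat -F" as
# a bare command when it is empty.
: "${iptables:?iptables binary path not set}"

# Fail closed first: with DROP as the default policy, the window between
# the flush below and the new ACCEPT rules never leaves the host open.
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP

# Delete all existing rules (nat and filter tables) and user-defined chains.
$iptables -t nat -F
$iptables -t filter -F
$iptables -X

# Chain "garbage": log and drop.  The LOG rules are rate-limited so that a
# packet flood cannot fill the system log; the explicit DROP at the end
# makes the chain terminal, so a packet is never logged twice.
$iptables -N garbage
$iptables -A garbage -p TCP  -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix="DROP TCP-Packet: " --log-level info
$iptables -A garbage -p UDP  -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix="DROP UDP-Packet: " --log-level info
$iptables -A garbage -p ICMP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix="DROP ICMP-Packet: " --log-level info
$iptables -A garbage -j DROP

# Allow everything on loopback.
$iptables -A INPUT  -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

#####################################################
# Outbound connections (this host as client).  Every service gets a pair
# of rules: the request on OUTPUT and the matching reply on INPUT.
# Rules are appended (-A) in reading order; all of them are ACCEPTs, so
# their relative order does not change the result.
# "-m state" is the legacy spelling of "-m conntrack --ctstate".
# Port 22 (SSH)
$iptables -A OUTPUT -o wlan0 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT  -i wlan0 -p TCP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 53 (DNS), TCP and UDP
$iptables -A OUTPUT -o wlan0 -p TCP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT  -i wlan0 -p TCP --sport 53 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o wlan0 -p UDP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT  -i wlan0 -p UDP --sport 53 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 80 / 443 (HTTP/HTTPS): only to destinations listed in the ipset
# "whitelist".  The set must be created with ipset before this script runs
# (e.g. `ipset create whitelist hash:net`); if it does not exist these two
# OUTPUT rules fail to load and web traffic simply stays blocked (fail closed).
$iptables -A OUTPUT -o wlan0 -p TCP --sport 1024:65535 --dport 80  -m state --state NEW,ESTABLISHED,RELATED -m set --match-set whitelist dst -j ACCEPT
$iptables -A INPUT  -i wlan0 -p TCP --sport 80  --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o wlan0 -p TCP --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -m set --match-set whitelist dst -j ACCEPT
$iptables -A INPUT  -i wlan0 -p TCP --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 8080 (optional, disabled)
#$iptables -A OUTPUT -o wlan0 -p TCP --sport 1024:65535 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$iptables -A INPUT  -i wlan0 -p TCP --sport 8080 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 3128 (optional proxy, disabled)
#$iptables -A OUTPUT -o wlan0 -p TCP --sport 1024:65535 --dport 3128 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$iptables -A INPUT  -i wlan0 -p TCP --sport 3128 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP: only echo-reply is allowed out on wlan0.  No rule lets this host
# send an echo-request, so outgoing ping from this host does not work here.
$iptables -A OUTPUT -o wlan0 -p ICMP --icmp-type echo-reply -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT  -i wlan0 -p ICMP --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# Inbound connections (this host as server).  Note that NEW connections
# on these ports are accepted from any source address on wlan0; there is
# no per-source rate limit on SSH.
# Port 22 (SSH)
$iptables -A INPUT  -i wlan0 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o wlan0 -p TCP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 53 (DNS server), TCP, UDP server-to-server (53->53) and UDP clients
$iptables -A INPUT  -i wlan0 -p TCP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o wlan0 -p TCP --sport 53 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT  -i wlan0 -p UDP --sport 53 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o wlan0 -p UDP --sport 53 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT  -i wlan0 -p UDP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o wlan0 -p UDP --sport 53 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Port 80 (HTTP server)
$iptables -A INPUT  -i wlan0 -p TCP --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o wlan0 -p TCP --sport 80 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 443 (HTTPS server)
$iptables -A INPUT  -i wlan0 -p TCP --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o wlan0 -p TCP --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 8080 (optional, disabled)
#$iptables -A INPUT  -i wlan0 -p TCP --sport 1024:65535 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$iptables -A OUTPUT -o wlan0 -p TCP --sport 8080 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 3128 (optional proxy, disabled)
#$iptables -A INPUT  -i wlan0 -p TCP --sport 1024:65535 --dport 3128 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$iptables -A OUTPUT -o wlan0 -p TCP --sport 3128 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP: this host answers pings (echo-request in).
$iptables -A INPUT  -i wlan0 -p ICMP --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o wlan0 -p ICMP --icmp-type echo-request -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# Rate-limited ACCEPTs in FORWARD.  They do not block anything by
# themselves: the FORWARD policy is DROP and there is no
# ESTABLISHED,RELATED rule in FORWARD, so at most one first packet per
# second is forwarded and no forwarded connection can complete.  They are
# kept as in the original rule set; real flood protection belongs in
# INPUT and needs a matching DROP for the excess.
# SYN flood
$iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Port scan (bare RST)
$iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping of death
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#####################################################
# Accept packets belonging to connections that are already tracked
# (on any interface, as in the original rule set).
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# Everything not accepted above is logged and dropped by "garbage".
# One jump per chain is enough now that the chain ends in DROP.
$iptables -A INPUT   -j garbage
$iptables -A OUTPUT  -j garbage
$iptables -A FORWARD -j garbage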
;;