border-router-skript

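#!/bin/bash

# Border Router Skript UU
# (c) 2022 kB @ UbuntuUsers.de
# SPDX-License-Identifier: GLWTPL
# https://spdx.org/licenses/GLWTPL.html
# Documentation: https://wiki.ubuntuusers.de/Router/Paketfilter/
#
# Usage:  border-router-skript <external interface>
# Installs the ipset/iptables rules described in the article on this host.
# Needs root; when started as an ordinary user it re-executes itself via sudo.

# Abort on the first failing command and on unset variables. Set here rather
# than in the shebang ("#! /bin/bash -e"), so the options also apply when the
# script is started as `bash script` instead of directly.
set -eu

test "$UID" = 0 || exec sudo "$0" "$@"		# become root

# $1 is the external (upstream) interface. It must be non-empty, must not
# contain a slash (otherwise the existence check below could be pointed
# outside /sys/class/net) and must exist on this host. Its name is later
# interpolated unquoted into iptables rules, so keep it a plain interface name.
: "${1:? Bitte gib die externe Schnittstelle an!}"
case $1 in
	*/*)	echo "??? $1 ignoriert." >&2 ; exit 1 ;;
esac
test -e "/sys/class/net/$1"	||
	{ echo "??? $1 ignoriert." ; false ;}	>&2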

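# IPT: read one iptables rule specification per line from stdin and apply it
# to table $TABLE (default: filter).
#
# Each line is split into arguments on whitespace; shell quoting is NOT
# interpreted, so an argument such as --comment "a b" would reach iptables as
# two words carrying literal quote characters. Keep arguments free of spaces
# and quotes. Empty lines and lines starting with '#' are skipped, so rule
# sets can be annotated. The first rule iptables rejects is reported on
# stderr and makes IPT return 1 — with `set -e` that aborts the script instead
# of leaving a half-installed rule set behind.
IPT() {
	local -a rule
	while read -r -a rule ; do
		case ${rule[0]-} in '' | \#*) continue ;; esac
		iptables -t "${TABLE:=filter}" "${rule[@]}" ||
			{ echo "!!! iptables -t $TABLE ${rule[*]} fehlgeschlagen" >&2 ; return 1 ;}
	done
}

# Start from a clean slate: flush every chain (-F) and remove the now-empty
# user-defined chains (-X) in all tables. Chain policies are deliberately NOT
# touched here; in particular the filter table keeps whatever policy it had
# (ACCEPT on a fresh system), so all protection comes from the mangle rules
# installed below.
for TABLE in filter mangle nat raw security ; do
	IPT <<< '-F'
	IPT <<< '-X'
done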

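# Address sets used by the rules below. Only the sets this script owns are
# removed and recreated; the former blanket `ipset destroy` (no set name)
# also wiped every other set on the host. Removing a set that is still
# referenced by a rule fails and, with set -e, aborts the script.
for name in Localnet Martians Internet Auth-ext ; do
	ipset list -n "$name" >/dev/null 2>&1 && ipset destroy "$name"
done

# Localnet: every directly connected IPv4 network, taken from the link-scope
# unicast routes of all routing tables, minus link-local 169.254.0.0/16.
# The same prefix may appear in several tables, and point-to-point links can
# show up as a `default` route that is no prefix at all, hence the `|| true`.
# NOTE(review): a link-scope network on the external interface itself (e.g. a
# WAN /24 behind an ISP router) ends up in Localnet too; confirm that is
# intended, since Localnet sources are dropped on $1 in PREROUTING and
# masqueraded on $1 in nat/POSTROUTING.
ipset create	Localnet	hash:net
ip -4 route show table all scope link type unicast | grep -v '^169\.254'	|
	while read -r net _ ; do ipset add Localnet "$net" || true ; done

# Martians: private (RFC 1918), loopback, link-local, documentation,
# multicast, reserved and "this network" ranges that must never be seen as
# source or destination on the external interface.
ipset create	Martians	hash:net
for net	in	10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12	\
		192.168.0.0/16 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24	\
		203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 0.0.0.0/8
	do ipset add Martians "$net" ; done

# Internet: external hosts allowed to open new connections to the router or
# the local networks. Created empty; nothing in this script adds to it.
ipset create	Internet	hash:ip
# Auth-ext: external hosts that sent a UDP packet to port 7 (see the mangle
# PREROUTING rules). Entries expire 60 s after they were last (re)added.
ipset create	Auth-ext	hash:ip timeout 60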

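# mangle/PREROUTING — ingress policy for the external interface $1.
# Packets from any other interface are accepted right away (first rule). For
# packets arriving on $1 the chain drops invalid and spoofed traffic (own
# addresses, Localnet or martian sources, broadcasts), lets replies
# (RELATED,ESTABLISHED) and allow-listed sources (Internet, Auth-ext) through
# with RETURN, records a UDP "knock" on port 7 in Auth-ext, drops SNMP and
# ICMP, and finally DROPs everything that was not returned earlier — the
# knock packet itself included.
# The original listing ended with a bare `-A PREROUTING` (a rule without a
# target) that only counted packets and fell through to the ACCEPT policy,
# leaving the decision to the filter table, whose policy this script never
# sets; the explicit DROP is what gives the allow-lists their meaning.
# RETURN and ACCEPT are interchangeable here because the policy is ACCEPT.
#
# mangle/POSTROUTING — egress policy on $1, using two mark bits: 0x8 "good"
# (replies, DNS to the upstream resolver) and 0x1 "bad" (source outside
# Localnet, broadcast or martian destination). Good-only is accepted, bad-only
# dropped, both ("ugly") return to the ACCEPT policy; SNMP is always dropped.
# The LOG rule is rate-limited so spoofed traffic cannot flood the log.
# Rule comments name the "Gebot" of the article.
#
# IPT word-splits each line, so quotes would reach iptables as literal
# characters: comments contain neither spaces nor quotes. UPSTREAM_DNS (env,
# default 192.168.178.1) is the resolver whose queries are always let out.
TABLE=mangle	IPT	<<-	MANGLE
-P PREROUTING ACCEPT
-A PREROUTING ! -i $1 -j ACCEPT
-A PREROUTING -m state --state INVALID -j DROP
-A PREROUTING -m state --state RELATED,ESTABLISHED -j RETURN
-A PREROUTING -m addrtype --src-type LOCAL --limit-iface-in -j DROP
-A PREROUTING -m set --match-set Localnet src -j DROP
-A PREROUTING -m set --match-set Martians src -j DROP
-A PREROUTING -m addrtype --dst-type BROADCAST -j DROP
-A PREROUTING -m set --match-set Internet src -m addrtype --dst-type LOCAL --limit-iface-in -j RETURN
-A PREROUTING -m set --match-set Internet src -m set --match-set Localnet dst -j RETURN
-A PREROUTING -m set --match-set Auth-ext src -m addrtype --dst-type LOCAL --limit-iface-in -j RETURN
-A PREROUTING -m set --match-set Auth-ext src -m set --match-set Localnet dst -j RETURN
-A PREROUTING -m set --match-set Martians dst -j DROP
-A PREROUTING -p udp -m udp --dport 7 -j SET --add-set Auth-ext src
-A PREROUTING -p udp -m multiport --ports 161,162 -j DROP
-A PREROUTING -p icmp -j DROP
-A PREROUTING -j DROP
-P POSTROUTING ACCEPT
-A POSTROUTING ! -o $1 -j ACCEPT
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j MARK --set-xmark 0x8/0x8
-A POSTROUTING -m state --state INVALID -j DROP
-A POSTROUTING -m set ! --match-set Localnet src -m comment --comment Gebot_2/3 -j MARK --set-xmark 0x1/0x1
-A POSTROUTING -m set ! --match-set Localnet src -m limit --limit 10/min --limit-burst 20 -m comment --comment Gebot_2/3 -j LOG
-A POSTROUTING -m addrtype --dst-type BROADCAST -m comment --comment Gebot_6 -j MARK --set-xmark 0x1/0x1
-A POSTROUTING -m set --match-set Martians dst -m comment --comment Gebot_4/5 -j MARK --set-xmark 0x1/0x1
-A POSTROUTING -p udp -m multiport --ports 161,162 -m comment --comment Gebot_9 -j DROP
-A POSTROUTING -d ${UPSTREAM_DNS:-192.168.178.1}/32 -p udp -m udp --dport 53 -m comment --comment DNS -j MARK --set-xmark 0x8/0x8
-A POSTROUTING -m mark --mark 0x8/0x9 -m comment --comment The_Good -j ACCEPT
-A POSTROUTING -m mark --mark 0x1/0x9 -m comment --comment the_Bad -j DROP
-A POSTROUTING -m mark --mark 0x9/0x9 -m comment --comment and_the_Ugly -j RETURN
-A POSTROUTING -m comment --comment Catch-All -j ACCEPT
MANGLE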

# nat/POSTROUTING: masquerade everything that leaves through the external
# interface with a source address from one of the directly connected
# networks (Localnet). Written as direct iptables calls so the interface
# name can be quoted; the effect is the same two rules as before.
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o "$1" -m set --match-set Localnet src -j MASQUERADE

Das Skript zum Artikel Router/Paketfilter. Es fasst die im Artikel erläuterten Skript-Schnipsel zusammen.

Beachte: Dieses Skript installiert nur die Regeln für die beschriebene Firewall. Es leert dabei alle iptables-Tabellen (filter, mangle, nat, raw, security) und entfernt vorhandene ipsets; führe es daher nur auf dem dafür vorgesehenen Router aus. Für die generellen Einstellungen zur Funktion eines Routers lies die anderen Teile der Artikelserie.

Diese Revision wurde am 26. Juni 2022 16:10 von Heinrich_Schwietering erstellt.