Anhang: border-router-skript
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 | #! /bin/bash -e
# Border Router Skript UU
# (c) 2022 kB @ UbuntuUsers.de
# SPDX-License-Identifier: GLWTPL
# https://spdx.org/licenses/GLWTPL.html
# Dokumentation: https://wiki.ubuntuusers.de/Router/Paketfilter/
test $UID = 0 || exec sudo "$0" "$@" # Mach mich Admin!
test -e /sys/class/net/${1? Bitte gib die externe Schnittstelle an!} ||
{ echo "??? $1 ignoriert." ; false ;} >&2
IPT() while read ; do iptables -t ${TABLE:=filter} $REPLY ; done
for TABLE in filter mangle nat raw security ; do IPT <<< '-F' ; done
ipset destroy
ipset create Localnet hash:net
ip -4 route show table all scope link type unicast | grep -v ^169.254 |
while read x _ ; do ipset add Localnet $x || true ; done
ipset create Martians hash:net
for x in 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
192.168.0.0/16 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 \
203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 0.0.0.0/8
do ipset add Martians $x ; done
ipset create Internet hash:ip
ipset create Auth-ext hash:ip timeout 60
TABLE=mangle IPT <<- MANGLE
-P PREROUTING ACCEPT
-A PREROUTING ! -i $1 -j ACCEPT
-A PREROUTING -m state --state INVALID -j DROP
-A PREROUTING -m state --state RELATED,ESTABLISHED -j RETURN
-A PREROUTING -m addrtype --src-type LOCAL --limit-iface-in -j DROP
-A PREROUTING -m set --match-set Localnet src -j DROP
-A PREROUTING -m set --match-set Martians src -j DROP
-A PREROUTING -m addrtype --dst-type BROADCAST -j DROP
-A PREROUTING -m set --match-set Internet src -m addrtype --dst-type LOCAL --limit-iface-in -j RETURN
-A PREROUTING -m set --match-set Internet src -m set --match-set Localnet dst -j RETURN
-A PREROUTING -m set --match-set Auth-ext src -m addrtype --dst-type LOCAL --limit-iface-in -j RETURN
-A PREROUTING -m set --match-set Auth-ext src -m set --match-set Localnet dst -j RETURN
-A PREROUTING -m set --match-set Martians dst -j DROP
-A PREROUTING -p udp -m udp --dport 7 -j SET --add-set Auth-ext src
-A PREROUTING -p udp -m multiport --ports 161,162 -j DROP
-A PREROUTING -p icmp -j DROP
-A PREROUTING
-P POSTROUTING ACCEPT
-A POSTROUTING ! -o $1 -j ACCEPT
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j MARK --set-xmark 0x8/0x8
-A POSTROUTING -m state --state INVALID -j DROP
-A POSTROUTING -m set ! --match-set Localnet src -m comment --comment "Gebot_2/3" -j MARK --set-xmark 0x1/0x1
-A POSTROUTING -m set ! --match-set Localnet src -m comment --comment "Gebot_2/3" -j LOG
-A POSTROUTING -m addrtype --dst-type BROADCAST -m comment --comment Gebot_6 -j MARK --set-xmark 0x1/0x1
-A POSTROUTING -m set --match-set Martians dst -m comment --comment "Gebot_4/5" -j MARK --set-xmark 0x1/0x1
-A POSTROUTING -p udp -m multiport --ports 161,162 -m comment --comment Gebot_9 -j DROP
-A POSTROUTING -d 192.168.178.1/32 -p udp -m udp --dport 53 -m comment --comment DNS -j MARK --set-xmark 0x8/0x8
-A POSTROUTING -m mark --mark 0x8/0x9 -m comment --comment The_Good -j ACCEPT
-A POSTROUTING -m mark --mark 0x1/0x9 -m comment --comment the_Bad -j DROP
-A POSTROUTING -m mark --mark 0x9/0x9 -m comment --comment and_the_Ugly -j RETURN
-A POSTROUTING -m comment --comment Catch-All -j ACCEPT
MANGLE
TABLE=nat IPT <<- NAT
-P POSTROUTING ACCEPT
-A POSTROUTING -o $1 -m set --match-set Localnet src -j MASQUERADE
NAT
|
Das Skript zum Artikel Router/Paketfilter. Es fasst die im Artikel erläuterten Skript-Schnipsel zusammen.
Beachte: Dieses Skript installiert nur die Regeln für den beschriebenen Firewall. Für die generellen Einstellungen zur Funktion eines Routers lese die anderen Teile der Artikelserie.