Anhang: border-router-skript
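#!/bin/bash
# Border Router Skript UU
# (c) 2022 kB @ UbuntuUsers.de
# SPDX-License-Identifier: GLWTPL
# https://spdx.org/licenses/GLWTPL.html
# Dokumentation: https://wiki.ubuntuusers.de/Router/Paketfilter/
#
# Installs the border-router packet filter described in the article above.
#
# Usage:  border-router.sh <external interface>   (re-executes itself via sudo)
# Env:    DNS_SERVER  resolver whose UDP/53 queries are always treated as
#                     "good" egress traffic (default 192.168.178.1, the
#                     example address used on the wiki page)
#
# What it does, in order:
#   1. flushes the built-in chains of every iptables table and destroys
#      ALL ipsets on the host -- the script assumes it owns the ruleset;
#   2. builds four ipsets: Localnet (directly connected IPv4 networks),
#      Martians (private/reserved/multicast space), Internet (admin-kept
#      allow-list, created empty) and Auth-ext (hosts admitted for 60 s
#      after a UDP/7 "knock");
#   3. loads the mangle rules: PREROUTING filters what arrives on the
#      external interface, POSTROUTING marks egress packets as good (0x8)
#      or bad (0x1) and drops the bad ones;
#   4. masquerades Localnet sources leaving via the external interface.
#
# The filter table is only flushed; its chain policies are not changed.
# NOTE(review): the article is assumed to set up the filter policies
# elsewhere -- confirm the intended policies before deploying this alone.

# -e used to live in the shebang, where it is lost when the script is run
# as "bash script.sh"; setting it here also covers the sudo re-exec.
set -eu

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Everything below needs CAP_NET_ADMIN: re-execute ourselves via sudo.
(( UID == 0 )) || exec sudo "$0" "$@" # Mach mich Admin!

# $1 must name an existing network interface: the external / WAN side.
ext_if=${1? Bitte gib die externe Schnittstelle an!}
[[ -e "/sys/class/net/${ext_if}" ]] || die "??? ${ext_if} ignoriert."

# Resolver that the DNS rule in mangle POSTROUTING marks as "good" (see below).
DNS_SERVER=${DNS_SERVER:-192.168.178.1}

#######################################
# Feed one iptables rule per stdin line to the table named by TABLE.
# Blank lines and lines starting with '#' are skipped so rule sets can be
# annotated inline. Each line is word-split into arguments; shell quoting
# inside a line is NOT interpreted (quotes would reach iptables literally),
# so keep --comment strings free of spaces.
# Globals:   TABLE (read; defaults to "filter" when unset or empty)
# Arguments: none; rules are read from stdin
# Returns:   status of the first failing iptables call (aborts under -e)
#######################################
IPT() {
  local line
  local -a rule
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ "$line" =~ ^[[:space:]]*(#|$) ]] && continue
    read -r -a rule <<<"$line"
    iptables -t "${TABLE:=filter}" "${rule[@]}"
  done
}

# 1. Clean slate: flush the built-in chains of every table (no user-defined
#    chains are used here) and remove every ipset. "ipset destroy" without a
#    set name really destroys ALL sets on the host.
for TABLE in filter mangle nat raw security; do
  IPT <<<'-F'
done
ipset destroy

# 2a. Localnet: every directly connected IPv4 network except link-local.
ipset create Localnet hash:net
ip -4 route show table all scope link type unicast \
  | grep -v '^169\.254\.' \
  | while read -r prefix _; do
      # -exist: a network reachable over several routes is listed once per route
      ipset add -exist Localnet "$prefix" \
        || printf 'warn: could not add %s to Localnet\n' "$prefix" >&2
    done

# 2b. Martians: address space that must never be seen on the WAN side
#     (RFC 1918, loopback, link-local, RFC 5737 documentation networks,
#     multicast, class E, "this" network).
ipset create Martians hash:net
for net in 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
           192.168.0.0/16 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 \
           203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 0.0.0.0/8; do
  ipset add Martians "$net"
done

# 2c. Internet: admin-maintained allow-list of external hosts that may reach
#     the router and Localnet unsolicited. Created empty; fill it by hand.
ipset create Internet hash:ip

# 2d. Auth-ext: external hosts that sent a UDP datagram to port 7; entries
#     expire after 60 s. NOTE(review): this "knock" is unauthenticated and
#     trusts the packet's source address, so treat it as a convenience
#     gate rather than as access control.
ipset create Auth-ext hash:ip timeout 60

# 3. Mangle table: ingress policy in PREROUTING, egress hygiene in
#    POSTROUTING. "-m conntrack --ctstate" is the current spelling of the
#    older "-m state --state".
TABLE=mangle IPT <<MANGLE
# --- PREROUTING: what may come in on the external interface --------------
-P PREROUTING ACCEPT
# packets from any other interface are not this chain's concern
-A PREROUTING ! -i ${ext_if} -j ACCEPT
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
# replies to connections opened from inside are fine
-A PREROUTING -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
# spoofed sources: our own address, a local network, or martian space
-A PREROUTING -m addrtype --src-type LOCAL --limit-iface-in -j DROP
-A PREROUTING -m set --match-set Localnet src -j DROP
-A PREROUTING -m set --match-set Martians src -j DROP
-A PREROUTING -m addrtype --dst-type BROADCAST -j DROP
# allow-listed and knock-admitted hosts may reach the router and Localnet
-A PREROUTING -m set --match-set Internet src -m addrtype --dst-type LOCAL --limit-iface-in -j RETURN
-A PREROUTING -m set --match-set Internet src -m set --match-set Localnet dst -j RETURN
-A PREROUTING -m set --match-set Auth-ext src -m addrtype --dst-type LOCAL --limit-iface-in -j RETURN
-A PREROUTING -m set --match-set Auth-ext src -m set --match-set Localnet dst -j RETURN
-A PREROUTING -m set --match-set Martians dst -j DROP
# the "knock": a UDP datagram to port 7 (echo) records its source in Auth-ext
-A PREROUTING -p udp -m udp --dport 7 -j SET --add-set Auth-ext src
# SNMP from outside and ICMP are not wanted
-A PREROUTING -p udp -m multiport --ports 161,162 -j DROP
-A PREROUTING -p icmp -j DROP
# everything else that arrived unsolicited on the external interface.
# NOTE(review): the published listing has "-A PREROUTING" with no target
# here, which only counts packets and lets them fall through to the ACCEPT
# policy; DROP is the only target consistent with the RETURN rules above.
# Confirm against the article.
-A PREROUTING -j DROP
# --- POSTROUTING: what may leave via the external interface --------------
-P POSTROUTING ACCEPT
-A POSTROUTING ! -o ${ext_if} -j ACCEPT
# mark bit 0x8 = "good" (belongs to a known connection), bit 0x1 = "bad"
-A POSTROUTING -m conntrack --ctstate RELATED,ESTABLISHED -j MARK --set-xmark 0x8/0x8
-A POSTROUTING -m conntrack --ctstate INVALID -j DROP
# Gebot 2/3 (BCP 38): never emit a source address that is not ours.
# The LOG rule is rate-limited so a flood of spoofed packets cannot fill the log.
-A POSTROUTING -m set ! --match-set Localnet src -m comment --comment Gebot_2/3 -j MARK --set-xmark 0x1/0x1
-A POSTROUTING -m set ! --match-set Localnet src -m limit --limit 5/min --limit-burst 10 -m comment --comment Gebot_2/3 -j LOG --log-prefix BR-spoofed-src:
# Gebot 6: no broadcasts to the outside; Gebot 4/5: nothing towards martian space
-A POSTROUTING -m addrtype --dst-type BROADCAST -m comment --comment Gebot_6 -j MARK --set-xmark 0x1/0x1
-A POSTROUTING -m set --match-set Martians dst -m comment --comment Gebot_4/5 -j MARK --set-xmark 0x1/0x1
# Gebot 9: SNMP never leaves the site
-A POSTROUTING -p udp -m multiport --ports 161,162 -m comment --comment Gebot_9 -j DROP
# queries to the configured resolver are always good
-A POSTROUTING -d ${DNS_SERVER}/32 -p udp -m udp --dport 53 -m comment --comment DNS -j MARK --set-xmark 0x8/0x8
# verdict on the mark bits: good only -> accept, bad only -> drop,
# good and bad -> return to the ACCEPT policy (known connection, but dubious)
-A POSTROUTING -m mark --mark 0x8/0x9 -m comment --comment The_Good -j ACCEPT
-A POSTROUTING -m mark --mark 0x1/0x9 -m comment --comment the_Bad -j DROP
-A POSTROUTING -m mark --mark 0x9/0x9 -m comment --comment and_the_Ugly -j RETURN
-A POSTROUTING -m comment --comment Catch-All -j ACCEPT
MANGLE

# 4. NAT: hide Localnet behind the external interface's address.
TABLE=nat IPT <<NAT
-P POSTROUTING ACCEPT
-A POSTROUTING -o ${ext_if} -m set --match-set Localnet src -j MASQUERADE
NAT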
Das Skript zum Artikel Router/Paketfilter. Es fasst die im Artikel erläuterten Skript-Schnipsel zusammen.
Beachte: Dieses Skript installiert nur die Regeln für die beschriebene Firewall. Für die generellen Einstellungen zur Funktion eines Routers lies die anderen Teile der Artikelserie.