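#!/bin/sh
#
# Host firewall for a single workstation (no routing).  All three filter
# chains default to deny; the only things allowed are a short list of
# outbound services, most of them pinned to one destination host, plus the
# replies to connections this host opened (conntrack ESTABLISHED/RELATED).
#
# Must run as root.  IPv4 rules only -- ip6tables gets a matching
# default-deny at the very end, see the note there.

IT="/sbin/iptables"
# shellcheck disable=SC2034 -- kept for ad-hoc rules, not used below
priv_ports="0:1023"
# shellcheck disable=SC2034
unpriv_ports="1024:65535"

DNS="192.168.0.254"
#DNS="131.246.9.116"
PROXY="192.168.0.254"
#PROXY="0/0"

POP3="213.133.123.93"
SMTP="213.133.123.93"
NTP="131.246.9.116"

KEYSERVER1="69.36.240.251"
KEYSERVER2="195.113.19.83"
KEYSERVER3="212.247.204.136"
KEYSERVER4="213.239.206.174"
KEYSERVER5="213.239.212.133"
# HKP (GnuPG keyserver) port, numeric so the rules do not depend on an
# "hkp" entry being present in /etc/services.
HKP_PORT="11371"

# Abort on unset variables.  "-e" is switched on further down, only after
# the default policies are DROP, so that a failing rule leaves the host
# closed rather than half-open.
set -u

# Default policies FIRST, then flush.  Flushing a chain whose policy is
# still ACCEPT opens the host for as long as the rest of this script runs.
echo "policies"
"$IT" -P INPUT   DROP
"$IT" -P FORWARD DROP
"$IT" -P OUTPUT  DROP

# Flush the filter table and delete any leftover user-defined chains.
echo "flush"
"$IT" -F INPUT
"$IT" -F FORWARD
"$IT" -F OUTPUT
"$IT" -X

# From here on a failed iptables call aborts the script; the DROP policies
# set above are then all that remains in effect (fail closed).
set -e

# FTP connection-tracking helper: makes the data channel (server -> client
# for active mode, client -> random high port for passive mode) show up as
# RELATED.  Newer kernels ship it as nf_conntrack_ftp.
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp 2>/dev/null \
    || echo "warning: FTP conntrack helper not loaded, FTP data channels will fail" >&2
#modprobe ip_nat_ftp

# Loopback is unrestricted.
echo "lo"
"$IT" -A INPUT   -i lo -j ACCEPT
"$IT" -A FORWARD -i lo -j ACCEPT
"$IT" -A FORWARD -o lo -j ACCEPT
"$IT" -A OUTPUT  -o lo -j ACCEPT

# Anti-spoofing: loopback addresses must never arrive on a real interface,
# and packets conntrack cannot classify are dropped before any ACCEPT.
"$IT" -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
"$IT" -A INPUT -m state --state INVALID -j DROP

# ICMP: send anything, accept only replies/errors belonging to our own
# traffic (conntrack also ties ICMP errors for FTP sessions to RELATED).
echo "icmp"
"$IT" -A OUTPUT -p icmp -j ACCEPT
"$IT" -A INPUT  -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT

# This host is not a router: keep IP forwarding off (the FORWARD chain is
# rejected at the end as well).
echo "ip_forward off"
echo "0" > /proc/sys/net/ipv4/ip_forward

#$IT -A INPUT -j LOG --log-level debug --log-prefix "IPTABLES "

# Replies and helper-related connections for anything this host opened.
# The OUTPUT half is required for passive-mode FTP: the data connection is
# RELATED and goes to a random server port that no rule below covers, so
# without it the conntrack helper loaded above buys nothing.
echo "state"
"$IT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Outbound allow-list.  Everything except ssh and ftp is pinned to a
# single destination host.
echo "dns udp"
"$IT" -A OUTPUT -p udp -d "$DNS" --dport 53 -j ACCEPT

echo "dns tcp"
"$IT" -A OUTPUT -p tcp -d "$DNS" --dport 53 -j ACCEPT

# Web traffic goes through the proxy host only (80/443 direct, 3128 squid).
echo "http"
"$IT" -A OUTPUT -p tcp -d "$PROXY" --dport 80   -j ACCEPT
"$IT" -A OUTPUT -p tcp -d "$PROXY" --dport 443  -j ACCEPT
"$IT" -A OUTPUT -p tcp -d "$PROXY" --dport 3128 -j ACCEPT

echo "pop3s"
"$IT" -A OUTPUT -p tcp -d "$POP3" --dport 995 -j ACCEPT
"$IT" -A OUTPUT -p tcp -d "$POP3" --dport 563 -j ACCEPT #nntps

echo "smtp"
"$IT" -A OUTPUT -p tcp -d "$SMTP" --dport 25   -j ACCEPT
"$IT" -A OUTPUT -p tcp -d "$SMTP" --dport 8890 -j ACCEPT #httptunnel

# NOTE(review): ssh is the one service allowed to ANY destination; restrict
# with -d if the set of remote hosts is known.
echo "ssh"
"$IT" -A OUTPUT -p tcp --dport 22 -j ACCEPT

echo "gpg keyserver"
"$IT" -A OUTPUT -p tcp -d "$KEYSERVER1" --dport "$HKP_PORT" -j ACCEPT
"$IT" -A OUTPUT -p tcp -d "$KEYSERVER2" --dport "$HKP_PORT" -j ACCEPT
"$IT" -A OUTPUT -p tcp -d "$KEYSERVER3" --dport "$HKP_PORT" -j ACCEPT
"$IT" -A OUTPUT -p tcp -d "$KEYSERVER4" --dport "$HKP_PORT" -j ACCEPT
"$IT" -A OUTPUT -p tcp -d "$KEYSERVER5" --dport "$HKP_PORT" -j ACCEPT

# FTP control channel to any server; the data channel is handled by the
# conntrack helper via the ESTABLISHED,RELATED rules above.  The port-20
# rule is kept for servers that expect a client-initiated data connection.
echo "ftp"
#$IT -A OUTPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -m conntrack --ctproto 20 -j ACCEPT
"$IT" -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IT" -A OUTPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo "ntp"
"$IT" -A OUTPUT -p tcp -d "$NTP" --dport 123 -j ACCEPT
"$IT" -A OUTPUT -p udp -d "$NTP" --dport 123 -j ACCEPT

# Local printer: any protocol/port.
echo "printer"
"$IT" -A OUTPUT -d 192.168.0.250 -j ACCEPT

# Log what is left, rate-limited so a flood or port scan cannot fill the
# log or exhaust the disk.
echo "logging"
"$IT" -A INPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-level debug --log-prefix "IPTABLES "

# Explicit REJECT (not silent DROP) so local programs fail fast instead of
# hanging on timeouts.  The DROP policies only come into play if the script
# aborted before reaching this point.
"$IT" -A INPUT   -j REJECT
"$IT" -A OUTPUT  -j REJECT
"$IT" -A FORWARD -j REJECT

# IPv6: none of the above touches ip6tables, so on a kernel with IPv6
# enabled the host would otherwise be wide open over v6.  Apply the same
# default-deny (loopback plus replies only); OUTPUT is rejected rather than
# dropped so applications fall back to IPv4 immediately.  Best effort: a
# failure here is reported but does not undo the IPv4 configuration.
v6_lockdown() {
    IT6=$(command -v ip6tables) || return 0
    "$IT6" -P INPUT   DROP
    "$IT6" -P FORWARD DROP
    "$IT6" -P OUTPUT  DROP
    "$IT6" -F
    "$IT6" -X
    "$IT6" -A INPUT  -i lo -j ACCEPT
    "$IT6" -A OUTPUT -o lo -j ACCEPT
    "$IT6" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IT6" -A INPUT   -j REJECT
    "$IT6" -A OUTPUT  -j REJECT
    "$IT6" -A FORWARD -j REJECT
}
echo "ip6tables"
v6_lockdown || echo "warning: ip6tables lockdown incomplete, check IPv6 manually" >&2

echo "Fertig. Happy surfing"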
