Iptables-vpn-template: Unterschied zwischen den Versionen

(Die Seite wurde geleert.)
 
Zeile 1: Zeile 1:
*cat /etc/firewall
+
 
<pre>
 
#!/bin/bash
 
WANDEV="ens3"
 
LANDEV="ens6"
 
LAN="10.9.8.0/24"
 
VPNNET="10.76.76.0/24"
 
WANIP="94.130.248.217"
 
case $1 in
 
start)
 
echo "starte firewall"
 
iptables -F
 
iptables -F -t nat
 
iptables -P INPUT DROP
 
iptables -P OUTPUT DROP
 
iptables -P FORWARD DROP
 
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A OUTPUT -o lo -j ACCEPT
 
iptables -A INPUT -i lo -j ACCEPT
 
iptables -A OUTPUT -m state --state NEW -j ACCEPT
 
iptables -A FORWARD -i $LANDEV -o $WANDEV -s $LAN -d $VPNNET -m policy --dir out --pol ipsec -m state --state NEW -j ACCEPT
 
iptables -A FORWARD -i $WANDEV -o $LANDEV -s $VPNNET -d $LAN -m policy --dir in  --pol ipsec -m state --state NEW -j ACCEPT
 
iptables -A INPUT -m state -i $WANDEV --state NEW -p tcp --dport 8472 -j ACCEPT
 
iptables -A INPUT -m state -i $WANDEV --state NEW -p udp -m multiport --dport 500,4500,1701,8472 -j ACCEPT
 
iptables -A INPUT -m state -i $WANDEV --state NEW -p esp -j ACCEPT
 
iptables -A INPUT -m state -i $LANDEV    --state NEW -j ACCEPT
 
iptables -t nat -A POSTROUTING -s $LAN -d $VPNNET -j RETURN
 
iptables -t nat -A POSTROUTING -s $LAN -j SNAT --to  $WANIP
 
iptables -A INPUT  -j LOG  --log-prefix "--iptables-in--"
 
iptables -A OUTPUT -j LOG  --log-prefix "--iptables-out--"
 
iptables -A FORWARD -j LOG --log-prefix "--iptables-for--"
 
;;
 
stop)
 
echo "stoppe firewall"
 
iptables -F
 
iptables -F -t nat
 
iptables -P INPUT ACCEPT
 
iptables -P OUTPUT ACCEPT
 
iptables -P FORWARD ACCEPT
 
;;
 
esac
 
</pre>
 

Aktuelle Version vom 17. April 2020, 12:30 Uhr