• Willkommen im Linux Club - dem deutschsprachigen Supportforum für GNU/Linux. Registriere dich kostenlos, um alle Inhalte zu sehen und Fragen zu stellen.

iptables Skript fehlerhaft?

R

rapthor

Hallo,

anbei mein iptables Skript, das ein paar Regeln zum Testen eines Netzwerks vorgibt.
Leider scheinen Fehler enthalten zu sein, nur weiß ich nicht genau, wie ich diese lokalisiere. Sind hier vielleicht nur Syntaxfehler enthalten? Oder auch inhaltliche Diskrepanzen?

Wäre nett, wenn mal jemand drüberschauen könnte ... DANKE im Voraus!

Code: 
#!/bin/bash

# main policy

        iptables -F
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -P OUTPUT DROP


        iptables -A INPUT -p udp --sport 123 -j ACCEPT           # allow NTP
        iptables -A INPUT -p udp --dport 123 -j ACCEPT


        iptables -A FORWARD -f -j DENY                           # don't allow fragments
        iptables -A FORWARD -m mac --mac-source 00:09:02:4E:A6:7E --mac-destination 00:46:F4:0A:B6:FB -j DROP            # don't allow test-mac to access-fw communication

        iptables -A FORWARD -p tcp -j TCP
        iptables -A FORWARD -p udp -j UDP
        iptables -A FORWARD -p icmp -j ICMP


        iptables -A OUTPUT -p udp --sport 123 -j ACCEPT           # allow NTP
        iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

# protocol

        # process TCP packages
        iptables -N TCP
        iptables -P TCP DROP
        iptables -A TCP -p tcp --dport 53 -j DNS_POLICY
        iptables -A TCP -s 141.64.89.0/24 -j SUN_NET_s
        iptables -A TCP -s 141.64.63.0/24 -j TEST_NET_s
        iptables -A TCP -d 141.64.89.0/24 -j SUN_NET_d
        iptables -A TCP -d 141.64.63.0/24 -j TEST_NET_d

        # process UDP packages
        iptables -N UDP
        iptables -P UDP DROP
        iptables -A UDP -p udp --dport 53 -j DNS_POLICY
        iptables -A UDP -p udp --sport 123 -j ACCEPT              # allow NTP
        iptables -A UDP -p udp --dport 123 -j ACCEPT

         # process ICMP packages
        iptables -N ICMP
        iptables -P ICMP ACCEPT
        iptables -P ICMP -s 141.64.63.83 -j ICMP_TEST_WIN_s

# sub net

        # process TEST_NET_s packages
        iptables -N TEST_NET_s
        iptables -P TEST_NET_s DROP
        iptables -A TEST_NET_s -i eth0 -j TEST_NET_AUSSEN_s
        iptables -A TEST_NET_s -i eth1 -j TEST_NET_INNEN_s

        # process TEST_NET_d packages
        iptables -N TEST_NET_d
        iptables -P TEST_NET_d DROP
        iptables -A TEST_NET_d -i eth0 -j TEST_NET_AUSSEN_d
        iptables -A TEST_NET_d -i eth1 -j TEST_NET_INNEN_d


        # process TEST_NET_INNEN_s packages
        iptables -N TEST_NET_INNEN_s
        iptables -P TEST_NET_INNEN_s ACCEPT
        iptables -A TEST_NET_INNEN_s -s 141.64.63.82 -j TEST_SUSE_s
        iptables -A TEST_NET_INNEN_s -s 141.64.63.83 -j TEST_WIN_s
        iptables -A TEST_NET_INNEN_s -s 141.64.63.84 -j TEST_MAC_s

        # process TEST_NET_INNEN_d packages
        iptables -N TEST_NET_INNEN_d
        iptables -P TEST_NET_INNEN_d ACCEPT
        iptables -A TEST_NET_INNEN_d -d 141.64.63.82 -j TEST_SUSE_d
        iptables -A TEST_NET_INNEN_d -d 141.64.63.83 -j TEST_WIN_d
        iptables -A TEST_NET_INNEN_d -d 141.64.63.84 -j TEST_MAC_d


        # process TEST_NET_AUSSEN_s packages
        iptables -N TEST_NET_AUSSEN_s
        iptables -P TEST_NET_AUSSEN_s ACCEPT

        # process TEST_NET_AUSSEN_d packages
        iptables -N TEST_NET_AUSSEN_d
        iptables -P TEST_NET_AUSSEN_d ACCEPT


        # process SUN_NET_s packages
        iptables -N SUN_NET_s
        iptables -P SUN_NET_s ACCEPT

        # process SUN_NET_d packages
        iptables -N SUN_NET_d
        iptables -P SUN_NET_d ACCEPT


# client


        # process TEST_SUSE_s packages
        iptables -N TEST_SUSE_s
        iptables -P TEST_SUSE_s DROP
        iptables -A TEST_SUSE_s -p tcp --dport 80 -j ACCEPT       # allow http
        iptables -A TEST_SUSE_s -p tcp --dport 443 -j ACCEPT      # allow https

        # process TEST_SUSE_d packages
        iptables -N TEST_SUSE_d
        iptables -P TEST_SUSE_d DROP
        iptables -A TEST_SUSE_d -p tcp --sport 80 -j ACCEPT       # allow http
        iptables -A TEST_SUSE_d -p tcp --sport 443 -j ACCEPT      # allow https


        # process TEST_WIN_s packages
        iptables -N TEST_WIN_s
        iptables -P TEST_WIN_s DROP
        iptables -A TEST_WIN_s -p tcp --dport 5800 -j ACCEPT      # allow vnc login
        iptables -A TEST_WIN_s -p tcp --dport 5900 -j ACCEPT      # allow vnc viewer
        iptables -A TEST_WIN_s -p tcp --dport 80 -j ACCEPT        # allow http
        iptables -A TEST_WIN_s -p tcp --dport 443 -j ACCEPT       # allow https

        # process TEST_WIN_d packages
        iptables -N TEST_WIN_d
        iptables -P TEST_WIN_d DROP
        iptables -A TEST_WIN_d -p tcp --sport 5800 -j ACCEPT     # allow vnc login
        iptables -A TEST_WIN_d -p tcp --sport 5900 -j ACCEPT     # allow vnc viewer
        iptables -A TEST_WIN_d -p tcp --sport 80 -j ACCEPT       # allow http
        iptables -A TEST_WIN_d -p tcp --sport 443 -j ACCEPT      # allow https

        # process ICMP_TEST_WIN_s packages
        iptables -N ICMP_TEST_WIN_s
        iptables -P ICMP_TEST_WIN_s DROP
        iptables -A ICMP_TEST_WIN_s -d 141.64.0.0/16 -j ACCEPT    # allow tracert within TFH-Net


        # process TEST_MAC_s packages
        iptables -N TEST_MAC_s
        iptables -P TEST_MAC_s ACCEPT

        # process TEST_MAC_d packages
        iptables -N TEST_MAC_d
        iptables -P TEST_MAC_d ACCEPT


# port

        iptables -N DNS_POLICY
        iptables -P DNS_POLICY ACCEPT
        iptables -A DNS_POLICY -s 141.64.63.83 -j DROP            # Disable DNS for Test-Win
 
Du musst dich einloggen oder registrieren, um hier zu antworten.
Oben