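#!/bin/sh
#
# Firewall, NAT and mangle ruleset for the router (the "SPH*" addresses) with a
# Fritzbox on the LAN side. All traffic arriving on the WAN interfaces (ppp256,
# gre+) is DNATed to the Fritzbox; the FWD_SERVICE chain then admits only the
# VPN (IKE / NAT-T) and VoIP (SIPGATE, Telekom) ports and drops the rest.
#
# Required settings - edit before running. The script refuses to touch the
# ruleset while the "192.168.x.x" placeholders are still present, because a
# flushed table plus failing rules would leave the box with accept-all
# policies.
#   SPHIP       LAN address of this router            (Default = 192.168.2.1)
#   SPHLAN      LAN network, used as SPHLAN/24        (Default = 192.168.2.0)
#   FRITZBOXIP  LAN address of the Fritzbox           (Default = 192.168.2.2)
#
# Every rule goes through the device's `ipt iptables` wrapper. The current
# rules of each table are printed (--list-rules) before the table is flushed
# and rebuilt; failed rules are reported on stderr and counted, and the script
# exits 1 if any rule failed.
#
# NOTE(review): between --flush / -P ... ACCEPT and the trailing DROP rules the
# box briefly runs with accept-all policies. Run this from the console or the
# LAN side, not unattended while the WAN links are up.
#

set -u

# Default = 192.168.2.1
SPHIP="192.168.x.x"
# Default = 192.168.2.0
SPHLAN="192.168.x.x"
# Default = 192.168.2.2
FRITZBOXIP="192.168.x.x"

# Number of iptables invocations that returned non-zero (see fw()).
failed=0

#######################################
# Run one iptables command through the ipt wrapper.
# Arguments: iptables arguments, including any -t table selection
# Outputs:   iptables output; a warning on stderr when the command fails
# Globals:   failed (incremented on failure)
# Returns:   always 0 so that the remaining rules are still installed
#######################################
fw() {
  ipt iptables "$@" || {
    printf 'warning: rule failed: iptables %s\n' "$*" >&2
    failed=$((failed + 1))
  }
  return 0
}

#######################################
# Abort before any table is flushed if the configuration is unusable:
# the address variables must look like IPv4 addresses (digits and dots only,
# which also rejects the "192.168.x.x" placeholders) and `ipt` must exist.
# Globals:   SPHIP, SPHLAN, FRITZBOXIP (read)
# Returns:   0 if usable; exits 1 otherwise
#######################################
check_config() {
  for addr in "$SPHIP" "$SPHLAN" "$FRITZBOXIP"; do
    case "$addr" in
      ''|*[!0-9.]*)
        printf 'error: SPHIP, SPHLAN and FRITZBOXIP must be set to real IPv4 addresses before running\n' >&2
        exit 1
        ;;
    esac
  done
  if ! command -v ipt >/dev/null 2>&1; then
    printf 'error: the ipt wrapper is not available in this shell\n' >&2
    exit 1
  fi
}

#######################################
# Rebuild the filter table: INPUT is restricted to the LAN (br0) with a SYN
# rate limit, FORWARD keeps LAN/WAN address spaces apart and whitelists the
# services that may reach the Fritzbox from the WAN.
# Globals:   SPHIP, SPHLAN, FRITZBOXIP (read)
#######################################
filter_table() {
  fw --list-rules
  fw --flush
  fw --delete-chain
  fw -P INPUT ACCEPT
  fw -P FORWARD ACCEPT
  fw -P OUTPUT ACCEPT
  fw -N FWD_LAN_SUBNET
  fw -N FWD_SERVICE
  fw -N INPUT_FIREWALL
  fw -N INPUT_LAN_SUBNET

  # ICMP: answer the LAN, ignore pings from the WAN links.
  fw -A INPUT -s "${SPHLAN}/24" -i br0 -p icmp -j ACCEPT
  fw -A INPUT -p icmp -i ppp256 -j DROP
  fw -A INPUT -p icmp -i gre+ -j DROP
  fw -A INPUT -i lo -j ACCEPT
  fw -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  fw -A INPUT -j INPUT_LAN_SUBNET
  fw -A INPUT -j INPUT_FIREWALL

  # Packets carrying bit 0x80000000 in the fwmark bypass the forward filter
  # (the mark itself is set outside this script).
  fw -A FORWARD -m mark --mark 0x80000000/0x80000000 -j ACCEPT
  fw -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  fw -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  fw -A FORWARD -j FWD_LAN_SUBNET
  fw -A FORWARD -j FWD_SERVICE

  # Anti-spoofing: the LAN subnet only exists on br0, and the LAN may not
  # reach RFC1918 space through the WAN links or the cellular interface.
  fw -A FWD_LAN_SUBNET -s "${SPHLAN}/24" ! -i br0 -j DROP
  fw -A FWD_LAN_SUBNET ! -s "${SPHLAN}/24" -i br0 -j DROP
  fw -A FWD_LAN_SUBNET -i br0 -o rmnet0 -j DROP
  fw -A FWD_LAN_SUBNET -d 192.168.0.0/16 -i br0 -o ppp256 -j DROP
  fw -A FWD_LAN_SUBNET -d 172.16.0.0/12 -i br0 -o ppp256 -j DROP
  fw -A FWD_LAN_SUBNET -d 10.0.0.0/8 -i br0 -o ppp256 -j DROP
  fw -A FWD_LAN_SUBNET -d 192.168.0.0/16 -i br0 -o gre+ -j DROP
  fw -A FWD_LAN_SUBNET -d 172.16.0.0/12 -i br0 -o gre+ -j DROP
  fw -A FWD_LAN_SUBNET -d 10.0.0.0/8 -i br0 -o gre+ -j DROP

  # Link-local and loopback addresses never cross the router.
  fw -A FWD_SERVICE -d 169.254.0.0/16 -i br0 -j DROP
  fw -A FWD_SERVICE -s 169.254.0.0/16 ! -i br0 -j DROP
  fw -A FWD_SERVICE -s 127.0.0.0/8 ! -i br0 -j DROP

  #
  # VPN (IKE / NAT-T) to the Fritzbox
  #
  fw -A FWD_SERVICE -d "${FRITZBOXIP}/32" -i gre+ -p udp -m udp --dport 500 -j ACCEPT
  fw -A FWD_SERVICE -d "${FRITZBOXIP}/32" -i gre+ -p udp -m udp --dport 4500 -j ACCEPT
  fw -A FWD_SERVICE -d "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 500 -j ACCEPT
  fw -A FWD_SERVICE -d "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 4500 -j ACCEPT

  #
  # HTTPS to the Fritzbox (disabled; uncomment to expose the Fritzbox web UI
  # to the WAN)
  #
  #fw -A FWD_SERVICE -d "${FRITZBOXIP}/32" -i gre+ -p tcp -m tcp --dport 443 -j ACCEPT
  #fw -A FWD_SERVICE -d "${FRITZBOXIP}/32" -i ppp256 -p tcp -m tcp --dport 443 -j ACCEPT

  #
  # SIPGATE VoIP to the Fritzbox (SIP 5060 from the SIP proxies, RTP
  # 7078-7109 from the media networks)
  #
  fw -A FWD_SERVICE -s 217.10.64.0/20 -d "${FRITZBOXIP}/32" -i gre+ -p udp -m udp --dport 7078:7109 -j ACCEPT
  fw -A FWD_SERVICE -s 217.116.112.0/20 -d "${FRITZBOXIP}/32" -i gre+ -p udp -m udp --dport 7078:7109 -j ACCEPT
  fw -A FWD_SERVICE -s 212.9.32.0/19 -d "${FRITZBOXIP}/32" -i gre+ -p udp -m udp --dport 7078:7109 -j ACCEPT
  fw -A FWD_SERVICE -s 217.10.79.9/32 -d "${FRITZBOXIP}/32" -i gre+ -p udp -m udp --dport 5060 -j ACCEPT
  fw -A FWD_SERVICE -s 217.10.68.147/32 -d "${FRITZBOXIP}/32" -i gre+ -p udp -m udp --dport 5060 -j ACCEPT
  fw -A FWD_SERVICE -s 217.10.68.150/32 -d "${FRITZBOXIP}/32" -i gre+ -p udp -m udp --dport 5060 -j ACCEPT
  fw -A FWD_SERVICE -s 217.10.64.0/20 -d "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 7078:7109 -j ACCEPT
  fw -A FWD_SERVICE -s 217.116.112.0/20 -d "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 7078:7109 -j ACCEPT
  fw -A FWD_SERVICE -s 212.9.32.0/19 -d "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 7078:7109 -j ACCEPT
  fw -A FWD_SERVICE -s 217.10.79.9/32 -d "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT
  fw -A FWD_SERVICE -s 217.10.68.147/32 -d "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT
  fw -A FWD_SERVICE -s 217.10.68.150/32 -d "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT

  #
  # Telekom VoIP
  #
  # NOTE(review): the network/port pairing here (217.0.16.0/20 with 5060,
  # 217.0.0.0/20 with 7078:7109) is the reverse of the pairing used in the
  # mangle FWD_FILTER_LIST chain below; kept as in the original, confirm which
  # one is intended.
  fw -A FWD_SERVICE -s 217.0.16.0/20 -d "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT
  fw -A FWD_SERVICE -s 217.0.0.0/20 -d "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 7078:7109 -j ACCEPT
  # NOTE(review): the next two rules match -i ppp256 together with the
  # Fritzbox's LAN address as source; on this topology the Fritzbox's own
  # packets enter on br0, so these look as if they never match (-o ppp256 may
  # have been intended). Kept unchanged.
  fw -A FWD_SERVICE -d 217.0.16.0/20 -s "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT
  fw -A FWD_SERVICE -d 217.0.0.0/20 -s "${FRITZBOXIP}/32" -i ppp256 -p udp -m udp --dport 7078:7109 -j ACCEPT
  # Everything else that the nat table DNATed to the Fritzbox is dropped here.
  fw -A FWD_SERVICE -d "${FRITZBOXIP}/32" -i ppp256 -j DROP
  fw -A FWD_SERVICE -d "${FRITZBOXIP}/32" -i gre+ -j DROP

  # Local services from the LAN. The four port-specific ACCEPTs exempt SSH,
  # DNS/tcp, HTTP and 8080 from the SYN rate limit; every other new TCP
  # connection from br0 is accepted up to 10/s (burst 50) and dropped above
  # that. Nothing from outside br0 reaches INPUT except RELATED,ESTABLISHED.
  # Non-TCP traffic from br0 (e.g. DNS over UDP) falls through to the INPUT
  # policy, which is ACCEPT.
  fw -A INPUT_FIREWALL -d "${SPHIP}/32" -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
  fw -A INPUT_FIREWALL -d "${SPHIP}/32" -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
  fw -A INPUT_FIREWALL -d "${SPHIP}/32" -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
  fw -A INPUT_FIREWALL -d "${SPHIP}/32" -i br0 -p tcp -m tcp --dport 8080 -j ACCEPT
  fw -A INPUT_FIREWALL -i br0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10/sec --limit-burst 50 -j ACCEPT
  fw -A INPUT_FIREWALL -i br0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  fw -A INPUT_FIREWALL ! -i br0 -j DROP
  # LAN source addresses arriving on any interface but br0 are spoofed.
  fw -A INPUT_LAN_SUBNET -s "${SPHLAN}/24" ! -i br0 -j DROP
}

#######################################
# Rebuild the nat table: masquerade towards the WAN links (full-cone via the
# vendor --mode extension) and DNAT everything inbound to the Fritzbox.
# Globals:   FRITZBOXIP (read)
#######################################
nat_table() {
  fw -t nat --list-rules
  fw -t nat --flush
  fw -t nat --delete-chain
  fw -t nat -P PREROUTING ACCEPT
  fw -t nat -P INPUT ACCEPT
  fw -t nat -P OUTPUT ACCEPT
  fw -t nat -P POSTROUTING ACCEPT
  # --mode fullcone is a vendor extension of this firmware's iptables.
  fw -t nat -A POSTROUTING -o gre2 -j MASQUERADE --mode fullcone
  fw -t nat -A POSTROUTING -o gre1 -j MASQUERADE --mode fullcone
  fw -t nat -A POSTROUTING -o ppp256 -j MASQUERADE --mode fullcone
  # Marked traffic (bits set in the mangle table or by the firmware) is
  # masqueraded without the full-cone mode.
  fw -t nat -A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
  fw -t nat -A POSTROUTING -o ppp256 -m mark --mark 0x40000000/0xf0000000 -j MASQUERADE
  fw -t nat -A POSTROUTING -o ppp256 -m mark --mark 0x20000000/0xf0000000 -j MASQUERADE
  fw -t nat -A POSTROUTING -o ppp256 -m mark --mark 0x10000000/0xf0000000 -j MASQUERADE
  # Unconditional DNAT of all inbound WAN traffic: the only thing limiting
  # what reaches the Fritzbox is the FWD_SERVICE whitelist in the filter table.
  fw -t nat -A PREROUTING -i gre+ -j DNAT --to-destination "$FRITZBOXIP"
  fw -t nat -A PREROUTING -i ppp256 -j DNAT --to-destination "$FRITZBOXIP"
}

#######################################
# Rebuild the mangle table: MSS clamping per WAN link (1412 on ppp256, 1344 on
# the GRE tunnels), DSCP reset and fwmark classification for LAN traffic.
# Globals:   SPHLAN (read)
#######################################
mangle_table() {
  fw -t mangle --list-rules
  fw -t mangle --flush
  fw -t mangle --delete-chain
  fw -t mangle -P PREROUTING ACCEPT
  fw -t mangle -P INPUT ACCEPT
  fw -t mangle -P FORWARD ACCEPT
  fw -t mangle -P OUTPUT ACCEPT
  fw -t mangle -P POSTROUTING ACCEPT
  fw -t mangle -N FORWARD_WAN_RULES
  fw -t mangle -N FWD_FILTER_LIST
  fw -t mangle -N ROUTE_CTL_LIST

  # Inbound MSS clamping (SYN and SYN,ACK) per link.
  fw -t mangle -A PREROUTING -i ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412
  fw -t mangle -A PREROUTING -i ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412
  fw -t mangle -A PREROUTING -i br0 -j ROUTE_CTL_LIST
  fw -t mangle -A PREROUTING -i gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
  fw -t mangle -A PREROUTING -i gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
  fw -t mangle -A PREROUTING -i gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
  fw -t mangle -A PREROUTING -i gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
  fw -t mangle -A FORWARD -i br0 -j FORWARD_WAN_RULES

  # Locally generated traffic: clear marks 0xe and 0x9 in the low nibble,
  # mark outgoing DNS with 0x6, and route 0x1000-marked packets via ROUTE_CTL_LIST.
  fw -t mangle -A OUTPUT -m mark --mark 0xe/0xf -j MARK --set-xmark 0x0/0xf
  fw -t mangle -A OUTPUT -m mark --mark 0x9/0xf -j MARK --set-xmark 0x0/0xf
  fw -t mangle -A OUTPUT -p udp -m udp --dport 53 -j MARK --set-xmark 0x6/0xf
  fw -t mangle -A OUTPUT -m mark --mark 0x1000/0x1000 -j ROUTE_CTL_LIST

  # Outbound MSS clamping (SYN and SYN,ACK) per link.
  fw -t mangle -A POSTROUTING -o ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412
  fw -t mangle -A POSTROUTING -o ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412
  fw -t mangle -A POSTROUTING -o gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
  fw -t mangle -A POSTROUTING -o gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
  fw -t mangle -A POSTROUTING -o gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
  fw -t mangle -A POSTROUTING -o gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344

  # LAN-originated forwards: strip DSCP and mark small pure ACKs (40-64 bytes)
  # with 0x6.
  fw -t mangle -A FORWARD_WAN_RULES -j DSCP --set-dscp 0x00
  fw -t mangle -A FORWARD_WAN_RULES -p tcp -m tcp --tcp-flags ACK ACK -m length --length 40:64 -j MARK --set-xmark 0x6/0xf

  # NOTE(review): FWD_FILTER_LIST is created and filled here but no rule in
  # this script jumps to it; presumably the firmware references it. Verify,
  # otherwise these rules are dead.
  fw -t mangle -A FWD_FILTER_LIST -m dscp --dscp 0x30 -j MARK --set-xmark 0x40000000/0xf0000000
  fw -t mangle -A FWD_FILTER_LIST -m dscp --dscp 0x28 -j MARK --set-xmark 0x40000000/0xf0000000

  #
  # Telekom VoIP
  #
  fw -t mangle -A FWD_FILTER_LIST -d 217.0.0.0/20 -p udp -m udp --dport 5060 -j MARK --set-xmark 0x10000000/0xf0000000
  fw -t mangle -A FWD_FILTER_LIST -d 217.0.0.0/20 -p udp -m udp --sport 5060 -j MARK --set-xmark 0x10000000/0xf0000000
  fw -t mangle -A FWD_FILTER_LIST -d 217.0.16.0/20 -p udp -m udp --dport 7078:7109 -j MARK --set-xmark 0x20000000/0xf0000000
  fw -t mangle -A FWD_FILTER_LIST -d 217.0.16.0/20 -p udp -m udp --sport 7078:7109 -j MARK --set-xmark 0x20000000/0xf0000000

  #
  #
  #
  # Traffic staying inside the LAN subnet leaves ROUTE_CTL_LIST unmarked.
  fw -t mangle -A ROUTE_CTL_LIST -d "${SPHLAN}/24" -j RETURN
}

#######################################
# Entry point: validate the configuration, then rebuild filter, nat and
# mangle in that order. Exits 1 if any rule failed to install.
# Globals:   failed (read)
#######################################
main() {
  check_config
  filter_table
  nat_table
  mangle_table
  if [ "$failed" -ne 0 ]; then
    printf 'error: %s rule(s) failed to install; inspect the messages above\n' "$failed" >&2
    exit 1
  fi
}

main "$@"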