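#!/bin/sh
#
# iptables ruleset for a router whose LAN side is the bridge "br0" and whose
# upstream interfaces are "ppp256", "gre1"/"gre2" (masqueraded below) and
# "rmnet0" (forwarding from the LAN to it is dropped).  Presumably a Telekom
# Speedport Hybrid, judging by the SPH* variable names — confirm.
#
# Required settings (edit the defaults below before running):
#   SPHIP       - the router's own LAN address
#   SPHLAN      - the LAN network address (used with a /24 mask)
#   FRITZBOXIP  - LAN address of the Fritzbox that receives the forwarded
#                 VPN / VoIP traffic
#
# Every rule goes through "ipt", which is not defined in this file.
# NOTE(review): presumably a firmware helper wrapping iptables — confirm that
# it propagates iptables' exit status, otherwise failed rules go unnoticed.
#
# The script is intentionally POSIX sh (no bashisms): the target is most
# likely a busybox shell.

set -u

# Default = 192.168.2.1
SPHIP="192.168.x.x"
# Default = 192.168.2.0
SPHLAN="192.168.x.x"
# Default = 192.168.2.2
FRITZBOXIP="192.168.x.x"

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Abort unless $2 (the value of the variable named $1) looks like a dotted
# IPv4 address.  The shipped defaults are "192.168.x.x" placeholders; without
# this guard the script would flush the live ruleset first and only then have
# every rule that references the placeholder fail.
check_ip() {
  case "$2" in
    '' | *[!0-9.]*)
      die "$1 is not an IPv4 address ('$2'): edit the defaults at the top of this script"
      ;;
  esac
}

check_ip SPHIP "$SPHIP"
check_ip SPHLAN "$SPHLAN"
check_ip FRITZBOXIP "$FRITZBOXIP"

###########################################################################
# filter table
###########################################################################
# ipt iptables --list-rules
ipt iptables --flush
ipt iptables --delete-chain
ipt iptables -P INPUT DROP
# NOTE(review): FORWARD relies on the trailing "-A FORWARD -j DROP" below as
# its catch-all; the policy itself stays ACCEPT, so any rule run that stops
# before that last line leaves forwarding open.  "-P FORWARD DROP" would give
# the same final behaviour and fail closed — confirm the ipt wrapper allows it.
ipt iptables -P FORWARD ACCEPT
ipt iptables -P OUTPUT ACCEPT
ipt iptables -A INPUT -i lo -j ACCEPT

#
# Allow ICMP in general
#
# Accepts ICMP on every interface, WAN included, without a rate limit; that is
# the author's stated intent — tighten here if ICMP from upstream is not needed.
ipt iptables -A INPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#
#
#
ipt iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# TFTP (udp/69) is only accepted on in_0 and only for 172.10.10.10.
ipt iptables -A INPUT ! -i in_0 -p udp -m udp --dport 69 -j DROP
ipt iptables -A INPUT -d 172.10.10.10/32 -p udp -m udp --dport 69 -j ACCEPT
ipt iptables -A INPUT -d 255.255.255.255/32 -p 47 -j DROP
# Anti-spoofing: link-local, loopback and LAN sources may only arrive on br0.
ipt iptables -A INPUT -s 169.254.0.0/16 ! -i br0 -j DROP
ipt iptables -A INPUT -s 127.0.0.0/8 ! -i br0 -j DROP
ipt iptables -A INPUT -s "$SPHLAN/24" ! -i br0 -j DROP
# Services the router itself offers to the LAN.
ipt iptables -A INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
ipt iptables -A INPUT -d "$SPHIP/32" -i br0 -p icmp -j ACCEPT
ipt iptables -A INPUT -d "$SPHIP/32" -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
ipt iptables -A INPUT -d "$SPHIP/32" -i br0 -p tcp -m tcp --dport 23 -j ACCEPT
ipt iptables -A INPUT -d "$SPHIP/32" -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
ipt iptables -A INPUT -d "$SPHIP/32" -i br0 -p udp -m udp --dport 53 -j ACCEPT
ipt iptables -A INPUT -d "$SPHIP/32" -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
ipt iptables -A INPUT -d "$SPHIP/32" -i br0 -p tcp -m tcp --dport 8080 -j ACCEPT
# SYN rate limit for the LAN side.  NOTE(review): this ACCEPT matches new TCP
# connections from br0 to *any* local port (up to the limit), so the
# port-specific rules above only matter once the limit is exceeded — confirm
# that is intended.
ipt iptables -A INPUT -i br0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10/sec --limit-burst 50 -j ACCEPT
ipt iptables -A INPUT -i br0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
ipt iptables -A INPUT ! -i br0 -j DROP

ipt iptables -A OUTPUT -d 127.0.0.1/32 -o ppp256 -j DROP
ipt iptables -A OUTPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT

ipt iptables -A FORWARD -d 172.10.10.1/32 -j ACCEPT
ipt iptables -A FORWARD -m mark --mark 0x80000000/0x80000000 -j ACCEPT
ipt iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ipt iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anti-spoofing on the forward path: LAN addresses only from br0, and only
# LAN addresses from br0.
ipt iptables -A FORWARD -s "$SPHLAN/24" ! -i br0 -j DROP
ipt iptables -A FORWARD ! -s "$SPHLAN/24" -i br0 -j DROP
ipt iptables -A FORWARD -i br0 -o rmnet0 -j DROP
# Do not leak traffic for private or link-local destinations to the upstream
# links.  These DROPs must come BEFORE the general LAN ACCEPT below: in the
# original order the ACCEPT preceded them, so they could never match (every
# br0 packet had already been accepted or dropped by the rules above).
ipt iptables -A FORWARD -d 192.168.0.0/16 -i br0 -o ppp256 -j DROP
ipt iptables -A FORWARD -d 172.16.0.0/12 -i br0 -o ppp256 -j DROP
ipt iptables -A FORWARD -d 10.0.0.0/8 -i br0 -o ppp256 -j DROP
ipt iptables -A FORWARD -d 192.168.0.0/16 -i br0 -o gre+ -j DROP
ipt iptables -A FORWARD -d 172.16.0.0/12 -i br0 -o gre+ -j DROP
ipt iptables -A FORWARD -d 10.0.0.0/8 -i br0 -o gre+ -j DROP
ipt iptables -A FORWARD -i nas+ -o ppp+ -j DROP
ipt iptables -A FORWARD -i ppp+ -o nas+ -j DROP
ipt iptables -A FORWARD -d 169.254.0.0/16 -i br0 -j DROP
ipt iptables -A FORWARD -s 169.254.0.0/16 ! -i br0 -j DROP
ipt iptables -A FORWARD -s 127.0.0.0/8 ! -i br0 -j DROP
# Everything else originating from the LAN may be forwarded.
ipt iptables -A FORWARD -s "$SPHLAN/24" -i br0 -j ACCEPT

#
# For those who need VPN (IKE / NAT-T) to the Fritzbox
#
# NOTE(review): the nat table below only DNATs udp/500 and udp/4500 arriving
# on gre+; the ppp256 ACCEPTs here have no matching DNAT in this file — confirm.
ipt iptables -A FORWARD -d "$FRITZBOXIP/32" -i gre+ -p udp -m udp --dport 500 -j ACCEPT
ipt iptables -A FORWARD -d "$FRITZBOXIP/32" -i gre+ -p udp -m udp --dport 4500 -j ACCEPT
ipt iptables -A FORWARD -d "$FRITZBOXIP/32" -i ppp256 -p udp -m udp --dport 500 -j ACCEPT
ipt iptables -A FORWARD -d "$FRITZBOXIP/32" -i ppp256 -p udp -m udp --dport 4500 -j ACCEPT

#
# For those who need HTTPS to the Fritzbox
#
#ipt iptables -A FORWARD -d "$FRITZBOXIP/32" -i gre+ -p tcp -m tcp --dport 443 -j ACCEPT
#ipt iptables -A FORWARD -d "$FRITZBOXIP/32" -i ppp256 -p tcp -m tcp --dport 443 -j ACCEPT

#
# For those who need SIP from outside to the Fritzbox - not yet fully tested
#
# NOTE(review): these reference a chain FWD_SERVICE that this script never
# creates; they would fail if uncommented as-is.
#ipt iptables -A FWD_SERVICE -d "$FRITZBOXIP/32" -i gre+ -p tcp -m tcp --dport 5060 -j ACCEPT
#ipt iptables -A FWD_SERVICE -d "$FRITZBOXIP/32" -i gre+ -p udp -m udp --dport 5060 -j ACCEPT
#ipt iptables -A FWD_SERVICE -d "$FRITZBOXIP/32" -i gre+ -p udp -m multiport --dport 7078:7109 -j ACCEPT

#
# For those who need SIPGATE to the Fritzbox
#
#ipt iptables -A FORWARD -s 217.10.64.0/20 -d "$FRITZBOXIP/32" -i gre+ -p udp -m multiport --dport 7078:7109 -j ACCEPT
#ipt iptables -A FORWARD -s 217.116.112.0/20 -d "$FRITZBOXIP/32" -i gre+ -p udp -m multiport --dport 7078:7109 -j ACCEPT
#ipt iptables -A FORWARD -s 212.9.32.0/19 -d "$FRITZBOXIP/32" -i gre+ -p udp -m multiport --dport 7078:7109 -j ACCEPT
#ipt iptables -A FORWARD -s 217.10.79.9/32 -d "$FRITZBOXIP/32" -i gre+ -p udp -m udp --dport 5060 -j ACCEPT
#ipt iptables -A FORWARD -s 217.10.68.147/32 -d "$FRITZBOXIP/32" -i gre+ -p udp -m udp --dport 5060 -j ACCEPT
#ipt iptables -A FORWARD -s 217.10.68.150/32 -d "$FRITZBOXIP/32" -i gre+ -p udp -m udp --dport 5060 -j ACCEPT
#ipt iptables -A FORWARD -s 217.10.64.0/20 -d "$FRITZBOXIP/32" -i ppp256 -p udp -m multiport --dport 7078:7109 -j ACCEPT
#ipt iptables -A FORWARD -s 217.116.112.0/20 -d "$FRITZBOXIP/32" -i ppp256 -p udp -m multiport --dport 7078:7109 -j ACCEPT
#ipt iptables -A FORWARD -s 212.9.32.0/19 -d "$FRITZBOXIP/32" -i ppp256 -p udp -m multiport --dport 7078:7109 -j ACCEPT
#ipt iptables -A FORWARD -s 217.10.79.9/32 -d "$FRITZBOXIP/32" -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT
#ipt iptables -A FORWARD -s 217.10.68.147/32 -d "$FRITZBOXIP/32" -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT
#ipt iptables -A FORWARD -s 217.10.68.150/32 -d "$FRITZBOXIP/32" -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT

#
# Telekom VoIP
#
# NOTE(review): the source networks here are the reverse of the mangle
# FWD_FILTER_LIST rules further down (5060 <-> 217.0.16.0/20 here, but
# 217.0.0.0/20 there; 7078:7109 the other way round).  One of the two
# places is probably wrong — left as written, confirm against the provider.
ipt iptables -A FORWARD -s 217.0.16.0/20 -d "$FRITZBOXIP/32" -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT
ipt iptables -A FORWARD -s 217.0.0.0/20 -d "$FRITZBOXIP/32" -i ppp256 -p udp -m multiport --dport 7078:7109 -j ACCEPT

#
# For those who want to forward everything to the Fritzbox
#
# Exposes every port of the Fritzbox to the upstream side; keep commented
# unless that is really wanted.
#ipt iptables -A FORWARD -d "$FRITZBOXIP/32" -i ppp256 -p udp -m multiport --dport 1:65535 -j ACCEPT
#ipt iptables -A FORWARD -d "$FRITZBOXIP/32" -i gre+ -p tcp -m multiport --dport 1:65535 -j ACCEPT

#
# Catch-all: anything not explicitly forwarded above is dropped.
#
ipt iptables -A FORWARD -j DROP

###########################################################################
# nat table
###########################################################################
# iptables -t nat --list-rules
ipt iptables -t nat --flush
ipt iptables -t nat --delete-chain
ipt iptables -t nat -P PREROUTING ACCEPT
ipt iptables -t nat -P INPUT ACCEPT
ipt iptables -t nat -P OUTPUT ACCEPT
ipt iptables -t nat -P POSTROUTING ACCEPT
# "--mode fullcone" is not a stock iptables MASQUERADE option — presumably a
# vendor extension of the firmware's iptables; confirm it is accepted.
ipt iptables -t nat -A POSTROUTING -o gre2 -j MASQUERADE --mode fullcone
ipt iptables -t nat -A POSTROUTING -o gre1 -j MASQUERADE --mode fullcone
ipt iptables -t nat -A POSTROUTING -o ppp256 -j MASQUERADE --mode fullcone
ipt iptables -t nat -A POSTROUTING -s "$SPHLAN/24" -o in_0 -j MASQUERADE --mode fullcone
ipt iptables -t nat -A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
ipt iptables -t nat -A POSTROUTING -o ppp256 -m mark --mark 0x40000000/0xf0000000 -j MASQUERADE
ipt iptables -t nat -A POSTROUTING -o ppp256 -m mark --mark 0x20000000/0xf0000000 -j MASQUERADE
ipt iptables -t nat -A POSTROUTING -o ppp256 -m mark --mark 0x10000000/0xf0000000 -j MASQUERADE

#
# For those who need VPN to the Fritzbox
#
ipt iptables -t nat -A PREROUTING -i gre+ -p udp --dport 500 -j DNAT --to-destination "$FRITZBOXIP"
ipt iptables -t nat -A PREROUTING -i gre+ -p udp --dport 4500 -j DNAT --to-destination "$FRITZBOXIP"

#
# For those who need HTTPS to the Fritzbox
#
#ipt iptables -t nat -A PREROUTING -i gre+ -p tcp --dport 443 -j DNAT --to-destination "$FRITZBOXIP"
#ipt iptables -t nat -A PREROUTING -i ppp256 -p tcp --dport 443 -j DNAT --to-destination "$FRITZBOXIP"

#
# SIP / RTP to the Fritzbox
#
# These DNATs carry no source restriction; what actually reaches the Fritzbox
# is bounded by the FORWARD chain (the Telekom ranges on ppp256 above).  On
# gre+ nothing passes unless the commented SIP/SIPGATE ACCEPTs are enabled.
ipt iptables -t nat -A PREROUTING -i gre+ -p udp --dport 5060 -j DNAT --to-destination "$FRITZBOXIP"
ipt iptables -t nat -A PREROUTING -i gre+ -p udp -m multiport --dport 7078:7109 -j DNAT --to-destination "$FRITZBOXIP"
ipt iptables -t nat -A PREROUTING -i ppp256 -p udp --dport 5060 -j DNAT --to-destination "$FRITZBOXIP"
ipt iptables -t nat -A PREROUTING -i ppp256 -p udp -m multiport --dport 7078:7109 -j DNAT --to-destination "$FRITZBOXIP"

#
# For those who want to forward everything to the Fritzbox
#
#ipt iptables -t nat -A PREROUTING -i gre+ -j DNAT --to-destination "$FRITZBOXIP"
#ipt iptables -t nat -A PREROUTING -i ppp256 -j DNAT --to-destination "$FRITZBOXIP"

###########################################################################
# mangle table
###########################################################################
# iptables -t mangle --list-rules
ipt iptables -t mangle --flush
ipt iptables -t mangle --delete-chain
ipt iptables -t mangle -P PREROUTING ACCEPT
ipt iptables -t mangle -P INPUT ACCEPT
ipt iptables -t mangle -P FORWARD ACCEPT
ipt iptables -t mangle -P OUTPUT ACCEPT
ipt iptables -t mangle -P POSTROUTING ACCEPT
ipt iptables -t mangle -N FWD_FILTER_LIST
ipt iptables -t mangle -N ROUTE_CTL_LIST
# MSS clamping on the way in: 1412 for ppp256, 1344 for the gre tunnels.
ipt iptables -t mangle -A PREROUTING -i ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412
ipt iptables -t mangle -A PREROUTING -i ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412
ipt iptables -t mangle -A PREROUTING -i br0 -j ROUTE_CTL_LIST
ipt iptables -t mangle -A PREROUTING -i gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
ipt iptables -t mangle -A PREROUTING -i gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
ipt iptables -t mangle -A PREROUTING -i gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
ipt iptables -t mangle -A PREROUTING -i gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
# Clear DSCP from the LAN and mark small pure-ACK segments (low nibble 0x6).
ipt iptables -t mangle -A FORWARD -i br0 -j DSCP --set-dscp 0x00
ipt iptables -t mangle -A FORWARD -i br0 -p tcp -m tcp --tcp-flags ACK ACK -m length --length 40:64 -j MARK --set-xmark 0x6/0xf
ipt iptables -t mangle -A OUTPUT -m mark --mark 0xe/0xf -j MARK --set-xmark 0x0/0xf
ipt iptables -t mangle -A OUTPUT -m mark --mark 0x9/0xf -j MARK --set-xmark 0x0/0xf
ipt iptables -t mangle -A OUTPUT -p udp -m udp --dport 53 -j MARK --set-xmark 0x6/0xf
ipt iptables -t mangle -A OUTPUT -m mark --mark 0x1000/0x1000 -j ROUTE_CTL_LIST
# MSS clamping on the way out, same values as PREROUTING.
ipt iptables -t mangle -A POSTROUTING -o ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412
ipt iptables -t mangle -A POSTROUTING -o ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412
ipt iptables -t mangle -A POSTROUTING -o gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
ipt iptables -t mangle -A POSTROUTING -o gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
ipt iptables -t mangle -A POSTROUTING -o gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
ipt iptables -t mangle -A POSTROUTING -o gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344
# FWD_FILTER_LIST sets the high mark nibble that the nat POSTROUTING rules
# key on (0x4/0x2/0x1 << 28).
ipt iptables -t mangle -A FWD_FILTER_LIST -m dscp --dscp 0x30 -j MARK --set-xmark 0x40000000/0xf0000000
ipt iptables -t mangle -A FWD_FILTER_LIST -m dscp --dscp 0x28 -j MARK --set-xmark 0x40000000/0xf0000000

#
# Telekom VoIP
#
# NOTE(review): networks are the reverse of the filter FORWARD "Telekom VoIP"
# rules above — see the note there.
ipt iptables -t mangle -A FWD_FILTER_LIST -d 217.0.0.0/20 -p udp -m udp --dport 5060 -j MARK --set-xmark 0x10000000/0xf0000000
ipt iptables -t mangle -A FWD_FILTER_LIST -d 217.0.0.0/20 -p udp -m udp --sport 5060 -j MARK --set-xmark 0x10000000/0xf0000000
ipt iptables -t mangle -A FWD_FILTER_LIST -d 217.0.16.0/20 -p udp -m multiport --dport 7078:7109 -j MARK --set-xmark 0x20000000/0xf0000000
ipt iptables -t mangle -A FWD_FILTER_LIST -d 217.0.16.0/20 -p udp -m multiport --sport 7078:7109 -j MARK --set-xmark 0x20000000/0xf0000000

#
# ROUTE_CTL_LIST: local destinations return unmarked, pre-marked traffic is
# accepted, everything else is classified by FWD_FILTER_LIST.
#
ipt iptables -t mangle -A ROUTE_CTL_LIST -d 172.10.10.0/24 -j RETURN
ipt iptables -t mangle -A ROUTE_CTL_LIST -d "$SPHLAN/24" -j RETURN
ipt iptables -t mangle -A ROUTE_CTL_LIST -m mark --mark 0x80000000/0x80000000 -j ACCEPT
ipt iptables -t mangle -A ROUTE_CTL_LIST -j FWD_FILTER_LIST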