2002'de Dortmund'da SuSE Security Sertifikası aldığım zamanlarda yazdığım script:
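#!/bin/bash
# Stateful iptables ruleset for a small router: LAN on eth0 (10.0.0.0/16),
# uplink on ppp0. Written in 2002 for the SuSE Security course in Dortmund.
#
# Forwarded traffic is limited to HTTP, DNS and FTP sessions initiated from
# the LAN; every other forwarded packet is logged (rate-limited) and then
# dropped by the FORWARD policy.
#
# Fail closed: forwarding is switched off first and switched back on only as
# the very last step, and `set -e` aborts the script as soon as a modprobe or
# iptables call fails -- a half-installed ruleset therefore never ends up
# with routing enabled.
#
# NOTE(review): only the FORWARD chain gets an explicit policy. `iptables -F`
# does not reset policies, so INPUT and OUTPUT keep whatever the kernel or a
# previous run left there (ACCEPT on a stock kernel), and their LOG rules are
# non-terminating. This script therefore firewalls forwarded traffic only; it
# does not protect the router host itself. If that is wanted, set INPUT/OUTPUT
# policies and add matching accept rules (at least lo and ESTABLISHED,RELATED).
#
# NOTE(review): there are no nat rules here. If 10.0.0.0/16 is a private range
# behind a single ppp0 address, masquerading has to be configured elsewhere
# or replies will not find their way back.
set -e

# Connection-tracking modules, required by the `-m state` matches below.
# The 2.4-era names are tried first; later 2.6 kernels and everything since
# call them nf_conntrack / nf_conntrack_ftp. Failing to load either aborts
# the script (see fail-closed note above).
modprobe ip_conntrack     2>/dev/null || modprobe nf_conntrack
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp

# Disable IP forwarding before touching the ruleset.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Flush every rule in the filter table and remove user-defined chains.
# (The nat and mangle tables are not touched by this script.)
iptables -F
iptables -X

###
# FORWARD chain
###
# Default policy: anything not explicitly allowed below is dropped.
iptables -P FORWARD DROP

# Refuse packets conntrack cannot classify. DROP is the more common choice
# for INVALID, since answering an untracked packet can be abused for
# reflection; REJECT is kept here to preserve the original behaviour.
iptables -A FORWARD -m state --state INVALID -j REJECT

# Client (LAN) -> server (Internet): new connections only from the LAN net.
# HTTP; the source port is additionally restricted to unprivileged ports.
iptables -A FORWARD -i eth0 -o ppp0 -s 10.0.0.0/16 -p tcp --sport 1024: --dport 80 \
  -m state --state NEW -j ACCEPT
# DNS over UDP only -- TCP/53 (used for large answers) is not permitted by
# this ruleset.
iptables -A FORWARD -i eth0 -o ppp0 -s 10.0.0.0/16 -p udp --dport 53 \
  -m state --state NEW -j ACCEPT
# FTP control channel; the data channel is admitted as RELATED through the
# conntrack FTP helper loaded above.
iptables -A FORWARD -i eth0 -o ppp0 -s 10.0.0.0/16 -p tcp --dport 21 \
  -m state --state NEW -j ACCEPT

# Allow every packet that belongs to an already accepted connection (both
# directions), plus helper-derived RELATED connections (FTP data).
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Rate-limited log of everything else before the DROP policy applies.
iptables -A FORWARD -m limit --limit 100/m -j LOG

###
# INPUT chain -- traffic addressed to the router itself.
# Policy intentionally left untouched; see NOTE(review) in the header.
###
iptables -A INPUT -m state --state INVALID -j REJECT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 100/m -j LOG

###
# OUTPUT chain -- traffic originating from the router itself. Same caveat.
###
iptables -A OUTPUT -m state --state INVALID -j REJECT
iptables -A OUTPUT -m state --state RELATED -j ACCEPT
iptables -A OUTPUT -m limit --limit 100/m -j LOG

# The complete ruleset is in place -- only now enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward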
Static router için de var, onu sonra ilave ederiz.
:vic