[bwm-tools-tech] Question to create the Firewall
From: <ral...@ra...> - 2005-04-14 10:41:45
Hi again from Germany. First, thank you very much, Nigel, for integrating the MASQUERADE function so fast! But I have a problem creating the firewall. At first I tried to create my own little firewall, but it doesn't work. So I took the old rules from the Suse 9.2 firewall (which works OK) and created the firewall.xml for the bwm_tool with them. I took all the same rules, only without the DMZ part.

Now I have the problem that I can't open any new websites. When I request a website that is cached in the Squid proxy, I see it. But with these sites I don't get any traffic through the traffic control, only through the INPUT and OUTPUT chains. When I open web interfaces over HTTPS from devices in my own network, it's OK: I see all the sites and the traffic goes through my IP and the bwm_tool. (I hope you understand what I want to say, because I know my English is not the best.)

OK, now here are my rules and the output file. I hope someone can help me create the right rules. I think something is wrong in the INPUT chains; I have tried a lot here, but nothing works right.
the firewall.xml:

<firewall>
  # Global configuration and access classes
  <global>
    <modules>
      <load name="ip_queue" />
      <load name="ip_conntrack_ftp" />
      <load name="ip_nat_ftp" />
    </modules>
    # Firewall All
    <class name="ftp_data"> <address proto="tcp" dst-port="20" /> <address proto="udp" dst-port="20" /> </class>
    <class name="ftp"> <address proto="tcp" dst-port="21" /> <address proto="udp" dst-port="21" /> </class>
    <class name="dns"> <address proto="tcp" dst-port="53" /> <address proto="udp" dst-port="53" /> </class>
    <class name="http"> <address proto="tcp" dst-port="80" /> <address proto="udp" dst-port="80" /> </class>
    <class name="ntp"> <address proto="tcp" dst-port="123" /> <address proto="udp" dst-port="123" /> </class>
    <class name="https"> <address proto="tcp" dst-port="443" /> <address proto="udp" dst-port="443" /> </class>
    <class name="openvpn"> <address proto="tcp" dst-port="1194" /> <address proto="udp" dst-port="1194" /> </class>
    <class name="pptp"> <address proto="tcp" dst-port="1723" /> <address proto="udp" dst-port="1723" /> </class>
    <class name="Radius">
      <address proto="tcp" dst-port="1812" />
      <address proto="tcp" dst-port="1813" />
      <address proto="tcp" dst-port="1814" />
      <address proto="udp" dst-port="1812" />
      <address proto="udp" dst-port="1813" />
      <address proto="udp" dst-port="1814" />
    </class>
    <class name="http_proxy"> <address proto="tcp" dst-port="3128" /> </class>
    # For Mangle
    <class name="mangle_sport20"> <address proto="tcp -m tcp" src-port="20" /> </class>
    <class name="mangle_dport20"> <address proto="tcp -m tcp" dst-port="20" /> </class>
    <class name="mangle_tcp_sport53"> <address proto="tcp -m tcp" src-port="53" /> </class>
    <class name="mangle_tcp_dport53"> <address proto="tcp -m tcp" dst-port="53" /> </class>
    <class name="mangle_udp_sport53"> <address proto="udp -m udp" src-port="53" /> </class>
    <class name="mangle_udp_dport53"> <address proto="udp -m udp" dst-port="53" /> </class>
    <class name="mangle_sport80"> <address proto="tcp -m tcp" src-port="80" /> </class>
    <class name="mangle_dport80"> <address proto="tcp -m tcp" dst-port="80" /> </class>
    # For Filter
    <class name="lo"> <address src-iface="lo" /> </class>
    <class name="tcp_related"> <address proto="tcp -m state" cmd-line="--state RELATED,ESTABLISHED" /> </class>
    <class name="udp_related"> <address proto="udp -m state" cmd-line="--state RELATED,ESTABLISHED" /> </class>
    <class name="dir_in"> <address cmd-line="-m policy --dir in --pol ipsec --proto esp" /> </class>
    <class name="eth0"> <address src-iface="eth0" /> </class>
    <class name="eth1"> <address src-iface="eth1" /> </class>
    <class name="input_drop"> <address /> </class>
    <class name="tcp_flags"> <address proto="tcp -m tcp" cmd-line="--tcp-flags SYN,RST SYN" /> </class>
    <class name="forward_drop"> <address /> </class>
    <class name="loo"> <address cmd-line="-o lo" /> </class>
    <class name="output_related"> <address cmd-line="-m state --state NEW,RELATED,ESTABLISHED" /> </class>
    <class name="icmp1"> <address proto="icmp -m icmp" cmd-line="--icmp-type 11" /> </class>
    <class name="icmp2"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3/3" /> </class>
    <class name="icmp3"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3/4" /> </class>
    <class name="icmp4"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3/9" /> </class>
    <class name="icmp5"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3/10" /> </class>
    <class name="icmp6"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3/13" /> </class>
    <class name="icmp_drop"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3" /> </class>
    <class name="for_ext_state"> <address cmd-line="-m state --state INVALID" /> </class>
    <class name="for_ext_related"> <address proto="icmp -m state" cmd-line="--state RELATED -m icmp --icmp-type 3" /> </class>
    <class name="for_ext_related2"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 0" /> </class>
    <class name="for_ext_related3"> <address cmd-line="-o eth0 -m state --state NEW,RELATED,ESTABLISHED" /> </class>
    <class name="for_ext_related4"> <address cmd-line="-i eth0 -m state --state RELATED,ESTABLISHED" /> </class>
    <class name="for_int_state"> <address cmd-line="-m state --state INVALID" /> </class>
    <class name="in_ext_broadcast"> <address cmd-line="-m pkttype --pkt-type broadcast" /> </class>
    <class name="in_ext_icmp4"> <address proto="icmp -m icmp" cmd-line="--icmp-type 4" /> </class>
    <class name="in_ext_icmp8"> <address proto="icmp -m icmp" cmd-line="--icmp-type 8" /> </class>
    <class name="in_ext_icmp_related"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 0" /> </class>
    <class name="in_ext_icmp_related3"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 3" /> </class>
    <class name="in_ext_icmp_related11"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 11" /> </class>
    <class name="in_ext_icmp_related12"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 12" /> </class>
    <class name="in_ext_icmp_related14"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 14" /> </class>
    <class name="in_ext_icmp_related18"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 18" /> </class>
    <class name="in_ext_dp53"> <address proto="tcp -m tcp" cmd-line="--dport 53" /> </class>
    <class name="in_ext_u_dp53"> <address proto="udp -m udp" cmd-line="--dport 53" /> </class>
    <class name="in_ext_dp80"> <address proto="tcp -m tcp" cmd-line="--dport 80" /> </class>
    <class name="in_ext_u_dp80"> <address proto="udp -m udp" cmd-line="--dport 80" /> </class>
    <class name="in_ext_dp123"> <address proto="tcp -m tcp" cmd-line="--dport 123" /> </class>
    <class name="in_ext_u_dp123"> <address proto="udp -m udp" cmd-line="--dport 123" /> </class>
    <class name="in_ext_dp443"> <address proto="tcp -m tcp" cmd-line="--dport 443" /> </class>
    <class name="in_ext_u_dp443"> <address proto="udp -m udp" cmd-line="--dport 443" /> </class>
    <class name="in_ext_dp1194"> <address proto="tcp -m tcp" cmd-line="--dport 1194" /> </class>
    <class name="in_ext_dp1723"> <address proto="tcp -m tcp" cmd-line="--dport 1723" /> </class>
    <class name="in_ext_dp1812"> <address proto="tcp -m tcp" cmd-line="--dport 1812" /> </class>
    <class name="in_ext_u_dp1812"> <address proto="udp -m udp" cmd-line="--dport 1812" /> </class>
    <class name="in_ext_dp1813"> <address proto="tcp -m tcp" cmd-line="--dport 1813" /> </class>
    <class name="in_ext_u_dp1813"> <address proto="udp -m udp" cmd-line="--dport 1813" /> </class>
    <class name="in_ext_dp1814"> <address proto="tcp -m tcp" cmd-line="--dport 1814" /> </class>
    <class name="in_ext_u_dp1814"> <address proto="udp -m udp" cmd-line="--dport 1814" /> </class>
    <class name="in_ext_dprest"> <address proto="tcp -m tcp" cmd-line="--dport 1024:65535" /> </class>
    <class name="in_ext_dp113"> <address proto="tcp -m tcp" cmd-line="--dport 113 -m state --state NEW" /> </class>
    <class name="in_ext_u_dprest"> <address proto="udp -m state" cmd-line="--state NEW -m udp --dport 1024:65535" /> </class>
    <class name="in_int_acc"> <address /> </class>
    <class name="in_int_esp"> <address proto="esp" /> </class>
    <class name="reject"> <address /> </class>
    <class name="reject_tcp"> <address proto="tcp" /> </class>
    <class name="reject_udp"> <address proto="udp" /> </class>
    # For Nat
    <class name="proxy_redirect"> <address cmd-line="-s 192.168.125.0/255.255.255.0 -p tcp -m tcp --dport 80" /> </class>
    <class name="internal_traffic"> <address dst-iface="eth0" /> </class>
    # For Traffic
    <class name="out_other">
      <address name="out_other_tcp" src-iface="eth1" proto="tcp" />
      <address name="out_other_udp" src-iface="eth1" proto="udp" />
    </class>
    <class name="out_RaBuLap">
      <address name="out_RaBuLap_tcp" src-iface="eth1" proto="tcp" src="192.168.125.5" dst="! 192.168.125.0/24" />
      <address name="out_RaBuLap_udp" src-iface="eth1" proto="udp" src="192.168.125.5" dst="! 192.168.125.0/24" />
    </class>
    <class name="out_karsten">
      <address name="out_karsten_tcp" src-iface="eth1" proto="tcp" src="192.168.125.102" dst="! 192.168.125.0/24" />
      <address name="out_karsten_udp" src-iface="eth1" proto="udp" src="192.168.125.102" dst="! 192.168.125.0/24" />
    </class>
    <class name="out_test">
      <address name="out_test_tcp" src-iface="eth1" proto="tcp" src="192.168.125.110" dst="! 192.168.125.0/24" />
      <address name="out_test_udp" src-iface="eth1" proto="udp" src="192.168.125.110" dst="! 192.168.125.0/24" />
    </class>
    <class name="in_other">
      <address name="in_other_tcp" src-iface="eth1" proto="tcp" />
      <address name="in_other_udp" src-iface="eth1" proto="udp" />
    </class>
    <class name="in_RaBuLap">
      <address name="in_RaBuLap_tcp" src-iface="eth1" proto="tcp" src="192.168.125.5" dst="! 192.168.125.0/24" />
      <address name="in_RaBuLap_udp" src-iface="eth1" proto="udp" src="192.168.125.5" dst="! 192.168.125.0/24" />
    </class>
    <class name="in_karsten">
      <address name="in_karsten_tcp" src-iface="eth1" proto="tcp" src="192.168.125.102" dst="! 192.168.125.0/24" />
      <address name="in_karsten_udp" src-iface="eth1" proto="udp" src="192.168.125.102" dst="! 192.168.125.0/24" />
    </class>
    <class name="in_test">
      <address name="in_test_tcp" src-iface="eth1" proto="tcp" src="192.168.125.110" dst="! 192.168.125.0/24" />
      <address name="in_test_udp" src-iface="eth1" proto="udp" src="192.168.125.110" dst="! 192.168.125.0/24" />
    </class>
  </global>
  # ACL
  <acl>
    <table name="mangle">
      <chain name="PREROUTING" default="ACCEPT">
        <rule name="allow_traffic" target="TOS --set-tos 0x08">mangle_sport20 mangle_dport20</rule>
        <rule name="allow_traffic" target="TOS --set-tos 0x08">mangle_sport80 mangle_dport80</rule>
        <rule name="allow_traffic" target="TOS --set-tos 0x10">mangle_tcp_sport53 mangle_tcp_dport53 mangle_udp_sport53 mangle_udp_dport53</rule>
      </chain>
      <chain name="POSTROUTING" default="ACCEPT" />
      <chain name="OUTPUT" default="ACCEPT">
        <rule name="allow_traffic" target="TOS --set-tos 0x08">mangle_sport20 mangle_dport20</rule>
        <rule name="allow_traffic" target="TOS --set-tos 0x08">mangle_sport80 mangle_dport80</rule>
        <rule name="allow_traffic" target="TOS --set-tos 0x10">mangle_tcp_sport53 mangle_tcp_dport53 mangle_udp_sport53 mangle_udp_dport53</rule>
      </chain>
    </table>
    <table name="filter">
      # Custom Rules
      <chain name="PREROUTING" />
      <chain name="POSTROUTING" />
      <chain name="INPUT" default="DROP">
        <rule name="allowed_traffic" target="ACCEPT">ftp_data ftp dns http ntp https openvpn Radius pptp http_proxy</rule>
        <rule name="allow_traffic" target="ACCEPT">lo tcp_related udp_related</rule>
        <rule name="allow_traffic" target="input_int">dir_in eth1</rule>
        <rule name="allow_traffic" target="input_ext">eth0</rule>
        <rule target="DROP">input_drop</rule>
      </chain>
      <chain name="FORWARD" default="DROP">
        <rule name="allow_traffic" target="TCPMSS --clamp-mss-to-pmtu">tcp_flags</rule>
        <rule name="allow_traffic" target="forward_int">dir_in eth1</rule>
        <rule name="allow_traffic" target="forward_ext">eth0</rule>
        <rule target="DROP">forward_drop</rule>
      </chain>
      <chain name="OUTPUT" default="DROP">
        <rule name="allow_traffic" target="ACCEPT">loo output_related icmp1 icmp2 icmp3 icmp4 icmp5 icmp6</rule>
        <rule target="DROP">icmp_drop</rule>
      </chain>
      # System Forward Rules
      <chain name="forward_ext">
        <rule name="allow_traffic" target="ACCEPT">for_ext_related for_ext_related2 for_ext_related3 for_ext_related4</rule>
        <rule target="DROP">for_ext_state forward_drop</rule>
      </chain>
      <chain name="forward_int">
        <rule name="allow_traffic" target="ACCEPT">for_ext_related for_ext_related2 for_ext_related3 for_ext_related4</rule>
        <rule target="DROP">for_int_state forward_drop</rule>
      </chain>
      # System Input Rules
      <chain name="input_ext">
        <rule name="allow_traffic" target="ACCEPT">in_ext_icmp4 in_ext_icmp8 in_ext_icmp_related in_ext_icmp_related3 in_ext_icmp_related11 in_ext_icmp_related12 in_ext_icmp_related14 in_ext_icmp_related18 in_ext_dp53 in_ext_dp80 in_ext_dp123 in_ext_dp443 in_ext_dp1194 in_ext_dp1723 in_ext_dp1812 in_ext_dp1813 in_ext_dp1814 in_ext_dprest in_ext_u_dp53 in_ext_u_dp80 in_ext_u_dp123 in_ext_u_dp443 in_ext_u_dp1812 in_ext_u_dp1813 in_ext_u_dp1814 in_ext_u_dprest</rule>
        <rule target="DROP">in_ext_broadcast for_int_state forward_drop</rule>
        <rule target="reject_func">in_ext_dp113</rule>
      </chain>
      <chain name="input_int">
        <rule target="ACCEPT">in_int_acc in_ext_icmp4 in_ext_icmp8 in_ext_icmp_related in_ext_icmp_related3 in_ext_icmp_related11 in_ext_icmp_related12 in_ext_icmp_related14 in_ext_icmp_related18 in_int_esp in_ext_dp53 in_ext_dp80 in_ext_dp123 in_ext_dp443 in_ext_dp1194 in_ext_dp1723 in_ext_dp1812 in_ext_dp1813 in_ext_dp1814 in_ext_dprest in_ext_u_dp53 in_ext_u_dp80 in_ext_u_dp123 in_ext_u_dp443 in_ext_u_dp1812 in_ext_u_dp1813 in_ext_u_dp1814 in_ext_u_dprest</rule>
        <rule target="DROP">for_int_state forward_drop</rule>
      </chain>
      # System Reject Rules
      <chain name="reject_func">
        <rule target="REJECT --reject-with tcp-reset">reject_tcp</rule>
        <rule target="REJECT --reject-with icmp-port-unreachable">reject_udp</rule>
        <rule target="REJECT --reject-with icmp-proto-unreachable">reject</rule>
      </chain>
    </table>
    # NAT
    <table name="nat">
      <chain name="PREROUTING">
        <rule target="REDIRECT --to-ports 3128">proxy_redirect</rule>
      </chain>
      <chain name="POSTROUTING">
        <rule target="MASQUERADE">internal_traffic</rule>
      </chain>
    </table>
  </acl>
  # NAT
  # Traffic flows
  <traffic>
    # Rate can be specified in either IN, OUT or TOTAL (rate-total)
    # If rate-total == 0, no rate limits
    <flow name="out_dsl" stats-len="5" queue-size="524288" queue-len="4000" max-rate="358225" burst-rate="384000" report-timeout="60">
      <flow name="out_other" max-rate="14400" burst-rate="16000" queue-size="8192" stats-len="5" report-timeout="60">
        <queue prio="90" nfmark="1300">out_other;</queue>
      </flow>
      <flow name="out_RaBuLap" max-rate="230400" burst-rate="256000" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="10" nfmark="1251">out_RaBuLap;</queue>
      </flow>
      <flow name="out_karsten" max-rate="115200" burst-rate="128000" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="30" nfmark="1252">out_karsten;</queue>
      </flow>
      <flow name="out_test" max-rate="57600" burst-rate="64000" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="50" nfmark="1253">out_test;</queue>
      </flow>
    </flow>
    <flow name="in_dsl" stats-len="5" queue-size="262144" queue-len="3000" max-rate="58982" burst-rate="65536" report-timeout="60">
      <flow name="in_other" max-rate="922" burst-rate="1024" queue-size="8192" stats-len="5" report-timeout="60">
        <queue prio="90" nfmark="2300">out_other;</queue>
      </flow>
      <flow name="in_RaBuLap" max-rate="29491" burst-rate="32768" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="10" nfmark="2251">out_RaBuLap;</queue>
      </flow>
      <flow name="in_karsten" max-rate="14746" burst-rate="16384" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="30" nfmark="2252">out_karsten;</queue>
      </flow>
      <flow name="in_test" max-rate="7373" burst-rate="8192" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="50" nfmark="2253">out_test;</queue>
      </flow>
    </flow>
  </traffic>
</firewall>

and here is the output file from this firewall.xml:

# Generated using BWM Firewall v0.2.0: Thu Apr 14 08:48:06 2005
*mangle
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:PREROUTING ACCEPT
-A OUTPUT --protocol tcp -m tcp --source-port 20 -j TOS --set-tos 0x08
-A OUTPUT --protocol tcp -m tcp --destination-port 20 -j TOS --set-tos 0x08
-A OUTPUT --protocol tcp -m tcp --source-port 80 -j TOS --set-tos 0x08
-A OUTPUT --protocol tcp -m tcp --destination-port 80 -j TOS --set-tos 0x08
-A OUTPUT --protocol tcp -m tcp --source-port 53 -j TOS --set-tos 0x10
-A OUTPUT --protocol tcp -m tcp --destination-port 53 -j TOS --set-tos 0x10
-A OUTPUT --protocol udp -m udp --source-port 53 -j TOS --set-tos 0x10
-A OUTPUT --protocol udp -m udp --destination-port 53 -j TOS --set-tos 0x10
-A FORWARD --protocol tcp --in-interface eth1 -j MARK --set-mark 1300
-A FORWARD --protocol udp --in-interface eth1 -j MARK --set-mark 1300
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.5 --protocol tcp --in-interface eth1 -j MARK --set-mark 1251
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.5 --protocol udp --in-interface eth1 -j MARK --set-mark 1251
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.102 --protocol tcp --in-interface eth1 -j MARK --set-mark 1252
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.102 --protocol udp --in-interface eth1 -j MARK --set-mark 1252
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.110 --protocol tcp --in-interface eth1 -j MARK --set-mark 1253
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.110 --protocol udp --in-interface eth1 -j MARK --set-mark 1253
-A FORWARD --protocol tcp --in-interface eth1 -j MARK --set-mark 2300
-A FORWARD --protocol udp --in-interface eth1 -j MARK --set-mark 2300
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.5 --protocol tcp --in-interface eth1 -j MARK --set-mark 2251
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.5 --protocol udp --in-interface eth1 -j MARK --set-mark 2251
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.102 --protocol tcp --in-interface eth1 -j MARK --set-mark 2252
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.102 --protocol udp --in-interface eth1 -j MARK --set-mark 2252
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.110 --protocol tcp --in-interface eth1 -j MARK --set-mark 2253
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.110 --protocol udp --in-interface eth1 -j MARK --set-mark 2253
-A PREROUTING --protocol tcp -m tcp --source-port 20 -j TOS --set-tos 0x08
-A PREROUTING --protocol tcp -m tcp --destination-port 20 -j TOS --set-tos 0x08
-A PREROUTING --protocol tcp -m tcp --source-port 80 -j TOS --set-tos 0x08
-A PREROUTING --protocol tcp -m tcp --destination-port 80 -j TOS --set-tos 0x08
-A PREROUTING --protocol tcp -m tcp --source-port 53 -j TOS --set-tos 0x10
-A PREROUTING --protocol tcp -m tcp --destination-port 53 -j TOS --set-tos 0x10
-A PREROUTING --protocol udp -m udp --source-port 53 -j TOS --set-tos 0x10
-A PREROUTING --protocol udp -m udp --destination-port 53 -j TOS --set-tos 0x10
COMMIT
*filter
:OUTPUT DROP
:input_ext -
:forward_ext -
:bwmd -
:input_int -
:POSTROUTING -
:forward_int -
:reject_func -
:INPUT DROP
:FORWARD DROP
:PREROUTING -
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3/3 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3/9 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3/10 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3/13 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3 -j DROP
-A input_ext --protocol icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext --protocol icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 53 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 80 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 123 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 443 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1194 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1723 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1812 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1813 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1814 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1024:65535 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 53 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 80 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 123 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 443 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 1812 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 1813 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 1814 -j ACCEPT
-A input_ext --protocol udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m state --state INVALID -j DROP
-A input_ext -j DROP
-A input_ext --protocol tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A forward_ext --protocol icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -m state --state INVALID -j DROP
-A forward_ext -j DROP
-A bwmd -m mark ! --mark 0 -j QUEUE
-A input_int -j bwmd
-A input_int --protocol icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_int --protocol icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_int --protocol esp -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 53 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 80 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 123 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 443 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1194 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1723 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1812 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1813 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1814 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1024:65535 -j ACCEPT
-A input_int --protocol udp -m udp --dport 53 -j ACCEPT
-A input_int --protocol udp -m udp --dport 80 -j ACCEPT
-A input_int --protocol udp -m udp --dport 123 -j ACCEPT
-A input_int --protocol udp -m udp --dport 443 -j ACCEPT
-A input_int --protocol udp -m udp --dport 1812 -j ACCEPT
-A input_int --protocol udp -m udp --dport 1813 -j ACCEPT
-A input_int --protocol udp -m udp --dport 1814 -j ACCEPT
-A input_int --protocol udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
-A input_int -m state --state INVALID -j DROP
-A input_int -j DROP
-A forward_int --protocol icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m state --state INVALID -j DROP
-A forward_int -j DROP
-A reject_func --protocol tcp -j REJECT --reject-with tcp-reset
-A reject_func --protocol udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
-A INPUT --protocol tcp --destination-port 20 -j ACCEPT
-A INPUT --protocol udp --destination-port 20 -j ACCEPT
-A INPUT --protocol tcp --destination-port 21 -j ACCEPT
-A INPUT --protocol udp --destination-port 21 -j ACCEPT
-A INPUT --protocol tcp --destination-port 53 -j ACCEPT
-A INPUT --protocol udp --destination-port 53 -j ACCEPT
-A INPUT --protocol tcp --destination-port 80 -j ACCEPT
-A INPUT --protocol udp --destination-port 80 -j ACCEPT
-A INPUT --protocol tcp --destination-port 123 -j ACCEPT
-A INPUT --protocol udp --destination-port 123 -j ACCEPT
-A INPUT --protocol tcp --destination-port 443 -j ACCEPT
-A INPUT --protocol udp --destination-port 443 -j ACCEPT
-A INPUT --protocol tcp --destination-port 1194 -j ACCEPT
-A INPUT --protocol udp --destination-port 1194 -j ACCEPT
-A INPUT --protocol tcp --destination-port 1812 -j ACCEPT
-A INPUT --protocol tcp --destination-port 1813 -j ACCEPT
-A INPUT --protocol tcp --destination-port 1814 -j ACCEPT
-A INPUT --protocol udp --destination-port 1812 -j ACCEPT
-A INPUT --protocol udp --destination-port 1813 -j ACCEPT
-A INPUT --protocol udp --destination-port 1814 -j ACCEPT
-A INPUT --protocol tcp --destination-port 1723 -j ACCEPT
-A INPUT --protocol udp --destination-port 1723 -j ACCEPT
-A INPUT --protocol tcp --destination-port 3128 -j ACCEPT
-A INPUT --in-interface lo -j bwmd
-A INPUT --protocol tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT --protocol udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --proto esp -j input_int
-A INPUT --in-interface eth1 -j input_int
-A INPUT --in-interface eth0 -j input_ext
-A INPUT -j DROP
-A FORWARD --protocol tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j forward_int
-A FORWARD --in-interface eth1 -j forward_int
-A FORWARD --in-interface eth0 -j forward_ext
-A FORWARD -j DROP
COMMIT
*nat
:POSTROUTING -
:PREROUTING -
-A POSTROUTING --out-interface eth0 -j MASQUERADE
-A PREROUTING -s 192.168.125.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT

Sorry for this long mail! One last question: once my firewall.xml works, I want to write a script to autostart bwmd when I must reboot the PC. When I then start the bwm_tool with the script, will the iptables rules from the firewall.xml be loaded automatically?

Best Regards
Ralph Buchmann
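In the generated ruleset above, the only chain that hands packets to QUEUE is bwmd, and it is entered from INPUT and input_int, while the MARK rules sit in mangle FORWARD. The script below is an added example (not part of the original post and not bwm_tools' own code): it parses an iptables-save dump, resolves the jump graph per table, and reports which built-in hooks set a mark but can never reach a QUEUE chain in the filter table. The SAMPLE dump is constructed to mirror the structure of the post's output.

```python
"""Audit an iptables-save dump for traffic-shaping reachability (added example)."""
import re
from collections import defaultdict

BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

# Constructed sample mirroring the structure of the ruleset in the post:
# marks are set in mangle FORWARD, but in the filter table only INPUT
# (via input_int) reaches the bwmd chain that jumps to QUEUE.
SAMPLE = """\
*mangle
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A FORWARD --protocol tcp --in-interface eth1 -j MARK --set-mark 1300
-A OUTPUT --protocol tcp -m tcp --source-port 80 -j TOS --set-tos 0x08
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:bwmd -
:input_int -
:forward_int -
-A bwmd -m mark ! --mark 0 -j QUEUE
-A input_int -j bwmd
-A INPUT --in-interface eth1 -j input_int
-A FORWARD --in-interface eth1 -j forward_int
-A forward_int -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# "-A <chain> <matches> -j <target> [target options]"
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)(.*)$")


def parse(text):
    """Return {table: {chain: [jump target, ...]}} from iptables-save text."""
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":") and table:
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A") and table:
            m = RULE_RE.match(line)
            if m:
                chain, _matches, target, _opts = m.groups()
                tables[table][chain].append(target)
    return tables


def reaches(chains, start, wanted):
    """True if chain `start` can jump, transitively, into chain `wanted`."""
    seen, stack = set(), [start]
    while stack:
        chain = stack.pop()
        if chain == wanted:
            return True
        if chain in seen:
            continue
        seen.add(chain)
        # Only user-defined chains are traversable; ACCEPT/DROP/QUEUE end the path.
        stack.extend(t for t in chains.get(chain, []) if t in chains)
    return False


def audit(text):
    """Compare where marks are set with where marked packets can be queued."""
    tables = parse(text)
    marking = {c for c, targets in tables.get("mangle", {}).items()
               if c in BUILTIN and "MARK" in targets}
    filt = tables.get("filter", {})
    queue_chains = {c for c, targets in filt.items() if "QUEUE" in targets}
    shaped = {c for c in BUILTIN
              if any(reaches(filt, c, q) for q in queue_chains)}
    return {"marks": marking, "shaped": shaped,
            "marked_but_unshaped": marking - shaped}


if __name__ == "__main__":
    result = audit(SAMPLE)
    print("hooks setting MARK (mangle):  ", sorted(result["marks"]))
    print("hooks reaching QUEUE (filter):", sorted(result["shaped"]))
    print("marked but never shaped:      ", sorted(result["marked_but_unshaped"]))
```

Run it against the output of `iptables-save` on the box to see whether forwarded (eth1 to eth0) traffic has any path into the QUEUE chain at all.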