iptables emailabruf durchleiten

10/06/2009 - 19:39 von Karl-Heinz Huber | Report spam
Hallo zusammen,

folgendes szenario
intranet - server -- internet -- emailhoster
der server hat logischerwweise 2 netzkarten
auf ihm làuft noch ein samba und squid
ich weiss dass das aus Sicht der Sicherheit keine optimale lösung ist,
trotzdem muss es erstmal so bleiben.
Ich hab jetzt die iptables zusammengebaut, es funktioniert soweit alles bis
auf eben der mailabruf per IMAP

was mach ich falsch ?
nachfolgend das script und die ausgabe der iptables


#!/bin/sh
#############################################################################################################
# firewall_start.sh
# script zum start der Firewall
#
#
############################################################################################################
# Variablendefinition
IPTABLES=/usr/local/sbin/iptables
IFCONFIG=/sbin/ifconfig
INT_IF="eth1"
EXT_IF="eth0"
INT_IP="192.168.2.100"
EXT_IP=$($IFCONFIG eth0| grep "inet addr:" | cut -f1 -d "B" | cut -f2 -d
":")


# erstmal Werte zurücksetzen
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

#eigene chains
$IPTABLES -N ext-in
$IPTABLES -N ext-out
$IPTABLES -N int-fw
$IPTABLES -N ext-fw

# eingang dichtmachen

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Forwarding/Routing
echo "Aktiviere IP-Routing"
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

# zugriff firewall
$IPTABLES -A ext-in -p tcp --dport 1024:65535 --sport 25 ! --syn -j ACCEPT
$IPTABLES -A ext-out -p tcp --sport 1024:65535 --dport 25 -j ACCEPT
#forwarding

$IPTABLES -A int-fw -p tcp --sport 1024:65535 --dport 25 -j ACCEPT
$IPTABLES -A ext-fw -p tcp --dport 1024:65535 --sport 25 ! --syn -j ACCEPT

# zugriff firewall
$IPTABLES -A ext-in -p tcp --dport 1024:65535 --sport 143 ! --syn -j ACCEPT
$IPTABLES -A ext-out -p tcp --sport 1024:65535 --dport 143 -j ACCEPT
#forwarding

$IPTABLES -A int-fw -p tcp --sport 1024:65535 --dport 143 -j ACCEPT
$IPTABLES -A ext-fw -p tcp --dport 1024:65535 --sport 143 ! --syn -j
ACCEPT

# port 80 und weiterleitung an den Proxy SQUID
$IPTABLES -A INPUT -p tcp -i $INT_IF --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p udp -i $INT_IF --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $INT_IF --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p udp -i $INT_IF --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 1024:65535 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j DNAT --to
$INT_IP:3128
$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j
REDIRECT --to-port 3128
#port 25
$IPTABLES -A INPUT -p tcp -i $INT_IF --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p udp -i $INT_IF --dport 25 -j ACCEPT
# lokale pakete erlauben

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# ping erlauben
# von aussen
$IPTABLES -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $EXT_IP -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 0 -s $EXT_IP -d 0/0 -m state --state
ESTABLISHED,RELATED -j ACCEPT
# von innen
$IPTABLES -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $INT_IP -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 0 -s $INT_IP -d 0/0 -m state --state
ESTABLISHED,RELATED -j ACCEPT




#ssh von aussen erlauben
$IPTABLES -A INPUT -p tcp -i $EXT_IF --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $EXT_IF --sport 22 -j ACCEPT

#ssh von innen erlauben
$IPTABLES -A INPUT -p tcp -i $INT_IF --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $INT_IF --sport 22 -j ACCEPT

# SAMBA freigeben nur von innen

$IPTABLES -A INPUT -p udp -m udp --sport 137 --dport 137 -m state --state
NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --sport 1000:65535 --dport 137 -m
state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --sport 138 --dport 138 -m state --state
NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --sport 1000:65535 --dport 138 -m
state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --sport 1000:65535 --dport 139 -m
state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --sport 1000:65535 --dport 445 -m
state --state NEW,ESTABLISHED -j ACCEPT

$IPTABLES -A OUTPUT -p udp -m udp --sport 137 --dport 137 -m state --state
NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m udp --sport 137 --dport 1000:65535 -m
state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m udp --sport 138 --dport 138 -m state --state
ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m udp --sport 138 --dport 1000:65535 -m
state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 139 --dport 1000:65535 -m
state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 445 --dport 1000:65535 -m
state --state ESTABLISHED -j ACCEPT


echo "Firewall gestartet"


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:3128
ACCEPT udp -- anywhere anywhere udp dpt:3128
ACCEPT udp -- anywhere anywhere udp
dpts:1024:65535
ACCEPT tcp -- anywhere anywhere tcp
dpts:1024:65535
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT udp -- anywhere anywhere udp dpt:25
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere 192.168.1.107 icmp
echo-request state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere 192.168.2.100 icmp
echo-request state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp
spt:netbios-ns dpt:netbios-ns state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp
spts:1000:65535 dpt:netbios-ns state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp
spt:netbios-dgm dpt:netbios-dgm state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp
spts:1000:65535 dpt:netbios-dgm state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
spts:1000:65535 dpt:netbios-ssn state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
spts:1000:65535 dpt:microsoft-ds state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- 192.168.1.107 anywhere icmp echo-reply
state RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.2.100 anywhere icmp echo-reply
state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT udp -- anywhere anywhere udp
spt:netbios-ns dpt:netbios-ns state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp
spt:netbios-ns dpts:1000:65535 state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp
spt:netbios-dgm dpt:netbios-dgm state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp
spt:netbios-dgm dpts:1000:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
spt:netbios-ssn dpts:1000:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
spt:microsoft-ds dpts:1000:65535 state ESTABLISHED

Chain ext-fw (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp spt:imap2
dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN

Chain ext-in (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp spt:imap2
dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN

Chain ext-out (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp
spts:1024:65535 dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp
spts:1024:65535 dpt:imap2

Chain int-fw (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp
spts:1024:65535 dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp
spts:1024:65535 dpt:imap2
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www
to:192.168.2.100:3128
REDIRECT tcp -- anywhere anywhere tcp dpt:www
redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


danke gruss Kh
 

Lesen sie die antworten

#1 Enrico Labedzki
10/06/2009 - 20:00 | Warnen spam
Karl-Heinz Huber schrieb:

ACCEPT udp -- anywhere anywhere udp dpt:www



Warum ???

Mfg Enrico

Ähnliche fragen