

  1. # Generated by iptables-save v1.8.7 on Mon Oct 2 20:48:26 2023
  2. *filter
  3. :INPUT DROP [0:0]
  4. :FORWARD DROP [0:0]
  5. :OUTPUT DROP [0:0]
  6. -A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "accept incomming pings" -j ACCEPT
  7. -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "accept incomming dhcp" -j ACCEPT
  8. -A INPUT -p udp -m udp --dport 53 -m comment --comment "accept incomming dns" -j ACCEPT
  9. -A INPUT -p tcp -m tcp --dport 53 -m comment --comment "accept incomming dns" -j ACCEPT
  10. -A INPUT -p udp -m udp --dport 123 -m comment --comment "accept incomming ntp" -j ACCEPT
  11. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "accept all incomming established and related trafic" -j ACCEPT
  12. -A INPUT -i lo -m comment --comment "accept all incoming traffic of loopback device" -j ACCEPT
  13. -A INPUT -i eth0.30 -m comment --comment "accept all incoming traffic of eth0.30 device" -j ACCEPT
  14. -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT --reject-with icmp-port-unreachable
  15. -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "forward all established and related traffic" -j ACCEPT
  16. -A FORWARD -p icmp -m icmp --icmp-type 8 -m comment --comment "forward all pings" -j ACCEPT
  17. -A FORWARD -p udp -m udp --dport 123 -m comment --comment "forward all ntp request" -j ACCEPT
  18. -A FORWARD -p udp -m udp --sport 123 -m comment --comment "forward all ntp request" -j ACCEPT
  19. -A FORWARD ! -d 192.168.0.0/16 -i eth0.30 -o eth0 -m comment --comment "forward all traffic from vlan30 to the internet" -j ACCEPT
  20. -A FORWARD -d 192.168.0.0/24 -i eth0.30 -o eth0 -m comment --comment "forward all traffic from vlan30 to vlan10" -j ACCEPT
  21. -A FORWARD ! -d 192.168.0.0/16 -i eth0.40 -o eth0 -p tcp -m tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet" -j ACCEPT
  22. -A FORWARD ! -d 192.168.0.0/16 -i eth0.40 -o eth0 -p tcp -m tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher" -j ACCEPT
  23. -A FORWARD ! -d 192.168.0.0/16 -i eth0.60 -o eth0 -p tcp -m tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet" -j ACCEPT
  24. -A FORWARD -d 192.168.20.0/24 -i eth0.30 -o eth0.20 -m comment --comment "forward traffic from vlan30 to VLAN20" -j ACCEPT
  25. -A FORWARD -d 192.168.30.0/24 -i eth0.40 -o eth0.30 -p tcp -m tcp --dport 1883 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30" -j ACCEPT
  26. -A FORWARD -d 192.168.30.0/24 -i eth0.50 -o eth0.30 -p tcp -m tcp --dport 1883 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30" -j ACCEPT
  27. -A FORWARD -d 192.168.30.0/24 -i eth0.50 -o eth0.30 -p tcp -m tcp --dport 21 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)" -j ACCEPT
  28. -A FORWARD -d 192.168.40.0/24 -i eth0.30 -o eth0.40 -m comment --comment "forward traffic from vlan30 to VLAN40" -j ACCEPT
  29. -A FORWARD -d 192.168.50.0/24 -i eth0.30 -o eth0.50 -m comment --comment "forward traffic from vlan30 to VLAN50" -j ACCEPT
  30. -A OUTPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "accept outgoing pings" -j ACCEPT
  31. -A OUTPUT -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "accept outgoing dhcp" -j ACCEPT
  32. -A OUTPUT -p udp -m udp --dport 53 -m comment --comment "accept outgoing dns" -j ACCEPT
  33. -A OUTPUT -p tcp -m tcp --dport 53 -m comment --comment "accept outgoing dns" -j ACCEPT
  34. -A OUTPUT -p udp -m udp --dport 123 -m comment --comment "accept outgoing ntp" -j ACCEPT
  35. -A OUTPUT -p tcp -m tcp --dport 22 -m comment --comment "accept outgoing ssh" -j ACCEPT
  36. -A OUTPUT -p tcp -m tcp --dport 80 -m comment --comment "accept outgoing http" -j ACCEPT
  37. -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "accept all outgoing established and related trafic" -j ACCEPT
  38. -A OUTPUT -o lo -m comment --comment "accept all outgoing traffic of the loopback device" -j ACCEPT
  39. -A OUTPUT -o eth0.30 -m comment --comment "accept all outgoing traffic of the eth0.30 device" -j ACCEPT
  40. -A OUTPUT ! -d 192.168.0.0/16 -o eth0 -m comment --comment "accept all outgoing traffic to the internet" -j ACCEPT
  41. COMMIT
  42. # Completed on Mon Oct 2 20:48:26 2023
  43. # Generated by iptables-save v1.8.7 on Mon Oct 2 20:48:26 2023
  44. *nat
  45. :PREROUTING ACCEPT [0:0]
  46. :INPUT ACCEPT [0:0]
  47. :OUTPUT ACCEPT [0:0]
  48. :POSTROUTING ACCEPT [0:0]
  49. -A POSTROUTING -o eth0 -m comment --comment "masquerade ->eth0.10" -j MASQUERADE
  50. -A POSTROUTING -o eth0.20 -m comment --comment "masquerade ->eth0.20" -j MASQUERADE
  51. -A POSTROUTING -o eth0.30 -m comment --comment "masquerade ->eth0.30" -j MASQUERADE
  52. -A POSTROUTING -o eth0.40 -m comment --comment "masquerade ->eth0.40" -j MASQUERADE
  53. -A POSTROUTING -o eth0.50 -m comment --comment "masquerade ->eth0.50" -j MASQUERADE
  54. COMMIT
  55. # Completed on Mon Oct 2 20:48:26 2023