Eigenes Script mit Suse 11.3 starten lassen

ln -s /home/gTux/fwRulesAdd.sh /h /etc/init.d/rc3.d/S12fwRulesAdd

#!/bin/sh

iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j SNAT --to 10.20.30.400

insserv -v /etc/init.d/fwRulesAdd.sh,start=3
insserv: warning: script 'fwRulesAdd.sh' missing LSB tags and overrides
insserv: Default-Start undefined, assuming default start runlevel(s) for script `fwRulesAdd.sh'
insserv: remove service /etc/init.d/rc2.d/K01stoppreload
insserv: enable service ../stoppreload -> /etc/init.d/rc2.d/K02stoppreload
insserv: remove service /etc/init.d/rc3.d/K01stoppreload
insserv: enable service ../stoppreload -> /etc/init.d/rc3.d/K02stoppreload
insserv: enable service ../fwRulesAdd.sh -> /etc/init.d/rc3.d/S01fwRulesAdd.sh
insserv: enable service ../fwRulesAdd.sh -> /etc/init.d/rc3.d/K01fwRulesAdd.sh
insserv: remove service /etc/init.d/rc5.d/K01stoppreload
insserv: enable service ../stoppreload -> /etc/init.d/rc5.d/K02stoppreload
insserv: creating .depend.boot
insserv: creating .depend.start
insserv: creating .depend.halt
insserv: creating .depend.stop

#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j SNAT --to 10.20.30.400

fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
    # these are the rules to be loaded after IP forwarding and masquerading
    # but before the logging and deny all section is set by SuSEfirewall2.
    # You can use this hook to prevent the logging of annoying packets.

#example: prevent logging of talk requests from anywhere
#for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
=======>>>> hier die Regel #    iptables -A $chain -j DROP -p udp --dport 517:518
#done

insserv -r fwRulesAdd.sh

### BEGIN INIT INFO 
# Provides: named 
# Required-Start: $network $remote_fs $syslog 
# Required-Stop: 
# Default-Start: 3 5 
# Default-Stop: 
# Description: Starts internet domain name server (DNS) BIND 9 
### END INIT INFO

rcfwRulesAdd start

#!/bin/bash
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $network $iptables $syslog
# Required-Stop:
# Default-Start: 3
# Default-Stop:
# Description: opens the iptables firewall for VPN
### END INIT INFO

sleep 6;
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j SNAT --to 10.20.30.400

echo "Firewall geoeffnet";

#exit;

iptables-save

iptables-save
# Generated by iptables-save v1.4.8 on Thu Oct 21 00:35:18 2010
*nat
:PREROUTING ACCEPT [2:140]
:OUTPUT ACCEPT [17:1194]
:POSTROUTING ACCEPT [17:1194]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.20.30.400
COMMIT
# Completed on Thu Oct 21 00:35:18 2010
# Generated by iptables-save v1.4.8 on Thu Oct 21 00:35:18 2010
*raw
:PREROUTING ACCEPT [97:10695]
:OUTPUT ACCEPT [89:17962]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Thu Oct 21 00:35:18 2010
# Generated by iptables-save v1.4.8 on Thu Oct 21 00:35:18 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -i tun0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i tun0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -m pkttype --pkt-type broadcast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1194 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1194 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 21 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 30000:30100 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 30000:30100 -j ACCEPT
-A input_ext -p udp -m udp --dport 1194 -j ACCEPT
-A input_ext -s 10.8.0.0/24 -p tcp -m tcp --sport 1194 --dport 1194 -m state --state NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -s 10.8.0.0/24 -p tcp -m tcp --sport 1194 --dport 1194 -j ACCEPT
-A input_ext -s 10.8.0.0/24 -p udp -m udp --sport 1194 --dport 1194 -m state --state NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -s 10.8.0.0/24 -p udp -m udp --sport 1194 --dport 1194 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Oct 21 00:35:18 2010

logger -t test "IPTABLES CUSTOM CALLED"

network restart

grep -i test: /var/log/messages

iptables -L | grep -i <irgendeinString aus Deinem iptables Befehl>

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.20.30.400

grep -i test: /var/log/messages
Oct 22 06:20:33 suse1 test: IPTABLES CUSTOM CALLED
Oct 22 06:21:50 suse1 test: IPTABLES CUSTOM CALLED