# iptables --list-rules iptables --flush iptables --delete-chain iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -N FWD_LAN_SUBNET iptables -N FWD_SERVICE iptables -N INPUT_FIREWALL iptables -N INPUT_LAN_SUBNET iptables -A INPUT -s $192.168.0.0/24 -i br0 -p icmp -j ACCEPT iptables -A INPUT -p icmp -i ppp256 -j DROP iptables -A INPUT -p icmp -i gre+ -j DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -j INPUT_LAN_SUBNET iptables -A INPUT -j INPUT_FIREWALL iptables -A FORWARD -m mark --mark 0x80000000/0x80000000 -j ACCEPT iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -j FWD_LAN_SUBNET iptables -A FORWARD -j FWD_SERVICE iptables -A FWD_LAN_SUBNET -s $192.168.0.0/24 ! -i br0 -j DROP iptables -A FWD_LAN_SUBNET ! -s $192.168.0.0/24 -i br0 -j DROP iptables -A FWD_LAN_SUBNET -i br0 -o rmnet0 -j DROP iptables -A FWD_LAN_SUBNET -d 192.168.0.0/16 -i br0 -o ppp256 -j DROP iptables -A FWD_LAN_SUBNET -d 172.16.0.0/12 -i br0 -o ppp256 -j DROP iptables -A FWD_LAN_SUBNET -d 10.0.0.0/8 -i br0 -o ppp256 -j DROP iptables -A FWD_LAN_SUBNET -d 192.168.0.0/16 -i br0 -o gre+ -j DROP iptables -A FWD_LAN_SUBNET -d 172.16.0.0/12 -i br0 -o gre+ -j DROP iptables -A FWD_LAN_SUBNET -d 10.0.0.0/8 -i br0 -o gre+ -j DROP iptables -A FWD_SERVICE -d 169.254.0.0/16 -i br0 -j DROP iptables -A FWD_SERVICE -s 169.254.0.0/16 ! -i br0 -j DROP iptables -A FWD_SERVICE -s 127.0.0.0/8 ! -i br0 -j DROP # # Wer VPN zur Fritzbox braucht # iptables -A FWD_SERVICE -d 192.168.0.12/32 -i gre+ -p udp -m udp --dport 1194 -j ACCEPT iptables -A FWD_SERVICE -d 192.168.0.12/32 -i gre+ -p tcp -m tcp --dport 1194 -j ACCEPT iptables -A FWD_SERVICE -d 192.168.0.12/32 -i ppp256 -p udp -m udp --dport 1194 -j ACCEPT iptables -A FWD_SERVICE -d 192.168.0.12/32 -i ppp256 -p tcp -m tcp--dport 1194 -j ACCEPT # # Wer HTTPS zur Fritzbox braucht # #iptables -A FWD_SERVICE -d $192.168.0.11/32 -i gre+ -p tcp -m tcp --dport 443 -j ACCEPT #iptables -A FWD_SERVICE -d $192.168.0.11/32 -i ppp256 -p tcp -m tcp --dport 443 -j ACCEPT # # Wer SIPGATE zur Fritzbox braucht # #iptables -A FWD_SERVICE -s 217.10.64.0/20 -d $192.168.0.11/32 -i gre+ -p udp -m udp --dport 7078:7109 -j ACCEPT #iptables -A FWD_SERVICE -s 217.116.112.0/20 -d $192.168.0.11/32 -i gre+ -p udp -m udp --dport 7078:7109 -j ACCEPT #iptables -A FWD_SERVICE -s 212.9.32.0/19 -d $192.168.0.11/32 -i gre+ -p udp -m udp --dport 7078:7109 -j ACCEPT #iptables -A FWD_SERVICE -s 217.10.79.9/32 -d $192.168.0.11/32 -i gre+ -p udp -m udp --dport 5060 -j ACCEPT #iptables -A FWD_SERVICE -s 217.10.68.147/32 -d $192.168.0.11/32 -i gre+ -p udp -m udp --dport 5060 -j ACCEPT #iptables -A FWD_SERVICE -s 217.10.68.150/32 -d $192.168.0.11/32 -i gre+ -p udp -m udp --dport 5060 -j ACCEPT #iptables -A FWD_SERVICE -s 217.10.64.0/20 -d $192.168.0.11/32 -i ppp256 -p udp -m udp --dport 7078:7109 -j ACCEPT #iptables -A FWD_SERVICE -s 217.116.112.0/20 -d $192.168.0.11/32 -i ppp256 -p udp -m udp --dport 7078:7109 -j ACCEPT #iptables -A FWD_SERVICE -s 212.9.32.0/19 -d $192.168.0.11/32 -i ppp256 -p udp -m udp --dport 7078:7109 -j ACCEPT #iptables -A FWD_SERVICE -s 217.10.79.9/32 -d $192.168.0.11/32 -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT #iptables -A FWD_SERVICE -s 217.10.68.147/32 -d $192.168.0.11/32 -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT #iptables -A FWD_SERVICE -s 217.10.68.150/32 -d $192.168.0.11/32 -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT # # Telekom VoIP # iptables -A FWD_SERVICE -s 217.0.16.0/20 -d $192.168.0.11/32 -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT iptables -A FWD_SERVICE -s 217.0.0.0/20 -d $192.168.0.11/32 -i ppp256 -p udp -m udp --dport 7078:7109 -j ACCEPT iptables -A FWD_SERVICE -d 217.0.16.0/20 -s $192.168.0.11/32 -i ppp256 -p udp -m udp --dport 5060 -j ACCEPT iptables -A FWD_SERVICE -d 217.0.0.0/20 -s $192.168.0.11/32 -i ppp256 -p udp -m udp --dport 7078:7109 -j ACCEPT iptables -A FWD_SERVICE -d $192.168.0.11/32 -i ppp256 -j DROP iptables -A FWD_SERVICE -d $192.168.0.11/32 -i gre+ -j DROP iptables -A INPUT_FIREWALL -d $192.168.0.10/32 -i br0 -p tcp -m tcp --dport 22 -j ACCEPT iptables -A INPUT_FIREWALL -d $192.168.0.10/32 -i br0 -p tcp -m tcp --dport 53 -j ACCEPT iptables -A INPUT_FIREWALL -d $192.168.0.10/32 -i br0 -p tcp -m tcp --dport 80 -j ACCEPT iptables -A INPUT_FIREWALL -d $192.168.0.10/32 -i br0 -p tcp -m tcp --dport 8080 -j ACCEPT iptables -A INPUT_FIREWALL -i br0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10/sec --limit-burst 50 -j ACCEPT iptables -A INPUT_FIREWALL -i br0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP iptables -A INPUT_FIREWALL ! -i br0 -j DROP iptables -A INPUT_LAN_SUBNET -s $192.168.0.0/24 ! -i br0 -j DROP # iptables -t nat --list-rules iptables -t nat --flush iptables -t nat --delete-chain iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P INPUT ACCEPT iptables -t nat -P OUTPUT ACCEPT iptables -t nat -P POSTROUTING ACCEPT iptables -t nat -A POSTROUTING -o gre2 -j MASQUERADE --mode fullcone iptables -t nat -A POSTROUTING -o gre1 -j MASQUERADE --mode fullcone iptables -t nat -A POSTROUTING -o ppp256 -j MASQUERADE --mode fullcone iptables -t nat -A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE iptables -t nat -A POSTROUTING -o ppp256 -m mark --mark 0x40000000/0xf0000000 -j MASQUERADE iptables -t nat -A POSTROUTING -o ppp256 -m mark --mark 0x20000000/0xf0000000 -j MASQUERADE iptables -t nat -A POSTROUTING -o ppp256 -m mark --mark 0x10000000/0xf0000000 -j MASQUERADE iptables -t nat -A PREROUTING -i gre+ -j DNAT --to-destination $192.168.0.11 iptables -t nat -A PREROUTING -i ppp256 -j DNAT --to-destination $192.168.0.11 # iptables -t mangle --list-rules iptables -t mangle --flush iptables -t mangle --delete-chain iptables -t mangle -P PREROUTING ACCEPT iptables -t mangle -P INPUT ACCEPT iptables -t mangle -P FORWARD ACCEPT iptables -t mangle -P OUTPUT ACCEPT iptables -t mangle -P POSTROUTING ACCEPT iptables -t mangle -N FORWARD_WAN_RULES iptables -t mangle -N FWD_FILTER_LIST iptables -t mangle -N ROUTE_CTL_LIST iptables -t mangle -A PREROUTING -i ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412 iptables -t mangle -A PREROUTING -i ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412 iptables -t mangle -A PREROUTING -i br0 -j ROUTE_CTL_LIST iptables -t mangle -A PREROUTING -i gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344 iptables -t mangle -A PREROUTING -i gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344 iptables -t mangle -A PREROUTING -i gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344 iptables -t mangle -A PREROUTING -i gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344 iptables -t mangle -A FORWARD -i br0 -j FORWARD_WAN_RULES iptables -t mangle -A OUTPUT -m mark --mark 0xe/0xf -j MARK --set-xmark 0x0/0xf iptables -t mangle -A OUTPUT -m mark --mark 0x9/0xf -j MARK --set-xmark 0x0/0xf iptables -t mangle -A OUTPUT -p udp -m udp --dport 53 -j MARK --set-xmark 0x6/0xf iptables -t mangle -A OUTPUT -m mark --mark 0x1000/0x1000 -j ROUTE_CTL_LIST iptables -t mangle -A POSTROUTING -o ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412 iptables -t mangle -A POSTROUTING -o ppp256 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1412:65535 -j TCPMSS --set-mss 1412 iptables -t mangle -A POSTROUTING -o gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344 iptables -t mangle -A POSTROUTING -o gre2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344 iptables -t mangle -A POSTROUTING -o gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344 iptables -t mangle -A POSTROUTING -o gre1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -m tcpmss --mss 1344:65535 -j TCPMSS --set-mss 1344 iptables -t mangle -A FORWARD_WAN_RULES -j DSCP --set-dscp 0x00 iptables -t mangle -A FORWARD_WAN_RULES -p tcp -m tcp --tcp-flags ACK ACK -m length --length 40:64 -j MARK --set-xmark 0x6/0xf iptables -t mangle -A FWD_FILTER_LIST -m dscp --dscp 0x30 -j MARK --set-xmark 0x40000000/0xf0000000 iptables -t mangle -A FWD_FILTER_LIST -m dscp --dscp 0x28 -j MARK --set-xmark 0x40000000/0xf0000000 # # Telekom VoIP # iptables -t mangle -A FWD_FILTER_LIST -d 217.0.0.0/20 -p udp -m udp --dport 5060 -j MARK --set-xmark 0x10000000/0xf0000000 iptables -t mangle -A FWD_FILTER_LIST -d 217.0.0.0/20 -p udp -m udp --sport 5060 -j MARK --set-xmark 0x10000000/0xf0000000 iptables -t mangle -A FWD_FILTER_LIST -d 217.0.16.0/20 -p udp -m udp --dport 7078:7109 -j MARK --set-xmark 0x20000000/0xf0000000 iptables -t mangle -A FWD_FILTER_LIST -d 217.0.16.0/20 -p udp -m udp --sport 7078:7109 -j MARK --set-xmark 0x20000000/0xf0000000 # # # iptables -t mangle -A ROUTE_CTL_LIST -d $192.168.0.0/24 -j RETURN