From dba0578b63b4ed9ccac6dd438763ef31e48d9d2e Mon Sep 17 00:00:00 2001
From: patrick
Date: Thu, 21 Nov 2013 17:41:34 +0100
Subject: [PATCH] aufgabe3.1-ordner
---
 aufgabe3.1/iptables.rules | 61 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 aufgabe3.1/iptables.rules
diff --git a/aufgabe3.1/iptables.rules b/aufgabe3.1/iptables.rules
new file mode 100644
index 0000000..53c21cf
--- /dev/null
+++ b/aufgabe3.1/iptables.rules
@@ -0,0 +1,61 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow established connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow traffic from private LAN
+-A INPUT -i eth1 -j ACCEPT
+-A FORWARD -i eth1 -j ACCEPT
+
+# allow ICMP (ping)
+-A INPUT -p icmp -j ACCEPT
+
+# allow loopback
+-A INPUT -i lo -j ACCEPT
+
+# uni subnets
+:uni - [0:0]
+-A INPUT -s 141.30.0.0/16 -j uni
+-A INPUT -s 141.76.0.0/16 -j uni
+
+# public internet
+:public - [0:0]
+-A INPUT -j public
+
+# all traffic from here on is being logged
+:logging - [0:0]
+-A INPUT -j logging
+-A FORWARD -j logging
+
+# reject unknown traffic with nice errors
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+# sshguard chain
+:sshguard - [0:0]
+
+# uni internal traffic
+-A uni -p tcp --dport 22 -j sshguard
+-A uni -p tcp --dport 22 -j ACCEPT
+
+# public traffic ---------------------------------------------------------------
+
+# traffic logging
+-A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# masquerading (NAT)
+-A POSTROUTING -o eth0 -j MASQUERADE
+
+COMMIT
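Review bot: The `public` chain declared at `:public - [0:0]` and entered by `-A INPUT -j public` holds no rules, so the jump is a no-op and the `# public traffic` heading later in the file introduces nothing; a packet simply returns to INPUT, hits `logging` and is rejected, which fails closed but leaves the intent unstated, so a comment such as `# public chain deliberately empty: no services are exposed to the internet` would make that explicit. `-A INPUT -p icmp -j ACCEPT` admits every ICMP type on every interface including eth0, while the earlier `RELATED,ESTABLISHED` rule already passes ICMP errors belonging to existing flows, so `-A INPUT -p icmp --icmp-type echo-request -j ACCEPT` keeps ping working with a narrower surface. The `sshguard` chain is likewise empty in this file, which presumably means the sshguard daemon is expected to populate it at runtime; a comment saying so would spare the next reader from wondering whether the `-j sshguard` before the port-22 ACCEPT is incomplete. `-m state --state` is the legacy match and `-m conntrack --ctstate` is the current equivalent; also, since this ruleset only loads into iptables, an IPv6 address on eth0 would presumably be unfiltered unless a matching ip6tables ruleset exists elsewhere.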