HELP! Firewall error, internet doesn't work with it



Catonga
29.08.01, 01:49
Help.

So I've now built my own ipchains firewall script.

But when I use it, I can't even send a ping to www.yahoo.de (http://www.yahoo.de).
Also, quite a lot gets logged.

Could someone take a look at it? Here is the script, the log and other relevant data:


Firewall script:
----------------------------------
#!/bin/sh
# optimised (router) firewall script from: http://home.foni.net/~bmueller/index.html

#--- Settings ---------------------------------------------------------
FTP_AKTIV="false"
MYSERVER="false"
echo FTP-Server = $MYSERVER
#KOMTEL="212.7.128.0/24"
#DEBIAN="debian_fileserver"

EXT="ppp0"
INT="eth0"
LAN="192.168.100.0/24"
UNPRIV="1024:65535"
IPC="/sbin/ipchains"

#--- Determine own and remote IP address ------------------------------
# LOCALIP comes from pppd ($PPP_LOCAL) when the script runs as ip-up;
# otherwise it is read from the internal interface $INT.
LOCALIP=$PPP_LOCAL
if [ -z "${LOCALIP}" ]; then
    LOCALIP="$(ifconfig $INT | awk '/addr:/ {print $2}' | sed s/addr://)"
    if [ -z "${LOCALIP}" ]; then
        echo Local IP missing!
        exit 1
    fi
fi
# REMOTEIP comes from pppd ($PPP_REMOTE); the fallback takes the "inet addr:"
# field of $EXT, i.e. the address assigned to ppp0 itself, not the P-t-P peer.
REMOTEIP=$PPP_REMOTE
if [ -z "${REMOTEIP}" ]; then
    # REMOTEIP="$(ifconfig $EXT | awk '/P-t-P:/ {print $3}' | sed s/P-t-P://)"
    REMOTEIP=`ifconfig $EXT | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
    if [ -z "${REMOTEIP}" ]; then
        echo Remote IP missing!
        #REMOTEIP="212.134.23.43"
        exit 1
    fi
fi

echo "Setting up firewall ..."
echo "External Interface =" $EXT
echo "External IP = " $REMOTEIP
echo
echo "Local Interface = " $INT
echo "Local IP = " $LOCALIP

#--- Default policy -----------------------------------------------------------
# Forwarding stays off while the rules are rebuilt; anything not matched
# below is silently dropped on input and rejected on output/forward.
echo 0 > /proc/sys/net/ipv4/ip_forward
$IPC -P input DENY
$IPC -P forward REJECT
$IPC -P output REJECT
$IPC -F
$IPC -X
#--- Local interfaces ---------------------------------------------------------
# Traffic on any interface other than $EXT (LAN, loopback) is unrestricted.
$IPC -A input -i ! $EXT -j ACCEPT
$IPC -A output -i ! $EXT -j ACCEPT
#--- Spoofed packets ----------------------------------------------------------
# Nothing arriving from outside may claim our own address, nothing leaving
# may carry a foreign one, and reserved/private ranges are never valid on $EXT.
$IPC -A input -i $EXT -s $LOCALIP -j DENY -l
$IPC -A output -i $EXT -s ! $LOCALIP -j REJECT -l
$IPC -A input -i $EXT -s 0.0.0.0 -j DENY -l
$IPC -A output -i $EXT -d 0.0.0.0 -j REJECT -l
$IPC -A input -i $EXT -s 10.0.0.0/8 -j DENY -l
$IPC -A output -i $EXT -d 10.0.0.0/8 -j REJECT -l
$IPC -A input -i $EXT -s 127.0.0.0/8 -j DENY -l
$IPC -A output -i $EXT -d 127.0.0.0/8 -j REJECT -l
$IPC -A input -i $EXT -s 169.254.0.0/16 -j DENY -l
$IPC -A output -i $EXT -d 169.254.0.0/16 -j REJECT -l
$IPC -A input -i $EXT -s 172.16.0.0/12 -j DENY -l
$IPC -A output -i $EXT -d 172.16.0.0/12 -j REJECT -l
$IPC -A input -i $EXT -s 192.0.2.0/24 -j DENY -l
$IPC -A output -i $EXT -d 192.0.2.0/24 -j REJECT -l
$IPC -A input -i $EXT -s 192.168.0.0/16 -j DENY -l
$IPC -A output -i $EXT -d 192.168.0.0/16 -j REJECT -l
$IPC -A input -i $EXT -s 224.0.0.0/3 -j DENY -l
$IPC -A output -i $EXT -d 224.0.0.0/3 -j REJECT -l
$IPC -A input -i $EXT -s 255.255.255.255 -j DENY -l
$IPC -A output -i $EXT -d 255.255.255.255 -j REJECT -l

# block the following unprivileged ports:
#--- Junkbuster ---------------------------------------------------------------
# $IPC -A input -i $EXT -p tcp --dport 5865 -j DENY -l
#--- X server -----------------------------------------------------------------
$IPC -A input -i $EXT -p tcp --dport 5999:6003 -j DENY -l
$IPC -A input -i $EXT -p udp --dport 5999:6003 -j DENY -l
#--- NFS ----------------------------------------------------------------------
$IPC -A input -i $EXT -p tcp --dport 2049 -j DENY -l
$IPC -A input -i $EXT -p udp --dport 2049 -j DENY -l
#--- Back Orifice -------------------------------------------------------------
$IPC -A input -i $EXT -p tcp --dport 31337 -j DENY -l
$IPC -A input -i $EXT -p udp --dport 31337 -j DENY -l
#--- Netbus -------------------------------------------------------------------
$IPC -A input -i $EXT -p tcp --dport 12345:12346 -j DENY -l
$IPC -A input -i $EXT -p udp --dport 12345:12346 -j DENY -l
#--- Trin ---------------------------------------------------------------------
$IPC -A input -i $EXT -p tcp --dport 1524 -j DENY -l
$IPC -A input -i $EXT -p tcp --dport 27665 -j DENY -l

# Before this point every unprivileged port (> 1024) that must not be
# reachable has to be blocked (e.g. Netbus, Back Orifice, X server)!!!
# The DNS, FTP and passive-FTP rules below accept into the whole $UNPRIV range.


#--- ICMP incoming ------------------------------------------------------------
# echo-reply, destination-unreachable and time-exceeded: what ping and
# traceroute need in order to see their answers.
$IPC -A input -i $EXT -p icmp --icmp-type 0 -j ACCEPT
$IPC -A input -i $EXT -p icmp --icmp-type 3 -j ACCEPT
$IPC -A input -i $EXT -p icmp --icmp-type 11 -j ACCEPT
#--- ICMP outgoing ------------------------------------------------------------
$IPC -A output -i $EXT -p icmp --icmp-type 8 -j ACCEPT
#$IPC -A output -i $EXT -p icmp -d $KOMTEL --icmp-type 3 -j ACCEPT
#$IPC -A output -i $EXT -p icmp -d $DEBIAN --icmp-type 3 -j ACCEPT
#--- DNS requests (UDP) -------------------------------------------------------
$IPC -A input -i $EXT -p udp --sport domain --dport $UNPRIV -j ACCEPT
$IPC -A output -i $EXT -p udp --sport $UNPRIV --dport domain -j ACCEPT
#--- DNS requests (TCP) -------------------------------------------------------
# "! -y": accept only packets that are not a new connection attempt (SYN
# without ACK), i.e. replies to connections we opened ourselves.
$IPC -A input -i $EXT -p tcp --sport domain --dport $UNPRIV ! -y -j ACCEPT
$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport domain -j ACCEPT
#--- Authentication (ident) ---------------------------------------------------
#$IPC -A input -i $EXT -p tcp -s $KOMTEL $UNPRIV --dport auth -j REJECT
#$IPC -A input -i $EXT -p tcp -s $DEBIAN $UNPRIV --dport auth -j REJECT


if [ $MYSERVER = true ]; then
    echo -n "setting up FTP Server access"
    #--- FTP server (active) --------------------------------------------------
    $IPC -A input -i $EXT -p tcp --sport $UNPRIV --dport ftp-data ! -y -j ACCEPT
    $IPC -A output -i $EXT -p tcp --sport ftp-data --dport $UNPRIV -j ACCEPT
    #--- FTP server (active & passive) ----------------------------------------
    # incoming SYNs to the control port are logged, then accepted
    $IPC -A input -i $EXT -p tcp --sport $UNPRIV --dport ftp -y -j ACCEPT -l
    $IPC -A input -i $EXT -p tcp --sport $UNPRIV --dport ftp -j ACCEPT
    $IPC -A output -i $EXT -p tcp --sport ftp --dport $UNPRIV ! -y -j ACCEPT
    #--- FTP server (passive) -------------------------------------------------
    $IPC -A input -i $EXT -p tcp --sport $UNPRIV --dport $UNPRIV -y -j ACCEPT -l
    $IPC -A input -i $EXT -p tcp --sport $UNPRIV --dport $UNPRIV -j ACCEPT
    $IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport $UNPRIV ! -y -j ACCEPT
    #--- Authentication (ident) for the FTP server ----------------------------
    $IPC -A input -i $EXT -p tcp --sport auth --dport $UNPRIV ! -y -j ACCEPT
    $IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport auth -j ACCEPT
fi

if [ $FTP_AKTIV = true ]; then
    echo -n "setting up FTP Active Client access"
    #--- FTP client (active) --------------------------------------------------
    # the server opens the data connection towards us, so an incoming SYN is needed
    $IPC -A input -i $EXT -p tcp --sport ftp-data --dport $UNPRIV -y -j ACCEPT -l
    $IPC -A input -i $EXT -p tcp --sport ftp-data --dport $UNPRIV -j ACCEPT
    $IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport ftp-data ! -y -j ACCEPT
fi

# All other permitted services go here:
#--- FTP client (active & passive) --------------------------------------------
$IPC -A input -i $EXT -p tcp --sport ftp --dport $UNPRIV ! -y -j ACCEPT
$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport ftp -j ACCEPT
#--- FTP client (passive) -----------------------------------------------------
$IPC -A input -i $EXT -p tcp --sport $UNPRIV --dport $UNPRIV ! -y -j ACCEPT
$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport $UNPRIV -j ACCEPT
#--- News ---------------------------------------------------------------------
$IPC -A input -i $EXT -p tcp --sport nntp --dport $UNPRIV ! -y -j ACCEPT
$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport nntp -j ACCEPT
#--- HTTP ---------------------------------------------------------------------
$IPC -A input -i $EXT -p tcp --sport www --dport $UNPRIV ! -y -j ACCEPT
$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport www -j ACCEPT
#--- HTTP secure --------------------------------------------------------------
$IPC -A input -i $EXT -p tcp --sport 443 --dport $UNPRIV ! -y -j ACCEPT
$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport 443 -j ACCEPT
#--- ICQ client to server -------------------------------------Selfmade--------
#$IPC -A input -i $EXT -p tcp --sport 5190 --dport $UNPRIV ! -y -j ACCEPT
#$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport 5190 -j ACCEPT
#--- ICQ client to client -------------------------------------Selfmade--------
#$IPC -A input -i $EXT -p tcp --sport 4000 --dport $UNPRIV ! -y -j ACCEPT
#$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport 4000 -j ACCEPT
#--- ICQ client to client, insecure ----------------------------Selfmade--------
#$IPC -A input -i $EXT -p tcp --sport 4001:4030 --dport $UNPRIV ! -y -j ACCEPT
#$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport 4001:4030 -j ACCEPT
#--- Quicktime Realplayer -------------------------------------Selfmade--------
#$IPC -A input -i $EXT -p tcp --sport 554 --dport $UNPRIV ! -y -j ACCEPT
#$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport 554 -j ACCEPT
#$IPC -A input -i $EXT -p udp --sport 6970:6999 --dport $UNPRIV ! -y -j ACCEPT
#$IPC -A output -i $EXT -p udp --sport $UNPRIV --dport 6970:6999 -j ACCEPT
#--- IRC ------------------------------------------------------Selfmade--------
#$IPC -A input -i $EXT -p tcp --sport irc --dport $UNPRIV ! -y -j ACCEPT
#$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport irc -j ACCEPT

#--- eMail incoming -----------------------------------------------------------
$IPC -A input -i $EXT -p tcp --sport pop3 --dport $UNPRIV ! -y -j ACCEPT
$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport pop3 -j ACCEPT
#--- eMail outgoing -----------------------------------------------------------
$IPC -A input -i $EXT -p tcp --sport smtp --dport $UNPRIV ! -y -j ACCEPT
$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport smtp -j ACCEPT
#--- Telnet -------------------------------------------------------------------
$IPC -A input -i $EXT -p tcp --sport telnet --dport $UNPRIV ! -y -j ACCEPT
$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport telnet -j ACCEPT
#--- Whois requests -----------------------------------------------------------
$IPC -A input -i $EXT -p tcp --sport whois --dport $UNPRIV ! -y -j ACCEPT
$IPC -A output -i $EXT -p tcp --sport $UNPRIV --dport whois -j ACCEPT
#--- Traceroute ---------------------------------------------------------------
$IPC -A output -i $EXT -p udp --sport $UNPRIV --dport $UNPRIV -j ACCEPT


#--- Time synchronisation -----------------------------------------------------
# $IPC -A input -i $EXT -p udp -s TS_1 ntp --dport ntp -j ACCEPT
# $IPC -A output -i $EXT -p udp --sport ntp -d TS_1 ntp -j ACCEPT
# $IPC -A input -i $EXT -p udp -s TS_2 ntp --dport ntp -j ACCEPT
# $IPC -A output -i $EXT -p udp --sport ntp -d TS_2 ntp -j ACCEPT
# $IPC -A input -i $EXT -p udp -s TS_3 ntp --dport ntp -j ACCEPT
# $IPC -A output -i $EXT -p udp --sport ntp -d TS_3 ntp -j ACCEPT
#--- Anything else ------------------------------------------------------------
# Rules without a target only log; the packet then falls through to the
# chain policy (DENY on input, REJECT on output).
$IPC -A input -i $EXT -l
$IPC -A output -i $EXT -l


#--- Masquerade ---------------------------------------------------------------
# Masquerade what the LAN sends out via $EXT; anything else that would be
# forwarded is logged before the REJECT policy gets it.
echo -n "setting up masquerading ..."
$IPC -A forward -i $EXT -s $LAN -j MASQ --no-warnings
$IPC -A forward -i $EXT -l --no-warnings
echo 1 > /proc/sys/net/ipv4/ip_forward
#------------------------------------------------------------------------------
echo " done."

--------------------------------------------------


Log error messages
---------------------------------------------
Aug 29 01:36:16 wood kernel: Packet log: output REJECT ppp0 PROTO=17 217.83.182.254:63243 194.25.2.129:53 L=62 S=0x00 I=16581 F=0x0000 T=127 (#2)
Aug 29 01:36:16 wood kernel: Packet log: output REJECT ppp0 PROTO=17 217.83.182.254:1024 193.158.142.133:53 L=73 S=0x00 I=3233 F=0x0000 T=64 (#2)
....
--------------------------------------------------------------------------

ifconfig output (details such as the IP address at the time the logs were taken, etc.).
-----------------------------------------------
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.100.5  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24114 errors:0 dropped:0 overruns:0 frame:22
          TX packets:23971 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:3 Base address:0x300

eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22533 errors:0 dropped:0 overruns:0 frame:227
          TX packets:21472 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0x320

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:137 errors:0 dropped:0 overruns:0 frame:0
          TX packets:137 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:217.83.182.254  P-t-P:217.5.98.40  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
-------------------------------------------------------------


Output of the firewall rules when running
ipchains -L -v
-----------------------------------------------
Chain input (policy DENY: 41248 packets, 17629888 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
202 14959 ACCEPT all ------ 0xFF 0x00 !ppp0 anywhere anywhere n/a
0 0 DENY all ----l- 0xFF 0x00 ppp0 wood.WORKGROUP anywhere n/a
0 0 DENY all ----l- 0xFF 0x00 ppp0 0.0.0.0 anywhere n/a
0 0 DENY all ----l- 0xFF 0x00 ppp0 10.0.0.0/8 anywhere n/a
0 0 DENY all ----l- 0xFF 0x00 ppp0 loopback/8 anywhere n/a
0 0 DENY all ----l- 0xFF 0x00 ppp0 169.254.0.0/16 anywhere n/a
0 0 DENY all ----l- 0xFF 0x00 ppp0 172.16.0.0/12 anywhere n/a
0 0 DENY all ----l- 0xFF 0x00 ppp0 192.0.2.0/24 anywhere n/a
0 0 DENY all ----l- 0xFF 0x00 ppp0 192.168.0.0/16 anywhere n/a
0 0 DENY all ----l- 0xFF 0x00 ppp0 224.0.0.0/3 anywhere n/a
0 0 DENY all ----l- 0xFF 0x00 ppp0 255.255.255.255 anywhere n/a
0 0 DENY tcp ----l- 0xFF 0x00 ppp0 anywhere anywhere any -> 5999:6003
0 0 DENY udp ----l- 0xFF 0x00 ppp0 anywhere anywhere any -> 5999:6003
0 0 DENY tcp ----l- 0xFF 0x00 ppp0 anywhere anywhere any -> 2049
0 0 DENY udp ----l- 0xFF 0x00 ppp0 anywhere anywhere any -> 2049
0 0 DENY tcp ----l- 0xFF 0x00 ppp0 anywhere anywhere any -> 31337
0 0 DENY udp ----l- 0xFF 0x00 ppp0 anywhere anywhere any -> 31337
0 0 DENY tcp ----l- 0xFF 0x00 ppp0 anywhere anywhere any -> 12345:12346
0 0 DENY udp ----l- 0xFF 0x00 ppp0 anywhere anywhere any -> 12345:12346
0 0 DENY tcp ----l- 0xFF 0x00 ppp0 anywhere anywhere any -> ingreslock
0 0 DENY tcp ----l- 0xFF 0x00 ppp0 anywhere anywhere any -> 27665
0 0 ACCEPT icmp ------ 0xFF 0x00 ppp0 anywhere anywhere echo-reply
0 0 ACCEPT icmp ------ 0xFF 0x00 ppp0 anywhere anywhere destination-unreachable
0 0 ACCEPT icmp ------ 0xFF 0x00 ppp0 anywhere anywhere time-exceeded
0 0 ACCEPT udp ------ 0xFF 0x00 ppp0 anywhere anywhere domain -> 1024:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 ppp0 anywhere anywhere domain -> 1024:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 ppp0 anywhere anywhere ftp -> 1024:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> 1024:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 ppp0 anywhere anywhere nntp -> 1024:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 ppp0 anywhere anywhere www -> 1024:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 ppp0 anywhere anywhere 443 -> 1024:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 ppp0 anywhere anywhere pop3 -> 1024:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 ppp0 anywhere anywhere smtp -> 1024:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 ppp0 anywhere anywhere telnet -> 1024:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 ppp0 anywhere anywhere whois -> 1024:65535
0 0 - all ----l- 0xFF 0x00 ppp0 anywhere anywhere n/a
Chain forward (policy REJECT: 13 packets, 841 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
61 3902 MASQ all ------ 0xFF 0x00 ppp0 localnet/24 anywhere n/a
0 0 - all ----l- 0xFF 0x00 ppp0 anywhere anywhere n/a
Chain output (policy REJECT: 40739 packets, 17563585 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
125 11490 ACCEPT all ------ 0xFF 0x00 !ppp0 anywhere anywhere n/a
309 21876 REJECT all ----l- 0xFF 0x00 ppp0 !wood.WORKGROUP anywhere n/a
0 0 REJECT all ----l- 0xFF 0x00 ppp0 anywhere 0.0.0.0 n/a
0 0 REJECT all ----l- 0xFF 0x00 ppp0 anywhere 10.0.0.0/8 n/a
0 0 REJECT all ----l- 0xFF 0x00 ppp0 anywhere loopback/8 n/a
0 0 REJECT all ----l- 0xFF 0x00 ppp0 anywhere 169.254.0.0/16 n/a
0 0 REJECT all ----l- 0xFF 0x00 ppp0 anywhere 172.16.0.0/12 n/a
0 0 REJECT all ----l- 0xFF 0x00 ppp0 anywhere 192.0.2.0/24 n/a
0 0 REJECT all ----l- 0xFF 0x00 ppp0 anywhere 192.168.0.0/16 n/a
0 0 REJECT all ----l- 0xFF 0x00 ppp0 anywhere 224.0.0.0/3 n/a
0 0 REJECT all ----l- 0xFF 0x00 ppp0 anywhere 255.255.255.255 n/a
0 0 ACCEPT icmp ------ 0xFF 0x00 ppp0 anywhere anywhere echo-request
0 0 ACCEPT udp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> domain
0 0 ACCEPT tcp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> domain
0 0 ACCEPT tcp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> ftp
0 0 ACCEPT tcp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> 1024:65535
0 0 ACCEPT tcp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> nntp
0 0 ACCEPT tcp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> www
0 0 ACCEPT tcp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> 443
0 0 ACCEPT tcp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> pop3
0 0 ACCEPT tcp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> smtp
0 0 ACCEPT tcp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> telnet
0 0 ACCEPT tcp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> whois
0 0 ACCEPT udp ------ 0xFF 0x00 ppp0 anywhere anywhere 1024:65535 -> 1024:65535
0 0 - all ----l- 0xFF 0x00 ppp0 anywhere anywhere n/a
------------------------------------------------------

So, that's basically all the information.
I hope someone can tell me what the problem is, or rather why it doesn't work.

The connection is via T-DSL, by the way.
The program is Roaring Penguin.

In ifconfig, two IP numbers are listed for the ppp0 device.
I also tried using that P-t-P IP in the firewall script; that didn't help either.


This is slowly getting really annoying.
I've already tried several firewall scripts, and every one of them has some error or other, so the firewall doesn't work.

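Added example (my code, not from the thread): the log lines above end in "(#2)", which is the number of the rule in the named chain that matched, counted from 1 in the order ipchains -L prints them. The script below takes one of those lines plus a chain listing, picks out that rule, and flags the case where an output-chain "!ADDR" anti-spoof rule was built from an address that is not the external interface's own. The log line is the first one from the post; the listing is constructed from the output chain above, in the numeric form ipchains -L output -v -n prints (addresses instead of "wood.WORKGROUP"); in it the mark and outsize columns are blank, so "source" is the 9th whitespace-separated field.

```shell
#!/bin/sh
# Added example, not code from the thread: map an ipchains "Packet log:" line
# back to the rule that produced it and check an output-chain anti-spoof hit.
# Constructed input: the first log line from the post and the first rules of
# the output chain as `ipchains -L output -v -n` would print them.

LOGLINE='Aug 29 01:36:16 wood kernel: Packet log: output REJECT ppp0 PROTO=17 217.83.182.254:63243 194.25.2.129:53 L=62 S=0x00 I=16581 F=0x0000 T=127 (#2)'

LISTING='Chain output (policy REJECT: 40739 packets, 17563585 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
  125 11490 ACCEPT all ------ 0xFF 0x00 !ppp0 0.0.0.0/0 0.0.0.0/0 n/a
  309 21876 REJECT all ----l- 0xFF 0x00 ppp0 !192.168.100.5 0.0.0.0/0 n/a
    0     0 REJECT all ----l- 0xFF 0x00 ppp0 0.0.0.0/0 0.0.0.0 n/a'

# log_field LINE NAME: one field of a "Packet log:" line.
# NAME is chain, target, iface, proto, src, dst or rule (the N of "(#N)").
log_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
    {
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        f["chain"] = $(i+1); f["target"] = $(i+2); f["iface"] = $(i+3)
        f["proto"] = $(i+4); sub(/^PROTO=/, "", f["proto"])
        f["src"] = $(i+5); sub(/:[0-9]+$/, "", f["src"])   # strip the port
        f["dst"] = $(i+6); sub(/:[0-9]+$/, "", f["dst"])
        f["rule"] = $NF;   gsub(/[#()]/, "", f["rule"])
        print f[want]
    }'
}

# chain_rule LISTING CHAIN N: rule number N (counted from 1, as in "(#N)")
# of CHAIN, taken from an `ipchains -L -v` listing.
chain_rule() {
    printf '%s\n' "$1" | awk -v chain="$2" -v n="$3" '
    /^Chain / { inchain = ($2 == chain); skip = 1; next }  # column header follows
    inchain && skip { skip = 0; next }
    inchain && NF { if (++k == n) { print; exit } }'
}

# rule_source RULELINE: the source column of a `-L -v` rule line
# (9th field here because mark and outsize are blank).
rule_source() { printf '%s\n' "$1" | awk '{ print $9 }'; }

# diagnose LOGLINE LISTING EXTIP: name the rule that matched. Returns 1 when
# that rule is an output-chain "!ADDR" anti-spoof rule whose ADDR is not the
# external interface's own address, which is the situation in the post.
diagnose() {
    chain=$(log_field "$1" chain)
    n=$(log_field "$1" rule)
    src=$(log_field "$1" src)
    rule=$(chain_rule "$2" "$chain" "$n")
    rsrc=$(rule_source "$rule")
    echo "chain=$chain rule=#$n matched a packet from $src"
    echo "rule: $rule"
    case "$rsrc" in
    "!"*)
        want=${rsrc#!}
        if [ "$chain" = output ] && [ "$want" != "$3" ]; then
            echo "anti-spoof mismatch: rule wants source $want, but $3 is the address on the external interface"
            return 1
        fi ;;
    esac
    return 0
}

diagnose "$LOGLINE" "$LISTING" 217.83.182.254 || true
```

Run against the constructed listing it reports rule #2 of the output chain as the one rejecting the DNS queries, and the mismatch between the 192.168.100.5 in the rule and the 217.83.182.254 on ppp0.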
Catonga
29.08.01, 02:32
Found the problem now.

It was because the wrong IP was used in the second anti-spoof command:
------------------
#--- Spoofed Packets ----------------------------------------------------------
$IPC -A input -i $EXT -s $LOCALIP -j DENY -l
$IPC -A output -i $EXT -s ! $LOCALIP -j REJECT -l
------------------------


It had to be:
---------------------------
#--- Spoofed Packets ----------------------------------------------------------
$IPC -A input -i $EXT -s $LOCALIP -j DENY -l
$IPC -A output -i $EXT -s ! $REMOTEIP -j REJECT -l
--------------------------

Unfortunately I now have a different problem;
I'll work on it. Internet and mail work now, at least.
I'll report back.

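Added example (my code, not the thread's), covering both the first post's address handling and the fix in the second: it pulls the addresses a rule set needs out of ifconfig output and builds the anti-spoof pair with the address that actually sits on the external interface. The ifconfig text is the one posted above, indented as ifconfig prints it; IPC is set to "echo /sbin/ipchains" so the rules are printed rather than loaded (remove the echo to apply them). It also reruns the REMOTEIP fallback from the posted script on that text to show what it returns.

```shell
#!/bin/sh
# Added example, not code from the thread: read interface addresses from
# ifconfig output and emit the anti-spoof rules with the external address.
# Constructed input: the ifconfig text from the post. IPC echoes instead of
# loading rules, so the block runs without ipchains or root.
IPC="echo /sbin/ipchains"
EXT=ppp0
INT=eth0

IFCONFIG='eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.100.5  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:217.83.182.254  P-t-P:217.5.98.40  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

# iface_field TEXT IFACE KEY: the value of "KEY:value" inside IFACE's block.
# KEY is addr for the interface's own address, P-t-P for the peer. Prints
# nothing when the interface has no such field (eth1 has no address).
iface_field() {
    printf '%s\n' "$1" | awk -v want="$2" -v key="$3" '
    /^[^ \t]/ { cur = $1 }                  # unindented line: new interface block
    cur == want {
        for (i = 1; i <= NF; i++)
            if (split($i, kv, ":") == 2 && kv[1] == key) { print kv[2]; exit }
    }'
}

# The fallback the posted script uses for REMOTEIP, run on the same text:
# it takes the first colon-separated field after "inet", which is the
# interface'"'"'s own address, not the P-t-P peer.
post_remoteip() {
    printf '%s\n' "$IFCONFIG" | awk -v want="$EXT" '/^[^ \t]/ { cur = $1 }; cur == want' \
        | grep inet | cut -d : -f 2 | cut -d ' ' -f 1
}

LANIP=$(iface_field "$IFCONFIG" "$INT" addr)    # 192.168.100.5
EXTIP=$(iface_field "$IFCONFIG" "$EXT" addr)    # 217.83.182.254
PEERIP=$(iface_field "$IFCONFIG" "$EXT" P-t-P)  # 217.5.98.40, the provider side

# antispoof_rules: nothing arriving on $EXT may claim our external address,
# and nothing leaving $EXT may carry any other source address. The LAN
# address has no business in either rule; the 192.168.0.0/16 rules of the
# script already cover it.
antispoof_rules() {
    if [ -z "$EXTIP" ]; then
        echo "no address on $EXT" >&2
        return 1
    fi
    $IPC -A input  -i $EXT -s $EXTIP   -j DENY   -l
    $IPC -A output -i $EXT -s ! $EXTIP -j REJECT -l
}

antispoof_rules
```

With pppd the same two values arrive as $PPP_LOCAL and $PPP_REMOTE when the script is run from ip-up, which avoids parsing ifconfig at all; the parser is only for running the script by hand.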
Catonga
29.08.01, 05:36
Yay :)

I've now run the self-test on this page: http://www.lfd.niedersachsen.de/service/service_selbstt.html
(and a few other pages)
and my ipchains firewall script passed all the tests with flying colours. :)


Now I just need to test it with nessus and nmap. :D

If anyone should still find a mistake or a security hole in my firewall script (see above), please tell me, ok.
Thanks.

[ 29 August 2001: post edited by: Catonga ]