mikeair
09.10.06, 17:30
Hi,
ich habe ein mir unverständliches Problem:
Hab den IPTABLES-Generator benutzt um mein Firewall-Script zu erstellen. Jetzt habe ich auch schon alles was Pakete dropped etc. auskommentiert und ich bekomme auf Teufel komm raus keine Verbindung zum Server über's Internet.
nmap zeigt mir auf einem anderen Server im Internet gestartet, ganz klar, dass ftp, ssh, usw. offen sind. Trotzdem kommt keine Verbindung zustande.
Ich verzeifle langsam:
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2006 under the GPL
# Autogenerated by iptables Generator v1.22 (c) 2002-2006 by Harald Bertram*
# Please visit http://harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# auctions@klefisch.com on: 2006-10-9 17:41.5 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
# who made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
#
### BEGIN INIT INFO
# Provides: IP-Paketfilter
# Required-Start: $network $local_fs
# Required-Stop: $local_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 4 6
# Short-Description: Harry's IP-Paketfilter
# Description: Harry's IP-Paketfilter provides reasonable
# IP-Security for Home-Computers and small networks
### END INIT INFO
#
case "$1" in
start)
echo "Starte IP-Paketfilter"
# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Default-Policies setzen
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# MY_REJECT-Chain
# iptables -N MY_REJECT
# MY_REJECT fuellen
# iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
# iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
# iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
# iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
# iptables -A MY_REJECT -p icmp -j DROP
# iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
# iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
# MY_DROP-Chain
# iptables -N MY_DROP
# iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
# iptables -A MY_DROP -j DROP
# Alle verworfenen Pakete protokollieren
# iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
# iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
# iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
# Korrupte Pakete zurueckweisen
# iptables -A INPUT -m state --state INVALID -j DROP
# iptables -A OUTPUT -m state --state INVALID -j DROP
# iptables -A FORWARD -m state --state INVALID -j DROP
# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
# SYN und FIN gesetzt
# iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# SYN und RST gleichzeitig gesetzt
# iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# FIN und RST gleichzeitig gesetzt
# iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# FIN ohne ACK
# iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# PSH ohne ACK
# iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# URG ohne ACK
# iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Maximum Segment Size (MSS) für das Forwarding an PMTU anpassen
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
# FTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 21 -j ACCEPT
# SSH
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
# ICMP Echo-Request (ping) zulassen und beantworten
iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
# LAN-Zugriff auf eth0
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
# Default-Policies mit REJECT
# iptables -A INPUT -j MY_REJECT
# iptables -A OUTPUT -j MY_REJECT
# iptables -A FORWARD -j MY_REJECT
# Forwarding/Routing
echo "Aktiviere IP-Routing"
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
# Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
# Stop Source-Routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
# Stop Redirecting
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done
# Reverse-Path-Filter
for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
# BOOTP-Relaying ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
# Proxy-ARP ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
# Ungültige ICMP-Antworten ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
# ICMP Echo-Broadcasts ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# Speicherallozierung und -timing für IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time
# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2
;;
stop)
echo "Stoppe IP-Paketfilter"
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Default-Policies setzen
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
echo "Tabelle filter"
iptables -L -vn
echo "Tabelle nat"
iptables -t nat -L -vn
echo "Tabelle mangle"
iptables -t mangle -L -vn
;;
*)
echo "Fehlerhafter Aufruf"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;
esac
ich habe ein mir unverständliches Problem:
Hab den IPTABLES-Generator benutzt um mein Firewall-Script zu erstellen. Jetzt habe ich auch schon alles was Pakete dropped etc. auskommentiert und ich bekomme auf Teufel komm raus keine Verbindung zum Server über's Internet.
nmap zeigt mir auf einem anderen Server im Internet gestartet, ganz klar, dass ftp, ssh, usw. offen sind. Trotzdem kommt keine Verbindung zustande.
Ich verzeifle langsam:
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2006 under the GPL
# Autogenerated by iptables Generator v1.22 (c) 2002-2006 by Harald Bertram*
# Please visit http://harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# auctions@klefisch.com on: 2006-10-9 17:41.5 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
# who made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
#
### BEGIN INIT INFO
# Provides: IP-Paketfilter
# Required-Start: $network $local_fs
# Required-Stop: $local_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 4 6
# Short-Description: Harry's IP-Paketfilter
# Description: Harry's IP-Paketfilter provides reasonable
# IP-Security for Home-Computers and small networks
### END INIT INFO
#
case "$1" in
start)
echo "Starte IP-Paketfilter"
# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Default-Policies setzen
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# MY_REJECT-Chain
# iptables -N MY_REJECT
# MY_REJECT fuellen
# iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
# iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
# iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
# iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
# iptables -A MY_REJECT -p icmp -j DROP
# iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
# iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
# MY_DROP-Chain
# iptables -N MY_DROP
# iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
# iptables -A MY_DROP -j DROP
# Alle verworfenen Pakete protokollieren
# iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
# iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
# iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
# Korrupte Pakete zurueckweisen
# iptables -A INPUT -m state --state INVALID -j DROP
# iptables -A OUTPUT -m state --state INVALID -j DROP
# iptables -A FORWARD -m state --state INVALID -j DROP
# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
# SYN und FIN gesetzt
# iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# SYN und RST gleichzeitig gesetzt
# iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# FIN und RST gleichzeitig gesetzt
# iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# FIN ohne ACK
# iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# PSH ohne ACK
# iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# URG ohne ACK
# iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Maximum Segment Size (MSS) für das Forwarding an PMTU anpassen
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
# FTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 21 -j ACCEPT
# SSH
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
# ICMP Echo-Request (ping) zulassen und beantworten
iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
# LAN-Zugriff auf eth0
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
# Default-Policies mit REJECT
# iptables -A INPUT -j MY_REJECT
# iptables -A OUTPUT -j MY_REJECT
# iptables -A FORWARD -j MY_REJECT
# Forwarding/Routing
echo "Aktiviere IP-Routing"
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
# Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
# Stop Source-Routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
# Stop Redirecting
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done
# Reverse-Path-Filter
for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
# BOOTP-Relaying ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
# Proxy-ARP ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
# Ungültige ICMP-Antworten ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
# ICMP Echo-Broadcasts ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# Speicherallozierung und -timing für IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time
# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2
;;
stop)
echo "Stoppe IP-Paketfilter"
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Default-Policies setzen
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
echo "Tabelle filter"
iptables -L -vn
echo "Tabelle nat"
iptables -t nat -L -vn
echo "Tabelle mangle"
iptables -t mangle -L -vn
;;
*)
echo "Fehlerhafter Aufruf"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;
esac