tftp through firewall

linuxdxs
08.11.08, 14:08
Hello forum,

I've got a small problem again. iptables is running as a firewall on my server. Now I want to boot a few clients from that same server via tftp. What is the best way to do that? I opened port 69 with "iptables -A INPUT -i $intss -p udp --dport 69 -j ACCEPT". Unfortunately it doesn't work. Why? What am I doing wrong? I have read about a tftp conntrack module for iptables. Do I need that?

Aqualung
08.11.08, 14:32
Does

nmap -A -p 69 <IP>

show the port as open?

Post:

iptables -L

linuxdxs
08.11.08, 14:45
So here is the output:

Starting Nmap 4.60 ( http://nmap.org ) at 2008-11-08 14:33 CET
Interesting ports on dienste.imsteig.tkv (10.1.1.8):
PORT STATE SERVICE VERSION
69/tcp filtered tftp

Aqualung
08.11.08, 14:50
Without code tags this isn't going anywhere ...

linuxdxs
08.11.08, 14:58
Sorry, without what? What are code tags?

Aqualung
08.11.08, 15:00
Kindly learn to use the search function.

linuxdxs
08.11.08, 15:18
I hope this is right now


Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `INPUT INVALID '
MY_DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
MY_DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT all -- anywhere anywhere
Intserv all -- 10.1.1.9 anywhere
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:domain
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:domain
ACCEPT tcp -- 10.1.1.0/24 anywhere tcp dpt:ipp
ACCEPT udp -- 10.1.1.0/24 anywhere udp dpt:ipp
ACCEPT tcp -- 10.1.1.0/24 anywhere tcp dpt:ndl-aas state NEW
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:bootpc
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:sunrpc
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:sunrpc
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:terabase
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:terabase
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:nfs
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:nfs
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:newoak
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:newoak
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:pxc-spvr-ft
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:pxc-spvr-ft
ACCEPT all -- 10.1.1.0/24 anywhere state RELATED,ESTABLISHED
Intserv tcp -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Endefirewall all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `FORWARD INVALID '
MY_DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
MY_DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT tcp -- anywhere 10.1.1.9 tcp dpt:ftp-data state NEW
ACCEPT tcp -- anywhere 10.1.1.9 tcp dpt:ftp state NEW
ACCEPT tcp -- 10.1.1.9 anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 10.1.1.9 state RELATED,ESTABLISHED
Intserv all -- anywhere anywhere
Intserv all -- anywhere anywhere
Intserv all -- anywhere anywhere
Intserv all -- anywhere anywhere
Endefirewall all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `OUTPUT INVALID '
MY_DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
Intserv all -- anywhere 10.1.1.9
ACCEPT all -- anywhere 10.1.1.0/24 state RELATED,ESTABLISHED
ACCEPT all -- anywhere brother440.imsteig.tkv state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
Endefirewall all -- anywhere anywhere

Chain Endefirewall (3 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix ` Am Ende herausgefallen '
DROP all -- anywhere anywhere

Chain Intserv (7 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix ` Interne Kette '
DROP all -- anywhere anywhere

Chain MY_DROP (17 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP '
DROP all -- anywhere anywhere

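Added example, not code posted by anyone in this thread: a small POSIX shell script that shows what a working TFTP opening looks like on a ruleset like the one above, and turns the thread's two debugging steps into checks. Three things in the thread motivate it. First, nmap -p 69 without -sU is a TCP scan, so the "69/tcp filtered" result says nothing about UDP 69. Second, iptables -L without -v -n shows neither the -i interface match of the original rule nor the numeric port, and the posted listing contains no udp rule for port 69 (tftp) at all. Third, TFTP data packets come back from a fresh ephemeral port on the server, which conntrack only classifies as RELATED when the TFTP helper is loaded; otherwise they are NEW, and apart from the unqualified ACCEPT near the top (whose interface -L cannot show) the OUTPUT chain above has no rule for UDP NEW other than dpt:domain, so they fall through to Endefirewall. Assumed, because the page does not state them: the interface name (LAN_IF stands in for $intss), 10.1.1.0/24 as the LAN network, and a kernel that ships the helper as nf_conntrack_tftp (ip_conntrack_tftp on the 2.6 kernels of 2008).

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Opens TFTP for LAN clients on a stateful iptables ruleset whose chains
# end in a catch-all DROP (Endefirewall in the listing above), and turns
# the thread's two debugging steps into checks.
# Assumptions, not stated on the page: LAN_IF stands in for the thread's
# $intss; LAN_NET is the 10.1.1.0/24 from the listing; the kernel provides
# the TFTP conntrack helper as nf_conntrack_tftp (ip_conntrack_tftp on the
# 2.6 kernels of 2008).

LAN_IF="${LAN_IF:-eth0}"           # assumption: LAN interface name
LAN_NET="${LAN_NET:-10.1.1.0/24}"  # from the posted listing

# Print the rules instead of running them, so they can be reviewed and
# pasted into the existing firewall script.
# - TFTP is UDP only; there is no TCP side to open.
# - The client sends to port 69, but the server answers from a fresh
#   ephemeral port, so the answer does not match the conntrack entry of
#   the request. The TFTP helper registers an expectation that makes it
#   RELATED; without the helper it is NEW, and the OUTPUT chain above has
#   no rule for UDP NEW other than dpt:domain, so it ends in Endefirewall.
# - Rules are inserted (-I), not appended (-A): every chain above ends in
#   the jump to Endefirewall, which drops everything, so a rule appended
#   behind it would never be reached. In the script itself, put them
#   before that jump.
tftp_rules() {
    cat <<EOF
modprobe nf_conntrack_tftp 2>/dev/null || modprobe ip_conntrack_tftp
iptables -I INPUT  -i $LAN_IF -s $LAN_NET -p udp --dport 69 -m state --state NEW -j ACCEPT
iptables -I INPUT  -i $LAN_IF -s $LAN_NET -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o $LAN_IF -d $LAN_NET -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Check 1: does `iptables -L INPUT -v -n` (fed on stdin) contain the rule?
# Plain `iptables -L`, as posted above, shows neither the interface nor the
# numeric port, so the -i match of the original rule is invisible there,
# and the posted listing has no udp rule for port 69 (tftp) at all.
has_tftp_input_rule() {
    grep -Eq 'ACCEPT +udp +.*udp dpt:69'
}

# Check 2: `nmap -p 69` without -sU is a TCP scan, so "69/tcp filtered"
# says nothing about a UDP service. Feed this the output of
# `nmap -sU -p 69 <IP>`; it prints the state nmap reports for 69/udp
# ("open", "open|filtered", "closed" or "filtered") and nothing at all
# for the output of a TCP scan.
tftp_udp_state() {
    awk '$1 == "69/udp" { print $2; exit }'
}

# Check 3: is the helper loaded? Feed this the output of `lsmod`.
tftp_helper_loaded() {
    awk '$1 == "nf_conntrack_tftp" || $1 == "ip_conntrack_tftp" { found = 1 }
         END { exit !found }'
}

case "${1:-}" in
    print) tftp_rules ;;
    apply) tftp_rules | sh -e ;;
    "")    : ;;                                  # no argument: only define the functions
    *)     echo "usage: $0 print|apply" >&2; exit 2 ;;
esac
```

`sh tftp-fw.sh print` shows the rules, `sudo sh tftp-fw.sh apply` installs them; pipe the output of `iptables -L INPUT -v -n`, `nmap -sU -p 69 <IP>` and `lsmod` into the three check functions. If the clients PXE-boot, the DHCP/BOOTP exchange has to pass as well (UDP port 67 on the server side); the listing's tcp dpt:bootpc rule (TCP, port 68) matches neither direction of it, which is where the closing hint about bootptab points.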
Aqualung
08.11.08, 16:02
Post your complete iptables script; that snippet can't be judged without knowing what "$intss" contains.
Make sure you include everything. It may be several scripts.

linuxdxs
08.11.08, 16:15
Now it works. I tried booting a different client over the network, and lo and behold, that one does it. Strange. Now I first have to find out what is causing that. Thank you for your support. Sorry for asking you for the solution to a problem that wasn't there at all. Next time I'll be more careful.

Aqualung
08.11.08, 16:22
bootptab and so on.