tftp through firewall
Hello forum,
I have a small problem again. iptables is running as a firewall on my server. Now I want to boot a few clients via tftp from that same server. What is the best way to do that? I opened port 69 with "iptables -A INPUT -i $intss -p udp --dport 69 -j ACCEPT". Unfortunately it doesn't work. Why? What am I doing wrong? I have read about a tftp_conntrack module for iptables. Do I need that?
Do you see the port as open with
nmap -A -p 69 <IP>
?
Post the output of:
iptables -L
OK, here is the information:
Starting Nmap 4.60 ( http://nmap.org ) at 2008-11-08 14:33 CET
Interesting ports on dienste.imsteig.tkv (10.1.1.8):
PORT STATE SERVICE VERSION
69/tcp filtered tftp
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `INPUT INVALID '
MY_DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
MY_DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT all -- anywhere anywhere
Intserv all -- 10.1.1.9 anywhere
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:domain
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:domain
ACCEPT tcp -- 10.1.1.0/24 anywhere tcp dpt:ipp
ACCEPT udp -- 10.1.1.0/24 anywhere udp dpt:ipp
ACCEPT tcp -- 10.1.1.0/24 anywhere tcp dpt:ndl-aas state NEW
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:bootpc
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:sunrpc
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:sunrpc
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:terabase
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:terabase
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:nfs
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:nfs
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:newoak
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:newoak
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:pxc-spvr-ft
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:pxc-spvr-ft
ACCEPT all -- 10.1.1.0/24 anywhere state RELATED,ESTABLISHED
Intserv tcp -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Endefirewall all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `FORWARD INVALID '
MY_DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
MY_DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT tcp -- anywhere 10.1.1.9 tcp dpt:ftp-data state NEW
ACCEPT tcp -- anywhere 10.1.1.9 tcp dpt:ftp state NEW
ACCEPT tcp -- 10.1.1.9 anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 10.1.1.9 state RELATED,ESTABLISHED
Intserv all -- anywhere anywhere
Intserv all -- anywhere anywhere
Intserv all -- anywhere anywhere
Intserv all -- anywhere anywhere
Endefirewall all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `OUTPUT INVALID '
MY_DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
Intserv all -- anywhere 10.1.1.9
ACCEPT all -- anywhere 10.1.1.0/24 state RELATED,ESTABLISHED
ACCEPT all -- anywhere brother440.imsteig.tkv state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
Endefirewall all -- anywhere anywhere
Without code tags this isn't going anywhere ...
Sorry, without what? What are code tags?
Would he kindly learn to use the search function.
I hope it is OK like this
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `INPUT INVALID '
MY_DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
MY_DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT all -- anywhere anywhere
Intserv all -- 10.1.1.9 anywhere
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:domain
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:domain
ACCEPT tcp -- 10.1.1.0/24 anywhere tcp dpt:ipp
ACCEPT udp -- 10.1.1.0/24 anywhere udp dpt:ipp
ACCEPT tcp -- 10.1.1.0/24 anywhere tcp dpt:ndl-aas state NEW
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:bootpc
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:sunrpc
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:sunrpc
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:terabase
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:terabase
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:nfs
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:nfs
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:newoak
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:newoak
ACCEPT tcp -- 10.1.1.0/24 anywhere state NEW tcp dpt:pxc-spvr-ft
ACCEPT udp -- 10.1.1.0/24 anywhere state NEW udp dpt:pxc-spvr-ft
ACCEPT all -- 10.1.1.0/24 anywhere state RELATED,ESTABLISHED
Intserv tcp -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Endefirewall all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `FORWARD INVALID '
MY_DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
MY_DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT tcp -- anywhere 10.1.1.9 tcp dpt:ftp-data state NEW
ACCEPT tcp -- anywhere 10.1.1.9 tcp dpt:ftp state NEW
ACCEPT tcp -- 10.1.1.9 anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 10.1.1.9 state RELATED,ESTABLISHED
Intserv all -- anywhere anywhere
Intserv all -- anywhere anywhere
Intserv all -- anywhere anywhere
Intserv all -- anywhere anywhere
Endefirewall all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `OUTPUT INVALID '
MY_DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
Intserv all -- anywhere 10.1.1.9
ACCEPT all -- anywhere 10.1.1.0/24 state RELATED,ESTABLISHED
ACCEPT all -- anywhere brother440.imsteig.tkv state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
Endefirewall all -- anywhere anywhere
Chain Endefirewall (3 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix ` Am Ende herausgefallen '
DROP all -- anywhere anywhere
Chain Intserv (7 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix ` Interne Kette '
DROP all -- anywhere anywhere
Chain MY_DROP (17 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP '
DROP all -- anywhere anywhere
Post your complete iptables script; that fragment cannot be judged without knowing the content of "$intss".
Make sure you include everything. It may be several scripts.
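Two things in the thread are worth pinning down. First, "iptables -L" without "-v -n" hides interface matches and resolves ports to service names, so a rule like the quoted "--dport 69" one would show up as "udp dpt:tftp"; no line in the listings above carries that match. Second, the tftp conntrack module the question asks about does matter on a host whose OUTPUT chain has policy DROP: a TFTP server answers the client's request from a new ephemeral port, so without the helper that answer is a NEW outbound UDP flow rather than RELATED. The following POSIX shell script is an added example, not code from the thread or from anyone in it. It assumes an inside interface named in $INTSS (standing in for the thread's "$intss") and the 10.1.1.0/24 network seen in the listing; it loads the helper, adds the rules, and checks an "iptables -L -v -n" listing for the udp/69 ACCEPT in the INPUT chain. The sample listings inside it are constructed. With DRY_RUN=1 (the default) it only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values (not from the
# thread): the inside interface is $INTSS (the thread's "$intss") and the
# inside network is 10.1.1.0/24. DRY_RUN=1 (the default) only prints the
# commands; run with DRY_RUN=0 as root to apply them.

INTSS="${INTSS:-eth1}"
INT_NET="${INT_NET:-10.1.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

tftp_rules() {
    # Why the helper is needed: a TFTP server answers the client's request from
    # a new ephemeral source port, so to plain conntrack that answer is a NEW
    # outbound UDP flow, and an OUTPUT chain with policy DROP that only accepts
    # RELATED,ESTABLISHED (as in the thread) discards it. The helper marks the
    # answer RELATED; the rest of the transfer is then ESTABLISHED. Kernels of
    # the 2008 era call the module ip_conntrack_tftp instead.
    run modprobe nf_conntrack_tftp
    # Inbound read/write request: only from the inside interface and network.
    run iptables -A INPUT -i "$INTSS" -s "$INT_NET" -p udp --dport 69 \
        -m state --state NEW -j ACCEPT
    # Reply and data transfer in both directions (the thread's listing already
    # has equivalent RELATED,ESTABLISHED rules; shown here for completeness).
    run iptables -A OUTPUT -o "$INTSS" -d "$INT_NET" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i "$INTSS" -s "$INT_NET" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Does the INPUT chain of an "iptables -L -v -n" listing (read from stdin)
# accept UDP port 69? With -n the port is numeric ("dpt:69"); without it
# iptables prints the service name ("dpt:tftp"), so both spellings count.
# Only INPUT counts: a udp/69 rule in OUTPUT does not admit the request.
# Prints the verdict and returns 0 if the rule is present, 1 otherwise.
has_tftp_input_rule() {
    awk '
        /^Chain / { chain = $2 }
        chain == "INPUT" && /ACCEPT/ && /udp/ && /dpt:(69|tftp)( |$)/ { found = 1 }
        END {
            if (found) { print "INPUT accepts udp/69"; exit 0 }
            print "no udp/69 ACCEPT rule in INPUT"; exit 1
        }'
}

# Constructed sample listings in "iptables -L -v -n" format (the thread's
# listing was taken without -v -n, which is why it shows no interfaces).
SAMPLE_WITHOUT='Chain INPUT (policy DROP)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       10.1.1.0/24          0.0.0.0/0            state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0            udp dpt:69'

SAMPLE_WITH='Chain INPUT (policy DROP)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   12   960 ACCEPT     udp  --  eth1   *       10.1.1.0/24          0.0.0.0/0            udp dpt:69 state NEW
    0     0 ACCEPT     all  --  eth1   *       10.1.1.0/24          0.0.0.0/0            state RELATED,ESTABLISHED'

tftp_rules
printf '%s\n' "$SAMPLE_WITHOUT" | has_tftp_input_rule || echo "-> the ACCEPT rule never reached the kernel; reload the firewall script"
printf '%s\n' "$SAMPLE_WITH" | has_tftp_input_rule
# Verifying from a client: the thread's "nmap -A -p 69" probes TCP port 69;
# TFTP is UDP, so the matching check is "nmap -sU -p 69 <server>".
```

To check the real host, pipe the live listing in: "iptables -L INPUT -v -n | has_tftp_input_rule" after sourcing the script. The check is deliberately chain-aware because the thread's OUTPUT chain already accepts a handful of NEW flows; a udp/69 rule landing there by mistake would look right in a casual grep but would not admit the client's request.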
It works now. I tried booting a different client over the network, and lo and behold, that one does it. Strange. Now I first have to find out what the cause is. Thank you all for your support. I'm sorry that I asked you for the solution to an error that wasn't even there. Next time I will be more careful.