Comprehension problem - Firewall/Bridge/IPTables/KVM



blabub
22.04.10, 22:39
Good evening everyone



Situation:

Server with the following interfaces:



br0 Link encap:Ethernet HWaddr c2:97:dc:82:a8:25
eth0 Link encap:Ethernet HWaddr 00:24:21:29:ed:27
qtap0 Link encap:Ethernet HWaddr c2:97:dc:82:a8:25


bridge name     bridge id               STP enabled     interfaces
br0             8000.c297dc82a825       no              qtap0
virbr0          8000.000000000000       yes


qtap0 is used by a KVM guest.


IPTables:

Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `firewall: INVALID '
DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
MY_DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:www
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:58891
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:xmpp-client:5223
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-server
ACCEPT udp -- anywhere anywhere state NEW udp dpt:9987
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:30033
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10011
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:1200
ACCEPT udp -- anywhere anywhere state NEW udp dpts:27000:27015
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:27030:27039
MY_REJECT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `firewall: INVALID '
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
MY_REJECT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain MY_DROP (7 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `firewall: DROP '
DROP all -- anywhere anywhere

Chain MY_REJECT (2 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `firewall: TCP '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `firewall: UDP '
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `firewall: ICMP '
DROP icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `firewall: OTHER '
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable


Problem:
As soon as I switch on my firewall, the KVM guest can no longer connect to the outside, let alone accept an incoming connection.

I have made the following additions to IPTables:



iptables -I INPUT -i br0 -j ACCEPT
iptables -A OUTPUT -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
iptables -A INPUT -i qtap0 -j ACCEPT


However, this changed nothing about the situation.


I can't really find anything on this problem. Or do I actually have to use NAT (that makes no sense, does it?)?

br0 is treated like a physical Ethernet card after all, so IPTables should behave completely normally, shouldn't it?


I'd be grateful for any pointers. :)


Thanks and regards
blabub
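An added audit helper for the listing above (Python written for this page, not the poster's code). `iptables -L` without `-v` does not print the in/out interface columns, so a rule shown as `ACCEPT all -- anywhere anywhere` is indistinguishable from a true catch-all; the helper parses the column layout exactly as printed in the post (treating `reject-with` as a target option rather than a match), follows jumps into user chains such as MY_REJECT that can never RETURN, and lists every later rule that would be unreachable, so you know which rules to re-check with `iptables -L -v -n` or `iptables-save`.

```python
# Added audit helper (not from the post): flags rules shadowed by an earlier catch-all. Input abridged from the post.
LISTING = """Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
MY_REJECT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain MY_REJECT (2 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # built-in targets that end traversal

def parse_chains(text):
    """Return {chain: [(target, proto, src, dst, matches), ...]} from `iptables -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.startswith("target "):
            target, proto, _opt, src, dst, *rest = line.split(None, 5)
            # 'reject-with X' is a target option, not a match: strip it so the rule still counts as a catch-all.
            matches = (rest[0] if rest else "").split("reject-with")[0].strip()
            chains[current].append((target, proto, src, dst, matches))
    return chains

def is_catch_all(rule):  # no protocol, address or extension match: fires for every packet
    return rule[1] == "all" and rule[2] == rule[3] == "anywhere" and not rule[4]

def never_returns(chain, chains, seen=()):
    """True if user chain `chain` ends in a catch-all that always terminates traversal."""
    rules = chains.get(chain, [])
    if chain in seen or not rules or not is_catch_all(rules[-1]):
        return False
    last = rules[-1][0]
    return last in TERMINAL or never_returns(last, chains, seen + (chain,))

def shadowed_rules(chains):
    """[(chain, catch_all_rule, shadowed_rule, shadowed_target)] with 1-based rule numbers."""
    findings = []
    for chain, rules in chains.items():
        for i, rule in enumerate(rules, 1):
            if is_catch_all(rule) and (rule[0] in TERMINAL or never_returns(rule[0], chains)):
                findings += [(chain, i, j, rules[j - 1][0]) for j in range(i + 1, len(rules) + 1)]
                break
    return findings
```

Run `shadowed_rules(parse_chains(LISTING))` to get the findings; on the abridged INPUT chain every rule after the first `ACCEPT all` is reported, which is exactly the case where the hidden interface match must be confirmed with `-v`.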

blabub
23.04.10, 17:39
ACCEPT all -- anywhere <ip>.in-addr.arpa/27
ACCEPT all -- <ip>.in-addr.arpa/27 anywhere

And all is well. :)