bluesky666
27.03.02, 00:42
Hi, ich hab ein Problem mit meinem Firewall script,
ich kann auf den clients kein nslookup ausführen
script:
#!/bin/sh
# Regeln löschen
iptables -F
iptables -t nat -F
iptables -X
# Server dicht machen
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# dynamische Kernelparameter setzen
echo "1" > /proc/sys/net/ipv4/ip_forward # erstmal abschalten
echo "1" > /proc/sys/net/ipv4/tcp_syncookies # DoS abwehren
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Broadcast Pings abstellen
#echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate # nichtereichbare Pings abstellen
#echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate # Ping Rate einstellen
#echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
#echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate
# extern
echo "1" > /proc/sys/net/ipv4/conf/ppp0/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/ppp0/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/ppp0/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/ppp0/log_martians
# intern
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/eth0/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/eth0/log_martians
# Masquerading aktivieren
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Webserver Weiterleitung
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -d x.x.x.x -p TCP --dport 80 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp --dport 80 -d x.x.x.x-j DNAT --to x.x.x.x :80
# Mailserver Weiterleitung
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -d x.x.x.x -p TCP --dport 25 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp --dport 25 -d x.x.x.x -j DNAT --to x.x.x.x :25
# inter weiterleiten
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -o eth0 -j ACCEPT
# intern alles erlauben
iptables -A INPUT -p TCP -i eth0 -j ACCEPT
iptables -A OUTPUT -p TCP -o eth0 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -j ACCEPT
iptables -A OUTPUT -p UDP -o eth0 -j ACCEPT
# lokal alles erlauben
iptables -A INPUT -p TCP -i lo -j ACCEPT
iptables -A OUTPUT -p TCP -o lo -j ACCEPT
iptables -A INPUT -p UDP -i lo -j ACCEPT
iptables -A OUTPUT -p UDP -o lo -j ACCEPT
# extern --> intern
# Port 20 : FTP-Data
iptables -A INPUT -p TCP --sport 1024: --dport ftp-data -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport ftp-data -j ACCEPT
# Port 21 : FTP
iptables -A INPUT -p TCP --sport 1024: --dport ftp -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport ftp -j ACCEPT
# Port 22 : SSH
iptables -A INPUT -p TCP --sport 1024: --dport ssh -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport ssh -j ACCEPT
# Port 25 : SMTP
iptables -A INPUT -p TCP --sport 1024: --dport smtp -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport smtp -j ACCEPT
# Port 80 : Webzugriffe
iptables -A INPUT -p TCP --sport 1024: --dport http -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport http -j ACCEPT
# Port 113 : Ident
iptables -A INPUT -p TCP --sport 1024: --dport auth -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport auth -j ACCEPT
# Port 443 : Webzugriffe-SSL
iptables -A INPUT -p TCP --sport 1024: --dport https -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport https -j ACCEPT
# VNC intern
iptables -A INPUT -p TCP -i eth0 --sport 1024: --dport 5900:5910 -j ACCEPT
iptables -A OUTPUT -p TCP -o eth0 --dport 1024: --sport 5900:5910 -j ACCEPT
# Port 10666: Webmin
iptables -A INPUT -p TCP --sport 1024: --dport 10666 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport 10666 -j ACCEPT
# intern --> extern
# Port 7
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p TCP --sport 1024: --dport 7 -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport 7 -j ACCEPT
# Port 13: Daytime
iptables -A OUTPUT -p TCP --sport 1024: --dport daytime -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport daytime -j ACCEPT
# Port 20: FTP-Data
iptables -A OUTPUT -p TCP --sport 1024: --dport ftp-data -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport ftp-data -j ACCEPT
# Port 21 : FTP
iptables -A OUTPUT -p TCP --sport 1024: --dport ftp -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport ftp -j ACCEPT
# Port 22 : SSH
iptables -A OUTPUT -p TCP --sport 1024: --dport ssh -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport ssh -j ACCEPT
# Port 25 : SMTP
iptables -A OUTPUT -p TCP --sport 1024: --dport smtp -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport smtp -j ACCEPT
# DNS
iptables -A OUTPUT -p UDP --sport 1024: --dport domain -j ACCEPT
iptables -A INPUT -p UDP --dport 1024: --sport domain -j ACCEPT
iptables -A OUTPUT -p TCP --sport 1024: --dport domain -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport domain -j ACCEPT
# WEB
iptables -A OUTPUT -p TCP --sport 1024: --dport http -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport http -j ACCEPT
# POP3
iptables -A OUTPUT -p TCP --sport 1024: --dport pop3 -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport pop3 -j ACCEPT
# Timeserver
iptables -A INPUT -p UDP --sport 123 --dport ntp -j ACCEPT
iptables -A OUTPUT -p UDP --dport 123 --sport ntp -j ACCEPT
# Ident
iptables -A INPUT -p UDP --sport 1024: --dport auth -j ACCEPT
iptables -A OUTPUT -p UDP --dport 1024: --sport auth -j ACCEPT
# WEB-SSL
iptables -A OUTPUT -p TCP --sport 1024: --dport https -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport https -j ACCEPT
# Squid
iptables -A INPUT -p UDP --sport 1024: --dport 3128 -j ACCEPT
iptables -A OUTPUT -p UDP --dport 1024: --sport 3128 -j ACCEPT
# Schluss und Logging
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j REJECT
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -j REJECT
hoffe jemand kann mir einen Tip geben.
Gruß
Helge
ich kann auf den clients kein nslookup ausführen
script:
#!/bin/sh
# Regeln löschen
iptables -F
iptables -t nat -F
iptables -X
# Server dicht machen
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# dynamische Kernelparameter setzen
echo "1" > /proc/sys/net/ipv4/ip_forward # erstmal abschalten
echo "1" > /proc/sys/net/ipv4/tcp_syncookies # DoS abwehren
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Broadcast Pings abstellen
#echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate # nichtereichbare Pings abstellen
#echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate # Ping Rate einstellen
#echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
#echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate
# extern
echo "1" > /proc/sys/net/ipv4/conf/ppp0/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/ppp0/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/ppp0/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/ppp0/log_martians
# intern
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/eth0/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/eth0/log_martians
# Masquerading aktivieren
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Webserver Weiterleitung
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -d x.x.x.x -p TCP --dport 80 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp --dport 80 -d x.x.x.x-j DNAT --to x.x.x.x :80
# Mailserver Weiterleitung
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -d x.x.x.x -p TCP --dport 25 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp --dport 25 -d x.x.x.x -j DNAT --to x.x.x.x :25
# inter weiterleiten
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -o eth0 -j ACCEPT
# intern alles erlauben
iptables -A INPUT -p TCP -i eth0 -j ACCEPT
iptables -A OUTPUT -p TCP -o eth0 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -j ACCEPT
iptables -A OUTPUT -p UDP -o eth0 -j ACCEPT
# lokal alles erlauben
iptables -A INPUT -p TCP -i lo -j ACCEPT
iptables -A OUTPUT -p TCP -o lo -j ACCEPT
iptables -A INPUT -p UDP -i lo -j ACCEPT
iptables -A OUTPUT -p UDP -o lo -j ACCEPT
# extern --> intern
# Port 20 : FTP-Data
iptables -A INPUT -p TCP --sport 1024: --dport ftp-data -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport ftp-data -j ACCEPT
# Port 21 : FTP
iptables -A INPUT -p TCP --sport 1024: --dport ftp -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport ftp -j ACCEPT
# Port 22 : SSH
iptables -A INPUT -p TCP --sport 1024: --dport ssh -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport ssh -j ACCEPT
# Port 25 : SMTP
iptables -A INPUT -p TCP --sport 1024: --dport smtp -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport smtp -j ACCEPT
# Port 80 : Webzugriffe
iptables -A INPUT -p TCP --sport 1024: --dport http -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport http -j ACCEPT
# Port 113 : Ident
iptables -A INPUT -p TCP --sport 1024: --dport auth -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport auth -j ACCEPT
# Port 443 : Webzugriffe-SSL
iptables -A INPUT -p TCP --sport 1024: --dport https -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport https -j ACCEPT
# VNC intern
iptables -A INPUT -p TCP -i eth0 --sport 1024: --dport 5900:5910 -j ACCEPT
iptables -A OUTPUT -p TCP -o eth0 --dport 1024: --sport 5900:5910 -j ACCEPT
# Port 10666: Webmin
iptables -A INPUT -p TCP --sport 1024: --dport 10666 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1024: --sport 10666 -j ACCEPT
# intern --> extern
# Port 7
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p TCP --sport 1024: --dport 7 -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport 7 -j ACCEPT
# Port 13: Daytime
iptables -A OUTPUT -p TCP --sport 1024: --dport daytime -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport daytime -j ACCEPT
# Port 20: FTP-Data
iptables -A OUTPUT -p TCP --sport 1024: --dport ftp-data -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport ftp-data -j ACCEPT
# Port 21 : FTP
iptables -A OUTPUT -p TCP --sport 1024: --dport ftp -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport ftp -j ACCEPT
# Port 22 : SSH
iptables -A OUTPUT -p TCP --sport 1024: --dport ssh -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport ssh -j ACCEPT
# Port 25 : SMTP
iptables -A OUTPUT -p TCP --sport 1024: --dport smtp -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport smtp -j ACCEPT
# DNS
iptables -A OUTPUT -p UDP --sport 1024: --dport domain -j ACCEPT
iptables -A INPUT -p UDP --dport 1024: --sport domain -j ACCEPT
iptables -A OUTPUT -p TCP --sport 1024: --dport domain -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport domain -j ACCEPT
# WEB
iptables -A OUTPUT -p TCP --sport 1024: --dport http -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport http -j ACCEPT
# POP3
iptables -A OUTPUT -p TCP --sport 1024: --dport pop3 -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport pop3 -j ACCEPT
# Timeserver
iptables -A INPUT -p UDP --sport 123 --dport ntp -j ACCEPT
iptables -A OUTPUT -p UDP --dport 123 --sport ntp -j ACCEPT
# Ident
iptables -A INPUT -p UDP --sport 1024: --dport auth -j ACCEPT
iptables -A OUTPUT -p UDP --dport 1024: --sport auth -j ACCEPT
# WEB-SSL
iptables -A OUTPUT -p TCP --sport 1024: --dport https -j ACCEPT
iptables -A INPUT -p TCP --dport 1024: --sport https -j ACCEPT
# Squid
iptables -A INPUT -p UDP --sport 1024: --dport 3128 -j ACCEPT
iptables -A OUTPUT -p UDP --dport 1024: --sport 3128 -j ACCEPT
# Schluss und Logging
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j REJECT
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -j REJECT
hoffe jemand kann mir einen Tip geben.
Gruß
Helge