SuSE firewall + Apache problem



realtec
30.07.02, 21:52
Hello, I am using SuSE Linux 8.0. The Apache web server works without problems when I open http://linux-server from a Windows box....
But when I try to reach the web server from the Windows box via http://currentDSLip "over the Internet", I get "The page cannot be......"
In the SuSE firewall I have enabled ALL services.

iptables -L returns the following:

Linux-Server:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpts:netbios-ns:netbios-dgm
DROP all -- loopback/8 anywhere
DROP all -- anywhere loopback/8
DROP all -- Linux-Server.local anywhere
DROP all -- p50837AB5.dip.t-dialin.net anywhere
input_ext all -- anywhere p50837AB5.dip.t-dialin.net
input_int all -- anywhere Linux-Server.local
DROP all -- anywhere 192.168.0.255
DROP all -- anywhere 255.255.255.255
LOG all -- anywhere p50837AB5.dip.t-dialin.net LOG level warning tcp-options ip-options prefix `SuSE-FW-NO_ACCESS_INT->FWEXT '
DROP all -- anywhere p50837AB5.dip.t-dialin.net
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
forward_ext all -- anywhere anywhere
forward_int all -- anywhere anywhere
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-FORWARD-ERROR '

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp port-unreachable
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp network-prohibited
ACCEPT icmp -- anywhere anywhere icmp host-prohibited
ACCEPT icmp -- anywhere anywhere icmp communication-prohibited
DROP icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-OUTPUT-ERROR '

Chain forward_dmz (0 references)
target prot opt source destination
DROP all -- p50837AB5.dip.t-dialin.net anywhere
DROP all -- 192.168.0.0/24 anywhere
DROP all -- anywhere Linux-Server.local
DROP all -- anywhere p50837AB5.dip.t-dialin.net
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain forward_ext (1 references)
target prot opt source destination
DROP all -- 192.168.0.0/24 anywhere
DROP all -- anywhere Linux-Server.local
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain forward_int (1 references)
target prot opt source destination
DROP all -- p50837AB5.dip.t-dialin.net anywhere
DROP all -- anywhere p50837AB5.dip.t-dialin.net
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain input_dmz (0 references)
target prot opt source destination
DROP all -- p50837AB5.dip.t-dialin.net anywhere
DROP all -- 192.168.0.0/24 anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
DROP icmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN reject-with tcp-reset
DROP tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:telnet flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:time flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:finger flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:sunrpc flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:login flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:swat flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:mysql flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:x11 flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpt:1024
ACCEPT udp -- www-proxy.SB1.srv.t-online.de anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
ACCEPT udp -- dns03.btx.dtag.de anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
DROP udp -- anywhere anywhere udp dpt:ssh
DROP udp -- anywhere anywhere udp dpt:telnet
DROP udp -- anywhere anywhere udp dpt:time
DROP udp -- anywhere anywhere udp dpt:time
DROP udp -- anywhere anywhere udp dpt:finger
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
DROP udp -- anywhere anywhere udp dpt:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:who
DROP udp -- anywhere anywhere udp dpt:printer
DROP udp -- anywhere anywhere udp dpt:smpnameres
DROP udp -- anywhere anywhere udp dpt:mysql
DROP udp -- anywhere anywhere udp dpt:x11
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpts:1024:65535
DROP all -- anywhere anywhere

Chain input_ext (1 references)
target prot opt source destination
DROP all -- 192.168.0.0/24 anywhere
ACCEPT icmp -- p50837AB5.dip.t-dialin.net anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
DROP icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:rsync
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:telnet
REJECT tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN reject-with tcp-reset
DROP tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:telnet flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:time flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:finger flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:sunrpc flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:login flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:swat flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:mysql flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:x11 flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpt:1024
ACCEPT udp -- www-proxy.SB1.srv.t-online.de anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
ACCEPT udp -- dns03.btx.dtag.de anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
DROP udp -- anywhere anywhere udp dpt:ssh
DROP udp -- anywhere anywhere udp dpt:telnet
DROP udp -- anywhere anywhere udp dpt:time
DROP udp -- anywhere anywhere udp dpt:time
DROP udp -- anywhere anywhere udp dpt:finger
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
DROP udp -- anywhere anywhere udp dpt:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:who
DROP udp -- anywhere anywhere udp dpt:printer
DROP udp -- anywhere anywhere udp dpt:smpnameres
DROP udp -- anywhere anywhere udp dpt:mysql
DROP udp -- anywhere anywhere udp dpt:x11
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpts:1024:65535
ACCEPT udp -- anywhere anywhere state ESTABLISHED udp dpts:61000:65095
DROP all -- anywhere anywhere

Chain input_int (1 references)
target prot opt source destination
DROP all -- p50837AB5.dip.t-dialin.net anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
DROP icmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN reject-with tcp-reset
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpt:1024
ACCEPT udp -- www-proxy.SB1.srv.t-online.de anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
ACCEPT udp -- dns03.btx.dtag.de anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpts:1024:65535
DROP all -- anywhere anywhere
Linux-Server:~ #

------------------------------------------ END ----------------------------

Does anyone know where the error in the firewall is?

b-tommy
31.07.02, 07:38
2 possible solutions...

1. Is Apache bound to a specific network card/IP address?
If so, change it to 0.0.0.0/0

2. Flush the rules and set the default rules to ACCEPT... that lets you check pretty quickly whether it really is the ruleset or something else....

I haven't read through the ruleset... but at first glance I find it very confusing... in your place I'd throw out the SuSE script anyway and put in one of my own.. then at least you know what happens and why...

Incidentally, iptables has a check mode precisely for your problem, with which you can try out which rule matches in the case above... I don't remember it off the top of my head though -> man iptables


ciao

tommy
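As an added example (not from either poster), a small Python tracer that walks a packet through a cut-down copy of the INPUT ruleset pasted above and reports which rule decides it, roughly what tommy's "check mode" would tell you. Plain `iptables -L` does not print interface matches, so the `-i lo`, `-i ppp0` and `-i eth0` conditions on the dispatch rules are assumptions, as are the constructed packets (Internet client 203.0.113.9, LAN host 192.168.0.10).

```python
# Added example, not from the thread: trace a packet through a cut-down copy of the INPUT
# ruleset above. Plain `iptables -L` hides interface matches, so -i lo/ppp0/eth0 are ASSUMED.
import ipaddress
EXT, INT = "p50837AB5.dip.t-dialin.net", "Linux-Server.local"  # DSL and LAN address as printed

def R(target, proto="all", src="anywhere", dst="anywhere", iface=None, dport=None, prefix=None):
    return dict(target=target, proto=proto, src=src, dst=dst, iface=iface, dport=dport, prefix=prefix)
CHAINS = {
    "INPUT": [                                   # subset of the page's INPUT chain, same order
        R("ACCEPT", iface="lo"),                 # "ACCEPT all anywhere anywhere": assumed -i lo
        R("DROP", src=INT), R("DROP", src=EXT),  # anti-spoofing of the firewall's own addresses
        R("input_ext", dst=EXT, iface="ppp0"),   # assumed -i <external interface>
        R("input_int", dst=INT, iface="eth0"),   # assumed -i <internal interface>
        R("LOG", dst=EXT, prefix="SuSE-FW-NO_ACCESS_INT->FWEXT"),
        R("DROP", dst=EXT), R("DROP"),
    ],
    "input_ext": [R("DROP", src="192.168.0.0/24"), R("ACCEPT", "tcp", dport=80), R("DROP")],
    "input_int": [R("DROP", src=EXT), R("ACCEPT")],
}

def addr_match(pattern, addr):
    if pattern in ("anywhere", addr):
        return True
    try:   # CIDR such as 192.168.0.0/24; host names like Linux-Server.local never parse
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    except ValueError:
        return False

def matches(rule, pkt):
    return (rule["proto"] in ("all", pkt["proto"]) and rule["iface"] in (None, pkt["iface"])
            and rule["dport"] in (None, pkt.get("dport"))
            and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"]))

def trace(pkt, chain="INPUT", hits=None):
    hits = [] if hits is None else hits              # LOG prefixes written on the way
    for rule in (r for r in CHAINS[chain] if matches(r, pkt)):
        if rule["target"] == "LOG":                  # LOG is non-terminating
            hits.append(rule["prefix"])
        elif rule["target"] in CHAINS:               # jump into a user-defined chain
            verdict = trace(pkt, rule["target"], hits)
            if verdict[0] != "RETURN":
                return verdict
        else:
            return rule["target"], chain, hits       # terminating target: (verdict, chain, logs)
    return ("DROP", "policy", hits) if chain == "INPUT" else ("RETURN", chain, hits)

# Constructed packets, all TCP to port 80: one from the Internet, two from a LAN host.
FROM_INTERNET = dict(iface="ppp0", proto="tcp", src="203.0.113.9", dst=EXT, dport=80)
LAN_TO_DSL_IP = dict(iface="eth0", proto="tcp", src="192.168.0.10", dst=EXT, dport=80)
LAN_TO_LAN_IP = dict(iface="eth0", proto="tcp", src="192.168.0.10", dst=INT, dport=80)
```

Call `trace()` on the three packets and compare: the LAN host's request to the DSL address arrives on the internal interface, never reaches input_ext, and ends at the `SuSE-FW-NO_ACCESS_INT->FWEXT` LOG and DROP, while the same request from the Internet is accepted by input_ext's http rule. If the Windows box is on the LAN, a `SuSE-FW-NO_ACCESS_INT->FWEXT` line in the firewall's log would point at this path rather than at Apache.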