
Topic: port forwarding - doesn't work - why?

  1. #1
    Registered user
    Joined
    Apr 2001
    Location
    Wanneroo
    Posts
    61

    port forwarding - doesn't work - why?

    Hello and good day,

    I have been struggling for days with iptables masquerading and port forwarding.
    The installation is a SuSE V8 Linux with firewall2. The box serves as router/gateway, has a 192.168 network on eth0 and a ppp0 (dial-up) with a fixed IP address. Let's call this machine GW. Also attached to the 192.168 network is an IBM AS400 named AS400.

    What I want is the following:

    Telnet connections from the Internet to GW should be allowed.
    Telnet connections from the Internet to AS400 should be allowed.
    All outgoing traffic from the intranet should be masqueraded, no restrictions.

    SuSE V8 already provides a pre-configured firewall (firewall2). Everything works, too, with the exception of the telnet connection to AS400.

    After a lot of research I have put together the following script:
    #! /bin/bash

    # Interfaces
    IFACE_IN=eth0 # internal interface
    IFACE=ppp0 # external interface

    # IP Addresses
    INT_IP=192.168.100.0/24 # IP Addresses on internal interface
    HOST_IP=xx.xx.xx.xx # IP Address of external interface
    AS400_IP=192.168.100.1 # IP Address of AS400

    iptables -t nat -A POSTROUTING -o $IFACE -s $INT_IP -j MASQUERADE
    iptables -t nat -A PREROUTING -d $HOST_IP -p tcp --dport 98 -j DNAT --to $AS400_IP:23
    iptables -t nat -A POSTROUTING -s $INT_IP -j SNAT --to $HOST_IP

    If I understand everything correctly, the first iptables sets up general masquerading, the second maps port 98 on ppp0 to port 23 on the AS400, and the third should forward the reply to the telnet request from AS400 to ppp0.

    Unfortunately it doesn't work. What am I doing wrong, and where is the flaw in my reasoning?


    Many thanks

    Peter Sutter
    19 Bebich Drive
    Wanneroo WA 6065
    Western Australia

  2. #2
    Registered user, avatar of Berufspenner
    Joined
    Mar 2002
    Location
    Hamburg
    Posts
    3,007
    Hi

    It won't help you with your problem, but instead of telnet I would recommend SSH. If only for security reasons.

    Cu

  3. #3
    Registered user
    Joined
    Apr 2001
    Location
    Wanneroo
    Posts
    61
    Hello Berufspenner,

    Thanks for your tip. Unfortunately, not all operating systems support ssh. Telnet seems to be the only sensible connection to AS400. By the way, whether telnet or ssh, the actual port forwarding problem remains the same.

  4. #4
    Premium member, avatar of Stage
    Joined
    Jun 2002
    Posts
    810
    iptables -t nat -A PREROUTING -d $HOST_IP -p tcp --dport 98 -j DNAT --to $AS400_IP:23
    according to the man page the correct syntax for DNAT is:
    .... -j DNAT --to-destination xxxx:xxx
    that should make it work

    iptables -t nat -A POSTROUTING -s $INT_IP -j SNAT --to $HOST_IP
    same here --> -j SNAT --to-source xxxx:xxx

    but I don't know exactly what you intend with that, you already have masquerading

  5. #5
    Registered user
    Joined
    Apr 2001
    Location
    Wanneroo
    Posts
    61
    Thanks, Stage, for your answer.

    Yes, I already have masquerading; I also have no problems with a telnet connection from the AS400 out to the Internet.

    But the AS400 sits in a private subnet with the IP address 192.168.100.1. I want telnet access to the AS400 from the Internet, i.e. in the other direction.

    Port 23 on ppp0 is already used for telnet to the gateway/router, so for the telnet connection to the AS400 I have to use some other port on ppp0, e.g. port 98.

    Telnet requests to port 98 on ppp0 should now be redirected to 192.168.100.1:23 on eth0 (the AS400's telnet port). The AS400 also seems to see the request, only the reply never comes back. This seems to be the problem. Because of the telnet request the AS400 assigns some port for the reply, and how I have to handle this reply is exactly what I don't know.

    Thanks

    Peter

  6. #6
    Premium member, avatar of Stage
    Joined
    Jun 2002
    Posts
    810
    I did understand you regarding the different ports.

    I think I know what it's down to.

    try the following
    iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 93 --to-destination 192.168.100.1:23 -i ppp0

    iptables -A FORWARD -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -p tcp -d 192.168.100.1 --dport 23 -i ppp0

  7. #7
    Moderat0r, avatar of geronet
    Joined
    May 2001
    Location
    Grainau
    Posts
    6,099
    >Because of the telnet request the AS400 assigns some port for the reply

    Yep, but that should be carried back out by the normal masquerading.

    Normally I'd say the Suse firewall is spoiling things for you, because you add the rules at the end of the script. I'm almost certain nothing gets through there.

    Regards, Stefan
    Only Puffin gives you the strength and stamina you need!

  8. #8
    Registered user
    Joined
    Apr 2001
    Location
    Wanneroo
    Posts
    61
    Thanks for your answers, geronet and Stage.

    I tried the port 93 thing, but it doesn't work. Stefan is probably right that the pre-configured SuSE Firewall2 is throwing sand in the gears. A tail -f /var/log/messages shows that the packets are being filtered out.

    A telnet connection to port 23 on ppp0 shows in the log:
    Aug 5 16:15:51 andypc2 kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=ss.ss.ss.ss DST=dd.dd.dd.dd LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=48086 DF PROTO=TCP SPT=33201 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405640402080A006DB0F10000000001010101)

    Whereas a telnet connection to port 93 on ppp0 gives the following:
    Aug 5 15:50:44 andypc2 kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT=eth0 SRC=ss.ss.ss.ss DST=dd.dd.dd.dd LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=38902 DF PROTO=TCP SPT=33191 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405640402080A006B64040000000001010101)
    So the translation to dd.dd.dd.dd:23 takes place correctly, but the packet is filtered out.

    I use the SuSE firewall because everything coming from outside gets filtered out so nicely. Is there a way to achieve what I want without having to completely reconfigure the firewall? How can I get the firewall to accept connections on port 93?

    Regards, Peter

  9. #9
    Premium member, avatar of Stage
    Joined
    Jun 2002
    Posts
    810
    >Whereas a telnet connection to port 93 on ppp0 gives the following:
    >Aug 5 15:50:44 andypc2 kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT=eth0 SRC=ss.ss.ss.ss DST=dd.dd.dd.dd LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=38902 DF PROTO=TCP SPT=33191 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405640402080A006B64040000000001010101)
    >So the translation to dd.dd.dd.dd:23 takes place correctly, but the packet is filtered out.
    you recognised that correctly, which is why I don't know whether you tried my suggestion. You additionally have to allow in the FORWARD chain that the packet is routed through to your second machine.

    iptables -A FORWARD -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -p tcp -d 192.168.100.1 --dport 23

    or rather, it would be good if you posted your iptables here, because if you use SuSEfirewall2, it also creates user chains.
    Best enter iptables -L and post it here.

    EDIT: but why make it so complicated when it can be done more simply, SuSEfirewall2 has a nice configuration script /etc/sysconfig/SuSEfirewall2
    There, under item 14, i.e. at FW_FORWARD_MASQ, you enter this
    FW_FORWARD_MASQ="0/0,192.168.100.1,tcp,93,23"

    then reload with SuSEfirewall2 stop
    SuSEfirewall2 start and it should work.
    if not, post your firewall config.
    Last edited by Stage (01.08.02 at 08:47)

  10. #10
    Registered user
    Joined
    Apr 2001
    Location
    Wanneroo
    Posts
    61
    Thanks Stage,

    Yes, I tried the port 93 thing before my last posting. I also made the suggested entry under item 14 in /etc/sysconfig/SuSEfirewall2, followed by a SuSEfirewall2 stop and
    SuSEfirewall2 start. Here is the result of iptables -L.

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    LOG all -- loopback/8 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
    LOG all -- anywhere loopback/8 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
    DROP all -- loopback/8 anywhere
    DROP all -- anywhere loopback/8
    LOG all -- andypc2.disc400 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
    DROP all -- andypc2.disc400 anywhere
    LOG all -- 198.142.106.152.optusnet.com.au anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
    DROP all -- 198.142.106.152.optusnet.com.au anywhere
    input_ext all -- anywhere 198.142.106.152.optusnet.com.au
    input_int all -- anywhere andypc2.disc400
    DROP all -- anywhere 192.168.100.255
    DROP all -- anywhere 255.255.255.255
    LOG all -- anywhere 198.142.106.152.optusnet.com.auLOG level warning tcp-options ip-options prefix `SuSE-FW-NO_ACCESS_INT->FWEXT '
    DROP all -- anywhere 198.142.106.152.optusnet.com.au
    LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-UNAUTHORIZED-TARGET '
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    forward_ext all -- anywhere anywhere
    forward_int all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-UNAUTHORIZED-ROUTING '
    DROP all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
    LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-FORWARD-ERROR '
    ACCEPT tcp -- anywhere disc400.disc400 state NEW,RELATED,ESTABLISHED tcp dpt:telnet

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    LOG icmp -- anywhere anywhere icmp time-exceeded LOG level warning tcp-options ip-options prefix `SuSE-FW-TRACEROUTE-ATTEMPT '
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp port-unreachable
    ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
    ACCEPT icmp -- anywhere anywhere icmp network-prohibited
    ACCEPT icmp -- anywhere anywhere icmp host-prohibited
    ACCEPT icmp -- anywhere anywhere icmp communication-prohibited
    DROP icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
    LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-OUTPUT-ERROR '

    Chain forward_dmz (0 references)
    target prot opt source destination
    LOG all -- 198.142.106.152.optusnet.com.au anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
    DROP all -- 198.142.106.152.optusnet.com.au anywhere
    LOG all -- 192.168.100.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
    DROP all -- 192.168.100.0/24 anywhere
    LOG all -- anywhere andypc2.disc400 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION '
    DROP all -- anywhere andypc2.disc400
    LOG all -- anywhere 198.142.106.152.optusnet.com.auLOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION '
    DROP all -- anywhere 198.142.106.152.optusnet.com.au
    ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    LOG tcp -- anywhere disc400.disc400 tcp dpt:telnet flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT-REVERSE_MASQ '
    ACCEPT tcp -- anywhere disc400.disc400 state NEW,RELATED,ESTABLISHED tcp dpt:telnet
    LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
    DROP all -- anywhere anywhere

    Chain forward_ext (1 references)
    target prot opt source destination
    LOG all -- 192.168.100.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
    DROP all -- 192.168.100.0/24 anywhere
    LOG all -- anywhere andypc2.disc400 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION '
    DROP all -- anywhere andypc2.disc400
    ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    LOG tcp -- anywhere disc400.disc400 tcp dpt:telnet flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT-REVERSE_MASQ '
    ACCEPT tcp -- anywhere disc400.disc400 state NEW,RELATED,ESTABLISHED tcp dpt:telnet
    LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
    DROP all -- anywhere anywhere

    Chain forward_int (1 references)
    target prot opt source destination
    LOG all -- 198.142.106.152.optusnet.com.au anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
    DROP all -- 198.142.106.152.optusnet.com.au anywhere
    LOG all -- anywhere 198.142.106.152.optusnet.com.auLOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION '
    DROP all -- anywhere 198.142.106.152.optusnet.com.au
    ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    LOG tcp -- anywhere disc400.disc400 tcp dpt:telnet flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT-REVERSE_MASQ '
    ACCEPT tcp -- anywhere disc400.disc400 state NEW,RELATED,ESTABLISHED tcp dpt:telnet
    LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
    DROP all -- anywhere anywhere

    Chain input_dmz (0 references)
    target prot opt source destination
    LOG all -- 198.142.106.152.optusnet.com.au anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
    DROP all -- 198.142.106.152.optusnet.com.au anywhere
    LOG all -- 192.168.100.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
    DROP all -- 192.168.100.0/24 anywhere
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
    LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp type 2 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    DROP icmp -- anywhere anywhere
    REJECT tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN reject-with tcp-reset
    LOG tcp -- anywhere anywhere tcp dpt:netstat flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:netstat flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:telnet flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:telnet flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:time flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:time flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:sunrpc flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:sunrpc flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:login flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:login flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:x11 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:x11 flags:SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
    ACCEPT udp -- dns.syd.optusnet.com.au anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
    ACCEPT udp -- dns.meb.optusnet.com.au anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
    DROP udp -- anywhere anywhere udp dpt:15
    DROP udp -- anywhere anywhere udp dpt:ssh
    DROP udp -- anywhere anywhere udp dpt:telnet
    DROP udp -- anywhere anywhere udp dpt:time
    DROP udp -- anywhere anywhere udp dpt:time
    DROP udp -- anywhere anywhere udp dpt:sunrpc
    DROP udp -- anywhere anywhere udp dpt:sunrpc
    DROP udp -- anywhere anywhere udp dpt:who
    DROP udp -- anywhere anywhere udp dpt:x11
    LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
    DROP all -- anywhere anywhere

    Chain input_ext (1 references)
    target prot opt source destination
    LOG all -- 192.168.100.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
    DROP all -- 192.168.100.0/24 anywhere
    LOG icmp -- 198.142.106.152.optusnet.com.au anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT-SOURCEQUENCH '
    ACCEPT icmp -- 198.142.106.152.optusnet.com.au anywhere icmp source-quench
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
    LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp type 2 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    DROP icmp -- anywhere anywhere
    LOG tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
    ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http
    LOG tcp -- anywhere anywhere tcp dpt:https flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
    ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:https
    LOG tcp -- anywhere anywhere tcp dpt:telnet flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
    ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:telnet
    REJECT tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN reject-with tcp-reset
    LOG tcp -- anywhere anywhere tcp dpt:netstat flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:netstat flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:telnet flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:telnet flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:time flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:time flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:sunrpc flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:sunrpc flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:login flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:login flags:SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp dpt:x11 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
    DROP tcp -- anywhere anywhere tcp dpt:x11 flags:SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
    ACCEPT udp -- dns.syd.optusnet.com.au anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
    ACCEPT udp -- dns.meb.optusnet.com.au anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
    DROP udp -- anywhere anywhere udp dpt:15
    DROP udp -- anywhere anywhere udp dpt:ssh
    DROP udp -- anywhere anywhere udp dpt:telnet
    DROP udp -- anywhere anywhere udp dpt:time
    DROP udp -- anywhere anywhere udp dpt:time
    DROP udp -- anywhere anywhere udp dpt:sunrpc
    DROP udp -- anywhere anywhere udp dpt:sunrpc
    DROP udp -- anywhere anywhere udp dpt:who
    DROP udp -- anywhere anywhere udp dpt:x11
    ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED udp dpts:1024:65535
    ACCEPT udp -- anywhere anywhere state ESTABLISHED udp dpts:61000:65095
    LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
    DROP all -- anywhere anywhere

    Chain input_int (1 references)
    target prot opt source destination
    LOG all -- 198.142.106.152.optusnet.com.au anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
    DROP all -- 198.142.106.152.optusnet.com.au anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
    LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    LOG icmp -- anywhere anywhere icmp type 2 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
    DROP icmp -- anywhere anywhere
    REJECT tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN reject-with tcp-reset
    LOG tcp -- anywhere anywhere tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
    ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535
    ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
    ACCEPT udp -- dns.syd.optusnet.com.au anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
    ACCEPT udp -- dns.meb.optusnet.com.au anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
    LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
    LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
    DROP all -- anywhere anywhere

    An attempt to open a telnet connection on port 93 shows the following in the log:
    Aug 5 23:48:47 andypc2 kernel: SuSE-FW-ACCEPT-REVERSE_MASQ IN=ppp0 OUT=eth0 SRC=203.132.107.189 DST=192.168.100.1 LEN=60 TOS=0x10 PREC=0x00 TTL=46 ID=12051 DF PROTO=TCP SPT=33369 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405640402080A009727780000000001010101)

    iptables -t nat -L shows the following:

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere anywhere tcp dpt:dcp to:192.168.100.1:23

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    But still nothing comes back. The entry FW_FORWARD_MASQ="0/0,192.168.100.1,tcp,93,23" in /etc/sysconfig/SuSEfirewall2 produces the same as
    iptables -A FORWARD -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -p tcp -d 192.168.100.1 --dport 23, except that now it is still there after a firewall stop/start.

    Additional question, I have not found an answer in any documentation so far. Do IP addresses have to be specified, or can names such as optusnet.com.au be given, i.e. does iptables do name resolution via DNS?

    Ciao

    Peter
    Peter Sutter
    19 Bebich Drive
    Wanneroo WA 6065
    Western Australia
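The kernel log line quoted in the post above is the one place where it is visible that the DNAT actually happened (the FORWARD chain logs the packet with the already rewritten destination 192.168.100.1:23). The following is an added example, not code from the forum post or from SuSEfirewall2: it parses netfilter `LOG` lines in the `SuSE-FW-*` format into fields and checks whether a logged packet is a new inbound connection that has been forwarded to the DNAT target. Interface names, target address and port are parameters with the post's values as defaults; the sample line is copied from the post.

```python
"""Parse netfilter LOG lines in the SuSE-FW-* prefix format and check whether
a forwarded packet shows the expected DNAT result (in on the external
interface, out on the internal one, destination already rewritten).

Added example, not part of the forum post or of SuSEfirewall2."""
import re
from typing import Dict, List, Optional

# Sample line copied from the post above; the format is what iptables -j LOG
# writes, with the prefix set by SuSEfirewall2's FW_LOG option.
SAMPLE_LOG = (
    "Aug 5 23:48:47 andypc2 kernel: SuSE-FW-ACCEPT-REVERSE_MASQ IN=ppp0 OUT=eth0 "
    "SRC=203.132.107.189 DST=192.168.100.1 LEN=60 TOS=0x10 PREC=0x00 TTL=46 "
    "ID=12051 DF PROTO=TCP SPT=33369 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 "
    "OPT (020405640402080A009727780000000001010101)"
)

PREFIX_RE = re.compile(r"kernel: (SuSE-FW-\S+) (.*)$")
PAIR_RE = re.compile(r"\b([A-Z]+)=(\S+)")
# Bare words netfilter emits without a value (IP flags and TCP flags).
FLAG_WORDS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_fw_log(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of one LOG line plus PREFIX and FLAGS,
    or None if the line is not a SuSE-FW log entry."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    fields = {"PREFIX": prefix}
    fields.update(PAIR_RE.findall(rest))
    flags = [w for w in re.findall(r"\b[A-Z]+\b", rest) if w in FLAG_WORDS]
    fields["FLAGS"] = ",".join(flags)
    return fields


def is_dnat_forward(fields: Dict[str, str], ext_if: str = "ppp0",
                    int_if: str = "eth0", target: str = "192.168.100.1",
                    port: str = "23") -> bool:
    """True if the logged packet is a new TCP connection that entered on the
    external interface and is being forwarded to the DNAT target.  Because
    nat/PREROUTING runs before FORWARD, the FORWARD chain's LOG already shows
    the rewritten DST/DPT, which is what such a line documents."""
    return (fields.get("IN") == ext_if and fields.get("OUT") == int_if
            and fields.get("PROTO") == "TCP"
            and fields.get("DST") == target and fields.get("DPT") == port
            and "SYN" in fields["FLAGS"].split(","))


def forwarded_connections(lines: List[str]) -> List[str]:
    """Source addresses whose SYN was forwarded to the DNAT target."""
    out = []
    for line in lines:
        f = parse_fw_log(line)
        if f and is_dnat_forward(f):
            out.append(f["SRC"])
    return out
```

Run `forwarded_connections` over `/var/log/messages` to list which external sources reached the forwarded port; a SYN that shows up here but never produces a session means the problem lies beyond the gateway's filter rules, on the return path.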

  11. #11
    Premium Member, Avatar of Stage
    Registered since
    Jun 2002
    Posts
    810
    Strange, actually it says there that the reverse masquerading was accepted.
    I'll post my config.
    I did reverse masquerading for edonkey myself and it works perfectly, see item 14.

    Maybe try a high port instead of port 93, i.e. >1023, try 1093. I can't imagine that's the cause, but it would be worth a try.

    # Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
    #
    # Author: Marc Heuse <marc@suse.de>, 2001
    # Please contact me directly if you find bugs.
    #
    # If you have problems getting this tool configured, please read this file
    # carefully and take also a look into
    # -> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES !
    # -> /usr/share/doc/packages/SuSEfirewall2/FAQ !
    # -> /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf.EXAMPLE !
    #
    # /etc/sysconfig/SuSEfirewall2
    #
    # for use with /sbin/SuSEfirewall2 version 2.1 which is for 2.4 kernels!
    #
    # ------------------------------------------------------------------------ #
    # PLEASE NOTE THE FOLLOWING:
    #
    # Just by configuring these settings and using the SuSEfirewall2 you are
    # not secure per se! There is *not* such a thing you install and hence you
    # are safe from all (security) hazards.
    #
    # To ensure your security, you need also:
    #
    # * Secure all services you are offering to untrusted networks (internet)
    # You can do this by using software which has been designed with
    # security in mind (like postfix, apop3d, ssh), setting these up without
    # misconfiguration and praying, that they have got really no holes.
    # SuSEcompartment can help in most circumstances to reduce the risk.
    # * Do not run untrusted software. (philosophical question, can you trust
    # SuSE or any other software distributor?)
    # * Harden your server(s) with the harden_suse package/script
    # * Recompile your kernel with the openwall-linux kernel patch
    # (former secure-linux patch, from Solar Designer) www.openwall.com
    # * Check the security of your server(s) regularly
    # * If you are using this server as a firewall/bastion host to the internet
    # for an internal network, try to run proxy services for everything and
    # disable routing on this machine.
    # * If you run DNS on the firewall: disable untrusted zone transfers and
    # either don't allow access to it from the internet or run it split-brained.
    #
    # Good luck!
    #
    # Yours,
    # SuSE Security Team
    #
    # ------------------------------------------------------------------------
    #
    # Configuration HELP:
    #
    # If you have got any problems configuring this file, take a look at
    # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
    #
    #
    # All types have to set enable SuSEfirewall2 in the runlevel editor
    #
    # If you are an end-user who is NOT connected to two networks (read: you have
    # got a single user system and are using a dialup to the internet) you just
    # have to configure (all other settings are OK): 2) and maybe 9).
    #
    # If this server is a firewall, which should act like a proxy (no direct
    # routing between both networks), or you are an end-user connected to the
    # internet and to an internal network, you have to setup your proxys and
    # reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14)
    #
    # If this server is a firewall, and should do routing/masquerading between
    # the untrusted and the trusted network, you have to reconfigure (all other
    # settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13),
    # 14), 20)
    #
    # If you want to run a DMZ in either of the above three standard setups, you
    # just have to configure *additionally* 4), 9), 12), 13), 17), 19).
    #
    # If you know what you are doing, you may also change 8), 11), 15), 16)
    # and the expert options 19), 20), 21), 22) and 23) at the far end, but you
    # should NOT.
    #
    # If you use diald or ISDN autodialing, you might want to set 17).
    #
    # To get programs like traceroutes to your firewall to work is a bit tricky,
    # you have to set the following options to "yes" : 11 (UDP only), 18 and 19.
    #
    # Please note that if you use service names, that they exist in /etc/services.
    # There is no service "dns", it's called "domain"; email is called "smtp" etc.
    #
    # *Any* routing between interfaces except masquerading requires to set FW_ROUTE
    # to "yes" and use FW_FORWARD or FW_ALLOW_CLASS_ROUTING !
    #
    # If you just want to do masquerading without filtering, ignore this script
    # and run this line (exchange "ippp0" "ppp0" if you use a modem, not isdn):
    # iptables -A POSTROUTING -t nat -j MASQUERADE -o ippp0
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # and additionally the following lines to get at least a minimum of security:
    # iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ippp0
    # iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ippp0
    # ------------------------------------------------------------------------

    #
    # 1.)
    # Should the Firewall be started?
    #
    # This setting is done via the links in the /etc/init.d/rc?.d runlevel
    # directories, which can be tweaked with a runlevel editor (or manually)

    #
    # 2.)
    # Which is the interface that points to the internet/untrusted networks?
    #
    # Enter all the network devices here which are untrusted.
    #
    # Choice: any number of devices, separated by a space
    # e.g. "eth0", "ippp0 ippp1 eth0:1"
    #
    FW_DEV_EXT="ppp0"

    #
    # 3.)
    # Which is the interface that points to the internal network?
    #
    # Enter all the network devices here which are trusted.
    # If you are not connected to a trusted network (e.g. you have just a
    # dialup) leave this empty.
    #
    # Choice: leave empty or any number of devices, separated by a space
    # e.g. "tr0", "eth0 eth1 eth1:1" or ""
    #
    FW_DEV_INT="eth1"

    #
    # 4.)
    # Which is the interface that points to the dmz or dialup network?
    #
    # Enter all the network devices here which point to the dmz/dialups.
    # A "dmz" is a special, separated network, which is only connected to the
    # firewall, and should be reachable from the internet to provide services,
    # e.g. WWW, Mail, etc. and hence are at risk from attacks.
    # See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
    #
    # Special note: You have to configure FW_FORWARD to define the services
    # which should be available to the internet and set FW_ROUTE to yes.
    #
    # Choice: leave empty or any number of devices, separated by a space
    # e.g. "tr0", "eth0 eth1 eth1:1" or ""
    #
    FW_DEV_DMZ=""

    #
    # 5.)
    # Should routing between the internet, dmz and internal network be activated?
    # REQUIRES: FW_DEV_INT or FW_DEV_DMZ
    #
    # You need only set this to yes, if you either want to masquerade internal
    # machines or allow access to the dmz (or internal machines, but this is not
    # a good idea). This option supersedes IP_FORWARD from
    # /etc/sysconfig/network/options
    #
    # Setting this option one alone doesn't do anything. Either activate
    # masquerading with FW_MASQUERADE below if you want to masquerade your
    # internal network to the internet, or configure FW_FORWARD to define
    # what is allowed to be forwarded!
    #
    # Choice: "yes" or "no", defaults to "no"
    #
    FW_ROUTE="yes"

    #
    # 6.)
    # Do you want to masquerade internal networks to the outside?
    # REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE
    #
    # "Masquerading" means that all your internal machines which use services on
    # the internet seem to come from your firewall.
    # Please note that it is more secure to communicate via proxies to the
    # internet than masquerading. This option is required for FW_MASQ_NETS and
    # FW_FORWARD_MASQ.
    #
    # Choice: "yes" or "no", defaults to "no"
    #
    FW_MASQUERADE="yes"
    #
    # You must also define on which interface(s) to masquerade on. This is
    # normally your external device(s) to the internet.
    # Most users can leave the default below.
    #
    # e.g. "ippp0" or "$FW_DEV_EXT"
    FW_MASQ_DEV="$FW_DEV_EXT"
    #
    # Which internal computers/networks are allowed to access the internet
    # directly (not via proxys on the firewall)?
    # Only these networks will be allowed access and will be masqueraded!
    #
    # Choice: leave empty or any number of hosts/networks separated by a space.
    # Every host/network may get a list of allowed services, otherwise everything
    # is allowed. A target network, protocol and service is appended by a comma to
    # the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
    # unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
    # the 10.0.1.0 network to use www/ftp to the internet.
    # "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
    # Set this variable to "0/0" to allow unrestricted access to the internet.
    #
    FW_MASQ_NETS="0/0"

    #
    # 7.)
    # Do you want to protect the firewall from the internal network?
    # REQUIRES: FW_DEV_INT
    #
    # If you set this to "yes", internal machines may only access services on
    # the machine you explicitly allow. They will be also affected from the
    # FW_AUTOPROTECT_SERVICES option.
    # If you set this to "no", any user can connect (and attack) any service on
    # the firewall.
    #
    # Choice: "yes" or "no", defaults to "yes"
    #
    # "yes" is a good choice
    FW_PROTECT_FROM_INTERNAL="no"

    #
    # 8.)
    # Do you want to autoprotect all running network services on the firewall?
    #
    # If set to "yes", all network access to services TCP and UDP on this machine
    # will be prevented (except to those which you explicitly allow, see below:
    # FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
    #
    # Choice: "yes" or "no", defaults to "yes"
    #
    FW_AUTOPROTECT_SERVICES="yes"

    #
    # 9.)
    # Which services ON THE FIREWALL should be accessible from either the internet
    # (or other untrusted networks), the dmz or internal (trusted networks)?
    # (see no.13 & 14 if you want to route traffic through the firewall) XXX
    #
    # Enter all ports or known portnames below, separated by a space.
    # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
    # UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
    # e.g. if a webserver on the firewall should be accessible from the internet:
    # FW_SERVICES_EXT_TCP="www"
    # e.g. if the firewall should receive syslog messages from the dmz:
    # FW_SERVICES_DMZ_UDP="syslog"
    # For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
    # FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
    #
    # Choice: leave empty or any number of ports, known portnames (from
    # /etc/services) and port ranges separated by a space. Port ranges are
    # written like this: allow port 1 to 10 -> "1:10"
    # e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
    # For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
    #
    # Common: smtp domain
    FW_SERVICES_EXT_TCP="22 53"
    # Common: domain
    FW_SERVICES_EXT_UDP="123 53" # Common: domain
    # For VPN/Routing which END at the firewall!!
    FW_SERVICES_EXT_IP=""
    #
    # Common: smtp domain
    FW_SERVICES_DMZ_TCP=""
    # Common: domain
    FW_SERVICES_DMZ_UDP=""
    # For VPN/Routing which END at the firewall!!
    FW_SERVICES_DMZ_IP=""
    #
    # Common: ssh smtp domain
    FW_SERVICES_INT_TCP=""
    # Common: domain syslog
    FW_SERVICES_INT_UDP=""
    # For VPN/Routing which END at the firewall!!
    FW_SERVICES_INT_IP=""

    #
    # 10.)
    # Which services should be accessible from trusted hosts/nets?
    #
    # Define trusted hosts/networks (doesn't matter if they are internal or
    # external) and the TCP and/or UDP services they are allowed to use.
    # Please note that a trusted host/net is *not* allowed to ping the firewall
    # until you set it to allow also icmp!
    #
    # Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
    # networks, separated by a space. e.g. "172.20.1.1 172.20.0.0/16"
    # Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
    # Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
    #
    FW_TRUSTED_NETS=""

    #
    # 11.)
    # How is access allowed to high (unprivileged [above 1023]) ports?
    #
    # You may either allow everyone from anyport access to your highports ("yes"),
    # disallow anyone ("no"), anyone who comes from a defined port (portnumber or
    # known portname) [note that this is easy to circumvent!], or just your
    # defined nameservers ("DNS").
    # Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
    # from a firewall using this script (well, you can if you include range
    # 600:1023 in FW_SERVICES_EXT_UDP ...).
    # Please note that with v2.1 "yes" is not mandatory for active FTP from
    # the firewall anymore.
    #
    # Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
    # if not set
    #
    # Common: "ftp-data", better is "yes" to be sure that everything else works :-(
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
    # Common: "DNS" or "domain ntp", better is "yes" to be sure ...
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

    #
    # 12.)
    # Are you running some of the services below?
    # They need special attention - otherwise they won't work!
    #
    # Set services you are running to "yes", all others to "no", defaults to "no"
    # if not set.
    #
    FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
    #
    # If you are running bind/named set to yes. Remember that you have to open
    # port 53 (or "domain") as udp/tcp to allow incoming queries.
    # Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
    FW_SERVICE_DNS="yes"
    #
    # if you use dhclient to get an ip address you have to set this to "yes" !
    FW_SERVICE_DHCLIENT="no"
    #
    # set to "yes" if this server is a DHCP server
    FW_SERVICE_DHCPD="yes"
    #
    # set to "yes" if this server is running squid. You still have to open the
    # tcp port 3128 to allow remote access to the squid proxy service.
    FW_SERVICE_SQUID="no"
    #
    # set to "yes" if this server is running a samba server. You still have to open
    # the tcp port 139 to allow remote access to SAMBA.
    FW_SERVICE_SAMBA="no"

    #
    # 13.)
    # Which services accessed from the internet should be allowed to the
    # dmz (or internal network - if it is not masqueraded)?
    # REQUIRES: FW_ROUTE
    #
    # With this option you may allow access to e.g. your mailserver. The
    # machines must have valid, non-private, IP addresses which were assigned to
    # you by your ISP. This opens a direct link to your network, so only use
    # this option for access to your dmz!!!!
    #
    # Choice: leave empty (good choice!) or use the following explained syntax
    # of forwarding rules, separated each by a space.
    # A forwarding rule consists of 1) source IP/net and 2) destination IP
    # separated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24"
    # Optional is a protocol, separated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp"
    # Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514"
    #
    FW_FORWARD="" # Beware to use this!

    #
    # 14.)
    # Which services accessed from the internet should be allowed to masqueraded
    # servers (on the internal network or dmz)?
    # REQUIRES: FW_ROUTE
    #
    # With this option you may allow access to e.g. your mailserver. The
    # machines must be in a masqueraded segment and may not have public IP addresses!
    # Hint: if FW_DEV_MASQ is set to the external interface you have to set
    # FW_FORWARD from internal to DMZ for the service as well to allow access
    # from internal!
    #
    # Please note that this should *not* be used for security reasons! You are
    # opening a hole to your precious internal network. If e.g. the webserver there
    # is compromised - your full internal network is compromised!!
    #
    # Choice: leave empty (good choice!) or use the following explained syntax
    # of forward masquerade rules, separated each by a space.
    # A forward masquerade rule consists of 1) source IP/net, 2) destination IP
    # (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port,
    # separated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80"
    # Optional is a port after the destination port, to redirect the request to
    # a different destination port on the destination IP, e.g.
    # "4.0.0.0/8,1.1.1.1,tcp,80,81"
    #
    FW_FORWARD_MASQ="0/0,192.168.0.1,tcp,4662,4662 0/0,192.168.0.1,udp,4665,4665" #Beware to use this!

    #
    # 15.)
    # Which accesses to services should be redirected to a localport on the
    # firewall machine?
    #
    # This can be used to force all internal users to surf via your squid proxy,
    # or transparently redirect incoming webtraffic to a secure webserver.
    #
    # Choice: leave empty or use the following explained syntax of redirecting
    # rules, separated by a space.
    # A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
    # 3) protocol (tcp or udp), 4) original destination port and 5) local port to
    # redirect the traffic to, separated by a comma. e.g.:
    # "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
    #
    FW_REDIRECT=""

    #
    # 16.)
    # Which logging level should be enforced?
    # You can define to log packets which were accepted or denied.
    # You can also the set log level, the critical stuff or everything.
    # Note that logging *_ALL is only for debugging purpose ...
    #
    # Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
    # FW_LOG_*_ALL defaults to "no"
    #
    FW_LOG_DROP_CRIT="yes"
    #
    FW_LOG_DROP_ALL="no"
    #
    FW_LOG_ACCEPT_CRIT="no"
    #
    FW_LOG_ACCEPT_ALL="no"
    #
    # only change/activate this if you know what you are doing!
    FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

    #
    # 17.)
    # Do you want to enable additional kernel TCP/IP security features?
    # If set to yes, some obscure kernel options are set.
    # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
    # icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexceed_rate,
    # ip_local_port_range, log_martians, mc_forwarding, mc_forwarding,
    # rp_filter, routing flush)
    # Tip: Set this to "no" until you have verified that you have got a
    # configuration which works for you. Then set this to "yes" and keep it
    # if everything still works. (It should!) ;-)
    #
    # Choice: "yes" or "no", defaults to "yes"
    #
    FW_KERNEL_SECURITY="yes"

    #
    # 18.)
    # Keep the routing set on, if the firewall rules are unloaded?
    # REQUIRES: FW_ROUTE
    #
    # If you are using diald, or automatic dialing via ISDN, if packets need
    # to be sent to the internet, you need to turn this on. The script will then
    # not turn off routing and masquerading when stopped.
    # You *might* also need this if you have got a DMZ.
    # Please note that this is *insecure*! If you unload the rules, but are still
    # connected, you might leave your internal network open to attacks!
    # The better solution is to remove "/sbin/SuSEfirewall2 stop" or
    # "/sbin/init.d/firewall stop" from the ip-down script!
    #
    #
    # Choices "yes" or "no", defaults to "no"
    #
    FW_STOP_KEEP_ROUTING_STATE="no"

    #
    # 19.)
    # Allow (or don't) ICMP echo pings on either the firewall or the dmz from
    # the internet? The internet option is for allowing the DMZ and the internal
    # network to ping the internet.
    # REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_EXT
    #
    # Choice: "yes" or "no", defaults to "no" if not set
    #
    FW_ALLOW_PING_FW="yes"
    #
    FW_ALLOW_PING_DMZ="no"
    #
    FW_ALLOW_PING_EXT="no"

    ##
    # END of rc.firewall
    ##

    # #
    #-------------------------------------------------------------------------#
    # #
    # EXPERT OPTIONS - all others please don't change these! #
    # #
    #-------------------------------------------------------------------------#
    # #

    #
    # 20.)
    # Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
    # This is used for traceroutes to your firewall (or traceroute like tools).
    #
    # Please note that the unix traceroute only works if you say "yes" to
    # FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
    # additionally "yes" to FW_ALLOW_PING_FW
    #
    # Choice: "yes" or "no", defaults to "no" if not set.
    #
    FW_ALLOW_FW_TRACEROUTE="yes"

    #
    # 21.)
    # Allow ICMP sourcequench from your ISP?
    #
    # If set to yes, the firewall will notice when connection is choking, however
    # this opens yourself to a denial of service attack. Choose your poison.
    #
    # Choice: "yes" or "no", defaults to "yes"
    #
    FW_ALLOW_FW_SOURCEQUENCH="yes"

    #
    # 22.)
    # Allow/Ignore IP Broadcasts?
    #
    # If set to yes, the firewall will not filter broadcasts by default.
    # This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
    # option is used.
    # If you do not want to allow them however ignore the annoying log entries,
    # set FW_IGNORE_FW_BROADCAST to yes.
    #
    # Choice: "yes" or "no", defaults to "no" if not set.
    #
    FW_ALLOW_FW_BROADCAST="no"
    #
    FW_IGNORE_FW_BROADCAST="yes"

    #
    # 23.)
    # Allow same class routing per default?
    # REQUIRES: FW_ROUTE
    #
    # Do you want to allow routing between interfaces of the same class
    # (e.g. between all internet interfaces, or all internal network interfaces)
    # by default (so without the need of setting up FW_FORWARD definitions)?
    #
    # Choice: "yes" or "no", defaults to "no"
    #
    FW_ALLOW_CLASS_ROUTING="no"

    #
    # 25.)
    # Do you want to load customary rules from a file?
    #
    # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
    # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
    #
    #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
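Section 14.) of the config above describes the `FW_FORWARD_MASQ` syntax only in prose, and the earlier post observes that such an entry ends up as a DNAT plus a FORWARD accept for the rewritten destination port. The following is an added example, not SuSEfirewall2's own code: it parses entries in that syntax, validates them the way the comment specifies (four or five comma-separated fields, tcp or udp only), and emits the two iptables commands each entry amounts to. The exact rule shape is my approximation of what the script generates; `ext_dev` and `int_dev` stand in for `FW_DEV_EXT` and `FW_DEV_INT`.

```python
"""Expand SuSEfirewall2 FW_FORWARD_MASQ entries into the iptables rules they
amount to: a DNAT in nat/PREROUTING plus an ACCEPT in FORWARD.

Added example; an approximation of what the SuSEfirewall2 script generates,
not its own code."""
from typing import List, Tuple


def _port(value: str) -> int:
    """Accept only a numeric port in 1..65535 (service names are left out)."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def parse_forward_masq(entry: str) -> Tuple[str, str, str, int, int]:
    """Split 'src,dst,proto,port[,redirect_port]' and validate it as section
    14.) describes: exactly four or five comma-separated fields, tcp or udp
    only.  The redirect port defaults to the destination port."""
    fields = entry.split(",")
    if len(fields) not in (4, 5):
        raise ValueError(f"expected 4 or 5 fields, got {len(fields)}: {entry!r}")
    src, dst, proto = fields[0], fields[1], fields[2].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"FW_FORWARD_MASQ allows tcp/udp only, got {proto!r}")
    dport = _port(fields[3])
    rport = _port(fields[4]) if len(fields) == 5 else dport
    return src, dst, proto, dport, rport


def expand_forward_masq(value: str, ext_dev: str = "ppp0",
                        int_dev: str = "eth0") -> List[str]:
    """Turn the whole space-separated FW_FORWARD_MASQ value into iptables
    command lines.  The DNAT rewrites the destination before routing, so the
    FORWARD rule must match the *rewritten* address and port, not the public
    port the client connected to."""
    rules = []
    for entry in value.split():
        src, dst, proto, dport, rport = parse_forward_masq(entry)
        rules.append(
            f"iptables -t nat -A PREROUTING -i {ext_dev} -p {proto} -s {src} "
            f"--dport {dport} -j DNAT --to-destination {dst}:{rport}"
        )
        rules.append(
            f"iptables -A FORWARD -i {ext_dev} -o {int_dev} -p {proto} -s {src} "
            f"-d {dst} --dport {rport} -m state --state NEW,ESTABLISHED,RELATED "
            f"-j ACCEPT"
        )
    return rules
```

The `-i ext_dev` on the DNAT rule matters: without it, hosts on the internal network that connect to the gateway's own port get redirected as well, which the hint in section 14.) about `FW_DEV_MASQ` alludes to.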

  12. #12
    Registered user
    Registered since
    Apr 2001
    Location
    Wanneroo
    Posts
    61
    Hello Stage,

    Thank you very much for your help. I have done everything you suggested. Here is the analysis of the comparison of the two SuSEfirewall2 files:

    Peter FW_SERVICES_EXT_TCP="http https telnet"
    Stage FW_SERVICES_EXT_TCP="22 53"
    I want http, https and telnet; this seems to be correct. Do I also have to enter port 93 or 1093 here? I'll try that.

    Peter FW_SERVICES_EXT_UDP="" will change this to telnet or 23.
    Stage FW_SERVICES_EXT_UDP="123 53"

    Peter FW_ALLOW_INCOMING_HIGHPORTS_TCP="no" have changed this to yes.
    Stage FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
    Should probably be set to yes if I want to use port 1023, can stay at no if I use port 93; will try both.

    Peter FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
    Stage FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
    I only allow DNS on udp high ports, you allow everything. Shouldn't matter though, since no DNS runs here.

    Peter FW_SERVICE_DNS="no"
    Stage FW_SERVICE_DNS="yes"
    There is no DNS server of its own running in this small network.

    Peter FW_SERVICE_DHCPD="no"
    Stage FW_SERVICE_DHCPD="yes"
    No DHCP is running, so this can stay at no.

    Peter FW_FORWARD_MASQ="0/0,192.168.100.1,tcp,93,23"
    Stage FW_FORWARD_MASQ="0/0,192.168.0.1,tcp,4662,4662 0/0,192.168.0.1,udp,4665,4665"
    This also seems correct to me.

    With all these changes, still nothing works.

    Here is the message in /var/log/messages for the telnet request; it seems to have been accepted.

    Aug 7 08:30:52 andypc2 kernel: SuSE-FW-ACCEPT-REVERSE_MASQ IN=ppp0 OUT=eth0 SRC=203.132.107.189 DST=192.168.100.1 LEN=60 TOS=0x10 PREC=0x00 TTL=46 ID=24030 DF PROTO=TCP SPT=33550 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405640402080A00FF69270000000001010101)

    A tcpdump on ppp0 at the time of the telnet request shows the following:

    08:33:16.209431 203.132.107.189.33551 > 198.142.106.152.dcp: S 4096742658:4096742658(0) win 5840 <mss 1380,sackOK,timestamp 16752932 0,nop,nop,nop,nop> (DF) [tos 0x10]
    08:33:19.139427 203.132.107.189.33551 > 198.142.106.152.dcp: S 4096742658:4096742658(0) win 5840 <mss 1380,sackOK,timestamp 16753232 0,nop,nop,nop,nop> (DF) [tos 0x10]
    08:33:25.159431 203.132.107.189.33551 > 198.142.106.152.dcp: S 4096742658:4096742658(0) win 5840 <mss 1380,sackOK,timestamp 16753832 0,nop,nop,nop,nop> (DF) [tos 0x10]

    A tcpdump on eth0 at the time of the telnet request shows the following:

    08:35:19.574776 andypc.disc400.pcg-radar > disc400.disc400.telnet: P 2373625289:2373625304(15) ack 381385 win 17424 (DF)
    08:35:19.609739 disc400.disc400.telnet > andypc.disc400.pcg-radar: P ack 15 win 8192 (DF)
    08:35:19.660214 disc400.disc400.telnet > andypc.disc400.pcg-radar: . 1:1453(1452) ack 15 win 8192 (DF)
    08:35:19.660286 disc400.disc400.telnet > andypc.disc400.pcg-radar: P 1453:1666(213) ack 15 win 8192 (DF)
    08:35:19.660744 andypc.disc400.pcg-radar > disc400.disc400.telnet: . ack 1666 win 17424 (DF)
    08:35:21.829823 203.132.107.189.33552 > disc400.disc400.telnet: S 2694552430:2694552430(0) win 5840 <mss 1380,sackOK,timestamp 16765498 0,nop,nop,nop,nop> (DF) [tos 0x10]

    So the telnet request was correctly forwarded to eth0. What happens next I no longer understand. disc400.disc400 (the AS400) now apparently tries to get my MAC address with an arp. But it never gets it. (There is also traffic from other machines in this dump.)

    08:35:21.832786 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:21.832839 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:22.247581 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:22.247633 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:22.753529 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:22.753583 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:23.259510 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:23.259574 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:23.765469 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:23.765522 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:24.271408 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:24.271460 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:24.859775 203.132.107.189.33552 > disc400.disc400.telnet: S 2694552430:2694552430(0) win 5840 <mss 1380,sackOK,timestamp 16765798 0,nop,nop,nop,nop> (DF) [tos 0x10]
    08:35:25.300657 andypc.disc400.pcg-radar > disc400.disc400.telnet: P 15:29(14) ack 1666 win 17424 (DF)
    08:35:25.329453 disc400.disc400.telnet > andypc.disc400.pcg-radar: P ack 29 win 8192 (DF)
    08:35:25.603267 disc400.disc400.telnet > andypc.disc400.pcg-radar: P 1666:1678(12) ack 29 win 8192 (DF)
    08:35:25.607695 andypc.disc400.pcg-radar > disc400.disc400.telnet: P 29:41(12) ack 1678 win 17412 (DF)
    08:35:25.636013 disc400.disc400.telnet > andypc.disc400.pcg-radar: P ack 41 win 8192 (DF)
    08:35:25.641534 disc400.disc400.telnet > andypc.disc400.pcg-radar: P 1678:1772(94) ack 41 win 8192 (DF)
    08:35:25.713714 disc400.disc400.telnet > andypc.disc400.pcg-radar: P 1678:1788(110) ack 41 win 8192 (DF)
    08:35:25.713990 andypc.disc400.pcg-radar > disc400.disc400.telnet: . ack 1788 win 17302 (DF)
    08:35:25.911532 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:25.911595 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:26.396068 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:26.396132 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:26.902021 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:26.902075 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:27.407967 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:27.408030 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:27.913917 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:27.913970 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:28.419859 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:28.419923 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:29.293856 andypc.disc400.pcg-radar > disc400.disc400.telnet: P 41:56(15) ack 1788 win 17302 (DF)
    08:35:29.311127 disc400.disc400.telnet > andypc.disc400.pcg-radar: P 1788:2623(835) ack 56 win 8192 (DF)
    08:35:29.440694 disc400.disc400.telnet > andypc.disc400.pcg-radar: P 1788:2623(835) ack 56 win 8192 (DF)
    08:35:29.440729 andypc.disc400.pcg-radar > disc400.disc400.telnet: . ack 2623 win 16467 (DF)
    08:35:29.441023 andypc.disc400.pcg-radar > disc400.disc400.telnet: . ack 2623 win 16467 (DF)
    08:35:29.933438 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:29.933492 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:30.342171 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:30.342224 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:30.495786 andypc.disc400.netbios-dgm > 192.168.100.255.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1102 ID=0x62 IP=192 (0xc0).168 (0xa8).100 (0x64).4 (0x4) Port=138 (0x8a) Length=193 (0xc1) Res2=0x0
    SourceName=ANDYPC NameType=0x00 (Workstation)
    DestName=
    WARNING: Short packet. Try increasing the snap length


    08:35:30.495882 andypc.disc400.netbios-ns > 192.168.100.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    08:35:30.848136 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:30.848190 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:31.250436 andypc.disc400.netbios-ns > 192.168.100.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    08:35:31.354100 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:31.354162 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:31.860056 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:31.860109 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:32.005380 andypc.disc400.netbios-ns > 192.168.100.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    08:35:32.366038 arp who-has 203.132.107.189 tell disc400.disc400
    08:35:32.366101 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
    08:35:32.784010 andypc.disc400.netbios-dgm > disc400.disc400.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1002 ID=0x63 IP=192 (0xc0).168 (0xa8).100 (0x64).4 (0x4) Port=138 (0x8a) Length=163 (0xa3) Res2=0x0
    SourceName=ANDYPC NameType=0x00 (Workstation)
    DestName=
    WARNING: Short packet. Try increasing the snap length


    08:35:34.139367 andypc.disc400.pcg-radar > disc400.disc400.telnet: P 56:71(15) ack 2623 win 16467 (DF)
    08:35:34.174854 disc400.disc400.telnet > andypc.disc400.pcg-radar: P ack 71 win 8192 (DF)
    08:35:34.248367 disc400.disc400.telnet > andypc.disc400.pcg-radar: P 2623:3458(835) ack 71 win 8192 (DF)
    08:35:34.350080 andypc.disc400.pcg-radar > disc400.disc400.telnet: . ack 3458 win 17424 (DF)

    Where do I go from here?

    Peter
    Peter Sutter
    19 Bebich Drive
    Wanneroo WA 6065
    Western Australia

  13. #13
    Premium Member Stage
    Joined
    Jun 2002
    Posts
    810
    Just a quick question in between: does telnet access from your router to the AS400 machine actually work?
    Just in case a firewall is running on that machine too, or no telnet server is enabled on it.

  14. #14
    Registered User
    Joined
    Apr 2001
    Location
    Wanneroo
    Posts
    61
    Yes, telnet access from the router/gateway works.

    But when I think about the whole scenario and the unresolved MAC address, I suspect that the gateway/router may not be defined correctly on the AS400. I am not familiar with the AS400 either, and I have no access rights to it. The guy who is normally responsible for the AS400 is away until tomorrow morning.

    I am fairly sure that the AS400 is configured with 127.0.0.1 as its gateway, and therefore assumes that 0.0.0.0 is directly reachable, which is why it asks for the MAC address. In any case, I never see a reply from the AS400 on eth0 to the telnet request, only requests for the MAC address.

    I will try to find out a bit more over the weekend.

    Many thanks, and have a nice weekend.

    Peter

    Edit:

    I have just phoned the AS400 guy; he claims that he can telnet and ping external addresses from the AS400. But before I do anything further, I want to be sure that this really works.
    Last edited by sutterp (02.08.02 at 11:25)

  15. #15
    Registered User
    Joined
    Apr 2001
    Location
    Wanneroo
    Posts
    61
    Hello Stage,

    There is nothing wrong with SuSEfirewall2. The whole thing runs as it should.

    My last analysis was exactly right: the AS400 was configured such that it was itself set up as the router/gateway. Many thanks for your help. Your comments and suggestions helped me a great deal in narrowing down and finally solving the problem.

    Moral of the story: don't believe anything a system specialist tells you unless you have seen for yourself that it is as he says; faith may be a blessing, but it doesn't help solve a network problem.

    Moral of the story 2: before bringing a question to a forum, make sure the facts really are as you present them, otherwise you waste other people's time.

    Thanks again

    Peter Sutter
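A small diagnostic for the symptom Peter spotted in his capture, added here as an example that is not part of the thread: it reads tcpdump-style lines and flags LAN hosts that send ARP requests for addresses outside the LAN prefix, which is exactly what a host with a missing or wrong default gateway does (it treats the remote address as directly reachable). The sample lines are constructed after the quoted capture; the LAN prefix 192.168.100.0/24 is taken from the first post, and the function name is my own.

```python
import ipaddress
import re

# Constructed sample lines in the old tcpdump notation, modelled on the capture
# quoted in the thread: disc400 (the AS400) ARPs for an Internet address
# instead of sending the telnet reply to the gateway. The last line is a
# normal on-subnet ARP request and must not be flagged.
SAMPLE_CAPTURE = """\
08:35:25.911532 arp who-has 203.132.107.189 tell disc400.disc400
08:35:25.911595 arp who-has 203.132.107.189 tell disc400.disc400 hardware #6
08:35:29.293856 andypc.disc400.pcg-radar > disc400.disc400.telnet: P 41:56(15) ack 1788 win 17302 (DF)
08:35:30.342171 arp who-has 192.168.100.4 tell disc400.disc400
"""

# "arp who-has <target> tell <asker>"; the asker may be a name (as in the
# thread, tcpdump without -n) or a dotted-quad address.
ARP_REQ = re.compile(r"arp who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<asker>\S+)")


def off_subnet_arp(capture, lan):
    """Count ARP requests whose target lies outside the LAN prefix.

    Returns {(asker, target): count}. Any entry here means the asker believes
    an off-subnet address is on the local link, i.e. its default route is
    missing or points at itself, so replies to forwarded (DNAT) connections
    never reach the gateway.
    """
    net = ipaddress.ip_network(lan)
    hits = {}
    for line in capture.splitlines():
        m = ARP_REQ.search(line)
        if m is None:
            continue  # not an ARP request (TCP, NBT, ...)
        target = ipaddress.ip_address(m["target"])
        if target in net:
            continue  # resolving a LAN neighbour is normal
        key = (m["asker"], str(target))
        hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for (asker, target), n in off_subnet_arp(SAMPLE_CAPTURE, "192.168.100.0/24").items():
        print(f"{asker} ARPs for off-subnet {target} ({n}x): check its default gateway")
```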
