Hello,
I had Harry's iptables Generator generate an iptables firewall for me (with NAT to the eDonkey client). It works fine so far; the only problem is that my "/var/log/messages" is now being flooded with log messages. Here is a small excerpt of the messages that show up within 60 seconds:
Code:
Sep 22 14:43:38 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=217.217.128.18 DST=217.226.206.144 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=4881 DF PROTO=TCP SPT=2416 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 22 14:43:56 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=80.139.138.115 DST=217.226.206.144 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=47597 PROTO=TCP SPT=4662 DPT=2970 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 22 14:44:04 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=12.153.204.150 DST=217.226.206.144 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=56839 PROTO=TCP SPT=4662 DPT=3000 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 22 14:44:08 rhsrv kernel: REJECT UDP IN=ppp0 OUT= MAC= SRC=217.226.206.144 DST=255.255.255.255 LEN=188 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=168
Sep 22 14:44:12 rhsrv kernel: REJECT UDP IN=ppp0 OUT= MAC= SRC=81.226.5.115 DST=217.226.206.144 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=56816 PROTO=UDP SPT=1300 DPT=137 LEN=58
Sep 22 14:44:28 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=80.143.32.158 DST=217.226.206.144 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=50171 DF PROTO=TCP SPT=60027 DPT=3063 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Sep 22 14:44:31 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=80.143.32.158 DST=217.226.206.144 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=50243 DF PROTO=TCP SPT=60036 DPT=3063 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Sep 22 14:44:31 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=80.143.32.158 DST=217.226.206.144 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=50255 DF PROTO=TCP SPT=60036 DPT=3063 WINDOW=65535 RES=0x00 ACK URGP=0
Sep 22 14:44:37 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=217.236.95.216 DST=217.226.206.144 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=16960 PROTO=TCP SPT=4662 DPT=3060 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 22 14:44:37 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=80.143.32.158 DST=217.226.206.144 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=50383 DF PROTO=TCP SPT=60036 DPT=3063 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Sep 22 14:44:37 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=80.143.32.158 DST=217.226.206.144 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=50393 DF PROTO=TCP SPT=60036 DPT=3063 WINDOW=65535 RES=0x00 ACK URGP=0
Sep 22 14:44:39 rhsrv kernel: REJECT UDP IN=ppp0 OUT= MAC= SRC=217.226.206.144 DST=255.255.255.255 LEN=188 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=168

I have already posted the same problem once before and was advised to exclude certain things from logging. I was also given an example for that.
My OLD(!) firewall, with which everything worked, looked like this:
Code:
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2003 under the GPL
# Autogenerated by iptables Generator v1.16 (c) 2002 by Harald Bertram_
# Please visit http://www.harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# boehm@kraus-automaten.de on: 2003-9-8 11:8.58 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork@hotmail.com) who
# made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------

case "$1" in
  start)
    echo "Starte IP-Paketfilter"

    # iptables module
    modprobe ip_tables

    # Connection tracking modules
    modprobe ip_conntrack
    # The ip_conntrack_irc module is only available on kernels >= 2.4.19
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp

    # Flush tables
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X

    # Set default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # MY_REJECT chain
    iptables -N MY_REJECT

    # Populate MY_REJECT
    iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
    iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
    iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
    iptables -A MY_REJECT -p icmp -j DROP
    iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
    iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable

    # MY_DROP chain
    iptables -N MY_DROP
    iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
    iptables -A MY_DROP -j DROP

    # Log all discarded packets
    iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
    iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
    iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "

    # Reject corrupt packets
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP

    # DROP stealth scans etc.
    # No flags set
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP

    # SYN and FIN set
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP

    # SYN and RST set at the same time
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP

    # FIN and RST set at the same time
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP

    # FIN without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP

    # PSH without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP

    # URG without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP

    # Allow loopback network communication
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Clamp the Maximum Segment Size (MSS) for forwarding to the PMTU
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # Enable connection tracking
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH
    iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 22 -j ACCEPT

    #
    # Determine the IP address of LAN interface eth0
    #
    LAN_IP1=$(ifconfig eth0 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)

    # NAT for HTTP
    #iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination
    #iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to-source $LAN_IP1
    #iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d --dport 80 -j ACCEPT

    # LAN access on eth0
    iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT

    #
    # Determine the IP address of LAN interface eth1
    #
    LAN_IP2=$(ifconfig eth1 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)

    # NAT for EDONKEY
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4661 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 4661 -j SNAT --to-source $LAN_IP2
    iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.2 --dport 4661 -j ACCEPT
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 4662 -j SNAT --to-source $LAN_IP2
    iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.2 --dport 4662 -j ACCEPT
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4663 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 4663 -j SNAT --to-source $LAN_IP2
    iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.2 --dport 4663 -j ACCEPT
    iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4665 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 4665 -j SNAT --to-source $LAN_IP2
    iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.1.2 --dport 4665 -j ACCEPT
    iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4672 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 4672 -j SNAT --to-source $LAN_IP2
    iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.1.2 --dport 4672 -j ACCEPT

    # LAN access on eth1
    iptables -A INPUT -m state --state NEW -i eth1 -j ACCEPT

    # Default policies with REJECT
    iptables -A INPUT -j MY_REJECT
    iptables -A OUTPUT -j MY_REJECT
    iptables -A FORWARD -j MY_REJECT

    # Routing
    echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

    # Masquerading
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    # SYN cookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null

    # Stop source routing
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done

    # Stop redirecting
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done

    # Reverse path filter
    for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done

    # Log martians
    for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done

    # Disable BOOTP relaying
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done

    # Disable proxy ARP
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done

    # Ignore bogus ICMP error responses
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null

    # Ignore ICMP echo broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null

    # Send at most 500/second (5/jiffy)
    echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

    # Memory allocation and timing for IP (de)fragmentation
    echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
    echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
    echo 30 > /proc/sys/net/ipv4/ipfrag_time

    # Set the TCP FIN timeout to protect against DoS attacks
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

    # At most 3 responses to a TCP SYN
    echo 3 > /proc/sys/net/ipv4/tcp_retries1

    # Retransmit TCP packets at most 15 times
    echo 15 > /proc/sys/net/ipv4/tcp_retries2
    ;;

  stop)
    echo "Stoppe IP-Paketfilter"

    # Flush tables
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X

    echo "Deaktiviere IP-Routing"
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # Set default policies
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    ;;

  status)
    echo "Tabelle filter"
    iptables -L -vn
    echo "Tabelle nat"
    iptables -t nat -L -vn
    echo "Tabelle mangle"
    iptables -t mangle -L -vn
    ;;

  *)
    echo "Fehlerhafter Aufruf"
    echo "Syntax: $0 {start|stop|status}"
    exit 1
    ;;
esac

I then modified this firewall as I was advised. And this is what came out of it:
Code:
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2003 under the GPL
# Autogenerated by iptables Generator v1.16 (c) 2002 by Harald Bertram_
# Please visit http://www.harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# boehm@kraus-automaten.de on: 2003-9-8 11:8.58 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork@hotmail.com) who
# made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------

case "$1" in
  start)
    echo "Starte IP-Paketfilter"

    # iptables module
    modprobe ip_tables

    # Connection tracking modules
    modprobe ip_conntrack
    # The ip_conntrack_irc module is only available on kernels >= 2.4.19
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp

    # Flush tables
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X

    # Set default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    #
    # MY_LOG
    #
    iptables -N MY_LOG
    iptables -A MY_LOG -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
    iptables -A MY_LOG -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
    iptables -A MY_LOG -p icmp -m limit --limit 7200/h -j LOG --log-prefix "REJECT ICMP "

    # MY_REJECT chain
    iptables -N MY_REJECT

    # Populate MY_REJECT
    # iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
    iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
    # iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
    iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
    # iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
    iptables -A MY_REJECT -p icmp -j DROP
    iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
    iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable

    #
    # MY_LOGREJECT
    #
    iptables -N MY_LOGREJECT
    iptables -A MY_LOGREJECT -j MY_LOG
    iptables -A MY_LOGREJECT -j MY_REJECT

    #
    # Exclude from logging
    #
    iptables -A INPUT -p TCP --dport 4661:4665 -j MY_REJECT
    iptables -A INPUT -p UDP --dport 4665 -j MY_REJECT
    iptables -A INPUT -p UDP --dport 137 -j MY_REJECT
    iptables -A INPUT -p UDP --dport 1214 -j MY_REJECT
    iptables -A INPUT -p TCP --dport 1214 -j MY_REJECT
    iptables -A INPUT -p UDP --dport 6970 -j MY_REJECT
    iptables -A INPUT -j MY_LOGREJECT
    iptables -A FORWARD -j MY_LOGREJECT
    iptables -A OUTPUT -j MY_LOGREJECT

    # MY_DROP chain
    iptables -N MY_DROP
    iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
    iptables -A MY_DROP -j DROP

    # Log all discarded packets
    iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
    iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
    iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "

    # Reject corrupt packets
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP

    # DROP stealth scans etc.
    # No flags set
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP

    # SYN and FIN set
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP

    # SYN and RST set at the same time
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP

    # FIN and RST set at the same time
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP

    # FIN without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP

    # PSH without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP

    # URG without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP

    # Allow loopback network communication
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Clamp the Maximum Segment Size (MSS) for forwarding to the PMTU
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # Enable connection tracking
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH
    iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 22 -j ACCEPT

    #
    # Determine the IP address of LAN interface eth0
    #
    LAN_IP1=$(ifconfig eth0 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)

    # NAT for HTTP
    #iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination
    #iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to-source $LAN_IP1
    #iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d --dport 80 -j ACCEPT

    # LAN access on eth0
    iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT

    #
    # Determine the IP address of LAN interface eth1
    #
    LAN_IP2=$(ifconfig eth1 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)

    # NAT for EDONKEY
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4661 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 4661 -j SNAT --to-source $LAN_IP2
    iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.2 --dport 4661 -j ACCEPT
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 4662 -j SNAT --to-source $LAN_IP2
    iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.2 --dport 4662 -j ACCEPT
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4663 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 4663 -j SNAT --to-source $LAN_IP2
    iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.2 --dport 4663 -j ACCEPT
    iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4665 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 4665 -j SNAT --to-source $LAN_IP2
    iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.1.2 --dport 4665 -j ACCEPT
    iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4672 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 4672 -j SNAT --to-source $LAN_IP2
    iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.1.2 --dport 4672 -j ACCEPT

    # LAN access on eth1
    iptables -A INPUT -m state --state NEW -i eth1 -j ACCEPT

    # Default policies with REJECT
    iptables -A INPUT -j MY_REJECT
    iptables -A OUTPUT -j MY_REJECT
    iptables -A FORWARD -j MY_REJECT

    # Routing
    echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

    # Masquerading
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    # SYN cookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null

    # Stop source routing
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done

    # Stop redirecting
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done

    # Reverse path filter
    for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done

    # Log martians
    for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done

    # Disable BOOTP relaying
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done

    # Disable proxy ARP
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done

    # Ignore bogus ICMP error responses
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null

    # Ignore ICMP echo broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null

    # Send at most 500/second (5/jiffy)
    echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

    # Memory allocation and timing for IP (de)fragmentation
    echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
    echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
    echo 30 > /proc/sys/net/ipv4/ipfrag_time

    # Set the TCP FIN timeout to protect against DoS attacks
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

    # At most 3 responses to a TCP SYN
    echo 3 > /proc/sys/net/ipv4/tcp_retries1

    # Retransmit TCP packets at most 15 times
    echo 15 > /proc/sys/net/ipv4/tcp_retries2
    ;;

  stop)
    echo "Stoppe IP-Paketfilter"

    # Flush tables
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X

    echo "Deaktiviere IP-Routing"
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # Set default policies
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    ;;

  status)
    echo "Tabelle filter"
    iptables -L -vn
    echo "Tabelle nat"
    iptables -t nat -L -vn
    echo "Tabelle mangle"
    iptables -t mangle -L -vn
    ;;

  *)
    echo "Fehlerhafter Aufruf"
    echo "Syntax: $0 {start|stop|status}"
    exit 1
    ;;
esac

The only problem is that now nothing works at all.
I no longer have Internet access, nor can I reach the Samba shares from the Windows clients; even ssh barely works any more. So I assume there is an error somewhere in my new firewall script. I hope someone here can tell me where??
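Before deciding which ports to exclude from logging, it helps to count the REJECT lines by protocol and destination port, so that only the genuinely noisy ports are silenced and everything else keeps producing a log entry. The script below is an added example, not part of the post and not from Harry's generator: it parses kernel LOG lines of the format quoted above and prints a frequency table, then turns ports above a chosen threshold into silent-reject rules for the external interface (the chain name MY_REJECT and the interface ppp0 are taken from the post; the threshold, the sample lines and their documentation-range addresses are constructed for this example).

```shell
#!/bin/sh
# Triage kernel LOG lines: count REJECT entries per protocol and destination
# port, then emit silent-reject rules (reject without LOG) for the noisiest
# ports. Added example; sample data is constructed, addresses are from the
# RFC 5737 documentation ranges.

sample_log() {
    cat <<'EOF'
Sep 22 14:43:38 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=4881 DF PROTO=TCP SPT=2416 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 22 14:43:56 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=203.0.113.11 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=47597 PROTO=TCP SPT=4662 DPT=2970 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 22 14:44:08 rhsrv kernel: REJECT UDP IN=ppp0 OUT= MAC= SRC=198.51.100.1 DST=255.255.255.255 LEN=188 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=168
Sep 22 14:44:12 rhsrv kernel: REJECT UDP IN=ppp0 OUT= MAC= SRC=203.0.113.12 DST=198.51.100.1 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=56816 PROTO=UDP SPT=1300 DPT=137 LEN=58
Sep 22 14:44:28 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=203.0.113.13 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=50171 DF PROTO=TCP SPT=60027 DPT=3063 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Sep 22 14:44:31 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=203.0.113.13 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=50243 DF PROTO=TCP SPT=60036 DPT=3063 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Sep 22 14:44:37 rhsrv kernel: REJECT TCP IN=ppp0 OUT= MAC= SRC=203.0.113.13 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=50393 DF PROTO=TCP SPT=60036 DPT=3063 WINDOW=65535 RES=0x00 ACK URGP=0
Sep 22 14:44:40 rhsrv kernel: INPUT INVALID IN=ppp0 OUT= MAC= SRC=203.0.113.14 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=80 DPT=3064 WINDOW=0 RES=0x00 ACK URGP=0
EOF
}

# Read LOG lines on stdin, print "PROTO DPT COUNT", most frequent first.
# Only lines with the "REJECT" prefix count; INVALID/PORTSCAN lines are
# kept out of the table on purpose so they stay visible in the log.
summarize_rejects() {
    awk '
        /kernel: REJECT/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto != "" && dpt != "") count[proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2n
}

# Read the summary on stdin; for every port seen at least $1 times print a
# rule that rejects it on the external interface without logging (the rule
# must sit in front of the logging catch-all to have any effect).
exclusion_rules() {
    awk -v min="$1" '$3 >= min {
        printf "iptables -A INPUT -i ppp0 -p %s --dport %s -j MY_REJECT\n", tolower($1), $2
    }'
}

# Stand-alone run: show the table, then the rules a threshold of 3 yields.
sample_log | summarize_rejects
sample_log | summarize_rejects | exclusion_rules 3
```

On a live box the same pipeline reads the real log (`grep 'kernel: REJECT' /var/log/messages | summarize_rejects`). Keeping the threshold high and the rules bound to `-i ppp0` means one-off probes and anything arriving on the LAN side still show up in the log; the broadcast from port 631 to 255.255.255.255 in the excerpt, for instance, is the host's own traffic and is worth understanding rather than silencing.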
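iptables evaluates a chain top to bottom and the first matching rule decides. In the new script the three unconditional rules `iptables -A INPUT -j MY_LOGREJECT`, `-A FORWARD -j MY_LOGREJECT` and `-A OUTPUT -j MY_LOGREJECT` are appended right after the chains are defined, before the loopback, ESTABLISHED/RELATED, SSH and LAN ACCEPT rules, so every packet is rejected (and logged) before any ACCEPT rule is reached; the original catch-all at the end of the script was placed after the ACCEPT rules. The following is an added example, not the poster's script and not generated by Harry's tool: it rebuilds only the rules that matter for ordering, prints them in iptables-save style instead of applying them (IPT defaults to echo), and includes a check that the logging catch-all is the last word in each built-in chain. Chain names, ports and the ppp0/eth0 interface names are taken from the post; the function names and the check are this example's own.

```shell
#!/bin/sh
# Rule-ordering check for a MY_LOGREJECT-style catch-all. Added example.
# IPT defaults to "echo", which prints each rule in iptables-save syntax;
# run with IPT=iptables (as root) to apply the rules for real.
IPT=${IPT:-echo}

# Logging and reject chains, as in the modified script from the post.
log_chains() {
    $IPT -N MY_LOG
    $IPT -A MY_LOG -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
    $IPT -A MY_LOG -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
    $IPT -A MY_LOG -p icmp -m limit --limit 7200/h -j LOG --log-prefix "REJECT ICMP "
    $IPT -N MY_REJECT
    $IPT -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPT -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
    $IPT -N MY_LOGREJECT
    $IPT -A MY_LOGREJECT -j MY_LOG
    $IPT -A MY_LOGREJECT -j MY_REJECT
}

# Everything that must be allowed: loopback, tracked connections, services.
accepts() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i eth0 -m state --state NEW -j ACCEPT
}

# Silent rejects for the noisy ports (no LOG), then the logged catch-all.
# These must be the LAST rules appended to each built-in chain.
catchall() {
    $IPT -A INPUT -i ppp0 -p tcp --dport 4661:4665 -j MY_REJECT
    $IPT -A INPUT -i ppp0 -p udp --dport 137 -j MY_REJECT
    $IPT -A INPUT -j MY_LOGREJECT
    $IPT -A OUTPUT -j MY_LOGREJECT
    $IPT -A FORWARD -j MY_LOGREJECT
}

posted_order() { log_chains; catchall; accepts; }   # order used in the post
fixed_order()  { log_chains; accepts; catchall; }   # catch-all appended last

# Read "-A CHAIN ..." lines on stdin (dry-run output or iptables-save) and
# fail if, in any chain, an unconditional "-j MY_LOGREJECT" rule precedes
# an ACCEPT rule. Returns 0 when the ordering is sound, 1 otherwise.
check_order() {
    awk '
        $1 == "-A" {
            chain = $2; n[chain]++
            if ($0 ~ /-j ACCEPT$/) last_accept[chain] = n[chain]
            if ($0 ~ /^-A [A-Z]+ -j MY_LOGREJECT$/) catch[chain] = n[chain]
        }
        END {
            bad = 0
            for (c in catch)
                if ((c in last_accept) && last_accept[c] > catch[c]) bad = 1
            exit bad
        }'
}

# Stand-alone run: print the corrected rule order.
fixed_order
```

Fed with `iptables-save`, `check_order` gives the same verdict for a live ruleset, which is a quick way to confirm the fix after reloading the script. The same rule applies to the three `-j MY_REJECT` lines the generator puts under "Default policies with REJECT": once the logging catch-all has been moved to the end of the chains, those are unreachable and can go.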