[Linux] Problemm mit Firewall und Iprouting

avenger2099 · 1. Oktober 2007

Problemm mit Firewall und Iprouting

Hi habe folgendes Netzwerk:

eth0 = 10.141.90.0/24
eth1 = 192.168.0.2/24 (Inet)
eth3 = 192.168.100.3/24

Mein Problem liegt einglich nur an der eth3 mit eth0 und eth1 klappt alles das Netz läuft super nur ich bekommes es nicht hin das das Netzwerk auf der eth3 Schnittstelle ins Inet kommt.

Es geht im Moment nur wenn ich die Firewall aushabe.

Könnt Ihr mir helfen?

meine interfaces-Config

Code:


# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0

auto eth0
iface eth0 inet static
 address 10.141.90.50
 netmask 255.255.255.0
 broadcast 10.141.90.255
 dns-servers 10.141.90.33


 dns-search wsa-sysi

auto eth1
iface eth1 inet static
address 192.168.0.2
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-servers 192.168.0.1

auto eth2
iface eth2 inet static
address 192.168.100.3
netmask 255.255.255.0
broadcast 192.168.100.255
dns-servers 192.168.0.1

meine Firewall:

Code:

#!/bin/bash
case "$1" in
 start)
 echo "Starte IP-Paketfilter"

 # iptables-Modul
 modprobe ip_tables
 # Connection-Tracking-Module
 modprobe ip_conntrack
 # Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
 modprobe ip_conntrack_irc
 modprobe ip_conntrack_ftp

 # Tabelle flushen
 iptables -F
 iptables -t nat -F
 iptables -t mangle -F
 iptables -X
 iptables -t nat -X
 iptables -t mangle -X

 # Default-Policies setzen
 iptables -P INPUT DROP
 iptables -P OUTPUT DROP
 iptables -P FORWARD DROP

 # MY_REJECT-Chain
 iptables -N MY_REJECT

 # MY_REJECT fuellen
 iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
 iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
 iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
 iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
 iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
 iptables -A MY_REJECT -p icmp -j DROP
 iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
 iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable

 # MY_DROP-Chain
 iptables -N MY_DROP
 iptables -A MY_DROP -j DROP
# Alle Pakete protokollieren
 #iptables -A INPUT -j LOG --log-prefix "INPUT LOG "
 #iptables -A OUTPUT -j LOG --log-prefix "OUTPUT LOGï¿½"
 #iptables -A FORWARD -j LOG --log-prefix "FORWARD LOG "

 # Korrupte Pakete zurueckweisen
 iptables -A INPUT -m state --state INVALID -j DROP
 iptables -A OUTPUT -m state --state INVALID -j DROP
 iptables -A FORWARD -m state --state INVALID -j DROP

 # Stealth Scans etc. DROPpen
 # Keine Flags gesetzt
 iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
 iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP

 # SYN und FIN gesetzt
 iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
 iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP

 # SYN und RST gleichzeitig gesetzt
 iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP


 # FIN und RST gleichzeitig gesetzt
 iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
 iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP

 # FIN ohne ACK
 iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
 iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP

 # PSH ohne ACK
 iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
 iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP

 # URG ohne ACK
 iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
 iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP

 # Loopback-Netzwerk-Kommunikation zulassen
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

 # Maximum Segment Size (MSS) fï¿½r das Forwarding an PMTU anpassen
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

 # Connection-Tracking aktivieren
 iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -i ! eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 #
 iptables -A FORWARD -i ! eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 #
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 # HTTP
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 80 -j ACCEPT

 # HTTPS
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 443 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 443 -j ACCEPT

 # SMTP
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 25 -j ACCEPT

 # SMTPS
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 465 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 465 -j ACCEPT

 # NNTP
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 119 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 119 -j ACCEPT

 # DNS
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 53 -j ACCEPT
 iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 53 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 53 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p udp --dport 53 -j ACCEPT

 # FTP
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 21 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 21 -j ACCEPT


 # SMB/CIFS
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 137 -j ACCEPT
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 138 -j ACCEPT
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 139 -j ACCEPT
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 445 -j ACCEPT
 iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 137 -j ACCEPT
 iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 138 -j ACCEPT
 iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 139 -j ACCEPT
 iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 445 -j ACCEPT

 # SSH
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 22 -j ACCEPT

 # MYSQL
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

 # NTP
 iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 123 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p udp --dport 123 -j ACCEPT

 # IRC
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 6667 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 6667 -j ACCEPT

 # TELNET
 iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 23 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p tcp --dport 23 -j ACCEPT

 # OPENVPN_V1
 iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 5000 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p udp --dport 5000 -j ACCEPT

 # OPENVPN_V2
 iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 1194 -j ACCEPT
 iptables -A INPUT -i eth2 -m state --state NEW -p udp --dport 1194 -j ACCEPT

 # ICMP Echo-Request (ping) zulassen und beantworten
 iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

 # LAN-Zugriff auf eth0
 iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
 iptables -A INPUT -m state --state NEW -i eth1 -j ACCEPT

 # Default-Policies mit REJECT
 iptables -A INPUT -j MY_REJECT
 iptables -A OUTPUT -j MY_REJECT
 iptables -A FORWARD -j MY_REJECT

 # Forwarding/Routing
 echo "Aktiviere IP-Routing"
 echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

 # Masquerading
 #iptables -A PREROUTING -s 10.141.90.0 -p tcp --dport 80 -j REDIRECT --to-port 8080
 #iptables -A POSTROUTING -t nat -s 172.15.1.0/24 -o eth1 -j MASQUERADE
 #iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

 iptables -A PREROUTING -t nat -s 10.141.90.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080


 iptables -A PREROUTING -t nat -s 192.168.100.0/24 -p tcp --dport 80 -j DNAT --to-destination 10.141.90.50:8080
 iptables -A POSTROUTING -t nat -s 10.141.90.0/24 -o eth1 -j MASQUERADE

 iptables -A POSTROUTING -j MASQUERADE -t nat -s 192.168.100.0/24 -o eth1
 #iptables -A POSTROUTING -t nat -s 10.141.90.0/24 -o eth2 -j MASQUERADE


 # SYN-Cookies
 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null

 # Stop Source-Routing
 for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done

 # Stop Redirecting
 for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done

 # Reverse-Path-Filter
 for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done

 # Log Martians
 for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done

 # BOOTP-Relaying ausschalten
 for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done

 # Proxy-ARP ausschalten
 for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done

 # Ungï¿½ltige ICMP-Antworten ignorieren
 #echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null

 # ICMP Echo-Broadcasts ignorieren
 #echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null

 # Max. 500/Sekunde (5/Jiffie) senden
 #echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

 # Speicherallozierung und -timing fï¿½r IP-De/-Fragmentierung
 echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
 echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
 echo 30 > /proc/sys/net/ipv4/ipfrag_time

 # TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
 #echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

 # Maximal 3 Antworten auf ein TCP-SYN
 #echo 3 > /proc/sys/net/ipv4/tcp_retries1

 # TCP-Pakete maximal 15x wiederholen
 #echo 15 > /proc/sys/net/ipv4/tcp_retries2

 ;;

 stop)
 echo "Stoppe IP-Paketfilter"
 # Tabelle flushen
 iptables -F
 iptables -t nat -F
 iptables -t mangle -F
 iptables -X
 iptables -t nat -X
 iptables -t mangle -X
 echo "Deaktiviere IP-Routing"

 echo 0 > /proc/sys/net/ipv4/ip_forward

 # Default-Policies setzen
 iptables -P INPUT ACCEPT
 iptables -P OUTPUT ACCEPT
 iptables -P FORWARD ACCEPT
 ;;

 status)
 echo "Tabelle filter"
 iptables -L -vn
 echo "Tabelle nat"
 iptables -t nat -L -vn
 echo "Tabelle mangle"
 iptables -t mangle -L -vn
 ;;

 *)
 echo "Fehlerhafter Aufruf"
 echo "Syntax: $0 {start|stop|status}"
 exit 1
 ;;


esac

Anzeige

Nützliche Suchen

[Linux] Problemm mit Firewall und Iprouting

Videos zum Themenbereich