[Linux] Problem mit Firewall und IP-Routing

Dieses Thema im Forum "Linux & BSD" wurde erstellt von avenger2099, 1. Oktober 2007 .

    Problem mit Firewall und IP-Routing

    Hi habe folgendes Netzwerk:

    eth0 = 10.141.90.0/24
    eth1 = 192.168.0.2/24 (Inet)
    eth3 = 192.168.100.3/24

    Mein Problem liegt eigentlich nur an eth3: Mit eth0 und eth1 klappt alles, das Netz läuft super, nur bekomme ich es nicht hin, dass das Netzwerk an der eth3-Schnittstelle ins Internet kommt.

    Es geht im Moment nur, wenn ich die Firewall aus habe.

    Könnt Ihr mir helfen?



    meine interfaces-Config

    Code:
    
    # The loopback network interface
    auto lo
    iface lo inet loopback
    
    # The primary network interface
    # eth0 is the 10.141.90.0/24 LAN.  Its address 10.141.90.50 is also the
    # address the firewall's nat DNAT rule for 192.168.100.0/24 points at.
    allow-hotplug eth0
    
    auto eth0
    iface eth0 inet static
     address 10.141.90.50
     netmask 255.255.255.0
     broadcast 10.141.90.255
     dns-servers 10.141.90.33
    
    
     dns-search wsa-sysi
    
    # Uplink towards the Internet: the only stanza that sets a default gateway.
    auto eth1
    iface eth1 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    dns-servers 192.168.0.1
    
    # Second LAN, 192.168.100.0/24.
    # NOTE(review): the post describes this network as being on eth3, but this
    # stanza and the firewall rules both use eth2 - confirm which interface
    # name is actually in use.
    auto eth2
    iface eth2 inet static
    address 192.168.100.3
    netmask 255.255.255.0
    broadcast 192.168.100.255
    dns-servers 192.168.0.1
    
    meine Firewall:

    Code:
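    #!/bin/bash
    #
    # Stateful iptables packet filter and NAT gateway for a host with three
    # interfaces (names and addresses taken from the interfaces file above):
    #
    #   eth0  10.141.90.0/24    LAN, this host is 10.141.90.50
    #   eth1  192.168.0.0/24    uplink towards the Internet (gateway 192.168.0.1)
    #   eth2  192.168.100.0/24  second LAN, this host is 192.168.100.3
    #
    # Usage: $0 {start|stop|status}
    #
    # Changes versus the original ruleset (see the comments at the rules):
    #   * The FORWARD rule '-i ! eth2 ... --state NEW,ESTABLISHED,RELATED' is
    #     gone.  '! -i eth1' already accepts new connections from every
    #     non-uplink interface (eth0, eth2, tunnels), so that second rule only
    #     added the forwarding of unsolicited NEW connections arriving on the
    #     uplink eth1 into the LANs.
    #   * INPUT accepts the proxy port (tcp/8080) on eth2.  Port-80 traffic from
    #     192.168.100.0/24 is DNATed to 10.141.90.50:8080, i.e. to this host, so
    #     it is delivered through INPUT on eth2 - where no rule matched it and it
    #     ended in MY_REJECT.  This is most likely why eth2 clients only reached
    #     the Internet with the firewall switched off.
    #   * Interface negation uses '! -i'; the intrapositioned '-i !' form is
    #     deprecated in newer iptables releases.
    #   * Variables in the /proc loops are quoted; the per-port INPUT rules are
    #     generated by a helper instead of being spelled out ~50 times.

    # Interface roles and the networks behind them.
    readonly IF_LAN0=eth0
    readonly IF_WAN=eth1
    readonly IF_LAN2=eth2
    readonly NET_LAN0=10.141.90.0/24
    readonly NET_LAN2=192.168.100.0/24
    readonly IP_LAN0=10.141.90.50
    # Local port that port-80 traffic from both LANs is redirected to.
    # NOTE(review): assumes a proxy listens on tcp/8080 on this host - confirm.
    readonly PROXY_PORT=8080
    # Rate limit for the LOG rules in MY_REJECT.
    readonly LOG_LIMIT=7200/h

    #######################################
    # Accept new connections to a local service.
    # Arguments: $1 - input interface, $2 - protocol (tcp|udp),
    #            $3 - destination port
    #######################################
    allow_in() {
      iptables -A INPUT -i "$1" -m state --state NEW -p "$2" --dport "$3" -j ACCEPT
    }

    #######################################
    # Drop TCP packets with a flag combination that never occurs in normal
    # traffic (scan / fingerprint patterns), on INPUT and FORWARD.
    # Arguments: $1 - flag mask, $2 - flags that must be set within the mask
    #######################################
    drop_bogus_flags() {
      local chain
      for chain in INPUT FORWARD; do
        iptables -A "$chain" -p tcp --tcp-flags "$1" "$2" -j MY_DROP
      done
    }

    #######################################
    # Write one value to /proc/sys/net/ipv4/conf/*/<key> for every interface.
    # Write errors are ignored: not every kernel has every key.
    # Arguments: $1 - key, $2 - value
    #######################################
    set_all_conf() {
      local conf
      for conf in /proc/sys/net/ipv4/conf/*; do
        echo "$2" > "$conf/$1" 2> /dev/null
      done
    }

    #######################################
    # Flush all rules and delete all user chains in filter, nat and mangle.
    #######################################
    flush_tables() {
      local table
      for table in filter nat mangle; do
        iptables -t "$table" -F
        iptables -t "$table" -X
      done
    }

    #######################################
    # Load modules, install the rule set, enable forwarding, harden sysctls.
    #######################################
    fw_start() {
      echo "Starte IP-Paketfilter"

      # Netfilter and connection-tracking modules; the FTP/IRC helpers make
      # the data connections of those protocols RELATED.
      # (ip_conntrack_irc only exists on kernels >= 2.4.19.)
      modprobe ip_tables
      modprobe ip_conntrack
      modprobe ip_conntrack_irc
      modprobe ip_conntrack_ftp

      # Start from empty tables.
      flush_tables

      # Default: drop everything that is not explicitly accepted.
      iptables -P INPUT DROP
      iptables -P OUTPUT DROP
      iptables -P FORWARD DROP

      # MY_REJECT: log (rate limited) and answer with the protocol-appropriate
      # rejection; ICMP is silently dropped.
      iptables -N MY_REJECT
      iptables -A MY_REJECT -p tcp -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "REJECT TCP "
      iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
      iptables -A MY_REJECT -p udp -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "REJECT UDP "
      iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
      iptables -A MY_REJECT -p icmp -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "DROP ICMP "
      iptables -A MY_REJECT -p icmp -j DROP
      iptables -A MY_REJECT -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "REJECT OTHER "
      iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable

      # MY_DROP: silent drop in its own chain so logging can be added later.
      iptables -N MY_DROP
      iptables -A MY_DROP -j DROP
      # Uncomment to log every packet (very noisy):
      #iptables -A INPUT -j LOG --log-prefix "INPUT LOG "
      #iptables -A OUTPUT -j LOG --log-prefix "OUTPUT LOG "
      #iptables -A FORWARD -j LOG --log-prefix "FORWARD LOG "

      # Packets the connection tracker cannot classify.
      local chain
      for chain in INPUT OUTPUT FORWARD; do
        iptables -A "$chain" -m state --state INVALID -j DROP
      done

      # Bogus TCP flag combinations (stealth scans etc.).
      drop_bogus_flags ALL NONE          # no flags at all
      drop_bogus_flags SYN,FIN SYN,FIN   # SYN and FIN together
      drop_bogus_flags SYN,RST SYN,RST   # SYN and RST together
      drop_bogus_flags FIN,RST FIN,RST   # FIN and RST together
      drop_bogus_flags ACK,FIN FIN       # FIN without ACK
      drop_bogus_flags ACK,PSH PSH       # PSH without ACK
      drop_bogus_flags ACK,URG URG       # URG without ACK

      # Loopback is unrestricted.
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A OUTPUT -o lo -j ACCEPT

      # Clamp the MSS of forwarded SYNs to the path MTU.
      iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

      # Stateful core.  Locally originated traffic may go anywhere; new
      # connections may be forwarded from every interface except the uplink;
      # replies to accepted connections pass on every chain.  There is no
      # rule forwarding NEW connections that arrive on the uplink.
      iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      iptables -A FORWARD ! -i "$IF_WAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

      # Local services reachable from the uplink and from the eth2 LAN.
      # NOTE(review): Telnet (23) and MySQL (3306) are accepted on the uplink
      # interface; keep them only if they are really needed from that side.
      local iface port
      for iface in "$IF_WAN" "$IF_LAN2"; do
        # HTTP, HTTPS, SMTP, SMTPS, NNTP, DNS, FTP, SSH, MySQL, IRC, Telnet
        for port in 80 443 25 465 119 53 21 22 3306 6667 23; do
          allow_in "$iface" tcp "$port"
        done
        # DNS, NTP, OpenVPN (old default 5000 and current default 1194)
        for port in 53 123 5000 1194; do
          allow_in "$iface" udp "$port"
        done
      done
      # SMB/CIFS - as in the original only opened on the uplink interface.
      for port in 137 138 139 445; do
        allow_in "$IF_WAN" tcp "$port"
        allow_in "$IF_WAN" udp "$port"
      done
      # Port-80 traffic from the eth2 LAN is DNATed (nat rules below) to this
      # host's eth0 address on the proxy port; it therefore arrives in INPUT
      # on eth2 and must be accepted here.  eth0 is covered by the catch-all
      # further down.
      allow_in "$IF_LAN2" tcp "$PROXY_PORT"

      # Answer pings.
      iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

      # Everything new from the eth0 LAN.
      iptables -A INPUT -m state --state NEW -i "$IF_LAN0" -j ACCEPT
      # NOTE(review): kept from the original, but this catch-all on the uplink
      # makes the per-port list for eth1 above redundant and exposes every
      # local service towards 192.168.0.0/24.  Remove it once the port list
      # above is confirmed to be complete.
      iptables -A INPUT -m state --state NEW -i "$IF_WAN" -j ACCEPT

      # Whatever is left is logged and rejected.
      iptables -A INPUT -j MY_REJECT
      iptables -A OUTPUT -j MY_REJECT
      iptables -A FORWARD -j MY_REJECT

      echo "Aktiviere IP-Routing"
      echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

      # NAT.  HTTP from the eth0 LAN is transparently redirected to the local
      # proxy port; HTTP from the eth2 LAN is DNATed to the same proxy via the
      # eth0 address; both LANs are masqueraded behind the uplink.
      iptables -t nat -A PREROUTING -s "$NET_LAN0" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
      iptables -t nat -A PREROUTING -s "$NET_LAN2" -p tcp --dport 80 -j DNAT --to-destination "${IP_LAN0}:${PROXY_PORT}"
      iptables -t nat -A POSTROUTING -s "$NET_LAN0" -o "$IF_WAN" -j MASQUERADE
      iptables -t nat -A POSTROUTING -s "$NET_LAN2" -o "$IF_WAN" -j MASQUERADE

      # Kernel hardening.
      echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
      set_all_conf accept_source_route 0   # no source-routed packets
      set_all_conf accept_redirects 0      # ignore ICMP redirects
      set_all_conf rp_filter 2             # reverse-path filter (2 = loose where supported)
      set_all_conf log_martians 1          # log packets with impossible addresses
      set_all_conf bootp_relay 0
      set_all_conf proxy_arp 0

      # Optional ICMP hardening, disabled as in the original:
      #echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
      #echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
      #echo 5 > /proc/sys/net/ipv4/icmp_ratelimit   # max. 500/s (5 per jiffie)

      # Memory thresholds and timeout for IP fragment reassembly.
      echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
      echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
      echo 30 > /proc/sys/net/ipv4/ipfrag_time

      # Optional TCP timeouts/retries, disabled as in the original:
      #echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout   # shorter FIN timeout against DoS
      #echo 3 > /proc/sys/net/ipv4/tcp_retries1       # at most 3 answers to a SYN
      #echo 15 > /proc/sys/net/ipv4/tcp_retries2      # retransmit at most 15 times
    }

    #######################################
    # Remove all rules, disable forwarding and open the policies.
    # Note: afterwards the host is completely unfiltered.
    #######################################
    fw_stop() {
      echo "Stoppe IP-Paketfilter"
      flush_tables
      echo "Deaktiviere IP-Routing"
      echo 0 > /proc/sys/net/ipv4/ip_forward
      iptables -P INPUT ACCEPT
      iptables -P OUTPUT ACCEPT
      iptables -P FORWARD ACCEPT
    }

    #######################################
    # Print the rules of all three tables with counters.
    #######################################
    fw_status() {
      echo "Tabelle filter"
      iptables -L -vn
      echo "Tabelle nat"
      iptables -t nat -L -vn
      echo "Tabelle mangle"
      iptables -t mangle -L -vn
    }

    case "$1" in
      start)
        fw_start
        ;;
      stop)
        fw_stop
        ;;
      status)
        fw_status
        ;;
      *)
        echo "Fehlerhafter Aufruf"
        echo "Syntax: $0 {start|stop|status}"
        exit 1
        ;;
    esac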
    
    
    
     