thund3rbird (n00b), joined 19 Sep 2002, 35 posts
Posted: Sat Oct 12, 2002 9:28 am    Post subject: IPTABLES & FWBUILDER
Hi all,
I have a firewall on my machine via iptables, which I compiled statically into the kernel!
I use fwbuilder to create my firewall rules.
That all worked perfectly on the old machine, but now under Gentoo with vanilla-sources my network always hangs when I try to start the RULES manually.
fwbuilder creates a file with the iptables RULES.
I ran it manually:
Code:
./hostname.domain.fw
When I entered that before, it always showed me which RULES were running.
Now it's simply empty and my network dies!!!
What could be the reason??
Please HELP!!!
THX
cu mirko
_________________
Linux -][- Life is too short for reboot!-][-
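As an added example, not from this thread: the symptom above, a firewall script that prints nothing and then takes the network with it, is the reason never to apply a ruleset with DROP policies without a way back. The sh functions below snapshot the live ruleset with iptables-save, run the generated script, and restore the snapshot with iptables-restore unless fw_confirm is called within a timeout. The function and variable names, the default state directory /var/run/fw-rollback, and the stubbed save/restore commands in the demo are my own assumptions; the demo ruleset and the bad.fw stand-in script are constructed to mimic what the posted script does and need no iptables binary.

```shell
#!/bin/sh
# Added example, not from the thread: apply a generated firewall script with a
# dead man's switch.  The live ruleset is saved first; unless fw_confirm is run
# within the timeout, it is restored, so a ruleset that cuts the host off
# (policy DROP plus a wrong interface name or a match the kernel lacks)
# undoes itself.  Save/restore commands and the state directory are
# parameters (assumed names) so the logic can be exercised with stubs.

FW_SAVE=${FW_SAVE:-iptables-save}
FW_RESTORE=${FW_RESTORE:-iptables-restore}
FW_STATE=${FW_STATE:-/var/run/fw-rollback}   # holds rules.saved and the confirm flag

# Snapshot the live ruleset.  Fails if nothing was saved: with no snapshot
# there is nothing to roll back to, so the caller must not proceed.
fw_snapshot() {
    mkdir -p "$FW_STATE" &&
    "$FW_SAVE" > "$FW_STATE/rules.saved" &&
    [ -s "$FW_STATE/rules.saved" ]
}

fw_restore() { "$FW_RESTORE" < "$FW_STATE/rules.saved"; }

# Call from a second session once you know the new rules did not lock you out.
fw_confirm() { : > "$FW_STATE/confirmed"; }

# fw_apply_with_rollback SCRIPT [TIMEOUT_SECONDS]
# Prints "kept" (status 0) or "rolled back" (status 2).
fw_apply_with_rollback() {
    script=$1 timeout=${2:-60} i=0
    rm -f "$FW_STATE/confirmed"
    fw_snapshot || { echo "refusing to apply $script: could not snapshot live rules" >&2; return 1; }
    sh "$script" || echo "warning: $script exited with status $?" >&2
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$FW_STATE/confirmed" ]; then echo kept; return 0; fi
        sleep 1; i=$((i + 1))
    done
    fw_restore
    echo "rolled back"
    return 2
}

# --- Constructed demo with stubs (no iptables needed) -----------------------
FW_STATE=$(mktemp -d)
LIVE_RULES=$FW_STATE/live      # stands in for the kernel's ruleset
printf '*filter\n:INPUT ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n' > "$LIVE_RULES"
fake_save()    { cat "$LIVE_RULES"; }
fake_restore() { cat > "$LIVE_RULES"; }
FW_SAVE=fake_save FW_RESTORE=fake_restore

# A stand-in for the generated script: like the posted one it flips the
# built-in chains to DROP and, being silent, gives no hint that it did.
cat > "$FW_STATE/bad.fw" <<EOF
#!/bin/sh
printf '*filter\n:INPUT DROP [0:0]\n:OUTPUT DROP [0:0]\nCOMMIT\n' > "$LIVE_RULES"
EOF

# Nobody confirms within 2 seconds: the ACCEPT policies come back.
fw_apply_with_rollback "$FW_STATE/bad.fw" 2 || echo "exit status $?"
grep -c ACCEPT "$LIVE_RULES"
```

On a real host, source the file with FW_SAVE and FW_RESTORE left at their defaults and run fw_apply_with_rollback /etc/hostname.domain.fw 60 detached from the terminal you might lose (under nohup with &, or from a setsid shell), then fw_confirm from a fresh session once you can still log in. Two caveats: iptables-restore puts back rules and policies only, so the sysctl changes the generated script makes (ip_forward and the tcp settings) are not reverted; and the snapshot must be non-empty, which is why fw_snapshot refuses to proceed when iptables-save prints nothing.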
Anotherone (n00b), joined 19 Sep 2002, 26 posts
Posted: Sat Oct 12, 2002 2:40 pm
It would help if you could post the contents of the file, and what exactly does "the network dies" mean?
Anotherone
_________________
Notebook
Celeron 700
Gentoo 1.4
Kernel 2.4.20 with XFS
Gnome 2 + XFCE 4
MasterOfMagic (l33t), joined 20 Aug 2002, 677 posts, location: Vienna, Austria
Posted: Sun Oct 13, 2002 12:39 am
Did you perhaps forget something in the netfilter settings in the kernel?
Why don't you write your script without this firewall builder? Some message must appear showing where exactly it gets stuck.
Regards
masterofmagic
_________________
Gentoo 1.4
Kernel 2.4.24
KDE 3.1.5
lorschy (Apprentice), joined 16 Jul 2002, 191 posts
Posted: Wed Oct 16, 2002 10:30 pm
I have exactly the same problem. I had built a working script under my old Gentoo, and fwbuilder version 1.0.5, and I imported it. Compiling and so on works too, but when I want to start it, it doesn't work at all.
Here is the script:
Code:
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v1.0.6-
#
# Generated Wed Oct 16 23:21:53 2002 CEST by root
#
#
#
#
!#check() {
!#    if test ! -x "$1"; then
!#        echo "$1 not found or is not executable"
!#        exit 1
!#    fi
!#}
log() {
    if test -x "$LOGGER"; then
        logger -p info "$1"
    fi
}
!#MODPROBE=""
!IPTABLES="/sbin/iptables"
!#IP=""
!LOGGER="/usr/bin/logger"
!#check $MODPROBE
!#check $IPTABLES
!#check $IP
cd /etc || exit 1
log "Activating firewall script generated Wed Oct 16 23:21:53 2002 CEST by root"
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES="ipt_conntrack ipt_conntrack_ftp ipt_nat_ftp ipt_conntrack_irc ipt_nat_irc"
for module in $(echo $MODULES); do
    if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then
        $MODPROBE -k ${module} || exit 1
    fi
done
FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
!#$IP -4 neigh flush dev eth0
!#$IP -4 addr flush dev eth0 label "eth0:FWB*"
!#$IP -4 neigh flush dev eth1
!#$IP -4 addr flush dev eth1 label "eth1:FWB*"
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
    $IPTABLES -t $table -X
done
#
# Rule 0(NAT)
#
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 127.0.0.1 -j SNAT --to-source 172.26.7.112
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 127.0.0.1/8 -j SNAT --to-source 172.26.7.112
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.190 -j SNAT --to-source 172.26.7.112
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 172.26.7.111 -j SNAT --to-source 172.26.7.112
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 172.26.7.112
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.80 -j SNAT --to-source 172.26.7.112
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(localhost)
#
# allow everything on loopback
#
$IPTABLES -A FORWARD -i localhost -j ACCEPT
$IPTABLES -A FORWARD -o localhost -j ACCEPT
#
# Rule 0(eth0)
#
#
#
$IPTABLES -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -m state --state NEW -j ACCEPT
#
# Rule 0(eth1)
#
#
#
$IPTABLES -A FORWARD -i eth1 -j DROP
$IPTABLES -A FORWARD -o eth1 -j DROP
#
# Rule 0(global)
#
# block fragments
#
$IPTABLES -N RULE_0
$IPTABLES -A INPUT -p ip -f -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DROP "
$IPTABLES -A RULE_0 -j DROP
#
# Rule 1(global)
#
# NBT Client
#
$IPTABLES -A INPUT -p tcp -s 192.168.1.200 -d 127.0.0.1/8 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 172.26.7.112 -d 127.0.0.1/8 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s 192.168.1.200 -d 127.0.0.1/8 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s 172.26.7.112 -d 127.0.0.1/8 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 127.0.0.1/8 --destination-port 139 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport -d 127.0.0.1/8 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 192.168.1.200 -d 127.0.0.1 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 172.26.7.112 -d 127.0.0.1 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s 192.168.1.200 -d 127.0.0.1 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s 172.26.7.112 -d 127.0.0.1 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 127.0.0.1 --destination-port 139 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport -d 127.0.0.1 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 192.168.1.200 -d 172.26.7.112 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 172.26.7.112 -d 172.26.7.112 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s 192.168.1.200 -d 172.26.7.112 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s 172.26.7.112 -d 172.26.7.112 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 172.26.7.112 --destination-port 139 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport -d 172.26.7.112 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 192.168.1.80 --destination-port 139 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 192.168.1.190 --destination-port 139 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 172.26.7.111 --destination-port 139 -j ACCEPT
$IPTABLES -N ptmp001
$IPTABLES -A OUTPUT -d 192.168.1.80 -j ptmp001
$IPTABLES -A OUTPUT -d 192.168.1.190 -j ptmp001
$IPTABLES -A OUTPUT -d 172.26.7.111 -j ptmp001
$IPTABLES -A ptmp001 -p udp -m multiport --destination-ports 138,139,137 -j ACCEPT
#
# Rule 2(global)
#
# NBT Server
#
$IPTABLES -A INPUT -p tcp -s 127.0.0.1/8 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s 127.0.0.1/8 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 127.0.0.1/8 -d 192.168.1.200 --destination-port 139 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 127.0.0.1/8 -d 172.26.7.112 --destination-port 139 -j ACCEPT
$IPTABLES -N ptmp002
$IPTABLES -A OUTPUT -d 192.168.1.200 -j ptmp002
$IPTABLES -A OUTPUT -d 172.26.7.112 -j ptmp002
$IPTABLES -A ptmp002 -p udp -m multiport -s 127.0.0.1/8 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s 127.0.0.1 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 127.0.0.1 -d 192.168.1.200 --destination-port 139 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 127.0.0.1 -d 172.26.7.112 --destination-port 139 -j ACCEPT
$IPTABLES -N ptmp003
$IPTABLES -A OUTPUT -d 192.168.1.200 -j ptmp003
$IPTABLES -A OUTPUT -d 172.26.7.112 -j ptmp003
$IPTABLES -A ptmp003 -p udp -m multiport -s 127.0.0.1 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 172.26.7.112 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s 172.26.7.112 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 172.26.7.112 -d 192.168.1.200 --destination-port 139 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 172.26.7.112 -d 172.26.7.112 --destination-port 139 -j ACCEPT
$IPTABLES -N ptmp004
$IPTABLES -A OUTPUT -d 192.168.1.200 -j ptmp004
$IPTABLES -A OUTPUT -d 172.26.7.112 -j ptmp004
$IPTABLES -A ptmp004 -p udp -m multiport -s 172.26.7.112 --destination-ports 138,139,137 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 192.168.1.80 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 192.168.1.190 --destination-port 139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 172.26.7.111 --destination-port 139 -j ACCEPT
$IPTABLES -N ptmp005
$IPTABLES -A INPUT -p udp -m multiport --destination-ports 138,139,137 -j ptmp005
$IPTABLES -A ptmp005 -s 192.168.1.80 -j ACCEPT
$IPTABLES -A ptmp005 -s 192.168.1.190 -j ACCEPT
$IPTABLES -A ptmp005 -s 172.26.7.111 -j ACCEPT
#
# Rule 3(global)
#
# POSTFIX SMTP
#
$IPTABLES -A INPUT -p tcp -s 127.0.0.1/8 --destination-port 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 127.0.0.1/8 -d 192.168.1.200 --destination-port 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 127.0.0.1/8 -d 172.26.7.112 --destination-port 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 172.26.7.112 --destination-port 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 172.26.7.112 -d 192.168.1.200 --destination-port 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 172.26.7.112 -d 172.26.7.112 --destination-port 25 -j ACCEPT
#
# Rule 4(global)
#
# POSTFIX SMTP
#
$IPTABLES -A INPUT -p tcp --destination-port 25 -j REJECT --reject-with icmp-host-prohibited
#
# Rule 9(global)
#
# allow all outgoing connections
#
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
#
# Rule 10(global)
#
# News
#
$IPTABLES -A INPUT -p tcp -s 195.139.52.141 --destination-port 119 -j ACCEPT
#
# Rule 11(global)
#
# E-Mail
#
$IPTABLES -N ptmp006
$IPTABLES -A OUTPUT -d 213.165.64.20 -j ptmp006
$IPTABLES -A ptmp006 -p tcp -m multiport --destination-ports 25,143,110 -j ACCEPT
#
# Rule 12(global)
#
# DNS
#
$IPTABLES -A INPUT -p tcp -s 192.168.1.200 --destination-port 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 172.26.7.112 --destination-port 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 192.168.1.200 --destination-port 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 172.26.7.112 --destination-port 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 62.225.139.162 --destination-port 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 62.225.139.162 --destination-port 53 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 62.225.139.162 -d 62.225.139.162 --destination-port 53 -j ACCEPT
#
# Rule 13(global)
#
# BROWSER
#
$IPTABLES -A OUTPUT -p tcp -m multiport --destination-ports 21,80,443 -j ACCEPT
#
# Rule 14(global)
#
#
#
$IPTABLES -N RULE_14
$IPTABLES -A INPUT -p tcp --source-port 20 --destination-port 1025:65535 -j RULE_14
$IPTABLES -A RULE_14 -j LOG --log-level info --log-prefix "RULE 14 -- DROP "
$IPTABLES -A RULE_14 -j DROP
#
# Rule 15(global)
#
# NetzwerkMngm
#
$IPTABLES -N ptmp008
$IPTABLES -A INPUT -p icmp --icmp-type 8/0 -j ptmp008
$IPTABLES -A INPUT -p icmp --icmp-type 0/0 -j ptmp008
$IPTABLES -A ptmp008 -s 192.168.1.200 -j ACCEPT
$IPTABLES -A ptmp008 -s 172.26.7.112 -j ACCEPT
$IPTABLES -N ptmp009
$IPTABLES -A INPUT -p udp -m multiport --destination-ports 161,162 -j ptmp009
$IPTABLES -A ptmp009 -s 192.168.1.200 -j ACCEPT
$IPTABLES -A ptmp009 -s 172.26.7.112 -j ACCEPT
$IPTABLES -N ptmp010
$IPTABLES -A OUTPUT -d 192.168.1.200 -j ptmp010
$IPTABLES -A OUTPUT -d 172.26.7.112 -j ptmp010
$IPTABLES -A ptmp010 -p icmp --icmp-type 8/0 -j ACCEPT
$IPTABLES -A ptmp010 -p icmp --icmp-type 0/0 -j ACCEPT
$IPTABLES -N ptmp011
$IPTABLES -A OUTPUT -d 192.168.1.200 -j ptmp011
$IPTABLES -A OUTPUT -d 172.26.7.112 -j ptmp011
$IPTABLES -A ptmp011 -p udp -m multiport --destination-ports 161,162 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -d 192.168.1.190 --icmp-type 8/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -d 192.168.1.190 --icmp-type 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport -d 192.168.1.190 --destination-ports 161,162 -j ACCEPT
$IPTABLES -A INPUT -p icmp -s 192.168.1.190 --icmp-type 8/0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -s 192.168.1.190 --icmp-type 0/0 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s 192.168.1.190 --destination-ports 161,162 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -s 192.168.1.190 -d 192.168.1.190 --icmp-type 8/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -s 192.168.1.190 -d 192.168.1.190 --icmp-type 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m multiport -s 192.168.1.190 -d 192.168.1.190 --destination-ports 161,162 -j ACCEPT
#
# Rule 16(global)
#
# Ping
#
$IPTABLES -A OUTPUT -p icmp --icmp-type 8/0 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --destination-port 33434:33524 -j ACCEPT
# Rule 17(global)
#
# NBT Silencer
#
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --destination-port 139 -j DROP
$IPTABLES -A INPUT -p udp -m multiport -s 127.0.0.1 --destination-ports 138,139,137 -j DROP
$IPTABLES -A OUTPUT -p tcp -s 127.0.0.1 -d 192.168.1.200 --destination-port 139 -j DROP
$IPTABLES -A OUTPUT -p tcp -s 127.0.0.1 -d 172.26.7.112 --destination-port 139 -j DROP
$IPTABLES -N ptmp012
$IPTABLES -A OUTPUT -d 192.168.1.200 -j ptmp012
$IPTABLES -A OUTPUT -d 172.26.7.112 -j ptmp012
$IPTABLES -A ptmp012 -p udp -m multiport -s 127.0.0.1 --destination-ports 138,139,137 -j DROP
$IPTABLES -A INPUT -p tcp -s 192.168.1.80 --destination-port 139 -j DROP
$IPTABLES -A INPUT -p tcp -s 192.168.1.190 --destination-port 139 -j DROP
$IPTABLES -A INPUT -p tcp -s 172.26.7.111 --destination-port 139 -j DROP
$IPTABLES -N ptmp013
$IPTABLES -A INPUT -p udp -m multiport --destination-ports 138,139,137 -j ptmp013
$IPTABLES -A ptmp013 -s 192.168.1.80 -j DROP
$IPTABLES -A ptmp013 -s 192.168.1.190 -j DROP
$IPTABLES -A ptmp013 -s 172.26.7.111 -j DROP
#
# Rule 19(global)
#
#
#
$IPTABLES -A INPUT -s 127.0.0.1 -d 127.0.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -m state --state NEW -j ACCEPT
#
# Rule 20(global)
#
# BattleCom
#
$IPTABLES -A FORWARD -p tcp -d 192.168.1.190 --destination-port 2300:2400 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 192.168.1.190 --destination-port 47624:47625 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 192.168.1.190 --destination-port 28800:28900 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 192.168.1.190 --destination-port 2300:2400 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 192.168.1.190 --destination-port 47624:47625 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 192.168.1.190 --destination-port 28800:28900 -j ACCEPT
#
# Rule 22(global)
#
# 'masquerading' rule
#
$IPTABLES -A OUTPUT -s 127.0.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 127.0.0.1/8 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.190 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 172.26.7.111 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.80 -m state --state NEW -j ACCEPT
#
# Rule 23(global)
#
# 'catch all' rule
#
$IPTABLES -N RULE_23
$IPTABLES -A INPUT -j RULE_23
$IPTABLES -A RULE_23 -j LOG --log-level info --log-prefix "RULE 23 -- DROP "
$IPTABLES -A RULE_23 -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward
The things at the beginning with !# I had to comment out so that it works at all.
Otherwise I always got the error "not found or is not executable".
And this way the chains are in there, but I can't get out any more, not even as localhost. Ping and so on works in the normal LAN though.
Did I maybe forget to build something into the kernel, or a module?
So, is this a typical error message?
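As an added example, not from the thread and not part of Firewall Builder: a pre-flight check that compares what a generated script needs against what the kernel provides, which covers both the opening post (a script that runs silently and leaves the host cut off) and MasterOfMagic's question about missing netfilter kernel options. Two things are worth knowing about the script posted above when reading the checks: the two "allow everything on loopback" rules match on an interface named localhost, which exists on no Linux host (the loopback interface is lo), so they never match, and they are in FORWARD rather than INPUT/OUTPUT; and every rule that uses -m state depends on connection tracking, so if the kernel lacks it those rules are rejected and the DROP policies set at the top are all that remains. The miniature sample script and the fake /proc tree below are constructed; PROC is a parameter I introduced so the host side can be pointed at a fixture; the kernel option names are those of the 2.4 netfilter configuration.

```shell
#!/bin/sh
# Added example, not from the thread or from Firewall Builder: pre-flight
# checks for an fwbuilder-generated iptables script, run before the script
# itself sets the built-in chains to DROP.  Two questions are answered:
#   what does the script need?   -m state => connection tracking; the tables
#                                it uses; the interface names it matches on
#   what does the host provide?  /proc/net/ip_tables_names,
#                                /proc/net/ip_conntrack (nf_conntrack on
#                                2.6+), /proc/net/dev
# PROC is an assumed parameter so the host side can be pointed at a fixture.
# Kernel option names are those of the 2.4 netfilter configuration.

PROC=${PROC:-/proc}

# Every iptables invocation in the script.  Comment lines, including the
# ones the poster disabled with '!#', are skipped.
fw_rules() {
    grep -E '^[[:space:]]*(\$IPTABLES|iptables)[[:space:]]' "$1"
}

# The state match needs ip_conntrack and ipt_state; if either is missing,
# every rule using it is rejected and only the DROP policies remain.
fw_needs_conntrack() {
    fw_rules "$1" | grep -qE -- '-m state|--state '
}

# Tables the script uses; a rule without -t lives in filter.
fw_tables() {
    fw_rules "$1" |
    awk '{ t="filter"; for (i=1; i<=NF; i++) if ($i=="-t") t=$(i+1); print t }' | sort -u
}

# Interface names passed to -i / -o.  iptables does not validate these,
# so a name that exists on no interface (e.g. "localhost") never matches.
fw_ifaces() {
    fw_rules "$1" |
    awk '{ for (i=1; i<=NF; i++) if ($i=="-i" || $i=="-o") print $(i+1) }' | sort -u
}

# Built-in chains whose policy the script sets to DROP.
fw_drop_policies() {
    fw_rules "$1" |
    awk '{ for (i=1; i<=NF; i++) if ($i=="-P" && $(i+2)=="DROP") print $(i+1) }'
}

# With INPUT/OUTPUT at DROP, local daemons still need an ACCEPT on lo.
fw_loopback_ok() {
    fw_rules "$1" | grep -qE -- '-A INPUT .*-i lo( |$)' &&
    fw_rules "$1" | grep -qE -- '-A OUTPUT .*-o lo( |$)'
}

host_ifaces()        { awk -F: 'NR > 2 { gsub(/ /, "", $1); print $1 }' "$PROC/net/dev"; }
host_tables()        { cat "$PROC/net/ip_tables_names" 2>/dev/null; }
host_has_conntrack() { [ -e "$PROC/net/ip_conntrack" ] || [ -e "$PROC/net/nf_conntrack" ]; }

# One PROBLEM line per finding, then "problems: N".  Always exits 0 so it
# can sit in a pipeline; the caller reads the count from the last line.
fw_preflight() {
    script=$1 n=0
    if fw_needs_conntrack "$script" && ! host_has_conntrack; then
        echo "PROBLEM: -m state used but the kernel has no connection tracking (CONFIG_IP_NF_CONNTRACK, CONFIG_IP_NF_MATCH_STATE)"
        n=$((n + 1))
    fi
    for t in $(fw_tables "$script"); do
        host_tables | grep -qx "$t" || { echo "PROBLEM: table '$t' is not registered by the kernel"; n=$((n + 1)); }
    done
    for i in $(fw_ifaces "$script"); do
        host_ifaces | grep -qx "$i" || { echo "PROBLEM: interface '$i' does not exist on this host"; n=$((n + 1)); }
    done
    if fw_drop_policies "$script" | grep -qE '^(INPUT|OUTPUT)$' && ! fw_loopback_ok "$script"; then
        echo "PROBLEM: INPUT/OUTPUT policy DROP but no ACCEPT for -i lo / -o lo"
        n=$((n + 1))
    fi
    echo "problems: $n"
}

# --- Constructed fixture: a miniature of the posted script and a fake /proc --
FAKEPROC=$(mktemp -d)
trap 'rm -rf "$FAKEPROC"' EXIT
mkdir -p "$FAKEPROC/net"
printf 'Inter-|   Receive            |  Transmit\n face |bytes    packets errs|bytes    packets errs\n    lo:       0       0    0        0       0    0\n  eth0:       0       0    0        0       0    0\n  eth1:       0       0    0        0       0    0\n' > "$FAKEPROC/net/dev"
printf 'nat\nfilter\n' > "$FAKEPROC/net/ip_tables_names"
# deliberately no ip_conntrack: connection tracking not built into this kernel

SAMPLE=$FAKEPROC/sample.fw
cat > "$SAMPLE" <<'EOF'
#!/bin/sh
IPTABLES="/sbin/iptables"
!#check $IPTABLES
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 172.26.7.112
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i localhost -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
EOF

PROC=$FAKEPROC
fw_preflight "$SAMPLE"    # on a real host: leave PROC unset and pass the real script
```

Against the constructed sample and fixture this reports three problems: no connection tracking for the -m state rules, the interface localhost that does not exist, and DROP policies on INPUT/OUTPUT with no ACCEPT on lo. The check reads only the script and /proc, so it can be run on the target host before the script touches a single chain; what it cannot tell you is whether a given match extension is compiled into the kernel when its /proc entry is absent only because nothing has loaded it yet, so on a modular kernel load the module first (the generated script's modprobe loop is meant to do that) and re-run.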