FW Problem ?!?


FW Problem ?!?

#1 Post by Stormbringer »

Hello,

Now I'm truly at a loss .....
In preparation for my DSL line (it is supposed to go live next week :-) ) I bought the book "Das Firewall Buch".
Following the scripts printed there, I want to start adapting my ipchains script.
To be on the safe side first, I wanted to test the whole thing with the printed script - and nothing works .... :-(
Does anyone have an idea why it doesn't work?
Neither http, nor ftp, nntp or any other request works.
System: SuSE 7.2, kernel 2.4.6-6, ipchains 1.3.9

--- /var/log/messages --- snip ---

Jul 17 17:45:31 gateway named[501]: starting (/etc/named.conf). named 8.2.3-REL Fri May 11 16:00:24 GMT 2001 ^Iroot@ivy:/usr/src/packages/BUILD/bind8-8.2.3/bin/named
Jul 17 17:45:31 gateway named[501]: master zone "localhost" (IN) loaded (serial 42)
Jul 17 17:45:31 gateway named[501]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 42)
Jul 17 17:45:31 gateway named[501]: hint zone "" (IN) loaded (serial 0)
Jul 17 17:45:31 gateway named[501]: /var/named/skar.hosts: WARNING SOA expire value is less than 7 days (432000)
Jul 17 17:45:31 gateway named[501]: master zone "skar" (IN) loaded (serial 2001071600)
Jul 17 17:45:31 gateway named[501]: listening on [127.0.0.1].53 (lo)
Jul 17 17:45:31 gateway named[501]: listening on [192.168.0.1].53 (ippp0)
Jul 17 17:45:31 gateway named[501]: listening on [192.168.10.2].53 (eth0)
Jul 17 17:45:31 gateway named[501]: listening on [192.168.10.3].53 (eth0:1)
Jul 17 17:45:31 gateway named[501]: listening on [192.168.20.1].53 (eth1)
Jul 17 17:45:31 gateway named[501]: Forwarding source address is [0.0.0.0].1024
Jul 17 17:45:31 gateway named[514]: group = named
Jul 17 17:45:31 gateway named[514]: user = named
Jul 17 17:45:31 gateway named[514]: Ready to answer queries.
Jul 17 17:45:31 gateway kernel: OPEN: 192.168.0.1 -> 212.7.128.162 UDP, port: 1024 -> 53
Jul 17 17:45:31 gateway kernel: ippp0: dialing 1 08003337666...
Jul 17 17:45:32 gateway isdnlog: (HiSax driver detected)
Jul 17 17:45:32 gateway isdnlog: Jul 17 17:45:32 * tei 117 calling 08003337666 with +49 123456, RING (Data)
Jul 17 17:45:34 gateway rpc.statd[567]: Version 0.3.1 Starting
Jul 17 17:45:35 gateway kernel: Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
Jul 17 17:45:35 gateway /usr/sbin/cron[619]: (CRON) STARTUP (fork ok)
Jul 17 17:45:35 gateway kernel: eth1: no IPv6 routers present
Jul 17 17:45:35 gateway kernel: eth0: no IPv6 routers present
Jul 17 17:45:36 gateway isdnlog: Jul 17 17:45:36 tei 117 calling 08003337666 with +49 123456, Time:Tue Jul 17 17:43:00 2001
Jul 17 17:45:36 gateway isdnlog: Jul 17 17:45:36 tei 117 calling 08003337666 with +49 123456, CONNECT (Data)
Jul 17 17:45:36 gateway kernel: spurious 8259A interrupt: IRQ7.
Jul 17 17:45:36 gateway ipppd[213]: Local number: 0123456, Remote number: 08003337666, Type: outgoing
Jul 17 17:45:36 gateway ipppd[213]: PHASE_WAIT -> PHASE_ESTABLISHED, ifunit: 0, linkunit: 0, fd: 7
Jul 17 17:45:36 gateway kernel: isdn_net: ippp0 connected
Jul 17 17:45:36 gateway ipppd[213]: MPPP negotiation, He: No We: No
Jul 17 17:45:36 gateway ipppd[213]: local IP address 212.7.137.155
Jul 17 17:45:36 gateway ipppd[213]: remote IP address 62.214.0.97
Jul 17 17:45:47 gateway squid[719]: Squid Parent: child process 720 started
Jul 17 17:45:47 gateway squid[720]: Starting Squid Cache version 2.3.STABLE4-hno.CVS for i686-pc-linux-gnu...
Jul 17 17:45:47 gateway squid[720]: Process ID 720
Jul 17 17:45:47 gateway squid[720]: With 4096 file descriptors available
Jul 17 17:45:47 gateway squid[720]: DNS Socket created on FD 2
Jul 17 17:45:47 gateway squid[720]: Adding nameserver 192.168.10.2 from /etc/resolv.conf
Jul 17 17:45:47 gateway squid[720]: Adding nameserver 212.7.128.162 from /etc/resolv.conf
Jul 17 17:45:47 gateway squid[720]: Adding nameserver 212.7.128.165 from /etc/resolv.conf
Jul 17 17:45:49 gateway squid[720]: Unlinkd pipe opened on FD 7
Jul 17 17:45:49 gateway squid[720]: Swap maxSize 204800 KB, estimated 34133 objects
Jul 17 17:45:49 gateway squid[720]: Target number of buckets: 682
Jul 17 17:45:49 gateway squid[720]: Using 8192 Store buckets
Jul 17 17:45:49 gateway squid[720]: Max Mem size: 8192 KB
Jul 17 17:45:49 gateway squid[720]: Max Swap size: 204800 KB
Jul 17 17:45:50 gateway squid[720]: Rebuilding storage in /var/squid/cache (CLEAN)
Jul 17 17:45:50 gateway squid[720]: Set Current Directory to /var/squid/cache
Jul 17 17:45:51 gateway squid[720]: Loaded Icons.
Jul 17 17:45:51 gateway squid[720]: Accepting HTTP connections at 0.0.0.0, port 3128, FD 9.
Jul 17 17:45:51 gateway squid[720]: Accepting ICP messages at 0.0.0.0, port 3130, FD 10.
Jul 17 17:45:51 gateway squid[720]: Accepting HTCP messages on port 4827, FD 11.
Jul 17 17:45:51 gateway squid[720]: WCCP Disabled.
Jul 17 17:45:51 gateway squid[720]: Ready to serve requests.
Jul 17 17:45:52 gateway squid[720]: Done reading /var/squid/cache swaplog (12145 entries)
Jul 17 17:45:52 gateway squid[720]: Finished rebuilding storage from disk.
Jul 17 17:45:52 gateway squid[720]: 12145 Entries scanned
Jul 17 17:45:52 gateway squid[720]: 0 Invalid entries.
Jul 17 17:45:52 gateway squid[720]: 0 With invalid flags.
Jul 17 17:45:52 gateway squid[720]: 12145 Objects loaded.
Jul 17 17:45:52 gateway squid[720]: 0 Objects expired.
Jul 17 17:45:52 gateway squid[720]: 0 Objects cancelled.
Jul 17 17:45:52 gateway squid[720]: 0 Duplicate URLs purged.
Jul 17 17:45:52 gateway squid[720]: 0 Swapfile clashes avoided.
Jul 17 17:45:52 gateway squid[720]: Took 4.4 seconds (2765.9 objects/sec).
Jul 17 17:45:52 gateway squid[720]: Beginning Validation Procedure
Jul 17 17:45:52 gateway squid[720]: Completed Validation Procedure
Jul 17 17:45:52 gateway squid[720]: Validated 12145 Entries
Jul 17 17:45:52 gateway squid[720]: store_swap_size = 143955k
Jul 17 17:45:52 gateway squid[720]: storeLateRelease: released 0 objects
Jul 17 17:45:44 gateway kernel: ip_tables: (c)2000 Netfilter core team
Jul 17 17:45:45 gateway kernel: ip_conntrack (1023 buckets, 8184 max)
Jul 17 17:46:03 gateway kernel: DROP-TCP IN=eth0 OUT= MAC=00:a0:c9:42:e9:29:00:10:4b:b6:01:f7:08:00 SRC=192.168.10.100 DST=192.168.10.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=64513 DF PROTO=TCP SPT=1067 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:46:06 gateway kernel: DROP-TCP IN=eth0 OUT= MAC=00:a0:c9:42:e9:29:00:10:4b:b6:01:f7:08:00 SRC=192.168.10.100 DST=192.168.10.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=65025 DF PROTO=TCP SPT=1067 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:46:12 gateway kernel: DROP-TCP IN=eth0 OUT= MAC=00:a0:c9:42:e9:29:00:10:4b:b6:01:f7:08:00 SRC=192.168.10.100 DST=192.168.10.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=65281 DF PROTO=TCP SPT=1067 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:46:24 gateway kernel: DROP-TCP IN=eth0 OUT= MAC=00:a0:c9:42:e9:29:00:10:4b:b6:01:f7:08:00 SRC=192.168.10.100 DST=192.168.10.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=2 DF PROTO=TCP SPT=1067 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:46:57 gateway ipppd[213]: Modem hangup
Jul 17 17:46:57 gateway ipppd[213]: Connection terminated.
Jul 17 17:46:57 gateway ipppd[213]: taking down PHASE_DEAD link 0, linkunit: 0
Jul 17 17:46:57 gateway kernel: isdn_net: local hangup ippp0
Jul 17 17:46:57 gateway kernel: ippp0: Chargesum is 0
Jul 17 17:46:57 gateway isdnlog: Jul 17 17:46:57 tei 117 calling 08003337666 with +49 123456, Normal call clearing (User)
Jul 17 17:46:57 gateway ipppd[213]: closing fd 7 from unit 0
Jul 17 17:46:57 gateway kernel: ippp_ccp: freeing reset data structure c7323800
Jul 17 17:46:57 gateway ipppd[213]: link 0 closed , linkunit: 0
Jul 17 17:46:57 gateway ipppd[213]: reinit_unit: 0
Jul 17 17:46:57 gateway kernel: ippp, open, slot: 0, minor: 0, state: 0000
Jul 17 17:46:57 gateway kernel: ippp_ccp: allocated reset data structure c7323800
Jul 17 17:46:57 gateway ipppd[213]: Connect[0]: /dev/ippp0, fd: 7
Jul 17 17:46:57 gateway isdnlog: Jul 17 17:46:57 tei 117 calling 08003337666 with +49 123456, HANGUP (82 CI 0.000 DM 0:01:21 I= 4.5Kb O= 1.8Kb)
Jul 17 17:46:57 gateway ip-down: Setting up routing for ippp0 (using /etc/route.conf)..done
Jul 17 17:47:41 gateway kernel: OPEN: 192.168.0.1 -> 212.7.128.165 UDP, port: 1068 -> 53
Jul 17 17:47:41 gateway kernel: ippp0: dialing 1 08003337666...
Jul 17 17:47:41 gateway isdnlog: Jul 17 17:47:41 * tei 117 calling 08003337666 with +49 123456, RING (Data)
Jul 17 17:47:44 gateway kernel: DROP-UDP IN=eth0 OUT= MAC=00:a0:c9:42:e9:29:00:10:4b:b6:01:f7:08:00 SRC=192.168.10.100 DST=192.168.10.2 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=770 PROTO=UDP SPT=1068 DPT=53 LEN=38
Jul 17 17:47:45 gateway isdnlog: Jul 17 17:47:45 tei 117 calling 08003337666 with +49 123456, Time:Tue Jul 17 17:47:00 2001
Jul 17 17:47:45 gateway isdnlog: Jul 17 17:47:45 tei 117 calling 08003337666 with +49 123456, CONNECT (Data)
Jul 17 17:47:46 gateway ipppd[213]: Local number: 0123456, Remote number: 08003337666, Type: outgoing
Jul 17 17:47:46 gateway ipppd[213]: PHASE_WAIT -> PHASE_ESTABLISHED, ifunit: 0, linkunit: 0, fd: 7
Jul 17 17:47:46 gateway kernel: isdn_net: ippp0 connected
Jul 17 17:47:46 gateway kernel: DROP-UDP IN=eth0 OUT= MAC=00:a0:c9:42:e9:29:00:10:4b:b6:01:f7:08:00 SRC=192.168.10.100 DST=192.168.10.2 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=1282 PROTO=UDP SPT=1068 DPT=53 LEN=38
Jul 17 17:47:49 gateway ipppd[213]: MPPP negotiation, He: No We: No
Jul 17 17:47:49 gateway ipppd[213]: local IP address 212.7.137.11
Jul 17 17:47:49 gateway ipppd[213]: remote IP address 62.214.0.97
Jul 17 17:47:51 gateway kernel: DROP-UDP IN=eth0 OUT= MAC=00:a0:c9:42:e9:29:00:10:4b:b6:01:f7:08:00 SRC=192.168.10.100 DST=192.168.10.2 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=1794 PROTO=UDP SPT=1068 DPT=53 LEN=38
Jul 17 17:47:51 gateway kernel: DROP-TCP IN=eth0 OUT=ippp0 SRC=192.168.10.100 DST=193.99.144.71 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2050 DF PROTO=TCP SPT=1069 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:47:54 gateway kernel: DROP-TCP IN=eth0 OUT=ippp0 SRC=192.168.10.100 DST=193.99.144.71 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2562 DF PROTO=TCP SPT=1069 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:47:57 gateway named[514]: ns_forw: sendto([212.7.128.162].53): Operation not permitted
Jul 17 17:47:57 gateway kernel: DROP-TCP IN=eth0 OUT=ippp0 SRC=192.168.10.100 DST=209.73.180.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3074 DF PROTO=TCP SPT=1071 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:47:57 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=212.7.128.162 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:00 gateway kernel: DROP-TCP IN=eth0 OUT=ippp0 SRC=192.168.10.100 DST=193.99.144.71 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3586 DF PROTO=TCP SPT=1069 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:48:00 gateway kernel: DROP-TCP IN=eth0 OUT=ippp0 SRC=192.168.10.100 DST=209.73.180.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3842 DF PROTO=TCP SPT=1071 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:48:01 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=212.7.128.165 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:02 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=212.7.128.162 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30490 DF PROTO=UDP SPT=1031 DPT=53 LEN=51
Jul 17 17:48:02 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=212.7.128.165 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30490 DF PROTO=UDP SPT=1031 DPT=53 LEN=51
Jul 17 17:48:02 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=212.7.128.162 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:05 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=128.63.2.53 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:06 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=212.7.128.165 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:06 gateway kernel: DROP-TCP IN=eth0 OUT=ippp0 SRC=192.168.10.100 DST=209.73.180.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4098 DF PROTO=TCP SPT=1071 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:48:06 gateway kernel: DROP-UDP IN= OUT=eth0 SRC=192.168.10.2 DST=192.168.10.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Jul 17 17:48:06 gateway kernel: DROP-UDP IN= OUT=eth0 SRC=192.168.10.2 DST=192.168.10.255 LEN=236 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=216
Jul 17 17:48:07 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=212.7.128.162 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30991 DF PROTO=UDP SPT=1032 DPT=53 LEN=51
Jul 17 17:48:07 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=212.7.128.165 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30991 DF PROTO=UDP SPT=1032 DPT=53 LEN=51
Jul 17 17:48:09 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=128.8.10.90 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:10 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=128.63.2.53 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:11 gateway kernel: DROP-TCP IN=eth0 OUT=ippp0 SRC=192.168.10.100 DST=193.99.144.71 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4354 DF PROTO=TCP SPT=1069 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:48:13 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=192.33.4.12 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:14 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=128.8.10.90 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:17 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=192.5.5.241 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:18 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=192.33.4.12 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:18 gateway kernel: DROP-TCP IN=eth0 OUT=ippp0 SRC=192.168.10.100 DST=209.73.180.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4610 DF PROTO=TCP SPT=1071 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 17 17:48:21 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=198.41.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:22 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=192.5.5.241 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:25 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=192.36.148.17 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:26 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=198.41.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:29 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=198.41.0.4 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:30 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=192.36.148.17 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:33 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=193.0.14.129 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:34 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=198.41.0.4 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:37 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=128.9.0.107 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:38 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=193.0.14.129 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:41 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=198.32.64.12 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:42 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=128.9.0.107 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:45 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=192.203.230.10 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:46 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=198.32.64.12 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:49 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=192.112.36.4 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:50 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=192.203.230.10 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:53 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=202.12.27.33 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:54 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=192.112.36.4 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:57 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=212.7.128.162 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Jul 17 17:48:58 gateway kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=202.12.27.33 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=51

--- snip ---


--- /etc/resolv.conf --- snip ---

domain skar
search skar komtel.net komtel.net
nameserver 192.168.10.2
nameserver 212.7.128.162
nameserver 212.7.128.165

--- snip ---


--- FW script --- snip ---

#!/bin/tcsh
# Firewall script
#
set IPTABLES = /usr/sbin/iptables
#
set p_high = 1024:65535
set p_ssh = 1000:1023
#
set EXT = ippp0
set INT = eth0
set IF = ( $EXT $INT )

set NS = ( 212.7.128.162 212.7.128.165 )
set mail = 212.7.146.1
set loghost = 192.168.10.10

set INTERN = 192.168.10.0/255.255.255.0

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate
echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate
echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate
#
foreach if ( $IF )
echo "1" > /proc/sys/net/ipv4/conf/$if/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/$if/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/$if/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/$if/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/$if/log_martians
end
#
# default policy DROP on all three chains, then flush rules and user chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
#
# loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# ssh maintenance access from the LAN
$IPTABLES -A INPUT -i $INT -s $INTERN -p TCP --sport $p_ssh --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT -d $INTERN -p TCP --dport $p_ssh --sport ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# logging drop chain: log by protocol, then DROP
$IPTABLES -N my_drop
$IPTABLES -A my_drop -p ICMP -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p UDP -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -p TCP -j LOG --log-prefix "DROP-TCP "
$IPTABLES -A my_drop -j DROP
#
# Masquerading
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# replies to established connections (OUTPUT, FORWARD LAN -> external)
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# replies to established connections; NEW/INVALID on INPUT and on external -> LAN FORWARD go to my_drop
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,INVALID -j my_drop
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state NEW,INVALID -j my_drop
#
# icmp
$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
#
# syslog
$IPTABLES -A OUTPUT -o $INT -m state --state NEW -p UDP --sport syslog -d $loghost --dport syslog -j ACCEPT
#
# forwarded ping out through the external interface
$IPTABLES -A FORWARD -o $EXT -p ICMP --icmp-type echo-request -j ACCEPT
#
# DNS
foreach ns ( $NS )
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p UDP --sport $p_high -d $ns --dport domain -j ACCEPT
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $ns --dport domain -j ACCEPT
end
#
# Mail (smtp / pop)
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $mail --dport smtp -j ACCEPT
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $mail --dport pop3 -j ACCEPT
#
# http
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $mail --dport http -j ACCEPT
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $mail --dport https -j ACCEPT
#
# reject ident
$IPTABLES -A FORWARD -i $EXT -p TCP --dport auth --syn -j REJECT
#
# ftp, out, PORT
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
#
# ftp, out, passive
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT
#
$IPTABLES -A INPUT -j my_drop
$IPTABLES -A FORWARD -j my_drop
$IPTABLES -A OUTPUT -j my_drop
#
# end

--- snip ---


Thanks & regards
Last edited by Stormbringer on 17. Jul 2001 17:02, edited 1 time in total.
Continuum Hierarchy Supervisor:
You have already been assimilated.
(Spelling reform objector!)
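Added example (the editor's, not from the post or from "Das Firewall Buch") in bash: every netfilter LOG line says which chain dropped the packet through its IN= and OUT= fields, so the log above can be sorted into INPUT, OUTPUT and FORWARD drops before touching the script. The sample lines are constructed from the post's log with unused fields removed; the function names are the example's own.

```bash
#!/bin/bash
# Added example (editor's, not from the original post or "Das Firewall Buch"):
# work out which chain dropped each logged packet and summarise the blocked
# traffic. With the netfilter LOG target, IN set and OUT empty means the packet
# was in INPUT, IN empty and OUT set means OUTPUT, and both set means FORWARD;
# the posted script only jumps to my_drop from those three chains.

# Constructed sample: lines copied from the post's /var/log/messages, with the
# timestamp, MAC, TOS/TTL/ID and TCP flag fields removed for brevity.
SAMPLE_LOG='kernel: DROP-TCP IN=eth0 OUT= SRC=192.168.10.100 DST=192.168.10.2 PROTO=TCP SPT=1067 DPT=3128
kernel: DROP-UDP IN=eth0 OUT= SRC=192.168.10.100 DST=192.168.10.2 PROTO=UDP SPT=1068 DPT=53 LEN=38
kernel: DROP-TCP IN=eth0 OUT=ippp0 SRC=192.168.10.100 DST=193.99.144.71 PROTO=TCP SPT=1069 DPT=80
kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=212.7.128.162 PROTO=UDP SPT=1024 DPT=53 LEN=51
kernel: DROP-UDP IN= OUT=ippp0 SRC=212.7.137.11 DST=128.63.2.53 PROTO=UDP SPT=1024 DPT=53 LEN=51
kernel: DROP-UDP IN= OUT=eth0 SRC=192.168.10.2 DST=192.168.10.255 PROTO=UDP SPT=138 DPT=138 LEN=221'

# Extract one " KEY=value" field from a log line; prints an empty string when
# the field is absent or has no value (e.g. "OUT= " for a packet in INPUT).
field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# Name the chain a logged packet was in, derived from its IN=/OUT= fields.
drop_chain() {
    local in out
    in=$(field IN "$1")
    out=$(field OUT "$1")
    if [ -n "$in" ] && [ -z "$out" ]; then
        echo INPUT
    elif [ -z "$in" ] && [ -n "$out" ]; then
        echo OUTPUT
    elif [ -n "$in" ] && [ -n "$out" ]; then
        echo FORWARD
    else
        echo UNKNOWN
    fi
}

# Count the sample lines that were dropped in a given chain.
count_drops() {
    local chain="$1" n=0 line
    while IFS= read -r line; do
        if [ "$(drop_chain "$line")" = "$chain" ]; then
            n=$((n + 1))
        fi
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$n"
}

# One line per chain / protocol / destination port / src -> dst combination,
# with its count, most frequent first: the shape of what the ruleset rejects.
summarize_drops() {
    while IFS= read -r line; do
        case "$line" in *DROP-*) ;; *) continue ;; esac
        printf '%s %s/%s %s -> %s\n' "$(drop_chain "$line")" \
            "$(field PROTO "$line")" "$(field DPT "$line")" \
            "$(field SRC "$line")" "$(field DST "$line")"
    done | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Run over the full log above, the summary separates three kinds of traffic the script has no ACCEPT for: LAN clients reaching squid (tcp/3128) and named (udp/53) on the gateway itself (INPUT, where only ssh is allowed), named's own forwarded and root-server queries leaving ippp0 (OUTPUT, which is also why named logs "sendto: Operation not permitted"), and LAN http to hosts other than $mail (FORWARD, since both http rules carry -d $mail). The udp/138 lines are the gateway's own NetBIOS datagram broadcasts and are just noise.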


Re: FW Problem ?!?

#2 Post by Stormbringer »

... well ..... when you don't pay attention ....
I'm using iptables (not ipchains), version 1.2.1a.

Regards
