Port mapping with Mandrake 10

Mr_Sven
Posts: 1
Joined: 08. Sep 2004 11:54

#1 Post by Mr_Sven »

Hi,
I have a small problem.
I want to map a few ports from my router to another machine, and that no longer works.
I switched from SuSE 7.3 to Mandrake 10, and the same firewall script that worked on the SuSE box now only works partially.
Everything can be entered and shows up in "iptables -L", but when I access the ports from outside I always get "Connection Refused".
When I access the ports directly on the target machine it works, just not from the Internet.
Is there anything I need to watch out for with Mandrake?

Thanks for your help.

Regards, Sven

I'm attaching my firewall script:

Code:

#!/bin/sh

# Variable definitions
ip="/sbin/iptables"
mod="/sbin/modprobe"

# Load kernel modules

$mod ip_tables
$mod ip_conntrack
$mod ip_conntrack_ftp
$mod ip_nat_ftp

# Initialise the firewall safely and delete existing rules
# first the default policies
$ip -P INPUT DROP
$ip -P OUTPUT DROP
$ip -P FORWARD DROP

## now the rules
## first delete all existing rules
$ip -F
$ip -t nat -F
$ip -t mangle -F
$ip -X

## Reset packet and byte counters
$ip -Z

BROADCAST="255.255.255.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
# The RFC 1918 Class B range is 172.16.0.0/12 (the original had the typo 127.16.0.0/12,
# which overlaps loopback and left 172.16/12 unfiltered)
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
# Class E is 240.0.0.0/4; the original /5 only covered 240.0.0.0-247.255.255.255
CLASS_E_RESERVED_NET="240.0.0.0/4"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"

# Disable response to ping.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log spoofed packets, source routed packets, redirect packets.
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Enable IP forwarding between interfaces. Without this the kernel never passes the
# DNAT'ed packets on to the FORWARD chain, so the port forwards below cannot work.
# (Not in the original script; added here because the forwarding rules depend on it.)
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward


## end of firewall initialisation
########################################################################################

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
$ip -A INPUT  -i lo -j ACCEPT
$ip -A OUTPUT -o lo -j ACCEPT

## Make sure NEW tcp connections are SYN packets
$ip -A INPUT -i ppp0 -p tcp ! --syn -m state --state NEW -j DROP

## SPOOFING
# Most of this anti-spoofing stuff is theoretically not really necessary with the flags we
# have set in the kernel above ........... but you never know there isn't a bug somewhere in
# your IP stack.
#
# Refuse spoofed packets pretending to be from your IP address.
#iptables -A INPUT  -i ppp0 -s $IPADDR -j DROP

# Refuse packets claiming to be from a Class A private network.
$ip -A INPUT  -i ppp0 -s $CLASS_A -j DROP

# Refuse packets claiming to be from a Class B private network.
$ip -A INPUT  -i ppp0 -s $CLASS_B -j DROP

# Refuse packets claiming to be from a Class C private network.
$ip -A INPUT  -i ppp0 -s $CLASS_C -j DROP

# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ip -A INPUT -i ppp0 -s $CLASS_D_MULTICAST -j DROP

# Refuse Class E reserved IP addresses.
$ip -A INPUT -i ppp0 -s $CLASS_E_RESERVED_NET -j DROP

# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
$ip -A INPUT  -i ppp0 -d $LOOPBACK -j DROP

# Refuse broadcast address packets.
$ip -A INPUT -i ppp0 -d $BROADCAST -j DROP


## NAT is configured here: all packets leaving via ppp0 are masqueraded
$ip -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## the following rule redirects all packets for the given port to an internal host,
## for example to run a web server there
# $ip -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to 192.168.1.1:80

## Interface configuration
## the internal network card
$ip -A OUTPUT -o eth0 -j ACCEPT
$ip -A INPUT -i eth0 -j ACCEPT

## the ppp0 interface
$ip -A OUTPUT -o ppp0 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT
$ip -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

## incoming connections on ppp0
## drop the following packets (they come from nmap scans)
$ip -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$ip -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

$ip -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$ip -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

## allow ICMP error messages
$ip -A INPUT -i ppp0 -p icmp --icmp-type 3 -j ACCEPT
$ip -A INPUT -i ppp0 -p icmp --icmp-type 4 -j ACCEPT
$ip -A INPUT -i ppp0 -p icmp --icmp-type 11 -j ACCEPT
$ip -A INPUT -i ppp0 -p icmp --icmp-type 12 -j ACCEPT

## allow ping from outside to this host
# $ip -A INPUT -i ppp0 -p icmp --icmp-type 8 -j ACCEPT

## allow ssh
$ip -A INPUT -i ppp0 -p tcp --dport 22 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

## allow IRC
$ip -A INPUT -i ppp0 -p tcp --dport 6667 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT
$ip -A INPUT -i ppp0 -p tcp --dport 113 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

## allow smtp
$ip -A INPUT -i ppp0 -p tcp --dport 25 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

## allow http
$ip -A INPUT -i ppp0 -p tcp --dport 80 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

## FTP
$ip -A INPUT -i ppp0 -p tcp --dport 21 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT
$ip -A INPUT -i ppp0 -p udp --dport 21 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT
$ip -A INPUT -i ppp0 -p tcp --dport 20 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT
$ip -A INPUT -i ppp0 -p udp --dport 20 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT


##DPB
$ip -A INPUT -i ppp0 -p tcp --dport 27030:27039 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT
$ip -A INPUT -i ppp0 -p udp --dport 27000:27015 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT
$ip -A INPUT -i ppp0 -p udp --dport 1200 --sport 1024: -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

## second rule, needed to actually forward the packets to the internal host, see above
# $ip -A FORWARD -i ppp0 -o eth0 -p tcp --dport 80 -d 192.168.1.1/32 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

$ip -A INPUT -i ppp0 -p tcp --sport 1024:65535 --dport 1024:65535  -m state --state ESTABLISHED -j ACCEPT
$ip -A OUTPUT -o ppp0 -p tcp --sport 1024:65535 --dport 1024:65535  -m state --state ESTABLISHED,RELATED -j ACCEPT

## Forwarding

$ip -t nat -A PREROUTING -p udp --dport 5900 -i ppp0 -j DNAT --to 192.168.0.1:5900
$ip -t nat -A PREROUTING -p tcp --dport 5900 -i ppp0 -j DNAT --to 192.168.0.1:5900

$ip -A FORWARD -i ppp0 -o eth0 -p udp --dport 5900 -d 192.168.0.1/32 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$ip -A FORWARD -i ppp0 -o eth0 -p tcp --dport 5900 -d 192.168.0.1/32 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

## port 2401 from outside also goes to 192.168.0.1:5900. DNAT rewrites the destination
## before the FORWARD chain is consulted, so the FORWARD rules have to match the
## translated port 5900 (the original matched --dport 2401, which never occurs after DNAT)
$ip -t nat -A PREROUTING -p udp --dport 2401 -i ppp0 -j DNAT --to 192.168.0.1:5900
$ip -t nat -A PREROUTING -p tcp --dport 2401 -i ppp0 -j DNAT --to 192.168.0.1:5900

$ip -A FORWARD -i ppp0 -o eth0 -p udp --dport 5900 -d 192.168.0.1/32 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$ip -A FORWARD -i ppp0 -o eth0 -p tcp --dport 5900 -d 192.168.0.1/32 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

$ip -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT
$ip -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
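As an added check that is not part of Sven's script, the following POSIX sh snippet audits iptables-save output for the two things a DNAT port forward needs besides the nat rule: a FORWARD ACCEPT rule that matches the translated destination host and port (FORWARD runs after DNAT), and ip_forward switched on in the kernel. The rules in SAMPLE_RULES are constructed, and the names SAMPLE_RULES, missing_forward_rules and forwarding_enabled are chosen here.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not captured from a real host): three DNAT
# forwards, but only the tcp ones are covered by a FORWARD ACCEPT rule.
SAMPLE_RULES='*nat
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.0.1:5900
-A PREROUTING -i ppp0 -p udp -m udp --dport 5900 -j DNAT --to-destination 192.168.0.1:5900
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 2401 -j DNAT --to-destination 192.168.0.1:5900
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.0.1/32 -i ppp0 -o eth0 -p tcp -m tcp --dport 5900 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Reads iptables-save output on stdin and prints every PREROUTING DNAT rule that
# has no FORWARD ACCEPT rule for the *translated* destination. FORWARD is consulted
# after DNAT, so it must match the --to-destination host and port, not the public
# port (the tcp/2401 forward above is covered by the tcp/5900 FORWARD rule).
# Exit status is 1 when at least one forward is incomplete.
missing_forward_rules() {
    awk '
    function opt(line, name,   n, f, i) {   # value following option "name"
        n = split(line, f, " ")
        for (i = 1; i < n; i++) if (f[i] == name) return f[i + 1]
        return ""
    }
    /^\*/ { table = substr($0, 2) }
    table == "nat" && /^-A PREROUTING/ && /-j DNAT/ {
        proto = opt($0, "-p"); to = opt($0, "--to-destination")
        n = split(to, t, ":")                 # no port given => port unchanged
        port = (n > 1) ? t[2] : opt($0, "--dport")
        need[proto "/" opt($0, "--dport") "->" to] = proto "/" t[1] "/" port
    }
    table == "filter" && /^-A FORWARD/ && /-j ACCEPT/ && /--dport/ {
        d = opt($0, "-d"); sub(/\/32$/, "", d)
        have[opt($0, "-p") "/" d "/" opt($0, "--dport")] = 1
    }
    END {
        for (rule in need) if (!(need[rule] in have)) { print rule; bad = 1 }
        exit bad
    }'
}

# True when the kernel forwards packets between interfaces at all; without it the
# DNAT rules never reach FORWARD. An alternative path can be given for testing.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

printf '%s\n' "$SAMPLE_RULES" | missing_forward_rules \
    || echo "the forwards listed above need a FORWARD ACCEPT for the translated port"
```

On a live router run `iptables-save | missing_forward_rules` and `forwarding_enabled || echo "ip_forward is off"`.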
