iptables script, part 2 ("ssh" works, "www" doesn't!)
Posted: 21. Oct 2004 20:40
Hello,
I have an iptables script that seems to work, but I can't browse the web, even though I can reach a server on the Internet via ssh!
The script / iptables configuration runs on my workstation, not on a router / gateway.
It would be really nice if someone could help me out, because as I said I simply can't find the error!
I'm posting some more information on it
(first the script, then the iptables configuration, then a dmesg excerpt)
----------------SCRIPT----------------------
#!/bin/sh
INTERFACE="ppp0"
LOCAL="192.168.0.0/24"
IPTABLES="/sbin/iptables"

# Open the firewall: policy ACCEPT, all rules removed
Stop()
{
    Flush ACCEPT
}

# Close the firewall: policy DROP, all rules removed
Close()
{
    Flush DROP
}

# Set the INPUT/OUTPUT policy to $1, flush every chain and delete the user chains
Flush()
{
    ${IPTABLES} -P INPUT $1
    ${IPTABLES} -P OUTPUT $1
    ${IPTABLES} -F
    ${IPTABLES} -F INPUT
    ${IPTABLES} -F OUTPUT
    ${IPTABLES} -X destroy > /dev/null 2>&1
    ${IPTABLES} -X in_private > /dev/null 2>&1
    ${IPTABLES} -X out_private > /dev/null 2>&1
}

Start()
{
    Close
    CreateBucket
    EgressFilter
    InOutTCP 22 # SSH
    InOutTCP 80 # http
    OutTCP http 80 https 8080
    OutTCP ftp smtp pop3
    OutFTP
    # Firewall ICMP. ICMP is useful, so allow any by default
    ${IPTABLES} -A INPUT -j ACCEPT -p icmp
    ${IPTABLES} -A OUTPUT -j ACCEPT -p icmp
    # Everything not accepted above ends up in "destroy"
    ${IPTABLES} -A INPUT -j destroy
    ${IPTABLES} -A OUTPUT -j destroy
}

# "destroy": log (rate-limited) and then drop
CreateBucket()
{
    ${IPTABLES} -N destroy
    # These rules are only for logging.
    ${IPTABLES} -A destroy -m limit -j LOG --log-level notice
    ${IPTABLES} -A destroy -j DROP
}

# Anti-spoofing on ${INTERFACE}: loopback, private, multicast and reserved
# ranges are neither accepted from nor sent to the Internet link
EgressFilter()
{
    # Don't let private addresses in
    ${IPTABLES} -N in_private
    ${IPTABLES} -F in_private
    ${IPTABLES} -A in_private -j destroy -s 127.0.0.0/8
    ${IPTABLES} -A in_private -j destroy -s 10.0.0.0/8
    ${IPTABLES} -A in_private -j destroy -s 172.16.0.0/12
    ${IPTABLES} -A in_private -j destroy -s 192.168.0.0/16
    ${IPTABLES} -A in_private -j destroy -s 224.0.0.0/4
    ${IPTABLES} -A in_private -j destroy -s 240.0.0.0/4
    # Don't let private addresses escape
    # So the server must not send packets to the following addresses,
    # because they must not exist on the Internet and the server would
    # therefore be talking to spoofed addresses !?
    ${IPTABLES} -N out_private
    ${IPTABLES} -F out_private
    ${IPTABLES} -A out_private -j destroy -d 127.0.0.0/8
    ${IPTABLES} -A out_private -j destroy -d 10.0.0.0/8
    ${IPTABLES} -A out_private -j destroy -d 172.16.0.0/12
    ${IPTABLES} -A out_private -j destroy -d 192.168.0.0/16
    ${IPTABLES} -A out_private -j destroy -d 224.0.0.0/4
    ${IPTABLES} -A out_private -j destroy -d 240.0.0.0/4
    # All packets of the INPUT and OUTPUT chains pass through these checks
    ${IPTABLES} -A INPUT -j in_private -i ${INTERFACE}
    ${IPTABLES} -A OUTPUT -j out_private -o ${INTERFACE}
}

# Allow the TCP port(s) given in $* in both directions
InOutTCP()
{
    InTCP $*
    OutTCP $*
}

# Inbound connections to local TCP port $i (this host as server) and their replies
InTCP()
{
    for i in $*
    do
        ${IPTABLES} -A INPUT -j ACCEPT -i ${INTERFACE} -p tcp --dport $i -m state --state NEW,ESTABLISHED,RELATED
        ${IPTABLES} -A OUTPUT -j ACCEPT -o ${INTERFACE} -p tcp --sport $i -m state --state ESTABLISHED,RELATED
    done
}

# Outbound connections from an unprivileged local port to remote TCP port $i
# (this host as client) and their replies
OutTCP()
{
    for i in $*
    do
        ${IPTABLES} -A OUTPUT -j ACCEPT -o ${INTERFACE} -p tcp --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
        ${IPTABLES} -A INPUT -j ACCEPT -i ${INTERFACE} -p tcp --sport $i -m state --state ESTABLISHED,RELATED
    done
}

# Active-mode FTP: the remote server opens the data connection from port ftp-data (20) to us
OutFTP()
{
    InOutTCP ftp-data
    ${IPTABLES} -A INPUT -j ACCEPT -i ${INTERFACE} -p tcp --sport ftp-data -m state --state NEW,ESTABLISHED,RELATED
}

# Dispatcher (assumed; not part of the script as posted) so the file can be run directly
case "$1" in
    start) Start ;;
    stop)  Stop ;;
    *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
_____________________________________________
-----------IPTABLES CONFIGURATION------------------------
Chain INPUT (policy DROP)
target     prot opt source               destination
in_private all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:webcache state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pop3 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
destroy    all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
out_private all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:www state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:www state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:www state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:https state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:webcache state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ftp state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:smtp state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:pop3 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ftp-data state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
destroy    all  --  anywhere             anywhere

Chain destroy (14 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/hour burst 5 LOG level notice
DROP       all  --  anywhere             anywhere

Chain in_private (1 references)
target     prot opt source               destination
destroy    all  --  127.0.0.0/8          anywhere
destroy    all  --  10.0.0.0/8           anywhere
destroy    all  --  172.16.0.0/12        anywhere
destroy    all  --  192.168.0.0/16       anywhere
destroy    all  --  224.0.0.0/4          anywhere
destroy    all  --  240.0.0.0/4          anywhere

Chain out_private (1 references)
target     prot opt source               destination
destroy    all  --  anywhere             127.0.0.0/8
destroy    all  --  anywhere             10.0.0.0/8
destroy    all  --  anywhere             172.16.0.0/12
destroy    all  --  anywhere             192.168.0.0/16
destroy    all  --  anywhere             224.0.0.0/4
destroy    all  --  anywhere             240.0.0.0/4
___________________________________________
----------------------dmesg------------------------------
CSLIP: code copyright 1989 Regents of the University of California
PPP generic driver version 2.4.2
NET: Registered protocol family 10
Disabled Privacy Extensions on device c0366d00(lo)
IPv6 over IPv4 tunneling driver
PPP BSD Compression module registered
PPP Deflate Compression module registered
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (1279 buckets, 10232 max) - 300 bytes per conntrack
IN=ppp0 OUT= MAC= SRC=145.254.101.28 DST=145.254.167.138 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=4178 DF PROTO=TCP SPT=2385 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=145.254.222.41 DST=145.254.167.138 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=63208 DF PROTO=TCP SPT=4537 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=145.254.192.141 DST=145.254.167.138 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=14160 DF PROTO=TCP SPT=1446 DPT=135 WINDOW=2144 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=205.188.7.154 DST=145.254.167.138 LEN=80 TOS=0x00 PREC=0x00 TTL=104 ID=11777 DF PROTO=TCP SPT=5190 DPT=1127 WINDOW=16384 RES=0x00 ACK PSH URGP=0
IN=ppp0 OUT= MAC= SRC=145.254.222.41 DST=145.254.167.138 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=63398 DF PROTO=TCP SPT=4537 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
______________________________________
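An added example (not part of the original post) for reading what the LOG rule in the "destroy" chain records: a small POSIX shell/awk summariser over the dmesg lines above, extended with one constructed outbound line so that both directions are counted. When a page load fails, an outbound entry in this summary points at the rule that is missing from the OUTPUT chain.

```shell
#!/bin/sh
# Constructed sample input: the four LOG lines from the dmesg excerpt above plus one
# constructed outbound line (UDP to port 53; 192.0.2.53 is a documentation address)
# so that the OUT= direction is exercised as well.
SAMPLE_LOG='IN=ppp0 OUT= MAC= SRC=145.254.101.28 DST=145.254.167.138 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=4178 DF PROTO=TCP SPT=2385 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=145.254.222.41 DST=145.254.167.138 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=63208 DF PROTO=TCP SPT=4537 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=145.254.192.141 DST=145.254.167.138 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=14160 DF PROTO=TCP SPT=1446 DPT=135 WINDOW=2144 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=205.188.7.154 DST=145.254.167.138 LEN=80 TOS=0x00 PREC=0x00 TTL=104 ID=11777 DF PROTO=TCP SPT=5190 DPT=1127 WINDOW=16384 RES=0x00 ACK PSH URGP=0
IN= OUT=ppp0 MAC= SRC=145.254.167.138 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=32768 DPT=53 LEN=40'

# Read netfilter LOG lines on stdin and print one line per distinct
# "<direction> <protocol> <destination port> <TCP flags>" with its packet count,
# so that outbound drops (the ones that break client traffic) stand out from
# the usual unsolicited inbound probes. Direction comes from which of IN=/OUT= is set.
summarize_drops() {
    awk '
    {
        dir = "?"; proto = "?"; dpt = "?"; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=./)   dir = "in"      # arrived on an interface
            if ($i ~ /^OUT=./)  dir = "out"     # leaving via an interface
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            if ($i ~ /^(SYN|ACK|PSH|FIN|RST|URG)$/)
                flags = flags (flags == "" ? "" : ",") $i
        }
        if (flags == "") flags = "-"            # non-TCP or no flag bits logged
        count[dir " " proto " " dpt " " flags]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2,2 -k3,3 -k4,4n
}

# Stand-alone run: summarise the sample, first line is "2 in TCP 135 SYN"
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

The LOG rule in the listing is rate limited (avg 3/hour, burst 5), so an empty summary does not prove that nothing was dropped; raise the limit while debugging.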