[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: firewall script fighting

You need to clarify a detail: what is the IP address of "my server"?

If it is a server on the LAN (with an address in the range),
you need to set up port forwarding to reach it. The relevant app is
"ipmasqadm". You will also need to open the router to traffic to the ports
you want to forward, as in the next paragraph.

If it is the router itself, you need to be more specific than "nobody can
connect to my server". As I read your ruleset, you have not opened any
destination ports in the typical range (1-1024) for standard services. For
each service you want to make accessable, you need an input-chain rule
something like this:

    ipchains -A input -i $DEV_INET -p tcp -d a.b.c.d/32 443 -j ACCEPT 

where a.b.c.d is the IP address of your external interface (which you do not
appear to have a shell variable for), and you replace "443" and "tcp" with
the actual port and protocol for the service you want to offer. You may also
need additional output-chain rules ... I did not check that part.

At 05:20 PM 4/1/01 +0200, tim@atomstrahl.de wrote:
>i try to setup a firewall for my lan. i want to be invissible to the
>internet (no respond to a ping), but i want to allow some specific
>connects. my script i have so far makes me invissible and i can surf
>the web..., but nobody can connect to my server.
>maybe you easiely find some errors:
># Firewall Skript
>insmod ip_masq_cuseeme
>insmod ip_masq_ftp
>insmod ip_masq_irc
>insmod ip_masq_quake
>insmod ip_masq_raudio
>insmod ip_masq_user
>insmod ip_masq_vdolive
>#----- IP Forwarding und Unterstuetzung dynamisch zugeteilter IP Adressen
aktivieren -----
>echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>echo "1" > /proc/sys/net/ipv4/ip_forward
>#----- Alle Regeln loeschen -----
>ipchains -F
>#----- Default Policy auf DENY setzen -----
>ipchains -P input DENY
>ipchains -P forward DENY 
>ipchains -P output DENY 
>#----- ip-spoofing verhindern -----
>ipchains -A input -i $DEV_INET -p tcp -s $LAN -j DENY -l
>#----- Loopback erlauben -----
>ipchains -A input -i lo -j ACCEPT
>ipchains -A output -i lo -j ACCEPT
>#----- alle Intranet Verbindungen erlauben -----
>ipchains -A input -i $DEV_LAN -s $LAN -j ACCEPT
>ipchains -A output -i $DEV_LAN -d $LAN -j ACCEPT
>#----- DNS Abfragen ins Internet erlauben, sowohl UDP als auch TCP -----
>ipchains -A output -i $DEV_INET -p udp -d $INET 53 -j ACCEPT
>ipchains -A input -i $DEV_INET -p udp -s $INET 53 -j ACCEPT
>ipchains -A output -i $DEV_INET -p tcp -d $INET 53 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 53 -j ACCEPT ! -y
>#----- HTTP erlauben -----
>ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y
>#----- HTTPS erlauben -----
>ipchains -A output -i $DEV_INET -p tcp -d $INET 443 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 443 -j ACCEPT ! -y
>#----- FTP erlauben -----
>ipchains -A output -i $DEV_INET -p tcp -d $INET 21 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 21 -j ACCEPT ! -y
>#----- Erweiterung fuer aktives FTP -----
>ipchains -A output -i $DEV_INET -p tcp -d $INET 20 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 20 -j ACCEPT
>#----- SSH ins Internet erlauben -----
>ipchains -A output -i $DEV_INET -p tcp -d $INET 22 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 22 -j ACCEPT ! -y
>#----- SMTP ins Internet erlauben -----
>ipchains -A output -i $DEV_INET -p tcp -d $INET 25 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 25 -j ACCEPT ! -y
>#----- POP3 ins Internet erlauben -----
>ipchains -A output -i $DEV_INET -p tcp -d $INET 110 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 110 -j ACCEPT ! -y
>ipchains -A output -i $DEV_INET -p tcp -d $INET 1023:65535 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 1023:65535 -j ACCEPT ! -y
>ipchains -A output -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT
>ipchains -A input -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT
>#----- Chain fuer ICMP erstellen -----
>ipchains -N icmp-out
>ipchains -A icmp-out -p icmp --icmp-type echo-reply -j DENY
>ipchains -A icmp-out -p icmp --icmp-type echo-request -j ACCEPT
>ipchains -A icmp-out -p icmp --icmp-type destination-unreachable -j ACCEPT
>ipchains -A icmp-out -p icmp --icmp-type source-quench -j ACCEPT
>ipchains -A icmp-out -p icmp --icmp-type time-exceeded -j ACCEPT
>ipchains -A icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT
>ipchains -N icmp-in
>ipchains -A icmp-in -p icmp --icmp-type echo-reply -j ACCEPT
>ipchains -A icmp-in -p icmp --icmp-type echo-request -j DENY
>ipchains -A icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT
>ipchains -A icmp-in -p icmp --icmp-type source-quench -j ACCEPT
>ipchains -A icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
>ipchains -A icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT
>#----- ICMP Pakete an Output Chain uebergeben -----
>ipchains -A output -p icmp -j icmp-out
>#----- ICMP Pakete an Input Chain uebergeben -----
>ipchains -A input -p icmp -j icmp-in
>#----- Masquerading aktivieren -----
>ipchains -A forward -s -d -j MASQ
>echo Firewall is up
>again the problem is nobody cant connect except from inside the lan
>thanks in advance
>Best regards,
> tim                          mailto:tim@atomstrahl.de
>To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
>with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        

Reply to: