[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re[2]: firewall script fighting

Hello Ray and others,

thanks for fast response:

RO> You need to clarify a detail: what is the IP address of "my server"?

RO> If it is a server on the LAN (with an address in the range),
RO> you need to set up port forwarding to reach it. The relevant app is
RO> "ipmasqadm". You will also need to open the router to traffic to the ports
RO> you want to forward, as in the next paragraph.

the server is the router itself (potato). the router=server ist
connected to the internet via isdn and i am on dynamic IP.

RO> If it is the router itself, you need to be more specific than "nobody can
RO> connect to my server". As I read your ruleset, you have not opened any
RO> destination ports in the typical range (1-1024) for standard services. For
RO> each service you want to make accessable, you need an input-chain rule
RO> something like this:

RO>     ipchains -A input -i $DEV_INET -p tcp -d a.b.c.d/32 443 -j ACCEPT

hm, i thought i did open specific services, for example:

#----- HTTP erlauben ----->
ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y

where $INET=, maybe this is my mistake. do i have to enter
the real IP of the external interface? this would mean i have to reget
my ip every time i reconnect to internet cause i am on dialup ?

RO> where a.b.c.d is the IP address of your external interface (which you do not
RO> appear to have a shell variable for), and you replace "443" and "tcp" with
RO> the actual port and protocol for the service you want to offer. You may also
RO> need additional output-chain rules ... I did not check that part.

do i need to define the shellvariable $INET in such way:
INET=$(/sbin/ifconfig | /bin/grep P-t-P | /usr/bin/cut -c 21-38 | awk '{print $1}' )
and put the firewallscript in /etc/ppp/ip-up or link from there?

the current firewall-script is /etc/init.d/firewall and i link to it
from /etc/rc2.d/S20firewall. is this actually the common way to start
scripts at startup?

thanks again

RO> At 05:20 PM 4/1/01 +0200, tim@atomstrahl.de wrote:
>>i try to setup a firewall for my lan. i want to be invissible to the
>>internet (no respond to a ping), but i want to allow some specific
>>connects. my script i have so far makes me invissible and i can surf
>>the web..., but nobody can connect to my server.
>>maybe you easiely find some errors:
>># Firewall Skript
>>insmod ip_masq_cuseeme
>>insmod ip_masq_ftp
>>insmod ip_masq_irc
>>insmod ip_masq_quake
>>insmod ip_masq_raudio
>>insmod ip_masq_user
>>insmod ip_masq_vdolive
>>#----- IP Forwarding und Unterstuetzung dynamisch zugeteilter IP Adressen
RO> aktivieren -----
>>echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>>echo "1" > /proc/sys/net/ipv4/ip_forward
>>#----- Alle Regeln loeschen -----
>>ipchains -F
>>#----- Default Policy auf DENY setzen -----
>>ipchains -P input DENY
>>ipchains -P forward DENY 
>>ipchains -P output DENY 
>>#----- ip-spoofing verhindern -----
>>ipchains -A input -i $DEV_INET -p tcp -s $LAN -j DENY -l
>>#----- Loopback erlauben -----
>>ipchains -A input -i lo -j ACCEPT
>>ipchains -A output -i lo -j ACCEPT
>>#----- alle Intranet Verbindungen erlauben -----
>>ipchains -A input -i $DEV_LAN -s $LAN -j ACCEPT
>>ipchains -A output -i $DEV_LAN -d $LAN -j ACCEPT
>>#----- DNS Abfragen ins Internet erlauben, sowohl UDP als auch TCP -----
>>ipchains -A output -i $DEV_INET -p udp -d $INET 53 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p udp -s $INET 53 -j ACCEPT
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 53 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 53 -j ACCEPT ! -y
>>#----- HTTP erlauben -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y
>>#----- HTTPS erlauben -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 443 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 443 -j ACCEPT ! -y
>>#----- FTP erlauben -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 21 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 21 -j ACCEPT ! -y
>>#----- Erweiterung fuer aktives FTP -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 20 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 20 -j ACCEPT
>>#----- SSH ins Internet erlauben -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 22 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 22 -j ACCEPT ! -y
>>#----- SMTP ins Internet erlauben -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 25 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 25 -j ACCEPT ! -y
>>#----- POP3 ins Internet erlauben -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 110 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 110 -j ACCEPT ! -y
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 1023:65535 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 1023:65535 -j ACCEPT ! -y
>>ipchains -A output -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT
>>#----- Chain fuer ICMP erstellen -----
>>ipchains -N icmp-out
>>ipchains -A icmp-out -p icmp --icmp-type echo-reply -j DENY
>>ipchains -A icmp-out -p icmp --icmp-type echo-request -j ACCEPT
>>ipchains -A icmp-out -p icmp --icmp-type destination-unreachable -j ACCEPT
>>ipchains -A icmp-out -p icmp --icmp-type source-quench -j ACCEPT
>>ipchains -A icmp-out -p icmp --icmp-type time-exceeded -j ACCEPT
>>ipchains -A icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT
>>ipchains -N icmp-in
>>ipchains -A icmp-in -p icmp --icmp-type echo-reply -j ACCEPT
>>ipchains -A icmp-in -p icmp --icmp-type echo-request -j DENY
>>ipchains -A icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT
>>ipchains -A icmp-in -p icmp --icmp-type source-quench -j ACCEPT
>>ipchains -A icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
>>ipchains -A icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT
>>#----- ICMP Pakete an Output Chain uebergeben -----
>>ipchains -A output -p icmp -j icmp-out
>>#----- ICMP Pakete an Input Chain uebergeben -----
>>ipchains -A input -p icmp -j icmp-in
>>#----- Masquerading aktivieren -----
>>ipchains -A forward -s -d -j MASQ
>>echo Firewall is up
>>again the problem is nobody cant connect except from inside the lan
>>thanks in advance
>>Best regards,
>> tim                          mailto:tim@atomstrahl.de
>>To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
>>with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

RO> --
RO> ------------------------------------"Never tell me the odds!"---
RO> Ray Olszewski                                        -- Han Solo
RO> Palo Alto, CA                                    ray@comarre.com        
RO> ----------------------------------------------------------------

RO> --  
RO> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
RO> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Best regards,
 tim                            mailto:tim@atomstrahl.de

Reply to: