Firewall
Hello list,
I have a DSL connection from Deutsche Telekom.
To surf over it from the whole LAN, I set up a Debian server
with a 2.4 kernel and an iptables firewall.
That works quite well, but some pages cannot be opened.
I have these problems only with larger domains such as
www.mercedes-benz.de, www.entrium.de and www.deutsche-bank-24.de.
If I switch the firewall functionality off, I can open these pages
on the server as well (so it must be the firewall).
I cannot find anything in the logs.
Where does this error come from? How can it be fixed?
Attached is my start script (/etc/init.d/firewall.start), cribbed from
http://beyond.linuxfromscratch.org/view/cvs/postlfs/firewall.html.
Many thanks in advance!
PaddyQL
-- /etc/init.d/firewall.start ------------------------------------------
#!/bin/sh
# Begin $rc_base/init.d/firewall
# Insert iptables modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT
iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT
# to ping the box from outside
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# avoid delays while accessing ftp-servers
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT
# avoid ip-spoofing
iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP
# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT
# do masquerading (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
# Log everything for debugging (last of all rules, but before DROP/REJECT)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
# simplify debugging and be fair to anyone try to access a disabled service
iptables -A INPUT -j REJECT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
# set a sane policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable ExplicitCongestionNotification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# activate TCPsyncookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# activate Route-Verification = IP-Spoofing_protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# activate IP-Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
--------------------------------------------------------------------
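An added example (my own shell function, not part of PaddyQL's mail or of the LFS script): the LOG rules write their lines to the kernel log, which syslog normally stores in /var/log/kern.log or /var/log/syslog, and because they sit just before the final REJECT and the DROP policies, every logged packet is one the firewall refused (except the outgoing ICMP type 3 that the rule after the OUTPUT LOG accepts). The function below summarises such lines by chain, interfaces, protocol and destination port or ICMP type/code; the sample log lines are constructed and use documentation addresses for the remote hosts.

```shell
#!/bin/sh
# Added example, not from the original mail: summarise the kernel log lines
# that the script's LOG rules produce. Reads /var/log/kern.log (or dmesg)
# on stdin and prints, most frequent first, a count per combination of
# chain, in-interface, out-interface, protocol and destination port
# (or ICMP type/code).
fw_log_summary() {
    grep 'FIREWALL:' | awk '
    {
        chain = ""; in_if = "-"; out_if = "-"; proto = "-"; detail = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FIREWALL:/) {
                chain = substr($i, 10)
                # a --log-prefix without a trailing space arrives glued to
                # IN= as one token, e.g. "FIREWALL:FORWARDIN=eth0": split it
                p = index(chain, "IN=")
                if (p > 0) { in_if = substr(chain, p + 3); chain = substr(chain, 1, p - 1) }
            }
            else if ($i ~ /^\[/)     break   # quoted inner packet of an ICMP error follows
            else if ($i ~ /^IN=/)    in_if  = substr($i, 4)
            else if ($i ~ /^OUT=/)   out_if = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto  = substr($i, 7)
            else if ($i ~ /^DPT=/)   detail = "dpt=" substr($i, 5)
            else if ($i ~ /^TYPE=/)  detail = "type=" substr($i, 6)
            else if ($i ~ /^CODE=/)  detail = detail "/code=" substr($i, 6)
        }
        if (in_if == "")  in_if  = "-"    # OUTPUT lines carry an empty IN=,
        if (out_if == "") out_if = "-"    # INPUT lines an empty OUT=
        count[chain " " in_if " " out_if " " proto " " detail]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample lines in the format the netfilter LOG target writes
# (remote hosts use documentation addresses; 217.80.140.3 is ppp0 above).
sample_log() {
    cat <<'EOF'
Jan 12 20:15:01 star kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=198.51.100.7 DST=217.80.140.3 LEN=56 TTL=250 PROTO=ICMP TYPE=3 CODE=4 [SRC=217.80.140.3 DST=198.51.100.20 LEN=1500 DF PROTO=TCP SPT=1040 DPT=80 ] MTU=1492
Jan 12 20:15:03 star kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=198.51.100.7 DST=217.80.140.3 LEN=56 TTL=250 PROTO=ICMP TYPE=3 CODE=4 [SRC=217.80.140.3 DST=198.51.100.20 LEN=1500 DF PROTO=TCP SPT=1040 DPT=80 ] MTU=1492
Jan 12 20:16:10 star kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.9 DST=217.80.140.3 LEN=48 TTL=112 DF PROTO=TCP SPT=3122 DPT=445 SYN URGP=0
Jan 12 20:16:11 star kernel: FIREWALL:FORWARDIN=eth0 OUT=ppp0 SRC=192.168.0.12 DST=198.51.100.20 LEN=40 TTL=127 DF PROTO=TCP SPT=1100 DPT=80 ACK URGP=0
Jan 12 20:17:30 star kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=217.80.140.3 DST=198.51.100.20 LEN=60 TTL=64 DF PROTO=TCP SPT=1041 DPT=80 SYN URGP=0
EOF
}

sample_log | fw_log_summary
```

Run against the real log with `fw_log_summary < /var/log/kern.log`; a line such as `INPUT ppp0 - ICMP type=3/code=4` counts ICMP "fragmentation needed" messages that arrived on ppp0 and were rejected.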
-- ifconfig --------------------------------------------------------
star:~# ifconfig
eth0 Protokoll:Ethernet Hardware Adresse 00:50:BF:1D:2E:B1
inet Adresse:192.168.0.1 Bcast:192.168.0.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9560 errors:0 dropped:0 overruns:0 frame:0
TX packets:25262 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:1229830 (1.1 MiB) TX bytes:31421866 (29.9 MiB)
Interrupt:15 Basisadresse:0xe000
eth1 Protokoll:Ethernet Hardware Adresse 00:60:08:4B:4B:7C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4456 errors:0 dropped:0 overruns:0 frame:0
TX packets:4076 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:1 Sendewarteschlangenlänge:100
RX bytes:3612521 (3.4 MiB) TX bytes:360202 (351.7 KiB)
Interrupt:11 Basisadresse:0xec00
lo Protokoll:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:52 errors:0 dropped:0 overruns:0 frame:0
TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:3580 (3.4 KiB) TX bytes:3580 (3.4 KiB)
ppp0 Protokoll:Punkt-zu-Punkt Verbindung
inet Adresse:217.80.140.3 P-z-P:62.225.255.237 Maske:255.255.255.255
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:4214 errors:0 dropped:0 overruns:0 frame:0
TX packets:3834 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:3
RX bytes:3504145 (3.3 MiB) TX bytes:261189 (255.0 KiB)
--------------------------------------------------------------------