iptables: problem with name resolution
Hello list,
I am currently trying to lock down my network with iptables. For that I followed
http://www.online-tutorials.net/internet-netzwerk/iptables-tutorial/tutorials-t-29-214.html
but now I have a problem with name resolution.
"ping IP" works without problems, while e.g. "ping google.de" only reports "unknown host".
The corresponding script looks like this:
#!/bin/bash
IPTABLES=/sbin/iptables
EXT_DEV=eth1
INT_NET=192.168.0.0/24
#Ports to Forward
FORWARD_1_TCP="21,22,25,53,80,110,119,443,1716,1717,1718,1719"
FORWARD_2_TCP="2341,2342,5050,5190,5222,6667,6668,8000,8080"
FORWARD_UDP="53,1716,1717,1718,1719"
#Ports on which you have to accept output
OUTPUT_TCP="21,22,53,80,2342"
OUTPUT_UDP="21,22,53,80"
#Ports on which you have to accept input
INPUT_TCP="21,22,53,80,2342"
INPUT_UDP="21,22,53,80"
case $1 in
    start)
        #Load Modules
        modprobe iptable_nat
        echo "Module loaded"
        #Flush Tables
        $IPTABLES -t filter -F INPUT
        $IPTABLES -t filter -F OUTPUT
        $IPTABLES -t filter -F FORWARD
        $IPTABLES -t nat -F POSTROUTING
        echo "Tables flushed"
        #Activate Forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "Forwarding activated"
        #Activate Postrouting
        $IPTABLES -t nat -A POSTROUTING -o $EXT_DEV -s $INT_NET -j MASQUERADE
        echo 1 > /proc/sys/net/ipv4/ip_dynaddr
        echo "Postrouting activated"
        #Set Policy to DROP
        $IPTABLES -t filter -P INPUT DROP
        $IPTABLES -t filter -P OUTPUT DROP
        $IPTABLES -t filter -P FORWARD DROP
        echo "Policies set to DROP"
        #Accept Local Loops
        $IPTABLES -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
        echo "Local Loops accepted"
        #Accept ICMP
        $IPTABLES -t filter -A FORWARD -p icmp -j ACCEPT
        $IPTABLES -t filter -A OUTPUT -p icmp -j ACCEPT
        $IPTABLES -t filter -A INPUT -p icmp -j ACCEPT
        echo "ICMP accepted"
        #Accept non-SYN TCP (replies to connections opened from here)
        $IPTABLES -t filter -A OUTPUT -p tcp ! --syn -j ACCEPT
        $IPTABLES -t filter -A FORWARD -p tcp ! --syn -j ACCEPT
        $IPTABLES -t filter -A INPUT -p tcp ! --syn -j ACCEPT
        echo "SYN accepted"
        #Forwarding
        $IPTABLES -t filter -A FORWARD -p tcp -m multiport --dport $FORWARD_1_TCP -j ACCEPT
        $IPTABLES -t filter -A FORWARD -p tcp -m multiport --dport $FORWARD_2_TCP -j ACCEPT
        $IPTABLES -t filter -A FORWARD -p udp -m multiport --dport $FORWARD_UDP -j ACCEPT
        echo "Forwarding rules were set"
        #Input
        $IPTABLES -t filter -A INPUT -p tcp -m multiport --dport $INPUT_TCP -j ACCEPT
        $IPTABLES -t filter -A INPUT -p udp -m multiport --dport $INPUT_UDP -j ACCEPT
        echo "Input rules were set"
        #Output
        $IPTABLES -t filter -A OUTPUT -p tcp -m multiport --dport $OUTPUT_TCP -j ACCEPT
        $IPTABLES -t filter -A OUTPUT -p udp -m multiport --dport $OUTPUT_UDP -j ACCEPT
        $IPTABLES -t filter -A OUTPUT -o $EXT_DEV -d 0.0.0.0/0 -p tcp -m multiport --dport $FORWARD_1_TCP -j ACCEPT
        $IPTABLES -t filter -A OUTPUT -o $EXT_DEV -d 0.0.0.0/0 -p tcp -m multiport --dport $FORWARD_2_TCP -j ACCEPT
        echo "Output rules were set"
        echo "ALL rules were set"
        echo "Firewall & Routing activated"
        ;;
    stop)
        $IPTABLES -t filter -F INPUT
        $IPTABLES -t filter -F OUTPUT
        $IPTABLES -t filter -F FORWARD
        $IPTABLES -t nat -F POSTROUTING
        ;;
    restart)
        $0 stop && $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        ;;
esac
iptables -L -v outputs this:
--
Claudius Hubig
"There are Linux dropouts too. But the relapse rate rises with every Win version." (Walter Saner)
224491597 | Y!M: opensource2017 | claudiushubig.tk | opensource2017@jabber.ccc.de
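An added example, not part of the original post or the linked tutorial, that models why the posted ruleset breaks name resolution: a DNS answer is a UDP datagram from port 53 to an ephemeral port, the INPUT chain only accepts UDP with destination port 21, 22, 53 or 80, and unlike TCP there is no `! --syn` rule that lets replies through, so the answer hits the DROP policy while ping by IP (ICMP) and TCP connections still work. The function names, the conntrack `ESTABLISHED,RELATED` fix and the constructed packets are mine; `IPTABLES=echo` dry-runs the rule function instead of touching the kernel.

```shell
#!/bin/bash
# Added example (not the poster's code): model of the posted INPUT chain
# plus the conntrack rule that lets DNS replies back in. Verdict functions
# mimic iptables first-match evaluation; apply_stateful_rules emits real
# commands and can be dry-run with IPTABLES=echo. Ports are from the script.

# INPUT chain as the posted script builds it (policy DROP).
# args: proto sport dport tcpflags   (tcpflags: syn | synack | ack | -)
original_input_verdict() {
    local proto=$1 dport=$3 flags=${4:--}
    [ "$proto" = icmp ] && { echo ACCEPT; return; }
    # "-p tcp ! --syn" accepts every segment except a bare SYN, so the
    # SYN/ACK of a connection this host opened gets in. UDP has no such rule.
    [ "$proto" = tcp ] && [ "$flags" != syn ] && { echo ACCEPT; return; }
    case "$proto:$dport" in
        tcp:21|tcp:22|tcp:53|tcp:80|tcp:2342) echo ACCEPT ;;
        udp:21|udp:22|udp:53|udp:80)          echo ACCEPT ;;
        *) echo DROP ;;   # chain policy: a DNS reply to port 40123 ends here
    esac
}

# Same chain with one conntrack rule in front of it.
# args: proto sport dport tcpflags ctstate  (ctstate: NEW|ESTABLISHED|RELATED)
stateful_input_verdict() {
    case "${5:-NEW}" in
        ESTABLISHED|RELATED) echo ACCEPT ;;
        *) original_input_verdict "$1" "$2" "$3" "$4" ;;
    esac
}

# The fix: insert the conntrack rule at position 1 of every chain.
# FORWARD needs it too, or the LAN clients' DNS replies are dropped the
# same way; with it in place the per-port rules only have to admit NEW.
apply_stateful_rules() {
    local ipt=${IPTABLES:-/sbin/iptables} chain
    for chain in INPUT OUTPUT FORWARD; do
        "$ipt" -t filter -I "$chain" 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}
```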