Re: ssh + iptables
Ulf Volmer schrieb:
On Fri, Apr 21, 2006 at 09:14:36PM +0200, Marco Estrada Martinez wrote:
Andreas Pakulat schrieb:
Fehlermeldung, oder kommst du trotzdem nicht raus? Funktioniert dein
Masquerading, sprich gehen Dinge wie http, ftp und smtp? Hast du dort
evtl. was eingeschraenkt.
Andreas
naja garkeine Fehlermeldung. ich habe gerade mitbekommen das auch wenn
ich dir firewall ausschalte ich vom lapi nicht ins internet pingen kann.
http, ftp usw. gehen ja über den proxy. scheint also irgendein
allgemeines problem mit dem routing sein.
Wenn die FW *aus* ist, hast du niemanden, der das Masquerading erledigt.
(Poste doch mal die kompl. Regeln)
## komplettes Script
#!/bin/bash
# --------------------------------------------------------------------
# Copyright: (C) 2005 by MarcoMartinez.de
# Version: 1.0
# Author: Marco Estrada Martinez
# --------------------------------------------------------------------
# lines und columns ermitteln
#eval `stty size 2>/dev/null | (read L C; echo LINES=${L:-24}
COLUMNS=${C:-80})`
#export LINES COLUMNS
# VARIABLEN
IPTABLES=`which iptables`
LAN_INTERFACE=wlan0
WWW_INTERFACE=eth0
LAN_IP_RANGE=192.168.23.0/24
LAN_BROADCAST=192.168.23.255
MY_LAN_IP=192.168.23.1
MY_WWW_IP=192.168.22.1
ERROR=0
# escapezeichen f|r ausgabe
# esc=`echo -en "\033"`
# warn="${esc}[1;31m"
# done="${esc}[1;32m"
# norm=`echo -en "${esc}[m\017"`
# stat=`echo -en "\015${esc}[${COLUMNS}C${esc}[10D"`
# extd="${esc}[1m"
#### FUNCTIONEN
function Result {
# aufruf: $? len from outputstring
# vars
# strDone="${stat}${done}done${norm}"
# strFailed="${stat}${warn}failed${norm}"
if test $1 -ne 0 ; then
# echo $strFailed
ERROR=$((ERROR + 1))
# else
# echo $strDone
fi
}
case "$1" in
start)
echo -n "Starting Firewall "
# $IPTABLES-Modul
modprobe ip_tables
Result $?
# Connection-Tracking-Module
modprobe ip_conntrack
Result $?
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
Result $?
modprobe ip_conntrack_ftp
Result $?
modprobe iptable_nat
Result $?
modprobe ipt_MASQUERADE
Result $?
modprobe ipt_REJECT
Result $?
modprobe ipt_multiport
Result $?
## ROUTING AKTIVIEREN
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
Result $?
## MASQUERADING AKTIVIEREN
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -p all -o
$WWW_INTERFACE -j MASQUERADE
Result $?
# SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
Result $?
# Tabelle flushen
#echo -n "Tables flushen ..."
$IPTABLES -F
Result $?
$IPTABLES -t nat -F
Result $?
$IPTABLES -t mangle -F
Result $?
$IPTABLES -X
Result $?
$IPTABLES -t nat -X
Result $?
$IPTABLES -t mangle -X
Result $?
# Default-Policies setzen
#echo -n "Default-Polices setzen ..."
$IPTABLES -P INPUT DROP
Result $?
$IPTABLES -P OUTPUT DROP
Result $?
$IPTABLES -P FORWARD DROP
Result $?
# MY_REJECT-Chain
$IPTABLES -N MY_REJECT
Result $?
# MY_REJECT fuellen
$IPTABLES -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG
--log-prefix "REJECT TCP "
Result $?
$IPTABLES -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
Result $?
$IPTABLES -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG
--log-prefix "REJECT UDP "
Result $?
$IPTABLES -A MY_REJECT -p udp -j REJECT --reject-with
icmp-port-unreachable
Result $?
$IPTABLES -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG
--log-prefix "DROP ICMP "
Result $?
$IPTABLES -A MY_REJECT -p icmp -j DROP
Result $?
$IPTABLES -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix
"REJECT OTHER "
Result $?
$IPTABLES -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
Result $?
# MY_DROP-Chain
$IPTABLES -N MY_DROP
Result $?
$IPTABLES -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix
"PORTSCAN DROP "
Result $?
$IPTABLES -A MY_DROP -j DROP
Result $?
# Alle verworfenen Pakete protokollieren
$IPTABLES -A INPUT -m state --state INVALID -m limit --limit 7200/h
-j LOG --log-prefix "INPUT INVALID "
Result $?
$IPTABLES -A OUTPUT -m state --state INVALID -m limit --limit 7200/h
-j LOG --log-prefix "OUTPUT INVALID "
Result $?
$IPTABLES -A FORWARD -m state --state INVALID -m limit --limit
7200/h -j LOG --log-prefix "FORWARD INVALID "
Result $?
# Korrupte Pakete zurueckweisen
$IPTABLES -A INPUT -m state --state INVALID -j DROP
Result $?
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
Result $?
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
Result $?
# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
Result $?
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
Result $?
# SYN und FIN gesetzt
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
Result $?
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
Result $?
# SYN und RST gleichzeitig gesetzt
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
Result $?
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
Result $?
# FIN und RST gleichzeitig gesetzt
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
Result $?
$IPTABLES -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
Result $?
# FIN ohne ACK
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
Result $?
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
Result $?
# PSH ohne ACK
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
Result $?
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
Result $?
# URG ohne ACK
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
Result $?
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
Result $?
# Loopback-Netzwerk-Kommunikation zulassen
#echo -n "Loopback-Communication allowed ..."
$IPTABLES -A INPUT -i lo -j ACCEPT
Result $?
$IPTABLES -A OUTPUT -o lo -j ACCEPT
Result $?
# INTERNES LAN ALLES ERLAUBEN
$IPTABLES -A INPUT -i $LAN_INTERFACE -j ACCEPT
Result $?
$IPTABLES -A OUTPUT -o $LAN_INTERFACE -j ACCEPT
# Maximum Segment Size (MSS) für das Forwarding an PMTU anpassen
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
Result $?
# Connection-Tracking aktivieren
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Result $?
$IPTABLES -A FORWARD -i ! $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
Result $?
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Result $?
#$IPTABLES -A INPUT -s $LAN_IP_RANGE -j ACCEPT
#Result $?
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Result $?
# Interne Packete ins Inet forwarden
$IPTABLES -A FORWARD -i $LAN_INTERFACE -o $WWW_INTERFACE -j ACCEPT
Result $?
# HTTPS
#echo -n "Enabled port for HTTPS [443] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 443 -j ACCEPT
Result $?
# CVS
#echo -n "Enabled port for HTTPS [443] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 2401 -j ACCEPT
Result $?
# HTTP
#echo -n "Enabled port for HTTP [80] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 80 -j ACCEPT
Result $?
# PROXY
#echo -n "Enabled port for proxy [8080] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 8080 -j ACCEPT
Result $?
# PSQL
#echo -n "Enabled port for psql [5432] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 5432 -j ACCEPT
Result $?
# SMTP
#echo -n "Enabled port for smtp [25] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state NEW -s
$LAN_IP_RANGE -p tcp --dport 25 -j ACCEPT
Result $?
# SMTPS
#echo -n "Enabled port for smtps [465] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 465 -j ACCEPT
Result $?
# POP3
#echo -n "Disabled port for pop3 [110] ..."
#$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 110 -j MY_REJECT
#Result $?
# POP3S
#echo -n "Enabled port fro pop3s [995] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 995 -j ACCEPT
Result $?
# DNS
#echo -n "Enabled port for dns [53]..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 53 -j ACCEPT
Result $?
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 53 -j ACCEPT
Result $?
# DHCP
#echo -n "Enabled port for dhcp [67]..."
# Anforderung reinlassen
$IPTABLES -A INPUT -i $LAN_INTERFACE -s 0.0.0.0 -d 255.255.255.255
-p udp --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $LAN_INTERFACE -s $LAN_IP_RANGE -d
255.255.255.255 -p udp --dport 67 -j ACCEPT
Result $?
# Antwort ausgeben
$IPTABLES -A OUTPUT -o $LAN_INTERFACE -s 192.168.23.1 -d
255.255.255.255 -p udp --dport 68 -j ACCEPT
Result $?
# Bestätigung reinlassen
$IPTABLES -A INPUT -i $LAN_INTERFACE -s 192.168.23.1 -d
255.255.255.255 -p udp --dport 68 -j ACCEPT
# SCANNER XSANE
#$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 6566 -j ACCEPT
#Result $?
# CUPS
#echo -n "Enabled port for cups [631]..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 631 -j ACCEPT
Result $?
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 631 -j ACCEPT
Result $?
$IPTABLES -A INPUT -i lo -m state --state NEW -p tcp --dport 631 -j
ACCEPT
Result $?
$IPTABLES -A INPUT -i lo -m state --state NEW -p udp --dport 631 -j
ACCEPT
Result $?
# SMB/CIFS
#echo -n "Enabled ports for samba [137/138/139] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 137:139 -j ACCEPT
Result $?
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 137:139 -j ACCEPT
Result $?
$IPTABLES -A OUTPUT -o $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 137:139 -j
ACCEPT
Result $?
# für win netzwerkverbindung broadcast vom samba erlauben
$IPTABLES -A OUTPUT -o $LAN_INTERFACE -d $LAN_BROADCAST -s
$MY_LAN_IP -p udp --sport 137:138 -j ACCEPT
Result $?
# SSH
#echo -n "Enabled port for ssh [22] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 22 -j ACCEPT
Result $?
$IPTABLES -A FORWARD -o $WWW_INTERFACE -m state --state NEW -p tcp
--dport 22 -i $LAN_INTERFACE -s $LAN_IP_RANGE -j ACCEPT
Result $?
# NFS
#echo -n "Enabled port for nfs [111] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 111 -j ACCEPT
Result $?
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 111 -j ACCEPT
Result $?
# NTP
#echo -n "Enabled port for ntp [123] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 123 -j ACCEPT
Result $?
# WEBMIN
#echo -n "Enabled port for webmin [10000] ..."
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 10000 -j ACCEPT
Result $?
$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state
NEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 53 -j ACCEPT
Result $?
# ICMP Echo-Request (ping) verweigern
$IPTABLES -A INPUT -m state --state NEW -p icmp --icmp-type
echo-request -j MY_DROP
Result $?
# Default-Policies mit REJECT
$IPTABLES -A INPUT -j MY_REJECT
Result $?
$IPTABLES -A OUTPUT -j MY_REJECT
Result $?
$IPTABLES -A FORWARD -j MY_REJECT
Result $?
# Stop Source-Routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 >
$i/accept_source_route 2> /dev/null; done
Result $?
# Stop Redirecting
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects
2> /dev/null; done
Result $?
# Reverse-Path-Filter
for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2>
/dev/null; done
Result $?
# Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2>
/dev/null; done
Result $?
# BOOTP-Relaying ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2>
/dev/null; done
Result $?
# Proxy-ARP ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2>
/dev/null; done
Result $?
# Ungültige ICMP-Antworten ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2>
/dev/null
Result $?
# ICMP Echo-Broadcasts ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
Result $?
# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
Result $?
# Speicherallozierung und -timing für IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
Result $?
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
Result $?
echo 30 > /proc/sys/net/ipv4/ipfrag_time
Result $?
# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
Result $?
# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
Result $?
# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2
Result $?
if(test $ERROR -eq 0) ; then
echo "."
else
echo "FAILED"
$0 stop
fi
;;
stop)
echo -n "Stopping Firewall "
# Tabelle flushen
$IPTABLES -F
Result $?
$IPTABLES -t nat -F
Result $?
$IPTABLES -t mangle -F
Result $?
$IPTABLES -X
Result $?
$IPTABLES -t nat -X
Result $?
$IPTABLES -t mangle -X
Result $?
#echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
Result $?
# Default-Policies setzen
$IPTABLES -P INPUT ACCEPT
Result $?
$IPTABLES -P OUTPUT ACCEPT
Result $?
$IPTABLES -P FORWARD ACCEPT
Result $?
if(test $ERROR -eq 0) ; then
echo "."
else
echo "FAILED"
fi
;;
restart)
$0 stop
sleep 1
$0 start
;;
status)
echo "Tabelle filter"
$IPTABLES -L -vn
echo "Tabelle nat"
$IPTABLES -t nat -L -vn
echo "Tabelle mangle"
$IPTABLES -t mangle -L -vn
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
;;
esac
Wenn du bisher via Proxy ist Netz gehst, ist ggf, auf dem Laptop keine
(korrekte) Defaultroute gesetzt?
ausgabe von route auf dem laptop:
Kernel IP Routentabelle
Ziel Router Genmask Flags
Metric Ref Use Iface
192.168.23.0 * 255.255.255.0 U 0
0 0 wlan0
localnet * 255.255.255.0 U
0 0 0 eth0
default morpheus.matrix 0.0.0.0 UG 0
0 0 wlan0
cu
ulf
Reply to: