Re: ssh + iptables

To: debian-user-german@lists.debian.org
Subject: Re: ssh + iptables
From: Marco Estrada Martinez <marco@marcomartinez.de>
Date: Fri, 21 Apr 2006 22:49:38 +0200
Message-id: <[🔎] 44494562.5060703@marcomartinez.de>
Reply-to: marco@marcomartinez.de
In-reply-to: <[🔎] 20060421194116.GF4566@u-v.de>
References: <[🔎] 44491480.6010904@marcomartinez.de> <[🔎] 20060421180917.GA4566@u-v.de> <[🔎] 44492396.1090301@marcomartinez.de> <[🔎] 20060421190036.GA6265@morpheus> <[🔎] 44492F1C.7010607@marcomartinez.de> <[🔎] 20060421194116.GF4566@u-v.de>

Ulf Volmer schrieb:

On Fri, Apr 21, 2006 at 09:14:36PM +0200, Marco Estrada Martinez wrote:
Andreas Pakulat schrieb:
Fehlermeldung, oder kommst du trotzdem nicht raus? Funktioniert dein
Masquerading, sprich gehen Dinge wie http, ftp und smtp? Hast du dort
evtl. was eingeschraenkt.

Andreas
naja garkeine Fehlermeldung. ich habe gerade mitbekommen das auch wennich dir firewall ausschalte ich vom lapi nicht ins internet pingen kann.http, ftp usw. gehen ja über den proxy. scheint also irgendeinallgemeines problem mit dem routing sein.
Wenn die FW *aus* ist, hast du niemanden, der das Masquerading erledigt.
(Poste doch mal die kompl. Regeln)


## komplettes Script
#!/bin/bash
# --------------------------------------------------------------------
# Copyright: (C) 2005 by MarcoMartinez.de
# Version: 1.0
# Author: Marco Estrada Martinez
# --------------------------------------------------------------------
# lines und columns ermitteln

#eval `stty size 2>/dev/null | (read L C; echo LINES=${L:-24}COLUMNS=${C:-80})`

#export LINES COLUMNS

# VARIABLEN
IPTABLES=`which iptables`
LAN_INTERFACE=wlan0
WWW_INTERFACE=eth0
LAN_IP_RANGE=192.168.23.0/24
LAN_BROADCAST=192.168.23.255
MY_LAN_IP=192.168.23.1
MY_WWW_IP=192.168.22.1
ERROR=0


# escapezeichen f|r ausgabe
#    esc=`echo -en "\033"`
#    warn="${esc}[1;31m"
#    done="${esc}[1;32m"
#    norm=`echo -en "${esc}[m\017"`
#    stat=`echo -en "\015${esc}[${COLUMNS}C${esc}[10D"`
#    extd="${esc}[1m"

#### FUNCTIONEN
function Result {
   # aufruf: $? len from outputstring
   # vars
#    strDone="${stat}${done}done${norm}"
#    strFailed="${stat}${warn}failed${norm}"

if test $1 -ne 0 ; then

#    echo $strFailed
   ERROR=$((ERROR + 1))
#    else
#    echo $strDone
   fi
}

case "$1" in
 start)

   echo -n "Starting Firewall "
   # $IPTABLES-Modul
   modprobe ip_tables
   Result $?

# Connection-Tracking-Module

   modprobe ip_conntrack
   Result $?

   # Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
   modprobe ip_conntrack_irc
   Result $?
   modprobe ip_conntrack_ftp
   Result $?

modprobe iptable_nat

   Result $?

modprobe ipt_MASQUERADE

   Result $?

modprobe ipt_REJECT

   Result $?

modprobe ipt_multiport

   Result $?

## ROUTING AKTIVIEREN

   echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
   Result $?

## MASQUERADING AKTIVIEREN$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -p all -o$WWW_INTERFACE -j MASQUERADE

   Result $?

# SYN-Cookies

   echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
   Result $?

   # Tabelle flushen
   #echo -n "Tables flushen ..."
   $IPTABLES -F
   Result $?
   $IPTABLES -t nat -F
   Result $?
   $IPTABLES -t mangle -F
   Result $?
   $IPTABLES -X
   Result $?
   $IPTABLES -t nat -X
   Result $?
   $IPTABLES -t mangle -X
   Result $?

   # Default-Policies setzen
   #echo -n "Default-Polices setzen ..."
   $IPTABLES -P INPUT DROP
   Result $?
   $IPTABLES -P OUTPUT DROP
   Result $?
   $IPTABLES -P FORWARD DROP
   Result $?

   # MY_REJECT-Chain
   $IPTABLES -N MY_REJECT
   Result $?

   # MY_REJECT fuellen

$IPTABLES -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG--log-prefix "REJECT TCP "

   Result $?
   $IPTABLES -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
   Result $?

$IPTABLES -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG--log-prefix "REJECT UDP "

   Result $?

$IPTABLES -A MY_REJECT -p udp -j REJECT --reject-withicmp-port-unreachable

   Result $?

$IPTABLES -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG--log-prefix "DROP ICMP "

   Result $?
   $IPTABLES -A MY_REJECT -p icmp -j DROP
   Result $?

$IPTABLES -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix"REJECT OTHER "

   Result $?
   $IPTABLES -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
   Result $?

   # MY_DROP-Chain
   $IPTABLES -N MY_DROP
   Result $?

$IPTABLES -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix"PORTSCAN DROP "

   Result $?
   $IPTABLES -A MY_DROP -j DROP
   Result $?

   # Alle verworfenen Pakete protokollieren

$IPTABLES -A INPUT -m state --state INVALID -m limit --limit 7200/h-j LOG --log-prefix "INPUT INVALID "

   Result $?

$IPTABLES -A OUTPUT -m state --state INVALID -m limit --limit 7200/h-j LOG --log-prefix "OUTPUT INVALID "

   Result $?

$IPTABLES -A FORWARD -m state --state INVALID -m limit --limit7200/h -j LOG --log-prefix "FORWARD INVALID "

   Result $?

   # Korrupte Pakete zurueckweisen
   $IPTABLES -A INPUT -m state --state INVALID -j DROP
   Result $?
   $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
   Result $?
   $IPTABLES -A FORWARD -m state --state INVALID -j DROP
   Result $?

   # Stealth Scans etc. DROPpen
   # Keine Flags gesetzt
   $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
   Result $?
   $IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
   Result $?

   # SYN und FIN gesetzt
   $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
   Result $?
   $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
   Result $?

   # SYN und RST gleichzeitig gesetzt
   $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
   Result $?
   $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
   Result $?

   # FIN und RST gleichzeitig gesetzt
   $IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
   Result $?
   $IPTABLES -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
   Result $?

   # FIN ohne ACK
   $IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
   Result $?
   $IPTABLES -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
   Result $?

   # PSH ohne ACK
   $IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
   Result $?
   $IPTABLES -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
   Result $?

   # URG ohne ACK
   $IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
   Result $?
   $IPTABLES -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
   Result $?

   # Loopback-Netzwerk-Kommunikation zulassen
   #echo -n "Loopback-Communication allowed ..."
   $IPTABLES -A INPUT -i lo -j ACCEPT
   Result $?
   $IPTABLES -A OUTPUT -o lo -j ACCEPT
   Result $?

# INTERNES LAN ALLES ERLAUBEN

   $IPTABLES -A INPUT -i $LAN_INTERFACE -j ACCEPT
   Result $?
   $IPTABLES -A OUTPUT -o $LAN_INTERFACE -j ACCEPT

# Maximum Segment Size (MSS) für das Forwarding an PMTU anpassen$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS--clamp-mss-to-pmtu

   Result $?

   # Connection-Tracking aktivieren
   $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
   Result $?

$IPTABLES -A FORWARD -i ! $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -j ACCEPT

   Result $?
   $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
   Result $?
   #$IPTABLES -A INPUT -s $LAN_IP_RANGE -j ACCEPT
   #Result $?
   $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   Result $?

# Interne Packete ins Inet forwarden

   $IPTABLES -A FORWARD -i $LAN_INTERFACE -o $WWW_INTERFACE -j ACCEPT
   Result $?

   # HTTPS
   #echo -n "Enabled port for HTTPS [443] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 443 -j ACCEPT

   Result $?

# CVS

   #echo -n "Enabled port for HTTPS [443] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 2401 -j ACCEPTResult $?

   # HTTP
   #echo -n "Enabled port for HTTP [80] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 80 -j ACCEPT

   Result $?

   # PROXY
   #echo -n "Enabled port for proxy [8080] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 8080 -j ACCEPT

   Result $?

# PSQL

   #echo -n "Enabled port for psql [5432] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 5432 -j ACCEPT

   Result $?

# SMTP

   #echo -n "Enabled port for smtp [25] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --state NEW -s$LAN_IP_RANGE -p tcp --dport 25 -j ACCEPT

   Result $?

   # SMTPS
   #echo -n "Enabled port for smtps [465] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 465 -j ACCEPT

   Result $?

   # POP3
   #echo -n "Disabled port for pop3 [110] ..."

#$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 110 -j MY_REJECT

   #Result $?

   # POP3S
   #echo -n "Enabled port fro pop3s [995] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 995 -j ACCEPT

   Result $?

   # DNS
   #echo -n "Enabled port for dns [53]..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 53 -j ACCEPT

   Result $?

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 53 -j ACCEPT

   Result $?

# DHCP

   #echo -n "Enabled port for dhcp [67]..."
   # Anforderung reinlassen

$IPTABLES -A INPUT -i $LAN_INTERFACE -s 0.0.0.0 -d 255.255.255.255-p udp --dport 67 -j ACCEPT$IPTABLES -A INPUT -i $LAN_INTERFACE -s $LAN_IP_RANGE -d255.255.255.255 -p udp --dport 67 -j ACCEPT

   Result $?
   # Antwort ausgeben

$IPTABLES -A OUTPUT -o $LAN_INTERFACE -s 192.168.23.1 -d255.255.255.255 -p udp --dport 68 -j ACCEPT

   Result $?
   # Bestätigung reinlassen

$IPTABLES -A INPUT -i $LAN_INTERFACE -s 192.168.23.1 -d255.255.255.255 -p udp --dport 68 -j ACCEPT# SCANNER XSANE#$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 6566 -j ACCEPT

   #Result $?

# CUPS

   #echo -n "Enabled port for cups [631]..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 631 -j ACCEPT

   Result $?

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 631 -j ACCEPT

   Result $?

$IPTABLES -A INPUT -i lo -m state --state NEW -p tcp --dport 631 -jACCEPT

   Result $?

$IPTABLES -A INPUT -i lo -m state --state NEW -p udp --dport 631 -jACCEPT

   Result $?

# SMB/CIFS

   #echo -n "Enabled ports for samba [137/138/139] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 137:139 -j ACCEPT

   Result $?

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 137:139 -j ACCEPT

   Result $?

$IPTABLES -A OUTPUT -o $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 137:139 -jACCEPTResult $?

   # für win netzwerkverbindung broadcast vom samba erlauben

$IPTABLES -A OUTPUT -o $LAN_INTERFACE -d $LAN_BROADCAST -s$MY_LAN_IP -p udp --sport 137:138 -j ACCEPT

   Result $?

   # SSH
   #echo -n "Enabled port for ssh [22] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 22 -j ACCEPT

   Result $?

$IPTABLES -A FORWARD -o $WWW_INTERFACE -m state --state NEW -p tcp--dport 22 -i $LAN_INTERFACE -s $LAN_IP_RANGE -j ACCEPT

   Result $?

# NFS

   #echo -n "Enabled port for nfs [111] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 111 -j ACCEPT

   Result $?

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 111 -j ACCEPTResult $?# NTP

   #echo -n "Enabled port for ntp [123] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 123 -j ACCEPT

   Result $?

# WEBMIN

   #echo -n "Enabled port for webmin [10000] ..."

$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p tcp --dport 10000 -j ACCEPTResult $?$IPTABLES -A INPUT -i $LAN_INTERFACE -m state --stateNEW,ESTABLISHED,RELATED -s $LAN_IP_RANGE -p udp --dport 53 -j ACCEPT

   Result $?

# ICMP Echo-Request (ping) verweigern$IPTABLES -A INPUT -m state --state NEW -p icmp --icmp-typeecho-request -j MY_DROP

   Result $?

# Default-Policies mit REJECT

   $IPTABLES -A INPUT -j MY_REJECT
   Result $?
   $IPTABLES -A OUTPUT -j MY_REJECT
   Result $?
   $IPTABLES -A FORWARD -j MY_REJECT
   Result $?

   # Stop Source-Routing

for i in /proc/sys/net/ipv4/conf/*; do echo 0 >$i/accept_source_route 2> /dev/null; done

   Result $?

# Stop Redirectingfor i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects2> /dev/null; done

   Result $?

# Reverse-Path-Filterfor i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2>/dev/null; done

   Result $?

# Log Martiansfor i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2>/dev/null; done

   Result $?

# BOOTP-Relaying ausschaltenfor i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2>/dev/null; done

   Result $?

# Proxy-ARP ausschaltenfor i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2>/dev/null; done

   Result $?

# Ungültige ICMP-Antworten ignorierenecho 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2>/dev/null

   Result $?

# ICMP Echo-Broadcasts ignorieren

   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
   Result $?

# Max. 500/Sekunde (5/Jiffie) senden

   echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
   Result $?

# Speicherallozierung und -timing für IP-De/-Fragmentierung

   echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
   Result $?
   echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
   Result $?
   echo 30 > /proc/sys/net/ipv4/ipfrag_time
   Result $?

   # TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
   echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
   Result $?

   # Maximal 3 Antworten auf ein TCP-SYN
   echo 3 > /proc/sys/net/ipv4/tcp_retries1
   Result $?

   # TCP-Pakete maximal 15x wiederholen
   echo 15 > /proc/sys/net/ipv4/tcp_retries2
   Result $?

if(test $ERROR -eq 0) ; then

   echo "."
   else
   echo "FAILED"
   $0 stop
   fi

   ;;

 stop)
   echo -n "Stopping Firewall "
   # Tabelle flushen
   $IPTABLES -F
   Result $?
   $IPTABLES -t nat -F
   Result $?
   $IPTABLES -t mangle -F
   Result $?
   $IPTABLES -X
   Result $?
   $IPTABLES -t nat -X
   Result $?
   $IPTABLES -t mangle -X
   Result $?
   #echo "Deaktiviere IP-Routing"
   echo 0 > /proc/sys/net/ipv4/ip_forward
   Result $?

   # Default-Policies setzen
   $IPTABLES -P INPUT ACCEPT
   Result $?
   $IPTABLES -P OUTPUT ACCEPT
   Result $?
   $IPTABLES -P FORWARD ACCEPT
   Result $?

if(test $ERROR -eq 0) ; then

   echo "."
   else
   echo "FAILED"
   fi

;;restart)

   $0 stop
   sleep 1
   $0 start
   ;;

 status)
   echo "Tabelle filter"
   $IPTABLES -L -vn
   echo "Tabelle nat"
   $IPTABLES -t nat -L -vn
   echo "Tabelle mangle"
   $IPTABLES -t mangle -L -vn
   ;;

 *)
   echo "Usage: $0 {start|stop|restart|status}"
   exit 1
   ;;

esac

Wenn du bisher via Proxy ist Netz gehst, ist ggf, auf dem Laptop keine
(korrekte) Defaultroute gesetzt?

ausgabe von route auf dem laptop:

Kernel IP Routentabelle

Ziel Router Genmask FlagsMetric Ref Use Iface192.168.23.0 * 255.255.255.0 U 00 0 wlan0localnet * 255.255.255.0 U0 0 0 eth0default morpheus.matrix 0.0.0.0 UG 00 0 wlan0

cu
ulf

Reply to:

Follow-Ups:
- Re: ssh + iptables
  - From: Andreas Pakulat <apaku@gmx.de>

References:
- ssh + iptables
  - From: Marco Estrada Martinez <marco@marcomartinez.de>
- Re: ssh + iptables
  - From: Ulf Volmer <u.volmer@u-v.de>
- Re: ssh + iptables
  - From: Marco Estrada Martinez <marco@marcomartinez.de>
- Re: ssh + iptables
  - From: Andreas Pakulat <apaku@gmx.de>
- Re: ssh + iptables
  - From: Marco Estrada Martinez <marco@marcomartinez.de>
- Re: ssh + iptables
  - From: Ulf Volmer <u.volmer@u-v.de>

Prev by Date: Re: Gnome Terminal spinnt
Next by Date: Re: Apache2 beendet sich selber
Previous by thread: Re: ssh + iptables
Next by thread: Re: ssh + iptables
Index(es):
- Date
- Thread