
Firehol only allows external access; local network is locked out



Good day debian-user-german,

Hello!

The scenario is as follows:
1) There is a WLAN AP which is also the gateway for the entire network.
Attached to it are:
a) one or more Windows clients,
b) a Debian machine with Firehol installed and enabled. Technically the
machine has two network interfaces (eth0 + eth1), but only eth0 is in
use. In addition, OpenVPN access into the private network is offered
via tun0.

2) The GW is configured so that requests on certain ports (e.g. port 22)
are forwarded to the Debian machine so that it can be administered
remotely. Naturally this port is also opened on the Debian box. So
administration from OUTSIDE is possible.

Problem: I can only establish a connection to the Debian box from the
local network if I disable its firewall (this applies to all opened
ports). But then OpenVPN no longer works properly.

So in order to reach the machine from the internal network, I first have
to log in to a machine outside the local network and from there / via
that machine switch off the firewall on my Debian box.
That is annoying. Is there an alternative? I have attached the firewall
config... see below.

The kernel firewall components are all built as modules.

Thanks for your help, and please do not hesitate to ask questions.

One more small thing: from Sun. 29.10. I will be unreachable for about
a week.

I am using Debian sarge with
debian:/var/log# uname -r
2.6.17.13
debian:/var/log# iptables -V
iptables v1.2.11
debian:/var/log# firehol --version
: firehol.sh,v 1.231 2004/11/01 00:13:00 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.


cu,
Stefan

So here is my Firehol config. To make this work, I defined a new
service (for OpenVPN) and put it on port 443.

# ----------------------------------------------------------------------------
# CUSTOM SERVICES
# ----------------------------------------------------------------------------
# See the section "Adding Services" in the documentation

# Example service x, listening on port TCP/z
# > server_x_ports="tcp/z"
# > client_x_ports="default"

server_openvpn_ports="tcp/21"
client_openvpn_ports="any"

## Settings for openVPN:
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -i lo -j ACCEPT

iptables -A OUTPUT -o tun+ -j ACCEPT

# for DefaultGW operations of OpenVPN:
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE


FIREHOL_LOG_MODE="ULOG"
FIREHOL_LOG_LEVEL="--log-level warning"
FIREHOL_LOG_OPTIONS="--log-tcp-options --log-ip-options"
FIREHOL_LOG_FREQUENCY="1/second"
#FIREHOL_LOG_FREQUENCY="30/minute"
#FIREHOL_LOG_BURST="5"
FIREHOL_LOG_BURST="2"


# ----------------------------------------------------------------------------
# NETWORK DEFINITIONS - Normally, only these are to be touched by you.
# ----------------------------------------------------------------------------
# You can define anything you like, assuming you are using it later.
# --- HOME ---

# The definition of our HOME LAN.
HOME_MYIP="192.168.100.60"              # The IP on our HOME LAN
HOME_MYIF="eth1"                # The HOME LAN interface
HOME_BCAST="192.168.100.255"    # The HOME LAN broadcast
HOME_LAN="192.168.100.0/16"             # The HOME LAN
HOME_SERVICES="all"


# Do we run a DHCP server on the HOME LAN?
HOME_DHCP=0                     # Set to 0 to disable


# --- PUBLIC ---

# The definition of our PUBLIC interface.
PUBLIC_MYIP=""                  # Leave empty for dynamic IP
PUBLIC_MYIF="eth0"              # The public interface
PUBLIC_SERVICES="ssh http openvpn icmp"
#PUBLIC_SERVICES="ssh openvpn"

# Is the PPP interface a DIAL-ON-DEMAND?
DIAL_ON_DEMAND=0                # Set to 0 to disable


# --- TRUSTED ---

# Hosts in the internet I trust for accessing private services
# Empty these to disable.
TRUSTED_PCS=""
TRUSTED_SERVICES=""


# --- TRANSPARENT CACHE ---

# Run a transparent cache?
SQUID_PORT=""           # Leave empty to disable SQUID
SQUID_USERS="squid"             # Users to be excluded from the cache
SQUID_EXCLUDE=""                # Web Server IPs to be excluded from the cache


# --- BLACKLIST ---

# A space-separated list of IPs to be blocked.
blacklist=""

# HELPERS
# ----------------------------------------------------------------------------

# Block all traffic from/to certain IPs
if [ ! -z "${blacklist}" ]
then
        blacklist full "${blacklist}"
fi

# Setup a transparent squid, only if SQUID_PORT is set.
if [ ! -z "${SQUID_PORT}" ]
then
        transparent_squid "${SQUID_PORT}" "${SQUID_USERS}"      \
          inface "${HOME_MYIF}" src "${HOME_LAN}"               \
          `test ! -z "${SQUID_EXCLUDE}" && echo "dst not '${SQUID_EXCLUDE}'"`
fi


# ----------------------------------------------------------------------------
# NETWORK ADDRESS TRANSLATION
# ----------------------------------------------------------------------------
# Change the source/destination of packets...

# Should we do SNAT or MASQUERADE?
# If there is a PUBLIC_MYIP defined, we should do SNAT, otherwise MASQ.
#
if [ ! -z "${PUBLIC_MYIP}" ]
then
        snat to "${PUBLIC_MYIP}"                                \
                outface "${PUBLIC_MYIF}"                        \
                src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"
else
        masquerade "${PUBLIC_MYIF}"
fi


# To have some public service hit an internal machine, do this:
# (the example redirects external port TCP/26 to internal IP 10.0.0.2 port 25)
#
# > dnat to 10.0.0.2:25                                         \
# >     inface "${PUBLIC_MYIF}"                                 \
# >     src not "${HOME_LAN} ${UNROUTABLE_IPS}"                 \
# >     proto tcp dport 26
#
# For each such statement, the router at the end has to support it.


# ----------------------------------------------------------------------------
# PROTECT SELF
# ----------------------------------------------------------------------------
# Protect the firewall host...

# --- HOME ---

# Protect us from the HOME LAN
interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP} ${HOME_BCAST}"
        policy reject

        server "${HOME_SERVICES}" accept

        client all accept


# DHCP needs 0.0.0.0/255.255.255.255 access.
if [ ${HOME_DHCP} -eq 1 ]
then
        interface "${HOME_MYIF}" dhcp
                server dhcp accept
fi


# --- PUBLIC ---

# Protect us from the PUBLIC
interface "${PUBLIC_MYIF}" internet                             \
        src not "${UNROUTABLE_IPS}"                             \
        `test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"`

        protection strong
        policy drop

        # Are there any trusted PCs/services?
        if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]
        then
                server "${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}"
        fi

        server "${PUBLIC_SERVICES}" accept

        client all accept

# DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.
if [ ${DIAL_ON_DEMAND} -eq 1 ]
then
        interface "${PUBLIC_MYIF}" dialup
                client all accept
fi


# ----------------------------------------------------------------------------
# PROTECT ROUTING
# ----------------------------------------------------------------------------
# Protect the LAN...

# Route traffic for the clients on the LAN
router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}"      \
        src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"

        # route all client traffic
        client all accept

        # For the dnat example above, this is needed:
        # > server smtp accept dst 10.0.0.2




-- 
Kind regards
Stefan Schilling
mailto:mail.suse@gmx.de
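As an added illustration (not part of the original post and not FireHOL's own code), the script below models which FireHOL interface definition a packet arriving on eth0 would fall into, first under the posted config and then under a layout where the home definition is bound to eth0 with a /24 LAN. It assumes only the three RFC1918 ranges of FireHOL's UNROUTABLE_IPS, a constructed LAN client 192.168.100.5 and a constructed external admin host 203.0.113.7.

```shell
#!/bin/sh
# Added example, not from the original post: model which FireHOL "interface"
# definition claims a packet arriving on a given interface from a given source.
# FireHOL drops packets that match no interface definition at all.
# Assumption: only the RFC1918 part of FireHOL's UNROUTABLE_IPS matters here.
UNROUTABLE_IPS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# dotted quad -> integer (POSIX sh parameter expansion, no external tools)
ip2int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/BITS -> true if IP lies within the network
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# in_set IP CIDR... -> true if IP lies within any of the given networks
in_set() {
    ip=$1; shift
    for cidr in "$@"; do in_cidr "$ip" "$cidr" && return 0; done
    return 1
}

# Posted config: "home" bound to eth1 (unused) with HOME_LAN 192.168.100.0/16,
# "internet" bound to eth0 with src not UNROUTABLE_IPS.
match_posted() {
    if [ "$1" = eth1 ] && in_set "$2" 192.168.100.0/16; then echo home; return; fi
    if [ "$1" = eth0 ] && ! in_set "$2" $UNROUTABLE_IPS; then echo internet; return; fi
    echo "none (dropped)"
}

# Corrected layout: the LAN also arrives on eth0, so "home" is bound there with a /24.
match_fixed() {
    if [ "$1" = eth0 ] && in_set "$2" 192.168.100.0/24; then echo home; return; fi
    if [ "$1" = eth0 ] && ! in_set "$2" $UNROUTABLE_IPS; then echo internet; return; fi
    echo "none (dropped)"
}

# Constructed sample packets: a LAN client and an external admin host.
echo "posted: LAN -> $(match_posted eth0 192.168.100.5)"
echo "posted: ext -> $(match_posted eth0 203.0.113.7)"
echo "fixed:  LAN -> $(match_fixed eth0 192.168.100.5)"
```

In this model the LAN source matches nothing in the posted config, because the home definition sits on the unused eth1 and the internet definition excludes private sources, so FireHOL drops it; binding the home definition to eth0 (HOME_MYIF="eth0", HOME_LAN="192.168.100.0/24") gives LAN traffic a definition to land in while external sources still hit the internet definition.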