
Problems with arno-iptables-firewall



Hello,

I somehow can't get port forwarding to work with the firewall script
named above. Logging somehow doesn't work either.
The machine has 2 network cards, one for the connection to the Internet
(eth1), the other for the internal network (eth0).
My debconf.cfg:

DC_EXT_IF="ppp0"
DC_EXT_IF_DHCP_IP=0
DC_OPEN_TCP="80 443 22 25 143 993 110 995 50555"
DC_OPEN_UDP=""
DC_INT_IF="eth0"
DC_NAT=1
DC_INTERNAL_NET="192.168.1.0/24"
DC_NAT_INTERNAL_NET="192.168.1.0/24"
DC_OPEN_ICMP=1

The firewall.conf is the original one shipped with Debian, except that
I added the following (apart from the changes for the logfile, see
below):
NAT_TCP_FORWARD="50555>192.168.1.140"


On startup I get the following:
Arno's Iptables Firewall Script v1.8.8c
-------------------------------------------------------------------------------
Sanity checks passed...OK
Detected IPTABLES module... Loading additional IPTABLES modules:
All IPTABLES modules loaded!
Configuring /proc/.... settings:
 Enabling anti-spoof with rp_filter
 Enabling SYN-flood protection via SYN-cookies
 Disabling the logging of martians
 Disabling the acception of ICMP-redirect messages
 Setting the max. amount of simultaneous connections to 16384
 Enabling protection against source routed packets
 Setting default conntrack timeouts
 Enabling reduction of the DoS'ing ability
 Setting Default TTL=64
 Disabling ECN (Explicit Congestion Notification)
 Flushing route table
/proc/ setup done...
Flushing rules in the filter table
Setting default (secure) policies
Using loglevel "debug" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Accepting packets from the local loopback device
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Setting up anti-spoof rules
Reading custom IPTABLES rules from /etc/arno-iptables-firewall/custom-rules
Loading (user) plugins
Setting up INPUT policy for the external net (INET):
Logging of explicitly blocked hosts enabled
Logging of denied local output connections enabled
Packets will NOT be checked for private source addresses
Allowing the whole world to connect to TCP port(s): 80 443 22 25 143 993 110 995 50555
Allowing the whole world to send ICMP-requests(ping)
Logging of dropped ICMP-request(ping) packets enabled
Logging of dropped other ICMP packets enabled
Logging of possible stealth scans enabled
Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
Logging of ICMP flooding enabled
Applying INET policy to external (INET) interface: ppp0 (without an external subnet specified)
Setting up INPUT policy for internal (LAN) interface(s): eth0
 Allowing ICMP-requests(ping)
 Allowing all (other) protocols
Setting up FORWARD policy for internal (LAN) interface(s): eth0
 Logging of denied LAN->INET FORWARD connections enabled
 Setting up LAN->INET policy:
  Allowing ICMP-requests(ping)
  Allowing all (other) protocols
Enabling masquerading(NAT) via external interface(s): ppp0
 Adding (internal) host(s): 192.168.1.0/24
Forwarding(NAT) TCP port(s) 50555 to 192.168.1.140
Security is ENFORCED for external interface(s) in the FORWARD chain


The iptables rules look like this:

# Generated by iptables-save v1.3.6 on Sun Sep 14 21:20:11 2008
*nat
:PREROUTING ACCEPT [24:5637]
:POSTROUTING ACCEPT [221:14106]
:OUTPUT ACCEPT [221:14106]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 50555 -j DNAT --to-destination 192.168.1.140
-A POSTROUTING -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Sep 14 21:20:11 2008
# Generated by iptables-save v1.3.6 on Sun Sep 14 21:20:11 2008
*mangle
:PREROUTING ACCEPT [2617:1021084]
:INPUT ACCEPT [1149:220408]
:FORWARD ACCEPT [1468:800676]
:OUTPUT ACCEPT [1048:259549]
:POSTROUTING ACCEPT [2518:1060706]
-A PREROUTING -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
-A PREROUTING -p udp -m udp --dport 53 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 67 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 110 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 113 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 123 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 143 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 993 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 995 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 1080 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 6000:6063 -j TOS --set-tos 0x08
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
-A OUTPUT -o ppp0 -p udp -m udp --dport 53 -j TOS --set-tos 0x08
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 67 -j TOS --set-tos 0x10
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 110 -j TOS --set-tos 0x08
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 113 -j TOS --set-tos 0x10
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 123 -j TOS --set-tos 0x10
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 143 -j TOS --set-tos 0x08
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 993 -j TOS --set-tos 0x08
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 995 -j TOS --set-tos 0x08
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 1080 -j TOS --set-tos 0x10
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 6000:6063 -j TOS --set-tos 0x08
COMMIT
# Completed on Sun Sep 14 21:20:11 2008
# Generated by iptables-save v1.3.6 on Sun Sep 14 21:20:11 2008
*filter
:INPUT DROP [4:220]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [238:15888]
:EXT_ICMP_CHAIN - [0:0]
:EXT_INPUT_CHAIN - [0:0]
:EXT_OUTPUT_CHAIN - [0:0]
:HOST_BLOCK - [0:0]
:LAN_INET_FORWARD_CHAIN - [0:0]
:LAN_INPUT_CHAIN - [0:0]
:MAC_FILTER - [0:0]
:RESERVED_NET_CHK - [0:0]
:SPOOF_CHK - [0:0]
:VALID_CHK - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i ppp0 -j HOST_BLOCK
-A INPUT -i eth0 -j MAC_FILTER
-A INPUT -j SPOOF_CHK
-A INPUT -i ppp0 -j VALID_CHK
-A INPUT -i ppp0 -p ! icmp -m state --state NEW -j EXT_INPUT_CHAIN
-A INPUT -i ppp0 -p icmp -m state --state NEW -m limit --limit 20/sec --limit-burst 100 -j EXT_INPUT_CHAIN
-A INPUT -i ppp0 -p icmp -m state --state NEW -j EXT_ICMP_CHAIN
-A INPUT -i eth0 -j LAN_INPUT_CHAIN
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "Dropped INPUT packet: " --log-level 7
-A INPUT -j DROP
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A FORWARD -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A FORWARD -p icmp -m state --state RELATED -j ACCEPT
-A FORWARD -i ppp0 -j HOST_BLOCK
-A FORWARD -i eth0 -j MAC_FILTER
-A FORWARD -j SPOOF_CHK
-A FORWARD -i ppp0 -j VALID_CHK
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j LAN_INET_FORWARD_CHAIN
-A FORWARD -i ppp0 -o ! ppp0 -p tcp -m tcp --dport 50555 -j ACCEPT
-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "Dropped FORWARD packet: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "FRAGMENTED PACKET (OUT): " --log-level 7
-A OUTPUT -f -j DROP
-A OUTPUT -o ppp0 -j EXT_OUTPUT_CHAIN
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-request(ping) flood: " --log-level 7
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-unreachable flood: " --log-level 7
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-source-quench flood: " --log-level 7
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-time-exceeded flood: " --log-level 7
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-param.-problem flood: " --log-level 7
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 3 -j DROP
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 4 -j DROP
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 11 -j DROP
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 12 -j DROP
-A EXT_ICMP_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP(other) flood: " --log-level 7
-A EXT_ICMP_CHAIN -p icmp -j DROP
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "TCP port 0 OS fingerprint: " --log-level 7
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "UDP port 0 OS fingerprint: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j DROP
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j DROP
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "TCP source port 0: " --log-level 7
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "UDP source port 0: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j DROP
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j DROP
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 80 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 443 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 22 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 25 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 143 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 993 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 110 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 995 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 50555 -j ACCEPT
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "ICMP-request: " --log-level 7
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-unreachable: " --log-level 7
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-source-quench: " --log-level 7
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-time-exceeded: " --log-level 7
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-param.-problem: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (UNPRIV)?: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (PRIV)?: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "Connection attempt (PRIV): " --log-level 7
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "Connection attempt (PRIV): " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "Connection attempt (UNPRIV): " --log-level 7
-A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "Connection attempt (UNPRIV): " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -j DROP
-A EXT_INPUT_CHAIN -p udp -j DROP
-A EXT_INPUT_CHAIN -p icmp -j DROP
-A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "Other-IP connection attempt: " --log-level 7
-A EXT_INPUT_CHAIN -j DROP
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "ICMP-request: " --log-level 7
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A LAN_INET_FORWARD_CHAIN -j ACCEPT
-A LAN_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A LAN_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "ICMP-request: " --log-level 7
-A LAN_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A LAN_INPUT_CHAIN -j ACCEPT
-A RESERVED_NET_CHK -s 10.0.0.0/255.0.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class A address: " --log-level 7
-A RESERVED_NET_CHK -s 172.16.0.0/255.240.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class B address: " --log-level 7
-A RESERVED_NET_CHK -s 192.168.0.0/255.255.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class C address: " --log-level 7
-A RESERVED_NET_CHK -s 169.254.0.0/255.255.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class M$ address: " --log-level 7
-A RESERVED_NET_CHK -s 10.0.0.0/255.0.0.0 -j DROP
-A RESERVED_NET_CHK -s 172.16.0.0/255.240.0.0 -j DROP
-A RESERVED_NET_CHK -s 192.168.0.0/255.255.0.0 -j DROP
-A RESERVED_NET_CHK -s 169.254.0.0/255.255.0.0 -j DROP
-A SPOOF_CHK -s 192.168.1.0/255.255.255.0 -i eth0 -j RETURN
-A SPOOF_CHK -s 192.168.1.0/255.255.255.0 -m limit --limit 3/min -j LOG --log-prefix "Spoofed packet: " --log-level 7
-A SPOOF_CHK -s 192.168.1.0/255.255.255.0 -j DROP
-A SPOOF_CHK -j RETURN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-PSH scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-ALL scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Stealth FIN scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/RST scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/FIN scan(?): " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Stealth Null scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(64): " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(128): " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-option 64 -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-option 128 -j DROP
-A VALID_CHK -m state --state INVALID -j DROP
-A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Fragmented packet: "
-A VALID_CHK -f -j DROP
COMMIT
# Completed on Sun Sep 14 21:20:11 2008


Does anyone have an idea why the port forwarding does not work?
I also tried the whole thing with port 80, but without success either.

My second problem is that I get no information at all from the firewall.
For this I enabled FIREWALL_LOG=/var/log/firewall
and set LOGLEVEL to debug.
In addition I replaced the syslog.conf, i.e. copied the one from the
firewall documentation into the /etc directory and restarted the log daemon.
Unfortunately I get no more than:

** Starting Arno's Iptables Firewall v1.8.8c **
** All firewall rules applied **

The only thing I do get, though, is:


Does anyone perhaps have an idea why I don't get more information?
Nothing is written to the other logfiles either. :(

Thanks
Kind regards
Michael
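As an added example, not code from the mail or from arno-iptables-firewall, the following replays a new TCP SYN against the PREROUTING and FORWARD rules quoted above; it shows that the posted rules do accept the forwarded SYN, and that a dropped forward is only logged at syslog level 7 (debug), which the syslog configuration has to pass through (kern.debug) before anything appears in the log file. It assumes a ruleset reduced to the rules such a packet can reach, a first packet that conntrack sees as NEW and that the rate limits let through, a route that sends the DNATed packet out via eth0, and TEST-NET documentation addresses as constructed input.

```python
"""Added example: replay a new inbound SYN against the PREROUTING/FORWARD rules in the mail."""
import shlex

# Constructed from the mail's iptables-save dump, reduced to the rules a new TCP connection
# entering on ppp0 can reach; the omitted rules (lo/eth0-only, RELATED, HOST_BLOCK,
# SPOOF_CHK, VALID_CHK) never match a well-formed SYN from a public source address.
RULESET = """
*nat
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 50555 -j DNAT --to-destination 192.168.1.140
*filter
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -o ! ppp0 -p tcp -m tcp --dport 50555 -j ACCEPT
-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "Dropped FORWARD packet: " --log-level 7
-A FORWARD -j DROP
"""
MATCH = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport", "--state": "state"}
SKIP = {"-m", "--limit", "--limit-burst"}  # module loads and rate limits let a first packet through
def parse(text):  # iptables-save text -> {table: {chain: [rule tokens]}}
    tables, table = {}, None
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0].startswith("*"):
            table = tables.setdefault(tok[0][1:], {})
        elif tok and tok[0] == "-A":
            table.setdefault(tok[1], []).append(tok[2:])
    return tables
def matches(args, pkt):  # evaluate the matchers before -j -> (matched, target, target options)
    i, ok = 0, True
    while args[i] != "-j":
        if args[i] in SKIP:
            i += 2
            continue
        field, val, neg = MATCH[args[i]], args[i + 1], False
        if val == "!":  # iptables 1.3 writes negation after the option: "-o ! ppp0"
            val, neg, i = args[i + 2], True, i + 1
        ok, i = ok and (str(pkt[field]) == val) != neg, i + 2
    return ok, args[i + 1], args[i + 2:]
def walk(table, chain, pkt, path):  # first terminating match decides; LOG only records the level
    for args in table[chain]:
        ok, target, opts = matches(args, pkt)
        if ok and target == "LOG":
            path.append(f"{chain}: LOG level {opts[opts.index('--log-level') + 1]}")
        elif ok:
            if target == "DNAT":  # new destination is a LAN host, so routing now picks eth0
                pkt["dst"], pkt["out"] = opts[opts.index("--to-destination") + 1], "eth0"
            path.append(f"{chain}: {target}")
            return target
    return None  # no terminating match: the chain policy would apply
def trace(pkt):  # a new connection entering on ppp0: nat PREROUTING, then filter FORWARD
    tables, pkt, path = parse(RULESET), dict(pkt), []
    walk(tables["nat"], "PREROUTING", pkt, path)
    return walk(tables["filter"], "FORWARD", pkt, path), pkt["dst"], path

# Constructed packets (TEST-NET addresses): the SYN the forward is meant to pass, and a SYN
# arriving on ppp0 addressed straight to a LAN host, which no forwarding rule covers.
SYN = {"in": "ppp0", "out": "ppp0", "proto": "tcp", "dst": "198.51.100.9", "dport": 50555, "state": "NEW"}
DIRECT = dict(SYN, dst="192.168.1.140", dport=22, out="eth0")
```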

