
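Hi, ich hab auf meinem linux 6.4 server mit hilfe von rp-pppoe ver. 2.2-1 ein dsl routing eingerichtet. das funktioniert soweit einwandfrei meine windows clients in den verschiedenen netzen werden einwandfrei greoutet. 192.168.11.x 192.168.10.x 192.168.1.x www, pop,ftp alles tut wunderbar. aber sobald ich versuche ein firewall script einzubinden (das ich bisher immer erstmal von hand gestartet habe) geht nichts mehr. Ich komme von den clients nicht mehr nach drausen. was mache ich falsch, ist an dem script was falsch was ich übersehen habe? (ich hab noch nicht soo viel ahnung von der sache :)) Danke schonmal! firewall script:

#!/bin/bash
#
# ipchains packet filter for a masquerading DSL/ISDN router (SuSE rc-style).
#
# Usage:  firewall {start|stop|restart}
# Reads:  /etc/rc.config (rc_done / rc_failed status strings)
#
# Traffic model encoded in the chains below:
#   LAN_IFS (eth0)  - trusted side: everything in and out is accepted.
#   WAN_IF  (ppp0)  - untrusted side: filtered by chain e1-in, all out accepted.
#   lo              - accepted.
# Every other interface hits the DENY policy of input/output.  NOTE(review):
# the post mentions several client networks (192.168.1/10/11.x); if any of
# them enters this box through a NIC other than eth0, that NIC has to be
# added to LAN_IFS, otherwise its clients are cut off completely.

# Name servers whose UDP replies are let in on the WAN side.
dns_server1=194.97.200.20
dns_server2=193.158.141.116
dns_server3=194.25.2.129
# NOTE(review): with rp-pppoe the provider may hand out different resolvers
# (see /etc/resolv.conf once ppp0 is up).  Replies from any resolver not in
# this list are caught by the "REJECT all other UDP" rule in e1-in, so name
# resolution - and with it www/pop/ftp - fails for every client.  Add the
# DSL provider's resolvers here if they differ.
dns_servers="$dns_server1 $dns_server2 $dns_server3"

# Address range of all local (masqueraded) networks.
local_net=192.168.0.0/16

# Trusted LAN interface(s), space separated; filtered WAN interface.
LAN_IFS="eth0"
WAN_IF="ppp0"

# used tools
IPCHAINS="/sbin/ipchains"
INSMOD="/sbin/insmod"

# Where to find Masquerading-Modules?  This is a glob pattern and is
# expanded unquoted on purpose (see start_firewall).
MASQ_MOD="/lib/modules/$(uname -r)/ipv4/ip_masq*"

# Set to 1 by ipc() when any ipchains call fails; start_firewall reports it.
fw_failed=0

#######################################
# Run ipchains with the given arguments and remember a failure instead of
# silently carrying on (the rule set would otherwise be incomplete without
# anybody noticing).
# Arguments: ipchains arguments
# Globals:   IPCHAINS (read), fw_failed (written)
#######################################
ipc() {
  "$IPCHAINS" "$@" || {
    printf 'ipchains %s failed\n' "$*" >&2
    fw_failed=1
  }
}

#######################################
# Flush the built-in chains and flush+delete every user chain this script
# creates.  Errors are silenced because the chains need not exist yet.
#######################################
flush_chains() {
  local chain
  for chain in input forward output fw_masq; do
    "$IPCHAINS" -F "$chain" > /dev/null 2>&1
  done
  for chain in e0-in e0-out e1-in e1-out; do
    "$IPCHAINS" -F "$chain" > /dev/null 2>&1
    "$IPCHAINS" -X "$chain" > /dev/null 2>&1
  done
}

#######################################
# Take the LAN interface(s) down / up around a rule change.  Kept from the
# SuSE template (presumably so that nothing passes while the chains are
# rebuilt); the ISDN devices ippp0..2 used to be cycled here as well.
# Globals: LAN_IFS (read)
#######################################
lan_down() { local i; for i in $LAN_IFS; do ifconfig "$i" down; done; }
lan_up()   { local i; for i in $LAN_IFS; do ifconfig "$i" up;   done; }

#######################################
# Open the filter: ACCEPT policies everywhere and all chains removed.
# Note that IP forwarding stays enabled and no MASQ rule is left, so after
# "stop" the box forwards private addresses unmasqueraded.
# Returns: 0 on success, 1 if a policy could not be set
#######################################
stop_firewall() {
  # accept all incoming packets
  "$IPCHAINS" -P input ACCEPT   || return 1
  "$IPCHAINS" -P forward ACCEPT || return 1
  "$IPCHAINS" -P output ACCEPT  || return 1
  # delete all chains
  flush_chains
  return 0
}

#######################################
# Build the complete rule set.  Policies are switched to DENY *before* the
# old chains are flushed, so the box is never open while rules are rebuilt.
# Globals:   IPCHAINS, INSMOD, MASQ_MOD, local_net, dns_servers, LAN_IFS,
#            WAN_IF (read); fw_failed (written)
# Returns:   0 if every ipchains call succeeded, 1 otherwise
#######################################
start_firewall() {
  local module srv lan_if
  fw_failed=0

  # first, deny all unknown traffic
  ipc -P input DENY
  ipc -P forward DENY
  ipc -P output DENY

  # clear all firewall rules
  flush_chains

  # Setting-up Masquerading Modules (protocol helpers such as ftp/irc).
  # $MASQ_MOD must stay unquoted so the shell expands the glob; if nothing
  # matches the literal pattern would be handed to insmod, hence the test.
  for module in $MASQ_MOD; do
    [ -e "$module" ] || continue
    "$INSMOD" "$module"
  done

  # Enable IP-Forwarding
  echo "1" > /proc/sys/net/ipv4/ip_forward

  # allow masquerading via the WAN interface for local -> non-local traffic
  ipc -A forward -i "$WAN_IF" -s "$local_net" -d '!' "$local_net" -j MASQ
  # ipc -A fw_masq -j ACCEPT

  # create chain for incoming packets over ethernet
  ipc -N e0-in
  ipc -A e0-in -j ACCEPT                          # accept everything from local network

  # create chain for outgoing packets over ethernet
  ipc -N e0-out
  ipc -A e0-out -j ACCEPT                         # accept everything to local network

  # create chain for incoming packets over the WAN link.
  # Rules are evaluated in order; the first match wins.
  ipc -N e1-in
  # anti-spoofing: private source addresses never legitimately arrive here
  ipc -A e1-in -s 192.168.0.0/16 -l -j DENY       # local networks
  ipc -A e1-in -s 172.16.0.0/12 -l -j DENY        # local networks
  ipc -A e1-in -s 10.0.0.0/8 -l -j DENY           # local networks
  ipc -A e1-in -p icmp -l -j ACCEPT               # log all icmp packets, but accept
  # DNS replies (source port 53) to unprivileged ports, only from the
  # resolvers listed above; masqueraded client queries land here as well.
  for srv in $dns_servers; do
    ipc -A e1-in -p udp -s "$srv" 53 --dport 1024:65535 -j ACCEPT   # DNS is ok
  done
  ipc -A e1-in -p udp -l -j REJECT                # deny and log all other UDP traffic
  # ipc -A e1-in -p tcp --dport 113 -j ACCEPT     # accept ident requests
  # log-only rule (no -j): every SYN is logged and continues down the chain
  ipc -A e1-in -p tcp -y -l                       # log all incoming connections
  # Services below are reachable from the Internet; drop any line for a
  # service that is not actually hosted on this box.
  ipc -A e1-in -p tcp --dport 21 -j ACCEPT        # FTP ist ok
  ipc -A e1-in -p tcp --dport 22 -j ACCEPT        # SSH is ok
  # non-SYN packets from port 22 to a privileged local port: replies to
  # ssh sessions this box opened from a privileged source port
  ipc -A e1-in -p tcp --sport 22 --dport 0:1023 '!' -y -j ACCEPT
  ipc -A e1-in -p tcp --dport 25 -j ACCEPT        # accept connections to local sendmail-po
  ipc -A e1-in -p tcp --dport 80 -j ACCEPT
  ipc -A e1-in -p tcp --dport 110 -j ACCEPT       # POP3 is ok
  ipc -A e1-in -p tcp --dport 0:1023 -y -l -j REJECT  # deny and log all incoming connections t
  ipc -A e1-in -p tcp --dport 0:1023 -l -j REJECT # deny all tcp traffic to low ports
  ipc -A e1-in -p tcp --dport 6000:6023 -l -j REJECT  # deny and log X / ssh-X
  ipc -A e1-in -p tcp --dport 6666:6667 -l -j REJECT  # deny and log irc
  ipc -A e1-in -p tcp --dport 3306 -l -j REJECT   # deny and log mysql
  ipc -A e1-in -p tcp --dport 3000 -l -j REJECT   # deny and log ntopd
  ipc -A e1-in -p tcp --dport 20011 -l -j REJECT  # deny and log isdnlog
  ipc -A e1-in -p tcp --dport 2049 -l -j REJECT   # deny and log nfsd
  ipc -A e1-in -p tcp --dport 8080 -l -j REJECT   # deny and log squid
  ipc -A e1-in -p tcp --dport 5800:5810 -l -j REJECT  # deny and log Xvnc
  ipc -A e1-in -p tcp --dport 5900:5910 -l -j REJECT  # deny and log Xvnc
  # active-mode ftp data: any remote host may reach high ports simply by
  # using source port 20, which is why the author marked it unsecure
  ipc -A e1-in -p tcp --sport 20 --dport 1024:65535 -j ACCEPT   # accept ftp (unsecure!)
  ipc -A e1-in -p tcp -y -l -j REJECT             # deny all remaining incoming connections
  ipc -A e1-in -p tcp -j ACCEPT                   # accept all remaining tcp traffic
  ipc -A e1-in -j REJECT                          # deny everything else

  # create chain for outgoing packets over the WAN link
  ipc -N e1-out
  ipc -A e1-out -j ACCEPT                         # accept everything to outside network

  # default rules for all other traffic
  ipc -A input -i lo -j ACCEPT                    # loopback device
  ipc -A input -s 0.0.0.0 -j DENY                 # unknown source
  ipc -A input -s 127.0.0.0/8 -j DENY             # loopback addresses
  for lan_if in $LAN_IFS; do
    ipc -A input -i "$lan_if" -j e0-in            # jump into specialized rule sets
  done
  ipc -A input -i "$WAN_IF" -j e1-in              # jump into specialized rule sets
  ipc -A output -i lo -j ACCEPT                   # loopback device
  for lan_if in $LAN_IFS; do
    ipc -A output -i "$lan_if" -j e0-out          # jump into specialized rule sets
  done
  ipc -A output -i "$WAN_IF" -j e1-out            # jump into specialized rule sets

  return "$fw_failed"
}

#######################################
# rc entry point: dispatch on start|stop|restart and report SuSE-style.
# Arguments: $1 - action
# Returns:   exits 0 on success, 1 on failure or usage error
#######################################
main() {
  local status

  # provides rc_done / rc_failed (the escape-sequence status strings that
  # the "echo -e" below relies on)
  . /etc/rc.config

  status=$rc_done
  case "$1" in
    start)
      echo -n "Setting up firewall:"
      start_firewall || status=$rc_failed
      echo -e "$status"
      ;;
    stop)
      lan_down
      echo -n "Closing firewall:"
      stop_firewall || status=$rc_failed
      echo -e "$status"
      lan_up
      ;;
    restart)
      lan_down
      echo -n "Restarting firewall:"
      status=$rc_failed
      if stop_firewall && start_firewall; then
        status=$rc_done
      fi
      echo -e "$status"
      lan_up
      ;;
    *)
      echo "Usage: $0 {start|stop|restart}"
      exit 1
      ;;
  esac

  # Inform the caller not only verbosely and set an exit status.
  test "$status" = "$rc_done" || exit 1
  exit 0
}

main "$@"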