On 18.08.2005 at 16:31 Daniel wrote:
On 18.08.2005 at 08:50 Dr. Thorsten Brandau wrote:
Hi!
on 17.08.2005 21:49 Daniel said the following:
No, the thing is connected directly to a public static IP on one side, and on the other side we have set up an internal network!
On 17.08.2005 at 19:05 Daniel Lord wrote:
Hi,
On Wed, 17 Aug 2005, Daniel wrote:
I have a masquerading firewall running on an Athlon 64 machine! In YaST I opened ssh for the external zone, but I can't reach the machine via ssh from outside!
Is it possible that you haven't enabled access on the router/firewall itself? ("Autoprotect services")? Is sshd running at all? Is port 22 perhaps being forwarded automatically into the internal network?
ciao
T
-- To unsubscribe from the list, send a mail to: suse-linux-unsubscribe@suse.com To get a list of all available commands, send a mail to: suse-linux-help@suse.com
So from the internal network I can connect via sshd; when the firewall is completely off it works too; only when the firewall, and thus masquerading, is running does it not work! By the way, here is the ssh -v output:
OpenSSH_3.6.1p1+CAN-2004-0175, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to 192.99.164.42 [192.99.164.42] port 22.
debug1: connect to address 192.99.164.42 port 22: Operation timed out
ssh: connect to host 192.99.164.42 port 22: Operation timed out
On 18.08.2005 at 16:33 Daniel wrote:
Oops, wrong IP, it's 193 at the start, but otherwise it looks the same!
Hi,
[...] -v please
netstat -tulpen
iptables -v -L -n
Greetings Daniel
-- Windows: "it's not dead, it's just thinking about your request"
On 18.08.2005 at 17:18 Daniel Lord wrote:
Hi,
[...] -v please
netstat -tulpen
iptables -v -L -n
Greetings Daniel -- Windows: "it's not dead, it's just thinking about your request"
netstat -tulpen output:
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address Foreign Address State Benutzer Inode PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 15929 5545/portmap
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 17431 5956/master
tcp 0 0 :::22 :::* LISTEN 0 17652 5994/sshd
tcp 0 0 ::1:25 :::* LISTEN 0 17432 5956/master
udp 0 0 0.0.0.0:67 0.0.0.0:* 0 16588 5785/dhcpd
udp 0 0 0.0.0.0:67 0.0.0.0:* 0 16587 5785/dhcpd
udp 0 0 0.0.0.0:111 0.0.0.0:* 0 15906 5545/portmap

iptables -v -L -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 76 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
30902 3106K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
56 6100 input_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
4297 281K input_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6679 353K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
19677 3145K forward_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
8237 873K forward_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 76 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
34097 6221K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
118 7088 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
6 336 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
8113 866K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain forward_int (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * eth1 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
19462 3124K ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
44 4350 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
215 20548 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain input_ext (1 references)
pkts bytes target prot opt in out source destination
7 2308 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
2 148 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
309 18504 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
2432 146K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 reject_func tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 state NEW
570 27764 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
35 3139 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
127 49818 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
398 16846 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
1856 133K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain input_int (1 references)
pkts bytes target prot opt in out source destination
56 6100 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

hope that helps!
Hi,
On Wed, 07 Sep 2005, Daniel wrote:
On 18.08.2005 at 17:18 Daniel Lord wrote:
-v please
netstat -tulpen
iptables -v -L -n
netstat -tulpen output:
[...ugh...] there are sensible exceptions to the 80-character rule too ;) Alternatively, an attachment (if allowed)
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address Foreign Address State Benutzer Inode PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 15929 5545/portmap
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 17431 5956/master
tcp 0 0 :::22 :::* LISTEN 0 17652 5994/sshd
tcp 0 0 ::1:25 :::* LISTEN 0 17432 5956/master
udp 0 0 0.0.0.0:67 0.0.0.0:* 0 16588 5785/dhcpd
udp 0 0 0.0.0.0:67 0.0.0.0:* 0 16587 5785/dhcpd
udp 0 0 0.0.0.0:111 0.0.0.0:* 0 15906 5545/portmap
So we see that sshd is listening on IPv6 port 22. Unfortunately we see nothing for IPv4, which you are surely using.
-> ListenAddress 0.0.0.0
That kills two birds with one stone:
- your netstat is tidy :)
- nobody can bypass your firewall/hosts/XXX rules by using IPv6.
Btw, do you need portmap? If not, turn it off.
iptables -v -L -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 76 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
30902 3106K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
56 6100 input_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
4297 281K input_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6679 353K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
19677 3145K forward_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
8237 873K forward_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 76 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
34097 6221K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
118 7088 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
6 336 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
8113 866K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain forward_int (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * eth1 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
19462 3124K ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
44 4350 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
215 20548 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain input_ext (1 references)
pkts bytes target prot opt in out source destination
7 2308 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
2 148 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
From here on it gets interesting for you. I'll leave the rest for the others, who know better than I do ;)
309 18504 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
2432 146K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
What it says there means that you should try a connection to port 22 at most 5 times per minute. These connection attempts are logged and allowed.
--> Your firewall is not the problem. Provided you haven't swapped external and internal ;) external is eth1, internal is eth0 (according to the firewall)
0 0 reject_func tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 state NEW
570 27764 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
35 3139 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
127 49818 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
398 16846 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
1856 133K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain input_int (1 references)
pkts bytes target prot opt in out source destination
56 6100 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
hope that helps!
In sorted form (i.e. readable), certainly ;)
If I have overlooked something in my haste, the following iptables rule will tell you.
iptables -I INPUT -i ethX ! --fragment --protocol tcp --destination-port 22 -j ACCEPT
With that you bypass all the nice firewall rules and allow ssh access. Replace X with the right thing...
One more test:
nc -v <rechnerip> 22 # from outside
Greetings Daniel
-- Laugh about your problems, everyone else does.
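The walk through the chains that Daniel Lord does by eye in the message above (a SYN to port 22 arriving on eth1 goes INPUT -> input_ext, is logged with prefix SFW2-INext-ACC-TCP and accepted; a port nobody opened falls through to the DROP at the end of input_ext; a packet on an interface that belongs to neither zone, which is what swapped external/internal interfaces would look like, hits the SFW2-IN-ILL-TARGET rule), as an added example that is not code from the thread or from SuSEfirewall2. The dump inside the script is constructed: an abridged copy of the one posted above with the same interfaces, chain names and log prefixes, but most ICMP rules left out; the function names are mine. The walk also makes the scope of the rate limit visible: `limit: avg 3/min burst 5` sits on the LOG rule, so it throttles log entries only, and the ACCEPT on the next line carries no limit.

```python
"""Walk a packet through `iptables -v -L -n` output, as the thread does by eye.

Added example; not code from the list posters or from SuSEfirewall2. IPTABLES_DUMP
is CONSTRUCTED: an abridged copy of the dump posted in the thread (same interfaces,
chain names and SFW2 log prefixes, most ICMP rules left out). The walker handles
only the match types that occur in it."""
import re

IPTABLES_DUMP = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    76 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
30902 3106K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   56  6100 input_int  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 4297  281K input_ext  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain input_ext (1 references)
    7  2308 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
  309 18504 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
 2432  146K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 reject_func tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 state NEW
  570 27764 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
 1856  133K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain input_int (1 references)
   56  6100 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject_func (1 references)
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
"""


def parse_dump(text):
    """Return {chain: (policy or None, [rule dicts])} from `iptables -v -L -n` text."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)", line)
        if m:
            cur = m.group(1)
            chains[cur] = (m.group(2), [])
        elif cur and line.strip() and not line.lstrip().startswith("pkts"):
            # columns: pkts bytes target prot opt in out source destination [matches]
            f = line.split(None, 9)
            chains[cur][1].append({"target": f[2], "prot": f[3], "in": f[5],
                                   "matches": f[9] if len(f) > 9 else ""})
    return chains


def rule_matches(rule, pkt):
    """Apply the match types that occur in the dump to a packet dict."""
    if rule["prot"] not in ("all", pkt["proto"]) or rule["in"] not in ("*", pkt["in"]):
        return False
    checks = [
        (r"dpt:(\d+)", lambda v: int(v) == pkt.get("dport")),
        (r"state ([A-Z,]+)", lambda v: pkt["state"] in v.split(",")),
        (r"PKTTYPE = (\w+)", lambda v: v == pkt.get("pkttype", "unicast")),
        # flags:0x16/0x02 = SYN set, ACK and RST clear: only the opening segment
        (r"(flags:0x16/0x02)", lambda v: pkt.get("syn", False)),
    ]
    for pattern, ok in checks:
        m = re.search(pattern, rule["matches"])
        if m and not ok(m.group(1)):
            return False
    # "limit: ..." only throttles how often this (LOG) rule fires; it never
    # decides the verdict, which belongs to the first matching terminal rule.
    return True


def walk(chains, pkt, chain="INPUT", logs=None):
    """Return (verdict, log_prefixes, deciding_chain); verdict None = chain returned."""
    logs = [] if logs is None else logs
    policy, rules = chains[chain]
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in ("ACCEPT", "DROP", "REJECT"):
            return tgt, logs, chain
        if tgt == "LOG":  # non-terminating: remember the syslog prefix to grep for
            pre = re.search(r"prefix `([^']*)'", rule["matches"])
            logs.append(pre.group(1).strip() if pre else "")
        elif tgt == "RETURN":
            break
        elif tgt in chains:  # user chain: descend, resume here if it returns
            verdict, logs, where = walk(chains, pkt, tgt, logs)
            if verdict is not None:
                return verdict, logs, where
    return policy, logs, chain


def ssh_verdict(dump, iface, port=22, state="NEW"):
    """Fate of a TCP segment to `port` arriving on `iface` in conntrack state `state`."""
    pkt = {"proto": "tcp", "in": iface, "dport": port, "state": state, "syn": state == "NEW"}
    return walk(parse_dump(dump), pkt)


if __name__ == "__main__":
    for iface in ("eth1", "eth0", "eth2"):
        print(iface, ssh_verdict(IPTABLES_DUMP, iface))
```

On a real box, feed the script the output of `iptables -v -L -n` instead of the constructed dump, then grep the syslog for the prefix the walk returns (for example SFW2-INext-ACC-TCP): if that line appears for the remote address, the SYN reached the firewall and passed it, and the problem lies behind it; if only SFW2-IN-ILL-TARGET lines appear, the packet is arriving on an interface the firewall assigns to no zone.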