MC Premium (kromonos)
Ich hab hier ein Problem mit iptables. Als Gateway funktioniert es ast rein, nur leider nicht die eingehende NAT 
Folgendes Script hab ich mir zusammen geschustert/angepasst:
[shcode=bash]#!/bin/sh
#
# Copyright 2007 Fabio Baltieri (fabio.baltieri[at]gmail.com)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This script has been developed and used on a GNU/Linux Slackware
# based system, to use it, just set the correct variables (LAN and WAN
# interface names), set the correct subnet under the INPUT rules and
# place the script in /etc/rc.d/rc.firewall so that it will be
# automatically called by rc.inet2.
# Also, you probably want to customize the rules for your particular
# configuration and create some mapping for internal services on the
# network, a template is present under the "DNAT" section.
IPTABLES=iptables
MODPROBE=modprobe
LAN=eth0
WAN=ppp0
firewall_start()
{
echo "Loading firewall rules"
$MODPROBE x_tables
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE nf_conntrack
$MODPROBE nf_conntrack_ftp ports=21,2121
$MODPROBE nf_conntrack_irc
$MODPROBE nf_conntrack_pptp
$MODPROBE nf_nat_ftp
$MODPROBE nf_nat_irc
$MODPROBE nf_nat_pptp
# Enable IP forwarding, rp_filter and syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
# Firewall rules
$IPTABLES -P INPUT ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $LAN -s 172.16.0.0/16 -j ACCEPT
$IPTABLES -A INPUT -i $LAN -p udp --dport bootps -j ACCEPT
# $IPTABLES -A INPUT -i $WAN -p tcp --dport auth -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Forwarding
$IPTABLES -A FORWARD -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
$IPTABLES -A FORWARD -p udp -m multiport --dport 137,138,139,445 -j DROP
$IPTABLES -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Masquerading
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# DNAT
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 443 -j DNAT --to 172.16.0.54:443
$IPTABLES -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$IPTABLES -I FORWARD -i $WAN -p tcp --dport 443 -d 172.16.0.54 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to 172.16.0.54:25
$IPTABLES -I INPUT -p tcp -m tcp --dport 25 -j ACCEPT
$IPTABLES -I FORWARD -i $WAN -p tcp --dport 25 -d 172.16.0.54 -j ACCEPT
}
firewall_stop()
{
# Disable IP forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# Reset default policy to ACCEPT
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
# Flush rules
$IPTABLES -F -t filter
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -t mangle -X
$IPTABLES -t nat -X
}
firewall_status()
{
echo
echo "Table: filter"
echo
$IPTABLES -v -t filter -L --line-numbers
echo
echo "Table: nat"
echo
$IPTABLES -v -t nat -L --line-numbers
echo
}
case "$1" in
'start'|'restart')
firewall_stop
firewall_start
;;
'stop')
firewall_stop
;;
'status')
firewall_status
;;
*)
echo "usage $0 start|stop|restart|status"
esac
[/shcode]
Wie schon erwähnt, funktioniert es als Gateway problemlos, allerdings kann ich von außen nicht über die freigegebenen Ports zugreifen
Hat da jemand evtl. eine Lösung für?
EDIT: OK, scheinbar funktioniert das Script wie gewünscht. Nur die UMTS Verbindung lässt keine direkten eingehenden Verbindungen zu -_-
Folgendes Script hab ich mir zusammen geschustert/angepasst:
[shcode=bash]#!/bin/sh
#
# Copyright 2007 Fabio Baltieri (fabio.baltieri[at]gmail.com)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This script has been developed and used on a GNU/Linux Slackware
# based system, to use it, just set the correct variables (LAN and WAN
# interface names), set the correct subnet under the INPUT rules and
# place the script in /etc/rc.d/rc.firewall so that it will be
# automatically called by rc.inet2.
# Also, you probably want to customize the rules for your particular
# configuration and create some mapping for internal services on the
# network, a template is present under the "DNAT" section.
IPTABLES=iptables
MODPROBE=modprobe
LAN=eth0
WAN=ppp0
firewall_start()
{
echo "Loading firewall rules"
$MODPROBE x_tables
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE nf_conntrack
$MODPROBE nf_conntrack_ftp ports=21,2121
$MODPROBE nf_conntrack_irc
$MODPROBE nf_conntrack_pptp
$MODPROBE nf_nat_ftp
$MODPROBE nf_nat_irc
$MODPROBE nf_nat_pptp
# Enable IP forwarding, rp_filter and syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
# Firewall rules
$IPTABLES -P INPUT ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $LAN -s 172.16.0.0/16 -j ACCEPT
$IPTABLES -A INPUT -i $LAN -p udp --dport bootps -j ACCEPT
# $IPTABLES -A INPUT -i $WAN -p tcp --dport auth -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Forwarding
$IPTABLES -A FORWARD -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
$IPTABLES -A FORWARD -p udp -m multiport --dport 137,138,139,445 -j DROP
$IPTABLES -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Masquerading
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# DNAT
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 443 -j DNAT --to 172.16.0.54:443
$IPTABLES -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$IPTABLES -I FORWARD -i $WAN -p tcp --dport 443 -d 172.16.0.54 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to 172.16.0.54:25
$IPTABLES -I INPUT -p tcp -m tcp --dport 25 -j ACCEPT
$IPTABLES -I FORWARD -i $WAN -p tcp --dport 25 -d 172.16.0.54 -j ACCEPT
}
firewall_stop()
{
# Disable IP forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# Reset default policy to ACCEPT
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
# Flush rules
$IPTABLES -F -t filter
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -t mangle -X
$IPTABLES -t nat -X
}
firewall_status()
{
echo
echo "Table: filter"
echo
$IPTABLES -v -t filter -L --line-numbers
echo
echo "Table: nat"
echo
$IPTABLES -v -t nat -L --line-numbers
echo
}
case "$1" in
'start'|'restart')
firewall_stop
firewall_start
;;
'stop')
firewall_stop
;;
'status')
firewall_status
;;
*)
echo "usage $0 start|stop|restart|status"
esac
[/shcode]
Wie schon erwähnt, funktioniert es als Gateway problemlos, allerdings kann ich von außen nicht über die freigegebenen Ports zugreifen
Hat da jemand evtl. eine Lösung für?
EDIT: OK, scheinbar funktioniert das Script wie gewünscht. Nur die UMTS Verbindung lässt keine direkten eingehenden Verbindungen zu -_-
Wenn man keine Ahnung hat, einfach mal Fresse halten!
![[+]](images/collapse_collapsed.png)