Hallo zusammen,
ich baue gerade einen eigene Router auf Linux Basis, da die Router die man so kaufen kann leider nicht das koennen was ich gerne haette. Hauptsaechlich geht es darum mehrere LANs mit einem Router zu versorgen. Der Router soll auch gleichzeitig als DHCP und DNS Server fuer die LANs fungieren.
Soweit funktioniert auch alles (DHCP, DNS, Internetverbindung, Routing, NAT). Wenn ich allerdings versuche mit Hilfe von iptables eine Firewall zu konfiguriere geht ploetzlich gar nicht mehr.
Mein Firewall Script sieht zur Zeit so aus:
#!/bin/bash # Variables: # ---------- INTERNET_IFACE="ppp0" PRIVATE_IFACE="eth1" PRIVATE_WLAN_IFACE="wlan0" PRIVATE_IP="192.168.1.1" PRIVATE_NET="192.168.1.0/24" TEST_IFACE="eth2" TEST_IP="192.168.2.1" TEST_NET="192.168.2.0/24" GUEST_IFACE="wlan1" GUEST_IP="192.168.3.1" GUEST_NET="192.168.3.0/24" # Prepare firewall (delete chains and set policies): # -------------------------------------------------- echo -n "Prepare firewall ... " iptables -F iptables -F -t nat iptables -F -t mangle iptables -X iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP iptables -Z echo "done" # Deactivate Routung: # ------------------- echo -n "Deactivate routing ... " sysctl -w net.ipv4.ip_forward=0 > /dev/null echo "done" # Routing and Kernel Security Options: # ------------------------------------ echo -n "Activate routing and set kernel security options ... " sysctl -w net.ipv4.ip_forward=1 > /dev/null echo 1 > /proc/sys/net/ipv4/ip_dynaddr for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects} do echo 0 > $i done echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo "done" # Initializes firewall: # --------------------- echo -n "Initializing firewall ... " # Self Defined Chains: # -------------------- # Logging CHains: # --------------- iptables -N MYDROP iptables -N MYACCEPT iptables -A MYDROP -j LOG --log-prefix "FW-DROP: " iptables -A MYDROP -j DROP iptables -A MYACCEPT -j LOG --log-prefix "FW-ACCEPT: " iptables -A MYACCEPT -j DROP # Routing Chains: # --------------- iptables -N PRIVATE_TO_INTERNET iptables -N INTERNET_TO_PRIVATE iptables -N TEST_TO_INTERNET iptables -N GUEST_TO_INTERNET iptables -N PRIVATE_TO_TEST iptables -N TEST_TO_PRIVATE # private to internet: iptables -A FORWARD -i $PRIVATE_IFACE -o $INTERNET_IFACE -j PRIVATE_TO_INTERNET iptables -A FORWARD -i $PRIVATE_WLAN_IFACE -o $INTERNET_IFACE -j PRIVATE_TO_INTERNET # internet to private: iptables -A FORWARD -i $INTERNET_IFACE -o $PRIVATE_IFACE -j INTERNET_TO_PRIVATE iptables -A FORWARD -i $INTERNET_IFACE -o $PRIVATE_WLAN_IFACE -j INTERNET_TO_PRIVATE # test to internet: iptables -A FORWARD -i $TEST_IFACE -o $INTERNET_IFACE -j TEST_TO_INTERNET # guest to internet: iptables -A FORWARD -i $GUEST_IFACE -o $INTERNET_IFACE -j GUEST_TO_INTERNET # private to test: iptables -A FORWARD -i $PRIVATE_IFACE -o $TEST_IFACE -j PRIVATE_TO_TEST iptables -A FORWARD -i $PRIVATE_WLAN_IFACE -o $TEST_IFACE -j PRIVATE_TO_TEST # test to private: iptables -A FORWARD -i $TEST_IFACE -o $PRIVATE_IFACE -j TEST_TO_PRIVATE iptables -A FORWARD -i $TEST_IFACE -o $PRIVATE_WLAN_IFACE -j TEST_TO_PRIVATE # Stateful Inspections: # --------------------- iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #iptables -A INPUT -m state --state INVALID -j MYDROP #iptables -A OUTPUT -m state --state INVALID -j MYDROP # Allow loopback communication: # ----------------------------- iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Antispoofing rules: # ------------------- # drop all packages from internet, which hast a local source address iptables -A FORWARD -s $PRIVATE_NET -i $INTERNET_IFACE -j DROP iptables -A FORWARD -s $TEST_NET -i $INTERNET_IFACE -j DROP iptables -A FORWARD -s $GUEST_NET -i $INTERNET_IFACE -j DROP # drop all package, which source address do not match to network of # its interface (e.g.: a apckage, which comes from the private interface, must # have a source address from the private network, otherwise it will be dropped) iptables -A FORWARD ! -s $PRIVATE_NET -i $PRIVATE_IFACE -j DROP iptables -A FORWARD ! -s $PRIVATE_NET -i $PRIVATE_WLAN_IFACE -j DROP iptables -A FORWARD ! -s $TEST_NET -i $TEST_IFACE -j DROP iptables -A FORWARD ! -s $GUEST_NET -i $GUEST_IFACE -j DROP # drop all packages which loopback source address iptables -A FORWARD -s 127.0.0.1/8 -j DROP # icmp iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j MYACCEPT iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j MYACCEPT # Firewall rules: # --------------- # Routing Rules: # -------------- # Private to Internet: # -------------------- # allow all ports and icmp: iptables -A PRIVATE_TO_INTERNET -m state --state NEW -p tcp --dport 0:65535 -j MYACCEPT iptables -A PRIVATE_TO_INTERNET -m state --state NEW -p udp --dport 0:65535 -j MYACCEPT iptables -A PRIVATE_TO_INTERNET -m state --state NEW -p icmp -j MYACCEPT # drop the rest: iptables -A PRIVATE_TO_INTERNET -j DROP # Internet to Private: # -------------------- # forward tcp port 2222 to alenzen:22 (ssh) iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.3:22 iptables -t nat -A POSTROUTING -p tcp --dport 2222 -j MASQUERADE # forward tcp port 2223 to alenzensrv:22 (ssh) iptables -t nat -A PREROUTING -p tcp --dport 2223 -j DNAT --to-destination 192.168.1.4:22 iptables -t nat -A POSTROUTING -p tcp --dport 2223 -j MASQUERADE # Test to Internet: # ----------------- # http(s): iptables -A TEST_TO_INTERNET -m state --state NEW -p tcp --dport 80 -j MYACCEPT iptables -A TEST_TO_INTERNET -m state --state NEW -p tcp --dport 443 -j MYACCEPT # smtp(s): iptables -A TEST_TO_INTERNET -m state --state NEW -p tcp --dport 25 -j MYACCEPT iptables -A TEST_TO_INTERNET -m state --state NEW -p tcp --dport 465 -j MYACCEPT iptables -A TEST_TO_INTERNET -m state --state NEW -p tcp --dport 587 -j MYACCEPT # imap(s): iptables -A TEST_TO_INTERNET -m state --state NEW -p tcp --dport 143 -j MYACCEPT iptables -A TEST_TO_INTERNET -m state --state NEW -p tcp --dport 993 -j MYACCEPT # pop3(s): iptables -A TEST_TO_INTERNET -m state --state NEW -p tcp --dport 110 -j MYACCEPT iptables -A TEST_TO_INTERNET -m state --state NEW -p tcp --dport 995 -j MYACCEPT # drop the rest: iptables -A TEST_TO_INTERNET -j DROP # Guest to Internet: # ------------------ # allow all ports: iptables -A GUEST_TO_INTERNET -m state --state NEW -p tcp --dport 0:65535 -j MYACCEPT iptables -A GUEST_TO_INTERNET -m state --state NEW -p udp --dport 0:65535 -j MYACCEPT # drop the rest: iptables -A GUEST_TO_INTERNET -j DROP # Private to Test: # ---------------- # ssh: iptables -A PRIVATE_TO_TEST -m state --state NEW -p tcp --dport 22 -j MYACCEPT # icmp: iptables -A PRIVATE_TO_TEST -m state --state NEW -p icmp -j MYACCEPT # drop the rest: iptables -A PRIVATE_TO_TEST -j DROP # Test to Private: # ---------------- # nfs: iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 111 -j MYACCEPT iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p udp --dport 111 -j MYACCEPT iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 2049 -j MYACCEPT iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p udp --dport 2049 -j MYACCEPT # http(s): iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 80 -j MYACCEPT iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 443 -j MYACCEPT # samba: iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 88 -j MYACCEPT # kerberos tcp iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p udp --dport 88 -j MYACCEPT # kerberos udp iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 135 -j MYACCEPT # end point mapper iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p udp --dport 137 -j MYACCEPT # netbios name service iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p udp --dport 138 -j MYACCEPT # netbios datagram iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 139 -j MYACCEPT # netbios session iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 389 -j MYACCEPT # ldap tcp iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p udp --dport 389 -j MYACCEPT # ldap udp iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 445 -j MYACCEPT # smb over tcp iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 464 -j MYACCEPT # kerberos kpasswd tcp iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p udp --dport 464 -j MYACCEPT # kerberos kpasswd udp iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 636 -j MYACCEPT # ldaps iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 1024:5000 -j MYACCEPT # dynamic rpc ports iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 3268 -j MYACCEPT # global cataloge iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 3269 -j MYACCEPT # global cataloge ssl iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p tcp --dport 5353 -j MYACCEPT # multicat dns tcp iptables -A TEST_TO_PRIVATE -m state --state NEW -d 192.168.1.4 -p udp --dport 5353 -j MYACCEPT # multicat dns udp # icmp: iptables -A TEST_TO_PRIVATE -m state --state NEW -p icmp -j MYACCEPT # drop the rest: iptables -A TEST_TO_PRIVATE -j DROP # Personal Firewall Rules: # ------------------------ # Input Ports: # ------------ # ssh (allowed from internet connection and from private network): iptables -A INPUT -m state --state NEW -i $INTERNET_IFACE -p tcp --dport 22 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $PRIVATE_IFACE -p tcp --dport 22 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $PRIVATE_WLAN_IFACE -p tcp --dport 22 -j MYACCEPT # dns (allowed from all, except for internet connection): iptables -A INPUT -m state --state NEW -i $PRIVATE_IFACE -p tcp --dport 53 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $PRIVATE_IFACE -p udp --dport 53 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $PRIVATE_WLAN_IFACE -p tcp --dport 53 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $PRIVATE_WLAN_IFACE -p udp --dport 53 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $TEST_IFACE -p tcp --dport 53 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $TEST_IFACE -p udp --dport 53 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $GUEST_IFACE -p tcp --dport 53 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $GUEST_IFACE -p udp --dport 53 -j MYACCEPT # dhcp (allowed from all, except for internet connection): iptables -A INPUT -m state --state NEW -i $PRIVATE_IFACE -p udp --dport 67 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $PRIVATE_WLAN_IFACE -p udp --dport 67 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $TEST_IFACE -p udp --dport 67 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $GUEST_IFACE -p udp --dport 67 -j MYACCEPT # ntp (allowed from all, except for internet connection): iptables -A INPUT -m state --state NEW -i $PRIVATE_IFACE -p udp --dport 123 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $PRIVATE_WLAN_IFACE -p udp --dport 123 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $TEST_IFACE -p udp --dport 123 -j MYACCEPT iptables -A INPUT -m state --state NEW -i $GUEST_IFACE -p udp --dport 123 -j MYACCEPT # Output Ports: # ------------- # http(s): iptables -A OUTPUT -m state --state NEW -p tcp --dport 80 -j MYACCEPT iptables -A OUTPUT -m state --state NEW -p tcp --dport 443 -j MYACCEPT # dns (only for internet connection): iptables -A OUTPUT -m state --state NEW -o $INTERNET_IFACE -p tcp --dport 53 -j MYACCEPT iptables -A OUTPUT -m state --state NEW -o $INTERNET_IFACE -p udp --dport 53 -j MYACCEPT # ntp (only for internet connection): iptables -A OUTPUT -m state --state NEW -o $INTERNET_IFACE -p udp --dport 123 -j MYACCEPT echo "done" # Activate NAT: # --------------- echo -n "Activate NAT ... " # activate masquerade iptables -A POSTROUTING -t nat -o $INTERNET_IFACE -j MASQUERADE echo "done"
Im Grunde soll alles was nicht expliziet erlaubt ist, verboten sein und verworfen werden.
Ich find einfach den oder die Fehler nicht. Ich hoffe hier kann mir einer weiterhelfen. Vielen Dank schon mal.
Die Datei im Anhang zeigt mal schemtaisch, welche Dienste fuer welches LAN erluab sein sollen.