I may have to read up on iptables at some point. With UFW this looks like quite a lot.
First, from the external VPS
iptables -nvL
Chain INPUT (policy DROP 43 packets, 2500 bytes)
pkts bytes target prot opt in out source destination
6144 628K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
4983 213K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 500,4500
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 policy match dir in pol ipsec
2 270 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
0 0 ACCEPT all -- tun1 * 0.0.0.0/0 0.0.0.0/0 /* pritunl_5744a04e96b9f516fa0392f0 */
4105K 409M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
4105K 409M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
218K 17M ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
3081 207K ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
3081 207K ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
3081 207K ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- ens3 * 192.168.178.0/24 1.2.3.0/22 policy match dir in pol ipsec reqid 29 proto 50
0 0 ACCEPT all -- * ens3 1.2.3.0/22 192.168.178.0/24 policy match dir out pol ipsec reqid 29 proto 50
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT all -- ens+ ppp+ 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- ppp+ ens+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ens+ * 0.0.0.0/0 192.168.43.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * ens+ 192.168.43.0/24 0.0.0.0/0
0 0 ACCEPT all -- * tun1 0.0.0.0/0 0.0.0.0/0 /* pritunl_5744a04e96b9f516fa0392f0 */
0 0 ACCEPT all -- tun1 * 0.0.0.0/0 0.0.0.0/0 /* pritunl_5744a04e96b9f516fa0392f0 */
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun1 0.0.0.0/0 0.0.0.0/0 /* pritunl_5744a04e96b9f516fa0392f0 */
9187K 2035M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
9187K 2035M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
2262 156K ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
2262 156K ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
2262 156K ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
2262 156K ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
5964 618K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
60511 4740K ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
6290 1474K ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
4 184 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
43 2080 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
432 142K ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
109K 7767K ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
1983 111K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
22465 1704K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3354K 339M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3779 409K ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
3779 409K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
57 3400 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
179K 14M ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
179K 14M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
22465 1704K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
6738K 1770M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1660 116K ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
767 69248 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
360 41663 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
3133 175K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
176K 14M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
176K 14M DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
99 6020 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
1555 110K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
349 18220 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
16 1709 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9988
75 3784 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
107 5728 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
110 5616 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
3 140 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
3 160 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
256 15364 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:15584
50 3200 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9989
87 5056 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30033
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9986
3 152 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:15026
1 40 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25565
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4200
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4202
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4499
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4500
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 2206K packets, 828M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1373 packets, 94756 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 11327 packets, 698K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 11327 packets, 698K bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * ens+ 192.168.42.0/24 0.0.0.0/0 to:1.2.3.4
0 0 SNAT all -- * ens+ 192.168.43.0/24 0.0.0.0/0 policy match dir out pol none to:1.2.3.4
0 0 MASQUERADE all -- * ens3 192.168.250.0/24 0.0.0.0/0 /* pritunl_5744a04e96b9f516fa0392f0 */
now the local server
iptables -nvL
Chain INPUT (policy ACCEPT 5216 packets, 719K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- ens160 * 1.2.3.0/22 192.168.178.0/24 policy match dir in pol ipsec reqid 29 proto 50
0 0 ACCEPT all -- * ens160 192.168.178.0/24 1.2.3.0/22 policy match dir out pol ipsec reqid 29 proto 50
Chain OUTPUT (policy ACCEPT 4564 packets, 1573K bytes)
pkts bytes target prot opt in out source destination
iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
What I just noticed is that an OpenVPN server (provided via Pritunl) is also running on the server. My suspicion now is that OpenVPN is somehow interfering with Strongswan.
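As an added diagnostic aid (not the poster's code), a small Python parser for `iptables -nvL` output that flags rules whose packet counters stayed at 0, such as the strongSwan `pol ipsec` FORWARD rules in the dump above, and checks whether a chain ends in an unconditional DROP. The embedded sample is a constructed excerpt of the dump quoted in the post; in practice you would feed it the full output of `iptables -nvL`.

```python
import re
from collections import OrderedDict
# Constructed excerpt of the "iptables -nvL" dump quoted in the post (not the full output).
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- ens3 * 192.168.178.0/24 1.2.3.0/22 policy match dir in pol ipsec reqid 29 proto 50
0 0 ACCEPT all -- * ens3 1.2.3.0/22 192.168.178.0/24 policy match dir out pol ipsec reqid 29 proto 50
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
349 18220 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)")
FIELDS = ("pkts", "bytes", "target", "proto", "opt", "in", "out", "src", "dst", "extra")

def to_int(s):
    """Counters are printed with K/M/G suffixes under -v; turn '4105K' into 4105000."""
    units = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * units[s[-1]] if s[-1] in units else int(s)

def parse_nvl(text):
    """Parse `iptables -nvL` output into {chain: {"policy": str|None, "rules": [dict]}}."""
    chains, current = OrderedDict(), None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # "Chain X (policy ACCEPT ...)" for built-ins, "Chain X (N references)" for user chains
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [match text]
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue
        rule = dict(zip(FIELDS, f + [""] * (10 - len(f))))
        rule["pkts"], rule["bytes"] = to_int(rule["pkts"]), to_int(rule["bytes"])
        chains[current]["rules"].append(rule)
    return chains

def unhit_rules(chains, needle):
    """Rules whose match text mentions `needle` but whose packet counter is still 0."""
    return [(name, r) for name, ch in chains.items() for r in ch["rules"]
            if needle in r["extra"] and r["pkts"] == 0]

def ends_in_unconditional_drop(chains, chain):
    """True if the chain's last rule is DROP with no interface or match restriction."""
    last = (chains[chain]["rules"] or [None])[-1]
    return last is not None and last["target"] == "DROP" and not last["extra"] and last["in"] == last["out"] == "*"
```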