Ik heb het volgende probleem,
Ik heb een ipip tunnel naar een andere linux pc dit werk allemaal prima, ik kan de andere kant prima pingen alleen ik kom niet verder dan de gateway (10.0.01) en anders om ook niet (10.1.1.1). wat ik dus bedoel is dat ik vanaf mijn werkstation (10.1.1.2) niet 10.0.0.1 kan pingen. Ik heb een iptables script draaien en ik denk dat die dat afvangt, alleen weet niet waar hij dit zou afvangen of wat ik fout doe.
plz help
paar gegevens:
Mijn linux pc:
eth0 : 80.56.69.131
eth1 : 10.1.1.1
hera : ipip tunnel naar remote 213.46.130.62 (deze is gerouteerd naar 10.0.0.0/24)
Andere linux pc :
eth0 : 213.46.130.62
eth1 : 10.0.0.1
tundev : ipip tunnel naar 80.56.69.131 ( deze is gerouteerd naar 10.1.1.0/24)
mijn iptables script :
LAN_IP="10.1.1.1"
LAN_IP_RANGE="10.0.0.0/8"
LAN_BCAST_ADRESS="10.255.255.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="80.56.69.131"
INET_IFACE="eth0"
TUNNEL="hera"
CHAINS=`iptables -n -L |perl -n -e '/Chain\s+(\S+)/ && !($1 =~ /^(INPUT|FORWARD|OUTPUT)$/) && print "$1 "'`
echo "####################################################"
echo "# #"
echo "# Firewall script based on Iptables. #"
echo "# #"
echo "# Done by D-ThylamidE #"
echo "# #"
echo "####################################################"
echo "# #"
echo "# Network Details: #"
echo "# #"
echo "# Lan Ip : $LAN_IP #"
echo "# Lan Ip Range : $LAN_IP_RANGE #"
echo "# Lan Interface : $LAN_IFACE #"
echo "# I-net Ip : $INET_IP #"
echo "# I-net Interface : $INET_IFACE #"
echo "# #"
echo "####################################################"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "Reduce DoS'ing ability..."
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "1280" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo -n "Flushing Chains -> "
echo $CHAINS
iptables -F
iptables -X
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
echo "Set default policies for the INPUT, FORWARD and OUTPUT chains..."
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
echo "Take care of bad TCP packets that we don't want..."
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
echo "Do some checks for obviously spoofed IP's..."
iptables -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
iptables -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#iptables -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
echo "Enable simple IP Forwarding and NAT..."
iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
echo "Set rules for bad TCP packets we don't want..."
iptables -A FORWARD -p tcp -j bad_tcp_packets
#echo "Accept the packets we actually want to forward..."
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet
died: "
echo "Create separate chains for ICMP, TCP and UDP to traverse..."
iptables -N icmp_packets
iptables -N tcp_packets
iptables -N udpincoming_packets
echo "Set allowed chain for TCP connections..."
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
echo -n "ICMP rules -> "
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type echo-request -j DROP
iptables -A icmp_packets -p ICMP -d $LAN_BCAST_ADRESS -j DROP
echo "Changed rules totally."
echo -n "TCP rules -> "
echo -n "Allow port 21, "
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
echo -n "22, "
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
echo -n "80, "
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
echo -n "113, "
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
echo "37337"
iptables -A tcp_packets -p TCP -s 0/0 --dport 37337 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 31337 -j allowed
echo -n "UDP ports -> "
echo -n "Allow port 53, "
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
echo "123"
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
echo -n "INPUT chain -> "
echo -n "Bad TCP packets we don't want, "
iptables -A INPUT -p tcp -j bad_tcp_packets
echo -n "Incoming packets from the internet, "
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
echo "Special networks not part of the Internet."
iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
echo "Kill anything from outside claiming to be from internal network.."
#iptables -A INPUT -i $INET_IFACE -s $LAN_IP_RANGE -j REJECT
iptables -A INPUT -i $TUNNEL -j ACCEPT
echo -n "OUTPUT chain -> "
echo -n "Bad TCP packets we don't want, "
iptables -A OUTPUT -p tcp -j bad_tcp_packets
echo -n "Special OUTPUT rules to decide which IP's to allow, "
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
echo "Log weird packets that don't match the above."
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"
echo -n "FORWARD chain -> "
echo -n "Forward port 113, "
iptables -A PREROUTING -t nat -p tcp -d 80.56.69.131 --dport 113 -j DNAT --to 10.1.1.2:113
echo "4000 - 4050, "
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 4000:4050 -j DNAT --to-destination 10.1.1.2
plz help
Ik heb een ipip tunnel naar een andere linux pc dit werk allemaal prima, ik kan de andere kant prima pingen alleen ik kom niet verder dan de gateway (10.0.01) en anders om ook niet (10.1.1.1). wat ik dus bedoel is dat ik vanaf mijn werkstation (10.1.1.2) niet 10.0.0.1 kan pingen. Ik heb een iptables script draaien en ik denk dat die dat afvangt, alleen weet niet waar hij dit zou afvangen of wat ik fout doe.
plz help
paar gegevens:
Mijn linux pc:
eth0 : 80.56.69.131
eth1 : 10.1.1.1
hera : ipip tunnel naar remote 213.46.130.62 (deze is gerouteerd naar 10.0.0.0/24)
Andere linux pc :
eth0 : 213.46.130.62
eth1 : 10.0.0.1
tundev : ipip tunnel naar 80.56.69.131 ( deze is gerouteerd naar 10.1.1.0/24)
mijn iptables script :
LAN_IP="10.1.1.1"
LAN_IP_RANGE="10.0.0.0/8"
LAN_BCAST_ADRESS="10.255.255.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="80.56.69.131"
INET_IFACE="eth0"
TUNNEL="hera"
CHAINS=`iptables -n -L |perl -n -e '/Chain\s+(\S+)/ && !($1 =~ /^(INPUT|FORWARD|OUTPUT)$/) && print "$1 "'`
echo "####################################################"
echo "# #"
echo "# Firewall script based on Iptables. #"
echo "# #"
echo "# Done by D-ThylamidE #"
echo "# #"
echo "####################################################"
echo "# #"
echo "# Network Details: #"
echo "# #"
echo "# Lan Ip : $LAN_IP #"
echo "# Lan Ip Range : $LAN_IP_RANGE #"
echo "# Lan Interface : $LAN_IFACE #"
echo "# I-net Ip : $INET_IP #"
echo "# I-net Interface : $INET_IFACE #"
echo "# #"
echo "####################################################"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "Reduce DoS'ing ability..."
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "1280" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo -n "Flushing Chains -> "
echo $CHAINS
iptables -F
iptables -X
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
echo "Set default policies for the INPUT, FORWARD and OUTPUT chains..."
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
echo "Take care of bad TCP packets that we don't want..."
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
echo "Do some checks for obviously spoofed IP's..."
iptables -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
iptables -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#iptables -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
echo "Enable simple IP Forwarding and NAT..."
iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
echo "Set rules for bad TCP packets we don't want..."
iptables -A FORWARD -p tcp -j bad_tcp_packets
#echo "Accept the packets we actually want to forward..."
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet
died: "
echo "Create separate chains for ICMP, TCP and UDP to traverse..."
iptables -N icmp_packets
iptables -N tcp_packets
iptables -N udpincoming_packets
echo "Set allowed chain for TCP connections..."
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
echo -n "ICMP rules -> "
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type echo-request -j DROP
iptables -A icmp_packets -p ICMP -d $LAN_BCAST_ADRESS -j DROP
echo "Changed rules totally."
echo -n "TCP rules -> "
echo -n "Allow port 21, "
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
echo -n "22, "
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
echo -n "80, "
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
echo -n "113, "
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
echo "37337"
iptables -A tcp_packets -p TCP -s 0/0 --dport 37337 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 31337 -j allowed
echo -n "UDP ports -> "
echo -n "Allow port 53, "
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
echo "123"
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
echo -n "INPUT chain -> "
echo -n "Bad TCP packets we don't want, "
iptables -A INPUT -p tcp -j bad_tcp_packets
echo -n "Incoming packets from the internet, "
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
echo "Special networks not part of the Internet."
iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
echo "Kill anything from outside claiming to be from internal network.."
#iptables -A INPUT -i $INET_IFACE -s $LAN_IP_RANGE -j REJECT
iptables -A INPUT -i $TUNNEL -j ACCEPT
echo -n "OUTPUT chain -> "
echo -n "Bad TCP packets we don't want, "
iptables -A OUTPUT -p tcp -j bad_tcp_packets
echo -n "Special OUTPUT rules to decide which IP's to allow, "
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
echo "Log weird packets that don't match the above."
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"
echo -n "FORWARD chain -> "
echo -n "Forward port 113, "
iptables -A PREROUTING -t nat -p tcp -d 80.56.69.131 --dport 113 -j DNAT --to 10.1.1.2:113
echo "4000 - 4050, "
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 4000:4050 -j DNAT --to-destination 10.1.1.2
plz help