Good day debian-user-german, hello!

The scenario is as follows:

1) There is a WLAN AP which is at the same time the gateway for the whole network. Attached to it are: a) one or more Windows clients, b) a Debian machine with FireHOL installed and enabled. Technically, the machine has 2 network interfaces (eth0+eth1), but only eth0 is used. Furthermore, OpenVPN access into the private network is offered via tun0.

2) The GW is set up so that requests on certain ports (e.g. port 22) are forwarded to the Debian machine, so that it can be administered remotely. Of course this port is also opened on the Debian box. Accordingly, administration from OUTSIDE is possible.

Problem: from the local network I only manage to establish a connection to the Debian box when I disable its firewall (this applies to all opened ports). But then OpenVPN no longer works properly. So, to access the machine from the internal network, I first have to log in to a machine outside the local network and from there / via that machine switch off the firewall on my Debian box. That's annoying. Is there an alternative?

I've attached the firewall config ... see below. The kernel firewall bits are all built as modules.

Thanks for your help, and please don't hesitate to ask questions. One more small thing: from Sunday 29.10. I will be unreachable for about 1 week.

I'm using Debian sarge with

debian:/var/log# uname -r
2.6.17.13
debian:/var/log# iptables -V
iptables v1.2.11
debian:/var/log# firehol --version
: firehol.sh,v 1.231 2004/11/01 00:13:00 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <[EMAIL PROTECTED]>
FireHOL is distributed under GPL.

cu, Stefan

So here is my FireHOL config. To make it work, I defined a new service (for OpenVPN) and put it on port 443.
# ----------------------------------------------------------------------------
# CUSTOM SERVICES
# ----------------------------------------------------------------------------
# See the section "Adding Services" in the documentation
# Example service x, listening on port TCP/z
# > server_x_ports="tcp/z"
# > client_x_ports="default"

server_openvpn_ports="tcp/21"
client_openvpn_ports="any"

## Settings for openVPN:
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -i lo -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# for DefaultGW operations of OpenVPN:
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE

FIREHOL_LOG_MODE="ULOG"
FIREHOL_LOG_LEVEL="--log-level warning"
FIREHOL_LOG_OPTIONS="--log-tcp-options --log-ip-options"
FIREHOL_LOG_FREQUENCY="1/second"
#FIREHOL_LOG_FREQUENCY="30/minute"
#FIREHOL_LOG_BURST="5"
FIREHOL_LOG_BURST="2"

# ----------------------------------------------------------------------------
# NETWORK DEFINITIONS - Normally, only these are to be touched by you.
# ----------------------------------------------------------------------------
# You can define anything you like, assuming you are using it later.

# --- HOME ---
# The definition of our HOME LAN.
HOME_MYIP="192.168.100.60"          # The IP on our HOME LAN
HOME_MYIF="eth1"                    # The HOME LAN interface
HOME_BCAST="192.168.100.255"        # The HOME LAN broadcast
HOME_LAN="192.168.100.0/16"         # The HOME LAN
HOME_SERVICES="all"

# Do we run a DHCP server on the HOME LAN?
HOME_DHCP=0                         # Set to 0 to disable

# --- PUBLIC ---
# The definition of our PUBLIC interface.
PUBLIC_MYIP=""                      # Leave empty for dynamic IP
PUBLIC_MYIF="eth0"                  # The public interface
PUBLIC_SERVICES="ssh http openvpn icmp"
#PUBLIC_SERVICES="ssh openvpn"

# Is the PPP interface a DIAL-ON-DEMAND?
DIAL_ON_DEMAND=0                    # Set to 0 to disable

# --- TRUSTED ---
# Hosts in the internet I trust for accessing private services
# Empty these to disable.
TRUSTED_PCS=""
TRUSTED_SERVICES=""

# --- TRANSPARENT CACHE ---
# Run a transparent cache?
SQUID_PORT=""                       # Leave empty to disable SQUID
SQUID_USERS="squid"                 # Users to be excluded from the cache
SQUID_EXCLUDE=""                    # Web Server IPs to be excluded from the cache

# --- BLACKLIST ---
# A space-separated list of IPs to be blocked.
blacklist=""

# HELPERS
# ----------------------------------------------------------------------------

# Block all traffic from/to certain IPs
if [ ! -z "${blacklist}" ]
then
	blacklist full "${blacklist}"
fi

# Setup a transparent squid, only if SQUID_PORT is set.
if [ ! -z "${SQUID_PORT}" ]
then
	transparent_squid "${SQUID_PORT}" "${SQUID_USERS}" \
		inface "${HOME_MYIF}" src "${HOME_LAN}" \
		`test ! -z "${SQUID_EXCLUDE}" && echo "dst not '${SQUID_EXCLUDE}'"`
fi

# ----------------------------------------------------------------------------
# NETWORK ADDRESS TRANSLATION
# ----------------------------------------------------------------------------
# Change the source/destination of packets...

# Should we do SNAT or MASQUERADE?
# If there is a PUBLIC_MYIP defined, we should do SNAT, otherwise MASQ.
#
if [ ! -z "${PUBLIC_MYIP}" ]
then
	snat to "${PUBLIC_MYIP}" \
		outface "${PUBLIC_MYIF}" \
		src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"
else
	masquerade "${PUBLIC_MYIF}"
fi

# To have some public service hit an internal machine, do this:
# (the example redirects external port TCP/26 to internal IP 10.0.0.2 port 25)
#
# > dnat to 10.0.0.2:25 \
# >	inface "${PUBLIC_MYIF}" \
# >	src not "${HOME_LAN} ${UNROUTABLE_IPS}" \
# >	proto tcp dport 26
#
# For each such statement, the router at the end has to support it.

# ----------------------------------------------------------------------------
# PROTECT SELF
# ----------------------------------------------------------------------------
# Protect the firewall host...

# --- HOME ---
# Protect us from the HOME LAN
interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP} ${HOME_BCAST}"
	policy reject
	server "${HOME_SERVICES}" accept
	client all accept

# DHCP needs 0.0.0.0/255.255.255.255 access.
if [ ${HOME_DHCP} -eq 1 ]
then
	interface "${HOME_MYIF}" dhcp
		server dhcp accept
fi

# --- PUBLIC ---
# Protect us from the PUBLIC
interface "${PUBLIC_MYIF}" internet \
	src not "${UNROUTABLE_IPS}" \
	`test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"`

	protection strong
	policy drop

	# Are there any trusted PCs/services?
	if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]
	then
		server "${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}"
	fi

	server "${PUBLIC_SERVICES}" accept
	client all accept

# DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.
if [ ${DIAL_ON_DEMAND} -eq 1 ]
then
	interface "${PUBLIC_MYIF}" dialup
		client all accept
fi

# ----------------------------------------------------------------------------
# PROTECT ROUTING
# ----------------------------------------------------------------------------
# Protect the LAN...

# Route traffic for the clients on the LAN
router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}" \
	src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"

	# route all client traffic
	client all accept

	# For the dnat example above, this is needed:
	# > server smtp accept dst 10.0.0.2

-- 
Kind regards
Stefan Schilling
mailto:[EMAIL PROTECTED]
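An added example, not from Stefan's post and not FireHOL code: it evaluates a packet's inbound interface and source address against the two "interface" blocks of the config above (home on eth1 with src HOME_LAN, internet on eth0 with src not UNROUTABLE_IPS), judging by the inface and src conditions only. It assumes that FireHOL's UNROUTABLE_IPS contains the RFC 1918 ranges (the list in the script is a constructed subset) and that a packet matching no interface block ends in FireHOL's final drop.

```shell
#!/bin/bash
# Added example, not from the original post or from FireHOL: which of the two
# "interface" blocks in the config above would handle a packet, judged by the
# inface and src conditions only (dst conditions are ignored). Assumption:
# FireHOL's UNROUTABLE_IPS contains the RFC 1918 ranges; this is a subset.
UNROUTABLE_IPS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"
HOME_MYIF="eth1"                # the values below are copied from the posted config
HOME_LAN="192.168.100.0/16"
PUBLIC_MYIF="eth0"

# ip_to_int 192.168.100.60 -> dotted quad as a 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR : succeeds if IP lies inside CIDR
in_cidr() {
    local ip net bits mask
    ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# in_list IP "CIDR CIDR ..." : succeeds if IP is inside any listed CIDR
in_list() {
    local cidr
    for cidr in $2; do in_cidr "$1" "$cidr" && return 0; done
    return 1
}

# classify INFACE SRC : prints "home", "internet", or "unmatched" (a packet
# that matches no interface block falls through to FireHOL's final drop)
classify() {
    if [ "$1" = "$HOME_MYIF" ] && in_cidr "$2" "$HOME_LAN"; then
        echo home
    elif [ "$1" = "$PUBLIC_MYIF" ] && ! in_list "$2" "$UNROUTABLE_IPS"; then
        echo internet
    else
        echo unmatched
    fi
}

# Constructed sample packets: a LAN client and an Internet host, both on eth0
classify eth0 192.168.100.5    # unmatched
classify eth0 203.0.113.9      # internet
classify eth1 192.168.100.5    # home
```

With the LAN actually wired to eth0, a LAN source is excluded from the internet block by "src not UNROUTABLE_IPS" and is not on HOME_MYIF, so it reaches neither block; the script makes that visible without touching the live firewall.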