Ernst May-Jung wrote:

On Wednesday 23 June 2004 08:42, Christopher Ruehl wrote:


Hello Ernst,
please send me the output of
iptables-save > active_config
either to me directly or to the mailing list



Hello Christopher,

the output is short enough for the mailing list:
--------------------------------------------------------------------------------------------------------------
/home/ernst: cat active_config
# Generated by iptables-save v1.2.8 on Wed Jun 23 11:15:48 2004
*nat
:PREROUTING ACCEPT [9915:662498]
:POSTROUTING ACCEPT [2150:163200]
:OUTPUT ACCEPT [0:0]


Here a

-A POSTROUTING -o eth1 -j MASQUERADE

is missing,
for a network router with eth1 = external and eth0 = internal,
or

-A POSTROUTING -o ppp0 -j MASQUERADE with eth0 internal and ppp0 (the PPPoE interface for DSL)

Write that line into your
iptables-save > output
and then do
iptables-restore < output

then check the iptables-save output again

COMMIT
# Completed on Wed Jun 23 11:15:48 2004
# Generated by iptables-save v1.2.8 on Wed Jun 23 11:15:48 2004
*mangle
:PREROUTING ACCEPT [90297:49519037]
:INPUT ACCEPT [86437:49167137]
:FORWARD ACCEPT [878:61628]
:OUTPUT ACCEPT [76520:13006627]
:POSTROUTING ACCEPT [77342:13081681]
COMMIT
# Completed on Wed Jun 23 11:15:48 2004
# Generated by iptables-save v1.2.8 on Wed Jun 23 11:15:48 2004
*filter
:INPUT ACCEPT [170:15181]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [76520:13006627]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -s 127.0.0.0/255.255.255.0 -m state --state NEW -j ACCEPT
-A block -s 192.168.0.0/255.255.255.0 -m state --state NEW -j ACCEPT
-A block -s 10.0.0.0/255.255.255.0 -m state --state NEW -j ACCEPT
-A block -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A block -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A block -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A block -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A block -p udp -m udp --dport 517 -j ACCEPT
-A block -p udp -m udp --dport 518 -j ACCEPT
-A block -p icmp -j ACCEPT
-A block -s 192.168.0.0/255.255.255.0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from LAN:"
-A block -s ! 192.168.0.0/255.255.255.0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from Internet:"
-A block -s ! 10.0.0.0/255.255.255.0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from Internet:"
-A block -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Jun 23 11:15:48 2004
------------------------------------------------------------------------------------------------------



As I said, the thing no longer works as a router/gateway. Since the update to 2.6.

I also have the famous switch turned on:
/proc/sys/net/ipv4: cat ip_forward
1


Regards, Ernst
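The fix proposed in the interleaved reply above (add a MASQUERADE rule to the nat POSTROUTING chain, feed the edited dump back through iptables-restore, then verify), as an added shell example that is not code from the original thread. It works on the text of an iptables-save dump rather than on the live ruleset, so it runs offline without root; the two sample dumps are constructed from the nat and filter tables Ernst posted, and the function names (`has_masquerade`, `add_masquerade`, `forwarding_enabled`, `unbound_lan_accepts`) are my own. The last function goes beyond the thread's question and flags a spoofing weakness in the posted filter rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Works on iptables-save text so it
# runs without root or a live ruleset; on a real box feed it "$(iptables-save)".

# Constructed sample: the nat table exactly as Ernst posted it (no MASQUERADE).
NAT_DUMP='# Generated by iptables-save v1.2.8 on Wed Jun 23 11:15:48 2004
*nat
:PREROUTING ACCEPT [9915:662498]
:POSTROUTING ACCEPT [2150:163200]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Jun 23 11:15:48 2004'

# Constructed sample: an excerpt of the posted filter table.
FILTER_DUMP='*filter
:INPUT ACCEPT [170:15181]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [76520:13006627]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -s 127.0.0.0/255.255.255.0 -m state --state NEW -j ACCEPT
-A block -s 192.168.0.0/255.255.255.0 -m state --state NEW -j ACCEPT
-A block -s 10.0.0.0/255.255.255.0 -m state --state NEW -j ACCEPT
-A block -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A block -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# has_masquerade DUMP IFACE: exit 0 if the *nat table in DUMP contains
# "-A POSTROUTING -o IFACE -j MASQUERADE", 1 otherwise. Only lines between
# "*nat" and the next "*table" header count, so a MASQUERADE rule written
# under the wrong table does not satisfy the check.
has_masquerade() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^\*/ { innat = ($0 == "*nat") }
        innat && /^-A POSTROUTING / && / -j MASQUERADE/ {
            for (i = 1; i <= NF; i++)
                if ($i == "-o" && $(i + 1) == ifc) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# add_masquerade DUMP IFACE: print DUMP with the MASQUERADE rule appended to
# the nat table, immediately before that table's COMMIT, which is where
# iptables-restore expects it. All other tables pass through unchanged.
add_masquerade() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^\*/ { innat = ($0 == "*nat") }
        innat && /^COMMIT$/ { print "-A POSTROUTING -o " ifc " -j MASQUERADE" }
        { print }'
}

# forwarding_enabled [FILE]: exit 0 if the sysctl file (default
# /proc/sys/net/ipv4/ip_forward) reads 1. Necessary for routing, but, as the
# thread shows, not sufficient on its own.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# unbound_lan_accepts DUMP: print *filter ACCEPT rules that match on a source
# network (-s) with no input interface (-i). Such a rule also accepts a packet
# that arrives on the external interface carrying a spoofed internal source
# address, so it should be pinned with "-i <internal interface>".
unbound_lan_accepts() {
    printf '%s\n' "$1" | awk '
        /^\*/ { infilter = ($0 == "*filter") }
        infilter && /^-A / && / -s [0-9]/ && !/ -i / && / -j ACCEPT/ { print }'
}

# Stand-alone run: report on the samples and show the repaired nat table.
if ! has_masquerade "$NAT_DUMP" eth1; then
    echo "nat POSTROUTING has no MASQUERADE for eth1; repaired table:"
    add_masquerade "$NAT_DUMP" eth1
fi
echo "source-only ACCEPT rules (spoofable from the outside):"
unbound_lan_accepts "$FILTER_DUMP"
```

On the gateway itself the same steps are `iptables-save > output`, `add_masquerade "$(cat output)" eth1 > output.new`, `iptables-restore < output.new`, and then `has_masquerade "$(iptables-save)" eth1` to confirm the live ruleset (or simply `iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE` for a one-off). Against the posted filter table, `unbound_lan_accepts` lists the three `-s 127.0.0.0/24`, `-s 192.168.0.0/24` and `-s 10.0.0.0/24` NEW-state ACCEPT rules: because FORWARD and INPUT both jump to `block`, and the 192.168/24 and 10/24 rules carry no `-i`, a packet from the Internet with a forged LAN source address is accepted as a new connection and, once masquerading works, forwarded. Adding `-i eth0` (the internal interface) to those rules closes that hole without changing what the LAN can do.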






---------------------------------------------------------------------------- PUG - Penguin User Group Wiesbaden - http://www.pug.org