Ubuntu CZ/SK Forum
Ubuntu for personal computers => Internet and networks => Topic started by: okoun, 03 March 2009, 21:14:44
-
Hi, this is how I have firehol set up. The problem is that I can't ping from the external network into the internal one, do you know where the error is? Thanks
# accept all client traffic on any interface
# interface any world
# client all accept
DEFAULT_CLIENT_PORTS="1024:65535"
server_icq_ports="tcp/5190"
client_icq_ports="default"
interface eth2 internal
protection strong 10/sec 10
policy drop
server dns accept
server netbios_ns accept
server netbios_dgm accept
server netbios_ssn accept
server samba accept
server ssh accept
server squid accept
server icmp accept
server ping accept
client all accept
client ssh accept
client ping accept
client icmp accept
server vnc accept
client vnc accept
server smtp accept
client smtp accept
interface eth1 external
protection strong 10/sec 10
policy drop
server icmp accept
server ping accept
server ssh accept
client dns accept
client icmp accept
client ping accept
client telnet accept
client http accept
client https accept
client ftp accept
client ntp accept
client ssh accept
client icq accept
client jabber accept
client webcache accept
server http accept
server smtp accept
client smtp accept
router internal2external inface eth2 outface eth1
route all accept
router external2internal inface eth1 outface eth2
route all accept
-
Do you have forwarding enabled? Otherwise it looks OK at first glance, but better show what rules FireHOL actually set up.
Output of:
sysctl -a | grep forward
iptables -L
-
srsniste@srsniste-server:~$ sysctl -a | grep forward
error: permission denied on key 'kernel.cad_pid'
error: permission denied on key 'fs.binfmt_misc.register'
error: permission denied on key 'dev.parport.parport0.autoprobe'
error: permission denied on key 'dev.parport.parport0.autoprobe0'
error: permission denied on key 'dev.parport.parport0.autoprobe1'
error: permission denied on key 'dev.parport.parport0.autoprobe2'
error: permission denied on key 'dev.parport.parport0.autoprobe3'
error: permission denied on key 'net.ipv4.route.flush'
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
error: permission denied on key 'net.ipv6.route.flush'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
Chain out_internal2external_all_s1 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain out_internal2external_ftp_s3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
Chain out_internal2external_irc_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:1024:65535 state ESTABLISHED
Chain out_internal_all_c10 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
Chain out_internal_dns_s1 (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:domain state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:domain state ESTABLISHED
Chain out_internal_ftp_c12 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpts:1024:65535 state RELATED,ESTABLISHED
Chain out_internal_icmp_c15 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED
Chain out_internal_icmp_s8 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
Chain out_internal_irc_c11 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ircd state NEW,ESTABLISHED
Chain out_internal_netbios_dgm_s3 (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm dpts:1024:65535 state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm state ESTABLISHED
Chain out_internal_netbios_ns_s2 (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns state ESTABLISHED
Chain out_internal_netbios_ssn_s4 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:netbios-ssn dpts:1024:65535 state ESTABLISHED
Chain out_internal_ping_c14 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED icmp echo-request
Chain out_internal_ping_s9 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state ESTABLISHED icmp echo-reply
Chain out_internal_samba_s5 (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:netbios-ssn dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:microsoft-ds dpts:1024:65535 state ESTABLISHED
Chain out_internal_smtp_c19 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:smtp state NEW,ESTABLISHED
Chain out_internal_smtp_s18 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:smtp dpts:1024:65535 state ESTABLISHED
Chain out_internal_squid_s7 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:3128 dpts:1024:65535 state ESTABLISHED
Chain out_internal_ssh_c13 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ssh state NEW,ESTABLISHED
Chain out_internal_ssh_s6 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh dpts:1024:65535 state ESTABLISHED
Chain out_internal_vnc_c17 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpts:5900:5903 state NEW,ESTABLISHED
Chain out_internal_vnc_s16 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:5900:5903 dpts:1024:65535 state ESTABLISHED
Chain pr_external_fragments (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'PACKET FRAGMENTS:''
DROP all -- anywhere anywhere
Chain pr_external_icmpflood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 10/sec burst 10
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'ICMP FLOOD:''
DROP all -- anywhere anywhere
Chain pr_external_malbad (4 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'MALFORMED BAD:''
DROP all -- anywhere anywhere
Chain pr_external_malnull (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'MALFORMED NULL:''
DROP all -- anywhere anywhere
Chain pr_external_malxmas (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'MALFORMED XMAS:''
DROP all -- anywhere anywhere
Chain pr_external_nosyn (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'NEW TCP w/o SYN:''
DROP all -- anywhere anywhere
Chain pr_external_synflood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 10/sec burst 10
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'SYN FLOOD:''
DROP all -- anywhere anywhere
Chain pr_internal_fragments (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'PACKET FRAGMENTS:''
DROP all -- anywhere anywhere
Chain pr_internal_icmpflood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 10/sec burst 10
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'ICMP FLOOD:''
DROP all -- anywhere anywhere
Chain pr_internal_malbad (4 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'MALFORMED BAD:''
DROP all -- anywhere anywhere
Chain pr_internal_malnull (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'MALFORMED NULL:''
DROP all -- anywhere anywhere
Chain pr_internal_malxmas (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'MALFORMED XMAS:''
DROP all -- anywhere anywhere
Chain pr_internal_nosyn (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'NEW TCP w/o SYN:''
DROP all -- anywhere anywhere
Chain pr_internal_synflood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 10/sec burst 10
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'SYN FLOOD:''
DROP all -- anywhere anywhere
-
forwarding is OK, the rules also look fine imho.
let's also take a look at the network:
ip a
ip r
-
srsniste@srsniste-server:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:1f:d0:6d:b9:e8 brd ff:ff:ff:ff:ff:ff
inet 10.27.82.49/28 brd 10.27.82.63 scope global eth2
inet6 fe80::21f:d0ff:fe6d:b9e8/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:50:fc:fa:10:23 brd ff:ff:ff:ff:ff:ff
inet 10.27.82.254/30 brd 10.27.82.255 scope global eth1
inet6 2a01:490:16:1205:250:fcff:fefa:1023/64 scope global dynamic
valid_lft 3577sec preferred_lft 3577sec
inet6 fe80::250:fcff:fefa:1023/64 scope link
valid_lft forever preferred_lft forever
srsniste@srsniste-server:~$ ip r
10.27.82.252/30 dev eth1 proto kernel scope link src 10.27.82.254
10.27.82.48/28 dev eth2 proto kernel scope link src 10.27.82.49
169.254.0.0/16 dev eth1 scope link metric 1000
default via 10.27.82.253 dev eth1 metric 100
-
1) can you ping 10.27.82.254 from 10.27.82.253, and vice versa as well?
2) from some machine in the range 10.27.82.50 - 10.27.82.63, can you ping 10.27.82.49 and back as well?
3) from 10.27.82.50 - 10.27.82.63 to 10.27.82.253 it no longer gets through?
4) do you have the network masks set correctly on the other machines?
5) do they have the gateway set to the corresponding address of the server?
6) you don't have the cables swapped between the NICs?
7) I'm wrong and the firewall isn't set up the way it should be (unlike the BSD packet filter, iptables isn't something I'd be 100% sure about); stop it for a moment with /etc/init.d/firehol stop and try pinging everything again. At least you'll see whether the problem is in the firewall configuration or elsewhere.
nothing else comes to mind
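The checklist above can be scripted. This is an added example, not from the thread or from FireHOL: it parses captured `sysctl -a` and `ip r` text (the excerpts below are constructed to match what the poster showed: eth2 = LAN 10.27.82.48/28 with the server at 10.27.82.49, eth1 = WAN, default via 10.27.82.253) and reports which of the forwarding, route and gateway checks pass. The function names and the STATION_ROUTES sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example: scripted router sanity checks for the thread's FireHOL box.
# Works on captured text, so it runs offline; the excerpts are constructed.
SERVER_SYSCTL='net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.ip_forward = 1'
SERVER_ROUTES='10.27.82.252/30 dev eth1 proto kernel scope link src 10.27.82.254
10.27.82.48/28 dev eth2 proto kernel scope link src 10.27.82.49
default via 10.27.82.253 dev eth1 metric 100'
# A LAN station whose DHCP lease carried no gateway (constructed, hypothetical).
STATION_ROUTES='10.27.82.48/28 dev eth0 proto kernel scope link src 10.27.82.50'

# check_forwarding SYSCTL_TEXT IFACE...: ip_forward must be 1 and every listed
# interface must have forwarding = 1, otherwise echo replies are never routed.
check_forwarding() {
    text=$1; shift
    printf '%s\n' "$text" | grep -qx 'net.ipv4.ip_forward = 1' || return 1
    for ifc in "$@"; do
        printf '%s\n' "$text" | grep -qx "net.ipv4.conf.$ifc.forwarding = 1" || return 1
    done
}

# check_route ROUTES_TEXT PREFIX IFACE: PREFIX must be a connected route on IFACE.
check_route() {
    printf '%s\n' "$1" | grep -q "^$2 dev $3 "
}

# check_gateway ROUTES_TEXT GATEWAY: the default route must point at GATEWAY.
# On the server that is the ISP side (10.27.82.253); on a LAN station it must be
# the server's LAN address (10.27.82.49), or replies to the WAN have nowhere to go.
check_gateway() {
    printf '%s\n' "$1" | grep -q "^default via $2 "
}

# report LABEL CMD...: print PASS/FAIL for one check and pass its status through.
report() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; return 1; fi
}

report "server: forwarding on eth1+eth2" check_forwarding "$SERVER_SYSCTL" eth1 eth2
report "server: LAN 10.27.82.48/28 on eth2" check_route "$SERVER_ROUTES" 10.27.82.48/28 eth2
report "server: default via 10.27.82.253" check_gateway "$SERVER_ROUTES" 10.27.82.253
# The station check fails on purpose: this is the misconfiguration the thread ends on.
report "station: default via 10.27.82.49" check_gateway "$STATION_ROUTES" 10.27.82.49 || true
```

On a live box replace the constants with `"$(sysctl -a 2>/dev/null)"` and `"$(ip r)"`; the station check is what item 5 of the list asks about.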
-
1. yes, from both sides
2. yes, from both sides
3. from 10.27.82.50/28 to 10.27.82.253 it's OK, but the other way it only works to 10.27.82.254 (server WAN) and 10.27.82.49 (server LAN); further on to the other end stations 10.27.82.50-63 it doesn't
4. yes
5. yes
6. no, that wouldn't even be possible
So I found it somehow started working, but it's strange that some devices can be pinged and some can't; isn't it the firewall on the end station?
-
so the problem wasn't on the server but on the end station, I don't know why but it couldn't pick up the gateway via DHCP ::)
Thanks for the replies