Linux, UNIX, Open Source: advice and help with problems and questions about GNU/Linux, BSD and other UNIXes
Newbie
Registered: 19.03.2002
Posts: 1
Hi!

I could use some help, I'm getting slightly desperate. The floppy firewall works really well; my only problem is that when I try to start or accept a call in MS Messenger, it won't let me. Chatting is no problem. According to MS Messenger, port 6901 should be opened. I have already opened almost everything, so far without success. I have also looked into ipchains by now, but can't find anything that helps me.

Please help!

Regards,
Klemens

PS: the current firewall.ini is attached.

```sh
# Firewall setup.
#
# Setting up ipchains and ipmasqadm
#
. /etc/config
#
# Stopping forwarding (this script may be run during normal uptime because
# for re-lease of HDCP or demand dialing / PPPoE.
#
echo "0" > /proc/sys/net/ipv4/ip_forward
#
# Overriding the /etc/config and adding additional information.
#
. /etc/outside.info
. /etc/inside.info
#
# Brad suggested this:
# And he suggested to check and maybe change the formatting.
# We'll do that later.
#
#
echo "Starting firewall with the following config:"
echo
echo " Inside Outside"
echo " Network: ${INSIDE_NETWORK} ${OUTSIDE_NETWORK}"
echo " Device: ${INSIDE_DEVICE} ${OUTSIDE_DEVICE}"
echo "IP Address: ${INSIDE_IP} ${OUTSIDE_IP}"
echo " Netmask: ${INSIDE_NETMASK} ${OUTSIDE_NETMASK}"
echo " Broadcast: ${INSIDE_BROADCAST} ${OUTSIDE_BROADCAST}"
echo " Gateway: [None Set] ${OUTSIDE_GATEWAY}"
echo
#
# Flushing the chains.
#
ipchains -F
#
# Policy for forwarding, Deny
#
ipchains -P forward DENY > /dev/null
# But we want to Masquerade
ipchains -A forward -i ${OUTSIDE_DEVICE} -j MASQ > /dev/null
ipchains -A forward -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j MASQ
# Using this one, you can open up the whole internal network to
# anyone adding a route to it through your outside IP.
# Can be quite useful but it is unsecure.
ipchains -P forward MASQ
#
# Timeouts for the masqueraded connections.
#
ipchains -M -S 6000 120 300
#
# Minimum delay for SSH.
#
ipchains -A output -p tcp -d 0.0.0.0/0 22 -t 0x01 0x10
#
# We don't like the NetBIOS and Samba leaking..
#
/bin/ipchains -I input -j REJECT -p TCP -s 0/0 -d 0/0 137:139
/bin/ipchains -I input -j REJECT -p UDP -s 0/0 -d 0/0 137:139
# Messenger
/bin/ipchains -A input
ipchains -A input -p TCP -d ${OUTSIDE_IP} 6901 -j ACCEPT
ipmasqadm autofw -a -r tcp 6901 6901
ipchains -A input -p TCP -d ${OUTSIDE_IP} 389 -j ACCEPT
ipmasqadm autofw -a -r tcp 389 389
ipchains -A input -p TCP -d ${OUTSIDE_IP} 522 -j ACCEPT
ipmasqadm autofw -a -r tcp 522 522
ipchains -A input -p TCP -d ${OUTSIDE_IP} 1503 -j ACCEPT
ipmasqadm autofw -a -r tcp 1503 1503
ipchains -A input -p TCP -d ${OUTSIDE_IP} 1720 -j ACCEPT
ipmasqadm autofw -a -r tcp 1720 1720
ipchains -A input -p TCP -d ${OUTSIDE_IP} 1731 -j ACCEPT
ipmasqadm autofw -a -r tcp 1731 1731
ipchains -A input -p TCP -d ${OUTSIDE_IP} 1024 -j ACCEPT
ipmasqadm autofw -a -r tcp 1024 65535
ipchains -A input -p UDP -d ${OUTSIDE_IP} 1024 -j ACCEPT
ipmasqadm autofw -a -r udp 1024 65535
# /bin/ipchains -A input
#
# These are for port forwarding to a server on the inside network.
# remove the ipchains and ipmasqadm pair comments and replace
# the <SERVER-IP> with your real server IP.
#
# SSH:
#
# ipchains -A input -p TCP -d ${OUTSIDE_IP} 22 -j ACCEPT # ssh
# ipmasqadm portfw -a -P tcp -L ${OUTSIDE_IP} 22 -R 10.42.42.<SERVER-IP> 22 # ssh
#
# Mail / SMTP
#
# ipchains -A input -p TCP -d ${OUTSIDE_IP} 25 -j ACCEPT # mail
# ipmasqadm portfw -a -P tcp -L ${OUTSIDE_IP} 25 -R 10.42.42.<SERVER-IP> 25 # mail
#
# Web / HTTP
#
#ipchains -A input -p TCP -d ${OUTSIDE_IP} 80 -j ACCEPT # web
#ipmasqadm portfw -a -P tcp -L ${OUTSIDE_IP} 80 -R 10.42.42.100 80 # web
#
# Make www.grc.com happy.. or rather the "wow it's STEALTH" -crowd.
# If you are going to use ipmasqadm and inside servers you have to open
# up for them before this line. See above.
#
# But first, we have to accept the ftp data port so that the ftp
# masq module will work.
ipchains -A input -p TCP -d ${OUTSIDE_IP} 20 -j ACCEPT
# Identd on servers like reject alot better than DENY.
ipchains -A input -p TCP -d ${OUTSIDE_IP} 113 -j REJECT
# Then we can set everything at DENY, this could also be a policy.
ipchains -A input -p TCP -y -d ${OUTSIDE_IP} -j DENY
# Finally, list what we have
#
ipchains -n -L
#
# Rules set, we can enable forwarding in the kernel.
#
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# This enables dynamic IP address following
#
echo 7 > /proc/sys/net/ipv4/ip_dynaddr
```