Hello

> - IP_FORWARD
> - Routing
> - Tunnel setup
> - Packet filtering
> All of that can be checked.
> 1. cat /proc/sys/net/ipv4/ip_forward
>    (should return 1)
> 2. route -n
> 3. tail /var/log/messages, auth, syslog, ...
> 4. iptables-save -c

So I had already enabled that: ip_forward=1

For now I have not changed anything in iptables or the routing, since I am no longer sure what exactly belongs in there.
The VPN tunnel is running properly; at the moment I can only encrypt the connection from a client to the server itself.

And here are the tests from above:

-----------------------------------------------------------------
# Generated by iptables-save v1.2.11 on Wed Mar 2 13:25:33 2005
*mangle
:PREROUTING ACCEPT [2828:366520]
:INPUT ACCEPT [1544:198437]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [269:21531]
:POSTROUTING ACCEPT [269:21531]
COMMIT
# Completed on Wed Mar 2 13:25:33 2005
# Generated by iptables-save v1.2.11 on Wed Mar 2 13:25:33 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
[0:0] -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
[7:895] -A INPUT -d 255.255.255.255 -i eth1 -j ACCEPT
[1354:179188] -A INPUT -s 192.168.10.0/255.255.255.0 -i eth1 -j ACCEPT
[0:0] -A INPUT -d 224.0.0.0/240.0.0.0 -i eth1 -p ! tcp -j ACCEPT
[0:0] -A INPUT -s 192.168.10.0/255.255.255.0 -i eth0 -j LOG
[0:0] -A INPUT -s 192.168.10.0/255.255.255.0 -i eth0 -j DROP
[1:350] -A INPUT -d 255.255.255.255 -i eth0 -j ACCEPT
[45:8136] -A INPUT -d 192.168.21.97 -i eth0 -j ACCEPT
[0:0] -A INPUT -d 192.168.10.255 -i eth0 -j ACCEPT
[142:10224] -A INPUT -j LOG
[142:10224] -A INPUT -j DROP
[0:0] -A FORWARD -s 192.168.10.0/255.255.255.0 -i eth1 -o eth0 -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -d 192.168.10.0/255.255.255.0 -o eth0 -j LOG
[0:0] -A FORWARD -d 192.168.10.0/255.255.255.0 -o eth0 -j DROP
[0:0] -A FORWARD -j LOG
[0:0] -A FORWARD -j DROP
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -d 255.255.255.255 -o eth1 -j ACCEPT
[266:20623] -A OUTPUT -d 192.168.10.0/255.255.255.0 -o eth1 -j ACCEPT
[0:0] -A OUTPUT -d 224.0.0.0/240.0.0.0 -o eth1 -p ! tcp -j ACCEPT
[0:0] -A OUTPUT -d 192.168.10.0/255.255.255.0 -o eth0 -j LOG
[0:0] -A OUTPUT -d 192.168.10.0/255.255.255.0 -o eth0 -j DROP
[0:0] -A OUTPUT -d 255.255.255.255 -o eth0 -j ACCEPT
[12:1944] -A OUTPUT -s 192.168.21.97 -o eth0 -j ACCEPT
[0:0] -A OUTPUT -s 192.168.10.255 -o eth0 -j ACCEPT
[0:0] -A OUTPUT -j LOG
[0:0] -A OUTPUT -j DROP
COMMIT
# Completed on Wed Mar 2 13:25:33 2005
# Generated by iptables-save v1.2.11 on Wed Mar 2 13:25:33 2005
*nat
:PREROUTING ACCEPT [1542:256928]
:POSTROUTING ACCEPT [4:283]
:OUTPUT ACCEPT [4:283]
[0:0] -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 2 13:25:33 2005
-----------------------------------------------------------------
route -n
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
192.168.21.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.21.44   0.0.0.0         UG    0      0        0 eth0
-----------------------------------------------------------------
tail messages
Mar 2 13:31:57 debvpn kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:46:16:5a:08:00 SRC=192.168.21.44 DST=192.168.21.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=8043 PROTO=UDP SPT=520 DPT=520 LEN=52
Mar 2 13:32:27 debvpn kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:46:16:5a:08:00 SRC=192.168.21.44 DST=192.168.21.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=8045 PROTO=UDP SPT=520 DPT=520 LEN=52
Mar 2 13:32:41 debvpn kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:46:16:5a:08:00 SRC=192.168.21.44 DST=192.168.21.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=8046 PROTO=UDP SPT=520 DPT=520 LEN=52
Mar 2 13:32:58 debvpn kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:46:16:5a:08:00 SRC=192.168.21.44 DST=192.168.21.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=8047 PROTO=UDP SPT=520 DPT=520 LEN=52
Mar 2 13:33:28 debvpn kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:46:16:5a:08:00 SRC=192.168.21.44 DST=192.168.21.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=8048 PROTO=UDP SPT=520 DPT=520 LEN=52
Mar 2 13:33:58 debvpn kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:46:16:5a:08:00 SRC=192.168.21.44 DST=192.168.21.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=8049 PROTO=UDP SPT=520 DPT=520 LEN=52
Mar 2 13:34:28 debvpn kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:46:16:5a:08:00 SRC=192.168.21.44 DST=192.168.21.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=8050 PROTO=UDP SPT=520 DPT=520 LEN=52
Mar 2 13:34:58 debvpn kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:46:16:5a:08:00 SRC=192.168.21.44 DST=192.168.21.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=8051 PROTO=UDP SPT=520 DPT=520 LEN=52
Mar 2 13:35:28 debvpn kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:46:16:5a:08:00 SRC=192.168.21.44 DST=192.168.21.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=8052 PROTO=UDP SPT=520 DPT=520 LEN=52
Mar 2 13:35:58 debvpn kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:46:16:5a:08:00 SRC=192.168.21.44 DST=192.168.21.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=8053 PROTO=UDP SPT=520 DPT=520 LEN=52
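
Added example, not part of the original message: a small Python reader for the `iptables-save -c` counters requested in step 4, reporting which chains have matched packets and how many fell through to a final unconditional DROP. The sample is an abridged copy of the filter table posted above; the function names are assumptions of this example.

```python
import re

# Abridged from the *filter table in the post above (sample input for this example).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[1354:179188] -A INPUT -s 192.168.10.0/255.255.255.0 -i eth1 -j ACCEPT
[142:10224] -A INPUT -j LOG
[142:10224] -A INPUT -j DROP
[0:0] -A FORWARD -s 192.168.10.0/255.255.255.0 -i eth1 -o eth0 -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j LOG
[0:0] -A FORWARD -j DROP
[266:20623] -A OUTPUT -d 192.168.10.0/255.255.255.0 -o eth1 -j ACCEPT
COMMIT
"""

POLICY = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
RULE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")

def parse(dump):
    """Return {table: {chain: {"policy": str, "rules": [(pkts, bytes, spec)]}}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*filter", "*nat", "*mangle"
            table = tables.setdefault(line[1:], {})
        elif table is None or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif (m := POLICY.match(line)):     # ":FORWARD DROP [0:0]"
            table[m[1]] = {"policy": m[2], "rules": []}
        elif (m := RULE.match(line)):       # "[pkts:bytes] -A CHAIN spec..."
            chain = table.setdefault(m[3], {"policy": "-", "rules": []})
            chain["rules"].append((int(m[1]), int(m[2]), m[4]))
    return tables

def hit_rules(chain):
    """Rules whose packet counter is non-zero."""
    return [r for r in chain["rules"] if r[0] > 0]

def idle_chains(tables, table="filter"):
    """Chains in which no rule has matched a single packet."""
    return sorted(n for n, c in tables[table].items() if not hit_rules(c))

def dropped_by_catchall(chain):
    """Packets that reached a final unconditional '-j DROP' rule."""
    return sum(p for p, _, spec in chain["rules"] if spec == "-j DROP")
```

On the posted dump this reports FORWARD as the only idle chain: every FORWARD rule and the chain policy show [0:0], so no packet had traversed FORWARD when the dump was taken, while 142 packets fell through to the final INPUT DROP.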

