Hi,
here are some words about my system:
- Red Hat 7.2 / kernel 2.4.18
- iptables 1.2.6a
- dual-homed system:
  * LAN eth0
  * Internet ippp0
- ip_forward is active
- there are 2 workstations behind the firewall
- every packet going out on ippp0 is masqueraded; IP masquerading
  is working fine, both clients can communicate with hosts on the Internet.
The beginning of my firewall script looks like this:
#!/bin/sh
CONNECTION_TRACKING="1"
IPTABLES="/sbin/iptables"          # iptables binary
BAD="ippp0"                        # Internet interface
GOOD="eth0"                        # LAN interface
LOOPBACK_INTERFACE="lo"            # loopback interface
LOOPBACK="127.0.0.0/8"             # loopback address range
LOCALIP="192.168.0.2/32"           # local IP
LOCALNET="192.168.0.0/24"          # local network address
CLASS_A="10.0.0.0/8"               # class A: private networks
CLASS_B="172.16.0.0/12"            # class B: private networks
CLASS_C="192.168.0.0/16"           # class C: private networks
CLASS_D_MULTICAST="224.0.0.0/4"    # class D: multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E: reserved addresses
BROADCAST_SRC="0.0.0.0"            # broadcast source
BROADCAST_DEST="255.255.255.255"   # broadcast destination
PRIVPORTS="0:1023"                 # privileged ports
UNPRIVPORTS="1024:65535"           # unprivileged ports
NFS_PORT="2049"                    # (TCP) NFS
SOCKS_PORT="1080"                  # (TCP) SOCKS
OPENWINDOWS_PORT="2000"            # (TCP) OpenWindows
SQUID_PORT="8080"                  # (TCP) squid web cache
if [ -f /etc/rc.d/ipppd.info ]; then
    . /etc/rc.d/ipppd.info
fi
########################################################################
# IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Ignore pings to broadcast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable source routing
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done
# Enable TCP SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Do not accept ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
# Do not send ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done
#######################################################################
# Delete any rules that may still exist
$IPTABLES --flush
$IPTABLES -t nat --flush
$IPTABLES -t mangle --flush
# No restrictions for loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Set the firewall policy
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP
$IPTABLES -t nat --policy PREROUTING DROP
$IPTABLES -t nat --policy OUTPUT DROP
$IPTABLES -t nat --policy POSTROUTING DROP
$IPTABLES -t mangle --policy PREROUTING DROP
$IPTABLES -t mangle --policy OUTPUT DROP
# Masquerade the source IP of outgoing connections
# over ippp0
$IPTABLES -t nat -A POSTROUTING -o $BAD -j MASQUERADE
######################################################################
My problem is that if I try to ping myself (127.0.0.1) after I've parsed the
script, the following error message is displayed:
sendto: Operation not permitted
But I think the 2 lines before changing the firewall-policy to drop should
allow every traffic from localhost. I don't know what I can do.
Yours Truly,
Jan Brinkmann
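As an added example (not from the post above or any reply to it), here is the same script skeleton with the DROP policies confined to the filter table, plus a small lint that flags a DROP policy on the nat or mangle table. The first packet of every new connection, the loopback ping included, traverses the nat and mangle chains, so a DROP policy there discards it before the filter table's "-i lo -j ACCEPT" rule is reached; the iptables path and the ippp0 name are taken from the post.

```shell
#!/bin/sh
# Added example: filter-table DROP policies, nat/mangle left at ACCEPT.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # path as used in the post
BAD="ippp0"                              # Internet interface from the post

# Print the commands instead of running them, so the ruleset can be
# reviewed and linted, then piped to sh from a root shell.
emit_rules() {
    cat <<EOF
$IPTABLES --flush
$IPTABLES -t nat --flush
$IPTABLES -t mangle --flush
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP
$IPTABLES -t nat --policy PREROUTING ACCEPT
$IPTABLES -t nat --policy OUTPUT ACCEPT
$IPTABLES -t nat --policy POSTROUTING ACCEPT
$IPTABLES -t mangle --policy PREROUTING ACCEPT
$IPTABLES -t mangle --policy OUTPUT ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $BAD -j MASQUERADE
EOF
}

# Lint a ruleset read from stdin: return 1 and name the offending line if
# any policy outside the filter table is DROP. That is exactly the setting
# that makes locally generated packets (ping 127.0.0.1) fail with EPERM,
# which ping reports as "sendto: Operation not permitted".
check_policies() {
    if bad=$(grep -E -- '-t (nat|mangle) .*--policy [A-Z]+ +DROP'); then
        echo "DROP policy on a non-filter table: $bad" >&2
        return 1
    fi
    return 0
}

# Apply for real (needs root): lint first, then hand the commands to sh.
apply_rules() {
    emit_rules | check_policies && emit_rules | sh
}
```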