[solved] iptables: LAN ok, WAN blocked. Why?

Setting up the local network, connecting to other computers and services.

Lalle75
Posts: 83
Registered: 25.10.2015 17:41:00
Location: Ruhrgebiet

[solved] iptables: LAN ok, WAN blocked. Why?

Post by Lalle75 » 12.12.2015 17:38:41

Hi everyone.

I am setting up a firewall with iptables for the first time. To help me along I had FireHOL pre-generate the rules and then adapted them to my requirements. For now I only want to allow web browsing inside and outside, plus communication within my local network.

For some reason, though, no website outside my LAN can be reached, even though the corresponding chains and filter rules for LAN and WAN look almost identical.

This is my iptables configuration:

Code:

# Generated by iptables-save v1.4.21 on Sat Dec 12 13:07:23 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [150:9499]
:POSTROUTING ACCEPT [130:8003]
COMMIT

# Completed on Sat Dec 12 13:07:23 2015
# Generated by iptables-save v1.4.21 on Sat Dec 12 13:07:23 2015
*mangle
:PREROUTING ACCEPT [1781:920892]
:INPUT ACCEPT [1781:920892]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1903:140583]
:POSTROUTING ACCEPT [1882:139035]
COMMIT

# Completed on Sat Dec 12 13:07:23 2015
# Generated by iptables-save v1.4.21 on Sat Dec 12 13:07:23 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in_lan - [0:0]
:in_lan_dhcp_c1 - [0:0]
:in_lan_http_c2 - [0:0]
:in_lan_http_s4 - [0:0]
:in_lan_https_c3 - [0:0]
:in_lan_https_s5 - [0:0]
:in_lan_samba_s6 - [0:0]
:in_world - [0:0]
:in_world_http_c1 - [0:0]
:in_world_http_s3 - [0:0]
:in_world_https_c2 - [0:0]
:in_world_https_s4 - [0:0]
:out_lan - [0:0]
:out_lan_dhcp_c1 - [0:0]
:out_lan_http_c2 - [0:0]
:out_lan_http_s4 - [0:0]
:out_lan_https_c3 - [0:0]
:out_lan_https_s5 - [0:0]
:out_lan_samba_s6 - [0:0]
:out_world - [0:0]
:out_world_http_c1 - [0:0]
:out_world_http_s3 - [0:0]
:out_world_https_c2 - [0:0]
:out_world_https_s4 - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/27 -d 192.168.0.10/32 -i eth0 -j in_lan
-A INPUT -d 192.168.0.10/32 -i eth0 -j in_world
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
-A INPUT -j DROP

-A FORWARD -m state --state RELATED -j ACCEPT
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
-A FORWARD -j DROP

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.0.10/32 -d 192.168.0.0/27 -o eth0 -j out_lan
-A OUTPUT -s 192.168.0.10/32 -o eth0 -j out_world
-A OUTPUT -m state --state RELATED -j ACCEPT
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
-A OUTPUT -j DROP

-A in_lan -j in_lan_dhcp_c1
-A in_lan -j in_lan_http_c2
-A in_lan -j in_lan_https_c3
-A in_lan -j in_lan_http_s4
-A in_lan -j in_lan_https_s5
-A in_lan -j in_lan_samba_s6
-A in_lan -m state --state RELATED -j ACCEPT
-A in_lan -j ACCEPT

-A in_lan_dhcp_c1 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A in_lan_http_c2 -p tcp -m tcp --sport 80 --dport 32768:61000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_lan_http_s4 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_lan_https_c3 -p tcp -m tcp --sport 443 --dport 32768:61000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_lan_https_s5 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_lan_samba_s6 -p udp -m udp --sport 137 --dport 137 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_lan_samba_s6 -p udp -m udp --sport 1024:65535 --dport 137 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_lan_samba_s6 -p udp -m udp --sport 138 --dport 138 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_lan_samba_s6 -p udp -m udp --sport 1024:65535 --dport 138 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_lan_samba_s6 -p tcp -m tcp --sport 1024:65535 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_lan_samba_s6 -p tcp -m tcp --sport 1024:65535 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

-A in_world -s 0.0.0.0/8 -j RETURN
-A in_world -s 10.0.0.0/8 -j RETURN
-A in_world -s 127.0.0.0/8 -j RETURN
-A in_world -s 240.0.0.0/4 -j RETURN
-A in_world -s 10.0.0.0/8 -j RETURN
-A in_world -s 169.254.0.0/16 -j RETURN
-A in_world -s 172.16.0.0/12 -j RETURN
-A in_world -s 192.0.2.0/24 -j RETURN
-A in_world -s 192.88.99.0/24 -j RETURN
-A in_world -s 192.168.0.0/16 -j RETURN
-A in_world -s 192.168.0.0/27 -j RETURN
-A in_world -j in_world_http_c1
-A in_world -j in_world_https_c2
-A in_world -j in_world_http_s3
-A in_world -j in_world_https_s4
-A in_world -m state --state RELATED -j ACCEPT
-A in_world -p tcp -m limit --limit 1/sec -j LOG --log-prefix "IN-world:"
-A in_world -p tcp -j REJECT --reject-with tcp-reset
-A in_world -m limit --limit 1/sec -j LOG --log-prefix "IN-world:"
-A in_world -j REJECT --reject-with icmp-port-unreachable

-A in_world_http_c1 -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_world_http_s3 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_world_https_c2 -p tcp -m tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A in_world_https_s4 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

-A out_lan -j out_lan_dhcp_c1
-A out_lan -j out_lan_http_c2
-A out_lan -j out_lan_https_c3
-A out_lan -j out_lan_http_s4
-A out_lan -j out_lan_https_s5
-A out_lan -j out_lan_samba_s6
-A out_lan -m state --state RELATED -j ACCEPT
-A out_lan -j ACCEPT

-A out_lan_dhcp_c1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A out_lan_http_c2 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_lan_http_s4 -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_lan_https_c3 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_lan_https_s5 -p tcp -m tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_lan_samba_s6 -p udp -m udp --sport 137 --dport 137 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_lan_samba_s6 -p udp -m udp --sport 137 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_lan_samba_s6 -p udp -m udp --sport 138 --dport 138 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_lan_samba_s6 -p udp -m udp --sport 138 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_lan_samba_s6 -p tcp -m tcp --sport 139 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_lan_samba_s6 -p tcp -m tcp --sport 445 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

-A out_world -d 0.0.0.0/8 -j RETURN
-A out_world -d 10.0.0.0/8 -j RETURN
-A out_world -d 127.0.0.0/8 -j RETURN
-A out_world -d 240.0.0.0/4 -j RETURN
-A out_world -d 10.0.0.0/8 -j RETURN
-A out_world -d 169.254.0.0/16 -j RETURN
-A out_world -d 172.16.0.0/12 -j RETURN
-A out_world -d 192.0.2.0/24 -j RETURN
-A out_world -d 192.88.99.0/24 -j RETURN
-A out_world -d 192.168.0.0/16 -j RETURN
-A out_world -d 192.168.0.0/27 -j RETURN
-A out_world -j out_world_http_c1
-A out_world -j out_world_https_c2
-A out_world -j out_world_http_s3
-A out_world -j out_world_https_s4
-A out_world -m state --state RELATED -j ACCEPT
-A out_world -p tcp -m limit --limit 1/sec -j LOG --log-prefix "OUT-world:"
-A out_world -p tcp -j REJECT --reject-with tcp-reset
-A out_world -m limit --limit 1/sec -j LOG --log-prefix "OUT-world:"
-A out_world -j REJECT --reject-with icmp-port-unreachable

-A out_world_http_c1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_world_http_s3 -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_world_https_c2 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_world_https_s4 -p tcp -m tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
# Completed on Sat Dec 12 13:07:23 2015
The FireHOL status shows that packets from the LAN get through while packets to/from outside are blocked. I suspect it is only a small thing, but I simply cannot find the error.
Here is the output (somewhat trimmed by me):

Code:

Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
      80     7448 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
     294   193020 in_lan     all  --  eth0   *       192.168.0.0/27       192.168.0.10        
       0        0 in_world   all  --  eth0   *       0.0.0.0/0            192.168.0.10        
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: ...
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
      80     7448 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
     309    24178 out_lan    all  --  *      eth0    192.168.0.10         192.168.0.0/27      
      80     5208 out_world  all  --  *      eth0    192.168.0.10         0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: ...
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain in_lan (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
     294   193020 in_lan_dhcp_c1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     294   193020 in_lan_http_c2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_lan_https_c3  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_lan_http_s4  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_lan_https_s5  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_lan_samba_s6  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain in_lan_dhcp_c1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68

Chain in_lan_http_c2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
     294   193020 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 dpts:32768:61000 state NEW,RELATED,ESTABLISHED

Chain in_world (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  *      *       0.0.0.0/8            0.0.0.0/0           
       0        0 RETURN     all  --  *      *       10.0.0.0/8           0.0.0.0/0           
       0        0 RETURN     all  --  *      *       127.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       240.0.0.0/4          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       10.0.0.0/8           0.0.0.0/0           
       0        0 RETURN     all  --  *      *       169.254.0.0/16       0.0.0.0/0           
       0        0 RETURN     all  --  *      *       172.16.0.0/12        0.0.0.0/0           
       0        0 RETURN     all  --  *      *       192.0.2.0/24         0.0.0.0/0           
       0        0 RETURN     all  --  *      *       192.88.99.0/24       0.0.0.0/0           
       0        0 RETURN     all  --  *      *       192.168.0.0/16       0.0.0.0/0           
       0        0 RETURN     all  --  *      *       192.168.0.0/27       0.0.0.0/0           
       0        0 in_world_http_c1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_world_https_c2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_world_http_s3  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_world_https_s4  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: ...
       0        0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: ...
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain out_lan (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
     309    24178 out_lan_dhcp_c1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     309    24178 out_lan_http_c2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 out_lan_https_c3  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 out_lan_http_s4  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 out_lan_https_s5  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 out_lan_samba_s6  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain out_lan_dhcp_c1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67

Chain out_lan_http_c2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
     309    24178 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,RELATED,ESTABLISHED

Chain out_world (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/8           
       0        0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8          
       0        0 RETURN     all  --  *      *       0.0.0.0/0            127.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            240.0.0.0/4         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8          
       0        0 RETURN     all  --  *      *       0.0.0.0/0            169.254.0.0/16      
       0        0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12       
       0        0 RETURN     all  --  *      *       0.0.0.0/0            192.0.2.0/24        
       0        0 RETURN     all  --  *      *       0.0.0.0/0            192.88.99.0/24      
       0        0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16      
       0        0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/27      
      80     5208 out_world_http_c1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      80     5208 out_world_https_c2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      80     5208 out_world_http_s3  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      80     5208 out_world_https_s4  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: ...
       0        0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
       7      445 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: ...
      80     5208 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain out_world_http_c1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,RELATED,ESTABLISHED

Chain out_world_http_s3 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 state NEW,RELATED,ESTABLISHED

Chain out_world_https_c2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,RELATED,ESTABLISHED

Chain out_world_https_s4 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 state NEW,RELATED,ESTABLISHED
Packets within the LAN take this path:
Chain OUTPUT
out_lan
out_lan_dhcp_c1 (rejected)
out_lan_http_c2 (accepted with tcp dpt:80 state NEW,RELATED,ESTABLISHED)
ACCEPT

Packets to the outside take this path:
Chain OUTPUT
out_world
out_world_http_c1 (rejected with tcp dpt:80 state NEW,RELATED,ESTABLISHED)
out_world_https_c2 (rejected with tcp dpt:443 state NEW,RELATED,ESTABLISHED)
out_world_http_s3 (rejected with tcp spt:80 state NEW,RELATED,ESTABLISHED)
out_world_https_s4 (rejected with tcp spt:443 state NEW,RELATED,ESTABLISHED)
REJECT

Why is a packet that is supposed to go to port 80 via TCP rejected?
Last edited by Lalle75 on 16.12.2015 10:56:00, edited 1 time in total.
Regards,
Der Lalle

tomi89
Posts: 269
Registered: 21.08.2014 00:21:52

Re: iptables: LAN ok, WAN blocked. Why?

Post by tomi89 » 12.12.2015 21:57:36

You should inform yourself thoroughly if you want to use iptables, otherwise you won't enjoy it for long.

For outgoing traffic, for example, one uses REJECT so that applications don't run into timeouts, and your own targets should be written in capital letters.

The following would probably be a rough example (off the top of my head) of what you had in mind.

Code:

iptables -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -s $LAN-IP-ADRESS-BEREICH -m multiport --dports 67,128,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -s $LAN-IP-ADRESS-BEREICH -m multiport --dports 67,128,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
iptables -A INPUT -j DROP

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $LAN-IP-ADRESS-BEREICH -m multiport --dports 67,137 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p udp -d $LAN-IP-ADRESS-BEREICH -m multiport --dports 67,137 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp ! -d $LAN-IP-ADRESS-BEREICH -m multiport --dports 53,80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p udp ! -d $LAN-IP-ADRESS-BEREICH -m multiport --dports 53,80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
iptables -A OUTPUT -j REJECT

Lalle75
Posts: 83
Registered: 25.10.2015 17:41:00
Location: Ruhrgebiet

Re: iptables: LAN ok, WAN blocked. Why?

Post by Lalle75 » 13.12.2015 01:41:22

tomi89 wrote:

Code:

...
iptables -A OUTPUT -p tcp ! -d $LAN-IP-ADRESS-BEREICH -m multiport --dports 53,80,443 -m conntrack --ctstate NEW -j ACCEPT
...
OK, sometimes you just can't see what is right in front of you. Silly me, I forgot to allow communication with the DNS server over port 53 :roll:
Now it works.
Regards,
Der Lalle
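The two diagnostic steps this thread went through can be scripted: following the packet counters down to the terminating REJECT (which the first post does by hand, chain by chain) and checking whether the ruleset allows outbound DNS at all (the fix the last post arrived at). The shell script below is an added example, not code from the thread or from FireHOL; the `iptables -L -v -n` excerpt and the iptables-save snippets it works on are constructed from the counters and rules quoted above, and the chain name out_world_dns_c5 is a placeholder of mine.

```shell
#!/bin/sh
# Added example: find the rule that is actually blocking traffic in an
# `iptables -L -v -n` dump, and check an iptables-save dump for outbound DNS.

# Constructed excerpt of `iptables -L -v -n`, modelled on the counters in the
# thread and trimmed to the chains that matter here.
SAMPLE_STATUS='Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      80     7448 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
     309    24178 out_lan    all  --  *      eth0    192.168.0.10         192.168.0.0/27
      80     5208 out_world  all  --  *      eth0    192.168.0.10         0.0.0.0/0
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain out_world (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      80     5208 out_world_http_c1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
       7      445 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: ...
      80     5208 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain out_world_http_c1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,RELATED,ESTABLISHED'

# Print "<chain> <target> <pkts>" for every REJECT/DROP rule (and every DROP
# policy) that has counted packets. In a default-deny ruleset these are the
# places where traffic actually dies; in the sample only out_world's final
# REJECT shows up, the rule that swallowed the 80 outbound packets.
hot_terminals() {
    printf '%s\n' "$1" | awk '
        /^Chain / {
            chain = $2
            if ($3 == "(policy" && $4 == "DROP" && $5 != "0") print chain, "policy-DROP", $5
            next
        }
        # rule lines start with the pkts counter (may carry a K/M/G suffix)
        $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" && ($3 == "REJECT" || $3 == "DROP") {
            print chain, $3, $1
        }'
}

# Constructed iptables-save excerpt of the out_world rules from the thread:
# HTTP and HTTPS are allowed, but nothing lets name resolution out, so every
# connection to a hostname fails before the HTTP rule is ever consulted.
SAMPLE_SAVE_BROKEN='-A out_world -j out_world_http_c1
-A out_world -j out_world_https_c2
-A out_world -j REJECT --reject-with icmp-port-unreachable
-A out_world_http_c1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_world_https_c2 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT'

# The same excerpt with the fix the thread arrived at: outbound DNS on udp and
# tcp 53, jumped to before the terminating REJECT. The chain name
# out_world_dns_c5 is a constructed placeholder, not a FireHOL name.
SAMPLE_SAVE_FIXED='-A out_world -j out_world_http_c1
-A out_world -j out_world_https_c2
-A out_world -j out_world_dns_c5
-A out_world -j REJECT --reject-with icmp-port-unreachable
-A out_world_http_c1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_world_https_c2 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_world_dns_c5 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A out_world_dns_c5 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT'

# Return 0 if the iptables-save text in $1 contains an ACCEPT for destination
# port 53, written either as --dport 53 or inside a multiport --dports list.
# This is a presence check only; it does not prove the rule is reached before
# a terminating REJECT/DROP, which is what hot_terminals is for.
allows_outbound_dns() {
    printf '%s\n' "$1" |
        grep -Eq '(--dport 53 |--dports ([0-9:]+,)*53[, ]).*-j ACCEPT'
}

# Stand-alone run: name the blocking rule, then test the ruleset for DNS.
hot_terminals "$SAMPLE_STATUS"
if allows_outbound_dns "$SAMPLE_SAVE_BROKEN"; then
    echo "ruleset allows outbound DNS"
else
    echo "ruleset has no outbound DNS rule: hostnames will not resolve"
fi
```

Run against a live system with `hot_terminals "$(iptables -L -v -n)"` and `allows_outbound_dns "$(iptables-save)"`; a chain whose final REJECT keeps counting while every ACCEPT above it stays at zero is the same signature the original post shows for out_world.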
