Hi folks, can someone help me please? I have CentOS 5.5 as a gateway with Squid+Havp as proxy. eth0 -- internet (192.168.178. ADSL router), eth1 -- LAN (192.168.2.1)
So the proxy works, iptables too, ping works, etc. Now I'm trying to reach the hoster from a client PC with FileZilla (without success). Here is my iptables config:
modules: modprobe ip_conntrack_ftp and modprobe ip_nat_ftp are also loaded
# Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
*nat
:PREROUTING ACCEPT [13:1184]
:POSTROUTING ACCEPT [1:172]
:OUTPUT ACCEPT [1:172]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Apr 20 03:16:17 2011
# Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
*mangle
:PREROUTING ACCEPT [453:35320]
:INPUT ACCEPT [453:35320]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [342:49808]
:POSTROUTING ACCEPT [342:49808]
COMMIT
# Completed on Wed Apr 20 03:16:17 2011
# Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [342:49808]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
#DNS
-A RH-Firewall-1-INPUT -i eth1 -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp -s 192.168.178.1 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -s 192.168.178.1 --sport 53 -j ACCEPT
#PRINTING
-A RH-Firewall-1-INPUT -i eth1 -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m tcp --dport 631 -j ACCEPT
#Rules for connect to router
#-A RH-Firewall-1-FORWARD -i eth1 -d 192.168.178.1 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A RH-Firewall-1-FORWARD -i eth0 -d 192.168.2.0/24 -m state --state ESTABLISHED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
#SQUID
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT
#VNC
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -m tcp --sport 80 -j ACCEPT
#HTTPS
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -m tcp --sport 443 -j ACCEPT
#SSH
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 22 -j ACCEPT
#WEBMIN
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --dport 10000 -j ACCEPT
#FTP
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -p tcp --sport 21 -j ACCEPT
#Allow active
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -p tcp --sport 20 -j ACCEPT
#Allow passive FTP
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 1024 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -p tcp --sport 1024 -j ACCEPT
#log end
-A RH-Firewall-1-INPUT -i eth1 -j LOG --log-level debug --log-prefix "EHT1 -FROM LAN "
-A RH-Firewall-1-INPUT -i eth0 -j LOG --log-level debug --log-prefix "EHT0 -From INTERNET "
-A RH-Firewall-1-INPUT -j DROP
COMMIT
# Completed on Wed Apr 20 03:16:17 2011
thanks, Evgenij
On 22.04.2011 17:36, Evgenij Dauenahuer wrote:
> Hi folks, can someone help me please? I have CentOS 5.5 as a gateway with Squid+Havp as proxy.
FTP isn't being handled through Squid?
> eth0 -- internet (192.168.178. ADSL router), eth1 -- LAN (192.168.2.1)
> So the proxy works, iptables too, ping works, etc. Now I'm trying to reach the hoster from a client PC with FileZilla (without success).
What gets logged? What does a tcpdump on the client and on the gateway say?
> Here is my iptables config:
> modules: modprobe ip_conntrack_ftp and modprobe ip_nat_ftp are also loaded
> # Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
> *nat
> :PREROUTING ACCEPT [13:1184]
> :POSTROUTING ACCEPT [1:172]
> :OUTPUT ACCEPT [1:172]
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Wed Apr 20 03:16:17 2011
> # Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
> *mangle
> :PREROUTING ACCEPT [453:35320]
> :INPUT ACCEPT [453:35320]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [342:49808]
> :POSTROUTING ACCEPT [342:49808]
> COMMIT
> # Completed on Wed Apr 20 03:16:17 2011
> # Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
No packets forwarded so far? Looks suspicious.
> :OUTPUT ACCEPT [342:49808]
> :RH-Firewall-1-INPUT - [0:0]
No packet has gone through this chain so far either?
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> #DNS
> -A RH-Firewall-1-INPUT -i eth1 -m tcp -p tcp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth1 -m udp -p udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0 -p udp -s 192.168.178.1 --sport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -s 192.168.178.1 --sport 53 -j ACCEPT
> #PRINTING
> -A RH-Firewall-1-INPUT -i eth1 -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth1 -p tcp -m tcp --dport 631 -j ACCEPT
> #Rules for connect to router
> #-A RH-Firewall-1-FORWARD -i eth1 -d 192.168.178.1 -m state --state NEW,ESTABLISHED -j ACCEPT
> #-A RH-Firewall-1-FORWARD -i eth0 -d 192.168.2.0/24 -m state --state ESTABLISHED -j ACCEPT
> #-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
> #SQUID
> -A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT
> #VNC
> -A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 5900 -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -m tcp --sport 80 -j ACCEPT
> #HTTPS
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -m tcp --sport 443 -j ACCEPT
> #SSH
> -A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 22 -j ACCEPT
> #WEBMIN
> -A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --dport 10000 -j ACCEPT
> #FTP
> -A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -p tcp --sport 21 -j ACCEPT
Why source port 21? That doesn't fit. That would have to be the destination port.
> #Allow active
> -A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 20 -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -p tcp --sport 20 -j ACCEPT
Same mistake here.
> #Allow passive FTP
> -A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 1024 -j ACCEPT
You want a destination port range 1024:65535.
> -A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -p tcp --sport 1024 -j ACCEPT
Here too, source port instead of destination port range 1024:64535.
> #log end
> -A RH-Firewall-1-INPUT -i eth1 -j LOG --log-level debug --log-prefix "EHT1 -FROM LAN "
> -A RH-Firewall-1-INPUT -i eth0 -j LOG --log-level debug --log-prefix "EHT0 -From INTERNET "
If your firewall rules are getting in your way, you'll find that in the log.
> -A RH-Firewall-1-INPUT -j DROP
> COMMIT
> # Completed on Wed Apr 20 03:16:17 2011
> thanks, Evgenij
ip_forward must be on (1).
Alexander
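A rule set for the FTP part of this gateway, added here as an example and not taken from the thread. It assumes eth0/eth1 and 192.168.2.0/24 as in the original post and the CentOS 5 module names ip_conntrack_ftp/ip_nat_ftp; it leans on the conntrack FTP helper so the data channels of both passive and active FTP match as RELATED with a destination range of 1024:65535, enables ip_forward, and leaves out the INPUT rules for the gateway's own services (DNS, Squid, SSH).

```shell
#!/bin/sh
# Added example, not the thread's config: FTP through a CentOS 5 NAT gateway,
# letting the conntrack FTP helper classify the data connections.
# Assumed layout as in the thread: eth0 = WAN, eth1 = LAN 192.168.2.0/24.
# "sh ftp-gw.sh" prints the rule set; "sh ftp-gw.sh --apply" loads it.
WAN=eth0
LAN=eth1
LAN_NET=192.168.2.0/24
# Emit filter and nat tables in iptables-restore format.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replies in either direction: one rule, no per-port --sport rules needed.
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
# New FTP control connections, LAN -> anywhere; --syn so only a real SYN is NEW.
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
# Passive: client opens the data channel to the PASV port; the helper marks it
# RELATED. Destination port range, not a single port.
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
# Active: server connects from port 20 to the port the client sent in PORT;
# also RELATED, and ip_nat_ftp has already rewritten it to the LAN client.
-A FORWARD -i $WAN -o $LAN -d $LAN_NET -p tcp --sport 20 --dport 1024:65535 -m state --state RELATED -j ACCEPT
# Log, then drop, so a failing transfer shows up in the kernel log.
-A FORWARD -j LOG --log-prefix "FORWARD DROP "
-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}
# Helper modules, ip_forward=1 (persist it in /etc/sysctl.conf), rule set.
apply_rules() {
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    sysctl -w net.ipv4.ip_forward=1
    gen_rules | iptables-restore
}
case "${1:-}" in
    --apply) apply_rules ;;
    *)       gen_rules ;;
esac
```

Check the result with iptables -L FORWARD -v -n after loading: the RELATED rules should count packets only once a transfer is started.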