barthi (Apprentice, joined 02 Mar 2003, 256 posts)
Posted: Mon Dec 29, 2003 11:22 am    Post subject: NAT, DSL and IPTABLES
Hello!
The following scenario:
2 NICs:
eth1 for the local network, IP 192.168.0.1
ppp0 for DSL, dynamic IP
Now I would like to let all clients on the local network access the Internet.
This is supposed to work with IPTABLES, NAT and MASQUERADING.
Strangely, it doesn't for me.
Here is what I did:
First the relevant part of my kernel config:
Code:
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
# CONFIG_IP_ROUTE_MULTIPATH is not set
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
CONFIG_SYN_COOKIES=y
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_TALK is not set
# CONFIG_IP_NF_RSH is not set
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_EGG is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_QUAKE3 is not set
# CONFIG_IP_NF_CT_PROTO_GRE is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_MMS is not set
# CONFIG_IP_NF_CUSEEME is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_RPC is not set
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_QUOTA is not set
CONFIG_IP_NF_POOL=m
CONFIG_IP_POOL_STATISTICS=y
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
# CONFIG_IP_NF_MATCH_MPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_TIME is not set
# CONFIG_IP_NF_MATCH_RANDOM is not set
# CONFIG_IP_NF_MATCH_PSD is not set
# CONFIG_IP_NF_MATCH_NTH is not set
CONFIG_IP_NF_MATCH_IPV4OPTIONS=m
# CONFIG_IP_NF_MATCH_FUZZY is not set
# CONFIG_IP_NF_MATCH_CONDITION is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_TCPMSS is not set
# CONFIG_IP_NF_MATCH_STEALTH is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_HELPER is not set
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNLIMIT=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_STRING is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_NETLINK is not set
# CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP is not set
# CONFIG_IP_NF_TARGET_MIRROR is not set
# CONFIG_IP_NF_TARGET_TARPIT is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_IP_NF_TARGET_NETMAP is not set
CONFIG_IP_NF_NAT_LOCAL=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_TARGET_TOS is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
# CONFIG_IP_NF_TARGET_MARK is not set
# CONFIG_IP_NF_TARGET_IMQ is not set
# CONFIG_IP_NF_TARGET_CLASSIFY is not set
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ROUTE is not set
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
# CONFIG_IP_NF_ARPTABLES is not set
That should be right, shouldn't it?
Then I emerged iptables and added it to the default runlevel.
I then wrote a small script containing a few rules: /etc/ppp/iptables-rules
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#iptables -P INPUT DROP
#iptables -P OUTPUT ACCEPT
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -p tcp --dport ssh -j ACCEPT
After that I ran the command iptables-save and then ran /etc/init.d/iptables start.
Unfortunately the MASQUERADING doesn't work. But I can't find any mistake. Can you tell me what I did wrong?
Thanks,
Barthi
utang (Apprentice, joined 20 Apr 2003, 190 posts)
Posted: Mon Dec 29, 2003 12:08 pm
Can you stop your firewall script and enter the following 2 lines manually in the console:
# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -A POSTROUTING -o ppp0 -t nat -j MASQUERADE
Do your clients get onto the Internet afterwards? If a "ping -n3 <IP>" works, then it is probably down to your script...
barthi (Apprentice, joined 02 Mar 2003, 256 posts)
Posted: Mon Dec 29, 2003 12:45 pm
Indeed, that works! Great!! Thank you very much!!
But do you have any idea why the script doesn't work?
Barthi
P.S.: Already found it. Apparently it was down to the missing quotation marks. Strange, but never mind. The result is what counts.
utang (Apprentice, joined 20 Apr 2003, 190 posts)
Posted: Mon Dec 29, 2003 1:18 pm
So when you run /etc/init.d/iptables start, it starts IPTABLES with the following CONTENT:
/etc/init.d/iptables
Code:
#!/sbin/runscript
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or
# later
# $Header: /home/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables.init,v 1.1 2003/03/11 21:50:24 mholzer Exp $

opts="start stop save"

depend() {
    need logger net
}

start() {
    ebegin "Loading iptables state and starting firewall"
    # This variable is set in /etc/conf.d/iptables
    if [ ! -f ${IPTABLES_SAVE} ]
    then
        einfo "Not starting iptables. First create some rules then run"
        einfo "/etc/init.d/iptables save"
    else
        einfo "Restoring iptables ruleset"
        /sbin/iptables-restore ${SAVE_RESTORE_OPTIONS} < ${IPTABLES_SAVE}
        if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then
            einfo "Enabling forwarding for ipv4"
            echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
        fi
        if [ "${ENABLE_FORWARDING_IPv6}" = "yes" ] ; then
            einfo "Enabling forwarding for ipv6"
            echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
        fi
    fi
    eend $?
}

stop() {
    ebegin "Stopping firewall and saving iptables state"
    # This way we don't forget to save changes
    /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > ${IPTABLES_SAVE}
    # set sane defaults that disable forwarding
    if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then
        echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
    fi
    if [ -f /proc/sys/net/ipv6/conf/all/forwarding ] ; then
        echo "0" > /proc/sys/net/ipv6/conf/all/forwarding
    fi
    for a in `cat /proc/net/ip_tables_names`; do
        iptables -F -t $a
        iptables -X -t $a
        if [ $a == nat ]; then
            iptables -t nat -P PREROUTING ACCEPT
            iptables -t nat -P POSTROUTING ACCEPT
            iptables -t nat -P OUTPUT ACCEPT
        elif [ $a == mangle ]; then
            iptables -t mangle -P PREROUTING ACCEPT
            iptables -t mangle -P INPUT ACCEPT
            iptables -t mangle -P FORWARD ACCEPT
            iptables -t mangle -P OUTPUT ACCEPT
            iptables -t mangle -P POSTROUTING ACCEPT
        elif [ $a == filter ]; then
            iptables -t filter -P INPUT ACCEPT
            iptables -t filter -P FORWARD ACCEPT
            iptables -t filter -P OUTPUT ACCEPT
        fi
    done
    eend $?
}

save() {
    ebegin "Saving iptables state"
    /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > ${IPTABLES_SAVE}
    eend $?
}
If you have configured everything correctly, this file alone should already be enough for your clients to get onto the Internet. Please test that...
You then simply put your own rules into it, roughly like this, I think...
/etc/init.d/iptables (modified)
Code:
#!/sbin/runscript
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or
# later
# $Header: /home/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables.init,v 1.1 2003/03/11 21:50:24 mholzer Exp $

opts="start stop save"

depend() {
    need logger net
}

start() {
    ebegin "Loading iptables state and starting firewall"
    # This variable is set in /etc/conf.d/iptables
    if [ ! -f ${IPTABLES_SAVE} ]
    then
        einfo "Not starting iptables. First create some rules then run"
        einfo "/etc/init.d/iptables save"
    else
        einfo "Restoring iptables ruleset"
        /sbin/iptables-restore ${SAVE_RESTORE_OPTIONS} < ${IPTABLES_SAVE}
        if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then
            einfo "Enabling forwarding for ipv4"
            echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
            iptables -P FORWARD DROP
            iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT
            iptables -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
            iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
        fi
        if [ "${ENABLE_FORWARDING_IPv6}" = "yes" ] ; then
            einfo "Enabling forwarding for ipv6"
            echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
        fi
    fi
    eend $?
}

stop() {
    ebegin "Stopping firewall and saving iptables state"
    # This way we don't forget to save changes
    /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > ${IPTABLES_SAVE}
    # set sane defaults that disable forwarding
    if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then
        echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
    fi
    if [ -f /proc/sys/net/ipv6/conf/all/forwarding ] ; then
        echo "0" > /proc/sys/net/ipv6/conf/all/forwarding
    fi
    for a in `cat /proc/net/ip_tables_names`; do
        iptables -F -t $a
        iptables -X -t $a
        if [ $a == nat ]; then
            iptables -t nat -P PREROUTING ACCEPT
            iptables -t nat -P POSTROUTING ACCEPT
            iptables -t nat -P OUTPUT ACCEPT
        elif [ $a == mangle ]; then
            iptables -t mangle -P PREROUTING ACCEPT
            iptables -t mangle -P INPUT ACCEPT
            iptables -t mangle -P FORWARD ACCEPT
            iptables -t mangle -P OUTPUT ACCEPT
            iptables -t mangle -P POSTROUTING ACCEPT
        elif [ $a == filter ]; then
            iptables -t filter -P INPUT ACCEPT
            iptables -t filter -P FORWARD ACCEPT
            iptables -t filter -P OUTPUT ACCEPT
        fi
    done
    eend $?
}

save() {
    ebegin "Saving iptables state"
    /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > ${IPTABLES_SAVE}
    eend $?
}
I'm not so sure about that, please test it... and let me know...
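Added example, not part of the thread: the init script above only restores whatever is in ${IPTABLES_SAVE}, so when the rules work typed by hand but not after /etc/init.d/iptables start, the saved ruleset file is what to inspect (a bare iptables-save without redirection only prints to the terminal and saves nothing). This POSIX shell check greps an iptables-save dump for every element of the rule set from the first post: nat table, MASQUERADE on the DSL interface, FORWARD policy DROP, and the LAN-to-WAN / ESTABLISHED,RELATED pair that keeps unsolicited Internet traffic out of the LAN. Both dumps are constructed samples; interface names are parameters.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an iptables-save dump,
# i.e. the file the Gentoo init script restores from ${IPTABLES_SAVE},
# actually contains the NAT/forwarding rules from barthi's script.

# Constructed sample: what the dump looks like after the posted rules were
# loaded and saved with `iptables-save > ${IPTABLES_SAVE}`.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Constructed sample: a box whose saved state never got the rules (empty
# filter table, no nat table) - the symptom "masquerading does not work".
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# check_ruleset DUMP LAN_IF WAN_IF
# Prints each missing element; returns 0 if complete, 1 otherwise.
check_ruleset() {
    dump=$1; lan=$2; wan=$3; missing=0
    req() {  # req REGEX DESCRIPTION: one required line of the dump
        if ! printf '%s\n' "$dump" | grep -q -- "$1"; then
            echo "missing: $2"; missing=1
        fi
    }
    req '^\*nat$'                                'nat table'
    req "^-A POSTROUTING -o $wan -j MASQUERADE"  "MASQUERADE on $wan"
    req '^:FORWARD DROP'                         'FORWARD policy DROP'
    req "^-A FORWARD -i $lan -o $wan -j ACCEPT"  "$lan -> $wan forward"
    req "^-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "$wan -> $lan only for ESTABLISHED,RELATED"
    return $missing
}

check_ruleset "$GOOD_DUMP" eth1 ppp0 && echo "ruleset complete"
check_ruleset "$BAD_DUMP" eth1 ppp0 || echo "ruleset incomplete"
```

In practice the dump is read with `iptables-save` or straight from the file named in /etc/conf.d/iptables, so the check can run from the start() function before the forwarding bit is set.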