Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

iptables, nat & vnc-server
 View unanswered posts
View posts from last 24 hours
View posts from last 7 days

 
Reply to topic    Gentoo Forums Forum Index Deutsches Forum (German)
View previous topic :: View next topic  
Author Message
Gucky_der_Mausbiber
Guru
Guru


Joined: 10 Apr 2005
Posts: 359
Location: Wetzlar, Hessen
PostPosted: Mon Feb 02, 2009 4:33 pm    Post subject: iptables, nat & vnc-server Reply with quote
Nabend,
ich habe bei uns im Netzwerk auf den Windows XP Clients den realVNC-Server installiert, und zwar im "Service"-Mode, d.h. der vnc-server läuft als Dienst, somit ist auch ein- und ausloggen übers netz möglich. desweiteren habe ich dann an allen clients verschiedene ports für den vnc-server vergeben.
Unser server und gateway ist eine gentoo maschine, auf der folgendes skript läuft
Code:
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2009 under the GPL
# Autogenerated by iptables Generator v1.22 (c) 2002-2009 by Harald Bertram 
# Please visit http://harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# boehm@kraus-automaten.de on: 2009-1-19 0:22.2 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
# who made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
#
### BEGIN INIT INFO
# Provides: IP-Paketfilter
# Required-Start: $network $local_fs
# Required-Stop: $local_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 4 6
# Short-Description: Harry's IP-Paketfilter
# Description: Harry's IP-Paketfilter provides reasonable
#      IP-Security for Home-Computers and small networks
### END INIT INFO
#

case "$1" in
  start)
    echo "Starte IP-Paketfilter"

    # iptables-Modul
    # modprobe ip_tables
    # Connection-Tracking-Module
    # modprobe ip_conntrack
    # Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
    # modprobe ip_conntrack_irc
    # modprobe ip_conntrack_ftp

    # Tabelle flushen
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X

    # Default-Policies setzen
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # MY_REJECT-Chain
    iptables -N MY_REJECT

    # MY_REJECT fuellen
    iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A MY_REJECT -p icmp -j DROP
    iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable

    # MY_DROP-Chain
    iptables -N MY_DROP
    iptables -A MY_DROP -j DROP

    # Korrupte Pakete zurueckweisen
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP

    # Stealth Scans etc. DROPpen
    # Keine Flags gesetzt
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP

    # SYN und FIN gesetzt
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP

    # SYN und RST gleichzeitig gesetzt
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP

    # FIN und RST gleichzeitig gesetzt
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP

    # FIN ohne ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP

    # PSH ohne ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP

    # URG ohne ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP

    # Loopback-Netzwerk-Kommunikation zulassen
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Maximum Segment Size (MSS) für das Forwarding an PMTU anpassen
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # Connection-Tracking aktivieren
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Squid
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    # SSH
    iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 23045 -j ACCEPT

    # VNC pc-agenda
    # iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 27461 -j DNAT --to-destination 192.168.16.5:27461
    # iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 27461 -j LOG --log-level warn --log-prefix "ipt VNC:"

    # VNC pc-kraft
    # iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 27465 -j DNAT --to-destination 192.168.16.105:27465
    # iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 27465 -j LOG --log-level warn --log-prefix "ipt VNC:"

    # VNC pc-cramer
    # iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 27469 -j DNAT --to-destination 192.168.16.110:27469
    # iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 27469 -j LOG --log-level warn --log-prefix "ipt VNC:"

    # VNC pc-hauss
    # iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 27467 -j DNAT --to-destination 192.168.16.115:27467
    # iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 27467 -j LOG --log-level warn --log-prefix "ipt VNC:"

    # VNC pc-boehm
    iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 27463 -j DNAT --to-destination 192.168.16.125:27463
    iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 27463 -j LOG --log-level warn --log-prefix "ipt VNC:"

    # aMule
    #iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 33033 -j ACCEPT
    #iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 4661 -j ACCEPT
    #iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 4662 -j ACCEPT
    #iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 4665 -j ACCEPT
    #iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 4672 -j ACCEPT

    # vmware von ausserhalb
    # iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 902  -j ACCEPT   

    # ICMP Echo-Request (ping) zulassen und beantworten
    iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

    # LAN-Zugriff auf eth0
    iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT

    # Default-Policies mit REJECT
    iptables -A INPUT -j MY_REJECT
    iptables -A OUTPUT -j MY_REJECT
    iptables -A FORWARD -j MY_REJECT

    # Forwarding/Routing
    echo "Aktiviere IP-Routing"
    echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

    # Masquerading
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    # SYN-Cookies
    # echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null

    # Stop Source-Routing
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done

    # Stop Redirecting
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done

    # Reverse-Path-Filter
    for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done

    # Log Martians
    for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done

    # BOOTP-Relaying ausschalten
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done

    # Proxy-ARP ausschalten
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done

    # Ungültige ICMP-Antworten ignorieren
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null

    # ICMP Echo-Broadcasts ignorieren
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null

    # Max. 500/Sekunde (5/Jiffie) senden
    echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

    # Speicherallozierung und -timing für IP-De/-Fragmentierung
    echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
    echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
    echo 30 > /proc/sys/net/ipv4/ipfrag_time

    # TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

    # Maximal 3 Antworten auf ein TCP-SYN
    echo 3 > /proc/sys/net/ipv4/tcp_retries1

    # TCP-Pakete maximal 15x wiederholen
    echo 15 > /proc/sys/net/ipv4/tcp_retries2

    ;;

  stop)
    echo "Stoppe IP-Paketfilter"
    # Tabelle flushen
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X
    echo "Deaktiviere IP-Routing"
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # Default-Policies setzen
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    ;;

  status)
    echo "Tabelle filter"
    iptables -L -vn
    echo "Tabelle nat"
    iptables -t nat -L -vn
    echo "Tabelle mangle"
    iptables -t mangle -L -vn
    ;;

  *)
    echo "Fehlerhafter Aufruf"
    echo "Syntax: $0 {start|stop|status}"
    exit 1
    ;;

esac

Da habe ich dann in der Mitte den Abschnitt mit den VNC-Servern eingefügt, das habe ich beim googlen so gefunden. Nur leider bekomme ich immer nur "Conncection Refused" als Antwort.
Versuche ich ich dagegen von einem Client aus die Server anzusprechen, dann gelingt das wunderbar. Nur eben von "außerhalb" geht nix.
Deswegen denke ich müsste es eigentlich an dem iptables-skript liegen, nur wo da genau? Ich habe jetzt auch schon verschiedene Möglichkeiten für "vnc,iptables & nat" gefunden, aber bei allen kommt das gleiche ergebniss :
Connection Refused

Ich könnte mir noch denken das es ne Einstelluns-Sache beim vnc-server ist, den dort kann man angeben, von wo er verbindungen annimmt. ABER, ich habe dort entweder nur ein "+" stehen (was wohl für alles zählt) oder bei anderen ein "+0.0.0.0" .... also zumindest ist nirgens ein IP Bereich angegeben.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Deutsches Forum (German) All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2025 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy