I have made this firewall on my server, which acts as firewall,
mail server and www server. But when I
have started the firewall and I want to send an email from a client on the local
network, and from the server, I get this error:
to=webmaster@XXXXXXX.dk vtladdr=root (0/0) delay=00:00:00 xdelay=00:00:00
mailer=esmtp pri=30163 relay=mail.XXXXXXXx.com [212.97.xxx.xxx] , dsn=4.0.0
, stat=Deferred: connection refused by mail.xxxxxxx.com
if I turn the firewall off it works fine!!
so from what I can see there is something (a port) I have forgotten to open in
the firewall!!
from eth0 there is access to www, smtp and pop3
*
* eth0 (195.249.xxx.xxx) internet
*
************
* server +
* firewall
*
*************
*
* localnet eth1 (192.168.2.X)
*
from eth1 there is access to
www, ftp, telnet, smtp, pop3
I hope someone can spot the error
Kenneth
my ipchains:
# -------------------------------------------------------------------------
#
#
# FIREWALL
#
#
#
#
#---------------------------------------------------------------------------
# flush all rules
-F
# set all policies to deny
-P input DENY
-P output REJECT
-P forward DENY
# accept all traffic on the loopback interface
-A input -i lo -j ACCEPT
-A output -i lo -j ACCEPT
#----------------------------------------------------------------
# all machines on the local network have access to this computer
-A input -i eth1 -s 192.168.2.197/24 -j ACCEPT
-A output -i eth1 -d 192.168.2.197/24 -j ACCEPT
-A forward -i eth0 -s 192.168.2.197/24 -j MASQ
# ---------------------------------------------------------------
#
# SPOOFING AND BAD ADDRESSES
#
#----------------------------------------------------------------
# deny incoming packets that claim to be
# from our own external address
-A input -i eth0 -s 195.249.32.212 -j DENY -l
# deny incoming packets that claim to be
# from a class A, B or C private network
-A input -i eth0 -s 10.0.0.0/8 -j DENY
-A input -i eth0 -s 172.16.0.0/12 -j DENY
-A input -i eth0 -s 192.168.2.2/16 -j DENY
# deny broadcasts to 255.255.255.255 and packets from ip address 0.0.0.0
-A input -i eth0 -s 255.255.255.255 -j DENY -l
-A input -i eth0 -d 0.0.0.0 -j DENY -l
# Deny Class D multicast. Multicast is illegal as a source address!
-A input -i eth0 -s 224.0.0.0/4 -j DENY
# Deny Class E reserved ip addresses
-A input -i eth0 -s 240.0.0.0/5 -j DENY -l
# Deny addresses defined as reserved by IANA
-A input -i eth0 -s 0.0.0.0/8 -j DENY -l
-A input -i eth0 -s 127.0.0.0/8 -j DENY -l
-A input -i eth0 -s 169.254.0.0/16 -j DENY -l
-A input -i eth0 -s 192.0.2.0/24 -j DENY -l
-A input -i eth0 -s 224.0.0.0/3 -j DENY -l
-A input --prot tcp --dport auth -j ACCEPT
#------------------------------------------------------------------
#
# UDP INCOMING TRACEROUTE
#
#------------------------------------------------------------------
# traceroute usually uses -S 32769:65535 -D 33434:33523
-A input -i eth0 -p udp \
--source-port 32769:65535 \
--destination-port 33434:33523 -j DENY -l
#-----------------------------------------------------------------
# DNS client (53)
#-----------------------------------------------------------------
-A output -i eth0 -p udp \
-s 195.249.32.212 1024:65535 \
-d 193.162.159.194 53 -j ACCEPT
-A input -i eth0 -p udp \
-s 193.162.159.194 53 \
-d 195.249.32.212 1024:65535 -j ACCEPT
-A output -i eth0 -p tcp \
-s 195.249.32.212 1024:65535 \
-d 193.162.159.194 53 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
-s 193.162.159.194 53 \
-d 195.249.32.212 1024:65535 -j ACCEPT
-A output -i eth0 -p udp \
-s 195.249.32.212 1024:65535 \
-d 193.168.145.130 53 -j ACCEPT
-A input -i eth0 -p udp \
-s 193.168.145.130 53 \
-d 195.249.32.212 1024:65535 -j ACCEPT
-A output -i eth0 -p tcp \
-s 195.249.32.212 1024:65535 \
-d 193.168.145.130 53 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
-s 193.168.145.130 53 \
-d 195.249.32.212 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# HTTP server (80)
#
# ------------------------------------------------------------------
-A input -i eth0 -p tcp \
--source-port 1024:65535 \
-d 195.249.32.212 80 -j ACCEPT
-A output -i eth0 -p tcp ! -y \
-s 195.249.32.212 80 \
--destination-port 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# HTTP client (80)
#
# ------------------------------------------------------------------
-A output -i eth0 -p tcp \
-s 195.249.32.212 1024:65535 \
--destination-port 80 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
--source-port 80 \
-d 195.249.32.212 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# HTTPS client (443)
#
# ------------------------------------------------------------------
-A output -i eth0 -p tcp \
-s 195.249.32.212 1024:65535 \
--destination-port 443 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
--source-port 443 \
-d 195.249.32.212 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# POP server (110) from external eth0
#
# ------------------------------------------------------------------
# -A input -i eth0 -p tcp \
# --source-port 1024:65535 \
# -d 195.249.32.212 110 -j ACCEPT
#
# -A output -i eth0 -p tcp ! -y \
# -s 195.249.32.212 110 \
# --destination-port 1024:65535 -j ACCEPT
#--------------------------------------------------------------------
#
# POP server (110) from internal eth1
#
#--------------------------------------------------------------------
-A input -i eth1 -p tcp \
--source-port 1024:65535 \
-d 192.168.2.197 110 -j ACCEPT
-A output -i eth1 -p tcp ! -y \
-s 192.168.2.197 110 \
--destination-port 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# SMTP server (25) from external eth0
#
#-------------------------------------------------------------------
#-i eth0
-A input -p tcp \
--source-port 1024:65535 \
-d 0/0 25 -j ACCEPT
-A output -p tcp ! -y \
-s 0/0 25 \
--destination-port 1024:65535 -j ACCEPT
#--------------------------------------------------------------------
#
# SMTP server (25) from internal eth1
#
#--------------------------------------------------------------------
# -A input -i eth1 -p tcp \
# --source-port 1024:65535 \
# -d 192.168.2.197 25 -j ACCEPT
# -A output -i eth1 -p tcp ! -y \
# -s 192.168.2.197 25 \
# --destination-port 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# TELNET server (23) ONLY FROM INTERNAL eth1
#
#-------------------------------------------------------------------
-A input -i eth1 -p tcp \
--source-port 1024:65535 \
-d 192.168.2.197 23 -j ACCEPT
-A output -i eth1 -p tcp ! -y \
-s 192.168.2.197 23 \
--destination-port 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# AUTH server (113)
#
# ------------------------------------------------------------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
-A input -i eth0 -p tcp \
--source-port 1024:65535 \
-d 195.249.32.212 113 -j ACCEPT
# was REJECT
# ------------------------------------------------------------------
#
# AUTH client (113)
#
# ------------------------------------------------------------------
-A output -i eth0 -p tcp \
-s 195.249.32.212 1024:65535 \
--destination-port 113 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
--source-port 113 \
-d 195.249.32.212 1024:65535 -j ACCEPT
#-------------------------------------------------------------------
#
# WHO IS client (43)
#
#
#-------------------------------------------------------------------
-A output -i eth0 -p tcp -s 195.249.32.212 1024:65535 \
--destination-port 43 -j ACCEPT
-A input -i eth0 -p tcp ! -y --source-port 43 \
-d 195.249.32.212 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# FTP server (21) ONLY FROM INTERNAL NETWORK
#
# ------------------------------------------------------------------
# incoming
-A input -i eth1 -p tcp \
--source-port 1024:65535 \
-d 195.249.32.212 21 -j ACCEPT
-A output -p tcp ! -y \
-i eth1 -s 195.249.32.212 21 \
--destination-port 1024:65535 -j ACCEPT
# PORT MODE data channel responses
-A output -p tcp \
-i eth1 -s 195.249.32.212 20 \
--destination-port 1024:65535 -j ACCEPT
-A input -i eth1 -p tcp ! -y \
--source-port 1024:65535 \
-d 195.249.32.212 20 -j ACCEPT
#---------------------------------------------------------------------------
#
# TRACE ROUTE
#
#---------------------------------------------------------------------------
-A output -i eth0 -p udp \
-s 195.249.32.212 32769:65535 \
--destination-port 33434:33523 -j ACCEPT -l
# --------------------------------------------------------------------------
#
# ICMP
#
#---------------------------------------------------------------------------
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
-A input -i eth0 -p icmp \
--icmp-type echo-reply \
-d 195.249.32.212 -j ACCEPT
-A input -i eth0 -p icmp \
--icmp-type destination-unreachable \
-d 195.249.32.212 -j ACCEPT
-A input -i eth0 -p icmp \
--icmp-type source-quench \
-d 195.249.32.212 -j ACCEPT
-A input -i eth0 -p icmp \
--icmp-type time-exceeded \
-d 195.249.32.212 -j ACCEPT
-A input -i eth0 -p icmp \
--icmp-type parameter-problem \
-d 195.249.32.212 -j ACCEPT
-A output -i eth0 -p icmp \
-s 195.249.32.212 fragmentation-needed -j ACCEPT
-A output -i eth0 -p icmp \
-s 195.249.32.212 source-quench -j ACCEPT
-A output -i eth0 -p icmp \
-s 195.249.32.212 echo-request -j ACCEPT
-A output -i eth0 -p icmp \
-s 195.249.32.212 parameter-problem -j ACCEPT
# ------------------------------------------------------------------
#
# Enable logging for selected denied packets
#
# ------------------------------------------------------------------
-A input -i eth0 -p tcp -j DENY -l
-A input -i eth0 -p udp \
--destination-port 0:1023 -j DENY -l
-A input -i eth0 -p udp \
--destination-port 1024:65535 -j DENY -l
-A input -i eth0 -p icmp \
--icmp-type 5 -j DENY -l
-A input -i eth0 -p icmp \
--icmp-type 13:255 -j DENY -l
-A output -i eth0 -j REJECT -l
# ------------------------------------------------------------------
#
# END
#
# ------------------------------------------------------------------
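As an added illustration (not part of Kenneth's post), the following Python model walks the ruleset's port-25 rules with ipchains first-match semantics: the file has SMTP server rules (inbound to port 25, non-SYN replies from port 25) but no SMTP client pair, so the server's own outbound SYN to the mail relay on port 25 falls through to the final `-A output -i eth0 -j REJECT`, which is what sendmail reports as "connection refused". The relay address is a constructed stand-in, and CLIENT_RULES is an assumed fix modelled on the page's own HTTP client block, not a rule from the original post.

```python
import ipaddress

def ports(spec):
    """'1024:65535' -> (1024, 65535); '25' -> (25, 25); None matches any port."""
    if spec is None:
        return (0, 65535)
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi or lo))

def rule(chain, target, iface=None, proto=None, src=None, sport=None,
         dst=None, dport=None, not_syn=False):
    """One ipchains rule; not_syn=True models '! -y' (matches only non-SYN packets)."""
    net = lambda a: ipaddress.ip_network(a, strict=False) if a else None
    return dict(chain=chain, target=target, iface=iface, proto=proto, src=net(src),
                sport=ports(sport), dst=net(dst), dport=ports(dport), not_syn=not_syn)

def matches(r, p):
    """Every field the rule specifies must fit the packet; unspecified fields match anything."""
    return (r["chain"] == p["chain"]
            and r["iface"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"])
            and r["sport"][0] <= p["sport"] <= r["sport"][1]
            and r["dport"][0] <= p["dport"] <= r["dport"][1]
            and not (r["not_syn"] and p["syn"]))

def verdict(rules, policy, p):
    """Walk the chain in order; the first matching rule decides, else the chain policy."""
    return next((r["target"] for r in rules if matches(r, p)), policy[p["chain"]])

POLICY = {"input": "DENY", "output": "REJECT"}
ME = "195.249.32.212"
# The page's port-25 rules (SMTP server only) followed by its final catch-all deny/reject rules.
PAGE_RULES = [
    rule("input", "ACCEPT", proto="tcp", sport="1024:65535", dst="0.0.0.0/0", dport="25"),
    rule("output", "ACCEPT", proto="tcp", src="0.0.0.0/0", sport="25", dport="1024:65535", not_syn=True),
    rule("input", "DENY", iface="eth0", proto="tcp"),
    rule("output", "REJECT", iface="eth0"),
]
# Assumed SMTP client pair (hypothetical fix), shaped like the page's HTTP client block.
CLIENT_RULES = [
    rule("output", "ACCEPT", iface="eth0", proto="tcp", src=ME, sport="1024:65535", dport="25"),
    rule("input", "ACCEPT", iface="eth0", proto="tcp", sport="25", dst=ME, dport="1024:65535", not_syn=True),
]
RELAY = "198.51.100.25"  # constructed stand-in for the ISP mail relay in the sendmail log
SYN_OUT = dict(chain="output", iface="eth0", proto="tcp", src=ME, sport=1025, dst=RELAY, dport=25, syn=True)
REPLY_IN = dict(chain="input", iface="eth0", proto="tcp", src=RELAY, sport=25, dst=ME, dport=1025, syn=False)
NEW_CONN_IN = dict(REPLY_IN, syn=True)  # unsolicited inbound SYN from port 25: must stay denied

def check(rules):
    """Verdicts for (our outbound SYN, the relay's reply, an unsolicited inbound SYN)."""
    return tuple(verdict(rules, POLICY, p) for p in (SYN_OUT, REPLY_IN, NEW_CONN_IN))

if __name__ == "__main__":
    print("page ruleset:", check(PAGE_RULES))
    print("with client rules:", check(PAGE_RULES[:-2] + CLIENT_RULES + PAGE_RULES[-2:]))
```

The client pair must be inserted before the catch-all deny/reject rules, since ipchains stops at the first match.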