
SuSEfirewall2 blocks internal network tap0

Hello,
I want to secure my WLAN with OpenVPN, which works fine. Unfortunately the FW does not play along. If I enter tap0 as an external network, I can work from one PC, but not from the other side, as it should be.
With internal, nothing works at all and all packets are dropped.

It should actually work like this:

wlan0 external and only udp 5000 is accepted
tap0 is internal

e.g. a dropped ping like this one:
Aug 4 22:39:42 j kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=tap0 SRC=192.168.50.50 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=873 DF PROTO=ICMP TYPE=8 CODE=0 ID=9756 SEQ=874

I would rather not work with IPTABLES the way the OpenVPN workshops do, since it should be possible another way, shouldn't it?
Thorsten185 (OP, Newbie)

Maybe I should add that I am not working on the PC with the firewall but coming in from eth1.

eth1 Protokoll:Ethernet Hardware Adresse 00:11:2F:B4:01:51
inet Adresse:192.168.50.40 Bcast:192.168.50.255 Maske:255.255.255.0
inet6 Adresse: fe80::211:2fff:feb4:151/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:818 errors:0 dropped:0 overruns:0 frame:0
TX packets:632 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 Sendewarteschlangenlänge:1000
RX bytes:161985 (158.1 Kb) TX bytes:255737 (249.7 Kb)
Interrupt:5 Basisadresse:0x8800

lo Protokoll:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:388 errors:0 dropped:0 overruns:0 frame:0
TX packets:388 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 Sendewarteschlangenlänge:0
RX bytes:17632 (17.2 Kb) TX bytes:17632 (17.2 Kb)

tap0 Protokoll:Ethernet Hardware Adresse 52:5A:39:7A:22:31
inet Adresse:10.0.0.2 Bcast:10.0.0.255 Maske:255.255.255.0
inet6 Adresse: fe80::505a:39ff:fe7a:2231/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:185 errors:0 dropped:0 overruns:0 frame:0
TX packets:171 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 Sendewarteschlangenlänge:100
RX bytes:18156 (17.7 Kb) TX bytes:16726 (16.3 Kb)

wlan0 Protokoll:Ethernet Hardware Adresse 00:90:5B:B2:16:DE
inet Adresse:192.168.100.111 Bcast:192.168.100.255 Maske:255.255.255.0
inet6 Adresse: fe80::290:5bff:feb2:16de/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:223 errors:0 dropped:0 overruns:0 frame:0
TX packets:264 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 Sendewarteschlangenlänge:1000
RX bytes:34702 (33.8 Kb) TX bytes:38102 (37.2 Kb)
framp (Moderator, team member)

Thorsten185 wrote:
wlan0 external and only udp 5000 is accepted
tap0 is internal

OpenVPN uses port 1194 by default. Did you change that?

Download the small script from here and post the output you get as root.
Thorsten185 (OP, Newbie)

Well, I think I am using port 5000. It does partly work, after all. I can only ever access from one side. Here is the small OpenVPN script too:

remote 192.168.100.20
dev tap
ifconfig 10.0.0.2 255.255.255.0 10.0.0.1
secret key.txt
port 5000

Code:
collectNWData.sh 0.2.4.3

*** cat /etc/SuSE-release
SUSE LINUX 10.0 (i586)
VERSION = 10.0

*** cat /etc/resolv.conf | grep -v "^#" | grep -v "^$"
domain msheimnetz
nameserver 217.237.151.115
nameserver 217.237.150.33

*** cat /etc/hosts | grep -v "^#" | grep -v "^$" | grep -v "::"
127.0.0.1       localhost
192.168.33.33   jac.msheimnetz
192.168.100.111 jac.msheimnetz
192.168.50.40   jac.msheimnetz jac

*** cat /proc/sys/net/ipv4/ip_forward
1

*** iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

*** route -n
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
217.0.116.89    0.0.0.0         255.255.255.255 UH    0      0        0 dsl0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 wlan0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         217.0.116.89    0.0.0.0         UG    0      0        0 dsl0

*** ifconfig
dsl0      Protokoll:Punkt-zu-Punkt Verbindung
          inet Adresse:84.147.205.186  P-z-P:217.0.116.89  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:2351 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2452 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:3
          RX bytes:1695474 (1.6 Mb)  TX bytes:451287 (440.7 Kb)

eth0      Protokoll:Ethernet  Hardware Adresse 00:08:A1:67:1C:D4
          inet Adresse:192.168.2.101  Bcast:192.168.2.255  Maske:255.255.255.0
          inet6 Adresse: fe80::208:a1ff:fe67:1cd4/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2421 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2636 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000
          RX bytes:1752080 (1.6 Mb)  TX bytes:523947 (511.6 Kb)
          Interrupt:11 Basisadresse:0x6000

eth1      Protokoll:Ethernet  Hardware Adresse 00:11:2F:B4:01:51
          inet Adresse:192.168.50.40  Bcast:192.168.50.255  Maske:255.255.255.0
          inet6 Adresse: fe80::211:2fff:feb4:151/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31713 errors:0 dropped:0 overruns:0 frame:0
          TX packets:47689 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000
          RX bytes:2672531 (2.5 Mb)  TX bytes:23356241 (22.2 Mb)
          Interrupt:5 Basisadresse:0x8800

lo        Protokoll:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:423 errors:0 dropped:0 overruns:0 frame:0
          TX packets:423 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:0
          RX bytes:18899 (18.4 Kb)  TX bytes:18899 (18.4 Kb)

tap0      Protokoll:Ethernet  Hardware Adresse 52:5A:39:7A:22:31
          inet Adresse:10.0.0.2  Bcast:10.0.0.255  Maske:255.255.255.0
          inet6 Adresse: fe80::505a:39ff:fe7a:2231/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3193 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2152 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:100
          RX bytes:413069 (403.3 Kb)  TX bytes:538428 (525.8 Kb)

wlan0     Protokoll:Ethernet  Hardware Adresse 00:90:5B:B2:16:DE
          inet Adresse:192.168.100.111  Bcast:192.168.100.255  Maske:255.255.255.0
          inet6 Adresse: fe80::290:5bff:feb2:16de/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33664 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20532 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000
          RX bytes:7256507 (6.9 Mb)  TX bytes:1935110 (1.8 Mb)


*** iwconfig 2>/dev/null
wlan0     IEEE 802.11-b  ESSID:"test"  Nickname:"test"
          Mode:Ad-Hoc  Frequency:2.442 GHz  Cell: 02:90:B3:31:17:2E
          Bit Rate:11 Mb/s   Tx-Power:18 dBm
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Encryption key:off
          Link Quality=18/92  Signal level=-74 dBm  Noise level=-92 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0


*** pingMyLocalIPs # ping all local IPs returned by ifconfig

*** ping -c1 -W 3 195.135.220.3
PING 195.135.220.3 (195.135.220.3) 56(84) bytes of data.
64 bytes from 195.135.220.3: icmp_seq=1 ttl=56 time=79.4 ms

--- 195.135.220.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 79.486/79.486/79.486/0.000 ms

*** ping -c1 -W 3 www.suse.de
PING turing.suse.de (195.135.220.3) 56(84) bytes of data.
64 bytes from turing.suse.de (195.135.220.3): icmp_seq=1 ttl=56 time=66.5 ms

--- turing.suse.de ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 66.511/66.511/66.511/0.000 ms

*** lspci
00:00.0 Host bridge: VIA Technologies, Inc. VT8377 [KT400/KT600 AGP] Host Bridge (rev 80)
00:01.0 PCI bridge: VIA Technologies, Inc. VT8237 PCI Bridge
00:0d.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
00:0e.0 Multimedia controller: Philips Semiconductors SAA7146 (rev 01)
00:0f.0 RAID bus controller: VIA Technologies, Inc. VIA VT6420 SATA RAID Controller (rev 80)
00:0f.1 IDE interface: VIA Technologies, Inc. VT82C586A/B/VT82C686/A/B/VT823x/A/C PIPC Bus Master IDE (rev 06)
00:10.0 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.1 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.2 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.3 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.4 USB Controller: VIA Technologies, Inc. USB 2.0 (rev 86)
00:11.0 ISA bridge: VIA Technologies, Inc. VT8237 ISA bridge [KT600/K8T800/K8T890 South]
00:11.5 Multimedia audio controller: VIA Technologies, Inc. VT8233/A/8235/8237 AC97 Audio Controller (rev 60)
00:12.0 Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II] (rev 78)
00:13.0 Ethernet controller: Intel Corporation 82557/8/9 [Ethernet Pro 100] (rev 08)
01:00.0 VGA compatible controller: nVidia Corporation NV34 [GeForce FX 5200] (rev a1)

*** lsusb
Bus 005 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
Bus 003 Device 001: ID 0000:0000
Bus 002 Device 001: ID 0000:0000
Bus 001 Device 003: ID 0846:4110 NetGear, Inc. MA111 WiFi (v1)
Bus 001 Device 001: ID 0000:0000

*** iptables -L -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

   39  1383 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

15327 1523K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
    0     0 input_int  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        policy match dir in pol ipsec proto 50
   29  4891 input_int  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

   80  8821 input_int  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

  823 71259 input_int  all  --  tap0   *       0.0.0.0/0            0.0.0.0/0

   34  4573 input_ext  all  --  dsl0   *       0.0.0.0/0            0.0.0.0/0

  143 22513 input_ext  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0

    0     0 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

  202 12088 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 forward_int  all  --  *      *       0.0.0.0/0            0.0.0.0/0
          policy match dir in pol ipsec proto 50
    0     0 forward_int  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

21689 1606K forward_int  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

    0     0 forward_int  all  --  tap0   *       0.0.0.0/0            0.0.0.0/0

 2091 1589K forward_ext  all  --  dsl0   *       0.0.0.0/0            0.0.0.0/0

30258 6603K forward_ext  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

   39  1383 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

19801   16M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW,RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (2 references)
 pkts bytes target     prot opt in     out     source               destination

    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 14
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 18
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 3 code 2
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 5
    0     0 ACCEPT     all  --  *      dsl0    0.0.0.0/0            0.0.0.0/0
        state NEW,RELATED,ESTABLISHED
 2089 1589K ACCEPT     all  --  dsl0   *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0
        state NEW,RELATED,ESTABLISHED
30258 6603K ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain forward_int (4 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 14
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 18
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 3 code 2
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 5
 2088  420K ACCEPT     all  --  *      dsl0    0.0.0.0/0            0.0.0.0/0
        state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  dsl0   *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
18165 1066K ACCEPT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0
        state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
   76  6384 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
 1436  120K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain input_ext (3 references)
 pkts bytes target     prot opt in     out     source               destination

   29  5449 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        PKTTYPE = broadcast limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-DROP-BCASTe '
   96 15748 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
        PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 14
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 18
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 3 code 2
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED icmp type 5
    0     0 ACCEPT     all  --  *      *       10.0.0.0             0.0.0.0/0
        state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       192.168.100.20       0.0.0.0/0
        state NEW,RELATED,ESTABLISHED udp dpt:5000
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:113 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-REJECT '
    0     0 reject_func  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
          tcp dpt:113 state NEW
   51  7481 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
   81 11338 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain input_int (4 references)
 pkts bytes target     prot opt in     out     source               destination

  932 84971 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain reject_func (1 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
        reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        reject-with icmp-proto-unreachable

*** cat /etc/sysconfig/SuSEfirewall2 | grep -v "^#" | grep -v "^$"
FW_DEV_EXT="any dsl0 wlan-bus-usb-1-2:1.0"
FW_DEV_INT="eth-id-00:08:a1:67:1c:d4 eth-id-00:11:2f:b4:01:51 eth-id-3 tap0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS="10.0.0.0 192.168.100.20,udp,5000"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="no"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="int"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES=""
Thorsten185 (OP, Newbie)

Can't one hook a custom script into the SuSEfirewall2 settings? At the very bottom you can attach these additional rules.

One each for OUTPUT, INPUT and FORWARD, each with everything ACCEPT. But that is something for experts. Who knows what is open then. :( :( :( :?:
framp (Moderator, team member)

In my custom script I have
Code:
        /usr/sbin/iptables -I INPUT -i tun0 -s $id -j ACCEPT
        /usr/sbin/iptables -I OUTPUT -o tun0 -d $id -j ACCEPT
        /usr/sbin/iptables -I FORWARD -o tun0 -i nic0 -d $id -j ACCEPT
        /usr/sbin/iptables -I FORWARD -i tun0 -o nic0 -s $id -j ACCEPT
where $id was previously set to the IP address that may come in via OpenVPN and nic0 is the NIC that goes from the FW into the internal network.
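An added example, not from the thread or from SuSEfirewall2 itself, that applies the zone assignment of the quoted /etc/sysconfig/SuSEfirewall2 to the logged drop (forward_int and forward_ext in the listing only accept NEW flows towards an external device, so an eth1 -> tap0 packet falls through to LOG + DROP) and, modelled on framp's custom rules, emits a narrowed stateful pair of rules for eth1/tap0. It assumes the persistent name wlan-bus-usb-1-2:1.0 is wlan0, the MACs from the ifconfig output above, and the subnets 192.168.50.0/24 and 10.0.0.0/24 from the route table.

```python
import re
# Constructed from the ifconfig output quoted in the thread: kernel name -> MAC.
IFACE_MAC = {
    "eth0": "00:08:a1:67:1c:d4",
    "eth1": "00:11:2f:b4:01:51",
    "wlan0": "00:90:5b:b2:16:de",
    "tap0": "52:5a:39:7a:22:31",
}
# Assumption: the persistent name wlan-bus-usb-1-2:1.0 is the USB WLAN stick, wlan0.
PERSISTENT_ALIAS = {"wlan-bus-usb-1-2:1.0": "wlan0"}
# Zone assignment exactly as in the quoted /etc/sysconfig/SuSEfirewall2.
FW_DEV_EXT = "any dsl0 wlan-bus-usb-1-2:1.0"
FW_DEV_INT = "eth-id-00:08:a1:67:1c:d4 eth-id-00:11:2f:b4:01:51 eth-id-3 tap0"
SFW2_RE = re.compile(
    r"(?P<prefix>SFW2-\S+) IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)

def resolve_dev(token):
    """eth-id-<mac>, a persistent name or a kernel name -> kernel name (None if unknown)."""
    if token.startswith("eth-id-"):
        mac = token[len("eth-id-"):].lower()
        return next((dev for dev, m in IFACE_MAC.items() if m == mac), None)
    return PERSISTENT_ALIAS.get(token, token)

def zone_map(ext=FW_DEV_EXT, int_=FW_DEV_INT):
    """Kernel interface -> zone; 'any' in FW_DEV_EXT makes unassigned devices external."""
    zones, any_ext = {}, False
    for tok in int_.split():
        dev = resolve_dev(tok)
        if dev:
            zones[dev] = "int"
    for tok in ext.split():
        dev = resolve_dev(tok)
        if tok == "any":
            any_ext = True
        elif dev:
            zones[dev] = "ext"
    return zones, any_ext

def explain_drop(log_line, ext=FW_DEV_EXT, int_=FW_DEV_INT):
    """Classify an SFW2 FORWARD log line by the zones of IN and OUT.
    In the iptables listing above, forward_int and forward_ext accept NEW flows
    only towards an external device; every other OUT zone ends in LOG + DROP."""
    m = SFW2_RE.search(log_line)
    if not m:
        return None
    zones, any_ext = zone_map(ext, int_)
    fallback = "ext" if any_ext else "unknown"
    zin, zout = zones.get(m["in"], fallback), zones.get(m["out"], fallback)
    return {"prefix": m["prefix"], "in": m["in"], "out": m["out"],
            "src": m["src"], "dst": m["dst"], "pair": f"{zin}->{zout}",
            "needs_rule": zout != "ext"}

def custom_rules(lan_dev, vpn_dev, lan_net, vpn_net):
    """Narrowed version of framp's custom rules for this pair: stateful, limited to the
    two subnets, and the VPN side may only answer flows opened from the LAN."""
    return [
        f"iptables -I FORWARD -i {lan_dev} -o {vpn_dev} -s {lan_net} -d {vpn_net} "
        "-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -I FORWARD -i {vpn_dev} -o {lan_dev} -s {vpn_net} -d {lan_net} "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]

if __name__ == "__main__":
    line = ("Aug 4 22:39:42 j kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=tap0 "
            "SRC=192.168.50.50 DST=10.0.0.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0")
    v = explain_drop(line)
    print(v["prefix"], v["pair"], "explicit forward rule needed:", v["needs_rule"])
    print("\n".join(custom_rules("eth1", "tap0", "192.168.50.0/24", "10.0.0.0/24")))
```

If the VPN side must also open connections into the LAN, change the second rule's state list to NEW,ESTABLISHED,RELATED; keeping it reply-only is the smaller exposure.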