
pptpd on SuSE 9.2, no ping into the internal LAN

msdoes

Newbie
Hello!

I have the following problem:

Router with SuSEfirewall2 and 3 network cards

eth0 192.168.30.1
eth1 192.168.31.254
eth0 62.8.XXX.XXX & 62.8.XXX.XXX

Now I have installed pptpd and it is running. At least I can ping ppp0 on the router from the client. In fact everything can be pinged, except the internal LAN. From the internal LAN the VPN client can be pinged without problems, and so can everywhere else. Just not from the VPN client into the internal LAN.

I'm at my wits' end now and hope one of you has some advice.

Attached are the configuration files and the information I have gathered so far....

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.180   *               255.255.255.255 UH    0      0        0 ppp0
62.8.XXX.XXX    *               255.255.255.248 U     0      0        0 eth2
192.168.134.0   192.168.31.250  255.255.255.0   UG    0      0        0 eth1
192.168.133.0   192.168.31.250  255.255.255.0   UG    0      0        0 eth1
192.168.31.0    *               255.255.255.0   U     0      0        0 eth1
192.168.30.0    *               255.255.255.0   U     0      0        0 eth0
192.6.2.0       192.168.31.250  255.255.255.0   UG    0      0        0 eth1
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         62.8.XXX.XXX    0.0.0.0         UG    0      0        0 eth2

SuSEfirewall2

FW_QUICKMODE="no"
FW_DEV_EXT="eth1 eth2"
FW_DEV_INT="eth0 ppp0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="1723 3200:3400 550 http https imap imaps pop3 pop3s smtp ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP="GRE"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,192.168.30.2,tcp,25,25,62.8.XXX.XX0 0/0,192.168.30.5,tcp,143,143,62.8.XXX.XX1 0/0,192.168.30.5,tcp,443,443,62.8.XXX.XX1 0/0,192.168.30.5,tcp,25,25,62.8.XXX.XX1 0/0,192.168.30.5,tcp,443,443,62.8.XXX.XX1"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_RPC=""
FW_ANTISPOOF="no"
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"
FW_LOG=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_LOG_LIMIT=""


pptpd.conf
speed 115200
option /etc/ppp/options.ppp0
debug
localip 192.168.3.1
remoteip 192.168.3.180-185
pidfile /var/run/pptpd.pid


options.ppp0
lock
debug
auth
name test02
require-mschap
require-mschap-v2
require-mppe-128
proxyarp


iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG tcp -- anywhere anywhere state RELATED LOG level warning tcp-options ip-options prefix `SFW2--ACC-RELATED '
LOG udp -- anywhere anywhere state RELATED LOG level warning tcp-options ip-options prefix `SFW2--ACC-RELATED '
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_int all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_ext all -- anywhere anywhere
forward_ext all -- anywhere anywhere
forward_ext all -- anywhere anywhere
forward_int all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG icmp -- anywhere anywhere icmp time-exceeded LOG level warning tcp-options ip-options prefix `SFW2-OUT-TRACERT-ATTEMPT '
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp port-unreachable
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp network-prohibited
ACCEPT icmp -- anywhere anywhere icmp host-prohibited
ACCEPT icmp -- anywhere anywhere icmp communication-prohibited
DROP icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_dmz (0 references)
target prot opt source destination
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-PING '
ACCEPT icmp -- anywhere anywhere state NEW icmp echo-request
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-PING '
ACCEPT icmp -- anywhere anywhere state NEW icmp echo-request
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-PING '
ACCEPT icmp -- anywhere anywhere state NEW icmp echo-request
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG icmp -- anywhere anywhere state RELATED icmp destination-unreachable LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-FWD-RELA '
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-FWD-RELA '
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-MASQ '
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere state RELATED,ESTABLISHED LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-MASQ '
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere state RELATED,ESTABLISHED LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-MASQ '
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere state RELATED,ESTABLISHED LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere wolf-01.retco.de tcp dpt:smtp LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-REVMASQ '
ACCEPT tcp -- anywhere wolf-01.retco.de tcp dpt:smtp
LOG tcp -- anywhere mail.retco.de tcp dpt:imap LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:imap
LOG tcp -- anywhere mail.retco.de tcp dpt:https LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:https
LOG tcp -- anywhere mail.retco.de tcp dpt:smtp LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:smtp
LOG tcp -- anywhere mail.retco.de tcp dpt:https LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:https
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz-DROP-DEFLT '
DROP all -- anywhere anywhere

Chain forward_ext (3 references)
target prot opt source destination
LOG icmp -- anywhere anywhere icmp echo-reply LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-PING '
ACCEPT icmp -- anywhere anywhere state ESTABLISHED icmp echo-reply
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG icmp -- anywhere anywhere state RELATED icmp destination-unreachable LOG level warning tcp-options ip-options prefix `SFW2-FWDext-FWD-RELA '
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply LOG level warning tcp-options ip-options prefix `SFW2-FWDext-FWD-RELA '
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere state RELATED,ESTABLISHED LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere state RELATED,ESTABLISHED LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere state RELATED,ESTABLISHED LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere wolf-01.retco.de tcp dpt:smtp LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere wolf-01.retco.de tcp dpt:smtp
LOG tcp -- anywhere mail.retco.de tcp dpt:imap LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:imap
LOG tcp -- anywhere mail.retco.de tcp dpt:https LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:https
LOG tcp -- anywhere mail.retco.de tcp dpt:smtp LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:smtp
LOG tcp -- anywhere mail.retco.de tcp dpt:https LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:https
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
DROP all -- anywhere anywhere

Chain forward_int (1 references)
target prot opt source destination
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-PING '
ACCEPT icmp -- anywhere anywhere state NEW icmp echo-request
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-PING '
ACCEPT icmp -- anywhere anywhere state NEW icmp echo-request
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-PING '
ACCEPT icmp -- anywhere anywhere state NEW icmp echo-request
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG icmp -- anywhere anywhere state RELATED icmp destination-unreachable LOG level warning tcp-options ip-options prefix `SFW2-FWDint-FWD-RELA '
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply LOG level warning tcp-options ip-options prefix `SFW2-FWDint-FWD-RELA '
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-MASQ '
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere state RELATED,ESTABLISHED LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-MASQ '
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere state RELATED,ESTABLISHED LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-MASQ '
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere state RELATED,ESTABLISHED LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-MASQ '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere wolf-01.retco.de tcp dpt:smtp LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT tcp -- anywhere wolf-01.retco.de tcp dpt:smtp
LOG tcp -- anywhere mail.retco.de tcp dpt:imap LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:imap
LOG tcp -- anywhere mail.retco.de tcp dpt:https LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:https
LOG tcp -- anywhere mail.retco.de tcp dpt:smtp LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:smtp
LOG tcp -- anywhere mail.retco.de tcp dpt:https LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT tcp -- anywhere mail.retco.de tcp dpt:https
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
DROP all -- anywhere anywhere

Chain input_dmz (0 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-SOURCEQUENCH '
ACCEPT icmp -- anywhere anywhere icmp source-quench
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-INdmz-ACC-PING '
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply LOG level warning tcp-options ip-options prefix `SFW2-INdmz-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable LOG level warning tcp-options ip-options prefix `SFW2-INdmz-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded LOG level warning tcp-options ip-options prefix `SFW2-INdmz-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem LOG level warning tcp-options ip-options prefix `SFW2-INdmz-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply LOG level warning tcp-options ip-options prefix `SFW2-INdmz-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply LOG level warning tcp-options ip-options prefix `SFW2-INdmz-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG udp -- anywhere anywhere udp dpts:1024:65535 LOG level warning tcp-options ip-options prefix `SFW2-INdmz-ACC-HiUDP '
ACCEPT udp -- anywhere anywhere state NEW udp dpts:1024:65535
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-DEFLT '
DROP all -- anywhere anywhere

Chain input_ext (3 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-SOURCEQUENCH '
ACCEPT icmp -- anywhere anywhere icmp source-quench
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-PING '
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG gre -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-IP '
ACCEPT gre -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp dpt:pptp LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:pptp
LOG tcp -- anywhere anywhere tcp dpts:tick-port:csms2 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpts:tick-port:csms2
LOG tcp -- anywhere anywhere tcp dpt:new-rwho LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:new-rwho
LOG tcp -- anywhere anywhere tcp dpt:http LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:http
LOG tcp -- anywhere anywhere tcp dpt:https LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:https
LOG tcp -- anywhere anywhere tcp dpt:imap LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
LOG tcp -- anywhere anywhere tcp dpt:imaps LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
LOG tcp -- anywhere anywhere tcp dpt:pop3 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
LOG tcp -- anywhere anywhere tcp dpt:pop3s LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
LOG tcp -- anywhere anywhere tcp dpt:smtp LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
LOG tcp -- anywhere anywhere tcp dpt:ssh LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
LOG tcp -- anywhere anywhere tcp dpt:ident state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-REJECT '
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
LOG udp -- anywhere anywhere udp dpts:1024:65535 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-HiUDP '
ACCEPT udp -- anywhere anywhere state NEW udp dpts:1024:65535
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere

Chain input_int (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-INint-ACC-ALL-INT '
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-SOURCEQUENCH '
ACCEPT icmp -- anywhere anywhere icmp source-quench
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-INint-ACC-PING '
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply LOG level warning tcp-options ip-options prefix `SFW2-INint-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable LOG level warning tcp-options ip-options prefix `SFW2-INint-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded LOG level warning tcp-options ip-options prefix `SFW2-INint-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem LOG level warning tcp-options ip-options prefix `SFW2-INint-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply LOG level warning tcp-options ip-options prefix `SFW2-INint-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
LOG icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply LOG level warning tcp-options ip-options prefix `SFW2-INint-ACC-ICMP '
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG udp -- anywhere anywhere udp dpts:1024:65535 LOG level warning tcp-options ip-options prefix `SFW2-INint-ACC-HiUDP '
ACCEPT udp -- anywhere anywhere state NEW udp dpts:1024:65535
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT '
DROP all -- anywhere anywhere

Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable

Many thanks in advance!
 

gaw

Hacker
Why is eth0 assigned twice, or rather three times?

That can't work like that at all, and where did the third network card go?

Kind regards
gaw
 
Hey

Several IPs on one physical network card is possible. They are then called eth0:1 and so on. But if you have three, there should be eth0, eth1 and eth2.
They are in the routing table, too.

By Huflatisch
 

gaw

Hacker
Don't make it even more complicated for him. What is he supposed to do with aliases?

Kind regards
gaw
 
msdoes (OP)

Newbie
sorry, it should actually have been eth2:

62.8.XXX.XX0 & 62.8.XXX.XX1 eth2

and I set the alias because I have to forward two ports into the internal LAN...

Thanks for the quick reply.

msdoes
 

jado

Member
If it is due to the iptables rules, you should find entries in the log file (probably /var/log/messages) like "kernel: Drop" with the text "PROTO=ICMP".

Using those entries you can then narrow down the cause.


greez
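As an added example (not part of jado's reply, and not a SuSEfirewall2 tool), here is a small Python parser for the lines the netfilter LOG target writes to /var/log/messages, run over a few constructed sample lines. The SFW2-* prefixes follow the naming seen in the iptables -L output above; the addresses, timestamps and the sshd line are made up. It pulls out the lines jado describes (a drop with PROTO=ICMP) and summarises which logging rule dropped what, per interface pair.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread) in the format the netfilter
# LOG target writes; the SFW2-* prefixes follow the iptables -L output above,
# addresses are made up. The last line is noise that must be ignored.
SAMPLE_LOG = """\
Mar  3 10:12:01 router kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth0 SRC=192.168.3.180 DST=192.168.30.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  3 10:12:02 router kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth0 SRC=192.168.3.180 DST=192.168.30.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
Mar  3 10:12:03 router kernel: SFW2-INext-ACC-TCP IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=51234 DPT=1723 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:12:04 router kernel: SFW2-INext-DROP-DEFLT IN=eth2 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=40000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:12:05 router kernel: SFW2-FWDint-ACC-PING IN=eth0 OUT=ppp0 SRC=192.168.30.5 DST=192.168.3.180 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=99 SEQ=1
Mar  3 10:12:06 router sshd[1234]: Accepted publickey for admin from 192.168.30.7 port 50000 ssh2
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>SFW2-\S+) (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_sfw2_line(line):
    """Return a dict of the KEY=value fields of one SFW2 log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec.setdefault(key, val)  # the first ID= is the IP header id; keep that one
    return rec


def parse_sfw2_log(text):
    return [r for r in map(parse_sfw2_line, text.splitlines()) if r]


def dropped_icmp(records):
    """The entries jado suggests looking for: a drop whose payload is ICMP."""
    return [r for r in records if "-DROP-" in r["prefix"] and r.get("PROTO") == "ICMP"]


def drop_summary(records):
    """Count drops per (log prefix, IN, OUT, SRC, DST) to see which rule eats the traffic."""
    counts = Counter()
    for r in records:
        if "-DROP-" in r["prefix"]:
            counts[(r["prefix"], r.get("IN", ""), r.get("OUT", ""), r["SRC"], r["DST"])] += 1
    return counts


if __name__ == "__main__":
    recs = parse_sfw2_log(SAMPLE_LOG)
    for key, n in drop_summary(recs).most_common():
        print(n, *key)
```

The prefix tells you which SuSEfirewall2 rule logged the packet (FWDint = forward chain for an internal device, INext = input chain for an external device, DROP-DEFLT = the chain's final default drop), and IN/OUT give the interface pair, so grouping on both is usually enough to see which side of the router a VPN-to-LAN packet is being stopped on.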
 
msdoes (OP)

Newbie
jado wrote:
If it is due to the iptables rules, you should find entries in the log file (probably /var/log/messages) like "kernel: Drop" with the text "PROTO=ICMP".

Using those entries you can then narrow down the cause.


greez

Unfortunately no such entry appears in /var/log/messages when I watch it with tail -f and try to access the internal LAN.
But I'll have a look for it...

Thanks for now!
 
msdoes (OP)

Newbie
SuSEfirewall2
Code:
FW_QUICKMODE="no" 
FW_DEV_EXT="eth1 eth2" 
FW_DEV_INT="eth0 ppp0" 
FW_DEV_DMZ="" 
FW_ROUTE="yes" 
FW_MASQUERADE="yes" 
FW_MASQ_DEV="$FW_DEV_EXT" 
FW_MASQ_NETS="0/0" 
FW_PROTECT_FROM_INTERNAL="no" 
FW_AUTOPROTECT_SERVICES="no" 
FW_SERVICES_EXT_TCP="1723 3200:3400 550 http https imap imaps pop3 pop3s smtp ssh" 
FW_SERVICES_EXT_UDP="" 
FW_SERVICES_EXT_IP="GRE" 
FW_SERVICES_DMZ_TCP="" 
FW_SERVICES_DMZ_UDP="" 
FW_SERVICES_DMZ_IP="" 
FW_SERVICES_INT_TCP="1723" 
FW_SERVICES_INT_UDP="" 
FW_SERVICES_INT_IP="GRE" 
FW_SERVICES_QUICK_TCP="" 
FW_SERVICES_QUICK_UDP="" 
FW_SERVICES_QUICK_IP="" 
FW_TRUSTED_NETS="" 
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no" 
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" 
FW_SERVICE_AUTODETECT="yes" 
FW_SERVICE_DNS="yes" 
FW_SERVICE_DHCLIENT="no" 
FW_SERVICE_DHCPD="no" 
FW_SERVICE_SQUID="no" 
FW_SERVICE_SAMBA="no" 
FW_FORWARD="192.168.3.0/24,192.168.30.0/24 192.168.30.0/24,192.168.3.0/24" 
FW_FORWARD_MASQ="0/0,192.168.30.2,tcp,25,25,62.8.XXX.XX0 0/0,192.168.30.5,tcp,143,143,62.8.XXX.XX1 0/0,192.168.30.5,tcp,443,443,62.8.XXX.XX1 0/0,192.168.30.5,tcp,25,25,62.8.XXX.XX1 0/0,192.168.30.5,tcp,443,443,62.8.XXX.XX1" 
FW_REDIRECT="" 
FW_LOG_DROP_CRIT="yes" 
FW_LOG_DROP_ALL="yes" 
FW_LOG_ACCEPT_CRIT="yes" 
FW_LOG_ACCEPT_ALL="yes" 
FW_KERNEL_SECURITY="yes" 
FW_STOP_KEEP_ROUTING_STATE="no" 
FW_ALLOW_PING_FW="yes" 
FW_ALLOW_PING_DMZ="no" 
FW_ALLOW_PING_EXT="yes" 
FW_ALLOW_FW_TRACEROUTE="yes" 
FW_ALLOW_FW_SOURCEQUENCH="yes" 
FW_ALLOW_FW_BROADCAST="no" 
FW_IGNORE_FW_BROADCAST="yes" 
FW_ALLOW_CLASS_ROUTING="" 
FW_CUSTOMRULES="" 
FW_REJECT="no" 
FW_HTB_TUNE_DEV="" 
FW_SERVICES_EXT_RPC="" 
FW_SERVICES_DMZ_RPC="" 
FW_SERVICES_INT_RPC="" 
FW_ANTISPOOF="no" 
FW_IPv6="" 
FW_IPv6_REJECT_OUTGOING="yes" 
FW_IPSEC_TRUST="no" 
FW_LOG="" 
FW_SERVICES_DROP_EXT="" 
FW_SERVICES_REJECT_EXT="0/0,tcp,113" 
FW_LOG_LIMIT=""

so, unfortunately none of you noticed that I hadn't entered it in FW_SERVICES_INT_ and in FW_FORWARD=. Now it works!

Regards

msdoes
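As an added example (not msdoes's code and not part of SuSEfirewall2), the following Python script parses the variables that differ between the first config posted in this thread and the working one, and reports which of the three settings the working config added (the two FW_FORWARD entries between the pptpd client pool and the LAN, 1723 in FW_SERVICES_INT_TCP, GRE in FW_SERVICES_INT_IP) are still missing. The network constants are taken from the thread (pptpd remoteip pool in 192.168.3.0/24, LAN 192.168.30.0/24); the check mirrors the fix as posted, not a claim about the minimal set SuSEfirewall2 would need.

```python
import ipaddress
import re

# The variables the fix in this thread touched, as posted before and after
# (the rest of the posted config is irrelevant to this check).
CONFIG_BEFORE = """
FW_DEV_EXT="eth1 eth2"
FW_DEV_INT="eth0 ppp0"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_IP=""
FW_FORWARD=""
"""

CONFIG_AFTER = """
FW_DEV_EXT="eth1 eth2"
FW_DEV_INT="eth0 ppp0"
FW_SERVICES_INT_TCP="1723"
FW_SERVICES_INT_IP="GRE"
FW_FORWARD="192.168.3.0/24,192.168.30.0/24 192.168.30.0/24,192.168.3.0/24"
"""

# From the thread: pptpd hands out 192.168.3.180-185, the LAN on eth0 is 192.168.30.0/24.
VPN_POOL = ipaddress.ip_network("192.168.3.0/24")
LAN = ipaddress.ip_network("192.168.30.0/24")


def parse_sfw2_config(text):
    """Pick up FW_*="..." assignments; returns {name: value}."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*(FW_\w+)="([^"]*)"', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def _net(spec):
    # SuSEfirewall2 writes "any" as 0/0, which ipaddress does not accept as-is.
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)


def parse_forward(value):
    """FW_FORWARD entries are 'src_net,dst_net[,proto[,port]]', separated by spaces."""
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        proto = parts[2] if len(parts) > 2 else "all"
        port = parts[3] if len(parts) > 3 else "all"
        rules.append((_net(parts[0]), _net(parts[1]), proto, port))
    return rules


def forward_covers(rules, src, dst):
    """True if some FW_FORWARD entry allows all protocols from src to dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) and proto == "all"
               for s, d, proto, _port in rules)


def check_vpn_to_lan(cfg, vpn_net, lan_net):
    """List what is still missing compared with the working config from the thread."""
    missing = []
    rules = parse_forward(cfg.get("FW_FORWARD", ""))
    for a, b in ((vpn_net, lan_net), (lan_net, vpn_net)):
        if not forward_covers(rules, a, b):
            missing.append(f"FW_FORWARD has no entry {a},{b}")
    if "1723" not in cfg.get("FW_SERVICES_INT_TCP", "").split():
        missing.append("FW_SERVICES_INT_TCP lacks 1723 (PPTP control connection)")
    if "GRE" not in cfg.get("FW_SERVICES_INT_IP", "").split():
        missing.append("FW_SERVICES_INT_IP lacks GRE (PPTP tunnel traffic)")
    return missing


if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        problems = check_vpn_to_lan(parse_sfw2_config(text), VPN_POOL, LAN)
        print(label + ":", problems or "ok")
```

Note that the FW_FORWARD pair is listed once per direction in the working config, and that an entry restricted to one protocol and port (for example a tcp,25 entry) does not count as covering the pair, which is why forward_covers only accepts entries without a protocol.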
 
msdoes (OP)

Newbie
Sorry, but after the attacks increased noticeably, I X'd out the external IPs. :evil:

Regards
msdoes