Diverse Fragen zu Routing mit IPTables

StefanBogi · 19. Dezember 2007

Hi,

ich benutze seit einiger Zeit einen Computer mit Debian Installation als Router.
Es Greifen 4 Windows Clients auf einen W-Lan Accesspoint zu, welcher die Daten an das Interface eth1 des Routers weiterleitet.
Über erth0 ist das DSL-Modem angeschlossen.
Alle Clients kommen problemlos ins Internet, und ich kann den Router auch per SSH o.ä. aus dem Internet Administrieren. Soweit alles in Ordnung.
Zum Routen benutze ich IPTables.

Jetzt meine erste Frage:
Es ist mir momentan nicht möglich mit den Windows Clients untereinander zu Kommunizieren. Ich Kann sie weder gegenseitig anpingen, noch auf Ihre Freigaben zugreifen. Es scheint also als ob die Pakete von Client zu Client nicht geroutet werden, oder irgendwo verloren gehen.

Mein Accesspoint kann das Routing des Netzwerks leider nicht übernehmen.
Wie müsste ich IPTables Konfigurieren damit die Cleint "direkt" miteinander Kommunizieren können?!

Vom Server aus kann ich (natürlich) alle Client IP's pingen. Genau so können auch alle Clients den Server Pingen, nur das gegenseitige Pingen der Clients und wie gesagt das zugreifen auf deren Freigaben funktioniert nicht.

Über Lösungsvorschläge würde ich mich sehr Freuen!
Gruss,
Stefan

Dennis Wronka · 19. Dezember 2007

Wird grundsaetzlich erstmal alles zur Linux-Box geroutet?
Oder ist diese lediglich als Default-Gateway eingetragen?

Und wie sehen die Regeln auf der Linux-Box aus?

StefanBogi · 19. Dezember 2007

Hi,

der Router hat nen DHCP Server laufen und wird bei den Windows Clients als Standardgateway eingetragen.
Auch der Accesspoint ist also DHCP Client, dient also wirklich nur als Bridge.

Tja, die Regeln auf der Linux Box sind glaube ich ziemlich Kraut und Rüben, reicht es wenn ich hier iptables -L poste? ... Ich mache das einfach mal!
Man sieht darin das ich vorhin schonmal versucht habe den Netzwerkinternen zu routen ...

Code:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  localhost/24         localhost/24
DROP       0    --  anywhere             anywhere            state INVALID
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,RST/FIN,RST
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:PSH,ACK/PSH
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:ACK,URG/URG
ACCEPT     0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:www
REJECT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssmtp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3s reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nntp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ns
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ircd
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:4661
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:4662
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:4663
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:4665
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:4673
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:4672
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpts:24500:24505
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5155
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:5155
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5156
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:5156
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:5000
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:openvpn
DROP       icmp --  anywhere             anywhere            state NEW icmp echo-request
ACCEPT     0    --  anywhere             anywhere
MY_REJECT  0    --  anywhere             anywhere
ACCEPT     0    --  localhost/24         localhost/24

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  localhost/24         localhost/24
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
DROP       0    --  anywhere             anywhere            state INVALID
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,RST/FIN,RST
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:PSH,ACK/PSH
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:ACK,URG/URG
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     0    --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
MY_REJECT  0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             debian.Brammer21a.de
ACCEPT     0    --  anywhere             localhost/24
ACCEPT     0    --  localhost/14         localhost/24
ACCEPT     0    --  localhost/14         localhost/24
ACCEPT     0    --  localhost/24         localhost/24

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  localhost/24         localhost/24
DROP       0    --  anywhere             anywhere            state INVALID
ACCEPT     0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
MY_REJECT  0    --  anywhere             anywhere
ACCEPT     0    --  localhost/24         localhost/24
ACCEPT     0    --  localhost/24         localhost/24

Chain MY_DROP (14 references)
target     prot opt source               destination
DROP       0    --  anywhere             anywhere

Chain MY_REJECT (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     0    --  anywhere             anywhere            reject-with icmp-proto-unreachable
debian:#

Dennis Wronka · 19. Dezember 2007

Code:

iptables -L -v

ist in der Regel besser, da ausfuehrlicher.
Aber ich werd mir den Output morgen frueh mal anschauen und gucken ob ich was sehe.

StefanBogi · 19. Dezember 2007

hier nochmal die iptables -L -v ausgabe

Code:

iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  572 60272 ACCEPT     0    --  any    any     localhost/24         localhost/24
 1326 98420 DROP       0    --  any    any     anywhere             anywhere            state INVALID
    0     0 MY_DROP    tcp  --  ppp0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 MY_DROP    tcp  --  ppp0   any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
    0     0 MY_DROP    tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
    1    40 MY_DROP    tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,RST/FIN,RST
    0     0 MY_DROP    tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,ACK/FIN
    0     0 MY_DROP    tcp  --  any    any     anywhere             anywhere            tcp flags:PSH,ACK/PSH
    0     0 MY_DROP    tcp  --  any    any     anywhere             anywhere            tcp flags:ACK,URG/URG
68293   41M ACCEPT     0    --  lo     any     anywhere             anywhere
3186K  381M ACCEPT     0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
  917 47248 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:www
   89  4636 REJECT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:smtp reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:ssmtp reject-with icmp-port-unreachable
    3   144 REJECT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:pop3 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:pop3s reject-with icmp-port-unreachable
   12   624 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:imap2
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:imaps
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:nntp
   12   544 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:domain
    5   375 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:domain
   24  1336 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:ftp
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:netbios-ns
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:netbios-dgm
 7184  372K ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:netbios-ssn
14826  751K ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:microsoft-ds
  107  8346 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:netbios-ns
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:netbios-dgm
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:netbios-ssn
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:microsoft-ds
51051 3062K ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:ssh
   15   744 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:mysql
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:ntp
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:ircd
   48  2324 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:4661
45157 2229K ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:4662
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:4663
  953 45830 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:4665
  194  7691 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:4673
52010 3646K ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:4672
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpts:24500:24505
    7   356 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:telnet
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:5155
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:5155
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state NEW tcp dpt:5156
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:5156
    0     0 ACCEPT     esp  --  ppp0   any     anywhere             anywhere
    0     0 ACCEPT     ah   --  ppp0   any     anywhere             anywhere
   83 24224 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:isakmp
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:5000
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state NEW udp dpt:openvpn
 1527  101K DROP       icmp --  ppp0   any     anywhere             anywhere            state NEW icmp echo-request
20984 3151K ACCEPT     0    --  eth1   any     anywhere             anywhere
 113K   19M MY_REJECT  0    --  any    any     anywhere             anywhere
    0     0 ACCEPT     0    --  any    any     localhost/24         localhost/24

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  any    any     localhost/24         localhost/24
 2371  114K TCPMSS     tcp  --  any    ppp0    anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
    0     0 DROP       0    --  any    any     anywhere             anywhere            state INVALID
    0     0 MY_DROP    tcp  --  ppp0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 MY_DROP    tcp  --  ppp0   any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
    0     0 MY_DROP    tcp  --  ppp0   any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
   14   560 MY_DROP    tcp  --  ppp0   any     anywhere             anywhere            tcp flags:FIN,RST/FIN,RST
    0     0 MY_DROP    tcp  --  ppp0   any     anywhere             anywhere            tcp flags:FIN,ACK/FIN
    0     0 MY_DROP    tcp  --  ppp0   any     anywhere             anywhere            tcp flags:PSH,ACK/PSH
    0     0 MY_DROP    tcp  --  ppp0   any     anywhere             anywhere            tcp flags:ACK,URG/URG
 228K   11M TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
  31M 1593M ACCEPT     0    --  !ppp0  any     anywhere             anywhere            state NEW,RELATED,ESTABLISHED
  51M   64G ACCEPT     0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  eth1   any     anywhere             anywhere
    0     0 MY_REJECT  0    --  ppp0   any     anywhere             anywhere
    0     0 ACCEPT     0    --  eth1   any     anywhere             debian.Brammer21a.de
    0     0 ACCEPT     0    --  eth1   any     anywhere             localhost/24
    0     0 ACCEPT     0    --  any    any     localhost/14         localhost/24
    0     0 ACCEPT     0    --  any    any     localhost/14         localhost/24
    0     0 ACCEPT     0    --  any    any     localhost/24         localhost/24

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  394 75930 ACCEPT     0    --  any    any     localhost/24         localhost/24
  256 24889 DROP       0    --  any    any     anywhere             anywhere            state INVALID
68293   41M ACCEPT     0    --  any    lo      anywhere             anywhere
4138K 2943M ACCEPT     0    --  any    any     anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    0     0 MY_REJECT  0    --  any    any     anywhere             anywhere
    0     0 ACCEPT     0    --  any    any     localhost/24         localhost/24
    0     0 ACCEPT     0    --  any    any     localhost/24         localhost/24

Chain MY_DROP (14 references)
 pkts bytes target     prot opt in     out     source               destination
   15   600 DROP       0    --  any    any     anywhere             anywhere

Chain MY_REJECT (3 references)
 pkts bytes target     prot opt in     out     source               destination
39710 2283K REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
73470   17M REJECT     udp  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 DROP       icmp --  any    any     anywhere             anywhere
    0     0 REJECT     0    --  any    any     anywhere             anywhere            reject-with icmp-proto-unreachable

Diverse Fragen zu Routing mit IPTables

StefanBogi

Grünschnabel

Dennis Wronka

Soulcollector

StefanBogi

Grünschnabel

Dennis Wronka

Soulcollector

StefanBogi

Grünschnabel

Neue Beiträge