Hello,
I have a problem with my iptables ruleset. The problem is that I cannot get an SSH connection established even though the source and the target are in one and the same network segment.
I admit I have a fairly complicated environment. Here is a short description.
2 notebooks; N1 is supposed to ssh to N2. Both are connected via WLAN. The router/access point is a Raspberry with hostapd and 2 WLAN cards acting as AP1 and AP2. Both APs, wlan0 and wlan1, are bridged as br0
br0 = 10.6.90.1
br0:0 = 10.6.8.1
Both notebooks are in the 10.6.90.0/24 segment and should actually have full mutual access. Nevertheless I get a reject from iptables
The only difference is that N1 is connected to AP1 and N2 to AP2.
Code:
pi-proxy01 kernel: [737046.295925] iptables REJECT packets IN=wlan0 OUT=eth0 MAC=e8:94:f6:0b:a8:31:00:21:6a:0b:d0:58:08:00 SRC=10.6.90.50 DST=77.95.231.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53192 DF PROTO=TCP SPT=40566 DPT=22 SEQ=682490927 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A000633E70000000001030307)
Interestingly, with a similar configuration I do get an SSH connection; the only difference is that the two clients are in different network segments, N1 in 10.6.90.0/24 and N2 in 10.6.8.0/24, again connected via AP1 and AP2.
iptables rules
Code:
# Generated by iptables-save v1.4.14 on Sun Sep 21 20:13:21 2014
*mangle
:PREROUTING ACCEPT [228958:139236055]
:INPUT ACCEPT [149582:95942350]
:FORWARD ACCEPT [79512:43325824]
:OUTPUT ACCEPT [160830:107776744]
:POSTROUTING ACCEPT [238785:150774043]
COMMIT
# Completed on Sun Sep 21 20:13:21 2014
# Generated by iptables-save v1.4.14 on Sun Sep 21 20:13:21 2014
*nat
:PREROUTING ACCEPT [5394:586768]
:INPUT ACCEPT [3944:465783]
:OUTPUT ACCEPT [1772:106118]
:POSTROUTING ACCEPT [280:16710]
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -m comment --comment "Prerouting Port 80(http) to SquidPort (3128)" -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -m comment --comment "Prerouting Port 80(http) from INET to WEBAPP01 (80)" -j DNAT --to-destination 10.6.8.20:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8085 -m comment --comment "Prerouting Port 8085 from INET to WEBAPP01 (8085 calibre-ebooks)" -j DNAT --to-destination 10.6.8.20:8085
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9418 -m comment --comment "Prerouting Port 9418 from INET to SQLDB01 (9418 git Repositorys)" -j DNAT --to-destination 10.6.8.21:9418
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m comment --comment "Forward local Traffic to squid port, without user proxy" -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -m comment --comment "NAT packets from br0 (CLIENTNET) to eth0 (INET)" -j MASQUERADE
COMMIT
# Completed on Sun Sep 21 20:13:21 2014
# Generated by iptables-save v1.4.14 on Sun Sep 21 20:13:21 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ACCEPTLOG - [0:0]
:DROPLOG - [0:0]
:HTTPS_WITHOUT_PROXY_FORWARD - [0:0]
:IMAPS_FORWARD - [0:0]
:PROXY01_INPUT - [0:0]
:REJECTLOG - [0:0]
:RELATED_ICMP - [0:0]
:SQLDB01_FORWARD - [0:0]
:SQLDB01_OUTPUT - [0:0]
:SSH_FORWARD - [0:0]
:SSH_INPUT - [0:0]
:SSH_OUTPUT - [0:0]
:WEBAPP01_OUTPUT - [0:0]
:WHATSAPP_FORWARD - [0:0]
:WWW_FORWARD - [0:0]
:WWW_INPUT - [0:0]
:WWW_OUTPUT - [0:0]
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate ESTABLISHED -m limit --limit 3/sec --limit-burst 30 -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -m limit --limit 3/sec --limit-burst 30 -j RELATED_ICMP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 30 -j ACCEPT
-A INPUT -p icmp -j DROPLOG
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -j PROXY01_INPUT
-A INPUT -j WWW_INPUT
-A INPUT -j SSH_INPUT
-A INPUT -i lo -m comment --comment "Allow loopback input to do anything" -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow INET incoming connections related to existing allowed connections" -j ACCEPT
-A INPUT -s 10.6.8.0/24 -i br0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow INET 10.6.8.0/24 incoming connections related to existing allowed connections" -j ACCEPT
-A INPUT -j REJECTLOG
-A FORWARD -p icmp -j DROPLOG
-A FORWARD -j SSH_FORWARD
-A FORWARD -j WHATSAPP_FORWARD
-A FORWARD -j HTTPS_WITHOUT_PROXY_FORWARD
-A FORWARD -j IMAPS_FORWARD
-A FORWARD -j WWW_FORWARD
-A FORWARD -j SQLDB01_FORWARD
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -m tcp --dport 1024:65535 -m comment --comment "Allow forward TCP connections related to existing allowed connections" -j ACCEPT
-A FORWARD -p udp -m conntrack --ctstate RELATED,ESTABLISHED -m udp --dport 1024:65535 -m comment --comment "Allow forward UDP connections related to existing allowed connections" -j ACCEPT
-A FORWARD -j REJECTLOG
-A FORWARD -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m physdev --physdev-in wlan0 -m physdev --physdev-out wlan1 -m tcp --dport 22 -m comment --comment test -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate ESTABLISHED -m limit --limit 3/sec --limit-burst 30 -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -m limit --limit 3/sec --limit-burst 30 -j RELATED_ICMP
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 30 -j ACCEPT
-A OUTPUT -p icmp -j DROPLOG
-A OUTPUT -j SSH_OUTPUT
-A OUTPUT -j WWW_OUTPUT
-A OUTPUT -j WEBAPP01_OUTPUT
-A OUTPUT -j SQLDB01_OUTPUT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o lo -m comment --comment "Allow loopback output to do anything" -j ACCEPT
-A OUTPUT -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow LOCNET outgoing connections EXCEPT invalid" -j ACCEPT
-A OUTPUT -j REJECTLOG
-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 30 -j LOG --log-prefix "iptables ACCEPT packets " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
-A ACCEPTLOG -j ACCEPT
-A DROPLOG -m limit --limit 3/sec --limit-burst 30 -j LOG --log-prefix "iptables DROP packets " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
-A DROPLOG -j DROP
-A HTTPS_WITHOUT_PROXY_FORWARD -s 10.6.90.0/24 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m mac --mac-source CC:FA:00:A6:A3:3F -m tcp --dport 443 -m comment --comment "Allow forward HTTPS connections for Nexus5 Marko" -j ACCEPT
-A HTTPS_WITHOUT_PROXY_FORWARD -s 10.6.90.0/24 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m mac --mac-source 40:B0:FA:C8:18:84 -m tcp --dport 443 -m comment --comment "Allow forward HTTPS connections for Nexus4 Nadin" -j ACCEPT
-A HTTPS_WITHOUT_PROXY_FORWARD -s 10.6.90.0/24 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m mac --mac-source F8:DB:7F:86:FE:E8 -m tcp --dport 443 -m comment --comment "Allow forward HTTPS connections for DesireHD Isa" -j ACCEPT
-A HTTPS_WITHOUT_PROXY_FORWARD -s 10.6.90.0/24 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m mac --mac-source 30:85:A9:5B:77:7F -m tcp --dport 443 -m comment --comment "Allow forward HTTPS connections for Nexus7 Wohnzimmer" -j ACCEPT
-A HTTPS_WITHOUT_PROXY_FORWARD -s 10.6.90.0/24 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m mac --mac-source 10:BF:48:F4:3E:21 -m tcp --dport 443 -m comment --comment "Allow forward HTTPS connections for Nexus7 Schlafzimmer" -j ACCEPT
-A HTTPS_WITHOUT_PROXY_FORWARD -s 10.6.90.0/24 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m mac --mac-source BC:20:A4:77:43:9C -m tcp --dport 443 -m comment --comment "Allow forward HTTPS connections for Nexus10 Wohnzimmer" -j ACCEPT
-A HTTPS_WITHOUT_PROXY_FORWARD -s 10.6.90.0/24 -d 194.150.80.79/32 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 443 -m comment --comment "Allow forward HTTPS connections for Onlinebanking with aqbanking Software" -j ACCEPT
-A HTTPS_WITHOUT_PROXY_FORWARD -s 10.6.90.0/24 -d 62.181.135.5/32 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 443 -m comment --comment "Allow forward HTTPS connections for Onlinebanking with aqbanking Software" -j ACCEPT
-A HTTPS_WITHOUT_PROXY_FORWARD -j RETURN
-A IMAPS_FORWARD -s 10.6.90.0/24 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 993 -m comment --comment "Allow forward IMAPS connections from VLAN690" -j ACCEPT
-A IMAPS_FORWARD -j RETURN
-A PROXY01_INPUT -i br0 -p udp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m udp --dport 53 -m comment --comment "Allow inbound DNS connections" -j ACCEPT
-A PROXY01_INPUT -i br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 53 -m comment --comment "Allow inbound DNS connections" -j ACCEPT
-A PROXY01_INPUT -i br0 -p udp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m udp --dport 123 -m comment --comment "Allow inbound NTP connections" -j ACCEPT
-A PROXY01_INPUT -i br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -m comment --comment "Allow inbound squid connections" -j ACCEPT
-A PROXY01_INPUT -s 10.6.90.0/24 -d 10.6.90.1/32 -i br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 8080 -m comment --comment "Allow inbound privat HTTP connections" -j ACCEPT
-A PROXY01_INPUT -s 10.6.90.0/24 -d 10.6.90.1/32 -i br0 -p udp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m udp --dport 67 -m comment --comment "Allow inbound DHCP connections" -j ACCEPT
-A PROXY01_INPUT -j RETURN
-A REJECTLOG -m limit --limit 3/sec --limit-burst 30 -j LOG --log-prefix "iptables REJECT packets " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
-A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
-A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A RELATED_ICMP -j DROPLOG
-A SQLDB01_FORWARD -s 10.6.90.0/24 -d 10.6.8.21/32 -i br0 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 3306 -m comment --comment "Allow forward MYSQL connections from VLAN690 to server pi-SQLDB01" -j ACCEPT
-A SQLDB01_FORWARD -j RETURN
-A SQLDB01_OUTPUT -s 10.6.8.1/32 -d 10.6.8.21/32 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 9418 -m comment --comment "Allow outbound ssh-git Server connections to server pi-sqldb01" -j ACCEPT
-A SQLDB01_OUTPUT -j RETURN
-A SSH_FORWARD -s 10.6.90.0/24 -d 10.6.8.0/24 -i br0 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow forward SSH connections from VLAN690 to VLAN80" -j ACCEPT
-A SSH_FORWARD -j RETURN
-A SSH_FORWARD -s 10.6.90.0/24 -i br0 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow forward SSH connections from VLAN690 to VLAN80" -j ACCEPT
-A SSH_FORWARD -j RETURN
-A SSH_INPUT -s 10.6.90.0/24 -d 10.6.90.1/32 -i br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow inbound SSH connections for 10.6.90.1" -j ACCEPT
-A SSH_INPUT -j RETURN
-A SSH_INPUT -s 10.6.90.0/24 -d 10.6.90.1/32 -i br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow inbound SSH connections to 10.6.90.1" -j ACCEPT
-A SSH_INPUT -j RETURN
-A SSH_OUTPUT -s 10.6.8.1/32 -d 10.6.8.0/24 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow outbound SSH connections from VLAN690 to VLAN80" -j ACCEPT
-A SSH_OUTPUT -j RETURN
-A SSH_OUTPUT -s 10.6.8.1/32 -d 10.6.8.0/24 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow outbound SSH connections from VLAN690 to VLAN80" -j ACCEPT
-A SSH_OUTPUT -j RETURN
-A WEBAPP01_OUTPUT -s 10.6.8.1/32 -d 10.6.8.20/32 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 80 -m comment --comment "Allow outbound HTTP connections from VLAN690 to server pi-webapp01" -j ACCEPT
-A WEBAPP01_OUTPUT -s 10.6.8.1/32 -d 10.6.8.20/32 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 8085 -m comment --comment "Allow outbound CALIBRE-EBOOKS connections to server pi-webapp01" -j ACCEPT
-A WEBAPP01_OUTPUT -j RETURN
-A WHATSAPP_FORWARD -s 10.6.90.0/24 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m mac --mac-source CC:FA:00:A6:A3:3F -m tcp --dport 5222 -m comment --comment "Allow forward WHATSAPP connections for Nexus5 Marko" -j ACCEPT
-A WHATSAPP_FORWARD -s 10.6.90.0/24 -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m mac --mac-source 40:B0:FA:C8:18:84 -m tcp --dport 5222 -m comment --comment "Allow forward WHATSAPP connections for Nexus4 Nadin" -j ACCEPT
-A WHATSAPP_FORWARD -j RETURN
-A WWW_FORWARD -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 587 -m comment --comment "Allow forward SMTPS Port 587 connections to INET" -j ACCEPT
-A WWW_FORWARD -i br0 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 43 -m comment --comment "Allow forward WHOIS connections to INET" -j ACCEPT
-A WWW_FORWARD -d 10.6.8.20/32 -i eth0 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 80 -m comment --comment "Allow forward HTTP connections from INET to server pi-webapp01" -j ACCEPT
-A WWW_FORWARD -d 10.6.8.20/32 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 8085 -m comment --comment "Allow forward CALIBRE-SERVER connections to server pi-webapp01" -j ACCEPT
-A WWW_FORWARD -d 10.6.8.21/32 -o br0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 9418 -m comment --comment "Allow forward ssh-git Server connections to server pi-sqldb01" -j ACCEPT
-A WWW_FORWARD -j RETURN
-A WWW_INPUT -d 192.168.240.1/32 -i eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 13128 -m comment --comment "Allow inbound SSH connections to 192.168.240.1 DPT:13128" -j ACCEPT
-A WWW_INPUT -j RETURN
-A WWW_OUTPUT -o eth0 -p udp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m udp --dport 53 -m comment --comment "Allow outbound DNS connections" -j ACCEPT
-A WWW_OUTPUT -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 53 -m comment --comment "Allow outbound DNS connections" -j ACCEPT
-A WWW_OUTPUT -s 192.168.240.1/32 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 80 -m comment --comment "Allow outbound HTTP connections" -j ACCEPT
-A WWW_OUTPUT -s 192.168.240.1/32 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 443 -m comment --comment "Allow outbound HTTPS connections" -j ACCEPT
-A WWW_OUTPUT -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -m comment --comment "Allow outbound local squid connections" -j ACCEPT
-A WWW_OUTPUT -o eth0 -p udp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m udp --dport 123 -m comment --comment "Allow outbound NTP connections" -j ACCEPT
-A WWW_OUTPUT -s 192.168.240.1/32 -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 8245 -m comment --comment "Allow outbound NoIP Update connections" -j ACCEPT
-A WWW_OUTPUT -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 587 -m comment --comment "Allow outbound SMTPS Port 587" -j ACCEPT
-A WWW_OUTPUT -o eth0 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 43 -m comment --comment "Allow outbound WHOIS connections" -j ACCEPT
-A WWW_OUTPUT -o eth0 -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -m tcp --sport 13128 -m comment --comment "Allow outbound SSH connections SPT:13128" -j ACCEPT
-A WWW_OUTPUT -j RETURN
COMMIT
# Completed on Sun Sep 21 20:13:21 2014
This is the decisive part
Code:
-A SSH_FORWARD -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow forward SSH connections" -j ACCEPT
-A SSH_FORWARD -j RETURN
-A SSH_FORWARD -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow forward SSH connections" -j ACCEPT
-A SSH_FORWARD -j RETURN
-A SSH_INPUT -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow inbound SSH connections" -j ACCEPT
-A SSH_INPUT -j RETURN
-A SSH_INPUT -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow inbound SSH connections" -j ACCEPT
-A SSH_INPUT -j RETURN
-A SSH_OUTPUT -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow outbound SSH connections" -j ACCEPT
-A SSH_OUTPUT -j RETURN
-A SSH_OUTPUT -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 22 -m comment --comment "Allow outbound SSH connections from VLAN690 to VLAN80" -j ACCEPT
-A SSH_OUTPUT -j RETURN
Maybe someone can find an approach to my problem.
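Added example, not part of the original post: a small Python check that reads an iptables-save dump and lists rules appended after an unconditional exit of their chain (`-j RETURN`, a final verdict, or a jump into a chain that never returns), since no packet can ever reach such a rule. The embedded sample is the posted FORWARD, REJECTLOG and SSH_FORWARD chains with the conntrack and comment matches trimmed.

```python
import shlex

VERDICTS = {"ACCEPT", "DROP", "REJECT"}  # targets that settle a packet for good

def parse_rules(dump):
    """Yield (chain, match_tokens, target, raw) per -A line; iptables-save puts matches before -j."""
    for line in dump.splitlines():
        if line.startswith("-A "):
            tok = shlex.split(line)
            j = tok.index("-j") if "-j" in tok else len(tok)   # -g (goto) is left as a match token
            yield tok[1], tok[2:j], tok[j + 1] if j + 1 < len(tok) else None, line

def exit_index(rs, absorbing):
    """Index of the first rule every packet leaves the chain through, or None."""
    for i, (matches, target, _) in enumerate(rs):
        if not matches and (target == "RETURN" or target in VERDICTS or target in absorbing):
            return i
    return None

def analyse(dump):
    """Return (absorbing_chains, dead_rules): chains no packet returns from, and unreachable rules."""
    body = {}
    for chain, matches, target, line in parse_rules(dump):
        body.setdefault(chain, []).append((matches, target, line))
    absorbing, changed = set(), True
    while changed:  # fixed point, because chains jump into chains
        changed = False
        for chain, rs in body.items():
            i = exit_index(rs, absorbing)
            if i is not None and rs[i][1] != "RETURN" and chain not in absorbing:
                absorbing.add(chain)
                changed = True
    dead = []
    for chain, rs in body.items():
        i = exit_index(rs, absorbing)
        if i is not None:  # everything after the exit is dead code
            dead += [(chain, line) for _, _, line in rs[i + 1:]]
    return absorbing, dead

# Constructed input: the FORWARD, REJECTLOG and SSH_FORWARD chains as posted,
# with the conntrack and comment matches trimmed for width.
SAMPLE = """\
-A FORWARD -j SSH_FORWARD
-A FORWARD -j REJECTLOG
-A FORWARD -p tcp -m physdev --physdev-in wlan0 -m physdev --physdev-out wlan1 -m tcp --dport 22 -j ACCEPT
-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
-A SSH_FORWARD -s 10.6.90.0/24 -d 10.6.8.0/24 -i br0 -o br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A SSH_FORWARD -j RETURN
-A SSH_FORWARD -s 10.6.90.0/24 -i br0 -o br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A SSH_FORWARD -j RETURN
"""

if __name__ == "__main__":
    print(*analyse(SAMPLE)[1], sep="\n")
```

Run against the full dump, it reports the physdev rule behind `-A FORWARD -j REJECTLOG` and the second ACCEPT/RETURN pair in each SSH_* chain as unreachable.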