
softphone hinter iptables; langsame verbindung

Dieses Thema im Forum "Firewalls" wurde erstellt von rseffner, 15 Juli 2005.

    Hallo,

    ich setze das u.g. iptables-Script zur Paketfilterung auf einem (noch SuSE, bald
    debian) Gateway ein. Auf den Clients dahinter soll VoIP mit dem 1&1 SoftPhone
    möglich sein.
    So wie es jetzt ist, geht das auch, allerdings dauert die Anmeldung recht
    lange und ich habe doch noch das eine oder andere abgewiesene Paket (siehe
    noch weiter unten) - hängt das zusammen/ist meine Lösung suboptimal?

    Vielen Dank für Euren review.


    [script]

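    #!/bin/bash
    # Packet filter and NAT for a small gateway: eth0 = LAN, ppp0 = uplink.
    # All three policies are DROP; everything not explicitly accepted is logged
    # and dropped. Run as root once ppp0 is up.
    #
    # SIP_CLIENT (below) is the LAN address of the host running the SoftPhone;
    # leave it empty to get exactly the previous behaviour (no inbound
    # forwarding of SIP/RTP).
    set -u   # no -e on purpose: one failing rule must not abort the script
             # half-way through the chains; fw() reports the failure instead.

    readonly FW="iptables"
    readonly MP="modprobe"
    readonly LO_IP="127.0.0.1/32"      # defined for reference; not used by a rule
    readonly LO_NET="127.0.0.0/8"      # defined for reference; not used by a rule
    readonly ETH0_IP="192.168.100.1"
    readonly ETH0_NET="192.168.100.0/24"
    SIP_CLIENT=""                      # e.g. the softphone host's LAN address
    readonly SIP_PORTS="5070:5079"     # softphone signalling source ports
    readonly RTP_PORTS="30000:30019"   # softphone media (RTP) source ports

    # Public address of the uplink (empty while ppp0 is down). Informational
    # only: no rule below depends on it.
    PPP0_IP=$(ifconfig ppp0 2>/dev/null \
      | awk '/inet addr:/ { sub("addr:", "", $2); print $2 }')
    [[ -n "$PPP0_IP" ]] || printf 'warning: ppp0 has no address yet\n' >&2
    PPP0_NET="${PPP0_IP}/32"

    # fw ARGS... : run iptables; a failed rule is reported on stderr but does
    # not stop the remaining rules from being loaded.
    fw() {
      "$FW" "$@" || printf 'iptables failed: %s\n' "$*" >&2
    }

    # sysctl_write PATH VALUE : write VALUE into one /proc/sys entry.
    sysctl_write() {
      printf '%s\n' "$2" > "$1"
    }

    # sysctl_all KEY VALUE : write VALUE into KEY for every entry under
    # /proc/sys/net/ipv4/conf (this includes "all" and "default").
    sysctl_all() {
      local f
      for f in /proc/sys/net/ipv4/conf/*/"$1"; do
        sysctl_write "$f" "$2"
      done
    }

    # Forwarding stays off until the complete rule set is loaded.
    sysctl_write /proc/sys/net/ipv4/ip_forward 0
    "$MP" ip_conntrack_ftp
    "$MP" ip_nat_ftp
    sysctl_write /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
    sysctl_all accept_source_route 0
    sysctl_write /proc/sys/net/ipv4/tcp_syncookies 1
    sysctl_write /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
    sysctl_all accept_redirects 0
    sysctl_all send_redirects 0
    # "2" is the original value; on kernels without a loose mode any non-zero
    # value simply enables the reverse-path check.
    sysctl_all rp_filter 2
    sysctl_all log_martians 1

    fw -F
    fw -t nat -F
    fw -t mangle -F
    fw -X
    fw -t nat -X
    fw -t mangle -X
    # Default-deny before any ACCEPT is appended, so the host is never open
    # during the short time the rule set is being rebuilt.
    fw -P INPUT DROP
    fw -P OUTPUT DROP
    fw -P FORWARD DROP

    fw -A INPUT -i lo -j ACCEPT
    fw -A OUTPUT -o lo -j ACCEPT
    # ICMP types 0 echo-reply, 3 dest-unreachable, 4 source-quench,
    # 8 echo-request, 11 time-exceeded, 12 parameter-problem, in all chains.
    for icmp_type in 0 3 4 8 11 12; do
      for chain in INPUT OUTPUT FORWARD; do
        fw -A "$chain" -p icmp --icmp-type "$icmp_type" -j ACCEPT
      done
    done
    fw -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # NOTE: ssh (22) and ident (113) are accepted on every interface, i.e. also
    # from the uplink. Add "-i eth0" here if remote administration over ppp0
    # is not needed.
    fw -A INPUT -p tcp -m multiport --dport 22,113 -j ACCEPT
    fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A OUTPUT -o eth0 -d "$ETH0_NET" -j ACCEPT
    fw -A OUTPUT -j ACCEPT

    # LAN -> uplink: selected TCP/UDP services, the softphone's signalling and
    # media source-port ranges, and anything belonging to a known connection.
    fw -A FORWARD -i eth0 -o ppp0 -s "$ETH0_NET" -d 0.0.0.0/0 -p tcp \
      -m multiport --dport 20,21,22,25,53,110,119,143,443 -j ACCEPT
    fw -A FORWARD -i eth0 -o ppp0 -s "$ETH0_NET" -d 0.0.0.0/0 -p udp \
      -m multiport --dport 53,5060 -j ACCEPT
    fw -A FORWARD -i eth0 -o ppp0 -s "$ETH0_NET" -d 0.0.0.0/0 -p udp \
      --sport "$RTP_PORTS" -j ACCEPT
    fw -A FORWARD -i eth0 -o ppp0 -s "$ETH0_NET" -d 0.0.0.0/0 -p udp \
      --sport "$SIP_PORTS" -j ACCEPT
    fw -A FORWARD -i eth0 -o ppp0 -s "$ETH0_NET" -d 0.0.0.0/0 \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -t nat -A POSTROUTING -o ppp0 -s "$ETH0_NET" -d 0.0.0.0/0 -j MASQUERADE
    fw -A FORWARD -o eth0 -i ppp0 -d "$ETH0_NET" -s 0.0.0.0/0 \
      -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound SIP/RTP for the softphone. UDP connection tracking matches on
    # the full address/port 4-tuple, so a provider reply that comes from a
    # different port than the one the client contacted (the logged packets
    # from 212.227.15.201:3479 to :5070 and :3000x are of that kind) is not
    # ESTABLISHED, lands in INPUT and is dropped. Forward those port ranges to
    # the softphone host instead. Kernels that provide the SIP helper
    # (ip_conntrack_sip / ip_nat_sip) can classify such traffic as RELATED,
    # which would make this block unnecessary.
    if [[ -n "$SIP_CLIENT" ]]; then
      for ports in "$SIP_PORTS" "$RTP_PORTS"; do
        fw -t nat -A PREROUTING -i ppp0 -p udp --dport "$ports" \
          -j DNAT --to-destination "$SIP_CLIENT"
        fw -A FORWARD -i ppp0 -o eth0 -d "$SIP_CLIENT" -p udp \
          --dport "$ports" -j ACCEPT
      done
    fi

    # Services offered to the LAN only.
    fw -A INPUT -i eth0 -s "$ETH0_NET" -p tcp -m multiport \
      --dport 53,119,123,137,138,139,445,1241,3050,3128,20000 -j ACCEPT
    fw -A INPUT -i eth0 -s "$ETH0_NET" -p udp -m multiport \
      --dport 53,123,137,138,139,631,20000 -j ACCEPT
    # DHCP: broadcasts from not-yet-configured clients, server replies, and
    # unicast renewals addressed to this host.
    fw -A INPUT -i eth0 -s 0.0.0.0/0 -d 255.255.255.255/32 -p udp \
      --sport 68 --dport 67 -j ACCEPT
    fw -A INPUT -i eth0 -s "$ETH0_NET" -d 255.255.255.255/32 -p udp \
      --sport 67 --dport 68 -j ACCEPT
    fw -A INPUT -i eth0 -s "$ETH0_NET" -d "$ETH0_IP" -p udp \
      --sport 68 --dport 67 -j ACCEPT
    fw -A OUTPUT -o eth0 -d 0.0.0.0/0 -s "$ETH0_IP" -p udp \
      --dport 68 --sport 67 -j ACCEPT
    fw -A OUTPUT -o eth0 -d "$ETH0_NET" -m state --state ESTABLISHED,RELATED \
      -j ACCEPT
    # Whatever reaches this point falls through to the DROP policy; log it.
    fw -A INPUT -j LOG --log-prefix "FIREWALL input DENY : "
    fw -A OUTPUT -j LOG --log-prefix "FIREWALL output DENY : "
    fw -A FORWARD -j LOG --log-prefix "FIREWALL forward DENY : "

    # Rule set complete: enable routing between eth0 and ppp0.
    sysctl_write /proc/sys/net/ipv4/ip_forward 1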


    [ log ]

    Jul 15 10:08:19 behemot named[4990]: client 192.168.100.4#7077: query:
    _sip._udp.1und1.de IN SRV +
    Jul 15 10:08:19 behemot named[4990]: client 192.168.100.4#7077: query:
    _sip._udp.sip.1und1.de IN SRV +
    Jul 15 10:08:19 behemot named[4990]: client 192.168.100.4#7077: query:
    sip.1und1.de IN A +
    Jul 15 10:08:21 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=212.227.15.201 DST=84.179.9.248 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF
    PROTO=UDP SPT=3479 DPT=5070 LEN=64
    Jul 15 10:08:22 behemot last message repeated 4 times
    Jul 15 10:08:32 behemot named[4990]: client 192.168.100.226#2923: query:
    sip.1und1.de IN A +
    Jul 15 10:08:42 behemot named[4990]: client 192.168.100.226#2926: query:
    sip.1und1.de IN A +
    Jul 15 10:08:42 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=212.227.15.201 DST=84.179.9.248 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF
    PROTO=UDP SPT=3479 DPT=30002 LEN=64
    Jul 15 10:08:43 behemot last message repeated 4 times
    Jul 15 10:08:44 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=212.227.15.201 DST=84.179.9.248 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF
    PROTO=UDP SPT=3479 DPT=30003 LEN=64
    Jul 15 10:08:44 behemot last message repeated 4 times
    Jul 15 10:08:52 behemot named[4990]: client 192.168.100.226#2929: query:
    sip.1und1.de IN A +
    Jul 15 10:08:55 behemot named[4990]: client 192.168.100.226#2929: query:
    sip.1und1.de IN A +
    Jul 15 10:09:04 behemot last message repeated 10 times
    Jul 15 10:09:05 behemot named[4990]: client 192.168.100.226#2932: query:
    sip.1und1.de IN A +
    Jul 15 10:09:05 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=62.53.226.8 DST=84.179.9.248 LEN=200 TOS=0x00 PREC=0x00 TTL=248 ID=56110
    PROTO=UDP SPT=16840 DPT=30002 LEN=180
    Jul 15 10:09:07 behemot last message repeated 88 times
    Jul 15 10:09:07 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=62.53.226.8 DST=84.179.9.248 LEN=136 TOS=0x00 PREC=0x00 TTL=249 ID=0
    PROTO=UDP SPT=16841 DPT=30003 LEN=116
    Jul 15 10:09:07 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=62.53.226.8 DST=84.179.9.248 LEN=200 TOS=0x00 PREC=0x00 TTL=248 ID=56110
    PROTO=UDP SPT=16840 DPT=30002 LEN=180
    Jul 15 10:09:08 behemot last message repeated 29 times
    Jul 15 10:09:08 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=62.53.226.8 DST=84.179.9.248 LEN=200 TOS=0x00 PREC=0x00 TTL=248 ID=56110
    PROTO=UDP SPT=16840 DPT=30002 LEN=180
    Jul 15 10:09:08 behemot last message repeated 11 times
    Jul 15 10:09:08 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=62.53.226.8 DST=84.179.9.248 LEN=200 TOS=0x00 PREC=0x00 TTL=248 ID=56110
    PROTO=UDP SPT=16840 DPT=30002 LEN=180
    Jul 15 10:09:08 behemot last message repeated 11 times
    Jul 15 10:09:08 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=62.53.226.8 DST=84.179.9.248 LEN=200 TOS=0x00 PREC=0x00 TTL=248 ID=56110
    PROTO=UDP SPT=16840 DPT=30002 LEN=180
    Jul 15 10:09:08 behemot last message repeated 11 times
    Jul 15 10:09:08 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=62.53.226.8 DST=84.179.9.248 LEN=200 TOS=0x00 PREC=0x00 TTL=248 ID=56110
    PROTO=UDP SPT=16840 DPT=30002 LEN=180
    Jul 15 10:09:09 behemot last message repeated 31 times
    Jul 15 10:09:09 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=62.53.226.8 DST=84.179.9.248 LEN=136 TOS=0x00 PREC=0x00 TTL=249 ID=1
    PROTO=UDP SPT=16841 DPT=30003 LEN=116
    Jul 15 10:09:09 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=62.53.226.8 DST=84.179.9.248 LEN=200 TOS=0x00 PREC=0x00 TTL=248 ID=56110
    PROTO=UDP SPT=16840 DPT=30002 LEN=180
    Jul 15 10:09:09 behemot last message repeated 21 times
    Jul 15 10:09:09 behemot kernel: FIREWALL input DENY : IN=ppp0 OUT= MAC=
    SRC=62.53.226.8 DST=84.179.9.248 LEN=72 TOS=0x00 PREC=0x00 TTL=249 ID=2
    PROTO=UDP SPT=16841 DPT=30003 LEN=52
    Jul 15 10:09:14 behemot last message repeated 2 times
    Jul 15 10:09:20 behemot named[4990]: client 192.168.100.226#2935: query:
    sip.1und1.de IN A +



    Ronny