Tim Ritberg schrieb:
> Am 11.08.2016 um 09:42 schrieb Wolfgang Bauer:
>> Servus.
>>
>> OS sind auf dem Desktop-PC Mageia-5, auf dem Netbook Kubuntu.
>> Beide Rechner gehen über einen NAT Router/Modem ins Internet.
>>
>> Auf dem Desktop-PC: Firewall aktiviert mit 104 Regeln.
> Wozu auf dem Desktop eine Firewall wenn du doch einen Router mit NAT hast?
Klar kann ich die abschalten, ein ungutes Gefühl bleibt aber.
> poste mal iptables-save hier
[root@linux-2 wolfgang]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 11 10:30:24 2016
*nat
:PREROUTING ACCEPT [96:15096]
:INPUT ACCEPT [27:2430]
:OUTPUT ACCEPT [1143:78894]
:POSTROUTING ACCEPT [1643:108894]
:enp3s0_masq - [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 972 -j RETURN
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o enp3s0 -j enp3s0_masq
-A enp3s0_masq -s
192.168.1.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Aug 11 10:30:24 2016
# Generated by iptables-save v1.4.21 on Thu Aug 11 10:30:24 2016
*mangle
:PREROUTING ACCEPT [16077:2615282]
:INPUT ACCEPT [16077:2615282]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16121:1374554]
:POSTROUTING ACCEPT [16307:1391621]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Thu Aug 11 10:30:24 2016
# Generated by iptables-save v1.4.21 on Thu Aug 11 10:30:24 2016
*raw
:PREROUTING ACCEPT [16077:2615282]
:OUTPUT ACCEPT [16145:1376354]
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS
-A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS
-A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Thu Aug 11 10:30:24 2016
# Generated by iptables-save v1.4.21 on Thu Aug 11 10:30:24 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Ifw - [0:0]
:Reject - [0:0]
:dynamic - [0:0]
:enp0s19f2u4c2_fwd - [0:0]
:enp0s19f2u4c2_in - [0:0]
:enp3s0_fwd - [0:0]
:enp3s0_in - [0:0]
:fw-fw - [0:0]
:fw-net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net-fw - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
:wlp4s6_fwd - [0:0]
:wlp4s6_in - [0:0]
-A INPUT -j Ifw
-A INPUT -i enp0s19f2u4c2 -j enp0s19f2u4c2_in
-A INPUT -i enp3s0 -j enp3s0_in
-A INPUT -i wlp4s6 -j wlp4s6_in
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
-A FORWARD -i enp0s19f2u4c2 -j enp0s19f2u4c2_fwd
-A FORWARD -i enp3s0 -j enp3s0_fwd
-A FORWARD -i wlp4s6 -j wlp4s6_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o enp0s19f2u4c2 -j fw-net
-A OUTPUT -o enp3s0 -j fw-net
-A OUTPUT -o wlp4s6 -j fw-net
-A OUTPUT -o lo -j fw-fw
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -g reject
-A Broadcast -m addrtype --dst-type BROADCAST -j DROP
-A Broadcast -m addrtype --dst-type MULTICAST -j DROP
-A Broadcast -m addrtype --dst-type ANYCAST -j DROP
-A Drop
-A Drop -j Broadcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -m conntrack --ctstate INVALID -j DROP
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Ifw -m set --match-set ifw_wl src -j RETURN
-A Ifw -m set --match-set ifw_bl src -j DROP
-A Ifw -m conntrack --ctstate INVALID,NEW -m psd--psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 2 --psd-hi-ports-weight 1 -j IFWLOG--log-prefix "SCAN"
-A Reject
-A Reject -j Broadcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A enp0s19f2u4c2_fwd -o enp0s19f2u4c2 -g sfilter
-A enp0s19f2u4c2_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp0s19f2u4c2_fwd -p tcp -j tcpflags
-A enp0s19f2u4c2_fwd -j net_frwd
-A enp0s19f2u4c2_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp0s19f2u4c2_in -p tcp -j tcpflags
-A enp0s19f2u4c2_in -j net-fw
-A enp3s0_fwd -o enp3s0 -g sfilter
-A enp3s0_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp3s0_fwd -p tcp -j tcpflags
-A enp3s0_fwd -j net_frwd
-A enp3s0_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp3s0_in -p tcp -j tcpflags
-A enp3s0_in -j net-fw
-A fw-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-fw -p tcp -m tcp --dport 3128 -m conntrack --ctorigdstport 80 -j ACCEPT
-A fw-fw -j ACCEPT
-A fw-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-net -p tcp -m tcp --dport 80 -m owner --uid-owner 972 -j ACCEPT
-A fw-net -j ACCEPT
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-fw -j Drop
-A net-fw -j LOG --log-prefix "Shorewall:net-fw:DROP:" --log-level 6
-A net-fw -j DROP
-A net_frwd -o enp0s19f2u4c2 -j ACCEPT
-A net_frwd -o enp3s0 -j ACCEPT
-A net_frwd -o wlp4s6 -j ACCEPT
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s
224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
-A sfilter -j DROP
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
-A wlp4s6_fwd -o wlp4s6 -g sfilter
-A wlp4s6_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wlp4s6_fwd -p tcp -j tcpflags
-A wlp4s6_fwd -j net_frwd
-A wlp4s6_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wlp4s6_in -p tcp -j tcpflags
-A wlp4s6_in -j net-fw
COMMIT
# Completed on Thu Aug 11 10:30:24 2016
Wolfgang
--
Wer weiß, was du morgen schon erreicht hättest,
würdest du es heute versuchen.