I have an iptables packet filter running here on my Sarge box. Normally it works quite well, but since switching providers today I suddenly can no longer reach the machine from my address (Alice: 70.48.x.x). If I change this address to a 141.x.x.x address via the university VPN, it works.
I have the same problem when I'm on the LAN at my parents' place (the machine sits behind a WLAN router there, through which the other machines are connected as well). As long as the firewall is active, all external users (except Alice customers) can reach the machine, only my parents can't. It only works once I switch the firewall off.
So far that was merely annoying, since I could briefly shut the firewall down from the physical keyboard; my parents don't use it anyway. But now I'm sitting several hundred kilometres away and can only get in with great difficulty. And without the firewall, routing doesn't work either ... not nice.
Can anyone tell me what causes this / could cause this? I'm happy to post some more information here if necessary.
Interface to the router: /dev/eth0: 192.168.1.11, router: 192.168.1.250 (= default gateway), parents' PC: 192.168.1.10
VPN interface: /dev/tun0: 172.16.1.1
Second network card (disabled): /dev/eth1: 192.168.100.60
ISDN card: /dev/ippp0: 192.168.2.10 (currently not in use, though)
debian:/home/kniffte# iptables -V
iptables v1.2.11
debian:/home/kniffte# uname -r
2.6.17.13
debian:/home/kniffte# less /etc/firehol/firehol.conf
# See the section "Adding Services" in the documentation
# Example service x, listening on port TCP/z
# > server_x_ports="tcp/z"
# > client_x_ports="default"
server_openvpn_ports="tcp/21"
client_openvpn_ports="any"
## Settings for openVPN:
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -i lo -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
# for DefaultGW operations of OpenVPN:
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
## Settings for ISDN-CallIN
iptables -A INPUT -i ippp+ -j ACCEPT
iptables -A FORWARD -i ippp+ -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -i eth1 -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -i lo -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -i ippp0 -j ACCEPT
iptables -A OUTPUT -o ippp+ -j ACCEPT
# for DefaultGW operations of ISDN-CallIN:
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
FIREHOL_LOG_MODE="ULOG"
FIREHOL_LOG_LEVEL="--log-level warning"
FIREHOL_LOG_OPTIONS="--log-tcp-options --log-ip-options"
FIREHOL_LOG_FREQUENCY="1/second"
#FIREHOL_LOG_FREQUENCY="30/minute"
#FIREHOL_LOG_BURST="5"
FIREHOL_LOG_BURST="2"
# ----------------------------------------------------------------------------
# NETWORK DEFINITIONS - Normally, only these are to be touched by you.
# ----------------------------------------------------------------------------
# You can define anything you like, assuming you are using it later.
# --- HOME ---
# The definition of our HOME LAN.
HOME_MYIP="192.168.100.60" # The IP on our HOME LAN
HOME_MYIF="eth1" # The HOME LAN interface
HOME_BCAST="192.168.100.255" # The HOME LAN broadcast
HOME_LAN="192.168.100.0/16" # The HOME LAN
HOME_SERVICES="all"
# Do we run a DHCP server on the HOME LAN?
HOME_DHCP=0 # Set to 0 to disable
# --- PUBLIC ---
# The definition of our PUBLIC interface.
PUBLIC_MYIP="" # Leave empty for dynamic IP
PUBLIC_MYIF="eth0" # The public interface
PUBLIC_SERVICES="ssh http openvpn icmp https"
#PUBLIC_SERVICES="ssh openvpn"
# Is the PPP interface a DIAL-ON-DEMAND?
DIAL_ON_DEMAND=0 # Set to 0 to disable
# --- TRUSTED ---
# Hosts in the internet I trust for accessing private services
# Empty these to disable.
TRUSTED_PCS=""
TRUSTED_SERVICES=""
# --- TRANSPARENT CACHE ---
# Run a transparent cache?
SQUID_PORT="" # Leave empty to disable SQUID
SQUID_USERS="squid" # Users to be excluded from the cache
SQUID_EXCLUDE="" # Web Server IPs to be excluded from the cache
# --- BLACKLIST ---
# A space-separated list of IPs to be blocked.
blacklist=""
# ----------------------------------------------------------------------------
# HELPERS
# ----------------------------------------------------------------------------
# Block all traffic from/to certain IPs
if [ ! -z "${blacklist}" ]
then
blacklist full "${blacklist}"
fi
# Setup a transparent squid, only if SQUID_PORT is set.
if [ ! -z "${SQUID_PORT}" ]
then
transparent_squid "${SQUID_PORT}" "${SQUID_USERS}"
inface "${HOME_MYIF}" src "${HOME_LAN}"
`test ! -z "${SQUID_EXCLUDE}" && echo "dst not '${SQUID_EXCLUDE}'"`
fi
# ----------------------------------------------------------------------------
# NETWORK ADDRESS TRANSLATION
# ----------------------------------------------------------------------------
# Change the source/destination of packets...
# Should we do SNAT or MASQUERADE?
# If there is a PUBLIC_MYIP defined, we should do SNAT, otherwise MASQ.
#
if [ ! -z "${PUBLIC_MYIP}" ]
then
snat to "${PUBLIC_MYIP}"
outface "${PUBLIC_MYIF}"
src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"
else
masquerade "${PUBLIC_MYIF}"
fi
# To have some public service hit an internal machine, do this:
# (the example redirects external port TCP/26 to internal IP 10.0.0.2 port 25)
#
# > dnat to 10.0.0.2:25
# > inface "${PUBLIC_MYIF}"
# > src not "${HOME_LAN} ${UNROUTABLE_IPS}"
# > proto tcp dport 26
#
# For each such statement, the router at the end has to support it.
# ----------------------------------------------------------------------------
# PROTECT SELF
# ----------------------------------------------------------------------------
# Protect the firewall host...
# --- HOME ---
# Protect us from the HOME LAN
interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP} ${HOME_BCAST}"
policy reject
server "${HOME_SERVICES}" accept
client all accept
# DHCP needs 0.0.0.0/255.255.255.255 access.
if [ ${HOME_DHCP} -eq 1 ]
then
interface "${HOME_MYIF}" dhcp
server dhcp accept
fi
# --- PUBLIC ---
# Protect us from the PUBLIC
interface "${PUBLIC_MYIF}" internet
src not "${UNROUTABLE_IPS}"
`test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"`
protection strong
policy drop
# Are there any trusted PCs/services?
if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]
then
server "${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}"
fi
server "${PUBLIC_SERVICES}" accept
client all accept
# DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.
if [ ${DIAL_ON_DEMAND} -eq 1 ]
then
interface "${PUBLIC_MYIF}" dialup
client all accept
fi
# ----------------------------------------------------------------------------
# PROTECT ROUTING
# ----------------------------------------------------------------------------
# Protect the LAN...
# Route traffic for the clients on the LAN
router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}"
src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"
# route all client traffic
client all accept
# For the dnat example above, this is needed:
# > server smtp accept dst 10.0.0.2
debian:/home/kniffte# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
in_home all -- localhost/16 localhost
in_home all -- localhost/16 localhost
in_internet all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `IN-unknown:' queue_threshold 1
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere localhost/24
ACCEPT all -- anywhere localhost/24
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere localhost/24
ACCEPT all -- anywhere localhost/24
ACCEPT all -- anywhere localhost/24
ACCEPT all -- anywhere localhost/24
in_internet2lan all -- anywhere localhost/16
out_internet2lan all -- localhost/16 anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `PASS-unknown:' queue_threshold 1
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
out_home all -- localhost localhost/16
out_home all -- localhost localhost/16
out_internet all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `OUT-unknown:' queue_threshold 1
DROP all -- anywhere anywhere
Chain in_home (2 references)
target prot opt source destination
in_home_all_s1 all -- anywhere anywhere
in_home_irc_s2 all -- anywhere anywhere
in_home_ftp_s3 all -- anywhere anywhere
in_home_all_c4 all -- anywhere anywhere
in_home_irc_c5 all -- anywhere anywhere
in_home_ftp_c6 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG tcp -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `IN-home:' queue_threshold 1
REJECT tcp -- anywhere anywhere reject-with tcp-reset
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `IN-home:' queue_threshold 1
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain in_home_all_c4 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain in_home_all_s1 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
Chain in_home_ftp_c6 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1024:4999 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:1024:4999 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:4999 state ESTABLISHED
Chain in_home_ftp_s3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:4999 state RELATED,ESTABLISHED
Chain in_home_irc_c5 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:1024:4999 state ESTABLISHED
Chain in_home_irc_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ircd state NEW,ESTABLISHED
Chain in_internet (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/7 anywhere
RETURN all -- 2.0.0.0/8 anywhere
RETURN all -- 5.0.0.0/8 anywhere
RETURN all -- 7.0.0.0/8 anywhere
RETURN all -- 23.0.0.0/8 anywhere
RETURN all -- 27.0.0.0/8 anywhere
RETURN all -- 31.0.0.0/8 anywhere
RETURN all -- 36.0.0.0/7 anywhere
RETURN all -- 39.0.0.0/8 anywhere
RETURN all -- 41.0.0.0/8 anywhere
RETURN all -- 42.0.0.0/8 anywhere
RETURN all -- 73.0.0.0/8 anywhere
RETURN all -- h-74-0-0-0.dllatx37.covad.net/7 anywhere
RETURN all -- mo-76-0-0-0.dhcp.embarqhsd.net/6 anywhere
RETURN all -- 89.0.0.0/8 anywhere
RETURN all -- AMontpellier-257-1-113-net.w90-0.abo.wanadoo.fr/7 anywhere
RETURN all -- 92.0.0.0/6 anywhere
RETURN all -- 96.0.0.0/3 anywhere
RETURN all -- 173.0.0.0/8 anywhere
RETURN all -- 174.0.0.0/7 anywhere
RETURN all -- 176.0.0.0/5 anywhere
RETURN all -- 184.0.0.0/6 anywhere
RETURN all -- ip-189-0-0-0.user.vivozap.com.br/8 anywhere
RETURN all -- 190.0.0.0/8 anywhere
RETURN all -- 197.0.0.0/8 anywhere
RETURN all -- 223.0.0.0/8 anywhere
RETURN all -- 240.0.0.0/4 anywhere
RETURN all -- localhost/8 anywhere
RETURN all -- 169.254.0.0/16 anywhere
RETURN all -- localhost/12 anywhere
RETURN all -- 192.0.2.0/24 anywhere
RETURN all -- 192.88.99.0/24 anywhere
RETURN all -- localhost/16 anywhere
DROP all -- anywhere anywhere state INVALID
pr_internet_fragments all -f anywhere anywhere
pr_internet_nosyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
pr_internet_icmpflood icmp -- anywhere anywhere icmp echo-request
pr_internet_synflood tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
pr_internet_malxmas tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
pr_internet_malnull tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
pr_internet_malbad tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
pr_internet_malbad tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
pr_internet_malbad tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
pr_internet_malbad tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
in_internet_ssh_s1 all -- anywhere anywhere
in_internet_http_s2 all -- anywhere anywhere
in_internet_openvpn_s3 all -- anywhere anywhere
in_internet_icmp_s4 all -- anywhere anywhere
in_internet_https_s5 all -- anywhere anywhere
in_internet_all_c6 all -- anywhere anywhere
in_internet_irc_c7 all -- anywhere anywhere
in_internet_ftp_c8 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `IN-internet:' queue_threshold 1
DROP all -- anywhere anywhere
Chain in_internet2lan (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/7 anywhere
RETURN all -- 2.0.0.0/8 anywhere
RETURN all -- 5.0.0.0/8 anywhere
RETURN all -- 7.0.0.0/8 anywhere
RETURN all -- 23.0.0.0/8 anywhere
RETURN all -- 27.0.0.0/8 anywhere
RETURN all -- 31.0.0.0/8 anywhere
RETURN all -- 36.0.0.0/7 anywhere
RETURN all -- 39.0.0.0/8 anywhere
RETURN all -- 41.0.0.0/8 anywhere
RETURN all -- 42.0.0.0/8 anywhere
RETURN all -- 73.0.0.0/8 anywhere
RETURN all -- h-74-0-0-0.dllatx37.covad.net/7 anywhere
RETURN all -- mo-76-0-0-0.dhcp.embarqhsd.net/6 anywhere
RETURN all -- 89.0.0.0/8 anywhere
RETURN all -- AMontpellier-257-1-113-net.w90-0.abo.wanadoo.fr/7 anywhere
RETURN all -- 92.0.0.0/6 anywhere
RETURN all -- 96.0.0.0/3 anywhere
RETURN all -- 173.0.0.0/8 anywhere
RETURN all -- 174.0.0.0/7 anywhere
RETURN all -- 176.0.0.0/5 anywhere
RETURN all -- 184.0.0.0/6 anywhere
RETURN all -- ip-189-0-0-0.user.vivozap.com.br/8 anywhere
RETURN all -- 190.0.0.0/8 anywhere
RETURN all -- 197.0.0.0/8 anywhere
RETURN all -- 223.0.0.0/8 anywhere
RETURN all -- 240.0.0.0/4 anywhere
RETURN all -- localhost/8 anywhere
RETURN all -- 169.254.0.0/16 anywhere
RETURN all -- localhost/12 anywhere
RETURN all -- 192.0.2.0/24 anywhere
RETURN all -- 192.88.99.0/24 anywhere
RETURN all -- localhost/16 anywhere
in_internet2lan_all_c1 all -- anywhere anywhere
in_internet2lan_irc_c2 all -- anywhere anywhere
in_internet2lan_ftp_c3 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
Chain in_internet2lan_all_c1 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain in_internet2lan_ftp_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
Chain in_internet2lan_irc_c2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:1024:65535 state ESTABLISHED
Chain in_internet_all_c6 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain in_internet_ftp_c8 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1024:4999 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:1024:4999 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:4999 state ESTABLISHED
Chain in_internet_http_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:www state NEW,ESTABLISHED
Chain in_internet_https_s5 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:https state NEW,ESTABLISHED
Chain in_internet_icmp_s4 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED
Chain in_internet_irc_c7 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:1024:4999 state ESTABLISHED
Chain in_internet_openvpn_s3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
Chain in_internet_ssh_s1 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh state NEW,ESTABLISHED
Chain out_home (2 references)
target prot opt source destination
out_home_all_s1 all -- anywhere anywhere
out_home_irc_s2 all -- anywhere anywhere
out_home_ftp_s3 all -- anywhere anywhere
out_home_all_c4 all -- anywhere anywhere
out_home_irc_c5 all -- anywhere anywhere
out_home_ftp_c6 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG tcp -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `OUT-home:' queue_threshold 1
REJECT tcp -- anywhere anywhere reject-with tcp-reset
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `OUT-home:' queue_threshold 1
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain out_home_all_c4 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
Chain out_home_all_s1 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain out_home_ftp_c6 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:4999 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:4999 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:4999 dpts:1024:65535 state RELATED,ESTABLISHED
Chain out_home_ftp_s3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:4999 dpts:1024:65535 state ESTABLISHED
Chain out_home_irc_c5 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:4999 dpt:ircd state NEW,ESTABLISHED
Chain out_home_irc_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:1024:65535 state ESTABLISHED
Chain out_internet (1 references)
target prot opt source destination
RETURN all -- anywhere 0.0.0.0/7
RETURN all -- anywhere 2.0.0.0/8
RETURN all -- anywhere 5.0.0.0/8
RETURN all -- anywhere 7.0.0.0/8
RETURN all -- anywhere 23.0.0.0/8
RETURN all -- anywhere 27.0.0.0/8
RETURN all -- anywhere 31.0.0.0/8
RETURN all -- anywhere 36.0.0.0/7
RETURN all -- anywhere 39.0.0.0/8
RETURN all -- anywhere 41.0.0.0/8
RETURN all -- anywhere 42.0.0.0/8
RETURN all -- anywhere 73.0.0.0/8
RETURN all -- anywhere h-74-0-0-0.dllatx37.covad.net/7
RETURN all -- anywhere mo-76-0-0-0.dhcp.embarqhsd.net/6
RETURN all -- anywhere 89.0.0.0/8
RETURN all -- anywhere AMontpellier-257-1-113-net.w90-0.abo.wanadoo.fr/7
RETURN all -- anywhere 92.0.0.0/6
RETURN all -- anywhere 96.0.0.0/3
RETURN all -- anywhere 173.0.0.0/8
RETURN all -- anywhere 174.0.0.0/7
RETURN all -- anywhere 176.0.0.0/5
RETURN all -- anywhere 184.0.0.0/6
RETURN all -- anywhere ip-189-0-0-0.user.vivozap.com.br/8
RETURN all -- anywhere 190.0.0.0/8
RETURN all -- anywhere 197.0.0.0/8
RETURN all -- anywhere 223.0.0.0/8
RETURN all -- anywhere 240.0.0.0/4
RETURN all -- anywhere localhost/8
RETURN all -- anywhere 169.254.0.0/16
RETURN all -- anywhere localhost/12
RETURN all -- anywhere 192.0.2.0/24
RETURN all -- anywhere 192.88.99.0/24
RETURN all -- anywhere localhost/16
out_internet_ssh_s1 all -- anywhere anywhere
out_internet_http_s2 all -- anywhere anywhere
out_internet_openvpn_s3 all -- anywhere anywhere
out_internet_icmp_s4 all -- anywhere anywhere
out_internet_https_s5 all -- anywhere anywhere
out_internet_all_c6 all -- anywhere anywhere
out_internet_irc_c7 all -- anywhere anywhere
out_internet_ftp_c8 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `OUT-internet:' queue_threshold 1
DROP all -- anywhere anywhere
Chain out_internet2lan (1 references)
target prot opt source destination
RETURN all -- anywhere 0.0.0.0/7
RETURN all -- anywhere 2.0.0.0/8
RETURN all -- anywhere 5.0.0.0/8
RETURN all -- anywhere 7.0.0.0/8
RETURN all -- anywhere 23.0.0.0/8
RETURN all -- anywhere 27.0.0.0/8
RETURN all -- anywhere 31.0.0.0/8
RETURN all -- anywhere 36.0.0.0/7
RETURN all -- anywhere 39.0.0.0/8
RETURN all -- anywhere 41.0.0.0/8
RETURN all -- anywhere 42.0.0.0/8
RETURN all -- anywhere 73.0.0.0/8
RETURN all -- anywhere h-74-0-0-0.dllatx37.covad.net/7
RETURN all -- anywhere mo-76-0-0-0.dhcp.embarqhsd.net/6
RETURN all -- anywhere 89.0.0.0/8
RETURN all -- anywhere AMontpellier-257-1-113-net.w90-0.abo.wanadoo.fr/7
RETURN all -- anywhere 92.0.0.0/6
RETURN all -- anywhere 96.0.0.0/3
RETURN all -- anywhere 173.0.0.0/8
RETURN all -- anywhere 174.0.0.0/7
RETURN all -- anywhere 176.0.0.0/5
RETURN all -- anywhere 184.0.0.0/6
RETURN all -- anywhere ip-189-0-0-0.user.vivozap.com.br/8
RETURN all -- anywhere 190.0.0.0/8
RETURN all -- anywhere 197.0.0.0/8
RETURN all -- anywhere 223.0.0.0/8
RETURN all -- anywhere 240.0.0.0/4
RETURN all -- anywhere localhost/8
RETURN all -- anywhere 169.254.0.0/16
RETURN all -- anywhere localhost/12
RETURN all -- anywhere 192.0.2.0/24
RETURN all -- anywhere 192.88.99.0/24
RETURN all -- anywhere localhost/16
out_internet2lan_all_c1 all -- anywhere anywhere
out_internet2lan_irc_c2 all -- anywhere anywhere
out_internet2lan_ftp_c3 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
Chain out_internet2lan_all_c1 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
Chain out_internet2lan_ftp_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
Chain out_internet2lan_irc_c2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ircd state NEW,ESTABLISHED
Chain out_internet_all_c6 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
Chain out_internet_ftp_c8 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:4999 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:4999 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:4999 dpts:1024:65535 state RELATED,ESTABLISHED
Chain out_internet_http_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:www dpts:1024:65535 state ESTABLISHED
Chain out_internet_https_s5 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:https dpts:1024:65535 state ESTABLISHED
Chain out_internet_icmp_s4 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
Chain out_internet_irc_c7 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:4999 dpt:ircd state NEW,ESTABLISHED
Chain out_internet_openvpn_s3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
Chain out_internet_ssh_s1 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh dpts:1024:65535 state ESTABLISHED
Chain pr_internet_fragments (1 references)
target prot opt source destination
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `PACKET FRAGMENTS:' queue_threshold 1
DROP all -- anywhere anywhere
Chain pr_internet_icmpflood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 100/sec burst 50
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `ICMP FLOOD:' queue_threshold 1
DROP all -- anywhere anywhere
Chain pr_internet_malbad (4 references)
target prot opt source destination
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `MALFORMED BAD:' queue_threshold 1
DROP all -- anywhere anywhere
Chain pr_internet_malnull (1 references)
target prot opt source destination
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `MALFORMED NULL:' queue_threshold 1
DROP all -- anywhere anywhere
Chain pr_internet_malxmas (1 references)
target prot opt source destination
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `MALFORMED XMAS:' queue_threshold 1
DROP all -- anywhere anywhere
Chain pr_internet_nosyn (1 references)
target prot opt source destination
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `NEW TCP w/o SYN:' queue_threshold 1
DROP all -- anywhere anywhere
Chain pr_internet_synflood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 100/sec burst 50
ULOG all -- anywhere anywhere limit: avg 1/sec burst 2 ULOG copy_range 0 nlgroup 1 prefix `SYN FLOOD:' queue_threshold 1
DROP all -- anywhere anywhere
... I haven't changed anything else.
Thanks, all.
kniffte
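The parents'-LAN symptom can be checked against the dump above without touching the box. The script below is an added example (not from the post and not firehol code): it replays the top of the in_internet chain, where firehol's `src not "${UNROUTABLE_IPS}"` is implemented as RETURN rules that hand matching sources back to INPUT, whose final rule is DROP, for a few constructed source addresses. The numeric prefixes substituted for the hostnames that `iptables -L` resolved, and the `lan_exempt` option modelling an extra interface definition for 192.168.1.0/24, are assumptions.

```python
import ipaddress

# Source prefixes that the in_internet chain hands back to INPUT with RETURN
# (INPUT's final rule is DROP). Taken from the iptables -L output above.
# iptables -L ran without -n and resolved some network addresses to names; the
# numeric prefixes substituted for those names are assumptions:
#   h-74-0-0-0.dllatx37.covad.net/7         -> 74.0.0.0/7
#   mo-76-0-0-0.dhcp.embarqhsd.net/6        -> 76.0.0.0/6
#   AMontpellier-...w90-0.abo.wanadoo.fr/7  -> 90.0.0.0/7
#   ip-189-0-0-0.user.vivozap.com.br/8      -> 189.0.0.0/8
#   localhost/8, localhost/12, localhost/16 -> 127.0.0.0/8, 172.16.0.0/12,
#                                              192.168.0.0/16 (firehol PRIVATE_IPS)
IN_INTERNET_RETURNS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/7", "2.0.0.0/8", "5.0.0.0/8", "7.0.0.0/8", "23.0.0.0/8",
    "27.0.0.0/8", "31.0.0.0/8", "36.0.0.0/7", "39.0.0.0/8", "41.0.0.0/8",
    "42.0.0.0/8", "73.0.0.0/8", "74.0.0.0/7", "76.0.0.0/6", "89.0.0.0/8",
    "90.0.0.0/7", "92.0.0.0/6", "96.0.0.0/3", "173.0.0.0/8", "174.0.0.0/7",
    "176.0.0.0/5", "184.0.0.0/6", "189.0.0.0/8", "190.0.0.0/8", "197.0.0.0/8",
    "223.0.0.0/8", "240.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
)]

# Services the post's PUBLIC_SERVICES allows on eth0, keyed by the ports the
# in_internet_*_s* chains match (openvpn is mapped to tcp/21 in the post's
# firehol.conf, hence "dpt:ftp" in the dump).
PUBLIC_SERVICES = {("tcp", 22): "ssh", ("tcp", 80): "http",
                   ("tcp", 21): "openvpn", ("tcp", 443): "https",
                   ("icmp", None): "icmp"}


def unroutable_prefix(src):
    """First in_internet RETURN prefix covering src, or None if none matches."""
    addr = ipaddress.ip_address(src)
    for net in IN_INTERNET_RETURNS:
        if addr in net:
            return str(net)
    return None


def verdict(src, proto, dport, lan_exempt=None):
    """Fate of a NEW packet arriving on eth0 for the firewall host itself.

    Mirrors INPUT -> in_internet from the dump. lan_exempt, if given, models an
    additional firehol interface definition for that LAN placed before the
    internet one (an assumed fix to test, not something from the post).
    """
    addr = ipaddress.ip_address(src)
    if lan_exempt is not None and addr in ipaddress.ip_network(lan_exempt):
        return "ACCEPT (lan interface)"
    hit = unroutable_prefix(src)
    if hit:
        # RETURN leaves in_internet; INPUT then logs IN-unknown and drops.
        return f"DROP (RETURN for {hit}, INPUT policy DROP, logged IN-unknown)"
    if (proto, dport) in PUBLIC_SERVICES:
        return f"ACCEPT ({PUBLIC_SERVICES[(proto, dport)]})"
    return "DROP (in_internet, logged IN-internet)"


if __name__ == "__main__":
    # Constructed sample sources: the parents' PC from the post, a university
    # VPN address, a host in space the stale list still treats as unroutable,
    # and an address of the shape the post gives for Alice.
    for src in ("192.168.1.10", "141.0.0.1", "74.125.0.1", "70.48.0.1"):
        print(f"{src:>14} tcp/22 -> {verdict(src, 'tcp', 22)}")
    print("with LAN exemption:",
          verdict("192.168.1.10", "tcp", 22, lan_exempt="192.168.1.0/24"))
```

Run as shown, 192.168.1.10 is bounced by the 192.168.0.0/16 entry while 141.0.0.1 is accepted, which matches the parents'-LAN symptom; a 70.48.x.x source is not matched by the displayed list at all, so that case needs the ULOG `IN-unknown:` / `IN-internet:` entries to diagnose. The firehol equivalent of `lan_exempt` would be an additional `interface "${PUBLIC_MYIF}" lan src "192.168.1.0/24"` block placed before the internet one (assumed, not from the post), and `iptables -L -n` avoids the hostname resolution seen in the dump.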