Problem iptables udp port

Everything about network technology and protocols
termi11
Posts: 34
Joined: 2004-05-10 10:07
Location: Luxemburg

Post by termi11 »

Hello,
I have a small Linux server (AliX) as router/firewall.
Several ports are supposed to be forwarded on it, which works very well, except for one UDP port:

The script looks like this:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
# Drop ICMP echo-request messages sent to broadcast or multicast addresses (ping)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection against SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Don't log packets with impossible source addresses
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians

# At boot, by default no address rewriting is attempted.
# 1 = enabled
# 2 = enabled with verbose mode
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
then
    echo "2" > /proc/sys/net/ipv4/ip_dynaddr
fi
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_irc
modprobe ip_nat_ftp
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_pptp
modprobe ip_conntrack_pptp
modprobe ip_gre

# Note: $IPTABLES, $OUTDEV, $INDEV, $SRV_IP and the CLASS_*/LOOPBACK ranges
# are not defined in this excerpt of the script.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
#$IPTABLES -F SSH_CHECK

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
for i in ${CLASS_A} ${CLASS_B} ${CLASS_C} ${CLASS_D} ${CLASS_E} ${LOOPBACK}
do
    $IPTABLES -A INPUT -i $OUTDEV -s $i -j DROP
done

# Force SYN packet check
# Make sure NEW incoming TCP connections are SYN packets; otherwise drop them:
$IPTABLES -A INPUT -i $OUTDEV -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"
$IPTABLES -A INPUT -i $OUTDEV -p tcp ! --syn -m state --state NEW -j DROP

# Force fragment packet check
# Drop incoming fragmented packets; fragment attacks can crash a Linux server and cause data loss.
$IPTABLES -A INPUT -i $OUTDEV -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPTABLES -A INPUT -i $OUTDEV -f -j DROP

# Block bad stuff
$IPTABLES -A INPUT -i $OUTDEV -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -i $OUTDEV -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $OUTDEV -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPTABLES -A INPUT -i $OUTDEV -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
$IPTABLES -A INPUT -i $OUTDEV -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -i $OUTDEV -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPTABLES -A INPUT -i $OUTDEV -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS
$IPTABLES -A INPUT -i $OUTDEV -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPTABLES -A INPUT -i $OUTDEV -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
$IPTABLES -A INPUT -i $OUTDEV -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow unlimited traffic on the loopback interface
$IPTABLES -I INPUT -i lo -j ACCEPT
$IPTABLES -I OUTPUT -o lo -j ACCEPT
.
.
.
# Masquerade
$IPTABLES -t nat -A POSTROUTING -o $OUTDEV -j MASQUERADE
$IPTABLES -A FORWARD -i $INDEV -o $OUTDEV -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $OUTDEV -o $INDEV -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Forward UDP 54277 to the internal server
$IPTABLES -t nat -A PREROUTING -p udp -i $OUTDEV --dport 54277 -j DNAT --to-destination $SRV_IP
$IPTABLES -A FORWARD -p udp -d $SRV_IP --dport 54277 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Log and drop everything that did not match above
$IPTABLES -A INPUT -j LOG --log-prefix "Drop INPUT:"
$IPTABLES -A OUTPUT -j LOG --log-prefix "Drop OUTPUT:"
$IPTABLES -A FORWARD -j LOG --log-prefix "Drop FORWARD:"

$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j DROP

As I said, all the ports I forward work, except for 54277 UDP:

Code:

May 13 13:16:50 fw kernel: [18862.438887] Drop INPUT:IN=ppp0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=my.ip LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=36354 DPT=54277 LEN=20
May 13 13:16:50 fw kernel: [18862.440257] Drop INPUT:IN=ppp0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=my.ip LEN=48 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=36354 DPT=54277 LEN=28
May 13 13:16:50 fw kernel: [18862.444800] Drop INPUT:IN=ppp0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=my.ip LEN=48 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=36354 DPT=54277 LEN=28
May 13 13:16:50 fw kernel: [18862.550720] Drop OUTPUT:IN= OUT=ppp0 SRC=xxx.xxx.xxx.xxx DST=my.ip LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=63375 PROTO=ICMP TYPE=3 CODE=3 [SRC=xxx.xxx.xxx.xxx DST=my.ip LEN=48 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=36354 DPT=54277 LEN=28 ]
I do forward them, yet they still get blocked. I don't understand why.
Many thanks for any help.
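A small log-triage helper for the "Drop INPUT:" / "Drop OUTPUT:" / "Drop FORWARD:" lines the script above produces, added here as an example; it is not part of termi11's post or script. It parses each LOG-target line into its fields and says, for a DNAT'd UDP port, where in the packet path the datagram was lost: a drop in INPUT with DST still the router's own address means nat/PREROUTING never rewrote that flow, a drop in FORWARD means the rewrite happened but no FORWARD rule accepted it. The first two sample lines copy the shape of the post's log (xxx.xxx.xxx.xxx and my.ip are the poster's placeholders); the FORWARD line and the inside address 192.168.1.10 are constructed.

```python
import re
from typing import Dict, List

# Constructed sample: the first two lines are shaped like the kernel log in the
# post above (xxx.xxx.xxx.xxx and my.ip are the poster's own placeholders); the
# FORWARD line is made up here to show the third case.
SAMPLE_LOG = """\
May 13 13:16:50 fw kernel: [18862.438887] Drop INPUT:IN=ppp0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=my.ip LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=36354 DPT=54277 LEN=20
May 13 13:16:50 fw kernel: [18862.550720] Drop OUTPUT:IN= OUT=ppp0 SRC=xxx.xxx.xxx.xxx DST=my.ip LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=63375 PROTO=ICMP TYPE=3 CODE=3 [SRC=xxx.xxx.xxx.xxx DST=my.ip LEN=48 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=36354 DPT=54277 LEN=28 ]
May 13 13:17:02 fw kernel: [18874.100000] Drop FORWARD:IN=ppp0 OUT=eth1 SRC=xxx.xxx.xxx.xxx DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=36354 DPT=54277 LEN=28
"""
FORWARDED_UDP_PORT = 54277  # the port the script DNATs in nat/PREROUTING
_PREFIX = re.compile(r"Drop (?P<chain>\w+):(?P<rest>.*)$")  # the script's --log-prefix
_KV = re.compile(r"(\w+)=(\S*)")

def parse_line(line: str) -> Dict[str, str]:
    """Chain plus key=value fields of one LOG line; the datagram quoted inside
    [...] of an ICMP error goes into 'inner_*' keys. Other lines give {}."""
    m = _PREFIX.search(line)
    if not m:
        return {}
    outer, _, inner = m.group("rest").partition("[")
    fields = {"chain": m.group("chain")}
    for key, value in _KV.findall(outer):
        fields.setdefault(key, value)  # keep the first LEN (IP header), not the UDP one
    for key, value in _KV.findall(inner):
        fields.setdefault("inner_" + key, value)
    return fields

def diagnose(fields: Dict[str, str], port: int) -> str:
    """Say where a datagram for the forwarded port was lost."""
    udp_to_port = fields.get("PROTO") == "UDP" and fields.get("DPT") == str(port)
    chain = fields.get("chain")
    if chain == "INPUT" and udp_to_port:
        # DST is still the router's own address: nat/PREROUTING never rewrote this
        # flow, so the routing decision sent it to INPUT instead of FORWARD.
        return "dnat-not-applied"
    if chain == "FORWARD" and udp_to_port:
        # DNAT did rewrite DST to the inside host, but no FORWARD rule accepted it.
        return "forward-rule-missed"
    if (chain == "OUTPUT" and fields.get("PROTO") == "ICMP" and fields.get("TYPE") == "3"
            and fields.get("CODE") == "3" and fields.get("inner_DPT") == str(port)):
        # Port unreachable from the router itself: the kernel treated the quoted
        # datagram as local delivery and found no listener on that port.
        return "router-sent-port-unreachable"
    return "unrelated"

def diagnose_log(text: str, port: int) -> List[str]:
    return [diagnose(parse_line(ln), port) for ln in text.splitlines() if ln.strip()]
```

Running it over the post's own lines yields "dnat-not-applied" for the INPUT drops, which is the check to make before touching the FORWARD rules: compare the interface in the PREROUTING rule with the IN= interface in the log.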