iptables won't cooperate

markus0815

New Member
Hi,

I took a small Raspberry Pi 3 and turned it into a VPN router.
eth0 is plugged into my Fritzbox.
eth1 has another PC attached that is supposed to reach the internet through the VPN.

I've spent some time on the topic of iptables, but somehow I'm not really getting anywhere here.

I used this code here and everything is fine.

Code:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i  eth1 -o tun0 -j ACCEPT

Now I've read something here in the forum about ports that you have to open if you don't want to let everything through.

My code for that:
Warning, lots and lots more...

Code:
#!/bin/bash

#--Internet--Fritzbox ---192.168.10.0/24--- eth0-VPN-Router-eth1 ----192.168.200.0/24--- PC 
#                        |
#                        |
#                        |--- 192.168.10.116--- NAS
#
#
#
# 192.168.10.0/24  LAN behind the Fritzbox
# 192.168.200.0/24 LAN behind the VPN router

iptables="/sbin/iptables"
ip6tables="/sbin/ip6tables"

echo "Flushing rules"

# Flush rules first, then delete user-defined chains (-X fails while a rule still references a chain)
$iptables -F
$iptables -X
$iptables -t nat -F
$iptables -t nat -X

echo "Default DROP"

# -P takes the policy name directly; "-P INPUT -j DROP" is rejected by iptables
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP

$ip6tables -P INPUT DROP
$ip6tables -P OUTPUT DROP
$ip6tables -P FORWARD DROP


echo "Connection Tracking"

$iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED  -j ACCEPT
$iptables -A FORWARD -m conntrack --ctstate=INVALID -j DROP
$iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED  -j ACCEPT
$iptables -A INPUT -m conntrack --ctstate=INVALID -j DROP
$iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED  -j ACCEPT
$iptables -A OUTPUT -m conntrack --ctstate=INVALID -j DROP

echo "Output"

$iptables -A OUTPUT -o eth0 -p tcp --dport=53 -j ACCEPT
$iptables -A OUTPUT -o eth0 -p tcp --dport=80 -j ACCEPT
$iptables -A OUTPUT -o eth0 -p tcp --dport=21 -j ACCEPT
$iptables -A OUTPUT -o eth0 -p tcp --dport=443 -j ACCEPT

echo "Output VPN - Ports"

$iptables -A OUTPUT -p UDP -o tun0 --dport=148 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p UDP -o tun0 --dport=149 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p UDP -o tun0 --dport=150 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p UDP -o tun0 --dport=151 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p UDP -o tun0 --dport=1148 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p UDP -o tun0 --dport=1149 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p UDP -o tun0 --dport=1150 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p UDP -o tun0 --dport=1151 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p UDP -o tun0 --dport=1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$iptables -A OUTPUT -p TCP -o tun0 --dport=1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p TCP -o tun0 --dport=300 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p TCP -o tun0 --dport=301 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p TCP -o tun0 --dport=142 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p TCP -o tun0 --dport=152 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p TCP -o tun0 --dport=1142 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p TCP -o tun0 --dport=1152 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p TCP -o tun0 --dport=53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p TCP -o tun0 --dport=80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p TCP -o tun0 --dport=443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p TCP -o tun0 --dport=21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo "Input VPN - Ports"

$iptables -A INPUT -p UDP -i tun0 --sport=148 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p UDP -i tun0 --sport=149 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p UDP -i tun0 --sport=150 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p UDP -i tun0 --sport=151 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p UDP -i tun0 --sport=1148 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p UDP -i tun0 --sport=1149 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p UDP -i tun0 --sport=1150 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p UDP -i tun0 --sport=1151 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p UDP -i tun0 --dport=1194 -m state --state ESTABLISHED,RELATED -j ACCEPT

$iptables -A INPUT -p TCP -i tun0 --dport=1194 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p TCP -i tun0 --sport=300 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p TCP -i tun0 --sport=301 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p TCP -i tun0 --sport=142 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p TCP -i tun0 --sport=152 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p TCP -i tun0 --sport=1142 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p TCP -i tun0 --sport=1152 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
echo "Forward VPN - Ports"

$iptables -A FORWARD -p UDP -i eth1 -o tun0 --dport=148 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o tun0 --dport=149 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o tun0 --dport=150 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o tun0 --dport=151 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o tun0 --dport=1148 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o tun0 --dport=1149 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o tun0 --dport=1150 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o tun0 --dport=1151 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o tun0 --dport=1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=300 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=301 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=142 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=152 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=1142 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=1152 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o tun0 --dport=6500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo "SSH"

$iptables -A INPUT -p tcp -i eth0 -s 192.168.10.0/24 --dport 22 -m conntrack --ctstate=NEW -j ACCEPT
$iptables -A INPUT -p tcp -i eth1 -s 192.168.200.0/24 --dport 22 -m conntrack --ctstate=NEW -j ACCEPT
$iptables -A FORWARD -p tcp -i eth0 -o eth1 -s 192.168.10.0/24 -d 192.168.200.0/24 --dport 22 -m conntrack --ctstate=NEW -j ACCEPT
$iptables -A FORWARD -p tcp -i eth1 -o eth0 -s 192.168.200.0/24 -d 192.168.10.0/24 --dport 22 -m conntrack --ctstate=NEW -j ACCEPT

echo "Lo"

$iptables -A FORWARD -i lo -o lo -j ACCEPT
$iptables -A INPUT -i lo -j ACCEPT

echo "Icmp"

$iptables -A FORWARD -p icmp -i eth0 -o eth1 -s 192.168.10.0/24 -m conntrack --ctstate=NEW -j ACCEPT
$iptables -A FORWARD -p icmp -i eth1 -o eth0 -s 192.168.200.0/24 -m conntrack --ctstate=NEW -j ACCEPT
$iptables -A FORWARD -p icmp -i eth1 -o tun0 -d 0.0.0.0/0 -m conntrack --ctstate=NEW -j ACCEPT
$iptables -A FORWARD -p icmp -i eth1 -o eth0 -d 0.0.0.0/0 -m conntrack --ctstate=NEW -j ACCEPT
$iptables -A OUTPUT -p icmp -o eth0 -d 192.168.10.0/24 -m conntrack --ctstate=NEW -j ACCEPT
$iptables -A OUTPUT -p icmp -o tun0 -d 0.0.0.0/0 -m conntrack --ctstate=NEW -j ACCEPT
$iptables -A OUTPUT -p icmp -o eth1 -d 192.168.200.0/24 -m conntrack --ctstate=NEW -j ACCEPT
$iptables -A OUTPUT -p icmp -o eth0 -d 0.0.0.0/0 -m conntrack --ctstate=NEW -j ACCEPT

echo "nat"

$iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

echo "Forward Ports"

#
$iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.200.0/24 --dport=21 -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.200.0/24 --dport=53 -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.200.0/24 --dport=80 -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.200.0/24 --dport=443 -j ACCEPT
#
# NFS to the NAS only: a host address needs no mask, "192.168.10.116/24" would match the whole 192.168.10.0/24 subnet
$iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.200.0/24 -d 192.168.10.116 --dport=111 -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.200.0/24 -d 192.168.10.116 --dport=892 -j ACCEPT
$iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.200.0/24 -d 192.168.10.116 --dport=2049 -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o eth0 -s 192.168.200.0/24 -d 192.168.10.116 --dport=111 -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o eth0 -s 192.168.200.0/24 -d 192.168.10.116 --dport=892 -j ACCEPT
$iptables -A FORWARD -p UDP -i eth1 -o eth0 -s 192.168.200.0/24 -d 192.168.10.116 --dport=2049 -j ACCEPT

echo "Done!!"

echo "Saving and rebooting"

sh -c "iptables-save > /etc/iptables.ipv4.nat"
reboot

If anyone here can see through this and tell me why I can't get a VPN connection, I'd be very grateful if they'd let me know :)
With this command I always get my own address shown.
Code:
wget -O - -q icanhazip.com
Thanks, regards and a happy day to you all.
Markus
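As an added example (not the poster's script), here is the same topology as a default-deny ruleset that gets the points above right: the OpenVPN session itself has to be permitted out of eth0, because tun0 does not exist until the session is up; the PC behind eth1 is forwarded only into tun0, so a dropped tunnel fails closed instead of leaking via the Fritzbox; and the NAS exception is a host match rather than a /24. The VPN server address 203.0.113.10 (documentation space), its port 1194, the variable names and the function layout are assumptions for illustration; the interface names, subnets and NAS address are taken from the post. Setting IPT=echo prints the generated rules instead of loading them, which is how to review the ruleset without root.

```shell
#!/bin/sh
# Added example, not the poster's script: a minimal default-deny ruleset for
# the eth0 (Fritzbox uplink) / eth1 (PC LAN) / tun0 (OpenVPN) layout.
# Assumptions, all hypothetical: VPN_SERVER is the OpenVPN server's public IP
# (203.0.113.10 is documentation space), VPN_PORT its UDP port, NAS the NFS
# host on the Fritzbox LAN. Set IPT=echo to print the rules instead of
# loading them; "--apply" as first argument loads them for real.

IPT="${IPT:-/sbin/iptables}"
IP6T="${IP6T:-/sbin/ip6tables}"
WAN=eth0; LAN=eth1; VPN=tun0
LAN_NET=192.168.200.0/24
UPSTREAM_NET=192.168.10.0/24
NAS=192.168.10.116
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"

rules_reset() {
    # Flush first, then delete chains: -X fails while a rule still references a chain.
    for t in filter nat; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    # -P takes the target name directly ("-P INPUT -j DROP" is rejected).
    for c in INPUT OUTPUT FORWARD; do
        $IPT -P "$c" DROP
        $IP6T -P "$c" DROP
    done
}

rules_base() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for c in INPUT OUTPUT FORWARD; do
        $IPT -A "$c" -m conntrack --ctstate INVALID -j DROP
        $IPT -A "$c" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
}

rules_router() {
    # The OpenVPN session itself leaves over the physical uplink; tun0 only
    # exists once it is up. Allow exactly that, plus DNS to resolve the server
    # name, and nothing else from the router out of eth0.
    $IPT -A OUTPUT -o "$WAN" -p udp -d "$VPN_SERVER" --dport "$VPN_PORT" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    # Router-originated traffic (package updates etc.) goes through the tunnel.
    $IPT -A OUTPUT -o "$VPN" -m conntrack --ctstate NEW -j ACCEPT
    # SSH to the router from either LAN.
    $IPT -A INPUT -i "$WAN" -s "$UPSTREAM_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

rules_forward() {
    # Kill switch: the PC reaches the internet only through tun0. There is no
    # eth1 -> eth0 rule for arbitrary destinations, so with the tunnel down its
    # packets hit the DROP policy instead of leaking via the Fritzbox.
    $IPT -A FORWARD -i "$LAN" -o "$VPN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$VPN" -s "$LAN_NET" -j MASQUERADE
    # Sole exception: NFS on the NAS, as a host match (/32), not the whole /24.
    for p in tcp udp; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -d "$NAS/32" -p "$p" -m multiport --dports 111,892,2049 -m conntrack --ctstate NEW -j ACCEPT
    done
    # NAT that exception too, so the NAS needs no static route back to LAN_NET.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -d "$NAS/32" -j MASQUERADE
}

apply_firewall() {
    rules_reset
    rules_base
    rules_router
    rules_forward
}

# Only touch the kernel when explicitly asked to (run as root).
if [ "${1:-}" = "--apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    apply_firewall
    iptables-save > /etc/iptables.ipv4.nat
fi
```

Run it as `IPT=echo IP6T=echo sh vpn-fw.sh` (with the functions called, e.g. by adding `apply_firewall` at the end for a dry run) to read the rules, then `sh vpn-fw.sh --apply` as root. Afterwards `iptables -S` should list the policies as `-P INPUT DROP` and friends, `ip route` should show the default route pushed by the VPN via tun0, and `wget -O - -q icanhazip.com` from the PC should return the VPN exit address. If it still returns the address of the Fritzbox uplink, check the packet counters with `iptables -vnL OUTPUT` and `iptables -vnL FORWARD` to see which chain is dropping, and whether the OpenVPN client log shows its UDP handshake leaving eth0 at all.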
 