[Berlin-wireless] nanostation2 openwrt dhcp uplink und firewall
Lutz gruhlke
lutz.gruhlke
Do Okt 22 13:57:30 CEST 2009
Am 22.10.2009 um 13:51 schrieb Jo-Philipp Wich:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Poste einfach mal deine /etc/config/firewall und die Ausgabe von
> "iptables -nvL".
root@104-78-0-1:~# cat /etc/config/firewall
# OpenWrt UCI firewall configuration, as printed by `cat /etc/config/firewall`.
#
# Global defaults: fallback verdicts for traffic that no zone handles.
# The `iptables -nvL` output posted with this file shows INPUT with policy
# ACCEPT and the `input` chain dispatching only ath0 and eth0, so a packet
# arriving on any other interface ends up accepted.
# NOTE(review): consider 'input' 'REJECT' here once every interface is assigned
# to a zone.
config 'defaults'
# Enables the syn_flood chain (posted output: limit avg 25/sec burst 50).
option 'syn_flood' '1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
# Packets in conntrack state INVALID are not dropped; the posted ruleset
# contains no INVALID match.
option 'drop_invalid' '0'
# Zone 'lan': has no 'network' option. In the posted iptables output the chain
# zone_lan has 0 references, i.e. no interface currently feeds this zone.
config 'zone'
option 'name' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
# Zone 'wan' (eth0 in the posted output): the uplink side. Input to the router
# and forwarding are rejected unless a rule below allows them.
config 'zone'
option 'name' 'wan'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
# Masquerade (source NAT) traffic leaving through this zone.
option 'masq' '1'
# MSS clamping; visible as chain zone_wan_MSSFIX ("TCPMSS clamp to PMTU").
option 'mtu_fix' '1'
# NOTE(review): the meaning of local_restrict is not shown here; it presumably
# produces the 192.168.5.1 / 192.168.5.0/24 rules in the posted output -- confirm.
option 'local_restrict' '1'
option 'network' 'wan cfg056d96 cfg054fca'
# Allow forwarding from lan to wan.
config 'forwarding'
option 'src' 'lan'
option 'dest' 'wan'
# Accept UDP to port 68 arriving from wan (the DHCP client port), so the
# router can receive DHCP replies on its uplink.
config 'rule'
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '68'
option 'target' 'ACCEPT'
# Additional rules are loaded from this file. Its contents are not part of
# the message, so the effective ruleset may contain more than is defined here.
config 'include'
option 'path' '/etc/firewall.user'
# Zone 'freifunk': the wireless mesh side (network 'wifi0'; the posted output
# matches on ath0 -- presumably the same interface, confirm). Input to the
# router is rejected except for the per-port rules below.
config 'zone'
option 'masq' '1'
option 'input' 'REJECT'
option 'forward' 'REJECT'
option 'name' 'freifunk'
option 'output' 'ACCEPT'
option 'network' 'wifi0'
# Allow forwarding from lan into the mesh.
config 'forwarding'
option 'dest' 'freifunk'
option 'src' 'lan'
# Allow mesh-to-mesh forwarding through this node.
config 'forwarding'
option 'dest' 'freifunk'
option 'src' 'freifunk'
# The rules below have 'src' 'freifunk' and no 'dest', and appear in chain
# zone_freifunk (reached from `input`) in the posted output: they open ports
# on the router itself to every host on the mesh.
# All ICMP from the mesh is accepted (no type restriction).
config 'rule'
option 'proto' 'icmp'
option 'target' 'ACCEPT'
option 'src' 'freifunk'
# TCP 80, 443 and 22 are conventionally HTTP, HTTPS and SSH.
# NOTE(review): this makes the router's management services reachable from
# the whole mesh; confirm that is intended and that authentication is strong
# (e.g. key-based SSH, no default password).
config 'rule'
option 'dest_port' '80'
option 'proto' 'tcp'
option 'target' 'ACCEPT'
option 'src' 'freifunk'
config 'rule'
option 'dest_port' '443'
option 'proto' 'tcp'
option 'target' 'ACCEPT'
option 'src' 'freifunk'
config 'rule'
option 'dest_port' '22'
option 'proto' 'tcp'
option 'target' 'ACCEPT'
option 'src' 'freifunk'
# UDP 698 is the registered OLSR routing-protocol port.
config 'rule'
option 'dest_port' '698'
option 'proto' 'udp'
option 'target' 'ACCEPT'
option 'src' 'freifunk'
# NOTE(review): the message does not say which service uses TCP 17990 --
# confirm it is still needed before leaving it open.
config 'rule'
option 'dest_port' '17990'
option 'proto' 'tcp'
option 'target' 'ACCEPT'
option 'src' 'freifunk'
# Second include; contents likewise not shown in the message.
config 'include'
option 'path' '/etc/firewall.freifunk'
# NOTE(review): tuning options; from the names these look like TCP Westwood,
# ECN and the conntrack table size -- confirm against the firmware in use.
config 'advanced'
option 'tcp_westwood' '1'
option 'tcp_ecn' '0'
option 'ip_conntrack_max' '8192'
# DNS queries (UDP 53) from mesh hosts to the router; no TCP 53 rule exists.
config 'rule'
option 'dest_port' '53'
option 'src' 'freifunk'
option 'target' 'ACCEPT'
option 'proto' 'udp'
# DHCP requests from mesh clients (UDP source port 68 to destination port 67).
config 'rule'
option 'src_port' '68'
option 'src' 'freifunk'
option 'target' 'ACCEPT'
option 'dest_port' '67'
option 'proto' 'udp'
# NOTE(review): the message does not say which service uses TCP 8082 --
# confirm it is still needed before leaving it open.
config 'rule'
option 'dest_port' '8082'
option 'src' 'freifunk'
option 'target' 'ACCEPT'
option 'proto' 'tcp'
# Allow forwarding from the mesh to the uplink; with 'masq' on wan this
# traffic leaves behind the router's WAN address. In the posted output,
# packets from 10.104.215.32/27 pass through luci_splash_forwarding first.
config 'forwarding'
option 'dest' 'wan'
option 'src' 'freifunk'
#############################
root@104-78-0-1:~# iptables -nvL
Chain INPUT (policy ACCEPT 9 packets, 571 bytes)
pkts bytes target prot opt in out source
destination
6166 278K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
64 3520 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
29 1768 syn_flood tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x17/0x02
1325 76425 input_rule all -- * * 0.0.0.0/0
0.0.0.0/0
1325 76425 input all -- * * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
856 184K zone_wan_MSSFIX all -- * *
0.0.0.0/0 0.0.0.0/0
724 176K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
133 7980 forwarding_rule all -- * *
0.0.0.0/0 0.0.0.0/0
133 7980 forward all -- * * 0.0.0.0/0
0.0.0.0/0
4 192 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1 packets, 48 bytes)
pkts bytes target prot opt in out source
destination
6255 401K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
64 3520 ACCEPT all -- * lo 0.0.0.0/0
0.0.0.0/0
708 42467 output_rule all -- * * 0.0.0.0/0
0.0.0.0/0
708 42467 output all -- * * 0.0.0.0/0
0.0.0.0/0
Chain forward (1 references)
pkts bytes target prot opt in out source
destination
129 7788 zone_freifunk_forward all -- ath0 *
0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_forward all -- eth0 *
0.0.0.0/0 0.0.0.0/0
Chain forwarding_freifunk (1 references)
pkts bytes target prot opt in out source
destination
Chain forwarding_lan (1 references)
pkts bytes target prot opt in out source
destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source
destination
Chain forwarding_wan (1 references)
pkts bytes target prot opt in out source
destination
Chain input (1 references)
pkts bytes target prot opt in out source
destination
711 45050 zone_freifunk all -- ath0 *
0.0.0.0/0 0.0.0.0/0
608 30908 zone_wan all -- eth0 * 0.0.0.0/0
0.0.0.0/0
Chain input_freifunk (1 references)
pkts bytes target prot opt in out source
destination
Chain input_lan (1 references)
pkts bytes target prot opt in out source
destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source
destination
Chain input_wan (1 references)
pkts bytes target prot opt in out source
destination
Chain luci_splash_filter (1 references)
pkts bytes target prot opt in out source
destination
17 1164 RETURN all -- * * 0.0.0.0/0
0.0.0.0/0 MAC 00:21:00:97:84:81
49 3136 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
48 2528 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-net-prohibited
Chain luci_splash_forwarding (1 references)
pkts bytes target prot opt in out source
destination
0 0 RETURN all -- * * 0.0.0.0/0
104.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0
10.104.215.32/27
114 6828 luci_splash_filter all -- * *
0.0.0.0/0 0.0.0.0/0
Chain output (1 references)
pkts bytes target prot opt in out source
destination
708 42467 zone_lan_ACCEPT all -- * *
0.0.0.0/0 0.0.0.0/0
708 42467 zone_wan_ACCEPT all -- * *
0.0.0.0/0 0.0.0.0/0
566 31678 zone_freifunk_ACCEPT all -- * *
0.0.0.0/0 0.0.0.0/0
Chain output_rule (1 references)
pkts bytes target prot opt in out source
destination
Chain reject (5 references)
pkts bytes target prot opt in out source
destination
18 1446 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
667 37285 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source
destination
29 1768 RETURN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain zone_freifunk (1 references)
pkts bytes target prot opt in out source
destination
711 45050 input_freifunk all -- * *
0.0.0.0/0 0.0.0.0/0
3 252 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0
22 1328 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
2 124 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
557 29280 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:698
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:17990
35 2407 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53
10 3280 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:68 dpt:67
5 316 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:8082
77 8063 zone_freifunk_REJECT all -- * *
0.0.0.0/0 0.0.0.0/0
Chain zone_freifunk_ACCEPT (3 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- ath0 * 0.0.0.0/0
0.0.0.0/0
565 31630 ACCEPT all -- * ath0 0.0.0.0/0
0.0.0.0/0
Chain zone_freifunk_DROP (0 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all -- ath0 * 0.0.0.0/0
0.0.0.0/0
0 0 DROP all -- * ath0 0.0.0.0/0
0.0.0.0/0
Chain zone_freifunk_MSSFIX (0 references)
pkts bytes target prot opt in out source
destination
0 0 TCPMSS tcp -- * ath0 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
Chain zone_freifunk_REJECT (2 references)
pkts bytes target prot opt in out source
destination
77 8063 reject all -- ath0 * 0.0.0.0/0
0.0.0.0/0
0 0 reject all -- * ath0 0.0.0.0/0
0.0.0.0/0
Chain zone_freifunk_forward (1 references)
pkts bytes target prot opt in out source
destination
114 6828 luci_splash_forwarding all -- ath0 *
10.104.215.32/27 0.0.0.0/0
32 2124 zone_wan_ACCEPT all -- * *
0.0.0.0/0 0.0.0.0/0
0 0 zone_freifunk_ACCEPT all -- * *
0.0.0.0/0 0.0.0.0/0
0 0 forwarding_freifunk all -- * *
0.0.0.0/0 0.0.0.0/0
0 0 zone_freifunk_REJECT all -- * *
0.0.0.0/0 0.0.0.0/0
Chain zone_lan (0 references)
pkts bytes target prot opt in out source
destination
0 0 input_lan all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 zone_lan_ACCEPT all -- * *
0.0.0.0/0 0.0.0.0/0
Chain zone_lan_ACCEPT (2 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- ath0 eth0 0.0.0.0/0
192.168.5.1
0 0 REJECT all -- ath0 eth0 0.0.0.0/0
192.168.5.0/24 reject-with icmp-port-unreachable
Chain zone_lan_DROP (0 references)
pkts bytes target prot opt in out source
destination
Chain zone_lan_MSSFIX (0 references)
pkts bytes target prot opt in out source
destination
Chain zone_lan_REJECT (1 references)
pkts bytes target prot opt in out source
destination
Chain zone_lan_forward (0 references)
pkts bytes target prot opt in out source
destination
0 0 zone_freifunk_ACCEPT all -- * *
0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_ACCEPT all -- * *
0.0.0.0/0 0.0.0.0/0
0 0 forwarding_lan all -- * *
0.0.0.0/0 0.0.0.0/0
0 0 zone_lan_REJECT all -- * *
0.0.0.0/0 0.0.0.0/0
Chain zone_wan (1 references)
pkts bytes target prot opt in out source
destination
608 30908 input_wan all -- * * 0.0.0.0/0
0.0.0.0/0
1 328 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:68
604 30476 zone_wan_REJECT all -- * *
0.0.0.0/0 0.0.0.0/0
Chain zone_wan_ACCEPT (3 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- eth0 * 0.0.0.0/0
0.0.0.0/0
174 12913 ACCEPT all -- * eth0 0.0.0.0/0
0.0.0.0/0
Chain zone_wan_DROP (0 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all -- eth0 * 0.0.0.0/0
0.0.0.0/0
0 0 DROP all -- * eth0 0.0.0.0/0
0.0.0.0/0
Chain zone_wan_MSSFIX (1 references)
pkts bytes target prot opt in out source
destination
75 4756 TCPMSS tcp -- * eth0 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
Chain zone_wan_REJECT (2 references)
pkts bytes target prot opt in out source
destination
604 30476 reject all -- eth0 * 0.0.0.0/0
0.0.0.0/0
0 0 reject all -- * eth0 0.0.0.0/0
0.0.0.0/0
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source
destination
0 0 forwarding_wan all -- * *
0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_REJECT all -- * *
0.0.0.0/0 0.0.0.0/0
root@104-78-0-1:~#