lsmod | grep xt_state ?
Albert
I saved the script not as /etc/init.d/ipsec but as /root/ipsec.sh, but that surely shouldn't make any difference.
When I run it I get
root@OpenWrt:/etc# /root/ipsec.sh restart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
The tunnel does not come up:
root@OpenWrt:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
uptime: 2 minutes, since Nov 08 19:40:09 2015
malloc: sbrk 94208, mmap 0, used 77968, free 16240
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
188.192.81.113
192.168.1.1
fd4c:dd00:f364::1
Connections:
racoon-cougar: 188.192.81.113...88.198.76.220 IKEv2
racoon-cougar: local: [cougar.tvdr.de] uses pre-shared key authentication
racoon-cougar: remote: [racoon.tvdr.de] uses pre-shared key authentication
racoon-cougar: child: 192.168.1.0/24 === 88.198.76.220/32 TUNNEL
Security Associations (0 up, 0 connecting):
none
And here is the generated ipsec.conf:
conn racoon-cougar
keyexchange=ikev2
left=188.xx.xx.113
right=88.xx.xx.220
leftsubnet=192.168.1.0/24
leftauth=psk
rightauth=psk
rightsubnet=88.xx.xx.220/32
auto=start
leftid=@cougar.tvdr.de
rightid=@racoon.tvdr.de
esp=aes128-sha1-modp2048
ike=aes128-sha1-modp2048
type=tunnel
Klaus
Take the /etc/ipsec/firewall.sh from post 100 once more. I changed the call from /etc/functions.sh to /lib/functions.sh.
Albert
root@OpenWrt:/etc# /etc/init.d/firewall restart
Warning: Section @zone[2] (vpn) has no device, network, subnet or extra options
does not specify a protocol, assuming TCP+UDP
does not specify a protocol, assuming TCP+UDP
Warning: Section @zone[2] (vpn) has no device, network, subnet or extra options
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing IPv6 raw table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'IPSec ESP'
* Rule 'IPSec IKE'
* Rule 'IPSec NAT-T'
* Rule 'Auth Header'
* Rule 'forward_vpn'
* Forward 'lan' -> 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv4 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv6 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Forward 'lan' -> 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv6 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn_nat':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
Klaus
Where is functions.sh located now? Maybe call it as just /lib/functions.sh, without the leading dot?
Albert
It is in /lib/functions.sh.
If I remove the dot it looks like this:
root@OpenWrt:/etc# /etc/init.d/firewall restart
Warning: Section @zone[2] (vpn) has no device, network, subnet or extra options
does not specify a protocol, assuming TCP+UDP
does not specify a protocol, assuming TCP+UDP
Warning: Section @zone[2] (vpn) has no device, network, subnet or extra options
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing IPv6 raw table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'IPSec ESP'
* Rule 'IPSec IKE'
* Rule 'IPSec NAT-T'
* Rule 'Auth Header'
* Rule 'forward_vpn'
* Forward 'lan' -> 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv4 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv6 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Forward 'lan' -> 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv6 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
/root/firewall.sh: line 78: config_load: not found
/root/firewall.sh: line 79: config_foreach: not found
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
/root/firewall.sh: line 98: config_foreach: not found
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn_nat':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
/root/firewall.sh: line 127: config_foreach: not found
! Failed with exit code 127
So probably *with* the dot after all.
Klaus
A small change to /etc/config/firewall, to see whether that gets rid of the error Couldn't load target `zone_vpn_nat'.
Albert
This would be the crowbar approach (referring to post 100):
- Delete /etc/init.d/ipsec.
- Do not change /etc/config/ipsec.
- In /etc/config/firewall, remove the two entries forward_vpn and nat_vpn.
- Delete /etc/ipsec/firewall.sh.
- Use /etc/strongswan.conf.
- Use /etc/ipsec.conf.
- /etc/firewall.user has new content.
Albert
After the change from post 127:
root@OpenWrt:/etc/config# /etc/init.d/firewall restart
Warning: Section @zone[2] (vpn) has no device, network, subnet or extra options
does not specify a protocol, assuming TCP+UDP
does not specify a protocol, assuming TCP+UDP
does not specify a protocol, assuming TCP+UDP
Warning: Section @zone[2] (vpn) has no device, network, subnet or extra options
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing IPv6 raw table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'IPSec ESP'
* Rule 'IPSec IKE'
* Rule 'IPSec NAT-T'
* Rule 'Auth Header'
* Rule 'forward_vpn'
* Rule 'nat_vpn'
* Forward 'lan' -> 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv4 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv6 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Forward 'lan' -> 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv6 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn_nat':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
With the changes from post 128:
root@OpenWrt:/etc# /etc/init.d/firewall restart
Warning: Section @zone[2] (vpn) has no device, network, subnet or extra options
does not specify a protocol, assuming TCP+UDP
Warning: Section @zone[2] (vpn) has no device, network, subnet or extra options
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing IPv6 raw table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'IPSec ESP'
* Rule 'IPSec IKE'
* Rule 'IPSec NAT-T'
* Rule 'Auth Header'
* Forward 'lan' -> 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv4 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv6 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Forward 'lan' -> 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Populating IPv6 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
root@OpenWrt:/etc# /etc/init.d/ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.3 IPsec [starter]...
root@OpenWrt:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
uptime: 7 seconds, since Nov 09 08:50:00 2015
malloc: sbrk 266240, mmap 0, used 233384, free 32856
worker threads: 5 of 16 idle, 7/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock unity
Listening IP addresses:
188.192.81.113
192.168.1.1
fd4c:dd00:f364::1
Connections:
racoon: %any...88.198.76.220 IKEv1/2
racoon: local: [cougar.tvdr.de] uses pre-shared key authentication
racoon: remote: [racoon.tvdr.de] uses pre-shared key authentication
racoon: child: 192.168.1.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
racoon[1]: ESTABLISHED 6 seconds ago, 188.192.81.113[cougar.tvdr.de]...88.198.76.220[racoon.tvdr.de]
racoon[1]: IKEv2 SPIs: f4bdb41408e73642_i* 3130f5bf2dfa7bec_r, pre-shared key reauthentication in 2 hours
racoon[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
The tunnel does come up with this, but still no data goes through.
There are also still two error messages on the firewall restart ("No chain/target/match by that name").
Klaus
I have now edited /etc/firewall.user (post 128) so that the subnet is specified as well.
You can also enter the 5 lines at the console; then we will see which one does not fit.
What did the original firewall configuration look like (/rom/etc/config/firewall)?
Albert
The very first one already does not fit:
root@OpenWrt:/etc# iptables -t nat -I zone_wan_nat -s 88.198.76.220/32 -j ACCEPT
iptables: No chain/target/match by that name.
(I have stopped using "xx.xx" now, since the IP of my web server is publicly known anyway ;-).
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
# allow IPsec/ESP and ISAKMP passthrough
config rule
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
Klaus
Somehow I already smelled it. An iptables-save > /etc/iptables/rules.v4 would not be bad either. I can hardly imagine that zone_wan_nat does not exist; or rather, let's look at what we actually have.
Albert
Here you go:
# Generated by iptables-save v1.4.21 on Mon Nov 9 13:23:57 2015
*nat
:PREROUTING ACCEPT [3660:405219]
:INPUT ACCEPT [274:37230]
:OUTPUT ACCEPT [212:18441]
:POSTROUTING ACCEPT [2:120]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0 -j zone_wan_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0 -j zone_wan_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_postrouting -j MASQUERADE
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "user chain for postrouting" -j postrouting_vpn_rule
-A zone_vpn_postrouting -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "user chain for prerouting" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Mon Nov 9 13:23:57 2015
# Generated by iptables-save v1.4.21 on Mon Nov 9 13:23:57 2015
*raw
:PREROUTING ACCEPT [88696:52965060]
:OUTPUT ACCEPT [1066:127294]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Mon Nov 9 13:23:57 2015
# Generated by iptables-save v1.4.21 on Mon Nov 9 13:23:57 2015
*mangle
:PREROUTING ACCEPT [88700:52965268]
:INPUT ACCEPT [1976:351093]
:FORWARD ACCEPT [86137:52429312]
:OUTPUT ACCEPT [1071:128418]
:POSTROUTING ACCEPT [87208:52557730]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Nov 9 13:23:57 2015
# Generated by iptables-save v1.4.21 on Mon Nov 9 13:23:57 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_dest_REJECT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -s 88.198.76.220/32 -j ACCEPT
-A INPUT -j delegate_input
-A FORWARD -d 88.198.76.220/32 -j ACCEPT
-A FORWARD -s 88.198.76.220/32 -j ACCEPT
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0 -j zone_wan_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0 -j zone_wan_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j zone_vpn_dest_REJECT
-A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_vpn_input -j zone_vpn_src_REJECT
-A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
-A zone_vpn_output -j zone_vpn_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -j reject
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "IPSec ESP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 500 -m comment --comment "IPSec IKE" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "IPSec IKE" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "IPSec NAT-T" -j ACCEPT
-A zone_wan_input -p ah -m comment --comment "Auth Header" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -j reject
COMMIT
# Completed on Mon Nov 9 13:23:57 2015
Klaus
Once again that looks completely different from what I expected. I cannot even find forward_vpn, which LuCI created, and there is no zone_wan_nat either.
So let's try to outwit the firewall and NAT as follows:
I hope it works, because I am slowly running out of ideas.
I have found one more possible alternative.
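As an added example (not code from the thread), a POSIX sh script for the situation above: it reads an iptables-save dump and reports whether the chain each firewall.user line targets is actually declared in that table, so a line like the failing `iptables -t nat -I zone_wan_nat ...` is caught before it is typed on the router. The dump and the command lines are constructed from the tables posted above, and the script only assumes awk and grep.

```shell
#!/bin/sh
# Added example, not from the thread: verify the chains referenced by
# firewall.user lines against an iptables-save dump.
# Constructed excerpt of the nat and filter tables posted above;
# zone_wan_nat is deliberately absent, exactly as on the router.
SAMPLE_DUMP='# Generated by iptables-save v1.4.21 (constructed excerpt)
*nat
:PREROUTING ACCEPT [3660:405219]
:POSTROUTING ACCEPT [2:120]
:zone_vpn_postrouting - [0:0]
:zone_wan_postrouting - [0:0]
-A POSTROUTING -j delegate_postrouting
-A zone_wan_postrouting -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:forwarding_vpn_rule - [0:0]
:zone_vpn_forward - [0:0]
:zone_wan_forward - [0:0]
-A FORWARD -j delegate_forward
COMMIT
'

# list_chains DUMP TABLE: print the chains declared (":name ...") in TABLE.
list_chains() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\*/ { table = substr($0, 2); next }              # "*nat" opens a table
        /^:/ && table == want { sub(/^:/, ""); print $1 }  # ":chain policy [p:b]"
    '
}

# chain_exists DUMP TABLE CHAIN: succeed if CHAIN is declared in TABLE.
chain_exists() {
    list_chains "$1" "$2" | grep -qx -- "$3"
}

# check_rule DUMP "iptables ...": take -t TABLE (default filter) and the chain
# after -A/-I/-D/-R from the command line, report ok/missing, and on a miss
# list the chains of that table sharing the same prefix (e.g. zone_wan_*).
check_rule() {
    dump=$1
    cmdline=$2
    table=filter
    chain=
    # Intentional word split; the sample lines carry no quoted arguments.
    set -- $cmdline
    while [ $# -gt 0 ]; do
        case $1 in
            -t) table=$2; shift ;;
            -A|-I|-D|-R) chain=$2; shift ;;
        esac
        shift
    done
    if [ -z "$chain" ]; then
        echo "skip:    no chain argument in: $cmdline"
        return 2
    fi
    if chain_exists "$dump" "$table" "$chain"; then
        echo "ok:      $table/$chain"
        return 0
    fi
    prefix=${chain%_*}
    candidates=$(list_chains "$dump" "$table" | grep -- "^${prefix}_" | tr '\n' ' ')
    echo "missing: $table/$chain (chains named ${prefix}_* in table $table: ${candidates:-none})"
    return 1
}

# Constructed sample lines: the first is the one that failed in the thread,
# the others are plausible firewall.user lines against chains that do exist.
for cmd in \
    "iptables -t nat -I zone_wan_nat -s 88.198.76.220/32 -j ACCEPT" \
    "iptables -t nat -I zone_wan_postrouting -s 192.168.1.0/24 -d 88.198.76.220/32 -j ACCEPT" \
    "iptables -I forwarding_vpn_rule -s 192.168.1.0/24 -j ACCEPT"
do
    check_rule "$SAMPLE_DUMP" "$cmd" || :
done
```

On a live router, replace SAMPLE_DUMP with the output of `iptables-save` and feed it the lines of /etc/firewall.user.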
Albert
With both versions there are no more error messages, and ipsec brings up the tunnel in both cases.
With the first variant, however, I can neither traceroute nor ssh to racoon. The second variant behaves as before. In both cases no data goes through the tunnel.
The first variant does at least seem to take effect somehow, because only the route to racoon is "intercepted".
If you don't come up with something brilliant, I will probably have to try OpenVPN after all. I can't keep stealing your time forever...
Klaus
If you don't come up with something brilliant, I will probably have to try OpenVPN after all. I can't keep stealing your time forever...
I would be glad if a brilliant idea came to me. You are certainly not stealing my time; I am mostly sitting in front of the PC. You could slowly start trying to solve the problem via OpenWRT; we have gathered enough information. Running on two tracks is always better.
Nonetheless, since the first /etc/firewall.user already twitched a bit, here is one more:
If that does not work either, then my probably last attempt would be to catch it via the zone forwards:
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'IPSec ESP'
option src 'wan'
option proto 'esp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'IPSec IKE'
option src 'wan'
option dest_port '500'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'IPSec NAT-T'
option src 'wan'
option dest_port '4500'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Auth Header'
option src 'wan'
option proto 'ah'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option dest_ip '88.198.76.220'
option family 'ipv4'
config forwarding
option dest 'lan'
option src 'vpn'
option family 'ipv4'
config forwarding
option dest 'vpn'
option src 'lan'
option family 'ipv4'
config forwarding
option src 'lan'
option dest 'wan'
config include
option path '/etc/firewall.user'
option reload 1
Albert
In both cases a tunnel came up, but again nothing at all went through (no traceroute, no ssh).
I will now try OpenVPN and report back.
First of all, many thanks for your help.
Klaus
First of all, many thanks for your help.
You are very welcome, even though unfortunately it did not help. If you like, send me a link by mail to your next attempt. I would follow it quietly and provide a couple of hints if needed.
Albert
Klaus, have you made any progress yet?
Albert
On the client I have meanwhile installed OpenVPN and at least got it far enough that it looks for the server. On the server side I will hopefully get further this weekend. I will definitely report the result here.
Klaus