{"id":2888,"date":"2023-07-17T18:46:01","date_gmt":"2023-07-17T16:46:01","guid":{"rendered":"http:\/\/fliegerhorst.dyndns.org\/?p=2888"},"modified":"2023-07-21T17:16:27","modified_gmt":"2023-07-21T15:16:27","slug":"arnos-ip-tables-firewall","status":"publish","type":"post","link":"https:\/\/fliegerhorst.dyndns.org\/index.php\/2023\/07\/17\/arnos-ip-tables-firewall\/","title":{"rendered":"Arnos IP-Tables Firewall"},"content":{"rendered":"\n

Ein richtiger Server sollte auch eine Firewall haben :-). Naja, es mag Leute geben die meinen das eine Firewall v\u00f6lliger Bl\u00f6dsinn ist aber immerhin ist man damit in der Lage einige zus\u00e4tzliche Checks zu machen wie z.B. einen sogennanten ‚Nullscan‘ zu erkennen oder andere fiese Tricks der b\u00f6sen Buben da draussen.<\/p>\n\n\n\n

Arnos IP-Tables Firewall ist in den Debian 10 Repositories enthalten und kann mit dem Installationsprogramm der Wahl – aptitude oder synaptic – installiert werden.<\/p>\n\n\n\n

Im Grunde mu\u00df dann nur noch die Konfigurationsdatei firewall.conf<\/kbd> entsprechend angepasst werden um brauchbare Ergebnisse zu erzielen. Ich habe demnach folgendes eingestellt und hier habe ich nur die Einstellungen aufgef\u00fchrt an denen ich auch tats\u00e4chlich \u00c4nderungen vorgenommen habe:<\/p>\n\n\n\n

\n
\n
# The external interface(s) that will be protected (and used as internet\n# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL\n# modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should\n# be space separated.\n# ------------------------------------------------------------------------------\nEXT_IF="enp1s0"<\/pre><\/div>\n<\/div>\n\n\n\n
\n
Auf meiner Platform heisst das externe Interface „enp1s0“.<\/p>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
# Enable if THIS machines (dynamically) obtains its IP through (IPv4) DHCP\n# and possibly (IPv6) DHCPv6 (from your ISP)\n# ------------------------------------------------------------------------------\nEXT_IF_DHCP_IP=0<\/pre><\/div>\n<\/div>\n\n\n\n
\n
Der Server hat eine feste IPv4 Adresse. Er wird nicht \u00fcber einen \u00fcbergeordneten DHCP-Server mit einer IP-Addresse versorgt.<\/p>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
# Enable if THIS machines (dynamically) obtains its IP through (IPv6) DHCPv6\n# and not (IPv4) DHCP. Applies only when EXT_IF_DHCP_IP is set to "0".\n# (IPv6 Only)\n# ------------------------------------------------------------------------------\nEXT_IF_DHCPV6_IPV6=0<\/pre><\/div>\n<\/div>\n\n\n\n
\n
Der Server unterst\u00fctzt kein IPv6.<\/p>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
#\n# Internal (LAN) interface settings\n#\n# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces\n# should be space separated. Remark this if you don't have any internal network\n# interfaces. Note that by default ALL traffic is accepted from these\n# interfaces. Traffic between multiple (seperate) internal interfaces is\n# blocked by default. Use the IF_TRUSTS setting (below) to enable traffic for\n# those.\n# ------------------------------------------------------------------------------\nINT_IF="enp2s0"<\/pre><\/div>\n<\/div>\n\n\n\n
\n
Auf meiner Platform heisst das interne Interface „enp2s0“.<\/p>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
# Specify here the internal IPv4 subnet(s) which is\/are connected to the\n# interface(s). For multiple interfaces(!) you can either specify\n# multiple subnets here or specify one big subnet for all internal interfaces.\n# Note that this variable is mainly used for antispoofing.\n# ------------------------------------------------------------------------------\nINTERNAL_NET="192.168.2.0\/24"<\/pre><\/div>\n<\/div>\n\n\n\n
\n
Das interne Netz hat die Adresse 192.168.2.0\/24.<\/p>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
#\n# NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!)\n#\n# Enable this if you want to perform NAT (masquerading) for your internal\n# network (LAN) (eg. share your internet connection with your internal\n# net(s) connected to eg. INT_IF)\n# ------------------------------------------------------------------------------\nNAT=1<\/pre><\/div>\n<\/div>\n\n\n\n
\n
Dies ist eine der wichtigsten Einstellungen. Sie sorgt daf\u00fcr dass Datenpakete, die nicht f\u00fcr den Server selbst bestimmt sind, durch den Server hindurch geroutet werden.<\/p>\n\n\n\n
Bei Network Address Translation (NAT) wird in beide Richtungen – ein- und ausgehend – die Quelladresse bzw. die Zieladdresse in jedem einzelnen Paket entsprechend umgeschrieben.<\/p>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
# NAT TCP\/UDP\/IP forwards. Forward ports or protocols from the gateway to\n# an internal client through (D)NAT. Note that you can also use these\n# variables to forward ports to DMZ hosts.\n# ....\n# ------------------------------------------------------------------------------\nNAT_FORWARD_TCP="81>192.168.2.15~80"\nNAT_FORWARD_UDP=""\nNAT_FORWARD_IP=""<\/pre><\/div>\n\n\n\n
<\/p>\n<\/div>\n\n\n\n
\n
Dies ist eine spezielle Port-Forwarding Einstellung um ein Ger\u00e4t im internen Netz von extern erreichen zu k\u00f6nnen.<\/p>\n\n\n\n
Hier werden alle externen Datenpakete die an den Port 81 gerichtet sind an die interne Addresse 192.168.2.15 an den Port 80 weiter geleitet.<\/p>\n\n\n\n
In diesem Fall ist das ein simpler Videorecorder der von extern programmiert werden k\u00f6nnen soll.<\/p>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
# Enable this to allow for ICMP-requests(ping) from your LAN\n# ------------------------------------------------------------------------------\nLAN_OPEN_ICMP=1<\/pre><\/div>\n<\/div>\n\n\n\n
\n
Hier erlaube ich ICMP am externen Interface. Dies k\u00f6nnte z.B. ein PING sein.<\/p>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
# Put in the following variables which ports or IP protocols you want to leave\n# open to the whole world.\n# ------------------------------------------------------------------------------\nOPEN_TCP="2222 25 80 81"\nOPEN_UDP=""\nOPEN_IP=""<\/pre><\/div>\n<\/div>\n\n\n\n
\n
Diese Einstellung ist im Prinzip die wichtigste Einstellung. Hier werden die Ports festgelegt die nach au\u00dfen hin prinzipiell ge\u00f6ffnet sind.<\/p>\n\n\n\n
Der Server unterst\u00fctzt die Services SSH, SMPT HTTP und einen anderen HTTP Server an Port 81 (s.o. Port Forwarding)<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Ein richtiger Server sollte auch eine Firewall haben :-). Naja, es mag Leute geben die meinen das eine Firewall v\u00f6lliger Bl\u00f6dsinn ist aber immerhin ist man damit in der Lage einige zus\u00e4tzliche Checks zu machen wie z.B. einen sogennanten ‚Nullscan‘ zu erkennen oder andere fiese Tricks der b\u00f6sen Buben da draussen. Arnos IP-Tables Firewall ist[…]<\/p>\n","protected":false},"author":1,"featured_media":3037,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"zakra_general_container_width":0,"zakra_general_content_width":0,"zakra_general_sidebar_width":0,"zakra_sticky_header":"customizer","zakra_header_main_area":true,"zakra_site_logo_width":0,"zakra_header_top_enabled":"customizer","zakra_header_top_style":"customizer","zakra_primary_menu_item_style":"customizer","zakra_page_header_text_color":"","zakra_page_header_layout":"customizer","zakra_page_title_bg":"","zakra_footer_widgets_bg_image":0,"zakra_page_title_bg_repeat":"customizer","zakra_page_title_bg_position":"customizer","zakra_page_title_bg_size":"customizer","zakra_page_title_bg_attachment":"customizer","zakra_breadcrumbs_enabled":"customizer","zakra_breadcrumbs_text_color":"","zakra_breadcrumbs_separator_color":"","zakra_breadcrumbs_link_color":"","zakra_breadcrumbs_link_hover_color":"","zakra_page_title_bg_image":0,"zakra_footer_widgets_enabled":"customizer","zakra_footer_column_layout_1_style":"customizer","zakra_footer_widgets_bg":"","zakra_footer_widgets_bg_repeat":"customizer","zakra_footer_widgets_bg_position":"customizer","zakra_footer_widgets_bg_size":"customizer","zakra_footer_widgets_bg_attachment":"customizer","zakra_footer_bar_enabled":"customizer","zakra_footer_bar_style":"customizer","zakra_page_container_layout":"customizer","zakra_page_sidebar_layout":"customizer","zakra_remove_content_margin":false,"zakra_sidebar":"customizer","zakra_transparent_header":"customizer","zakra_logo":0,"zakra_main_header_style":"default","zakra_menu_item_color":"","zakra_menu_item_hover_color":"","zakra_menu_item_active_color":"","zakra_menu_active_style":"","zakra_page_header":true,"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[13],"class_list":["post-2888","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-server","tag-linux"],"_links":{"self":[{"href":"https:\/\/fliegerhorst.dyndns.org\/index.php\/wp-json\/wp\/v2\/posts\/2888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fliegerhorst.dyndns.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fliegerhorst.dyndns.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fliegerhorst.dyndns.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fliegerhorst.dyndns.org\/index.php\/wp-json\/wp\/v2\/comments?post=2888"}],"version-history":[{"count":0,"href":"https:\/\/fliegerhorst.dyndns.org\/index.php\/wp-json\/wp\/v2\/posts\/2888\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fliegerhorst.dyndns.org\/index.php\/wp-json\/wp\/v2\/media\/3037"}],"wp:attachment":[{"href":"https:\/\/fliegerhorst.dyndns.org\/index.php\/wp-json\/wp\/v2\/media?parent=2888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fliegerhorst.dyndns.org\/index.php\/wp-json\/wp\/v2\/categories?post=2888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fliegerhorst.dyndns.org\/index.php\/wp-json\/wp\/v2\/tags?post=2888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}