frankx: Linux Sub-Netz, DHCP, DNS, Filesharing, Peer-to-Peer


Hellihello

Ist der DHCP-Server schon konfiguriert? Oder noch in der Mache?

Der laeuft jetzt. Immerhin erhalten die Rechner eine IP-Adresse von ihm.

Loading simple rc.firewall-iptables version 0.76..

External Interface:  eth0
   Internal Interface:  eth1
   loading modules:   - Verifying that all kernel modules are ok
----------------------------------------------------------------------
ip_tables, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat, ip_nat_ftp, ----------------------------------------------------------------------
   Done loading modules.

Enabling forwarding..
   Enabling DynamicAddr..
   Clearing any existing rules and setting default policy..
   FWD: Allow all connections OUT and only existing and related ones IN
   Enabling SNAT (MASQUERADE) functionality on eth0

rc.firewall-iptables v0.76 done.

Firewall/IP-Masq-Script hab ich auch laufen lassen. Die Clientrechner kriegen aber kein Internet.

Das ist die dhcpd.conf, die ich eingebaut habe. Im Bereich Nameserver vermutlich nicht korrekt?

////////////////////////////

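# Sample configuration file for ISC dhcpd for Debian
#
# $Id: dhcpd.conf,v 1.4.2.2 2002/07/10 03:50:33 peloy Exp $

subnet 10.123.123.0 netmask 255.255.255.0 {

        range 10.123.123.128 10.123.123.254;                 # Range of IP addresses to be issued to DHCP clients
        option subnet-mask              255.255.255.0;       # Default subnet mask to be used by DHCP clients
        option broadcast-address        10.123.123.255;      # Default broadcast address to be used by DHCP clients
        option routers                  10.123.123.1;        # Default gateway to be used by DHCP clients
        option domain-name              "your-domain.org";
        # NOTE(review): these resolvers are outside 10.123.123.0/24, so clients can only
        # reach them through the gateway 10.123.123.1 (forwarding + MASQUERADE). The
        # first one is also handed out as a fixed address in the "host ns2" block
        # below — confirm both are real, reachable DNS servers.
        option domain-name-servers      40.175.42.254, 40.175.42.253;   # Default DNS to be used by DHCP clients
        option netbios-name-servers     10.123.123.100;      # Specify a WINS server for MS/Windows clients.
                                                             # (Optional. Specify if used on your network)

        # DHCP requests are not forwarded. Applies when there is more than one ethernet device and forwarding is configured.
        # option ipforwarding off;

        default-lease-time 21600;                            # Amount of time in seconds that a client may keep the IP address
        max-lease-time 43200;

        option time-offset              -18000;              # Eastern Standard Time
        # option ntp-servers              10.123.123.1;      # Default NTP server to be used by DHCP clients
        # option netbios-name-servers     10.123.123.1;

        # --- Selects point-to-point node (default is hybrid). Don't change this unless you understand Netbios very well
        # option netbios-node-type 2;

        # We want the nameserver "ns2" to appear at a fixed address.
        # Name server with this specified MAC address will receive this IP.
        # NOTE(review): 40.175.42.254 does not lie inside the subnet declared above,
        # so a client with this MAC would be offered an address it cannot use on this
        # segment — confirm this is intended (a 10.123.123.x address is the usual choice).
        host ns2 {
                next-server ns2.your-domain.com;
                hardware ethernet 00:02:c3:d0:e5:83;
                fixed-address 40.175.42.254;
        }

        # Laser printer obtains IP address via DHCP. This assures that the
        # printer with this MAC address will get this IP address every time.
        #host laser-printer-lex1 {
        #       hardware ethernet 08:00:2b:4c:a3:82;
        #       fixed-address 10.123.123.120;
        #}
}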

////////////////////////////

Ip-Masq-Script

ein paar Kommentarzeilen geloescht, da ich der Geschwaetzigkeit bezichtigt wurde

////////////////////////////

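#!/bin/sh
#
# rc.firewall-iptables
#
# Minimal IP-masquerading firewall for initial testing: loads the netfilter
# modules, enables IPv4 forwarding, flushes the filter and nat tables and
# installs a FORWARD ruleset that lets the internal LAN out while only
# allowing established/related traffic back in, NATed on the external
# interface.
#
# Globals (edit to match the host): IPTABLES, DEPMOD, MODPROBE, EXTIF, INTIF
# Outputs: progress messages on stdout
# Requires: root (writes /proc/sys and changes netfilter rules)
#
# The comment markers on several lines of this script had been lost when it
# was pasted; as published, lines such as "rc.firewall-iptables" and the
# "** Please use ..." notes would have been executed as commands. They are
# comments again here.

FWVER=0.76

# printf is used instead of "echo -e"/"echo -en": under a POSIX /bin/sh
# (e.g. dash) "echo -e" prints a literal "-e" and does not interpret escapes,
# so the original output only worked when /bin/sh happened to be bash.
printf '\n\nLoading simple rc.firewall-iptables version %s..\n\n' "$FWVER"

# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

#Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

printf '%s' "   loading modules: "

# Need to verify that all modules have all required dependencies
echo "  - Verifying that all kernel modules are ok"
"$DEPMOD" -a

#===============================================================

echo "----------------------------------------------------------------------"

# NOTE(review): the ip_* module names below are those of 2.4/early-2.6
# kernels. Later kernels use nf_conntrack, nf_conntrack_ftp, nf_conntrack_irc,
# nf_nat_ftp and nf_nat_irc instead; a failed modprobe is not treated as fatal
# here, so check the output if connection tracking does not work.

#Load the main body of the IPTABLES module - "iptable"
#  - Loaded automatically when the "iptables" command is invoked
#  - Loaded manually to clean up kernel auto-loading timing issues
printf '%s' "ip_tables, "
"$MODPROBE" ip_tables

#Load the IPTABLES filtering module - "iptable_filter"
#  - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"
#  - Loaded manually to clean up kernel auto-loading timing issues
printf '%s' "ip_conntrack, "
"$MODPROBE" ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
printf '%s' "ip_conntrack_ftp, "
"$MODPROBE" ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
printf '%s' "ip_conntrack_irc, "
"$MODPROBE" ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#  - Loaded manually to clean up kernel auto-loading timing issues
printf '%s' "iptable_nat, "
"$MODPROBE" iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
#
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
printf '%s' "ip_nat_ftp, "
"$MODPROBE" ip_nat_ftp

#Loads the IRC NAT functionality into the core IPTABLES code
#
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#printf 'ip_nat_irc\n'
#"$MODPROBE" ip_nat_irc

echo "----------------------------------------------------------------------"

printf '   Done loading modules.\n\n'

#CRITICAL:  Enable IP forwarding since it is disabled by default since
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#            connecting to the Internet on external interface "eth0".  This
#            example will MASQ internal traffic out to the Internet but not
#            allow non-initiated traffic into your internal network.
#
#         ** Please change the above network numbers, subnet mask, and your
#         *** Internet connection interface name to match your setup

#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
#    The default for FORWARD is DROP (REJECT is not a valid policy)
#
#   Isn't ACCEPT insecure?  To some degree, YES, but this is our testing
#   phase.  Once we know that IPMASQ is working well, I recommend you run
#   the rc.firewall-*-stronger rulesets which set the defaults to DROP but
#   also include the critical additional rulesets to still let you connect to
#   the IPMASQ server, etc.
#
# Note that with INPUT ACCEPT every service listening on the gateway itself
# (dhcpd, sshd, ...) is reachable from $EXTIF as well; only forwarded traffic
# is restricted by this script.
echo "   Clearing any existing rules and setting default policy.."
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
"$IPTABLES" -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
"$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
# Everything that reaches this rule is about to hit the DROP policy. The LOG
# target has no rate limit here, so unsolicited inbound traffic on $EXTIF can
# fill the kernel log; add "-m limit --limit 5/min" before "-j LOG" once the
# setup is confirmed to work.
"$IPTABLES" -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

printf '\nrc.firewall-iptables v%s done.\n\n' "$FWVER"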

///////////////////////////////////////////////////////

Dank und Gruß,

frankx

--
tryin to multitain  - Globus = Planet != Welt