Hello!
I have already been able to solve numerous problems with the help of this forum. Thank you for that.
But now I have reached the point where my know-how unfortunately does not get me any further.
Despite UFW settings that are, in my opinion, correct, I keep seeing in ufw.log that the port. The IPs for source and destination were deliberately left open, since I want to tighten the firewall step by step.
Here is an excerpt from the log:
Mar 11 20:25:57 nextcloudpi kernel: [53732.710046] [UFW BLOCK] IN=eth0 OUT= MAC=XXXXX SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar 11 20:32:37 nextcloudpi kernel: [ 155.274066] [UFW BLOCK] IN=eth0 OUT= MAC=XXXXX SRC=192.168.1.4 DST=192.168.1.30 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=25256 DF PROTO=TCP SPT=53601 DPT=2010 WINDOW=591 RES=0x00 ACK FIN URGP=0
I opened traffic for that IP with sudo ufw allow in on eth0 from 192.168.1.4, yet port 2010 is still being blocked. Afterwards I also opened port 2010 on its own. Unfortunately the error persists.
I would appreciate help in finding where the mistake is.
The output of sudo ufw status numbered:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere on eth0           ALLOW FWD   10.6.0.0/24 on wg0
[ 2] 2127/udp                   ALLOW IN    Anywhere                   # allow-wireguard
[ 3] 3353                       ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 443/tcp                    ALLOW IN    Anywhere
[ 6] 4443/tcp                   ALLOW IN    Anywhere
[ 7] DNS                        ALLOW IN    Anywhere
[ 8] Samba                      ALLOW IN    Anywhere
[ 9] 2049                       ALLOW IN    Anywhere
[10] 8087                       ALLOW IN    Anywhere
[11] 8081                       ALLOW IN    Anywhere
[12] Anywhere on eth0           ALLOW IN    192.168.1.4
[13] 1882                       ALLOW IN    Anywhere
[14] 2010                       ALLOW IN    Anywhere
[15] 61991                      ALLOW IN    Anywhere
[16] 3353 (v6)                  ALLOW IN    Anywhere (v6)
[17] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[18] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[19] 4443/tcp (v6)              ALLOW IN    Anywhere (v6)
[20] DNS (v6)                   ALLOW IN    Anywhere (v6)
[21] Samba (v6)                 ALLOW IN    Anywhere (v6)
[22] 2049 (v6)                  ALLOW IN    Anywhere (v6)
[23] 8087 (v6)                  ALLOW IN    Anywhere (v6)
[24] 2127/udp (v6)              ALLOW IN    Anywhere (v6)              # allow-wireguard
[25] 8081 (v6) on lo            ALLOW IN    Anywhere (v6)
[26] 1882 (v6)                  ALLOW IN    Anywhere (v6)
[27] 2010 (v6)                  ALLOW IN    Anywhere (v6)
[28] 61991 (v6)                 ALLOW IN    Anywhere (v6)
The user.rules:
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### route:allow any any 0.0.0.0/0 any 10.6.0.0/24 in_wg0!out_eth0
-A ufw-user-forward -i wg0 -o eth0 -s 10.6.0.0/24 -j ACCEPT

### tuple ### allow udp 2127 0.0.0.0/0 any 0.0.0.0/0 in comment=616c6c6f772d776972656775617264
-A ufw-user-input -p udp --dport 2127 -j ACCEPT

### tuple ### allow any 3353 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 3353 -j ACCEPT
-A ufw-user-input -p udp --dport 3353 -j ACCEPT

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
Output of sudo iptables -nvx -L:
Chain INPUT (policy ACCEPT 8 packets, 288 bytes)
    pkts      bytes target                     prot opt in     out     source               destination
  225093  114338682 ufw-before-logging-input   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  225093  114338682 ufw-before-input           all  --  *      *       0.0.0.0/0            0.0.0.0/0
     104       7050 ufw-after-input            all  --  *      *       0.0.0.0/0            0.0.0.0/0
       8        288 ufw-after-logging-input    all  --  *      *       0.0.0.0/0            0.0.0.0/0
       8        288 ufw-reject-input           all  --  *      *       0.0.0.0/0            0.0.0.0/0
       8        288 ufw-track-input            all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 ufw-before-logging-forward all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 ufw-before-forward         all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 ufw-after-forward          all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 ufw-reject-forward         all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 ufw-track-forward          all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 42 packets, 3088 bytes)
    pkts      bytes target                     prot opt in     out     source               destination
  227407  108057964 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  227407  108057964 ufw-before-output          all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2032     110802 ufw-after-output           all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2032     110802 ufw-after-logging-output   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2032     110802 ufw-reject-output          all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2032     110802 ufw-track-output           all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-input (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-before-logging-forward (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-before-input (1 references)
    pkts      bytes target                     prot opt in     out     source               destination
  209619  105404222 ACCEPT                     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   14950    8855434 ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      44       1760 ufw-logging-deny           all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
      44       1760 DROP                       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0          0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0          0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0          0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
       0          0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
     480      77266 ufw-not-local              all  --  *      *       0.0.0.0/0            0.0.0.0/0
     116      54866 ACCEPT                     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
     364      22400 ufw-user-input             all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-output (1 references)
    pkts      bytes target                     prot opt in     out     source               destination
  209619  105404222 ACCEPT                     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   15756    2542940 ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2032     110802 ufw-user-output            all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-forward (1 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0          0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0          0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0          0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
       0          0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0          0 ufw-user-forward           all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-after-input (1 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 ufw-skip-to-policy-input   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
       0          0 ufw-skip-to-policy-input   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
       0          0 ufw-skip-to-policy-input   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
       0          0 ufw-skip-to-policy-input   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
       0          0 ufw-skip-to-policy-input   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
       0          0 ufw-skip-to-policy-input   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
      96       6762 ufw-skip-to-policy-input   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-after-forward (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-after-logging-input (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-after-logging-output (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-after-logging-forward (1 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-reject-forward (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-track-output (1 references)
    pkts      bytes target                     prot opt in     out     source               destination
    1783      92716 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
     207      14998 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-track-forward (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-logging-deny (2 references)
    pkts      bytes target                     prot opt in     out     source               destination
      24        960 RETURN                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
       0          0 LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-logging-allow (0 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-skip-to-policy-input (7 references)
    pkts      bytes target                     prot opt in     out     source               destination
      96       6762 ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-forward (0 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 DROP                       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-not-local (1 references)
    pkts      bytes target                     prot opt in     out     source               destination
     254      13888 RETURN                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
     124      55154 RETURN                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
     102       8224 RETURN                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
       0          0 ufw-logging-deny           all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
       0          0 DROP                       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2127
       0          0 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3353
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3353
       1         60 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       1         44 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       0          0 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4443
       0          0 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* 'dapp_DNS' */
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* 'dapp_DNS' */
       6       1462 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 137,138 /* 'dapp_Samba' */
       0          0 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 139,445 /* 'dapp_Samba' */
       0          0 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2049
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2049
       0          0 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8087
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8087
       0          0 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8081
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8081
      41       2132 ACCEPT                     all  --  eth0   *       192.168.1.4          0.0.0.0/0
       0          0 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1882
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1882
       0          0 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2010
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2010
      87       5220 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:61991
       0          0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:61991

Chain ufw-user-output (1 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-user-forward (1 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 ACCEPT                     all  --  wg0    eth0    10.6.0.0/24          0.0.0.0/0

Chain ufw-user-logging-input (0 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-user-logging-forward (0 references)
    pkts      bytes target                     prot opt in     out     source               destination

Chain ufw-user-limit (0 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
       0          0 REJECT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
    pkts      bytes target                     prot opt in     out     source               destination
       0          0 ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0
---------- UPDATE ----------
I had a look at the fail2ban log. The IP address 192.168.1.4 was in fact listed as banned in the ufwban jail. I have now removed it and will wait a day to see whether further entries appear in the log.
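Added example, not part of the original post: a small Python parser for kernel log lines of the kind quoted above. It splits the KEY=VALUE fields and the bare TCP flag tokens (ACK, FIN, SYN), then labels each [UFW BLOCK] entry by what it most likely is: an IGMP query to a multicast group (PROTO=2, DST=224.0.0.1), a TCP segment without SYN such as the ACK FIN to port 2010 (a packet conntrack typically marks INVALID, which the ufw-before-input chain shown above logs and drops before ufw-user-input rules are consulted at all), or a genuine new connection attempt (SYN). The sample lines are constructed from the two entries in the post; the hostname and category names are the example's own.

```python
import ipaddress
import re

# Constructed sample input: the two [UFW BLOCK] lines quoted in the post, one per line.
SAMPLE_LOG = """\
Mar 11 20:25:57 nextcloudpi kernel: [53732.710046] [UFW BLOCK] IN=eth0 OUT= MAC=XXXXX SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar 11 20:32:37 nextcloudpi kernel: [ 155.274066] [UFW BLOCK] IN=eth0 OUT= MAC=XXXXX SRC=192.168.1.4 DST=192.168.1.30 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=25256 DF PROTO=TCP SPT=53601 DPT=2010 WINDOW=591 RES=0x00 ACK FIN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_ufw_line(line):
    """Parse one kernel log line into a dict of KEY=VALUE fields plus a FLAGS set.

    Returns None for lines without a "[UFW ...]" prefix. Bare tokens such as DF,
    ACK, FIN carry no "=", so TCP flags are collected separately in FLAGS.
    """
    m = re.search(r"\[UFW ([A-Z ]+?)\] (.*)$", line)
    if not m:
        return None
    fields = {"ACTION": m.group(1), "FLAGS": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            fields["FLAGS"].add(tok)
    return fields

def classify(f):
    """Label a blocked packet from its fields alone (category names are this example's own)."""
    dst = ipaddress.ip_address(f.get("DST", "0.0.0.0"))
    if f.get("PROTO") == "2" and dst.is_multicast:
        # IGMP membership query from the router to a group address: not unicast
        # traffic to a service on this host, so no ALLOW rule above matches it.
        return "igmp-multicast"
    if f.get("PROTO") == "TCP":
        if "SYN" not in f["FLAGS"]:
            # Closing or mid-stream segment with no tracked connection: conntrack marks
            # it INVALID and ufw-before-input logs and drops it before ufw-user-input.
            return "tcp-no-syn"
        return "tcp-new"  # a real connection attempt that reached the deny policy
    return "other"

def summarize(log_text):
    """Return one record per [UFW BLOCK] line with source, destination, port and label."""
    out = []
    for line in log_text.splitlines():
        f = parse_ufw_line(line)
        if f is None or f["ACTION"] != "BLOCK":
            continue
        out.append({"SRC": f.get("SRC"), "DST": f.get("DST"),
                    "DPT": f.get("DPT"), "category": classify(f)})
    return out

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec)
```

Counting how many blocked lines fall into tcp-no-syn versus tcp-new per source is a quick way to tell stale-connection noise from connection attempts that really did hit the policy.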