Hi, I have a problem with iptables on a machine which is a firewall. The logs report the following:

firewall:~ # grep 192.168.2.200 /var/log/messages | grep DPT=53
Feb 14 11:45:52 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=50 TOS=0x00 PREC=0x00 TTL=126 ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=30
Feb 14 11:47:40 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=72 TOS=0x00 PREC=0x00 TTL=126 ID=812 PROTO=UDP SPT=1025 DPT=53 LEN=52

where the machine 192.168.2.200 is blocked and cannot work with the specified DNS server (port 53). But if I run iptables-save, I get the following:

-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT

which should accept every connection from a host on the 192.168.2.0 network to the specified DNS server. The same thing occurs for other machines. The following is a complete dump of the iptables-save command; do you have any idea how to fix this problem?
firewall:~ # iptables-save
# Generated by iptables-save v1.2.8 on Tue Feb 15 12:08:25 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [160:11248]
:drop-and-log-it - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p udp -m udp --dport 110 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p udp -m udp --dport 25 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 54681 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -p udp -m udp --dport 54681 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 217.55.134.22 -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.78 -i eth1 -p tcp -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.2 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -d 217.58.77.224/255.255.255.240 -i eth1 -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 217.58.77.224/255.255.255.240 -i eth1 -p udp -m udp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.84.1 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -j drop-and-log-it
-A INPUT -d 192.168.2.7 -i eth1 -p icmp -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p tcp -m tcp --sport 21 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p udp -m udp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p udp -m udp --sport 21 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p udp -m udp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p udp -m udp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j drop-and-log-it
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p udp -m udp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 6881,6882,6883,6884,6885,6886,6887,muse,6889,kazaa -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports 6881,6882,6883,6884,6885,6886,6887,muse,6889,kazaa -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m multiport --dports gnutella-svc,gnutella-rtr -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports gnutella-svc,gnutella-rtr -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports 4711,4665,kar2ouche,rfa,4662,http-alt,9955 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 4242:4299 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m udp --dport 4242:4299 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 6881:6999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m udp --dport 6881:6999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth1 -o eth1 -p tcp -m tcp --dport 54681 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth1 -o eth1 -p udp -m udp --dport 54681 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.4.0/255.255.255.0 -i eth1 -o eth1 -p tcp -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.4.0/255.255.255.0 -i eth1 -o eth1 -p udp -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 217.55.134.22 -i eth1 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.78 -i eth1 -o eth1 -p tcp -j ACCEPT
-A FORWARD -i eth1 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.7 -i eth1 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -j drop-and-log-it
-A OUTPUT -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -o eth1 -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.4.0/255.255.255.0 -p tcp -j ACCEPT
-A OUTPUT -d 192.168.4.0/255.255.255.0 -p udp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.2.7 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -s 192.168.2.7 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth1 -j drop-and-log-it
-A OUTPUT -s 192.168.2.7 -o eth1 -j ACCEPT
-A OUTPUT -j drop-and-log-it
-A drop-and-log-it -j LOG --log-prefix "PUPPUFIREWALL" --log-level info
-A drop-and-log-it -j DROP
COMMIT
# Completed on Tue Feb 15 12:08:26 2005
# Generated by iptables-save v1.2.8 on Tue Feb 15 12:08:26 2005
*nat
:PREROUTING ACCEPT [132819:9929714]
:POSTROUTING ACCEPT [366:23571]
:OUTPUT ACCEPT [574:72057]
-A PREROUTING -s 192.168.2.0/255.255.255.0 -d ! 192.168.2.7 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.2.7
COMMIT
# Completed on Tue Feb 15 12:08:26 2005

Luca

-- 
Luca Ferrari, fluca1978@xxxxxxxxxxx
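As an added example (not part of Luca's post), the check I would run before touching the ruleset: parse the logged packet and replay it against the FORWARD rules in chain order, so the rule that produced the drop is identified rather than guessed. It assumes the log line and rules quoted above, and it only understands the basic matches those rules use (-s, -d, -i, -o, -p, --dport).

```python
import ipaddress
import re

# Constructed sample taken from the post: one logged drop and three of the saved FORWARD rules.
LOG_LINE = ("Feb 14 11:45:52 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 "
            "SRC=192.168.2.200 DST=217.97.32.2 LEN=50 TOS=0x00 PREC=0x00 TTL=126 "
            "ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=30")
RULES = [
    "-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT",
    "-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT",
    "-A FORWARD -j drop-and-log-it",
]

def parse_log(line):
    """Extract the netfilter LOG fields. The --log-prefix has no trailing space, so IN= is
    glued to it (PUPPUFIREWALLIN=eth1); matching on key names rather than on tokens copes."""
    return dict(re.findall(r"(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)", line))

def parse_rule(rule):
    """Reduce one iptables-save line to the criteria this checker understands
    (-s, -d, -i, -o, -p, --dport, -j); other matches such as -m state are ignored."""
    tokens = rule.split()
    r = {"chain": tokens[1], "text": rule}
    for opt, val in zip(tokens[2::2], tokens[3::2]):  # every option in the dump takes one argument
        if opt in ("-s", "-d"):
            r[opt] = ipaddress.ip_network(val, strict=False)  # accepts dotted netmasks too
        elif opt == "--dport":
            lo, _, hi = val.partition(":")
            r["dport"] = (int(lo), int(hi or lo))
        elif opt in ("-i", "-o", "-p", "-j"):
            r[opt] = val
    return r

def first_match(pkt, rules):
    """Walk the chain in order, as netfilter does, and return the first rule the packet hits."""
    src, dst = ipaddress.ip_address(pkt["SRC"]), ipaddress.ip_address(pkt["DST"])
    proto, dport = pkt["PROTO"].lower(), int(pkt["DPT"])
    for r in rules:
        if ("-s" in r and src not in r["-s"]) or ("-d" in r and dst not in r["-d"]):
            continue
        if r.get("-i", pkt["IN"]) != pkt["IN"] or r.get("-o", pkt["OUT"]) != pkt["OUT"]:
            continue
        if r.get("-p", proto) != proto or ("dport" in r and not r["dport"][0] <= dport <= r["dport"][1]):
            continue
        return r
    return None

def verdict(log_line, rule_lines):  # (target, rule text) of the first rule the logged packet matches
    r = first_match(parse_log(log_line), [parse_rule(x) for x in rule_lines])
    return (r["-j"], r["text"]) if r else ("chain policy", None)
```

Run against the quoted log line, the packet falls through every ACCEPT and lands on the catch-all drop-and-log-it rule, which is what the log shows; comparing the DST field with the -d of each ACCEPT rule is then the natural next step.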