On Tuesday 15 February 2005 21:09 Andreas Unterkircher's cat walking on the keyboard wrote:

> As far as I can see and understand your intent, you are only forwarding
> (FORWARD chain) the internal request to the external interfaces.
> Since private networks (10/8, 172.16/16, 192.168/24) are not routed in
> the public internet you have to masquerade (NAT) the outgoing
> request, so it doesn't contain the internal IPs anymore:
>
> -A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1
> -p tcp -m tcp --dport 53 -j SNAT --to $YOUR_EXTERNAL_IP_IN_THE_INTERNET
>

I'm not sure what you're saying, since the machine goes on the internet through an ADSL router that performs NAT by itself, so the firewall, as far as I'll use eth1 both as internal and external interface, will only forward requests to the ADSL router.

However, here is the output of iptables -L -n:

firewall:~ # iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       192.168.2.0/24
ACCEPT     all  --  192.168.2.7          0.0.0.0/0
ACCEPT     tcp  --  192.168.2.0/24       212.97.32.2          tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       212.97.32.2          udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       151.99.250.2         tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       151.99.250.2         udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       195.223.145.5        tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       195.223.145.5        udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.15        tcp dpt:110
ACCEPT     udp  --  192.168.2.0/24       192.106.77.15        udp dpt:110
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.15        tcp dpt:25
ACCEPT     udp  --  192.168.2.0/24       192.106.77.15        udp dpt:25
ACCEPT     tcp  --  192.168.2.0/24       0.0.0.0/0            tcp dpt:54681
ACCEPT     udp  --  192.168.2.0/24       0.0.0.0/0            udp dpt:54681
ACCEPT     tcp  --  192.168.2.0/24       217.55.134.22        tcp dpt:21
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.78
ACCEPT     tcp  --  192.168.2.0/24       192.168.2.7          tcp dpt:8080
ACCEPT     udp  --  192.168.2.0/24       192.168.2.7          udp dpt:8080
ACCEPT     tcp  --  192.168.2.0/24       192.168.2.7          tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       192.168.2.7          udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       192.168.2.7          tcp dpts:137:139
ACCEPT     udp  --  192.168.2.0/24       192.168.2.7          udp dpts:137:139
ACCEPT     tcp  --  192.168.2.0/24       192.168.2.7          tcp dpt:445
ACCEPT     udp  --  192.168.2.0/24       192.168.2.7          udp dpt:445
ACCEPT     tcp  --  192.168.2.2          192.168.2.7          tcp dpt:23
REJECT     tcp  --  0.0.0.0/0            217.58.77.224/28     tcp dpt:23 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            217.58.77.224/28     udp dpt:23 reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.84.1         192.168.2.7          tcp dpt:23
drop-and-log-it  all  --  192.168.2.0/24       0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            192.168.2.7
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.7          state NEW,RELATED,ESTABLISHED tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.7          tcp spts:1024:65535 dpt:21
ACCEPT     tcp  --  192.168.2.7          0.0.0.0/0            tcp spt:21 dpts:1024:65535
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.7          tcp spts:1024:65535 dpt:20
ACCEPT     tcp  --  192.168.2.7          0.0.0.0/0            tcp spt:20 dpts:1024:65535
ACCEPT     udp  --  0.0.0.0/0            192.168.2.7          udp spts:1024:65535 dpt:21
ACCEPT     udp  --  192.168.2.7          0.0.0.0/0            udp spt:21 dpts:1024:65535
ACCEPT     udp  --  0.0.0.0/0            192.168.2.7          udp spts:1024:65535 dpt:20
ACCEPT     udp  --  192.168.2.7          0.0.0.0/0            udp spt:20 dpts:1024:65535
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            192.168.2.7          state RELATED,ESTABLISHED
drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:111 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:111 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       192.168.2.0/24
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6881,6882,6883,6884,6885,6886,6887,6888,6889,1214 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6881,6882,6883,6884,6885,6886,6887,6888,6889,1214 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6346,6347 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6346,6347 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 4711,4665,4661,4672,4662,8080,9955 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:4242:4299 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:4242:4299 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:6881:6999 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6881:6999 reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.2.0/24       0.0.0.0/0            tcp dpt:54681
ACCEPT     udp  --  192.168.2.0/24       0.0.0.0/0            udp dpt:54681
ACCEPT     tcp  --  192.168.2.0/24       192.168.4.0/24
ACCEPT     udp  --  192.168.2.0/24       192.168.4.0/24
ACCEPT     tcp  --  192.168.2.0/24       217.55.134.22        tcp dpt:21
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.78
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.2.7          0.0.0.0/0
ACCEPT     tcp  --  192.168.2.0/24       212.97.32.2          tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       212.97.32.2          udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       151.99.250.2         tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       151.99.250.2         udp dpt:53
ACCEPT     udp  --  192.168.2.0/24       195.223.145.5        udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       195.223.145.5        tcp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.15        tcp dpt:110
ACCEPT     udp  --  192.168.2.0/24       192.106.77.15        udp dpt:110
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.15        tcp dpt:25
ACCEPT     udp  --  192.168.2.0/24       192.106.77.15        udp dpt:25
ACCEPT     tcp  --  192.168.2.0/24       85.33.98.138         tcp dpt:110
ACCEPT     udp  --  192.168.2.0/24       85.33.98.138         udp dpt:110
ACCEPT     tcp  --  192.168.2.0/24       85.33.98.138         tcp dpt:25
ACCEPT     udp  --  192.168.2.0/24       85.33.98.138         udp dpt:25
ACCEPT     tcp  --  192.168.2.0/24       85.33.98.138         tcp dpt:25
ACCEPT     udp  --  192.168.2.0/24       85.33.98.138         udp dpt:25
ACCEPT     tcp  --  192.168.2.0/24       151.4.29.163         tcp dpt:110
ACCEPT     udp  --  192.168.2.0/24       151.4.29.163         udp dpt:110
ACCEPT     tcp  --  192.168.2.0/24       151.4.29.163         tcp dpt:25
ACCEPT     udp  --  192.168.2.0/24       151.4.29.163         udp dpt:25
drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       192.168.2.0/24
ACCEPT     tcp  --  0.0.0.0/0            192.168.4.0/24
ACCEPT     udp  --  0.0.0.0/0            192.168.4.0/24
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.2.7          192.168.2.0/24
ACCEPT     all  --  192.168.2.7          192.168.2.0/24
drop-and-log-it  all  --  0.0.0.0/0            192.168.2.0/24
ACCEPT     all  --  192.168.2.7          0.0.0.0/0
drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (5 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `PUPPUFIREWALL'
DROP       all  --  0.0.0.0/0            0.0.0.0/0
firewall:~ #

Any idea?

Luca

--
Luca Ferrari, fluca1978@xxxxxxxxxxx
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
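A listing this long is hard to check by eye, and the thing most worth checking in it is rule order: in each chain the first terminating rule that matches "all anywhere -> anywhere" ends evaluation, so every rule after it is dead. The script below is an added example (my own code, not part of Luca's or Andreas's messages) that parses `iptables -L -n` output and reports such shadowing. `SAMPLE_LISTING` is a constructed, trimmed copy of the chains in the thread; the reference count on `drop-and-log-it` in the sample is an assumption for the demo, and the helper names (`parse_listing`, `terminates`, `find_shadowed`) are mine.

```python
"""Flag terminating catch-all rules that make later rules in an iptables chain unreachable.

Input is the text of `iptables -L -n` for the filter table. The sample below is a
constructed, trimmed copy of the listing in the thread; real output is much longer.
"""
import re
from dataclasses import dataclass

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # built-in verdicts that end evaluation
ANY = "0.0.0.0/0"

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
# target prot opt source destination [match options...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/16
ACCEPT     tcp  --  192.168.2.0/24       212.97.32.2          tcp dpt:53
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/16
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.2.0/24       212.97.32.2          tcp dpt:53
drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/16
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
drop-and-log-it  all  --  0.0.0.0/0            192.168.2.0/24

Chain drop-and-log-it (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `PUPPUFIREWALL'
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    target: str
    prot: str
    src: str
    dst: str
    extra: str  # match options after the destination column, "" if none

    def is_catch_all(self) -> bool:
        """True when nothing in the listing restricts the rule.

        Caveat: `-L -n` without `-v` hides -i/-o, so an apparent catch-all may
        really be bound to one interface (e.g. `-i lo`). Confirm with `-L -n -v`.
        """
        return self.prot == "all" and self.src == ANY and self.dst == ANY and not self.extra


def parse_listing(text: str) -> dict:
    """Return {chain: {"policy": str | None, "rules": [Rule, ...]}} in listing order."""
    chains: dict = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.startswith("target "):
            continue  # column header (or text before the first chain)
        m = RULE_RE.match(line)
        if m:
            target, prot, _opt, src, dst, extra = m.groups()
            chains[current]["rules"].append(Rule(target, prot, src, dst, extra.strip()))
    return chains


def terminates(target: str, chains: dict) -> bool:
    """A built-in verdict ends evaluation; a user chain does only if it always ends in one."""
    if target in TERMINATING:
        return True
    chain = chains.get(target)
    if not chain or not chain["rules"]:
        return False  # LOG, RETURN, unknown or empty chain: packet continues
    last = chain["rules"][-1]
    return last.is_catch_all() and last.target in TERMINATING


def find_shadowed(chains: dict) -> list:
    """(chain, rule_no, target, shadowed_count) for each chain whose first
    terminating catch-all is followed by rules that can never be reached."""
    findings = []
    for name, chain in chains.items():
        rules = chain["rules"]
        for i, rule in enumerate(rules):
            if rule.is_catch_all() and terminates(rule.target, chains):
                shadowed = len(rules) - i - 1
                if shadowed:
                    findings.append((name, i + 1, rule.target, shadowed))
                break  # nothing after this rule is evaluated
    return findings


if __name__ == "__main__":
    for chain, rule_no, target, count in find_shadowed(parse_listing(SAMPLE_LISTING)):
        print(f"{chain}: rule {rule_no} ({target} all {ANY} -> {ANY}) shadows {count} later rule(s); "
              f"check `iptables -L -n -v` for a hidden -i/-o match")
```

Two caveats when reading the results against a real box. `iptables -L -n` without `-v` omits the `-i`/`-o` interface columns, so a rule shown as `ACCEPT all 0.0.0.0/0 0.0.0.0/0` may in fact be limited to one interface; `iptables -L -n -v` or `iptables-save` shows the complete rule. And the `POSTROUTING`/`SNAT` rule Andreas is talking about lives in the nat table, which the default `iptables -L` (filter table) does not print at all; `iptables -t nat -L -n` lists it.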