Re: Are pre-/postrouting states device independent?

On 02.05.11 12:07, Jan Engelhardt wrote:
> On Monday 2011-05-02 11:37, Falk Nisius wrote:
> 
>> I have a box with some virtual machines.
>> One of them has a firewalling function without any natting,
>> like the following scheme.
>>
>> +--------+
>> |        |192.168.11.42/30
>> | guest1 |------------------+
>> |        |       br11       |
>> +--------+                  |  192.168.11.41/30  +---------+
>>                            +--------------------|         |
>>                                                 | guest3  |
>> +--------+                  +--------------------| (fw)    |
>> |        |192.168.11.46/30  |  192.168.11.45/30  +---------+
>> | guest2 |------------------+                         | 192.168.10.2/30
>> |        |       br12                                 | hostnet
>> +--------+
>>
>> The traffic on the br11 and br12 is allowed.
>> There is an rule to SNAT guest1 to extern-IP-one
>> There is an rule to SNAT guest2 to extern-IP-two
>> There is an rule to SNAT guest3 to extern-IP-three
> 
> You will have to post the entire rules, not some fragment, and in
> iptables-save -c format.
> 
Sorry, it will be a long post; I haven't reduced the ruleset, which is 192
lines. Line 97 is the interesting SNAT. I also added a log file to
see the traffic from 192.168.11.46 in one case and from 192.168.10.2 in
the other case:


iptables-save -c
-----------------------------------------------------------------------
# Generated by iptables-save v1.4.4 on Mon May  2 12:55:54 2011
*nat
:PREROUTING ACCEPT [237:15672]
:OUTPUT ACCEPT [46:3080]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -d 127.0.0.1/32 -i lo -j ACCEPT
[1:60] -A PREROUTING -d 178.63.21.11/32 -j ULOG --ulog-prefix "prerout  "
[0:0] -A PREROUTING -d 46.4.84.231/32 -i eth0 -p icmp -m icmp
--icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -d 46.4.84.231/32 -i eth0 -p icmp -m icmp
--icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[5:300] -A PREROUTING -d 46.4.84.231/32 -i eth0 -p tcp -m tcp --dport 22
-m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 46.4.84.231/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 46.4.84.232/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 188.40.120.5/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 188.40.120.22/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 178.63.21.11/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 178.63.67.86/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 178.63.67.87/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -d 46.4.84.231/32 -i eth0 -p tcp -m tcp --sport 80
-m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 78.46.1.93/32 -d 46.4.84.231/32 -i eth0 -p tcp -m
tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 188.40.2.183/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 188.40.2.183/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 188.40.2.183/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 1024:65535 --dport 1024:65535 -m state --state
ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 188.40.2.183/32 -d 46.4.84.231/32 -i eth0 -p tcp
-m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 192.168.10.2/32 -i hostnet -p icmp -m icmp
--icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 192.168.10.2/32 -i hostnet -p tcp -m tcp --dport
80 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 192.168.10.2/32 -i hostnet -p tcp -m tcp --dport
443 -m state --state NEW,ESTABLISHED -j ACCEPT
[4:295] -A PREROUTING -s 192.168.10.2/32 -d 213.133.98.98/32 -i hostnet
-p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
[4:295] -A PREROUTING -s 192.168.10.2/32 -d 213.133.99.99/32 -i hostnet
-p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
[4:295] -A PREROUTING -s 192.168.10.2/32 -d 213.133.100.100/32 -i
hostnet -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 192.168.10.2/32 -d 213.239.239.164/32 -i hostnet
-p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 192.168.10.2/32 -d 213.239.239.165/32 -i hostnet
-p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 192.168.10.2/32 -d 213.239.239.166/32 -i hostnet
-p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
[6:384] -A PREROUTING -d 46.4.84.231/32 -i eth0 -p tcp -m tcp --dport
443 -m state --state NEW,ESTABLISHED -j DNAT --to-destination 192.168.10.2
[0:0] -A PREROUTING -d 46.4.84.231/32 -i eth0 -p udp -m udp --dport 1196
-m state --state NEW,ESTABLISHED -j DNAT --to-destination 192.168.10.2
[0:0] -A PREROUTING -d 46.4.84.231/32 -i eth0 -p udp -m udp --dport 1194
-m state --state NEW,ESTABLISHED -j DNAT --to-destination 192.168.10.2
[0:0] -A PREROUTING -s 192.168.10.2/32 -d 178.63.67.86/32 -i hostnet -p
udp -m udp --dport 1195 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 192.168.10.2/32 -d 178.63.67.87/32 -i hostnet -p
udp -m udp --dport 1195 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A PREROUTING -s 192.168.11.46/32 -i hostnet -j ACCEPT
[0:0] -A PREROUTING -d 192.168.10.1/32 -i lo -j ACCEPT
[0:0] -A PREROUTING -i hostnet -j ACCEPT
[12:1020] -A PREROUTING -i br_12 -j ACCEPT
[1:28] -A PREROUTING -j ULOG --ulog-prefix "PREROUT  "
[0:0] -A OUTPUT -s 127.0.0.1/32 -o lo -j ACCEPT
[0:0] -A OUTPUT -d 178.63.21.11/32 -j ULOG --ulog-prefix "noutput  "
[0:0] -A OUTPUT -s 46.4.84.231/32 -o eth0 -p icmp -m icmp --icmp-type 8
-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -o eth0 -p icmp -m icmp --icmp-type 0
-m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -o eth0 -p tcp -m tcp --sport 22 -m
state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 46.4.84.231/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 46.4.84.232/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.120.5/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.120.22/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 178.63.21.11/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 178.63.67.86/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 178.63.67.87/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -o eth0 -p tcp -m tcp --dport 80 -m
state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 78.46.1.93/32 -o eth0 -p tcp -m tcp
--dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp -m
tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp -m
tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp -m
tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 192.168.10.1/32 -o lo -j ACCEPT
[7:616] -A OUTPUT -o hostnet -j ACCEPT
[0:0] -A OUTPUT -o br_12 -j ACCEPT
[0:0] -A OUTPUT -j ULOG --ulog-prefix "nOUTPUT  "
[0:0] -A POSTROUTING -s 127.0.0.1/32 -o lo -j ACCEPT
[1:60] -A POSTROUTING -d 178.63.21.11/32 -j ULOG --ulog-prefix "postrout "
[0:0] -A POSTROUTING -s 46.4.84.231/32 -o eth0 -p icmp -m icmp
--icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -o eth0 -p icmp -m icmp
--icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -o eth0 -p tcp -m tcp --sport 22
-m state --state ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 46.4.84.231/32 -o eth0 -p tcp
-m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 46.4.84.232/32 -o eth0 -p tcp
-m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 188.40.120.5/32 -o eth0 -p tcp
-m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 188.40.120.22/32 -o eth0 -p
tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 178.63.21.11/32 -o eth0 -p tcp
-m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 178.63.67.86/32 -o eth0 -p tcp
-m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 178.63.67.87/32 -o eth0 -p tcp
-m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -o eth0 -p tcp -m tcp --dport 80
-m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 78.46.1.93/32 -o eth0 -p tcp
-m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp
-m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp
-m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp
-m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp
-m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 192.168.10.2/32 -o eth0 -p icmp -m icmp
--icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j SNAT
--to-source 46.4.84.231
[0:0] -A POSTROUTING -s 192.168.10.2/32 -o eth0 -p tcp -m tcp --dport 80
-m state --state NEW,ESTABLISHED -j SNAT --to-source 46.4.84.231
[0:0] -A POSTROUTING -s 192.168.10.2/32 -o eth0 -p tcp -m tcp --dport
443 -m state --state NEW,ESTABLISHED -j SNAT --to-source 46.4.84.231
[4:295] -A POSTROUTING -s 192.168.10.2/32 -d 213.133.98.98/32 -o eth0 -p
udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j SNAT
--to-source 46.4.84.231
[4:295] -A POSTROUTING -s 192.168.10.2/32 -d 213.133.99.99/32 -o eth0 -p
udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j SNAT
--to-source 46.4.84.231
[4:295] -A POSTROUTING -s 192.168.10.2/32 -d 213.133.100.100/32 -o eth0
-p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j SNAT
--to-source 46.4.84.231
[0:0] -A POSTROUTING -s 192.168.10.2/32 -d 213.239.239.164/32 -o eth0 -p
udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j SNAT
--to-source 46.4.84.231
[0:0] -A POSTROUTING -s 192.168.10.2/32 -d 213.239.239.165/32 -o eth0 -p
udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j SNAT
--to-source 46.4.84.231
[0:0] -A POSTROUTING -s 192.168.10.2/32 -d 213.239.239.166/32 -o eth0 -p
udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j SNAT
--to-source 46.4.84.231
[6:384] -A POSTROUTING -d 192.168.10.2/32 -o hostnet -p tcp -m tcp
--dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -d 192.168.10.2/32 -o hostnet -p udp -m udp --dport
1196 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -d 192.168.10.2/32 -o hostnet -p udp -m udp --dport
1194 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A POSTROUTING -s 192.168.10.2/32 -d 178.63.67.86/32 -o eth0 -p
udp -m udp --dport 1195 -m state --state NEW,ESTABLISHED -j SNAT
--to-source 46.4.84.231
[0:0] -A POSTROUTING -s 192.168.10.2/32 -d 178.63.67.87/32 -o eth0 -p
udp -m udp --dport 1195 -m state --state NEW,ESTABLISHED -j SNAT
--to-source 46.4.84.231
[0:0] -A POSTROUTING -s 192.168.11.46/32 -o eth0 -j SNAT --to-source
46.4.84.252
[0:0] -A POSTROUTING -s 192.168.10.1/32 -o lo -j ACCEPT
[7:616] -A POSTROUTING -o hostnet -j ACCEPT
[12:1020] -A POSTROUTING -o br_12 -j ACCEPT
[0:0] -A POSTROUTING -j ULOG --ulog-prefix "POSTROUT "
COMMIT
# Completed on Mon May  2 12:55:54 2011
# Generated by iptables-save v1.4.4 on Mon May  2 12:55:54 2011
*filter
:INPUT DROP [2:80]
:FORWARD DROP [10:798]
:OUTPUT DROP [10:400]
[0:0] -A INPUT -d 127.0.0.1/32 -i lo -j ACCEPT
[0:0] -A INPUT -d 178.63.21.11/32 -j ULOG --ulog-prefix "input    "
[0:0] -A INPUT -d 46.4.84.231/32 -i eth0 -p icmp -m icmp --icmp-type 0
-m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -d 46.4.84.231/32 -i eth0 -p icmp -m icmp --icmp-type 8
-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[5:300] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW
-m recent --set --name DEFAULT --rsource
[10:544] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state
NEW,ESTABLISHED -m recent --update --seconds 60 --hitcount 3 --name
DEFAULT --rsource -j REJECT --reject-with tcp-reset
[192:15152] -A INPUT -d 46.4.84.231/32 -i eth0 -p tcp -m tcp --dport 22
-m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 46.4.84.231/32 -d 46.4.84.231/32 -i eth0 -p tcp -m tcp
--sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 46.4.84.232/32 -d 46.4.84.231/32 -i eth0 -p tcp -m tcp
--sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 188.40.120.5/32 -d 46.4.84.231/32 -i eth0 -p tcp -m
tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 188.40.120.22/32 -d 46.4.84.231/32 -i eth0 -p tcp -m
tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 178.63.21.11/32 -d 46.4.84.231/32 -i eth0 -p tcp -m
tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 178.63.67.86/32 -d 46.4.84.231/32 -i eth0 -p tcp -m
tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 178.63.67.87/32 -d 46.4.84.231/32 -i eth0 -p tcp -m
tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -d 46.4.84.231/32 -i eth0 -p tcp -m tcp --sport 80 -m
state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 78.46.1.93/32 -d 46.4.84.231/32 -i eth0 -p tcp -m tcp
--sport 443 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 188.40.2.183/32 -d 46.4.84.231/32 -i eth0 -p tcp -m
tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 188.40.2.183/32 -d 46.4.84.231/32 -i eth0 -p tcp -m
tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 188.40.2.183/32 -d 46.4.84.231/32 -i eth0 -p tcp -m
tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED
-j ACCEPT
[0:0] -A INPUT -s 188.40.2.183/32 -d 46.4.84.231/32 -i eth0 -p tcp -m
tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -d 192.168.10.1/32 -i lo -j ACCEPT
[219:14400] -A INPUT -i hostnet -j ACCEPT
[2:64] -A INPUT -i br_12 -j ACCEPT
[1:28] -A INPUT -j ULOG --ulog-prefix "INPUT    "
[8:480] -A FORWARD -d 178.63.21.11/32 -j ULOG --ulog-prefix "forward  "
[0:0] -A FORWARD -s 192.168.10.2/32 -i hostnet -o eth0 -p icmp -m icmp
--icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -d 192.168.10.2/32 -i eth0 -o hostnet -p icmp -m icmp
--icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.10.2/32 -i hostnet -o eth0 -p tcp -m tcp
--dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -d 192.168.10.2/32 -i eth0 -o hostnet -p tcp -m tcp
--sport 80 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.10.2/32 -i hostnet -o eth0 -p tcp -m tcp
--dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -d 192.168.10.2/32 -i eth0 -o hostnet -p tcp -m tcp
--sport 443 -m state --state ESTABLISHED -j ACCEPT
[4:295] -A FORWARD -s 192.168.10.2/32 -d 213.133.98.98/32 -i hostnet -o
eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
[4:588] -A FORWARD -s 213.133.98.98/32 -d 192.168.10.2/32 -i eth0 -o
hostnet -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
[4:295] -A FORWARD -s 192.168.10.2/32 -d 213.133.99.99/32 -i hostnet -o
eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
[4:588] -A FORWARD -s 213.133.99.99/32 -d 192.168.10.2/32 -i eth0 -o
hostnet -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
[4:295] -A FORWARD -s 192.168.10.2/32 -d 213.133.100.100/32 -i hostnet
-o eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
[4:588] -A FORWARD -s 213.133.100.100/32 -d 192.168.10.2/32 -i eth0 -o
hostnet -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
[1:76] -A FORWARD -s 192.168.10.2/32 -d 213.239.239.164/32 -i hostnet -o
eth0 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
[1:76] -A FORWARD -s 213.239.239.164/32 -d 192.168.10.2/32 -i eth0 -o
hostnet -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
[1:76] -A FORWARD -s 192.168.10.2/32 -d 213.239.239.165/32 -i hostnet -o
eth0 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
[1:76] -A FORWARD -s 213.239.239.165/32 -d 192.168.10.2/32 -i eth0 -o
hostnet -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
[2:152] -A FORWARD -s 192.168.10.2/32 -d 213.239.239.166/32 -i hostnet
-o eth0 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j
ACCEPT
[2:152] -A FORWARD -s 213.239.239.166/32 -d 192.168.10.2/32 -i eth0 -o
hostnet -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
[207:32698] -A FORWARD -d 192.168.10.2/32 -i eth0 -o hostnet -p tcp -m
tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
[427:443820] -A FORWARD -s 192.168.10.2/32 -i hostnet -o eth0 -p tcp -m
tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
[2942:360158] -A FORWARD -d 192.168.10.2/32 -i eth0 -o hostnet -p udp -m
udp --dport 1196 -m state --state NEW,ESTABLISHED -j ACCEPT
[4119:627911] -A FORWARD -s 192.168.10.2/32 -i hostnet -o eth0 -p udp -m
udp --sport 1196 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -d 192.168.10.2/32 -i eth0 -o hostnet -p udp -m udp
--dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.10.2/32 -i hostnet -o eth0 -p udp -m udp
--sport 1194 -m state --state ESTABLISHED -j ACCEPT
[21:2133] -A FORWARD -s 192.168.10.2/32 -d 178.63.67.86/32 -i hostnet -o
eth0 -p udp -m udp --dport 1195 -m state --state NEW,ESTABLISHED -j ACCEPT
[21:2181] -A FORWARD -s 178.63.67.86/32 -d 192.168.10.2/32 -i eth0 -o
hostnet -p udp -m udp --sport 1195 -m state --state ESTABLISHED -j ACCEPT
[21:2133] -A FORWARD -s 192.168.10.2/32 -d 178.63.67.87/32 -i hostnet -o
eth0 -p udp -m udp --dport 1195 -m state --state NEW,ESTABLISHED -j ACCEPT
[21:2181] -A FORWARD -s 178.63.67.87/32 -d 192.168.10.2/32 -i eth0 -o
hostnet -p udp -m udp --sport 1195 -m state --state ESTABLISHED -j ACCEPT
[7:384] -A FORWARD -s 192.168.11.46/32 -i hostnet -o eth0 -j ACCEPT
[0:0] -A FORWARD -d 192.168.11.46/32 -i eth0 -o hostnet -j ACCEPT
[0:0] -A FORWARD -i hostnet -j ACCEPT
[0:0] -A FORWARD -o hostnet -j ACCEPT
[7024:449355] -A FORWARD -i br_12 -j ACCEPT
[0:0] -A FORWARD -o br_12 -j ACCEPT
[0:0] -A FORWARD -j ULOG --ulog-prefix "FORWARD  "
[0:0] -A OUTPUT -s 127.0.0.1/32 -o lo -j ACCEPT
[0:0] -A OUTPUT -d 178.63.21.11/32 -j ULOG --ulog-prefix "output   "
[0:0] -A OUTPUT -s 46.4.84.231/32 -o eth0 -p icmp -m icmp --icmp-type 8
-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -o eth0 -p icmp -m icmp --icmp-type 0
-m state --state RELATED,ESTABLISHED -j ACCEPT
[152:41730] -A OUTPUT -s 46.4.84.231/32 -o eth0 -p tcp -m tcp --sport 22
-m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 46.4.84.231/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 46.4.84.232/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.120.5/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.120.22/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 178.63.21.11/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 178.63.67.86/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 178.63.67.87/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -o eth0 -p tcp -m tcp --dport 80 -m
state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 78.46.1.93/32 -o eth0 -p tcp -m tcp
--dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp -m
tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp -m
tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp -m
tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 46.4.84.231/32 -d 188.40.2.183/32 -o eth0 -p tcp -m
tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 192.168.10.1/32 -o lo -j ACCEPT
[217:14056] -A OUTPUT -o hostnet -j ACCEPT
[0:0] -A OUTPUT -o br_12 -j ACCEPT
[10:400] -A OUTPUT -j ULOG --ulog-prefix "OUTPUT   "
COMMIT
# Completed on Mon May  2 12:55:54 2011


packet logs
---------------------------------------------------------------------

May  2 12:52:31 root1 prerout   IN=br_12 OUT=
MAC=52:54:00:12:34:57:52:54:00:12:34:58:08:00  SRC=192.168.11.46
DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=22565 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=36353
May  2 12:52:31 root1 forward   IN=br_12 OUT=br_12
MAC=52:54:00:12:34:57:52:54:00:12:34:58:08:00  SRC=192.168.11.46
DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=22565 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=36353
May  2 12:52:31 root1 postrout  IN= OUT=br_12 MAC= SRC=192.168.11.46
DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=22565 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=36353
May  2 12:52:31 root1 forward   IN=hostnet OUT=eth0
MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.11.46
DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=126 ID=22565 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=36353
May  2 12:52:36 root1 forward   IN=br_12 OUT=br_12
MAC=52:54:00:12:34:57:52:54:00:12:34:58:08:00  SRC=192.168.11.46
DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=22659 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=36609
May  2 12:52:36 root1 forward   IN=hostnet OUT=eth0
MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.11.46
DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=126 ID=22659 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=36609
May  2 12:52:42 root1 forward   IN=br_12 OUT=br_12
MAC=52:54:00:12:34:57:52:54:00:12:34:58:08:00  SRC=192.168.11.46
DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=22776 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=36865
May  2 12:52:42 root1 forward   IN=hostnet OUT=eth0
MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.11.46
DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=126 ID=22776 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=36865
May  2 12:52:47 root1 forward   IN=br_12 OUT=br_12
MAC=52:54:00:12:34:57:52:54:00:12:34:58:08:00  SRC=192.168.11.46
DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=22887 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=37121
May  2 12:52:47 root1 forward   IN=hostnet OUT=eth0
MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.11.46
DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=126 ID=22887 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=37121

May  2 12:58:56 root1 prerout   IN=hostnet OUT=
MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.10.2
DST=178.63.21.11 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=2433 PROTO=ICMP
TYPE=8 CODE=0 ID=1767 SEQ=0
May  2 12:58:56 root1 forward   IN=hostnet OUT=eth0
MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.10.2
DST=178.63.21.11 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=2433 PROTO=ICMP
TYPE=8 CODE=0 ID=1767 SEQ=0
May  2 12:58:56 root1 postrout  IN= OUT=eth0 MAC= SRC=192.168.10.2
DST=178.63.21.11 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=2433 PROTO=ICMP
TYPE=8 CODE=0 ID=1767 SEQ=0
May  2 12:58:57 root1 forward   IN=hostnet OUT=eth0
MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.10.2
DST=178.63.21.11 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=4026 PROTO=ICMP
TYPE=8 CODE=0 ID=1767 SEQ=1
May  2 12:58:58 root1 forward   IN=hostnet OUT=eth0
MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.10.2
DST=178.63.21.11 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=61758 CE PROTO=ICMP
TYPE=8 CODE=0 ID=1767 SEQ=2

Thanks for help
Falk
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
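Added diagnostic, not code from the thread or from the netfilter project: a small Python script that groups the ULOG lines posted above by packet identity (SRC, DST, PROTO, IP ID, ICMP ID, SEQ) and lists each packet's hops through the prerout/forward/postrout log rules. The sample lines are copied from the logs above with the wrapped lines joined; function names are mine.

```python
import re
from collections import defaultdict

# ULOG lines from the logs posted above (one echo request from guest2 at
# 192.168.11.46, one from guest3 at 192.168.10.2), wrapped lines joined.
LOG = """\
May  2 12:52:31 root1 prerout   IN=br_12 OUT= MAC=52:54:00:12:34:57:52:54:00:12:34:58:08:00  SRC=192.168.11.46 DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=22565 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36353
May  2 12:52:31 root1 forward   IN=br_12 OUT=br_12 MAC=52:54:00:12:34:57:52:54:00:12:34:58:08:00  SRC=192.168.11.46 DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=22565 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36353
May  2 12:52:31 root1 postrout  IN= OUT=br_12 MAC= SRC=192.168.11.46 DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=22565 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36353
May  2 12:52:31 root1 forward   IN=hostnet OUT=eth0 MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.11.46 DST=178.63.21.11 LEN=60 TOS=00 PREC=0x00 TTL=126 ID=22565 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36353
May  2 12:58:56 root1 prerout   IN=hostnet OUT= MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.10.2 DST=178.63.21.11 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=2433 PROTO=ICMP TYPE=8 CODE=0 ID=1767 SEQ=0
May  2 12:58:56 root1 forward   IN=hostnet OUT=eth0 MAC=ba:ad:b3:2f:1b:0b:52:54:00:12:34:56:08:00  SRC=192.168.10.2 DST=178.63.21.11 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=2433 PROTO=ICMP TYPE=8 CODE=0 ID=1767 SEQ=0
May  2 12:58:56 root1 postrout  IN= OUT=eth0 MAC= SRC=192.168.10.2 DST=178.63.21.11 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=2433 PROTO=ICMP TYPE=8 CODE=0 ID=1767 SEQ=0
"""

# syslog timestamp, host, ULOG prefix (padded with spaces), then the KEY=VALUE fields
LINE_RE = re.compile(r"^(?P<ts>\S+\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<prefix>\S+)\s+(?P<rest>IN=.*)$")


def parse_ulog_line(line):
    """Return the fields of one ULOG line as a dict, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for tok in m.group("rest").split():
        if "=" not in tok:          # e.g. the bare "CE" flag in one of the posted lines
            continue
        k, v = tok.split("=", 1)
        if k == "ID":               # ID= appears twice: IP header id first, then ICMP id
            k = "IP_ID" if "IP_ID" not in rec else "ICMP_ID"
        rec[k] = v
    return rec


def trace(log_text):
    """Group lines by packet identity, keeping the order in which the host saw each hop."""
    hops = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_ulog_line(line)
        if rec is None:
            continue
        key = (rec["SRC"], rec["DST"], rec["PROTO"], rec["IP_ID"],
               rec.get("ICMP_ID", ""), rec.get("SEQ", ""))
        hops[key].append((rec["prefix"], rec.get("IN", ""), rec.get("OUT", "")))
    return dict(hops)


def nat_skipped_on_egress(hops, egress="eth0"):
    """Packets forwarded out `egress` that never hit the nat POSTROUTING log rule on it.

    conntrack keys a connection by its address tuple, not by device, and the nat
    table is consulted only for the first packet of a connection. A packet that is
    first seen while being bridged (OUT=br_12) gets its NAT decision bound there;
    when the same packet comes back from the firewall guest and leaves via eth0
    (same IP ID, TTL decremented, new MAC), the -o eth0 SNAT rule is never consulted.
    """
    bad = []
    for key, path in hops.items():
        forwarded_out = any(p == "forward" and o == egress for p, _, o in path)
        natted_out = any(p == "postrout" and o == egress for p, _, o in path)
        if forwarded_out and not natted_out:
            bad.append(key)
    return bad


if __name__ == "__main__":
    hops = trace(LOG)
    for key, path in hops.items():
        print(key[0], "->", key[1], "ip_id", key[3], ":", " | ".join(f"{p} in={i} out={o}" for p, i, o in path))
    for key in nat_skipped_on_egress(hops):
        print("no nat POSTROUTING pass on eth0 for", key[0], "ip_id", key[3])
```

Run against the full log the same way: guest3's packet shows prerout, forward and postrout on eth0, while guest2's packet was already a known connection by the time it reached eth0.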

