Thanks for the reply, here are some more details:

simple NAT device which has eth0 on LAN 192.168.0.x
eth1 on WAN (dedicated ethernet link with static IP)

[root@natasha /]# iptables -V
iptables v1.2.9
[root@natasha /]# uname -a
Linux natasha.cybergeneration.com 2.4.20-16.9 #1 Thu May 22 18:22:56 EDT 2003 i686 i686 i386 GNU/Linux

I attached the output of iptables; y.y.y. is my WAN IP range and x.x.x. is a range outside. The problematic REJECT rule can be found in the FORWARD chain.

Maxime Ducharme
Programmer / Network Security Specialist

----- Original Message -----
From: "Jason Opperisano" <Jopperisano@xxxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, August 11, 2004 11:44 AM
Subject: RE: Question about REJECT in FORWARD rule

> What I'd like to do is something like:
> $IPTABLES -A FORWARD -i $LAN_IFACE -p tcp --dport 445 --dst sql.se.rv.er -j
> REJECT --reject-with tcp-reset
>
> My problem:
> The packet seems OK (iptables changes source IP and port) and is a
> TCP RST, but it is sent to the external interface, and my LAN
> hosts do not get the reply and must wait for a timeout to occur
> (since another firewall protects the SQL Server and drops TCP 445)
>
> Is there any way to force an interface for the REJECT rule?
>
> Is there any configuration that could cause this to happen?

There is something wrong with your configuration. Post the output of "iptables -vnL; iptables -vnL -t nat; iptables -vnL -t mangle" and clue us in as to which interface is inside, outside, dmz, etc...

-j
mangle table:

Chain PREROUTING (policy ACCEPT 1898 packets, 337K bytes)
 pkts bytes target     prot opt in     out     source               destination
   69  4892 TOS        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 TOS set 0x10
   63 74359 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 TOS set 0x08

Chain INPUT (policy ACCEPT 335 packets, 23221 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 1559 packets, 313K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 197 packets, 17553 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1741 packets, 328K bytes)
 pkts bytes target     prot opt in     out     source               destination
nat table:

Chain PREROUTING (policy ACCEPT 112 packets, 10305 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  1126 MASQUERADE all  --  *      eth1    192.168.0.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
filter table:

Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   268 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  134  8046 CHECK_BANNED_IPS_IN all  --  *      *       0.0.0.0/0            0.0.0.0/0
  134  8046 IN_FIREWALL all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::INPUT '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 1 packets, 58 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            sql.se.rv.er         tcp dpt:445 reject-with tcp-reset
  291  105K IN_NAT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
  232 23807 OUT_NAT    all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 10 packets, 2892 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   268 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   78  6361 OUT_FIREWALL all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::OUTPUT '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain BAD_IP (22 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::BAD_IP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain BAD_STATE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::BAD_STATE '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain BAD_TCP_FLAGS (11 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::BAD_TCP_FLAGS '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain BANNED_IP (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::BANNED_IP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain CHECK_BAD_IPS_IN (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 BAD_IP     all  --  *      *       0.0.0.0/8            0.0.0.0/0
    0     0 BAD_IP     all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 BAD_IP     all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 BAD_IP     all  --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 BAD_IP     all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 BAD_IP     all  --  *      *       192.0.0.0/24         0.0.0.0/0
    0     0 BAD_IP     all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 BAD_IP     all  --  *      *       240.0.0.0/5          0.0.0.0/0
    0     0 BAD_IP     all  --  *      *       255.255.255.255      0.0.0.0/0

Chain CHECK_BAD_IPS_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 BAD_IP     all  --  *      *       0.0.0.0/0            0.0.0.0/8
    0     0 BAD_IP     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 BAD_IP     all  --  *      *       0.0.0.0/0            127.0.0.0/8
    0     0 BAD_IP     all  --  *      *       0.0.0.0/0            169.254.0.0/16
    0     0 BAD_IP     all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 BAD_IP     all  --  *      *       0.0.0.0/0            192.0.0.0/24
    0     0 BAD_IP     all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 BAD_IP     all  --  *      *       0.0.0.0/0            240.0.0.0/5
    0     0 BAD_IP     all  --  *      *       0.0.0.0/0            255.255.255.255

Chain CHECK_BAD_STATE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 BAD_STATE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

Chain CHECK_BANNED_IPS_IN (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 BANNED_IP  all  --  *      *       1.1.1.1              0.0.0.0/0

Chain CHECK_BANNED_IPS_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 BANNED_IP  all  --  *      *       0.0.0.0/0            1.1.1.1

Chain CHECK_TCP_FLAGS (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x18/0x08
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x2B
    0     0 BAD_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37

Chain CHECK_TCP_SYN_FLOOD (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 10
    0     0 TCP_SYN_FLOOD all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_FIREWALL (1 references)
 pkts bytes target     prot opt in     out     source               destination
  134  8046 CHECK_BAD_STATE all  --  *      *       0.0.0.0/0            0.0.0.0/0
  134  8046 IN_IP_CHECK all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 IN_FIREWALL_ICMP icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  107  5699 CHECK_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:22 state NEW
  109  5947 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:135
   22  1716 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    1   229 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900
    2   154 DROP       udp  --  eth1   *       y.y.y.209            0.0.0.0/0            udp dpt:712
    0     0 DROP       udp  --  eth1   *       x.x.x.1              0.0.0.0/0            udp dpt:520
    0     0 DROP       udp  --  eth1   *       y.y.y.193            0.0.0.0/0            udp dpt:520
    0     0 DROP       2    --  eth0   *       192.168.0.200        224.0.0.1
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::IN_FIREWALL '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_FIREWALL_ICMP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.0/24       0.0.0.0/0            icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 12
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::IN_FIREWALL_ICMP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_IP_CHECK (1 references)
 pkts bytes target     prot opt in     out     source               destination
  134  8046 CHECK_BAD_IPS_IN all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 BAD_IP     all  --  eth0   *       192.168.0.1          0.0.0.0/0
    0     0 BAD_IP     all  --  eth0   *       y.y.y.195            0.0.0.0/0
    0     0 BAD_IP     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
    0     0 BAD_IP     all  --  eth1   *       y.y.y.195            0.0.0.0/0

Chain IN_NAT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  291  105K CHECK_BANNED_IPS_IN all  --  *      *       0.0.0.0/0            0.0.0.0/0
  291  105K CHECK_BAD_IPS_IN all  --  *      *       0.0.0.0/0            0.0.0.0/0
  272  102K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   19  2588 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::IN_NAT '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUT_FIREWALL (1 references)
 pkts bytes target     prot opt in     out     source               destination
   78  6361 OUT_IP_CHECK all  --  *      *       0.0.0.0/0            0.0.0.0/0
   76  6215 CHECK_TCP_FLAGS tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
   78  6361 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.3          udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.5          udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            x.x.x.33             tcp dpt:3306
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            x.x.x.33             tcp dpt:21
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::OUT_FIREWALL '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUT_IP_CHECK (1 references)
 pkts bytes target     prot opt in     out     source               destination
   78  6361 CHECK_BAD_IPS_OUT all  --  *      *       0.0.0.0/0            0.0.0.0/0
   76  5922 RETURN     all  --  *      eth0    192.168.0.1          0.0.0.0/0
    2   439 RETURN     all  --  *      eth1    y.y.y.195            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::OUT_IP_CHECK '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUT_NAT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  232 23807 CHECK_BANNED_IPS_OUT all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
   14  1052 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
  199 21475 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   16  1124 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23456 LOG flags 0 level 7 prefix `firewall::OUT_NAT '
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::OUT_NAT '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain TCP_SYN_FLOOD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix `firewall::TCP_SYN_FLOOD '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
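One thing worth checking when a REJECT rule misbehaves is whether the rule that is actually loaded matches the one that was intended: the quoted rule carries -i $LAN_IFACE, while the FORWARD chain in the dump above shows the REJECT rule with `*` in both the in and out columns. The following is an added example, not code from the thread or from the netfilter project: a small Python parser for `iptables -vnL` output that lists rules in a chain which match on no interface at all, and renders a parsed rule back as an iptables command so the loaded and intended forms can be compared side by side. The sample input is constructed to mirror the INPUT and FORWARD chains posted above; the Rule class, the function names and the choice of eth0 as the LAN interface (following the poster's description) are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `iptables -vnL` output. The rows mirror the INPUT and
# FORWARD chains of the filter-table dump posted in the thread (same counters,
# targets and placeholder host name); embedded here so the parser runs offline.
SAMPLE_VNL = """\
Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   268 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  134  8046 IN_FIREWALL all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 1 packets, 58 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            sql.se.rv.er         tcp dpt:445 reject-with tcp-reset
  291  105K IN_NAT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
  232 23807 OUT_NAT    all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    chain: str
    pkts: str
    nbytes: str
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match/target options printed after the destination column


CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)\s*$")


def parse_iptables_vnl(text):
    """Parse `iptables -vnL` output into {chain name: [Rule, ...]}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        # The first nine columns are fixed; everything after is free-form extras.
        parts = line.split(None, 9)
        # Skip blank lines and the per-chain column header.
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue
        pkts, nbytes, target, prot, _opt, in_if, out_if, src, dst = parts[:9]
        extra = parts[9].strip() if len(parts) > 9 else ""
        chains[current].append(
            Rule(current, pkts, nbytes, target, prot, in_if, out_if, src, dst, extra))
    return chains


def unscoped_rules(chains, chain="FORWARD", targets=("REJECT",)):
    """Rules in `chain` with one of `targets` that match neither an input nor
    an output interface ('*' in both columns), i.e. rules that fire for
    traffic from any side of the box rather than only from the LAN."""
    return [r for r in chains.get(chain, [])
            if r.target in targets and r.in_if == "*" and r.out_if == "*"]


def as_iptables_command(rule, in_if=None):
    """Render a parsed rule back as an iptables command, optionally adding the
    -i interface match the poster said the rule should have been loaded with."""
    argv = ["iptables", "-A", rule.chain]
    if in_if:
        argv += ["-i", in_if]
    if rule.prot != "all":
        argv += ["-p", rule.prot]
    m = re.search(r"\bdpt:(\d+)", rule.extra)
    if m:
        argv += ["--dport", m.group(1)]
    if rule.src != "0.0.0.0/0":
        argv += ["-s", rule.src]
    if rule.dst != "0.0.0.0/0":
        argv += ["-d", rule.dst]
    argv += ["-j", rule.target]
    m = re.search(r"\breject-with (\S+)", rule.extra)
    if m:
        argv += ["--reject-with", m.group(1)]
    return " ".join(argv)


if __name__ == "__main__":
    chains = parse_iptables_vnl(SAMPLE_VNL)
    for r in unscoped_rules(chains):
        print("loaded:  ", as_iptables_command(r))
        print("intended:", as_iptables_command(r, in_if="eth0"))
```

Run against a live box, feed `iptables -vnL` output into `parse_iptables_vnl` and look for REJECT or DROP rules that `unscoped_rules` reports in FORWARD; on a two-interface NAT device those are the rules that will also act on traffic arriving from the WAN side, which is usually not what a rule written for LAN clients intended.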