Re: iptables forwarding packets on the same interface

Hi,

Thanks for the quick response:

On Thu, Nov 18, 2010 at 15:56, Marek Kierdelewicz <marek@xxxxxxxxx> wrote:
>> If so, can anyone tell me
>> which iptables/routing rule(s) I need to add to forward between
>> different network IPs on the same physical interface.
>
> Please send output of iptables-save and ip ro sh from both routers.

192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
192.168.10.0/24 via 192.168.1.2 dev eth1
169.254.0.0/16 dev eth1  scope link  metric 1002
169.254.0.0/16 dev eth0  scope link  metric 1003
18.40.0.0/16 dev eth0  proto kernel  scope link  src 18.40.XXX.XXX
default via 18.40.0.1 dev eth0

iptables-save output is attached. The other router (192.168.1.2) is a
SonicWall device, which has IPs on both 10 and 1 networks.

Thanks for your help,

Dan
# Generated by iptables-save v1.4.5 on Thu Nov 18 16:29:21 2010
*nat
:PREROUTING ACCEPT [74020938:6740837900]
:POSTROUTING ACCEPT [2302916:158681492]
:OUTPUT ACCEPT [133475:10757082]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 18.40.XXX.XXX 
COMMIT
# Completed on Thu Nov 18 16:29:21 2010
# Generated by iptables-save v1.4.5 on Thu Nov 18 16:29:21 2010
*filter
:INPUT DROP [1:337]
:FORWARD DROP [3:564]
:OUTPUT DROP [6:1464]
:LOG_CHAIN - [0:0]
:SSH_CHECK - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -s 192.168.1.0/24 -i eth0 -j DROP 
-A INPUT -s 18.40.0.0/16 -i eth1 -j DROP 
-A INPUT -s 192.168.10.0/24 -i eth1 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j SSH_CHECK 
-A INPUT -s 192.168.1.0/24 -d 192.168.1.1/32 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -d 18.40.XXX.XXX/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -d 192.168.1.1/32 -i eth1 -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -d 192.168.1.1/32 -i eth1 -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -d 192.168.1.1/32 -i eth1 -p tcp -m state --state NEW -m tcp --dport 4949 -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -d 192.168.1.1/32 -i eth1 -p udp -m udp --sport 123 -m multiport --dports 123 -m state --state NEW -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -d 192.168.1.1/32 -i eth1 -p udp -m udp --sport 1024:65535 -m multiport --dports 123 -m state --state NEW -j ACCEPT 
-A INPUT -i eth0 -p tcp -m multiport --dports 67,135,137,138,139,445,631,5353 -j DROP 
-A INPUT -i eth0 -p udp -m multiport --dports 67,135,137,138,139,445,631,5353 -j DROP 
-A INPUT -i eth0 -p tcp -m multiport --dports 68 -j DROP 
-A INPUT -i eth0 -p udp -m multiport --dports 68 -j DROP 
-A INPUT -i eth0 -p tcp -m multiport --dports 123 -j DROP 
-A INPUT -i eth0 -p udp -m multiport --dports 123 -j DROP 
-A INPUT -i eth0 -p tcp -m multiport --dports 1947,2223 -j DROP 
-A INPUT -i eth0 -p udp -m multiport --dports 1947,2223 -j DROP 
-A INPUT -d 192.168.1.0/24 -i eth1 -p tcp -m multiport --dports 67,135,137,138,139,445,631,5353 -j DROP 
-A INPUT -d 192.168.1.0/24 -i eth1 -p udp -m multiport --dports 67,135,137,138,139,445,631,5353 -j DROP 
-A INPUT -j LOG_CHAIN 
-A FORWARD -d 192.168.1.0/24 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -i eth1 -o eth1 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.10.0/24 -d 192.168.1.0/24 -i eth1 -o eth1 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p udp -m udp --sport 123 -m multiport --dports 123 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p icmp -m icmp --icmp-type any -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 80,443,8080,8181,4848,4849 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 888 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 25,465 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 22 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 143,993,110,995 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 53 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 20,21,115,990,873 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 88,464,749,751,389,636 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 5222,5223 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 1863 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 5190 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 6881:6999 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 444,41443 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 446,447,9443 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 9418 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 1494 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 6666,6667 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 10000 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 1688 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 43 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 1500 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 3306 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p udp -m udp --sport 1024:65535 -m multiport --dports 123 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p udp -m udp --sport 1024:65535 -m multiport --dports 5222,5223 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p udp -m udp --sport 1024:65535 -m multiport --dports 1863 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p udp -m udp --sport 1024:65535 -m multiport --dports 53 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p udp -m udp --sport 1024:65535 -m multiport --dports 6881:6999 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p udp -m udp --sport 1024:65535 -m multiport --dports 444,41443 -m state --state NEW -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p udp -m udp --sport 1024:65535 -m multiport --dports 1494 -m state --state NEW -j ACCEPT 
-A FORWARD -j LOG_CHAIN 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -d 192.168.10.0/24 -o eth1 -j ACCEPT 
-A OUTPUT -j LOG_CHAIN 
-A LOG_CHAIN -m limit --limit 20/min -j LOG --log-prefix "[FIREWALL_LOG_CHAIN] " --log-level 6 
-A LOG_CHAIN -j DROP 
-A SSH_CHECK -m recent --set --name SSH --rsource 
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "[FIREWALL_SSH_BRUTE] " --log-level 6 
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH --rsource -j DROP 
COMMIT
# Completed on Thu Nov 18 16:29:21 2010
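As an added illustration (not part of the thread, and not Dan's or Marek's code), the evaluator below walks a packet through the hairpin-relevant subset of the FORWARD chain quoted above, in iptables order, and reports which rule fires. It shows the property a reviewer of this ruleset would check first: the two eth1-to-eth1 rules accept only NEW, and anything in another conntrack state on that path falls through to LOG_CHAIN, whose last rule is DROP. The port-specific rules are omitted as they cannot match eth1-to-eth1 traffic; what conntrack state a hairpin flow actually has when the SonicWall answers on the same segment is a separate question this static check does not settle.

```python
import ipaddress

# Constructed subset of the posted FORWARD chain (rules copied verbatim from
# the iptables-save dump above; the "-o eth0" per-port rules are left out).
FORWARD = [
    "-A FORWARD -d 192.168.1.0/24 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -i eth1 -o eth1 -m state --state NEW -j ACCEPT",
    "-A FORWARD -s 192.168.10.0/24 -d 192.168.1.0/24 -i eth1 -o eth1 -m state --state NEW -j ACCEPT",
    "-A FORWARD -j LOG_CHAIN",
]

STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")


def parse_rule(line):
    """Reduce one iptables-save rule to the matches this evaluator understands."""
    tok = line.split()
    rule = {"target": None}
    i = 0
    while i < len(tok):
        t = tok[i]
        if t == "-s":
            rule["src"] = ipaddress.ip_network(tok[i + 1])
        elif t == "-d":
            rule["dst"] = ipaddress.ip_network(tok[i + 1])
        elif t in ("-i", "-o"):
            rule["iif" if t == "-i" else "oif"] = tok[i + 1]
        elif t == "--state":
            rule["state"] = set(tok[i + 1].split(","))
        elif t == "-j":
            rule["target"] = tok[i + 1]
        i += 2 if t in ("-s", "-d", "-i", "-o", "--state", "-j") else 1
    return rule


def matches(rule, pkt):
    """True when every match the rule specifies holds for the packet."""
    return (("src" not in rule or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and ("dst" not in rule or ipaddress.ip_address(pkt["dst"]) in rule["dst"])
            and ("iif" not in rule or rule["iif"] == pkt["iif"])
            and ("oif" not in rule or rule["oif"] == pkt["oif"])
            and ("state" not in rule or pkt["state"] in rule["state"]))


def verdict(chain, pkt):
    """Target of the first matching rule, or the chain policy if none matches."""
    for rule in map(parse_rule, chain):
        if matches(rule, pkt):
            return rule["target"]
    return "POLICY"


def states_reaching_log_chain(chain, src, dst, iif, oif):
    """Conntrack states for which a src->dst packet on iif/oif ends in LOG_CHAIN."""
    return {s for s in STATES
            if verdict(chain, dict(src=src, dst=dst, iif=iif, oif=oif, state=s)) == "LOG_CHAIN"}
```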
