--- On Wed, 12/1/10, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote: > From: Jan Engelhardt <jengelh@xxxxxxxxxx> > Subject: Re: Forward ssh to an internal server not working > To: "Landy Landy" <landysaccount@xxxxxxxxx> > Cc: netfilter@xxxxxxxxxxxxxxx > Date: Wednesday, December 1, 2010, 10:29 PM > On Thursday 2010-12-02 04:27, Landy > Landy wrote: > > > > >--- On Wed, 12/1/10, Jan Engelhardt <jengelh@xxxxxxxxxx> > wrote: > >>> > >>>Can someone please tell me why I cannot access > a > >>>machine inside my LAN from outside? These are > my rules to > >>>try to accomplish that task: > >> > > >> >$iptables -t nat -A PREROUTING -i $EXT_IFACE > -p tcp \ > >> > -s $UNIVERSE --sport > >> $UNPRIVPORTS -d $EXT_IP --dport 22 \ > >> > -j DNAT --to-destination > >> 172.16.0.200:22 > > These may not be all rules. Post complete rulesets as > output by > `iptables-save` and also `ip addr` and `ip route show table > all`. > Ok. IC_Server:/etc/msd# ip route show table all 190.8.46.40/29 dev eth1 proto kernel scope link src 190.8.46.42 172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.0.1 default via 190.8.46.41 dev eth1 broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 local 172.16.0.1 dev eth0 table local proto kernel scope host src 172.16.0.1 broadcast 172.16.0.0 dev eth0 table local proto kernel scope link src 172.16.0.1 broadcast 190.8.46.47 dev eth1 table local proto kernel scope link src 190.8.46.42 broadcast 172.16.255.255 dev eth0 table local proto kernel scope link src 172.16.0.1 local 190.8.46.42 dev eth1 table local proto kernel scope host src 190.8.46.42 broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 broadcast 190.8.46.40 dev eth1 table local proto kernel scope link src 190.8.46.42 local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 fe80::/64 
dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 default via fe80::c171:bc1:2a0b:66b9 dev eth0 proto kernel metric 1024 expires 0sec mtu 1500 advmss 1440 hoplimit 4294967295 unreachable default dev lo table unspec proto none metric -1 error -101 hoplimit 255 local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295 local fe80::209:6bff:fe8c:bfdc via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295 local fe80::209:6bff:fe8c:bfdd via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295 ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 ff00::/8 dev eth1 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 unreachable default dev lo table unspec proto none metric -1 error -101 hoplimit 255 IC_Server:/etc/msd# iptables-save # Generated by iptables-save v1.4.2 on Wed Dec 1 23:38:03 2010 *nat :PREROUTING ACCEPT [131:9526] :POSTROUTING ACCEPT [220:12521] :OUTPUT ACCEPT [1884:120545] -A PREROUTING -s 172.16.0.0/16 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -j REDIRECT --to-ports 3128 -A PREROUTING -s 172.16.0.0/16 -d 172.16.0.1/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 8080 -j REDIRECT --to-ports 80 -A PREROUTING -d 190.8.46.42/32 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 8080 -j REDIRECT --to-ports 80 -A PREROUTING -d 190.8.46.42/32 -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 172.16.0.200:22 -A PREROUTING -d 190.8.46.42/32 -i eth1 -p tcp -m tcp --sport 1:65535 --dport 22 -j DNAT --to-destination 172.16.0.200:22 -A PREROUTING -d 190.8.46.42/32 -i eth1 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.16.0.3:3306 -A POSTROUTING -o eth1 -j MASQUERADE COMMIT # Completed on Wed Dec 1 23:38:03 2010 # Generated by iptables-save v1.4.2 on Wed Dec 1 23:38:03 2010 *mangle :PREROUTING ACCEPT [80016:83194298] :INPUT ACCEPT [79872:83178328] :FORWARD ACCEPT [144:15970] :OUTPUT 
ACCEPT [53820:39324110] :POSTROUTING ACCEPT [53950:39337140] -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10/0x3f -A PREROUTING -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10/0x3f -A PREROUTING -p tcp -m tcp --sport 2222 -j TOS --set-tos 0x10/0x3f -A PREROUTING -p tcp -m tcp --dport 2222 -j TOS --set-tos 0x10/0x3f -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos 0x10/0x3f -A PREROUTING -p udp -m udp --dport 53 -j TOS --set-tos 0x10/0x3f -A PREROUTING -p icmp -j TOS --set-tos 0x10/0x3f -A PREROUTING -p icmp -j TOS --set-tos 0x10/0x3f COMMIT # Completed on Wed Dec 1 23:38:03 2010 # Generated by iptables-save v1.4.2 on Wed Dec 1 23:38:03 2010 *filter :INPUT DROP [75:89901] :FORWARD DROP [1:48] :OUTPUT ACCEPT [937:67328] :ip_check - [0:0] :p2p_check - [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A INPUT -s 172.16.0.0/16 -d 172.16.0.1/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128 -m state --state NEW -j ACCEPT -A INPUT -s 172.16.0.1/32 -j DROP -A INPUT -s 190.8.46.42/32 -j DROP -A INPUT -d 224.0.0.0/4 -p ! 
udp -j DROP -A INPUT -p icmp -j ACCEPT -A INPUT -p icmp -f -j LOG --log-prefix "Fragmented INPUTing ICMP: " -A INPUT -p icmp -f -j ACCEPT -A INPUT -d 190.8.46.42/32 -p icmp -m icmp --icmp-type 4 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT -A INPUT -s 172.16.0.0/16 -d 172.16.0.1/32 -i eth0 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT -A INPUT -s 172.16.0.0/16 -d 172.16.0.1/32 -i eth0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT -A INPUT -s 172.16.0.0/16 -d 172.16.0.1/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT -A INPUT -i eth1 -p udp -m state --state NEW -j ACCEPT -A INPUT -i eth1 -p tcp -m state --state NEW -j ACCEPT -A INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT -A INPUT -s 0.0.0.0/32 -d 172.16.0.1/32 -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT -A INPUT -s 172.16.0.0/16 -d 172.16.0.1/32 -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT -A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -j ACCEPT -A INPUT -s 172.16.0.0/16 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT -A INPUT -s 172.16.0.0/16 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3306 -m state --state NEW -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 3306 -m state --state NEW -j ACCEPT -A INPUT -s 190.8.46.42/32 -p udp -m udp --sport 3279:65535 --dport 33434:33523 -j ACCEPT -A INPUT -i eth0 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -j ip_check -A FORWARD -j p2p_check -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A FORWARD -p tcp -m tcp --tcp-flags 
SYN,RST SYN,RST -j DROP -A FORWARD -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP -A FORWARD -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP -A FORWARD -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP -A FORWARD -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m state --state INVALID -j DROP -A FORWARD -d 172.16.0.200/32 -i eth1 -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.200/32 -i eth0 -o eth1 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 172.16.0.1/32 -j DROP -A FORWARD -s 190.8.46.42/32 -j DROP -A FORWARD -s ! 172.16.0.0/16 -i eth0 -j DROP -A FORWARD -s ! 172.16.0.1/32 -o eth0 -j DROP -A FORWARD -d 255.255.255.255/32 -j DROP -A FORWARD -d 224.0.0.0/4 -p ! udp -j DROP -A FORWARD -p icmp -f -j LOG --log-prefix "Fragmented FORWARDED ICMP: " -A FORWARD -p icmp -f -j ACCEPT -A FORWARD -p icmp -m icmp --icmp-type 4 -j ACCEPT -A FORWARD -p icmp -m icmp --icmp-type 12 -j ACCEPT -A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT -A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT -A FORWARD -o eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT -A FORWARD -d 172.16.0.0/16 -o eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT -A FORWARD -s 172.16.0.0/16 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT -A FORWARD -d 172.16.0.200/32 -i eth1 -o eth0 -p tcp -m tcp --sport 1:65535 --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -j ACCEPT -A FORWARD -i eth1 
-o eth0 -p tcp -m tcp --dport 8444 -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 8080 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 81 -m state --state NEW -j ACCEPT -A FORWARD -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 8080 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW -j ACCEPT -A FORWARD -d 172.16.0.3/32 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 3306 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 1863 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 6891 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 6891 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 6900 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 6900 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 23399 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p udp -m udp --sport 3279:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 
-o eth1 -p tcp -m tcp --sport 1024:65535 --dport 5050:5100 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 11999 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 51127 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 8636 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 6112 -m state --state NEW -j ACCEPT -A FORWARD -s 172.16.0.0/16 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 8090 -m state --state NEW -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state INVALID -j DROP -A OUTPUT -s 172.16.0.1/32 -o eth0 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -s ! 
172.16.0.1/32 -o eth0 -j DROP -A OUTPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -o eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT -A OUTPUT -p icmp -f -j LOG --log-prefix "Fragmented OUTPUTing ICMP: " -A OUTPUT -p icmp -f -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT -A OUTPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -o eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT -A OUTPUT -s 172.16.0.1/32 -d 255.255.255.255/32 -o eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT -A OUTPUT -s 172.16.0.1/32 -d 172.16.0.0/16 -o eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT -A OUTPUT -s 172.16.0.1/32 -d 172.16.0.0/16 -o eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT -A OUTPUT -s 172.16.0.1/32 -d 172.16.0.200/32 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -s 190.8.46.42/32 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT -A OUTPUT -s 190.8.46.42/32 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW -j ACCEPT -A OUTPUT -s 190.8.46.42/32 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT -A OUTPUT -s 190.8.46.42/32 -o eth1 -p udp -m udp --sport 3279:65535 --dport 33434:33523 -j ACCEPT -A OUTPUT -s 190.8.46.42/32 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 8090 -m state --state NEW -j ACCEPT -A ip_check -s 172.16.100.1/32 -j RETURN -A ip_check -s 172.16.100.10/32 -j RETURN -A ip_check -s 172.16.100.11/32 -j RETURN -A ip_check -s 172.16.100.12/32 -j RETURN -A ip_check -s 172.16.100.13/32 -j RETURN -A ip_check -s 172.16.100.14/32 -j RETURN -A ip_check -s 172.16.100.2/32 -j RETURN -A ip_check -s 172.16.100.3/32 -j RETURN -A ip_check -s 
172.16.100.5/32 -j RETURN -A ip_check -s 172.16.100.7/32 -j RETURN -A ip_check -s 172.16.100.8/32 -j RETURN -A ip_check -s 172.16.100.9/32 -j RETURN -A ip_check -s 172.16.200.200/32 -j RETURN -A ip_check -s 172.16.0.200/32 -j RETURN -A ip_check -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT -A ip_check -s 172.16.0.0/16 -i eth0 -j REJECT --reject-with icmp-net-prohibited -A p2p_check -s 172.16.100.1/32 -j ACCEPT -A p2p_check -d 172.16.100.1/32 -j ACCEPT -A p2p_check -s 172.16.100.2/32 -j ACCEPT -A p2p_check -d 172.16.100.2/32 -j ACCEPT -A p2p_check -s 172.16.100.5/32 -j ACCEPT -A p2p_check -d 172.16.100.5/32 -j ACCEPT -A p2p_check -j RETURN COMMIT # Completed on Wed Dec 1 23:38:03 2010 IC_Server:/etc/msd# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:09:6b:8c:bf:dc brd ff:ff:ff:ff:ff:ff inet 172.16.0.1/16 brd 172.16.255.255 scope global eth0 inet6 fe80::209:6bff:fe8c:bfdc/64 scope link valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:09:6b:8c:bf:dd brd ff:ff:ff:ff:ff:ff inet 190.8.46.42/29 brd 190.8.46.47 scope global eth1 inet6 fe80::209:6bff:fe8c:bfdd/64 scope link valid_lft forever preferred_lft forever