Re: iptables - external IP address on internal interface?

On Thu, 2011-04-14 at 21:24 +0100, Andrew Beverley wrote:
> > Ok, trying with Thunderbird this time... (and it too seems to be 
> > wrapping the text) <sigh>
> > 
> 
> Not sure about Thunderbird, but Evolution has a "preformat" option that
> doesn't wrap the text.
> 
> Anyway, back to the original subject, can you post the output from
> "iptables-save" instead, as this has additional detail such as the
> interfaces in the rules.
> 
> As a thought before you do so, if you're doing NAT in the normal way to
> share an internet connection, then what you are seeing is to be
> expected. You would normally SNAT on the internet-facing interface, not
> on the LAN-facing interface, meaning that traffic on the LAN interface
> will be going from/to public IP addresses.
> 
> Andy


Output of "iptables-save" below.

*however*

I *think* I may have solved it - I will know when I see the logs tomorrow morning.

I changed my MASQ entry from MASQUERADE any to only MASQ my internal IP. (see last but two lines)

Also - unless I misunderstand the rules - my SNAT is applied to the external interface?



# Generated by iptables-save v1.3.5 on Fri Apr 15 14:07:02 2011
*filter
:INPUT DROP [664:37461]
:FORWARD DROP [334:41022]
:OUTPUT ACCEPT [17005:1927625]
:BADTCP - [0:0]
:LOG_DROP - [0:0]
:LOG_REJECT - [0:0]
:NEWNOTSYN - [0:0]
:PORTFWACCESS - [0:0]
:PSCAN - [0:0]
:XTACCESS - [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 1026:1028 -j DROP 
-A INPUT -i eth1 -p udp -m udp --dport 1026:1028 -j DROP 
-A INPUT -i eth1 -p udp -m udp --dport 67 -j DROP 
-A INPUT -i eth1 -p udp -m udp --dport 68 -j DROP 
-A INPUT -j BADTCP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -m state --state NEW -j ACCEPT 
-A INPUT -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP 
-A INPUT -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP 
-A INPUT -i eth0 -p ! icmp -m state --state NEW -j ACCEPT 
-A INPUT -m state --state NEW -j XTACCESS 
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 5 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT 
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "INPUT " 
-A INPUT -d 224.0.0.0/240.0.0.0 -i eth1 -p udp -j ACCEPT 
-A INPUT -d 224.0.0.0/240.0.0.0 -i eth1 -p igmp -j ACCEPT 
-A INPUT -d 224.0.0.0/240.0.0.0 -i eth1 -j DROP 
-A INPUT -s 224.0.0.0/240.0.0.0 -i eth1 -j DROP 
-A INPUT -s 240.0.0.0/240.0.0.0 -i eth1 -j DROP 
-A FORWARD -j BADTCP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i lo -m state --state NEW -j ACCEPT 
-A FORWARD -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP 
-A FORWARD -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP 
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT 
-A FORWARD -m state --state NEW -j PORTFWACCESS 
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "OUTPUT " 
-A FORWARD -s $ACCESS_IP1 -d 192.168.0.2 -i eth1 -p udp -m udp --dport 5060 -j ACCEPT 
-A FORWARD -s $ACCESS_IP1 -d 192.168.0.2 -i eth1 -p udp -m udp --dport 1024:65535 -j ACCEPT 
-A FORWARD -s $ACCESS_NET1/255.255.255.240 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A FORWARD -s $ACCESS_IP2 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A FORWARD -s $ACCESS_IP3 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A FORWARD -s $ACCESS_IP2 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT 
-A FORWARD -s $ACCESS_NET1/255.255.255.240 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT 
-A FORWARD -s $ACCESS_IP3 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT 
-A FORWARD -s $ACCESS_IP3 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 20 -j ACCEPT 
-A FORWARD -s $ACCESS_IP3 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT 
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j PSCAN 
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j PSCAN 
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j PSCAN 
-A BADTCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j PSCAN 
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j PSCAN 
-A BADTCP -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NEWNOTSYN 
-A LOG_DROP -m limit --limit 10/min -j LOG 
-A LOG_DROP -j DROP 
-A LOG_REJECT -m limit --limit 10/min -j LOG 
-A LOG_REJECT -j REJECT --reject-with icmp-port-unreachable 
-A NEWNOTSYN -m limit --limit 10/min -j LOG --log-prefix "NEW not SYN? " 
-A NEWNOTSYN -j DROP 
-A PSCAN -p tcp -m limit --limit 10/min -j LOG --log-prefix "TCP Scan? " 
-A PSCAN -p udp -m limit --limit 10/min -j LOG --log-prefix "UDP Scan? " 
-A PSCAN -p icmp -m limit --limit 10/min -j LOG --log-prefix "ICMP Scan? " 
-A PSCAN -f -m limit --limit 10/min -j LOG --log-prefix "FRAG Scan? " 
-A PSCAN -j DROP 
-A XTACCESS -d $EXT_IP -i eth1 -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT 
-A XTACCESS -d $EXT_IP -i eth1 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT 
-A XTACCESS -d $EXT_IP -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT 
-A XTACCESS -s $ACCESS_IP4 -d $EXT_IP -i eth1 -p tcp -m tcp --dport 5000 -m state --state NEW -j ACCEPT 
-A XTACCESS -s $ACCESS_IP1 -d 192.168.0.2 -i eth1 -p udp -m udp --dport 1024:65535 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP1 -d 192.168.0.2 -i eth1 -p udp -m udp --dport 5060 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP2 -d 192.168.0.2 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP3 -d 192.168.0.2 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP2 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 223 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP5 -d 192.168.0.2 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP5 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 81 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP5 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 223 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP6 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP2 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP5 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP5 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP2 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP5 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT 
-A XTACCESS -s $ACCESS_IP2 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT 
COMMIT
# Completed on Fri Apr 15 14:07:02 2011
# Generated by iptables-save v1.3.5 on Fri Apr 15 14:07:02 2011
*mangle
:PREROUTING ACCEPT [956876:478976939]
:INPUT ACCEPT [18575:3467763]
:FORWARD ACCEPT [938301:475509176]
:OUTPUT ACCEPT [17013:1928657]
:POSTROUTING ACCEPT [954894:477352925]
:PORTFWMANGLE - [0:0]
-A PREROUTING -j PORTFWMANGLE 
-A PREROUTING -d 224.0.0.1 -j DROP 
COMMIT
# Completed on Fri Apr 15 14:07:02 2011
# Generated by iptables-save v1.3.5 on Fri Apr 15 14:07:02 2011
*nat
:PREROUTING ACCEPT [18632:1718874]
:POSTROUTING ACCEPT [6861:531454]
:OUTPUT ACCEPT [6856:531214]
-A PREROUTING -d $EXT_IP -i eth1 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.0.2:5060 
-A PREROUTING -d $EXT_IP -i eth1 -p udp -m udp --dport 1024:65535 -j DNAT --to-destination 192.168.0.2:1024-65535 
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80 
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.2:22 
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.0.2:20 
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.2:21 
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -m mark --mark 0x1 -j SNAT --to-source 192.168.0.1 
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE 
COMMIT
# Completed on Fri Apr 15 14:07:02 2011
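As an added check that is not part of this thread or the poster's own setup, the script below parses the nat table from the dump above and reports, for each SNAT/MASQUERADE rule in POSTROUTING, whether it is scoped to a source network and to the internet-facing interface. It assumes eth1 is the WAN interface (the DNAT and MASQUERADE rules in the dump use it) and uses a constructed stand-in for the earlier unrestricted MASQUERADE rule, which the thread does not show.

```python
import re

# Constructed sample: the nat table from the iptables-save output in this
# thread ($EXT_IP is the poster's own redaction).
NAT_RULES = """\
*nat
:POSTROUTING ACCEPT [6861:531454]
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -m mark --mark 0x1 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
COMMIT
"""
# Constructed stand-in for the "MASQUERADE any" rule the poster replaced (not shown in the thread).
UNRESTRICTED_RULE = "-A POSTROUTING -j MASQUERADE\n"
# Assumption: eth1 is the internet-facing interface (the DNAT and MASQUERADE rules use it).
WAN_IF = "eth1"

def parse_rules(text):
    """Yield (chain, options) for every '-A' line of an iptables-save table."""
    for line in text.splitlines():
        m = re.match(r"-A (\S+) (.*)", line.strip())
        if m:
            yield m.group(1), m.group(2)

def opt(options, flag):
    """Return the value of a single-argument option such as -s, -o or -j."""
    m = re.search(r"(?:^|\s)%s (\S+)" % re.escape(flag), options)
    return m.group(1) if m else None

def audit_source_nat(text, wan_if=WAN_IF):
    """Classify each SNAT/MASQUERADE rule in POSTROUTING by its scope: without
    -o it fires on every egress interface, the LAN-facing one included."""
    findings = []
    for chain, options in parse_rules(text):
        target = opt(options, "-j")
        if chain != "POSTROUTING" or target not in ("SNAT", "MASQUERADE"):
            continue
        src, out_if, issues = opt(options, "-s"), opt(options, "-o"), []
        if src is None:
            issues.append("no -s: rewrites traffic from any source")
        if out_if is None:
            issues.append("no -o: applies on every egress interface")
        elif out_if != wan_if:
            issues.append("-o %s is not the WAN interface" % out_if)
        findings.append({"target": target, "src": src, "out": out_if, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_source_nat(NAT_RULES + UNRESTRICTED_RULE):
        print(f["target"], f["src"], f["out"], f["issues"] or "ok")
```

Feed it `iptables-save -t nat` output from a live box to get the same classification for the current rules.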

