On Thu, 2011-04-14 at 21:24 +0100, Andrew Beverley wrote:
> > Ok, trying with Thunderbird this time... (and it too seems to be
> > wrapping the text) <sigh>
> >
> Not sure about Thunderbird, but Evolution has a "preformat" option that
> doesn't wrap the text.
>
> Anyway, back to the original subject, can you post the output from
> "iptables-save" instead, as this has additional detail such as the
> interfaces in the rules.
>
> As a thought before you do so, if you're doing NAT in the normal way to
> share an internet connection, then what you are seeing is to be
> expected. You would normally SNAT on the internet-facing interface, not
> on the LAN-facing interface, meaning that traffic on the LAN interface
> will be going from/to public IP addresses.
>
> Andy

Output of "iptables-save" below. *However*, I *think* I may have solved it; I will know when I see the logs tomorrow morning. I changed my MASQ entry from MASQUERADE any to only MASQ my internal IP (see last but two lines).

Also, unless I misunderstand the rules, my SNAT is applied to the external interface?

# Generated by iptables-save v1.3.5 on Fri Apr 15 14:07:02 2011
*filter
:INPUT DROP [664:37461]
:FORWARD DROP [334:41022]
:OUTPUT ACCEPT [17005:1927625]
:BADTCP - [0:0]
:LOG_DROP - [0:0]
:LOG_REJECT - [0:0]
:NEWNOTSYN - [0:0]
:PORTFWACCESS - [0:0]
:PSCAN - [0:0]
:XTACCESS - [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 1026:1028 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 1026:1028 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 67 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 68 -j DROP
-A INPUT -j BADTCP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP
-A INPUT -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP
-A INPUT -i eth0 -p ! icmp -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j XTACCESS
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 5 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "INPUT "
-A INPUT -d 224.0.0.0/240.0.0.0 -i eth1 -p udp -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -i eth1 -p igmp -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -i eth1 -j DROP
-A INPUT -s 224.0.0.0/240.0.0.0 -i eth1 -j DROP
-A INPUT -s 240.0.0.0/240.0.0.0 -i eth1 -j DROP
-A FORWARD -j BADTCP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -m state --state NEW -j ACCEPT
-A FORWARD -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP
-A FORWARD -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state NEW -j PORTFWACCESS
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "OUTPUT "
-A FORWARD -s $ACCESS_IP1 -d 192.168.0.2 -i eth1 -p udp -m udp --dport 5060 -j ACCEPT
-A FORWARD -s $ACCESS_IP1 -d 192.168.0.2 -i eth1 -p udp -m udp --dport 1024:65535 -j ACCEPT
-A FORWARD -s $ACCESS_NET1/255.255.255.240 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s $ACCESS_IP2 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s $ACCESS_IP3 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s $ACCESS_IP2 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s $ACCESS_NET1/255.255.255.240 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s $ACCESS_IP3 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s $ACCESS_IP3 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -s $ACCESS_IP3 -d 192.168.0.2 -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j PSCAN
-A BADTCP -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NEWNOTSYN
-A LOG_DROP -m limit --limit 10/min -j LOG
-A LOG_DROP -j DROP
-A LOG_REJECT -m limit --limit 10/min -j LOG
-A LOG_REJECT -j REJECT --reject-with icmp-port-unreachable
-A NEWNOTSYN -m limit --limit 10/min -j LOG --log-prefix "NEW not SYN? "
-A NEWNOTSYN -j DROP
-A PSCAN -p tcp -m limit --limit 10/min -j LOG --log-prefix "TCP Scan? "
-A PSCAN -p udp -m limit --limit 10/min -j LOG --log-prefix "UDP Scan? "
-A PSCAN -p icmp -m limit --limit 10/min -j LOG --log-prefix "ICMP Scan? "
-A PSCAN -f -m limit --limit 10/min -j LOG --log-prefix "FRAG Scan? "
-A PSCAN -j DROP
-A XTACCESS -d $EXT_IP -i eth1 -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
-A XTACCESS -d $EXT_IP -i eth1 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A XTACCESS -d $EXT_IP -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A XTACCESS -s $ACCESS_IP4 -d $EXT_IP -i eth1 -p tcp -m tcp --dport 5000 -m state --state NEW -j ACCEPT
-A XTACCESS -s $ACCESS_IP1 -d 192.168.0.2 -i eth1 -p udp -m udp --dport 1024:65535 -j ACCEPT
-A XTACCESS -s $ACCESS_IP1 -d 192.168.0.2 -i eth1 -p udp -m udp --dport 5060 -j ACCEPT
-A XTACCESS -s $ACCESS_IP2 -d 192.168.0.2 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A XTACCESS -s $ACCESS_IP3 -d 192.168.0.2 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A XTACCESS -s $ACCESS_IP2 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 223 -j ACCEPT
-A XTACCESS -s $ACCESS_IP5 -d 192.168.0.2 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A XTACCESS -s $ACCESS_IP5 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 81 -j ACCEPT
-A XTACCESS -s $ACCESS_IP5 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 223 -j ACCEPT
-A XTACCESS -s $ACCESS_IP6 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A XTACCESS -s $ACCESS_IP2 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A XTACCESS -s $ACCESS_IP5 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A XTACCESS -s $ACCESS_IP5 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A XTACCESS -s $ACCESS_IP2 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A XTACCESS -s $ACCESS_IP5 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A XTACCESS -s $ACCESS_IP2 -d $EXT_IP -i eth1 -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
COMMIT
# Completed on Fri Apr 15 14:07:02 2011
# Generated by iptables-save v1.3.5 on Fri Apr 15 14:07:02 2011
*mangle
:PREROUTING ACCEPT [956876:478976939]
:INPUT ACCEPT [18575:3467763]
:FORWARD ACCEPT [938301:475509176]
:OUTPUT ACCEPT [17013:1928657]
:POSTROUTING ACCEPT [954894:477352925]
:PORTFWMANGLE - [0:0]
-A PREROUTING -j PORTFWMANGLE
-A PREROUTING -d 224.0.0.1 -j DROP
COMMIT
# Completed on Fri Apr 15 14:07:02 2011
# Generated by iptables-save v1.3.5 on Fri Apr 15 14:07:02 2011
*nat
:PREROUTING ACCEPT [18632:1718874]
:POSTROUTING ACCEPT [6861:531454]
:OUTPUT ACCEPT [6856:531214]
-A PREROUTING -d $EXT_IP -i eth1 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.0.2:5060
-A PREROUTING -d $EXT_IP -i eth1 -p udp -m udp --dport 1024:65535 -j DNAT --to-destination 192.168.0.2:1024-65535
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.2:22
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.0.2:20
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.2:21
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -m mark --mark 0x1 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Apr 15 14:07:02 2011
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
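The question in the thread is whether source NAT is pinned to the internet-facing interface. The script below is an added example, written for this page and not part of the thread or of netfilter itself: it parses iptables-save output and lists every SNAT/MASQUERADE rule in nat/POSTROUTING that is not restricted with `-o` to the WAN interface. The embedded nat table is the one posted above (the `$EXT_IP` placeholder is kept as a literal token and never resolved); the second, "unscoped" table is a constructed illustration of a catch-all MASQUERADE, not a copy of the poster's earlier rule. Taking `eth1` as the WAN interface is an assumption drawn from the `-i eth1`/`-o eth1` usage in the dump. A flagged rule is a prompt to look, not a verdict: the posted mark-matched SNAT rule is flagged because it has no `-o`, and whether that is intended depends on what the (empty in this dump) PORTFWMANGLE chain marks.

```python
"""Audit nat/POSTROUTING source-NAT rules in an iptables-save dump.

Added example for this page; not code from the thread or from netfilter.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the nat table as posted in the thread. "$EXT_IP" is the
# poster's placeholder and is treated as an opaque token.
NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [18632:1718874]
:POSTROUTING ACCEPT [6861:531454]
:OUTPUT ACCEPT [6856:531214]
-A PREROUTING -d $EXT_IP -i eth1 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.0.2:5060
-A PREROUTING -d $EXT_IP -i eth1 -p udp -m udp --dport 1024:65535 -j DNAT --to-destination 192.168.0.2:1024-65535
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.2:22
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.0.2:20
-A PREROUTING -d $EXT_IP -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.2:21
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -m mark --mark 0x1 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
COMMIT
"""

# Constructed illustration (not the poster's old rule): MASQUERADE with no -o,
# so it rewrites LAN sources on whichever interface the packet leaves by.
NAT_TABLE_UNSCOPED = """\
*nat
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
"""

SOURCE_NAT_TARGETS = {"SNAT", "MASQUERADE", "NETMAP"}
_FIELD_FOR_OPTION = {"-i": "in_iface", "-o": "out_iface", "-s": "src",
                     "-d": "dst", "-j": "target"}


@dataclass
class Rule:
    table: str
    chain: str
    target: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    extra: List[str] = field(default_factory=list)  # tokens not interpreted here

    def describe(self) -> str:
        return (f"{self.table}/{self.chain} -j {self.target} "
                f"src={self.src or 'any'} out={self.out_iface or 'any'} "
                + " ".join(self.extra)).rstrip()


def _value(toks: List[str], i: int):
    """Return (value, next_index) for the option at toks[i], keeping a '!' negation."""
    if i + 1 >= len(toks):
        raise ValueError(f"option {toks[i]} has no value")
    if toks[i + 1] == "!":
        return "!" + toks[i + 2], i + 3
    return toks[i + 1], i + 2


def parse_rules(dump: str) -> List[Rule]:
    """Parse the -A lines of an iptables-save dump, tracking the current *table."""
    rules, table = [], "filter"
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue  # comments, chain/policy declarations, table terminator
        if line.startswith("*"):
            table = line[1:]
            continue
        toks = shlex.split(line)  # keeps quoted --log-prefix values intact
        if toks[:2] == ["-A"] or toks[:1] != ["-A"]:
            continue
        rule = Rule(table=table, chain=toks[1])
        i = 2
        while i < len(toks):
            opt = toks[i]
            if opt in _FIELD_FOR_OPTION:
                val, i = _value(toks, i)
                setattr(rule, _FIELD_FOR_OPTION[opt], val)
            else:
                rule.extra.append(opt)
                i += 1
        rules.append(rule)
    return rules


def unscoped_source_nat(rules: List[Rule], wan_iface: str) -> List[Rule]:
    """Source-NAT rules in nat/POSTROUTING that are not pinned to -o <wan_iface>."""
    return [r for r in rules
            if r.table == "nat" and r.chain == "POSTROUTING"
            and r.target in SOURCE_NAT_TARGETS
            and r.out_iface != wan_iface]


def audit(dump: str, wan_iface: str) -> List[str]:
    """One finding string per source-NAT rule that is not limited to the WAN interface."""
    return [f"not limited to -o {wan_iface}: {r.describe()}"
            for r in unscoped_source_nat(parse_rules(dump), wan_iface)]


if __name__ == "__main__":
    for name, dump in (("posted", NAT_TABLE), ("unscoped", NAT_TABLE_UNSCOPED)):
        print(f"== {name} ==")
        for line in audit(dump, "eth1") or ["ok: all source NAT pinned to eth1"]:
            print(line)
```

Run against a live box with `iptables-save | python3 audit_snat.py -` after swapping the embedded strings for `sys.stdin.read()`; the interesting output is any POSTROUTING rule reported with `out=any`, since that is the shape that rewrites traffic leaving on the LAN side too.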