NAT troubles or just a plain error?

Hi list!


I have a firewall/gateway on our network; I upgraded it from an old Debian
Lenny to Wheezy (3.2), but things do not work as before.


Was there some change that I may be missing,
or am I doing something wrong this time?


The firewall is placed between the LAN (and some VLANs), the DMZ, the VPN and
two internet links (plain DHCP on eth0 and a PPPoE DSL link on ppp0):

# flush, delete user chains and zero counters in all three tables
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t filter -Z
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
# user chain: reject NEW TCP connections that do not start with a SYN
/sbin/iptables -N bad_tcp_packets
/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j REJECT
# source NAT on both uplinks and towards eth1
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth1 -j MASQUERADE
# stateful accept for replies and related traffic
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
....
# HTTPS from eth2 straight out either uplink
/sbin/iptables -A FORWARD -p tcp -i eth2 -o eth0 --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i eth2 -o ppp0 --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth2 -o eth0 --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth2 -o ppp0 --dport 443 -j ACCEPT
...
# transparent proxy: accept the proxy port locally and redirect LAN HTTP to it
/sbin/iptables -A INPUT -p tcp -i eth2 --dport 3128 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 ! -d 192.168.0.0/16 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 8080 -j REDIRECT --to-port 3128
......
# the last rules:
/sbin/iptables -A FORWARD -j REJECT
/sbin/iptables -A INPUT -j REJECT



As you can see, I'm not using DROP nor a DROP policy; I'm using an
ACCEPT policy and REJECTs for debugging, as suggested on
http://major.io/2010/04/12/best-practices-iptables/ (and it seems to be
helping me with other things).

The default gateway is on ppp0; the second ISP (on eth0) is used to access
only some IP ranges, and other ones are routed through the DMZ.


I'm having trouble reaching some HTTPS sites that should go out the ppp0
interface if I don't use the proxy, and I need it to be transparent (for
plain HTTP).



Thanks!


--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
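When a ruleset behaves differently after an upgrade, the first thing to settle is what the rules as written actually do to a given packet, before looking at the kernel. The script below is an added example, not code from the poster or from the netfilter project: it parses the rules visible in the post (wrapped lines re-joined; the "...." sections are not on the page, so they are not included and the trace covers only the visible rules) and walks a constructed packet through nat/PREROUTING, filter/INPUT or FORWARD, and nat/POSTROUTING in the order the kernel evaluates them. Only the match options the post uses are implemented, the chain policy is assumed to be ACCEPT as the post says, and the interface names, LAN address and the 203.0.113.10 destination in the usage are constructed for the example. It also lists user chains that nothing jumps to: over the visible rules, bad_tcp_packets is created but never referenced, so the "NEW but not SYN" check never runs (the elided rules may of course contain the jump).

```python
import ipaddress
import shlex

# The rules as posted, wrapped lines re-joined.  The "...."-elided rules are not
# on the page, so they are not here: the trace covers the visible rules only.
POSTED_RULES = """
/sbin/iptables -N bad_tcp_packets
/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j REJECT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth1 -j MASQUERADE
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i eth2 -o eth0 --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i eth2 -o ppp0 --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth2 -o eth0 --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth2 -o ppp0 --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth2 --dport 3128 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 ! -d 192.168.0.0/16 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 8080 -j REDIRECT --to-port 3128
/sbin/iptables -A FORWARD -j REJECT
/sbin/iptables -A INPUT -j REJECT
"""
# the subset of iptables match options the posted rules use
OPTS = {"-p": "proto", "-i": "in_if", "-o": "out_if", "--dport": "dport",
        "-s": "src", "-d": "dst", "--state": "state"}

def parse_rules(text):
    """Parse -A/-N lines into rule dicts, keeping order (order is the point)."""
    rules, user_chains = [], set()
    for line in text.strip().splitlines():
        toks = shlex.split(line)[1:]                     # drop /sbin/iptables
        r = {"table": "filter", "chain": None, "target": None,
             "match": {}, "neg": set(), "to_port": None}
        i, negate = 0, False
        while i < len(toks):
            t = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if t == "!":                                 # applies to next option
                negate, i = True, i + 1
                continue
            if t == "-t": r["table"] = arg
            elif t == "-N": user_chains.add(arg)
            elif t == "-A": r["chain"] = arg
            elif t == "-j": r["target"] = arg
            elif t == "--to-port": r["to_port"] = int(arg)
            elif t == "--syn": r["match"]["syn"] = True
            elif t in OPTS: r["match"][OPTS[t]] = arg
            elif t != "-m":                              # "-m state" matches nothing itself
                raise ValueError("unsupported option %s in: %s" % (t, line))
            if negate:
                r["neg"].add(OPTS.get(t, "syn"))
            negate, i = False, i + (1 if t == "--syn" else 2)
        if r["chain"]:
            rules.append(r)
    return rules, user_chains

RULES, USER_CHAINS = parse_rules(POSTED_RULES)

def matches(rule, pkt):
    """True if every match option of the rule holds for the packet dict."""
    for key, want in rule["match"].items():
        if key == "syn":
            ok = pkt["syn"]
        elif key == "state":
            ok = pkt["state"] in want.split(",")
        elif key in ("src", "dst"):
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        elif key == "dport":
            ok = pkt["dport"] == int(want)
        else:
            ok = pkt[key] == want
        if ok == (key in rule["neg"]):                   # "!" inverts the test
            return False
    return True

def walk(table, chain, pkt):
    """First terminating verdict in a chain, or (None, None) if the packet
    falls off the end (built-in policy, or implicit RETURN from a user chain)."""
    for r in RULES:
        if r["table"] != table or r["chain"] != chain or not matches(r, pkt):
            continue
        if r["target"] in USER_CHAINS:
            verdict, hit = walk(table, r["target"], pkt)
            if verdict is not None:
                return verdict, hit
            continue
        return r["target"], r
    return None, None

def trace(pkt):
    """Hooks in kernel order for one packet; returns [(hook, verdict), ...]."""
    pkt, path = dict(pkt), []
    verdict, hit = walk("nat", "PREROUTING", pkt)
    path.append(("nat/PREROUTING", verdict or "ACCEPT(policy)"))
    if verdict == "REDIRECT":                            # DNAT to the gateway itself
        pkt["local"], pkt["dport"] = True, hit["to_port"]
    chain = "INPUT" if pkt["local"] else "FORWARD"
    verdict = walk("filter", chain, pkt)[0] or "ACCEPT(policy)"
    path.append(("filter/" + chain, verdict))
    if chain == "FORWARD" and verdict == "ACCEPT":
        path.append(("nat/POSTROUTING", walk("nat", "POSTROUTING", pkt)[0] or "no SNAT"))
    return path

def unreferenced_chains():
    """User chains that no rule jumps to: their checks never run."""
    return sorted(USER_CHAINS - {r["target"] for r in RULES})

def packet(in_if, out_if, proto, dport, src, dst, state="NEW", syn=True):
    return {"in_if": in_if, "out_if": out_if, "proto": proto, "dport": dport,
            "src": src, "dst": dst, "state": state, "syn": syn, "local": False}

if __name__ == "__main__":
    # constructed traffic: LAN host on eth2, routing decision already made
    print(trace(packet("eth2", "ppp0", "tcp", 443, "192.168.1.20", "203.0.113.10")))
    print(trace(packet("eth2", "ppp0", "tcp", 80, "192.168.1.20", "203.0.113.10")))
    print(unreferenced_chains())
```

Read against the post's symptom: a NEW TCP SYN from eth2 to a public address on port 443 that the routing table sends out ppp0 passes FORWARD and is masqueraded, while port 80 is redirected to 3128 and accepted on INPUT, so the visible rules alone do not explain HTTPS failing; the same packet arriving on any interface other than eth2 falls through to the final REJECT. On the real box, the equivalent check is the packet and byte counters from iptables -L FORWARD -v -n and iptables -t nat -L -v -n while reproducing the failure.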
