On 06.01.2017 17:44, Matt Killock wrote:
> My server has unusual interface names, so I changed them before.
>
> root@aspfw2:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 enp2s12f0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 enp2s12f0
> 192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 enp2s12f1
> 192.168.40.0    0.0.0.0         255.255.255.0   U     0      0        0 enp6s7

Use iproute2. Don't use the net-tools. They're unmaintained, less powerful and lie.

> [4:208] -A FORWARD -s 192.168.20.0/24 -d 212.58.244.71/32 -i enp2s12f1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset

The rule is hit.

Your rule set is absolutely broken, because you don't permit ctstate RELATED, and at the same time it's unnecessarily convoluted and unstructured. You need to permit it to allow ICMP errors through and the TCP reset packets.

I advise rewriting the complete rule set. You should start by taking this example rule set for edge routers [1], understanding the different components and rewriting your current one based off the example.

You are strongly encouraged to filter traffic based on ctstates. Use the conntrack module instead of the state module. It is more powerful.

Please use the documents at [2] and [3] to improve your rule set.

[1] https://github.com/QueuingKoala/netfilter-samples/tree/master/rules-edge-router
[2] http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter
[3] http://inai.de/images/nf-packet-flow.png

--
Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
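A small lint over an iptables-save dump that checks the two defects raised above (no ACCEPT of ctstate RELATED in FORWARD, and use of the legacy state match instead of conntrack). This is an added example, not code from the thread or the referenced rule sets; the two dumps are constructed, with made-up interfaces and a documentation address in place of the original destination.

```python
"""Lint an iptables-save dump for the defects called out in the reply: a FORWARD
chain that never ACCEPTs ctstate RELATED, and use of the legacy 'state' match."""
import re
import shlex

# Constructed samples in iptables-save format (counters as [pkts:bytes], like the
# quoted rule); interfaces and addresses are made up, not from the original post.
BROKEN_DUMP = """\
*filter
:FORWARD DROP [0:0]
[10:800] -A FORWARD -m state --state ESTABLISHED -j ACCEPT
[4:208] -A FORWARD -s 192.168.20.0/24 -d 203.0.113.10/32 -i enp2s12f1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
[0:0] -A FORWARD -i enp2s12f1 -o enp2s12f0 -j ACCEPT
COMMIT
"""
# Same policy with conntrack matching and RELATED permitted before any REJECT/DROP.
FIXED_DUMP = """\
*filter
:FORWARD DROP [0:0]
[10:800] -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate INVALID -j DROP
[4:208] -A FORWARD -s 192.168.20.0/24 -d 203.0.113.10/32 -i enp2s12f1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
[0:0] -A FORWARD -i enp2s12f1 -o enp2s12f0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

def parse_rules(dump, chain):
    """Return the rules appended to `chain` as token lists, counters stripped."""
    rules = []
    for line in dump.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", line.strip())
        if line.startswith(f"-A {chain} "):
            rules.append(shlex.split(line)[2:])
    return rules

def lint_forward(dump):
    """Return sorted distinct findings; an empty list means both checks pass."""
    findings, related_ok = set(), False
    for tokens in parse_rules(dump, "FORWARD"):
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        if "--state" in tokens:
            findings.add("legacy 'state' match used; prefer -m conntrack --ctstate")
        if "--ctstate" in tokens and target == "ACCEPT":
            states = tokens[tokens.index("--ctstate") + 1].split(",")
            related_ok = related_ok or "RELATED" in states
        if target in ("REJECT", "DROP") and not related_ok:
            findings.add("terminating REJECT/DROP reached before ctstate RELATED is accepted")
    if not related_ok:
        findings.add("FORWARD never accepts ctstate RELATED, so ICMP errors for tracked flows are dropped")
    return sorted(findings)
```

Feed it real output with `lint_forward(open("/tmp/rules.txt").read())` after running `iptables-save > /tmp/rules.txt`.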