From: Madison Kelly <linux@alteeve.com>
To: netfilter@lists.netfilter.org
Subject: Rewrote script; Still can't get out from DNAT'ed servers...
Date: Thu, 19 Feb 2004 10:36:12 -0500
Message-ID: <4034D7EC.2010206@alteeve.com>
Hi all,
A few days ago I posted a problem I had with 'iptables' (Fedora Core
1, 2.4.2166 kernel) and NAT'ed servers. I never got a reply, but I also
found some big problems, so I re-wrote a good chunk of my script; the
problem remains. I hope no one minds me asking again for help with the
new info in 'iptables-save' :)
I have my network set up like this:
LAN clients - 192.168.1.0/24, eth0
SRV clients - 192.168.2.0/24, eth1
Public IPs - 111.222.33.32/27, eth2
eth0 - 192.168.1.1
eth1 - 192.168.2.1
eth2 - 111.222.33.34
eth2:0 - 111.222.33.46
eth2:1 - 111.222.33.47
eth2:2 - 111.222.33.48
I have all of my LAN SNAT'ed behind the firewall's IP address and
that network is working great.
I have each Server client DNAT/SNAT'ed behind a single public IP
address. For example, the machine I am currently testing from is DNAT'ed to
192.168.2.12 and SNAT'ed to 111.222.33.47. I have a test web server up
and 'sshd' running and I specifically allowed ports 22 and 80 into that
server. Internet and LAN clients -can- connect to the server just fine.
The problem lies in that the server -cannot- connect out to the Internet.
I think it has something to do with the DNAT because when I simply
SNAT the 192.168.2.0/24 subnet behind the firewall (as though it too
were a LAN subnet) then I can connect out fine.
Does anyone have any suggestions as to what I could be doing wrong? I
admit the script is still being debugged so there may still be unrelated
problems, too.
Thanks again for any potential help!
Madison
PS - Watch the answer end up being one that was staring me in the face! :)
-= 'iptables-save' =-
# Generated by iptables-save v1.2.9 on Thu Feb 19 10:20:06 2004
*mangle
:PREROUTING ACCEPT [39:3516]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [39:3516]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [36:3216]
COMMIT
# Completed on Thu Feb 19 10:20:06 2004
# Generated by iptables-save v1.2.9 on Thu Feb 19 10:20:06 2004
*nat
:PREROUTING ACCEPT [4:400]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 111.222.33.47 -j DNAT --to-destination 192.168.2.12
-A PREROUTING -d 111.222.33.48 -j DNAT --to-destination 192.168.2.11
-A PREROUTING -d 111.222.33.46 -j DNAT --to-destination 192.168.2.15
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth2 -j SNAT --to-source 111.222.33.34
-A POSTROUTING -s 192.168.2.12 -j SNAT --to-source 111.222.33.47
-A POSTROUTING -s 192.168.2.11 -j SNAT --to-source 111.222.33.48
-A POSTROUTING -s 192.168.2.15 -j SNAT --to-source 111.222.33.46
COMMIT
# Completed on Thu Feb 19 10:20:06 2004
# Generated by iptables-save v1.2.9 on Thu Feb 19 10:20:06 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [3:300]
:OUTPUT ACCEPT [0:0]
:FWIN - [0:0]
:FWOUT - [0:0]
:LANIN - [0:0]
:LANOUT - [0:0]
:LDROP - [0:0]
:LREJECT - [0:0]
:LTREJECT - [0:0]
:SRVIN - [0:0]
:SRVOUT - [0:0]
:TCPACCEPT - [0:0]
:TREJECT - [0:0]
:UDPACCEPT - [0:0]
:ULDROP - [0:0]
:ULREJECT - [0:0]
:ULTREJECT - [0:0]
-A INPUT -i eth2 -j FWIN
-A INPUT -i eth0 -j FWIN
-A INPUT -i eth1 -j FWIN
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j LANIN
-A FORWARD -i eth0 -o eth2 -j LANOUT
-A FORWARD -i eth2 -o eth1 -j SRVIN
-A FORWARD -i eth1 -o eth2 -j SRVOUT
-A FORWARD -i eth1 -o eth0 -j LANIN
-A FORWARD -i eth0 -o eth1 -j LANOUT
-A OUTPUT -o eth2 -j FWOUT
-A OUTPUT -o eth0 -j FWOUT
-A OUTPUT -o eth1 -j FWOUT
-A FWIN -m state --state INVALID -j TREJECT
-A FWIN -p tcp -m mac --mac-source 00:50:BA:D2:31:0F -m tcp --dport 22 -j TCPACCEPT
-A FWIN -p tcp -m mac --mac-source 00:02:B3:07:F6:1A -m tcp --dport 22 -j TCPACCEPT
-A FWIN -p tcp -m mac --mac-source 00:60:97:6D:A1:0E -m tcp --dport 22 -j TCPACCEPT
-A FWIN -p udp -m mac --mac-source 00:50:BA:D2:31:0F -m udp --dport 22 -j UDPACCEPT
-A FWIN -p udp -m mac --mac-source 00:02:B3:07:F6:1A -m udp --dport 22 -j UDPACCEPT
-A FWIN -p udp -m mac --mac-source 00:60:97:6D:A1:0E -m udp --dport 22 -j UDPACCEPT
-A FWIN -i eth0 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A FWIN -i eth0 -p udp -m udp --dport 53 -j UDPACCEPT
-A FWIN -i eth1 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A FWIN -i eth1 -p udp -m udp --dport 53 -j UDPACCEPT
-A FWIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FWIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A FWIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A FWIN -m state --state ESTABLISHED -j ACCEPT
-A FWIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A FWIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A FWIN -j TREJECT
-A FWOUT -j ACCEPT
-A LANIN -m state --state INVALID -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A LANIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A LANIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A LANIN -m state --state ESTABLISHED -j ACCEPT
-A LANIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A LANIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A LANIN -s 192.168.2.12 -d 192.168.1.100 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A LANIN -s 192.168.2.12 -d 192.168.1.100 -p udp -m udp --dport 22 -j UDPACCEPT
-A LANIN -j TREJECT
-A LANOUT -s 192.168.1.0/255.255.255.0 -o eth2 -j ACCEPT
-A LANOUT -j ACCEPT
-A LDROP -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Dropped " --log-level 6
-A LDROP -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Dropped " --log-level 6
-A LDROP -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Dropped " --log-level 6
-A LDROP -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Dropped "
-A LDROP -j DROP
-A LREJECT -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Rejected " --log-level 6
-A LREJECT -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Rejected " --log-level 6
-A LREJECT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Rejected " --log-level 6
-A LREJECT -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Rejected "
-A LREJECT -j REJECT --reject-with icmp-port-unreachable
-A LTREJECT -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Rejected " --log-level 6
-A LTREJECT -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Rejected " --log-level 6
-A LTREJECT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Rejected " --log-level 6
-A LTREJECT -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Rejected "
-A LTREJECT -j TREJECT
-A SRVIN -m state --state INVALID -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A SRVIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A SRVIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A SRVIN -m state --state ESTABLISHED -j ACCEPT
-A SRVIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A SRVIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A SRVIN -d 192.168.2.12 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.12 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A SRVIN -d 192.168.2.12 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.12 -p udp -m udp --dport 22 -j UDPACCEPT
-A SRVIN -d 192.168.2.12 -p udp -m udp --dport 53 -j UDPACCEPT
-A SRVIN -d 192.168.2.12 -p udp -m udp --dport 80 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 25 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 110 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 22 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 25 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 53 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 80 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 110 -j UDPACCEPT
-A SRVIN -d 192.168.2.15 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.15 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A SRVIN -d 192.168.2.15 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.15 -p udp -m udp --dport 22 -j UDPACCEPT
-A SRVIN -d 192.168.2.15 -p udp -m udp --dport 53 -j UDPACCEPT
-A SRVIN -d 192.168.2.15 -p udp -m udp --dport 80 -j UDPACCEPT
-A SRVIN -j TREJECT
-A SRVOUT -s 192.168.2.0/255.255.255.0 -o eth2 -j ACCEPT
-A SRVOUT -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/sec -j LOG --log-prefix "Possible SynFlood "
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TREJECT
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch in TCPACCEPT "
-A TCPACCEPT -j TREJECT
-A TREJECT -p tcp -j REJECT --reject-with tcp-reset
-A TREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A TREJECT -p icmp -j DROP
-A TREJECT -j REJECT --reject-with icmp-port-unreachable
-A UDPACCEPT -p udp -j ACCEPT
-A UDPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch on UDPACCEPT "
-A UDPACCEPT -j TREJECT
-A ULDROP -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_TCP"
-A ULDROP -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_UDP"
-A ULDROP -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_ICMP"
-A ULDROP -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_FRAG"
-A ULDROP -j DROP
-A ULREJECT -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_TCP"
-A ULREJECT -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_UDP"
-A ULREJECT -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_ICMP"
-A ULREJECT -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_FRAG"
-A ULREJECT -j REJECT --reject-with icmp-port-unreachable
-A ULTREJECT -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_TCP"
-A ULTREJECT -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_UDP"
-A ULTREJECT -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_ICMP"
-A ULTREJECT -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_FRAG"
-A ULTREJECT -p tcp -j REJECT --reject-with tcp-reset
-A ULTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A ULTREJECT -p icmp -j DROP
-A ULTREJECT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Feb 19 10:20:06 2004
-= 'iptables-save' =-
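An added example, not part of Madison's post: a small Python check that reads an iptables-save dump and audits the 1:1 DNAT/SNAT pairs that the nat table above is built from. It flags SNAT rules that are not restricted to the WAN interface (assumed to be eth2, as in the post) and public/private address pairs whose inbound DNAT and outbound SNAT disagree; the sample dump is constructed and includes one deliberately mismatched pair.

```python
import shlex

# Constructed test input modelled on the *nat table in the post above; the
# 192.168.2.11 pair is deliberately mismatched (.48 in, .49 out) to exercise the check.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 111.222.33.47 -j DNAT --to-destination 192.168.2.12
-A PREROUTING -d 111.222.33.48 -j DNAT --to-destination 192.168.2.11
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth2 -j SNAT --to-source 111.222.33.34
-A POSTROUTING -s 192.168.2.12 -j SNAT --to-source 111.222.33.47
-A POSTROUTING -s 192.168.2.11 -j SNAT --to-source 111.222.33.49
COMMIT
"""


def nat_rules(dump):
    """Yield one {option: value} dict per '-A' rule in the *nat table."""
    # Only the plain '-opt value' form used above is handled (no '!' negation).
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith("-A "):
            toks = shlex.split(line)
            opts = {"chain": toks[1]}
            opts.update(zip(toks[2::2], toks[3::2]))
            yield opts


def audit_nat(dump, wan="eth2"):
    """Return findings about 1:1 DNAT/SNAT pairs; empty when all are scoped and consistent."""
    dnat, snat, findings = {}, {}, []
    for r in nat_rules(dump):
        if r.get("-j") == "DNAT":
            dnat[r["-d"]] = r["--to-destination"]
        elif r.get("-j") == "SNAT":
            snat[r["-s"]] = r["--to-source"]
            if r.get("-o") != wan:
                # Without -o the rewrite also hits traffic leaving towards the
                # internal interfaces, so LAN hosts see the public address.
                findings.append(f"SNAT of {r['-s']} lacks -o {wan}")
    for pub, priv in dnat.items():
        if snat.get(priv) != pub:
            findings.append(f"{pub} -> {priv} inbound but {priv} -> {snat.get(priv)} outbound")
    return findings
```

Calling `audit_nat(SAMPLE_DUMP)` returns three findings: the two unscoped SNAT rules and the .48/.49 mismatch; feeding it a real `iptables-save` dump works the same way.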