Subject: Rewrote script; Still can't get out from DNAT'ed servers...
From: Madison Kelly
Date: 2004-02-19 15:36 UTC
To: netfilter

Hi all,

   A few days ago I posted a problem I had with 'iptables' (Fedora Core 
1, 2.4.2166 kernel) and NAT'ed servers. I never got a reply but I also 
found some big problems so I re-wrote a good chunk of my script but the 
problem remains. I hope no one minds me asking again for help with the 
new info in 'iptables-save' :)

   I have my network setup like this:
LAN clients - 192.168.1.0/24, eth0
SRV clients - 192.168.2.0/24, eth1
Public IPs - 111.222.33.32/27, eth2

eth0 - 192.168.1.1
eth1 - 192.168.2.1
eth2 - 111.222.33.34
eth2:0 - 111.222.33.46
eth2:1 - 111.222.33.47
eth2:2 - 111.222.33.48

   I have all of my LAN SNAT'ed behind the firewall's IP address and 
that network is working great.

   I have each Server client DNAT/SNAT'ed behind a single public IP 
address. For example, the machine I am currently testing from is DNAT to 
192.168.2.12 and SNAT'ed to 111.222.33.47. I have a test web server up 
and 'sshd' running and I specifically allowed ports 22 and 80 into that 
server. Internet and LAN clients -can- connect to the server just fine. 
The problem lies in that the server -cannot- connect out to the Internet.

   I think it has something to do with the DNAT because when I simply 
SNAT the 192.168.2.0/24 subnet behind the firewall (as though it too 
were a LAN subnet) then I can connect out fine.

   Does anyone have any suggestions as to what I could be doing wrong? I 
admit the script is still being debugged so there may still be unrelated 
problems, too.

   Thanks again for any potential help!

Madison

  PS - Watch the answer end up being one that was staring me in the face! :)

  -= 'iptables-save' =-
# Generated by iptables-save v1.2.9 on Thu Feb 19 10:20:06 2004
*mangle
:PREROUTING ACCEPT [39:3516]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [39:3516]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [36:3216]
COMMIT
# Completed on Thu Feb 19 10:20:06 2004
# Generated by iptables-save v1.2.9 on Thu Feb 19 10:20:06 2004
*nat
:PREROUTING ACCEPT [4:400]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 111.222.33.47 -j DNAT --to-destination 192.168.2.12
-A PREROUTING -d 111.222.33.48 -j DNAT --to-destination 192.168.2.11
-A PREROUTING -d 111.222.33.46 -j DNAT --to-destination 192.168.2.15
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth2 -j SNAT --to-source 111.222.33.34
-A POSTROUTING -s 192.168.2.12 -j SNAT --to-source 111.222.33.47
-A POSTROUTING -s 192.168.2.11 -j SNAT --to-source 111.222.33.48
-A POSTROUTING -s 192.168.2.15 -j SNAT --to-source 111.222.33.46
COMMIT
# Completed on Thu Feb 19 10:20:06 2004
# Generated by iptables-save v1.2.9 on Thu Feb 19 10:20:06 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [3:300]
:OUTPUT ACCEPT [0:0]
:FWIN - [0:0]
:FWOUT - [0:0]
:LANIN - [0:0]
:LANOUT - [0:0]
:LDROP - [0:0]
:LREJECT - [0:0]
:LTREJECT - [0:0]
:SRVIN - [0:0]
:SRVOUT - [0:0]
:TCPACCEPT - [0:0]
:TREJECT - [0:0]
:UDPACCEPT - [0:0]
:ULDROP - [0:0]
:ULREJECT - [0:0]
:ULTREJECT - [0:0]
-A INPUT -i eth2 -j FWIN
-A INPUT -i eth0 -j FWIN
-A INPUT -i eth1 -j FWIN
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j LANIN
-A FORWARD -i eth0 -o eth2 -j LANOUT
-A FORWARD -i eth2 -o eth1 -j SRVIN
-A FORWARD -i eth1 -o eth2 -j SRVOUT
-A FORWARD -i eth1 -o eth0 -j LANIN
-A FORWARD -i eth0 -o eth1 -j LANOUT
-A OUTPUT -o eth2 -j FWOUT
-A OUTPUT -o eth0 -j FWOUT
-A OUTPUT -o eth1 -j FWOUT
-A FWIN -m state --state INVALID -j TREJECT
-A FWIN -p tcp -m mac --mac-source 00:50:BA:D2:31:0F -m tcp --dport 22 -j TCPACCEPT
-A FWIN -p tcp -m mac --mac-source 00:02:B3:07:F6:1A -m tcp --dport 22 -j TCPACCEPT
-A FWIN -p tcp -m mac --mac-source 00:60:97:6D:A1:0E -m tcp --dport 22 -j TCPACCEPT
-A FWIN -p udp -m mac --mac-source 00:50:BA:D2:31:0F -m udp --dport 22 -j UDPACCEPT
-A FWIN -p udp -m mac --mac-source 00:02:B3:07:F6:1A -m udp --dport 22 -j UDPACCEPT
-A FWIN -p udp -m mac --mac-source 00:60:97:6D:A1:0E -m udp --dport 22 -j UDPACCEPT
-A FWIN -i eth0 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A FWIN -i eth0 -p udp -m udp --dport 53 -j UDPACCEPT
-A FWIN -i eth1 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A FWIN -i eth1 -p udp -m udp --dport 53 -j UDPACCEPT
-A FWIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FWIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A FWIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A FWIN -m state --state ESTABLISHED -j ACCEPT
-A FWIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A FWIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A FWIN -j TREJECT
-A FWOUT -j ACCEPT
-A LANIN -m state --state INVALID -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A LANIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A LANIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A LANIN -m state --state ESTABLISHED -j ACCEPT
-A LANIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A LANIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A LANIN -s 192.168.2.12 -d 192.168.1.100 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A LANIN -s 192.168.2.12 -d 192.168.1.100 -p udp -m udp --dport 22 -j UDPACCEPT
-A LANIN -j TREJECT
-A LANOUT -s 192.168.1.0/255.255.255.0 -o eth2 -j ACCEPT
-A LANOUT -j ACCEPT
-A LDROP -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Dropped " --log-level 6
-A LDROP -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Dropped " --log-level 6
-A LDROP -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Dropped " --log-level 6
-A LDROP -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Dropped "
-A LDROP -j DROP
-A LREJECT -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Rejected " --log-level 6
-A LREJECT -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Rejected " --log-level 6
-A LREJECT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Rejected " --log-level 6
-A LREJECT -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Rejected "
-A LREJECT -j REJECT --reject-with icmp-port-unreachable
-A LTREJECT -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Rejected " --log-level 6
-A LTREJECT -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Rejected " --log-level 6
-A LTREJECT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Rejected " --log-level 6
-A LTREJECT -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Rejected "
-A LTREJECT -j TREJECT
-A SRVIN -m state --state INVALID -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A SRVIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A SRVIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A SRVIN -m state --state ESTABLISHED -j ACCEPT
-A SRVIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A SRVIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A SRVIN -d 192.168.2.12 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.12 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A SRVIN -d 192.168.2.12 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.12 -p udp -m udp --dport 22 -j UDPACCEPT
-A SRVIN -d 192.168.2.12 -p udp -m udp --dport 53 -j UDPACCEPT
-A SRVIN -d 192.168.2.12 -p udp -m udp --dport 80 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 25 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 110 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 22 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 25 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 53 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 80 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 110 -j UDPACCEPT
-A SRVIN -d 192.168.2.15 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.15 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A SRVIN -d 192.168.2.15 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.15 -p udp -m udp --dport 22 -j UDPACCEPT
-A SRVIN -d 192.168.2.15 -p udp -m udp --dport 53 -j UDPACCEPT
-A SRVIN -d 192.168.2.15 -p udp -m udp --dport 80 -j UDPACCEPT
-A SRVIN -j TREJECT
-A SRVOUT -s 192.168.2.0/255.255.255.0 -o eth2 -j ACCEPT
-A SRVOUT -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/sec -j LOG --log-prefix "Possible SynFlood "
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TREJECT
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch in TCPACCEPT "
-A TCPACCEPT -j TREJECT
-A TREJECT -p tcp -j REJECT --reject-with tcp-reset
-A TREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A TREJECT -p icmp -j DROP
-A TREJECT -j REJECT --reject-with icmp-port-unreachable
-A UDPACCEPT -p udp -j ACCEPT
-A UDPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch on UDPACCEPT "
-A UDPACCEPT -j TREJECT
-A ULDROP -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_TCP"
-A ULDROP -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_UDP"
-A ULDROP -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_ICMP"
-A ULDROP -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_FRAG"
-A ULDROP -j DROP
-A ULREJECT -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_TCP"
-A ULREJECT -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_UDP"
-A ULREJECT -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_ICMP"
-A ULREJECT -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_FRAG"
-A ULREJECT -j REJECT --reject-with icmp-port-unreachable
-A ULTREJECT -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_TCP"
-A ULTREJECT -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_UDP"
-A ULTREJECT -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_ICMP"
-A ULTREJECT -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_FRAG"
-A ULTREJECT -p tcp -j REJECT --reject-with tcp-reset
-A ULTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A ULTREJECT -p icmp -j DROP
-A ULTREJECT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Feb 19 10:20:06 2004
  -= 'iptables-save' =-
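Added example for this thread (not part of Madison's post and not netfilter's code): a small Python walker that replays one packet through the filter table of an iptables-save dump and reports the verdict together with every rule it hit, so the FORWARD path can be checked on paper before touching the live box. The embedded ruleset is a constructed excerpt of the posted dump (the SRV-related chains only; the ICMP, MAC, ULOG and RELATED rules are left out), 198.51.100.7 is a made-up remote host, and the '-m limit' matches are assumed to be under their rate. The packets worth walking here are the inbound SYN as FORWARD sees it after nat PREROUTING has rewritten the destination to 192.168.2.12, the server's outbound SYN, which FORWARD sees with its private source because SNAT only happens in POSTROUTING, and the reply, whose destination conntrack has already mapped back to 192.168.2.12. The walk accepts all three, and also shows what happens when conntrack tags the reply INVALID (TREJECT, so a tcp-reset).

```python
"""Walk a packet through the filter table of an iptables-save dump and report the verdict
plus the rules it hit.  Added example for this thread, not the poster's or netfilter's code.
RULESET is a constructed excerpt of the posted dump (SRV chains only; ICMP, MAC, ULOG and
RELATED rules omitted).  Assumed: '-m limit' is under its rate; unknown options raise."""
import ipaddress, shlex
from collections import namedtuple
RULESET = """\
*filter
:FORWARD DROP [0:0]
:SRVIN - [0:0]
:SRVOUT - [0:0]
:TCPACCEPT - [0:0]
:TREJECT - [0:0]
-A FORWARD -i eth2 -o eth1 -j SRVIN
-A FORWARD -i eth1 -o eth2 -j SRVOUT
-A SRVIN -m state --state INVALID -j TREJECT
-A SRVIN -m state --state ESTABLISHED -j ACCEPT
-A SRVIN -d 192.168.2.12 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -j TREJECT
-A SRVOUT -s 192.168.2.0/255.255.255.0 -o eth2 -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec -j ACCEPT
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TREJECT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
"""
ARGC = {"-i": 1, "-o": 1, "-s": 1, "-d": 1, "-p": 1, "-j": 1, "-m": 1, "--state": 1,
        "--dport": 1, "--tcp-flags": 2, "--limit": 1, "--reject-with": 1}  # option: #args
IGNORED = {"-m", "--limit", "--reject-with"}          # parsed but carry no packet match
Packet = namedtuple("Packet", "src dst proto in_if out_if dport state tcp_flags",
                    defaults=("", "", 0, "NEW", frozenset()))   # state as '-m state' sees it

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into (matches, target, text); '!' negates the next option."""
    toks, matches, target, i = shlex.split(line), [], "", 2
    while i < len(toks):
        opt, negated = toks[i], toks[i - 1] == "!"
        if opt == "!":
            i += 1
        elif opt not in ARGC:
            raise ValueError(f"unsupported option {opt!r} in: {line}")
        else:
            args, i = toks[i + 1:i + 1 + ARGC[opt]], i + 1 + ARGC[opt]
            if opt == "-j":
                target = args[0]
            elif opt not in IGNORED:
                matches.append((opt, negated, args))
    return matches, target, line

def parse_ruleset(text):
    """Return (policies, chains) for the *filter table of an iptables-save dump."""
    policies, chains, active = {}, {}, False
    for line in (l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        if line[0] == "*" or line == "COMMIT":
            active = line == "*filter"                  # only the filter table is walked
        elif not active:
            continue
        elif line[0] == ":":                            # ':CHAIN POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = (None if policy == "-" else policy), []
        else:
            chains[line.split()[1]].append(parse_rule(line))
    return policies, chains

def match(opt, negated, args, pkt):
    """Evaluate one match against the packet, honouring '!' negation."""
    if opt in ("-i", "-o"):
        ok = (pkt.in_if if opt == "-i" else pkt.out_if) == args[0]
    elif opt in ("-s", "-d"):                           # accepts both /24 and /255.255.255.0
        net = ipaddress.ip_network(args[0], strict=False)
        ok = ipaddress.ip_address(pkt.src if opt == "-s" else pkt.dst) in net
    elif opt in ("-p", "--state"):                      # '--state A,B' is a list
        ok = (pkt.proto if opt == "-p" else pkt.state) in args[0].split(",")
    elif opt == "--dport":                              # single port or 'lo:hi'
        lo, _, hi = args[0].partition(":")
        ok = int(lo) <= pkt.dport <= int(hi or lo)
    else:                                               # '--tcp-flags MASK COMP'
        mask, comp = set(args[0].split(",")), set(args[1].split(","))
        ok = (set(pkt.tcp_flags) & mask) == (comp & mask)
    return ok != negated

def walk(chains, chain, pkt, path):
    """Verdict reached inside 'chain', or None when the chain falls through."""
    for matches, target, text in chains[chain]:
        if not all(match(o, n, a, pkt) for o, n, a in matches):
            continue
        path.append(text)
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        if target in chains:                            # user-defined chain: recurse
            verdict = walk(chains, target, pkt, path)
            if verdict is not None:
                return verdict
        elif target not in ("", "LOG", "ULOG"):         # LOG/ULOG are non-terminating
            raise ValueError(f"unknown target {target!r}")
    return None

def trace(pkt, chain="FORWARD", text=RULESET):
    """(verdict, rules hit) for 'pkt' entering builtin 'chain'; policy applies on fall-through."""
    policies, chains = parse_ruleset(text)
    verdict = walk(chains, chain, pkt, path := [])
    return (verdict if verdict is not None else policies[chain]), path
```

Because the walker raises on any option it does not model, feeding it the full posted dump needs ARGC and match() extended for --icmp-type, --mac-source and -f first; that is deliberate, since a rule that is silently skipped would make the trace lie. On the live box the equivalent check is to zero the counters with iptables -Z, repeat the outbound connection attempt from 192.168.2.12, and read iptables-save -c to see which rule's packet counter moved; if nothing in SRVOUT or TREJECT moves, the packet is being lost before or after the filter table, not in it.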