From: "Stanislav Puffler DiS."
Subject: Re: still can't FORWARD tcp on 25 port to another destination...
Date: Fri, 12 Mar 2004 17:54:42 +0100
Message-ID: <4051EB52.1000609@seznam.cz>
References: <4051CF98.1020008@seznam.cz>
In-Reply-To: <4051CF98.1020008@seznam.cz>
To: Netfilter Mailing List

Stanislav Puffler DiS. wrote:
> Hello,
> I still can't FORWARD any incoming TCP packets (port 25) from the Internet
> arriving on my external interface eth0 (82.142.67.253) to a destination in
> my network (192.168.200.2). Here is my complete ruleset from
> iptables-save. I have been 2 days without any idea or success :( Could anyone
> help please?
>
> # Generated by iptables-save v1.2.6a on Fri Mar 12 14:53:44 2004
> *nat
> :PREROUTING ACCEPT [342:36496]
> :POSTROUTING ACCEPT [42:3408]
> :OUTPUT ACCEPT [66:5557]
> -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
> -A PREROUTING -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
> -A PREROUTING -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.200.2:25
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Fri Mar 12 14:53:44 2004
> # Generated by iptables-save v1.2.6a on Fri Mar 12 14:53:44 2004
> *filter
> :INPUT DROP [83:8337]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :spoofing - [0:0]
> :syn_flood - [0:0]
> :tcp_segmenty - [0:0]
> :udp_pakety - [0:0]
> -A INPUT -i eth0 -p tcp -j tcp_segmenty
> -A INPUT -i eth0 -p udp -j udp_pakety
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -i eth2 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -i eth0 -j spoofing
> -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn_flood
> -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
> -A INPUT -s 80.95.96.7 -i eth0 -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -i eth2 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A FORWARD -i eth1 -j ACCEPT
> -A FORWARD -i eth2 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -j ACCEPT
> -A FORWARD -i eth0 -j spoofing
> -A FORWARD -d 192.168.200.2 -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -s 127.0.0.1 -j ACCEPT
> -A OUTPUT -s 192.168.0.1 -j ACCEPT
> -A OUTPUT -s 192.168.200.1 -j ACCEPT
> -A OUTPUT -s 82.142.67.253 -j ACCEPT
> -A spoofing -s 192.168.0.0/255.255.0.0 -j DROP
> -A spoofing -s 172.16.0.0/255.240.0.0 -j DROP
> -A spoofing -s 10.0.0.0/255.0.0.0 -j DROP
> -A syn_flood -m limit --limit 1/sec -j RETURN
> -A syn_flood -j DROP
> -A tcp_segmenty -p tcp -m tcp --dport 25 -j ACCEPT
> -A tcp_segmenty -p tcp -m tcp --dport 80 -j ACCEPT
> -A udp_pakety -p udp -m udp --dport 53 -j ACCEPT
> COMMIT
> # Completed on Fri Mar 12 14:53:44 2004
>
> Thanks in advance,
> Stanislav Puffler.

Couldn't it be a problem that I don't have any modules in the kernel to
forward these packets or do masquerading? Is it possible to install
iptables if I haven't got any modules or functions compiled into the kernel?

Thanks a lot.
Stanley
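A check for the two kernel-side things Stanley asks about (forwarding support and NAT support), added here as an example and not part of the thread; it assumes the legacy ip_tables interface (/proc/net/ip_tables_names) of the kernels of that era and the module names named in the comments, and takes its inputs as arguments so it can be run on captured values as well as on the live box:

```shell
#!/bin/sh
# Added example (not code from the thread): check the kernel prerequisites a
# DNAT port forward such as the quoted
#   -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.200.2:25
# depends on, independently of the ruleset itself. Live usage:
#   check_dnat_prereqs "$(cat /proc/sys/net/ipv4/ip_forward)" \
#       "$(cat /proc/modules)" "$(cat /proc/net/ip_tables_names)"

# has_module NAME MODULES_TEXT: succeeds if NAME is in the first column of
# /proc/modules (or lsmod output).
has_module() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# has_table NAME TABLES_TEXT: succeeds if iptables table NAME is registered
# (/proc/net/ip_tables_names lists one table name per line).
has_table() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# check_dnat_prereqs IP_FORWARD MODULES_TEXT TABLES_TEXT
# Prints one line per problem and returns the number of problems found
# (0 means forwarding and the nat table are both available).
check_dnat_prereqs() {
    problems=0
    if [ "$1" != "1" ]; then
        echo "ip_forward=$1: the kernel will not forward DNATed packets; set net.ipv4.ip_forward=1"
        problems=$((problems + 1))
    fi
    # DNAT and MASQUERADE live in the nat table, which only exists once
    # iptable_nat (module or built-in) and connection tracking are present.
    if ! has_table nat "$3"; then
        echo "no 'nat' table registered: iptable_nat / conntrack support is missing"
        problems=$((problems + 1))
    fi
    # Hint only: conntrack built into the kernel never shows in /proc/modules.
    # ip_conntrack is the 2.4-era module name, nf_conntrack the current one.
    if ! has_module ip_conntrack "$2" && ! has_module nf_conntrack "$2"; then
        echo "hint: neither ip_conntrack nor nf_conntrack is loaded as a module"
    fi
    return "$problems"
}

# Run against the live kernel when it exposes the needed files.
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    if check_dnat_prereqs "$(cat /proc/sys/net/ipv4/ip_forward)" \
            "$(cat /proc/modules 2>/dev/null)" "$(cat /proc/net/ip_tables_names 2>/dev/null)"; then
        echo "kernel prerequisites for DNAT forwarding are present"
    fi
fi
```

On systems using iptables-nft the tables file is not populated, so the nat-table check only applies to the legacy ip_tables backend.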