From: Luca Ferrari <fluca1978@infinito.it>
To: linux-admin@vger.kernel.org
Subject: iptables problem
Date: Tue, 15 Feb 2005 09:27:18 +0100
Message-ID: <200502150927.18164.fluca1978@infinito.it>
Hi,
I have a problem with iptables on a machine which is a firewall. The logs
report the following:
firewall:~ # grep 192.168.2.200 /var/log/messages | grep DPT=53
Feb 14 11:45:52 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=50 TOS=0x00 PREC=0x00 TTL=126 ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=30
Feb 14 11:47:40 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=72 TOS=0x00 PREC=0x00 TTL=126 ID=812 PROTO=UDP SPT=1025 DPT=53 LEN=52
where the machine 192.168.2.200 is locked and cannot work with the DNS (port
53) specified. But if I try to do an iptables-save, I get the following:
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
that should accept each connection from a host of the 192.168.2.0 network to
the specified DNS server. The same thing occurs for other machines.
The following is a complete dump of the iptables-save command; do you have any
idea about how to fix this problem?
firewall:~ # iptables-save
# Generated by iptables-save v1.2.8 on Tue Feb 15 12:08:25 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [160:11248]
:drop-and-log-it - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p udp -m udp --dport 110 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p udp -m udp --dport 25 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 54681 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -p udp -m udp --dport 54681 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 217.55.134.22 -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.78 -i eth1 -p tcp -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.2 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -d 217.58.77.224/255.255.255.240 -i eth1 -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 217.58.77.224/255.255.255.240 -i eth1 -p udp -m udp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.84.1 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -j drop-and-log-it
-A INPUT -d 192.168.2.7 -i eth1 -p icmp -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p tcp -m tcp --sport 21 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p udp -m udp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p udp -m udp --sport 21 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p udp -m udp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p udp -m udp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j drop-and-log-it
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p udp -m udp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 6881,6882,6883,6884,6885,6886,6887,muse,6889,kazaa -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports 6881,6882,6883,6884,6885,6886,6887,muse,6889,kazaa -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m multiport --dports gnutella-svc,gnutella-rtr -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports gnutella-svc,gnutella-rtr -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports 4711,4665,kar2ouche,rfa,4662,http-alt,9955 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 4242:4299 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m udp --dport 4242:4299 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 6881:6999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m udp --dport 6881:6999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth1 -o eth1 -p tcp -m tcp --dport 54681 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth1 -o eth1 -p udp -m udp --dport 54681 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.4.0/255.255.255.0 -i eth1 -o eth1 -p tcp -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.4.0/255.255.255.0 -i eth1 -o eth1 -p udp -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 217.55.134.22 -i eth1 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.78 -i eth1 -o eth1 -p tcp -j ACCEPT
-A FORWARD -i eth1 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.7 -i eth1 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -j drop-and-log-it
-A OUTPUT -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -o eth1 -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.4.0/255.255.255.0 -p tcp -j ACCEPT
-A OUTPUT -d 192.168.4.0/255.255.255.0 -p udp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.2.7 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -s 192.168.2.7 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth1 -j drop-and-log-it
-A OUTPUT -s 192.168.2.7 -o eth1 -j ACCEPT
-A OUTPUT -j drop-and-log-it
-A drop-and-log-it -j LOG --log-prefix "PUPPUFIREWALL" --log-level info
-A drop-and-log-it -j DROP
COMMIT
# Completed on Tue Feb 15 12:08:26 2005
# Generated by iptables-save v1.2.8 on Tue Feb 15 12:08:26 2005
*nat
:PREROUTING ACCEPT [132819:9929714]
:POSTROUTING ACCEPT [366:23571]
:OUTPUT ACCEPT [574:72057]
-A PREROUTING -s 192.168.2.0/255.255.255.0 -d ! 192.168.2.7 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.2.7
COMMIT
# Completed on Tue Feb 15 12:08:26 2005
Luca
--
Luca Ferrari,
fluca1978@infinito.it
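Working through the question above as an added example (this checker is not part of the original post, nor of iptables itself): the script below takes the first LOG line and the FORWARD rules quoted in the message and evaluates the chain the way netfilter does, first match wins, with the -m state rule not matching a NEW packet. Run on the logged packet it ends at the trailing -j drop-and-log-it, because none of the FORWARD ACCEPT rules for port 53 names 217.97.32.2 (the dump lists 212.97.32.2, 151.99.250.2 and 195.223.145.5 as DNS destinations); with the destination changed to 212.97.32.2 the same packet is accepted by the UDP port 53 rule. The glued "PUPPUFIREWALLIN=eth1" in the log also shows that the --log-prefix has no trailing space, which the parser allows for. The rule subset, the function names and the treatment of a user-chain jump as the verdict are assumptions made for this example; the multiport, P2P, mail and FTP rules are left out because none of them can match a UDP packet to port 53, so the verdict for this packet is unchanged.

```python
import ipaddress
import shlex

# Constructed input: the first LOG line and the FORWARD rules quoted in the
# message above, in their original order (rules that cannot match UDP/53
# are omitted; this is an assumption of the example, not a full ruleset).
LOG_LINE = ("Feb 14 11:45:52 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 "
            "SRC=192.168.2.200 DST=217.97.32.2 LEN=50 TOS=0x00 PREC=0x00 "
            "TTL=126 ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=30")

FORWARD_RULES = [
    "-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT",
    "-A FORWARD -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT",
    "-A FORWARD -i eth1 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 192.168.2.7 -i eth1 -o eth1 -j ACCEPT",
    "-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT",
    "-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT",
    "-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT",
    "-A FORWARD -j drop-and-log-it",
]


def parse_log(line):
    """Turn an iptables LOG line into a dict of its KEY=value fields.
    When --log-prefix has no trailing space the kernel glues it to the first
    field (the page's 'PUPPUFIREWALLIN=eth1'), so anchor on 'IN=' instead of
    trusting token boundaries. The first LEN (IP total length) is kept."""
    fields = {}
    for tok in line[line.index("IN="):].split():
        key, _, val = tok.partition("=")
        fields.setdefault(key, val)
    return fields


def parse_rule(text):
    """Parse the subset of iptables-save syntax used in the page's ruleset.
    Match-extension loaders (-m) and target options carry no packet
    criteria and are skipped."""
    toks = shlex.split(text)
    rule = {}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):
            negate = toks[i + 1] == "!"          # old '-d ! addr' spelling
            if negate:
                i += 1
            rule[t] = (ipaddress.ip_network(toks[i + 1], strict=False), negate)
            i += 2
        elif t in ("-A", "-i", "-o", "-p", "-j"):
            rule[t] = toks[i + 1].lower() if t == "-p" else toks[i + 1]
            i += 2
        elif t in ("--dport", "--sport"):
            lo, _, hi = toks[i + 1].partition(":")
            rule[t] = (int(lo), int(hi or lo))   # single port or lo:hi range
            i += 2
        elif t == "--state":
            rule[t] = set(toks[i + 1].split(","))
            i += 2
        else:
            i += 1
    return rule


def rule_matches(rule, pkt, state):
    """Every criterion present in the rule must hold; absent ones match."""
    if "-i" in rule and rule["-i"] != pkt.get("IN"):
        return False
    if "-o" in rule and rule["-o"] != pkt.get("OUT"):
        return False
    if "-p" in rule and rule["-p"] != pkt["PROTO"].lower():
        return False
    for flag, key in (("-s", "SRC"), ("-d", "DST")):
        if flag in rule:
            net, negate = rule[flag]
            if (ipaddress.ip_address(pkt[key]) in net) == negate:
                return False
    for flag, key in (("--dport", "DPT"), ("--sport", "SPT")):
        if flag in rule and not rule[flag][0] <= int(pkt[key]) <= rule[flag][1]:
            return False
    if "--state" in rule and state not in rule["--state"]:
        return False
    return True


def verdict(pkt, rules=FORWARD_RULES, state="NEW"):
    """First-match walk of a chain: (target, rule text) of the first rule whose
    criteria all hold, or ('POLICY', None) if the packet falls off the end.
    A jump to a user chain is reported as the verdict; drop-and-log-it in the
    page's dump ends in DROP, so for this ruleset that is the packet's fate."""
    for text in rules:
        rule = parse_rule(text)
        if rule_matches(rule, pkt, state):
            return rule["-j"], text
    return "POLICY", None


if __name__ == "__main__":
    pkt = parse_log(LOG_LINE)
    print("logged packet  :", verdict(pkt))
    # Same packet with the DNS address the ACCEPT rules were written for.
    print("to 212.97.32.2 :", verdict(dict(pkt, DST="212.97.32.2")))
```

The same walk can be pointed at the INPUT chain from the dump, or at any LOG line from /var/log/messages, to see which rule a logged packet fell through to; giving --log-prefix a trailing space ("PUPPUFIREWALL ") makes the kernel's output parse cleanly without the IN= search.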
Thread overview: 9+ messages
2005-02-15 8:27 Luca Ferrari [this message]
-- strict thread matches above, loose matches on Subject: below --
2005-02-15 10:30 iptables problem Your Name
2005-02-15 10:39 ` Luca Ferrari
2005-02-15 20:09 ` Andreas Unterkircher
2005-02-15 20:25 ` Adrian C.
2005-02-16 8:17 ` Luca Ferrari
2005-02-17 18:45 Your Name
2005-02-17 19:28 ` Adam Lang
2005-02-18 8:45 ` Luca Ferrari