From: Luca Ferrari <fluca1978@infinito.it>
To: linux-admin@vger.kernel.org
Subject: Re: iptables problem
Date: Wed, 16 Feb 2005 09:17:01 +0100
Message-ID: <200502160917.01150.fluca1978@infinito.it>
In-Reply-To: <42125709.8020204@netshadow.at>
On Tuesday 15 February 2005 21:09 Andreas Unterkircher's cat walking on the
keyboard wrote:
> As far as I can see and understand your intent, you are only forwarding
> (FORWARD-Chain) the internal request to the external interfaces.
> Since private networks (10/8, 172.16/16, 192.168/24) are not routed in
> the public internet you have to masquerade (NAT) the outgoing
> request, so it doesn't contain the internal IPs anymore:
>
> -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -o eth1
> -p tcp -m tcp --dport 53 -j SNAT --to $YOUR_EXTERNAL_IP_IN_THE_INTERNET
>
I'm not sure what you mean, since the machine goes on the internet
through an ADSL router that performs NAT by itself, so the firewall, as long as
I use eth1 both as internal and external interface, will only forward
requests to the ADSL router. However, here is the output of iptables
-L -n:
firewall:~ # iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.2.0/24 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 192.168.2.0/24
ACCEPT all -- 192.168.2.7 0.0.0.0/0
ACCEPT tcp -- 192.168.2.0/24 212.97.32.2 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 212.97.32.2 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 151.99.250.2 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 151.99.250.2 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 195.223.145.5 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 195.223.145.5 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 192.106.77.15 tcp dpt:110
ACCEPT udp -- 192.168.2.0/24 192.106.77.15 udp dpt:110
ACCEPT tcp -- 192.168.2.0/24 192.106.77.15 tcp dpt:25
ACCEPT udp -- 192.168.2.0/24 192.106.77.15 udp dpt:25
ACCEPT tcp -- 192.168.2.0/24 0.0.0.0/0 tcp dpt:54681
ACCEPT udp -- 192.168.2.0/24 0.0.0.0/0 udp dpt:54681
ACCEPT tcp -- 192.168.2.0/24 217.55.134.22 tcp dpt:21
ACCEPT tcp -- 192.168.2.0/24 192.106.77.78
ACCEPT tcp -- 192.168.2.0/24 192.168.2.7 tcp dpt:8080
ACCEPT udp -- 192.168.2.0/24 192.168.2.7 udp dpt:8080
ACCEPT tcp -- 192.168.2.0/24 192.168.2.7 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 192.168.2.7 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 192.168.2.7 tcp dpts:137:139
ACCEPT udp -- 192.168.2.0/24 192.168.2.7 udp dpts:137:139
ACCEPT tcp -- 192.168.2.0/24 192.168.2.7 tcp dpt:445
ACCEPT udp -- 192.168.2.0/24 192.168.2.7 udp dpt:445
ACCEPT tcp -- 192.168.2.2 192.168.2.7 tcp dpt:23
REJECT tcp -- 0.0.0.0/0 217.58.77.224/28 tcp dpt:23 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 217.58.77.224/28 udp dpt:23 reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.84.1 192.168.2.7 tcp dpt:23
drop-and-log-it all -- 192.168.2.0/24 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 192.168.2.7
ACCEPT tcp -- 0.0.0.0/0 192.168.2.7 state NEW,RELATED,ESTABLISHED tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.2.7 tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 192.168.2.7 0.0.0.0/0 tcp spt:21 dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 192.168.2.7 tcp spts:1024:65535 dpt:20
ACCEPT tcp -- 192.168.2.7 0.0.0.0/0 tcp spt:20 dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 192.168.2.7 udp spts:1024:65535 dpt:21
ACCEPT udp -- 192.168.2.7 0.0.0.0/0 udp spt:21 dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 192.168.2.7 udp spts:1024:65535 dpt:20
ACCEPT udp -- 192.168.2.7 0.0.0.0/0 udp spt:20 dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22
ACCEPT all -- 0.0.0.0/0 192.168.2.7 state RELATED,ESTABLISHED
drop-and-log-it all -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.2.0/24 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 192.168.2.0/24
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6881,6882,6883,6884,6885,6886,6887,6888,6889,1214 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6881,6882,6883,6884,6885,6886,6887,6888,6889,1214 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6346,6347 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6346,6347 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 4711,4665,4661,4672,4662,8080,9955 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:4242:4299 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:4242:4299 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6999 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:6881:6999 reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.2.0/24 0.0.0.0/0 tcp dpt:54681
ACCEPT udp -- 192.168.2.0/24 0.0.0.0/0 udp dpt:54681
ACCEPT tcp -- 192.168.2.0/24 192.168.4.0/24
ACCEPT udp -- 192.168.2.0/24 192.168.4.0/24
ACCEPT tcp -- 192.168.2.0/24 217.55.134.22 tcp dpt:21
ACCEPT tcp -- 192.168.2.0/24 192.106.77.78
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.2.7 0.0.0.0/0
ACCEPT tcp -- 192.168.2.0/24 212.97.32.2 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 212.97.32.2 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 151.99.250.2 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 151.99.250.2 udp dpt:53
ACCEPT udp -- 192.168.2.0/24 195.223.145.5 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 195.223.145.5 tcp dpt:53
ACCEPT tcp -- 192.168.2.0/24 192.106.77.15 tcp dpt:110
ACCEPT udp -- 192.168.2.0/24 192.106.77.15 udp dpt:110
ACCEPT tcp -- 192.168.2.0/24 192.106.77.15 tcp dpt:25
ACCEPT udp -- 192.168.2.0/24 192.106.77.15 udp dpt:25
ACCEPT tcp -- 192.168.2.0/24 85.33.98.138 tcp dpt:110
ACCEPT udp -- 192.168.2.0/24 85.33.98.138 udp dpt:110
ACCEPT tcp -- 192.168.2.0/24 85.33.98.138 tcp dpt:25
ACCEPT udp -- 192.168.2.0/24 85.33.98.138 udp dpt:25
ACCEPT tcp -- 192.168.2.0/24 85.33.98.138 tcp dpt:25
ACCEPT udp -- 192.168.2.0/24 85.33.98.138 udp dpt:25
ACCEPT tcp -- 192.168.2.0/24 151.4.29.163 tcp dpt:110
ACCEPT udp -- 192.168.2.0/24 151.4.29.163 udp dpt:110
ACCEPT tcp -- 192.168.2.0/24 151.4.29.163 tcp dpt:25
ACCEPT udp -- 192.168.2.0/24 151.4.29.163 udp dpt:25
drop-and-log-it all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.2.0/24 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 192.168.2.0/24
ACCEPT tcp -- 0.0.0.0/0 192.168.4.0/24
ACCEPT udp -- 0.0.0.0/0 192.168.4.0/24
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.2.7 192.168.2.0/24
ACCEPT all -- 192.168.2.7 192.168.2.0/24
drop-and-log-it all -- 0.0.0.0/0 192.168.2.0/24
ACCEPT all -- 192.168.2.7 0.0.0.0/0
drop-and-log-it all -- 0.0.0.0/0 0.0.0.0/0
Chain drop-and-log-it (5 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `PUPPUFIREWALL'
DROP all -- 0.0.0.0/0 0.0.0.0/0
firewall:~ #
Any idea?
Luca
--
Luca Ferrari,
fluca1978@infinito.it
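Both INPUT and OUTPUT in the listing above open with `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0`, and since iptables stops at the first matching rule, every later rule in such a chain, and the chain's DROP policy, is unreachable; as an added example (not code from this thread), this Python script parses an `iptables -L -n` listing and reports those shadowed rules. It runs on a constructed excerpt modelled on the posted listing, and because `-L -n` hides interface matches (a rule restricted to `-i lo` prints identically), confirm with `iptables -L -n -v` or `iptables-save` before treating a hit as a real hole.

```python
import re

# Constructed excerpt in the shape of `iptables -L -n` output, modelled on the
# listing in the thread: INPUT and OUTPUT both open with an unconditional ACCEPT.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.2.0/24 192.168.0.0/16
drop-and-log-it all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
drop-and-log-it all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.2.7 192.168.2.0/24
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
drop-and-log-it all -- 0.0.0.0/0 0.0.0.0/0
Chain drop-and-log-it (3 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `PUPPUFIREWALL'
DROP all -- 0.0.0.0/0 0.0.0.0/0
"""
# Built-in chains print "(policy X)", user-defined ones "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")

def parse_listing(text):
    """Return {chain: (policy or None, [rule tokens, ...])}, skipping header rows."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif line.strip() and not line.startswith("target ") and current:
            chains[current][1].append(line.split())
    return chains

def is_catch_all_accept(rule):
    # ACCEPT for any protocol, source and destination with no further match.
    return rule == ["ACCEPT", "all", "--", "0.0.0.0/0", "0.0.0.0/0"]

def shadowed_rules(text):
    """Map each chain whose first catch-all ACCEPT hides later rules to their count."""
    findings = {}
    for chain, (_policy, rules) in parse_listing(text).items():
        for i, rule in enumerate(rules):
            if is_catch_all_accept(rule):
                findings[chain] = len(rules) - i - 1
                break
    return findings
```

A chain that appears in the result never reaches its logging rule or its DROP policy, so the `PUPPUFIREWALL` log entries only reflect traffic that gets past the catch-all, which here is none.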