linux-admin.vger.kernel.org archive mirror
* iptables problem
@ 2005-02-15  8:27 Luca Ferrari
  0 siblings, 0 replies; 9+ messages in thread
From: Luca Ferrari @ 2005-02-15  8:27 UTC (permalink / raw)
  To: linux-admin

Hi,
I've a problem with iptables on a machine which is a firewall. The logs 
report the following:

firewall:~ # grep 192.168.2.200 /var/log/messages | grep DPT=53
Feb 14 11:45:52 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=50 TOS=0x00 PREC=0x00 TTL=126 ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=30
Feb 14 11:47:40 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=72 TOS=0x00 PREC=0x00 TTL=126 ID=812 PROTO=UDP SPT=1025 DPT=53 LEN=52

where the machine 192.168.2.200 is locked and cannot work with the DNS (port 
53) specified. But if I do an iptables-save, I get the following:

-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT

which should accept each connection from a host of the 192.168.2.0 network to 
the specified DNS server. The same thing occurs for other machines.

The following is a complete dump of the iptables-save command, do you have any 
idea about how to fix this problem?

firewall:~ # iptables-save
# Generated by iptables-save v1.2.8 on Tue Feb 15 12:08:25 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [160:11248]
:drop-and-log-it - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p udp -m udp --dport 110 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p udp -m udp --dport 25 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 54681 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -p udp -m udp --dport 54681 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 217.55.134.22 -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.78 -i eth1 -p tcp -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.2 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -d 217.58.77.224/255.255.255.240 -i eth1 -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 217.58.77.224/255.255.255.240 -i eth1 -p udp -m udp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.84.1 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -j drop-and-log-it
-A INPUT -d 192.168.2.7 -i eth1 -p icmp -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p tcp -m tcp --sport 21 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p udp -m udp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p udp -m udp --sport 21 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p udp -m udp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p udp -m udp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j drop-and-log-it
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p udp -m udp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 6881,6882,6883,6884,6885,6886,6887,muse,6889,kazaa -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports 6881,6882,6883,6884,6885,6886,6887,muse,6889,kazaa -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m multiport --dports gnutella-svc,gnutella-rtr -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports gnutella-svc,gnutella-rtr -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports 4711,4665,kar2ouche,rfa,4662,http-alt,9955 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 4242:4299 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m udp --dport 4242:4299 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 6881:6999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m udp --dport 6881:6999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth1 -o eth1 -p tcp -m tcp --dport 54681 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth1 -o eth1 -p udp -m udp --dport 54681 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.4.0/255.255.255.0 -i eth1 -o eth1 -p tcp -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.4.0/255.255.255.0 -i eth1 -o eth1 -p udp -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 217.55.134.22 -i eth1 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.78 -i eth1 -o eth1 -p tcp -j ACCEPT
-A FORWARD -i eth1 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.7 -i eth1 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -j drop-and-log-it
-A OUTPUT -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -o eth1 -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.4.0/255.255.255.0 -p tcp -j ACCEPT
-A OUTPUT -d 192.168.4.0/255.255.255.0 -p udp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.2.7 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -s 192.168.2.7 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth1 -j drop-and-log-it
-A OUTPUT -s 192.168.2.7 -o eth1 -j ACCEPT
-A OUTPUT -j drop-and-log-it
-A drop-and-log-it -j LOG --log-prefix "PUPPUFIREWALL" --log-level info
-A drop-and-log-it -j DROP
COMMIT
# Completed on Tue Feb 15 12:08:26 2005
# Generated by iptables-save v1.2.8 on Tue Feb 15 12:08:26 2005
*nat
:PREROUTING ACCEPT [132819:9929714]
:POSTROUTING ACCEPT [366:23571]
:OUTPUT ACCEPT [574:72057]
-A PREROUTING -s 192.168.2.0/255.255.255.0 -d ! 192.168.2.7 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.2.7
COMMIT
# Completed on Tue Feb 15 12:08:26 2005


Luca

-- 
Luca Ferrari,
fluca1978@infinito.it

^ permalink raw reply	[flat|nested] 9+ messages in thread
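A detail the thread never picks up: the dropped packets in the log are going to 217.97.32.2, while the ACCEPT rules in the dump only name 212.97.32.2, 151.99.250.2 and 195.223.145.5 as DNS servers (217 versus 212 in the first octet). Both IN= and OUT= are set in the log lines, so the packets were dropped in the FORWARD chain, where nothing matches a first UDP packet from 192.168.2.200 to 217.97.32.2 before the final `-A FORWARD -j drop-and-log-it`; the dump does have a udp/53 rule for 212.97.32.2, so only the address differs. Either the client's resolver configuration or the rule carries the wrong server address. Two smaller things from the same dump: `--log-prefix "PUPPUFIREWALL"` has no trailing space, which is why the prefix runs together with `IN=` in the messages file, and `iptables -L -n` (as requested later in the thread) hides the -i/-o interface columns unless `-v` is added, so iptables-save output is the better thing to debug from.

The Python script below is an added example, not anything posted in the thread. It replays kernel LOG lines against a FORWARD chain parsed from iptables-save format, reports which rule catches each packet (first match wins, as in the kernel) and lists the ACCEPT rules that would have matched if only the destination differed. It understands only the matches used on this page (-s, -d, -i, -o, -p, --dport, --state) and treats a logged packet as a first packet with no conntrack entry; the rules and log lines embedded in it are a trimmed copy of the posted ones, used as constructed sample input.

```python
# Added example (not from the thread): replay kernel LOG lines against the FORWARD
# chain of an iptables-save dump. Only -s, -d, -i, -o, -p, --dport and --state are
# understood; other options are skipped, and a logged packet counts as a first packet.
import ipaddress
import re
import shlex

# Trimmed copy of the posted FORWARD chain (constructed sample input).
SAMPLE_RULES = """
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -p udp -m udp --dport 6881:6999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.7 -i eth1 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j drop-and-log-it
"""
# The two kernel LOG lines from the post (sample input). The "PUPPUFIREWALL"
# prefix has no trailing space, so it runs straight into "IN=".
SAMPLE_LOG = """
Feb 14 11:45:52 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=50 TOS=0x00 PREC=0x00 TTL=126 ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=30
Feb 14 11:47:40 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=72 TOS=0x00 PREC=0x00 TTL=126 ID=812 PROTO=UDP SPT=1025 DPT=53 LEN=52
"""
LOG_RE = re.compile(r"IN=(\S*) OUT=(\S*) SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) .*?DPT=(\d+)")

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of match criteria plus target."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "target": None, "states": None}
    i = 2
    while i < len(toks):
        opt, negated, val = toks[i], False, None
        if i + 1 < len(toks) and toks[i + 1] == "!":          # e.g. "-d ! 192.168.2.7"
            negated, i = True, i + 1
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            val, i = toks[i + 1], i + 1
        if opt in ("-s", "-d"):            # host, a.b.c.d/24 or a.b.c.d/255.255.255.0
            rule[opt] = (negated, ipaddress.ip_network(val, strict=False))
        elif opt in ("-i", "-o"):
            rule[opt] = val
        elif opt == "-p":
            rule[opt] = val.lower()
        elif opt == "--dport":             # "53" or "6881:6999"
            lo, _, hi = val.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif opt == "--state":
            rule["states"] = set(val.split(","))
        elif opt == "-j":
            rule["target"] = val
        i += 1
    return rule

def parse_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.startswith("-A ")]

def parse_log(text):
    """Pull the fields a FORWARD rule can match out of each kernel LOG line."""
    pkts = []
    for m in filter(None, map(LOG_RE.search, text.strip().splitlines())):
        i, o, s, d, p, dp = m.groups()
        pkts.append({"in": i, "out": o, "src": s, "dst": d, "proto": p.lower(), "dport": int(dp)})
    return pkts

def rule_matches(rule, pkt):
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and (ipaddress.ip_address(pkt[key]) in rule[opt][1]) == rule[opt][0]:
            return False                   # outside the net (or inside a negated one)
    for opt, key in (("-i", "in"), ("-o", "out")):
        if opt in rule and rule[opt] != pkt[key]:
            return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "dport" in rule and not rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]:
        return False
    if rule["states"] is not None and "NEW" not in rule["states"]:
        return False                       # first packet: not RELATED/ESTABLISHED yet
    return True

def first_match(rules, pkt, chain="FORWARD"):
    """Index and rule of the first match in the chain, as the kernel evaluates it."""
    for idx, rule in enumerate(rules):
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return idx, rule
    return None, None

def near_misses(rules, pkt, chain="FORWARD"):
    """ACCEPT rules that would match this packet if only their -d were different."""
    return [r for r in rules
            if r["chain"] == chain and r["target"] == "ACCEPT" and "-d" in r
            and not rule_matches(r, pkt)
            and rule_matches({k: v for k, v in r.items() if k != "-d"}, pkt)]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for pkt in parse_log(SAMPLE_LOG):
        idx, rule = first_match(rules, pkt)
        print(f"{pkt['src']} -> {pkt['dst']} {pkt['proto']}/{pkt['dport']}: rule #{idx} {rule['target']}")
        for r in near_misses(rules, pkt):
            print(f"  would ACCEPT if the destination were {r['-d'][1]}")
```

Run as-is it reports both logged packets hitting rule #6 (drop-and-log-it) and lists the udp/53 rule for 212.97.32.2 (together with the generic 192.168.0.0/16 rule) as what would have accepted them with a different destination. To check a real box, feed the `-A FORWARD` lines of `iptables-save` to parse_rules and the PUPPUFIREWALL lines from /var/log/messages to parse_log; ICMP log lines carry no DPT= and are skipped.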

* Re: iptables problem
@ 2005-02-15 10:30 Your Name
  2005-02-15 10:39 ` Luca Ferrari
  0 siblings, 1 reply; 9+ messages in thread
From: Your Name @ 2005-02-15 10:30 UTC (permalink / raw)
  To: fluca1978, linux-admin



> Hi,
> I've a problem with iptables on a machine which is a firewall. The logs
> report the following:
> 
> firewall:~ # grep 192.168.2.200 /var/log/messages | grep DPT=53
> Feb 14 11:45:52 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=50 TOS=0x00 PREC=0x00 TTL=126 ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=30
> Feb 14 11:47:40 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=72 TOS=0x00 PREC=0x00 TTL=126 ID=812 PROTO=UDP SPT=1025 DPT=53 LEN=52
> 
> where the machine 192.168.2.200 is locked and cannot work with the DNS (port
> 53) specified. But if I do an iptables-save, I get the following:
> 
> -A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
> 


The input interface and output interface are the same, eth1, whereas it 
should have been -i eth0 -o eth1. Match your interface numbers and it 
should work.

Regards



* Re: iptables problem
  2005-02-15 10:30 Your Name
@ 2005-02-15 10:39 ` Luca Ferrari
  2005-02-15 20:09   ` Andreas Unterkircher
  0 siblings, 1 reply; 9+ messages in thread
From: Luca Ferrari @ 2005-02-15 10:39 UTC (permalink / raw)
  To: linux-admin

On Tuesday 15 February 2005 11:30 Your Name's cat walking on the keyboard  
wrote:

>
> The input interface and output interface are the same, eth1, whereas it
> should have been -i eth0 -o eth1. Match your interface numbers and it
> should work.
>

No, that's right since the machine is, temporarily, working with a single 
interface. In other words, eth1 is now the incoming/outgoing interface.

Luca


-- 
Luca Ferrari,
fluca1978@infinito.it


* Re: iptables problem
  2005-02-15 10:39 ` Luca Ferrari
@ 2005-02-15 20:09   ` Andreas Unterkircher
  2005-02-15 20:25     ` Adrian C.
  2005-02-16  8:17     ` Luca Ferrari
  0 siblings, 2 replies; 9+ messages in thread
From: Andreas Unterkircher @ 2005-02-15 20:09 UTC (permalink / raw)
  To: linux-admin; +Cc: fluca1978

As far as I can see and understand your intent, you are only forwarding 
(FORWARD chain) the internal requests to the external interface.
Since private networks (10/8, 172.16/16, 192.168/24) are not routed in 
the public internet you have to masquerade (NAT) the outgoing
requests, so they don't contain the internal IPs anymore:

-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -o eth1 -p tcp -m tcp --dport 53 -j SNAT --to $YOUR_EXTERNAL_IP_IN_THE_INTERNET


Luca Ferrari wrote:

>On Tuesday 15 February 2005 11:30 Your Name's cat walking on the keyboard
>wrote:
>
>>The input interface and output interface are the same, eth1, whereas it
>>should have been -i eth0 -o eth1. Match your interface numbers and it
>>should work.
>>
>
>No, that's right since the machine is, temporarily, working with a single
>interface. In other words, eth1 is now the incoming/outgoing interface.
>
>Luca
>


* Re: iptables problem
  2005-02-15 20:09   ` Andreas Unterkircher
@ 2005-02-15 20:25     ` Adrian C.
  2005-02-16  8:17     ` Luca Ferrari
  1 sibling, 0 replies; 9+ messages in thread
From: Adrian C. @ 2005-02-15 20:25 UTC (permalink / raw)
  To: Andreas Unterkircher; +Cc: linux-admin, fluca1978

Luca, please paste your iptables -L -n output here. It's much easier to follow.

--Adrian.


On Tue, 15 Feb 2005 21:09:45 +0100, Andreas Unterkircher
<unki@netshadow.at> wrote:
> As far as I can see and understand your intent, you are only forwarding
> (FORWARD chain) the internal requests to the external interface.
> Since private networks (10/8, 172.16/16, 192.168/24) are not routed in
> the public internet you have to masquerade (NAT) the outgoing
> requests, so they don't contain the internal IPs anymore:
> 
> -A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -o eth1 -p tcp -m tcp --dport 53 -j SNAT --to $YOUR_EXTERNAL_IP_IN_THE_INTERNET
> 
> 
> Luca Ferrari wrote:
> 
> >On Tuesday 15 February 2005 11:30 Your Name's cat walking on the keyboard
> >wrote:
> >
> >>The input interface and output interface are the same, eth1, whereas it
> >>should have been -i eth0 -o eth1. Match your interface numbers and it
> >>should work.
> >>
> >
> >No, that's right since the machine is, temporarily, working with a single
> >interface. In other words, eth1 is now the incoming/outgoing interface.
> >
> >Luca
> >


* Re: iptables problem
  2005-02-15 20:09   ` Andreas Unterkircher
  2005-02-15 20:25     ` Adrian C.
@ 2005-02-16  8:17     ` Luca Ferrari
  1 sibling, 0 replies; 9+ messages in thread
From: Luca Ferrari @ 2005-02-16  8:17 UTC (permalink / raw)
  To: linux-admin

On Tuesday 15 February 2005 21:09 Andreas Unterkircher's cat walking on the 
keyboard  wrote:

> As far as I can see and understand your intent, you are only forwarding
> (FORWARD chain) the internal requests to the external interface.
> Since private networks (10/8, 172.16/16, 192.168/24) are not routed in
> the public internet you have to masquerade (NAT) the outgoing
> requests, so they don't contain the internal IPs anymore:
>
> -A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -o eth1
> -p tcp -m tcp --dport 53 -j SNAT --to $YOUR_EXTERNAL_IP_IN_THE_INTERNET
>

I'm not sure of what you're saying, since the machine goes on the internet 
through an ADSL router, which performs NAT by itself, so the firewall, as long as 
I use eth1 both as internal and external interface, will only forward 
requests to the ADSL router. However, here is the output of iptables -L -n:

firewall:~ # iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       192.168.2.0/24
ACCEPT     all  --  192.168.2.7          0.0.0.0/0
ACCEPT     tcp  --  192.168.2.0/24       212.97.32.2        tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       212.97.32.2        udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       151.99.250.2       tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       151.99.250.2       udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       195.223.145.5      tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       195.223.145.5      udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.15      tcp dpt:110
ACCEPT     udp  --  192.168.2.0/24       192.106.77.15      udp dpt:110
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.15      tcp dpt:25
ACCEPT     udp  --  192.168.2.0/24       192.106.77.15      udp dpt:25
ACCEPT     tcp  --  192.168.2.0/24       0.0.0.0/0          tcp dpt:54681
ACCEPT     udp  --  192.168.2.0/24       0.0.0.0/0          udp dpt:54681
ACCEPT     tcp  --  192.168.2.0/24       217.55.134.22      tcp dpt:21
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.78
ACCEPT     tcp  --  192.168.2.0/24       192.168.2.7        tcp dpt:8080
ACCEPT     udp  --  192.168.2.0/24       192.168.2.7        udp dpt:8080
ACCEPT     tcp  --  192.168.2.0/24       192.168.2.7        tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       192.168.2.7        udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       192.168.2.7        tcp dpts:137:139
ACCEPT     udp  --  192.168.2.0/24       192.168.2.7        udp dpts:137:139
ACCEPT     tcp  --  192.168.2.0/24       192.168.2.7        tcp dpt:445
ACCEPT     udp  --  192.168.2.0/24       192.168.2.7        udp dpt:445
ACCEPT     tcp  --  192.168.2.2          192.168.2.7        tcp dpt:23
REJECT     tcp  --  0.0.0.0/0            217.58.77.224/28   tcp dpt:23 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            217.58.77.224/28   udp dpt:23 reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.84.1         192.168.2.7        tcp dpt:23
drop-and-log-it  all  --  192.168.2.0/24       0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            192.168.2.7
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.7        state NEW,RELATED,ESTABLISHED tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.7        tcp spts:1024:65535 dpt:21
ACCEPT     tcp  --  192.168.2.7          0.0.0.0/0          tcp spt:21 dpts:1024:65535
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.7        tcp spts:1024:65535 dpt:20
ACCEPT     tcp  --  192.168.2.7          0.0.0.0/0          tcp spt:20 dpts:1024:65535
ACCEPT     udp  --  0.0.0.0/0            192.168.2.7        udp spts:1024:65535 dpt:21
ACCEPT     udp  --  192.168.2.7          0.0.0.0/0          udp spt:21 dpts:1024:65535
ACCEPT     udp  --  0.0.0.0/0            192.168.2.7        udp spts:1024:65535 dpt:20
ACCEPT     udp  --  192.168.2.7          0.0.0.0/0          udp spt:20 dpts:1024:65535
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            192.168.2.7        state RELATED,ESTABLISHED
drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:53 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:53 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:111 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:111 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       192.168.2.0/24
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          multiport dports 6881,6882,6883,6884,6885,6886,6887,6888,6889,1214 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          multiport dports 6881,6882,6883,6884,6885,6886,6887,6888,6889,1214 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          multiport dports 6346,6347 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          multiport dports 6346,6347 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          multiport dports 4711,4665,4661,4672,4662,8080,9955 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:4242:4299 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:4242:4299 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:6881:6999 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:6881:6999 reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.2.0/24       0.0.0.0/0          tcp dpt:54681
ACCEPT     udp  --  192.168.2.0/24       0.0.0.0/0          udp dpt:54681
ACCEPT     tcp  --  192.168.2.0/24       192.168.4.0/24
ACCEPT     udp  --  192.168.2.0/24       192.168.4.0/24
ACCEPT     tcp  --  192.168.2.0/24       217.55.134.22      tcp dpt:21
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.78
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.2.7          0.0.0.0/0
ACCEPT     tcp  --  192.168.2.0/24       212.97.32.2        tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       212.97.32.2        udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       151.99.250.2       tcp dpt:53
ACCEPT     udp  --  192.168.2.0/24       151.99.250.2       udp dpt:53
ACCEPT     udp  --  192.168.2.0/24       195.223.145.5      udp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       195.223.145.5      tcp dpt:53
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.15      tcp dpt:110
ACCEPT     udp  --  192.168.2.0/24       192.106.77.15      udp dpt:110
ACCEPT     tcp  --  192.168.2.0/24       192.106.77.15      tcp dpt:25
ACCEPT     udp  --  192.168.2.0/24       192.106.77.15      udp dpt:25
ACCEPT     tcp  --  192.168.2.0/24       85.33.98.138       tcp dpt:110
ACCEPT     udp  --  192.168.2.0/24       85.33.98.138       udp dpt:110
ACCEPT     tcp  --  192.168.2.0/24       85.33.98.138       tcp dpt:25
ACCEPT     udp  --  192.168.2.0/24       85.33.98.138       udp dpt:25
ACCEPT     tcp  --  192.168.2.0/24       85.33.98.138       tcp dpt:25
ACCEPT     udp  --  192.168.2.0/24       85.33.98.138       udp dpt:25
ACCEPT     tcp  --  192.168.2.0/24       151.4.29.163       tcp dpt:110
ACCEPT     udp  --  192.168.2.0/24       151.4.29.163       udp dpt:110
ACCEPT     tcp  --  192.168.2.0/24       151.4.29.163       tcp dpt:25
ACCEPT     udp  --  192.168.2.0/24       151.4.29.163       udp dpt:25
drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       192.168.2.0/24
ACCEPT     tcp  --  0.0.0.0/0            192.168.4.0/24
ACCEPT     udp  --  0.0.0.0/0            192.168.4.0/24
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.2.7          192.168.2.0/24
ACCEPT     all  --  192.168.2.7          192.168.2.0/24
drop-and-log-it  all  --  0.0.0.0/0            192.168.2.0/24
ACCEPT     all  --  192.168.2.7          0.0.0.0/0
drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (5 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `PUPPUFIREWALL'
DROP       all  --  0.0.0.0/0            0.0.0.0/0
firewall:~ #


Any idea?

Luca

-- 
Luca Ferrari,
fluca1978@infinito.it


* Re: iptables problem
@ 2005-02-17 18:45 Your Name
  2005-02-17 19:28 ` Adam Lang
  2005-02-18  8:45 ` Luca Ferrari
  0 siblings, 2 replies; 9+ messages in thread
From: Your Name @ 2005-02-17 18:45 UTC (permalink / raw)
  To: fluca1978, linux-admin

> I'm not sure of what you're saying, since the machine goes on the internet
> through an ADSL router, which performs NAT by itself, so the firewall, as long as
> I use eth1 both as internal and external interface, will only forward
> requests to the ADSL router. However, here is the output of iptables -L -n:
> 

ip_forwarding shall only work with two LAN cards; no setup shall work
as a firewall with one network interface.

I never tried aliasing either (eth1:0, eth1:1), but what sense would it make even
if it works? The firewall should be between two networks.

Regards
Yayati.



* Re: iptables problem
  2005-02-17 18:45 iptables problem Your Name
@ 2005-02-17 19:28 ` Adam Lang
  2005-02-18  8:45 ` Luca Ferrari
  1 sibling, 0 replies; 9+ messages in thread
From: Adam Lang @ 2005-02-17 19:28 UTC (permalink / raw)
  To: linux-admin

That isn't exactly true.  If he is just trying to firewall traffic from the
firewall box, then you would only have one ethernet card.

Meaning, he has one computer hooked up to the ADSL line and that computer has
the firewall set up on it.  There are no other computers on the network.

----- Original Message ----- 
From: "Your Name" <yayati@skinternational.com>
To: <fluca1978@infinito.it>; <linux-admin@vger.kernel.org>
Sent: Thursday, February 17, 2005 1:45 PM
Subject: Re: iptables problem


>
> ip_forwarding shall only work with two LAN cards; no setup shall work
> as a firewall with one network interface.
>
> I never tried aliasing either (eth1:0, eth1:1), but what sense would it make even
> if it works? The firewall should be between two networks.
>
> Regards
> Yayati.
>



* Re: iptables problem
  2005-02-17 18:45 iptables problem Your Name
  2005-02-17 19:28 ` Adam Lang
@ 2005-02-18  8:45 ` Luca Ferrari
  1 sibling, 0 replies; 9+ messages in thread
From: Luca Ferrari @ 2005-02-18  8:45 UTC (permalink / raw)
  To: linux-admin

On Thursday 17 February 2005 19:45 Your Name's cat walking on the keyboard  
wrote:

> > I'm not sure of what you're saying, since the machine goes on the internet
> > through an ADSL router, which performs NAT by itself, so the firewall, as long as
> > I use eth1 both as internal and external interface, will only forward
> > requests to the ADSL router. However, here is the output of iptables -L -n:
>
> ip_forwarding shall only work with two LAN cards; no setup shall work
> as a firewall with one network interface.
>

That's not true, since I was working (thanks to suggestions of this mailing 
list) with a single network interface. Now that I tried it, it's working in 
the right way (i.e., with two network cards), but even with one it was 
working.

Luca
-- 
Luca Ferrari,
fluca1978@infinito.it

