Linux Netfilter discussions
 help / color / mirror / Atom feed
* IPTABLES PROBLEM
@ 2005-11-08 17:08 Micol lupen
  2005-11-08 18:56 ` Rob Sterenborg
  2005-11-08 19:08 ` /dev/rob0
  0 siblings, 2 replies; 41+ messages in thread
From: Micol lupen @ 2005-11-08 17:08 UTC (permalink / raw)
  To: netfilter

Hi guys, thanks for all.
I have this problem whith iptables:,   
Io gestisco una rete con 10 pc (indirizzo e'
I have a lan whit 10 pc (use win9X) and have ip
10.10.10.2 ecc..)
Tree days ago Telecom build in my farm the adsl (using
router adsl cisco )  
i wont to create a firewall and use natting for pc 
I build a pc whit Slackware 10.1 
and i do this script:
----Information LAN--------
eth0: 10.10.10.50 netmask 255.255.255.0 (ETHO IS
connected to switch ) 
eth1:178.133.80.74 netmask 255.255.255.248 (IP
STATIC,GIVE ME THIS IP FROM TELECOM )
gatway 78.133.80.73 netmask 255.255.255.248
(GATWAY IP, GIVE ME THIS FROM TELECOM )
 DNS 151.99.125.1 (DNS IP, GIVE ME FROM TELECOM )
------SCRIPT FOR ETHERNET
CONFIGURATION----------------


//ETHERNET INTERFACE file conf.ps
!/bin/bash
ifconfig eth0 10.10.10.50 netmask 255.255.255.0
ifconfig eth1 178.133.80.74 netmask 255.255.255.248
route add -net default gw 178.133.80.73 netmask
255.255.255.248 
# END SCRIPT CONF.PS

//--- I WRITE IN /etc/resolv.conf 
NAMESERVER=151.99.125.1

//--------FIREWALL SCRIPT firewall.ps

#!/bin/bash
IPTAB=iptables
NAMESERVER=151.99.125.1  
IPADD=178.133.80.74 


# IMPORTANT UTILITY 
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward 
echo 0 >
/proc/sys/net/ipv4/conf/all/accept_source_route 
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 >
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#CLEAR ALL
$IPTAB -F
$IPTAB -X
$IPTAB -Z
$IPTAB -t nat -F
$IPTAB -t nat -X
# DROP ALL
$IPTAB -P INPUT DROP
$IPTAB -P FORWARD DROP
$IPTAB -P OUTPUT  DROP

$IPTAB -A INPUT -i lo -j ACCEPT
$IPTAB -A OUTPUT -o lo -j ACCEPT 

# FROM LAN TO INTERNET  
$IPTAB -A INPUT -s 10.10.10.0/24 -i eth0 -j ACCEPT  
# FORWORDING
$IPTAB -A FORWARD -i eth0 -s 10.10.10.0/24 -j ACCEPT
$IPTAB -A FORWARD -i eth1 -d 10.10.10.0/24 -j ACCEPT
# QUERY DNS (SERVER-> CLIENT)
$IPTAB -A INPUT -i eth1 -p udp -s $NAMESERVER --sport
53 -m state --state ESTABLISHED -j ACCEPT
$IPTAB -A INPUT -i eth1 -p tcp -s $NAMESERVER --sport
53 -m state --state ESTABLISHED
#QUERY DNS (CLIENT-> SERVER)
$IPTAB -A OUTPUT -o eth1 -p udp -d $NAMESERVER --dport
53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTAB -A OUTPUT -o eth1 -p tcp -d $NAMESERVER --dport
53 -m state --state NEW,ESTABLISHED -j ACCEPT    
#HTTP E HTTPS
$IPTAB -A INPUT -i eth1 -p tcp --sport 80 -m state
--state ESTABLISHED -j ACCEPT
$IPTAB -A OUTPUT -o eth1 -p tcp --dport 80 -m state
--state NEW,ESTABLISHED -j ACCEPT 
$IPTAB -A INPUT -i eth1 -p tcp --sport 443 -m state
--state ESTABLISHED -j  ACCEPT
$IPTAB -A OUTPUT -o eth1 -p tcp --dport 443 -m state
--state NEW,ESTABLISHED -j ACCEPT
#NAT
$IPTAB -t nat -A POSTROUTING -o eth1 -s 10.10.10.0/24
-j SNAT --to $IPADD
 #fine

WHEN I START TO FIREWALL THE CLIENT CAN'T TO GO TO
INTERNET, HELP ME !!!!
P.S. excuse me for my bad english 
REGADS 
MICOL  
 

Grazie mille


	

	
		
___________________________________ 
Yahoo! Mail: gratis 1GB per i messaggi e allegati da 10MB 
http://mail.yahoo.it


^ permalink raw reply	[flat|nested] 41+ messages in thread
* iptables problem
@ 2008-09-05 11:12 Cam Bazz
  2008-09-05 12:39 ` Matt Zagrabelny
  2008-09-05 15:35 ` Grant Taylor
  0 siblings, 2 replies; 41+ messages in thread
From: Cam Bazz @ 2008-09-05 11:12 UTC (permalink / raw)
  To: netfilter

Hello

I am running a glassfish server and I need the basic requirement of
forwarding port 80 to port 8080. Here is what I have done: (I put
1.1.1.1 instead of my real ip adress.)

#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT;
iptables -A INPUT --destination 1.1.1.1/32 -p tcp --dport 8080 -m
conntrack --ctstate DNAT -j ACCEPT;
iptables -t nat -A PREROUTING -d 1.1.1.1/32 -p tcp --dport 80 -j
REDIRECT --to-port 8080;
iptables -A INPUT -j DROP;
iptables -I INPUT 1 -i lo -j ACCEPT;
#


it works fine. but here is the problem. I added another ip address
with ip aliasing and now I got eth0:1.

I want to run apache on port 80 on this ip.

but no matter what I tried, I could not modify the rules so packets
coming to eth0:1 port80 do not go to port 8080 on eth0. currently all
packets routed to eth0:1 port80 goes to eth0 port 8080.

any ideas/recomendations/help greatly appreciated.

Best regards,
-C.B.

^ permalink raw reply	[flat|nested] 41+ messages in thread
* IPtables problem
@ 2007-10-06 16:28 Per Jørgensen
  2007-10-06 18:25 ` Pascal Hambourg
  0 siblings, 1 reply; 41+ messages in thread
From: Per Jørgensen @ 2007-10-06 16:28 UTC (permalink / raw)
  To: netfilter

Hej List.

I have a problem wit my Firewall - That is build upon Soekris 4801 with 
Debian Stable and IPTABLES.

I have from my work - been giving a internet connection - with static IP 
- and a range with 2 IP more.

Now I would like to use the extra IP for more cases.
Eth0 = WAN
eth0:0 WAN - extra IP 1
eth0:1 WAN - extra IP 2
eth1 = Lan
eth2 = DMZ
eth3 = testzone ( Pluto system)

I have placed my script here - http://linux.pbj-design.dk/IPTABLES.TXT
so you'll be able to se itt.

The problem is that I cannot get the connection on the extra IP1 to 
forward all request on port 22 & 80 - to the machine that is placed in 
eth3. I only gets a - Cannot display the page. I know the server is 
working OK - caurse when I place my computer on eth3 subnet - and point 
directly - it works.  So don't quite know what I'm doing wrong here - so 
please guide me to the rigth direction.

Thanks a lot!

-- 

Med Venlig Hilsen

Greetings

Per Jørgensen
Linux-user 393221
linux@pbj-design.dk <mailto:linux@pbj-design.dk>
<mailto:linux@pbj-design.dk>http://linux.pbj-design.dk 
<http://linux.pbj-design.dk/>




^ permalink raw reply	[flat|nested] 41+ messages in thread
* Iptables problem
@ 2007-01-26 11:19 Saurabh Mehrotra
  2007-01-26 13:53 ` Ted Phelps
  0 siblings, 1 reply; 41+ messages in thread
From: Saurabh Mehrotra @ 2007-01-26 11:19 UTC (permalink / raw)
  To: netfilter

---------- Forwarded message ----------
From: Saurabh Mehrotra <saurabh1980@gmail.com>
Date: Mon, 22 Jan 2007 21:29:46 +0530
Subject: Iptables problem help required !!!!
To: netfilter@lists.netfilter.org

Hi ,

I am using Red Hat Enterprise Linux AS release 4 (Nahant Update 3) with
Kernel 2.6.9-34.ELsmp #1

I am using Iptables for firewall .

But without firewall I m able to nslookup my own DNS server but whenever I
enabled firewall I am not able to nslookup to my own system.

And log files shows the following entry .

RULE 0 -- ACCEPT IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00
SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15607 DF
PROTO=TCP SPT=46994 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
Jan 22 15:52:01 trench1ams crond(pam_unix)[13126]: session closed for user
root

EVEN This rule 0 is also accept rule for SSH not for deny...


I have added rule to accept my own system  traffic ...to allow any service
but still tje proble, is same ....


root@trench1 ~]# nslookup trench1
Server:         212.165.108.4
Address:        212.165.108.4#53

*** Can't find trench1ams: No answer


Please advice me how can I overcome with this problem .......


Thanks

Saurabh


^ permalink raw reply	[flat|nested] 41+ messages in thread
* Iptables problem
@ 2006-10-19  4:52 tarak
  0 siblings, 0 replies; 41+ messages in thread
From: tarak @ 2006-10-19  4:52 UTC (permalink / raw)
  To: netfilter

hello experts,

              i have a problem in iptables, i want to customize the
firewall. through iptable i want run a shell script which will keep an
watch
on each and every ip addresses in my organization, that how much amount
of
data downloading and uploading from those ip addresses...... seperately..
is
this possible to do,,,, if so please tell me how to do...

thanks in advance

Regards,
Tarak Ranjan



^ permalink raw reply	[flat|nested] 41+ messages in thread
* iptables problem
@ 2005-11-01 18:06 Ashley M. Kirchner
  2005-11-02  0:31 ` Buddy wu
  0 siblings, 1 reply; 41+ messages in thread
From: Ashley M. Kirchner @ 2005-11-01 18:06 UTC (permalink / raw)
  To: netfilter


    I have three machines on our private network that need unrestricted 
access to and from FTP.  These are little photo kiosks that periodically 
connect to the master service machine elsewhere through ftp to send 
files and then receives information back.

    The machine running iptables has eth0 with our public ip and eth2 
with the internal (192.168.x.x) ip (where the three machines are on.) 

    Help anyone?



^ permalink raw reply	[flat|nested] 41+ messages in thread
* RE: Iptables problem
@ 2004-08-25 20:04 Jason Opperisano
  0 siblings, 0 replies; 41+ messages in thread
From: Jason Opperisano @ 2004-08-25 20:04 UTC (permalink / raw)
  To: netfilter

> I use slackware 9.0. I have made the upgrade to the lastest iptables, and nowi want to compile the 2.4.27 kernel and enable nat of pptp. I applied the path-o-matic and actvated the option for it. After compile the kernel, almost everything is funcional, but the targets MASQUERADE and SNAT had a problem.. Show an error: Invalid argument. They are Modules and are loaded at the kernel. A frind had the same problem doing the same thing I wanted to do!
>
> Anyone knows what can i do ?
>
>
> Marcelo

i can tell you "what" you need to do, but i learned this morning that i can't necessarily tell you "how" to do it.

what:  you need to rebuild your userspace "iptables" utility.  the error you're seeing is what happens when you apply patches to the kernel that change the internal structures of netfilter.  in order to interact with the new kernel, you need to compile a new iptables command against that patched kernel source.

this is normally as simple as:

cd /usr/local/src/iptables-x.x.x
make KERNEL_DIR=<<where-you-built-your-kernel>>
make install KERNEL_DIR=<<where-you-built-your-kernel>>

i can only assume that your friend is Paulo Andre, and this is apparently more complicated than i realize.

-j


^ permalink raw reply	[flat|nested] 41+ messages in thread
* Iptables problem
@ 2004-08-25 19:52 Marcelo Sinhorini
  2004-08-26  0:24 ` Jose Maria Lopez
  0 siblings, 1 reply; 41+ messages in thread
From: Marcelo Sinhorini @ 2004-08-25 19:52 UTC (permalink / raw)
  To: netfilter

I use slackware 9.0. I have made the upgrade to the lastest iptables, and now i want to compile the 2.4.27 kernel and enable nat of pptp. I applied the path-o-matic and actvated the option for it. After compile the kernel, almost everything is funcional, but the targets MASQUERADE and SNAT had a problem.. Show an error: Invalid argument. They are Modules and are loaded at the kernel. A frind had the same problem doing the same thing I wanted to do!

Anyone knows what can i do ?


Marcelo

^ permalink raw reply	[flat|nested] 41+ messages in thread
* Iptables problem
@ 2003-08-13 17:09 Glenn Hancock
  2003-08-13 17:36 ` Rob Sterenborg
  0 siblings, 1 reply; 41+ messages in thread
From: Glenn Hancock @ 2003-08-13 17:09 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 1344 bytes --]

I have the following setup in my /etc/sysconfig/iptables file.  I start
the iptables service and do a --list and see all my rules.  I can attach
to the computer from outside so I know that the incoming rules work,
however, I can not perform any outgoing tasks.  No pings, no ssh no
nothing.

Can someone please explain why this is not working?

*filter
-A INPUT -p tcp --dport 110 --syn -j ACCEPT
-A INPUT -p tcp --dport 42 --syn -j ACCEPT
-A INPUT -p tcp --dport 7777 --syn -j ACCEPT
-A INPUT -p tcp --dport 7775 --syn -j ACCEPT
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
-A INPUT -p tcp --dport 80 --syn -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 42 -j ACCEPT
-A INPUT -p tcp --syn -j REJECT
-A INPUT -p udp -j REJECT
COMMIT


Thanks,

-- 
Glenn Hancock
SofTek Software International, Inc.
813 Pavilion Court
T: 678-583-5720
I: ghancock@softeksoftware.com
www.softeksoftware.com
www.Spambite.com
NOTE: My email address is currently protected by Spambite. If
you send me an email, you will be asked to validate your email
address on the Spambite network AND re-send you original email
to me. Or, you can pro-actively register your email address on
the Spambite network by visiting the website:
www.spambite.com
When visiting the website, please feel free to look around to
learn about this exciting new technology.

[-- Attachment #2: Type: text/html, Size: 1763 bytes --]

^ permalink raw reply	[flat|nested] 41+ messages in thread
* IPTables problem
@ 2003-05-14 11:45 Tech
  0 siblings, 0 replies; 41+ messages in thread
From: Tech @ 2003-05-14 11:45 UTC (permalink / raw)
  To: netfilter


Hopefully someone can help..please.

I have been using a rc.firewall script for quite sometime but now I have
upgraded my system to one way satellite. The problem I am having is that
most scripts are written with one internet interface. What I require is a
script that is capable of two.
The satellite brings in all data and all requests go out via the modem. I
also have an internal network that needs to be able to surf and collect
mail.

Has anyone had experience with this type of setup.
Any advice would be appreciated.

Michael

-- 
Did you know that if you play a Windows 2000 cd backwards, you will hear
the voice of Satan?





^ permalink raw reply	[flat|nested] 41+ messages in thread
* iptables problem
@ 2003-05-13 15:13 hare ram
  2003-05-13 17:02 ` Guilherme Viebig
  0 siblings, 1 reply; 41+ messages in thread
From: hare ram @ 2003-05-13 15:13 UTC (permalink / raw)
  To: netfilter

Hi

i have installed iptables 1.2.8a in RH 9.0
and installed POM tooo
when i do

[root@ root]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
REDIRECT --to-port 3128
iptables: Invalid argument

what is wrong
i dont see any problem, but iam getting this error
what could be the problem

hare




^ permalink raw reply	[flat|nested] 41+ messages in thread
* Iptables problem
@ 2003-03-13  9:57 De Jager Laubscher
  2003-03-13 10:16 ` Maciej Soltysiak
  0 siblings, 1 reply; 41+ messages in thread
From: De Jager Laubscher @ 2003-03-13  9:57 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 132 bytes --]

Can anyonne please tell me how to open port 1500 to 1511 on my NAT box using iptable on slackeware ??

please help very urgent !

[-- Attachment #2: Type: text/html, Size: 542 bytes --]

^ permalink raw reply	[flat|nested] 41+ messages in thread
* IPtables Problem
@ 2002-12-12 11:52 Amit Kumar Gupta
  0 siblings, 0 replies; 41+ messages in thread
From: Amit Kumar Gupta @ 2002-12-12 11:52 UTC (permalink / raw)
  To: netfilter


[-- Attachment #1.1: Type: text/plain, Size: 141 bytes --]

Hi List,
 
Can somebody tell me what are all possible ways using IPTables to detect
malicious activities?
 
Thanks & Regards,
Amit
 

[-- Attachment #1.2: Type: text/html, Size: 3649 bytes --]

[-- Attachment #2: Wipro_Disclaimer.txt --]
[-- Type: text/plain, Size: 514 bytes --]

**************************Disclaimer************************************************

Information contained in this E-MAIL being proprietary to Wipro Limited is 
'privileged' and 'confidential' and intended for use only by the individual
 or entity to which it is addressed. You are notified that any use, copying 
or dissemination of the information contained in the E-MAIL in any manner 
whatsoever is strictly prohibited.

***************************************************************************************

^ permalink raw reply	[flat|nested] 41+ messages in thread
* iptables problem
@ 2002-11-27  3:26 김도균
  2003-01-17  5:32 ` Raymond Leach
  2003-01-18  0:35 ` Diego Sarasua
  0 siblings, 2 replies; 41+ messages in thread
From: 김도균 @ 2002-11-27  3:26 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 304 bytes --]

hi.
I am unskilled english. just understand my mail.

my box : kernel 2.4.18, iptables 1.2.5

i am serching ip_masq_h323 for kernel 2.4.18 but it is too hard to find.

because, in my NAT, I want to use VoIP(Voice over IP).

How to get h323 module or source for iptables 1.2.5 or later?





[-- Attachment #2: Type: text/html, Size: 1130 bytes --]

^ permalink raw reply	[flat|nested] 41+ messages in thread
* IPTables Problem
@ 2002-10-04 17:55 Niel Harper
  0 siblings, 0 replies; 41+ messages in thread
From: Niel Harper @ 2002-10-04 17:55 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 802 bytes --]

I have IPTables version 1.2.6a running on my VPN (FreeS/Wan 1.98b) gateway.  
I have configured (or so I thought) it to accept incoming and outgoing 
IPSEC, ESP, and AH traffic.  When I try to connect from my remote client, I 
keep getting a "not permitted" error.  Could someone please check my 
iptables chains and tell me exactly what I'm doing wrong.  The IPTables list 
is attached to this document as a text file.

Niel Harper, CISA
Information Security Engineer
Institute of Electrical and Electronic Engineers
IEEE Information Assurance Task Force
Tel: (246) 424-3809
Fax: (246) 425-6076
Email: niel.harper@ieee.org




_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx

[-- Attachment #2: iptables.txt --]
[-- Type: text/plain, Size: 9611 bytes --]

Chain INPUT (policy DROP)
target     prot opt source               destination
loopback_in  all  --  anywhere             anywhere
interface0_in  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spt:isakmp 
dpt:isakmp
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level 
warning prefix `giptables-end-of-firewall: '

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level 
warning prefix `giptables-end-of-firewall: '

Chain OUTPUT (policy DROP)
target     prot opt source               destination
loopback_out  all  --  anywhere             anywhere
interface0_out  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spt:isakmp 
dpt:isakmp
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  192.168.10.1         localhost.localdomain
LOG        all  --  anywhere             anywhere           LOG level 
warning prefix `giptables-end-of-firewall: '

Chain interface0_in (1 references)
target     prot opt source               destination
syn_flood_interface0_in  tcp  --  anywhere             anywhere           
tcp flags:SYN,RST,ACK/SYN
LOG        tcp  --  anywhere             anywhere           tcp 
flags:!SYN,RST,ACK/SYN state NEW limit: avg 5/min burst 7 LOG level warning 
prefix `giptables-new-no-syn: '
DROP       tcp  --  anywhere             anywhere           tcp 
flags:!SYN,RST,ACK/SYN state NEW
LOG        all  -f  anywhere             anywhere           limit: avg 5/min 
burst 7 LOG level warning prefix `giptables-fragments: '
DROP       all  -f  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere           tcp 
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 5/min burst 
7 LOG level warning prefix `giptables-malformed-xmas: '
DROP       tcp  --  anywhere             anywhere           tcp 
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG        tcp  --  anywhere             anywhere           tcp 
flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 5/min burst 7 LOG level 
warning prefix `giptables-malformed-null: '
DROP       tcp  --  anywhere             anywhere           tcp 
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        all  --  192.168.10.2         anywhere           limit: avg 5/min 
burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  192.168.10.2         anywhere
LOG        all  --  0.0.0.0/8            anywhere           limit: avg 5/min 
burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  0.0.0.0/8            anywhere
LOG        all  --  127.0.0.0/8          anywhere           limit: avg 5/min 
burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  127.0.0.0/8          anywhere
LOG        all  --  10.0.0.0/8           anywhere           limit: avg 5/min 
burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  10.0.0.0/8           anywhere
LOG        all  --  172.16.0.0/12        anywhere           limit: avg 5/min 
burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  172.16.0.0/12        anywhere
LOG        all  --  192.168.0.0/16       anywhere           limit: avg 5/min 
burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  192.168.0.0/16       anywhere
LOG        all  --  224.0.0.0/3          anywhere           limit: avg 5/min 
burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  224.0.0.0/3          anywhere
ACCEPT     udp  --  205.214.192.201      192.168.10.2       udp spt:domain 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  205.214.192.201      192.168.10.2       tcp spt:domain 
dpts:1024:65535 state ESTABLISHED
ACCEPT     udp  --  205.214.192.202      192.168.10.2       udp spt:domain 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  205.214.192.202      192.168.10.2       tcp spt:domain 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp spt:ftp 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp 
spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp 
spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp 
spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp 
spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp spt:ssh 
dpts:login:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp 
spts:login:65535 dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp spt:telnet 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp spt:smtp 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp 
spts:1024:65535 dpt:smtp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp spt:pop3 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp spt:imap 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp spt:http 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp spt:https 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp spt:webcache 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2       tcp spt:nntp 
dpts:1024:65535 state ESTABLISHED
ACCEPT     udp  --  anywhere             192.168.10.2       udp spt:ldap 
dpts:1024:65535 state ESTABLISHED
ACCEPT     icmp --  anywhere             192.168.10.2       state 
RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere           limit: avg 5/min 
burst 7 LOG level warning prefix `giptables-drop-src-norule: '
DROP       all  --  anywhere             anywhere

Chain interface0_out (1 references)
target     prot opt source               destination
ACCEPT     udp  --  192.168.10.2         205.214.192.201    udp 
spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         205.214.192.201    tcp 
spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.10.2         205.214.192.202    udp 
spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         205.214.192.202    tcp 
spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp spt:ftp 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp spt:ftp-data 
dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:login:65535 dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp spt:ssh 
dpts:login:65535 state ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpt:telnet state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpt:smtp state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp spt:smtp 
dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpt:pop3 state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpt:imap state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpt:webcache state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere           tcp 
spts:1024:65535 dpt:nntp state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.10.2         anywhere           udp 
spts:1024:65535 dpt:ldap state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.10.2         anywhere           udp 
spts:1024:65535 dpts:traceroute:33523 state NEW
ACCEPT     icmp --  192.168.10.2         anywhere           state 
NEW,RELATED,ESTABLISHED

Chain loopback_in (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain loopback_out (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain syn_flood_interface0_in (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere           limit: avg 1/sec 
burst 3
DROP       all  --  anywhere             anywhere


^ permalink raw reply	[flat|nested] 41+ messages in thread
* RE: Iptables problem
@ 2002-06-25 11:55 Paulo Andre
  2002-06-25 11:57 ` Ramin Alidousti
  0 siblings, 1 reply; 41+ messages in thread
From: Paulo Andre @ 2002-06-25 11:55 UTC (permalink / raw)
  To: 'Ramin Alidousti'; +Cc: Netfilter (E-mail)

Sorry, I didn't mention it, but there is a three 'dmz' between gw_fw and
fw1/2
Thanks

Paulo Andre



-----Original Message-----
From: Ramin Alidousti [mailto:ramin@cannon.eng.us.uu.net]
Sent: 25 June 2002 13:52
To: Paulo Andre
Cc: Netfilter (E-mail)
Subject: Re: Iptables problem


On Tue, Jun 25, 2002 at 12:47:04PM +0200, Paulo Andre wrote:

> I have the following setup.
> 
> <fw1>		<fw2>
>    \		/
>     \	     /
>   <gateway_fw>
> 	  |
> 	  |
> 	<LAN>
> 
> 
> My problem is this...
> A request comes in on fw2 DNAT's to server on LAN. The gw_fw uses fw1 as a
> gateway.
> What would be the best way to fix this. Should I get a routing protocol
with
> iproute2...???
> Should I add an extra network card to fw1 and then do away with fw2...???
> Any suggestions / help..???

My suggestion would be to replace fw1, fw2 and gateway_fw with one fw with
three nics.

Ramin

> 
> 
> Paulo Andre
> 
> 
> 


^ permalink raw reply	[flat|nested] 41+ messages in thread
* Iptables problem
@ 2002-06-25 10:47 Paulo Andre
  2002-06-25 11:51 ` Ramin Alidousti
  0 siblings, 1 reply; 41+ messages in thread
From: Paulo Andre @ 2002-06-25 10:47 UTC (permalink / raw)
  To: Netfilter (E-mail)

I have the following setup.

<fw1>		<fw2>
   \		/
    \	     /
  <gateway_fw>
	  |
	  |
	<LAN>


My problem is this...
A request comes in on fw2 DNAT's to server on LAN. The gw_fw uses fw1 as a
gateway.
What would be the best way to fix this. Should I get a routing protocol with
iproute2...???
Should I add an extra network card to fw1 and then do away with fw2...???
Any suggestions / help..???


Paulo Andre





^ permalink raw reply	[flat|nested] 41+ messages in thread
[parent not found: <CC845BB8BC74D6119934000347DD23E87C0C09@jhbmail.autopage.co.za>]
[parent not found: <CC845BB8BC74D6119934000347DD23E87C0C07@jhbmail.autopage.co.za>]
[parent not found: <CC845BB8BC74D6119934000347DD23E87C0C01@jhbmail.autopage.co.za>]
end of thread, other threads:[~2008-09-05 15:35 UTC | newest]

Thread overview: 41+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-11-08 17:08 IPTABLES PROBLEM Micol lupen
2005-11-08 18:56 ` Rob Sterenborg
2005-11-08 19:08 ` /dev/rob0
  -- strict thread matches above, loose matches on Subject: below --
2008-09-05 11:12 iptables problem Cam Bazz
2008-09-05 12:39 ` Matt Zagrabelny
2008-09-05 15:35 ` Grant Taylor
2007-10-06 16:28 IPtables problem Per Jørgensen
2007-10-06 18:25 ` Pascal Hambourg
2007-01-26 11:19 Iptables problem Saurabh Mehrotra
2007-01-26 13:53 ` Ted Phelps
2007-01-26 14:17   ` Saurabh Mehrotra
2007-01-26 15:17     ` Ted Phelps
2007-01-26 15:49       ` Saurabh Mehrotra
2007-01-26 15:55         ` Ted Phelps
2006-10-19  4:52 tarak
2005-11-01 18:06 iptables problem Ashley M. Kirchner
2005-11-02  0:31 ` Buddy wu
2004-08-25 20:04 Iptables problem Jason Opperisano
2004-08-25 19:52 Marcelo Sinhorini
2004-08-26  0:24 ` Jose Maria Lopez
2003-08-13 17:09 Glenn Hancock
2003-08-13 17:36 ` Rob Sterenborg
2003-05-14 11:45 IPTables problem Tech
2003-05-13 15:13 iptables problem hare ram
2003-05-13 17:02 ` Guilherme Viebig
2003-05-14 11:17   ` hare ram
2003-05-14 11:38     ` Bikrant Neupane
2003-03-13  9:57 Iptables problem De Jager Laubscher
2003-03-13 10:16 ` Maciej Soltysiak
2002-12-12 11:52 IPtables Problem Amit Kumar Gupta
2002-11-27  3:26 iptables problem 김도균
2003-01-17  5:32 ` Raymond Leach
2003-01-18  0:35 ` Diego Sarasua
2002-10-04 17:55 IPTables Problem Niel Harper
2002-06-25 11:55 Iptables problem Paulo Andre
2002-06-25 11:57 ` Ramin Alidousti
2002-06-25 10:47 Paulo Andre
2002-06-25 11:51 ` Ramin Alidousti
     [not found] <CC845BB8BC74D6119934000347DD23E87C0C09@jhbmail.autopage.co.za>
2002-06-24 16:03 ` Antony Stone
     [not found] <CC845BB8BC74D6119934000347DD23E87C0C07@jhbmail.autopage.co.za>
2002-06-24 14:26 ` Antony Stone
     [not found] <CC845BB8BC74D6119934000347DD23E87C0C01@jhbmail.autopage.co.za>
2002-06-21 14:44 ` Antony Stone

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox