From: Tony Rogers <tony.rogers@erudine.com>
To: Andrew Beverley <andy@andybev.com>
Cc: netfilter@vger.kernel.org
Subject: Re: iptables - external IP address on internal interface?
Date: Tue, 12 Apr 2011 22:37:30 +0100
Message-ID: <4DA4C61A.4070308@erudine.com>
In-Reply-To: <1302636161.4938.5.camel@andybev-desktop>
On 12/04/2011 20:22, Andrew Beverley wrote:
> On Tue, 2011-04-12 at 20:12 +0100, Tony Rogers wrote:
>>
>>
>> -----Original Message-----
>> From: Andrew Beverley [mailto:andy@andybev.com]
>> Sent: 12 April 2011 17:36
>> To: Tony Rogers
>> Subject: RE: iptables - external IP address on internal interface?
>>
>> On Tue, 2011-04-12 at 10:20 +0100, Tony Rogers wrote:
>>> As requested - output of "iptables -nL"
>>>
>>
>> Any chance that you can re-post that without the line wrapping please?
>> It's almost impossible to read. A bottom-post would be nice as well :-)
>>
>> Thanks,
>>
>> Andy
>>
>>
>> Hi Andy,
>>
>> Let me try this again then!
>
> Hmmm, still a mess I'm afraid, I think you should try a different email
> client that is list friendly...
>
>> (only replying to you directly rather than
>> the entire list this time)
>>
>
> However, having skimmed through the rules, I cannot see any NAT targets
> in there? If so, the behaviour you are seeing is to be expected.
>
> I'll reply the same to the list.
>
> Andy
>
>
>
Ok, trying with Thunderbird this time... (and it too seems to be
wrapping the text) <sigh>
*** NAT rules ***

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  0.0.0.0/0            <EXT_IP>             udp dpt:5060 to:192.168.0.2:5060
DNAT       udp  --  0.0.0.0/0            <EXT_IP>             udp dpts:1024:65535 to:192.168.0.2:1024-65535
DNAT       tcp  --  0.0.0.0/0            <EXT_IP>             tcp dpt:80 to:192.168.0.2:80
DNAT       tcp  --  0.0.0.0/0            <EXT_IP>             tcp dpt:22 to:192.168.0.2:22
DNAT       tcp  --  0.0.0.0/0            <EXT_IP>             tcp dpt:20 to:192.168.0.2:20
DNAT       tcp  --  0.0.0.0/0            <EXT_IP>             tcp dpt:21 to:192.168.0.2:21

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
REDNAT     all  --  0.0.0.0/0            0.0.0.0/0
SNAT       all  --  0.0.0.0/0            0.0.0.0/0            MARK match 0x1 to:192.168.0.1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain REDNAT (1 references)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0

*** output of iptables -nL ***

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1026:1028
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:1026:1028
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
BADTCP     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
DROP       all  --  127.0.0.0/8          0.0.0.0/0            state NEW
DROP       all  --  0.0.0.0/0            127.0.0.0/8          state NEW
ACCEPT    !icmp --  0.0.0.0/0            0.0.0.0/0            state NEW
XTACCESS   all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 5
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 5
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT '
ACCEPT     udp  --  0.0.0.0/0            224.0.0.0/4
ACCEPT     2    --  0.0.0.0/0            224.0.0.0/4
DROP       all  --  0.0.0.0/0            224.0.0.0/4
DROP       all  --  224.0.0.0/4          0.0.0.0/0
DROP       all  --  240.0.0.0/4          0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
BADTCP     all  --  0.0.0.0/0            0.0.0.0/0
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
DROP       all  --  127.0.0.0/8          0.0.0.0/0            state NEW
DROP       all  --  0.0.0.0/0            127.0.0.0/8          state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
PORTFWACCESS all  --  0.0.0.0/0            0.0.0.0/0            state NEW
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '
ACCEPT     udp  --  <ACCESS_IP_7>        192.168.0.2          udp dpt:5060
ACCEPT     udp  --  <ACCESS_IP_7>        192.168.0.2          udp dpts:1024:65535
ACCEPT     tcp  --  <ACCESS_NET>/28      192.168.0.2          tcp dpt:80
ACCEPT     tcp  --  <ACCESS_IP_3>        192.168.0.2          tcp dpt:80
ACCEPT     tcp  --  <ACCESS_IP_4>        192.168.0.2          tcp dpt:80
ACCEPT     tcp  --  <ACCESS_IP_3>        192.168.0.2          tcp dpt:22
ACCEPT     tcp  --  <ACCESS_NET>/28      192.168.0.2          tcp dpt:22
ACCEPT     tcp  --  <ACCESS_IP_4>        192.168.0.2          tcp dpt:22
ACCEPT     tcp  --  <ACCESS_IP_4>        192.168.0.2          tcp dpt:20
ACCEPT     tcp  --  <ACCESS_IP_4>        192.168.0.2          tcp dpt:21

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain BADTCP (2 references)
target     prot opt source               destination
PSCAN      tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
PSCAN      tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
PSCAN      tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01
PSCAN      tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
PSCAN      tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
NEWNOTSYN  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW

Chain LOG_DROP (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LOG_REJECT (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain NEWNOTSYN (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `NEW not SYN? '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain PORTFWACCESS (1 references)
target     prot opt source               destination

Chain PSCAN (5 references)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `TCP Scan? '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `UDP Scan? '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `ICMP Scan? '
LOG        all  -f  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `FRAG Scan? '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain XTACCESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            <EXT_IP>             tcp dpt:20 state NEW
ACCEPT     tcp  --  0.0.0.0/0            <EXT_IP>             tcp dpt:21 state NEW
ACCEPT     tcp  --  0.0.0.0/0            <EXT_IP>             tcp dpt:80 state NEW
ACCEPT     tcp  --  <ACCESS_IP_5>        <EXT_IP>             tcp dpt:5000 state NEW
ACCEPT     udp  --  <ACCESS_IP_7>        192.168.0.2          udp dpts:1024:65535
ACCEPT     udp  --  <ACCESS_IP_7>        192.168.0.2          udp dpt:5060
ACCEPT     tcp  --  <ACCESS_IP_3>        192.168.0.2          state NEW tcp dpt:22
ACCEPT     tcp  --  <ACCESS_IP_4>        192.168.0.2          state NEW tcp dpt:22
ACCEPT     tcp  --  <ACCESS_IP_3>        <EXT_IP>             state NEW tcp dpt:223
ACCEPT     tcp  --  <ACCESS_IP_1>        192.168.0.2          state NEW tcp dpt:22
ACCEPT     tcp  --  <ACCESS_IP_1>        <EXT_IP>             state NEW tcp dpt:81
ACCEPT     tcp  --  <ACCESS_IP_1>        <EXT_IP>             state NEW tcp dpt:223
ACCEPT     tcp  --  <ACCESS_IP_2>        <EXT_IP>             state NEW tcp dpt:22
ACCEPT     tcp  --  <ACCESS_IP_3>        <EXT_IP>             state NEW tcp dpt:10000
ACCEPT     tcp  --  <ACCESS_IP_1>        <EXT_IP>             state NEW tcp dpt:10000
ACCEPT     tcp  --  <ACCESS_IP_1>        <EXT_IP>             state NEW tcp dpt:5901
ACCEPT     tcp  --  <ACCESS_IP_3>        <EXT_IP>             state NEW tcp dpt:5901
ACCEPT     tcp  --  <ACCESS_IP_1>        <EXT_IP>             state NEW tcp dpt:5900
ACCEPT     tcp  --  <ACCESS_IP_3>        <EXT_IP>             state NEW tcp dpt:5900
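The question in the thread's subject is how a host on the LAN can reach a port-forwarded server by the firewall's external address. That needs the DNAT to be applied to packets arriving on the LAN interface as well, plus an SNAT on the hairpinned flows so that the server's replies go back through the firewall rather than directly to the client (hairpin NAT, also called NAT loopback). As an added example, not code from this thread or from any of its participants, the following POSIX shell script prints (or, when run as root with IPTABLES=iptables, applies) such a rule set for the forwards visible in the posted PREROUTING chain. The interface names eth0 and eth1 and the LAN prefix 192.168.0.0/24 are assumptions; 192.168.0.1 and 192.168.0.2 are taken from the posted ruleset, and <EXT_IP> is the poster's own placeholder, which the script refuses to apply unchanged.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for reaching a DNATed server via the firewall's
# external address from the LAN. Added example, not from the thread.
# Assumed (not in the thread): WAN interface eth0, LAN interface eth1,
# LAN prefix 192.168.0.0/24. 192.168.0.1 (firewall LAN address) and
# 192.168.0.2 (the server) come from the posted ruleset; <EXT_IP> is the
# poster's placeholder for the external address.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
FW_LAN_IP=${FW_LAN_IP:-192.168.0.1}
SERVER=${SERVER:-192.168.0.2}
EXT_IP=${EXT_IP:-"<EXT_IP>"}

# Dry run by default: print the commands instead of applying them.
# Set IPTABLES=iptables (as root) to apply them for real.
IPTABLES=${IPTABLES:-echo iptables}

if [ "$IPTABLES" != "echo iptables" ] && [ "$EXT_IP" = "<EXT_IP>" ]; then
    echo "set EXT_IP to the firewall's real external address before applying" >&2
    exit 1
fi

# Emit the four rules that forward one port to SERVER and make the forward
# reachable from the LAN as well as from the Internet.
hairpin_rules() {
    proto=$1
    port=$2
    # 1. Inbound from the Internet: rewrite EXT_IP:port to SERVER:port.
    #    This is what the posted PREROUTING DNAT rules already do.
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$EXT_IP" --dport "$port" -j DNAT --to-destination "$SERVER:$port"
    # 2. The same rewrite for packets arriving on the LAN interface. Without
    #    it, a LAN client's packet to EXT_IP is delivered to the firewall itself.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" -s "$LAN_NET" -d "$EXT_IP" --dport "$port" -j DNAT --to-destination "$SERVER:$port"
    # 3. Hairpinned flows have source and destination on the same LAN, so the
    #    server would answer the client directly with a source of 192.168.0.2,
    #    which the client never connected to. SNAT to the firewall's LAN
    #    address forces the reply back through the firewall, where conntrack
    #    reverses the DNAT.
    $IPTABLES -t nat -A POSTROUTING -o "$LAN_IF" -p "$proto" -s "$LAN_NET" -d "$SERVER" --dport "$port" -j SNAT --to-source "$FW_LAN_IP"
    # 4. Let the new connection through a FORWARD chain whose policy is DROP.
    $IPTABLES -A FORWARD -p "$proto" -d "$SERVER" --dport "$port" -m state --state NEW -j ACCEPT
}

# Forwards taken from the posted PREROUTING chain (constructed subset).
for spec in tcp:80 tcp:22 udp:5060; do
    hairpin_rules "${spec%%:*}" "${spec#*:}"
done
```

Run it plainly to review the generated commands; run it as root with IPTABLES=iptables and EXT_IP set to apply them. The SNAT rule in the posted POSTROUTING chain selects its packets with a MARK match; this example selects the hairpinned flows directly by source network, destination and outgoing interface, which needs no mangle-table rule, and it restricts each DNAT to the interface it is meant for so that traffic from other interfaces is not rewritten.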
Thread overview: 13+ messages
2011-04-11 14:04 iptables - external IP address on internal interface? Tony Rogers
2011-04-11 14:42 ` Usuário do Sistema
2011-04-11 14:53 ` Jan Engelhardt
2011-04-11 17:52 ` Andrew Beverley
2011-04-12 9:20 ` Tony Rogers
2011-04-12 19:26 ` Andrew Beverley
2011-04-12 20:31 ` Robert Nichols
[not found] ` <1302626146.4938.1.camel@andybev-desktop>
[not found] ` <054F5B1BB94BD943B243C3B39B4F568D0161B8F7@victory.Erudine.local>
[not found] ` <1302636161.4938.5.camel@andybev-desktop>
2011-04-12 21:37 ` Tony Rogers [this message]
2011-04-14 20:24 ` Andrew Beverley
2011-04-15 13:21 ` Tony Rogers
2011-04-15 15:29 ` Andrew Beverley
2011-04-20 12:19 ` Tony Rogers
2011-04-20 19:41 ` Andrew Beverley