Linux Netfilter discussions
* whats wrong???
From: Juan Manuel Tato @ 2005-06-28 16:40 UTC (permalink / raw)
  To: netfilter

Hi, I'm configuring a firewall, and I need some port forwarding
to IP 192.168.100.1 from my public IP,
but it isn't working.
Here is the output of the chains:

fw-new:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.100.1        0.0.0.0/0
ACCEPT     all  --  192.168.100.2        0.0.0.0/0
ACCEPT     all  --  192.168.100.3        0.0.0.0/0
ACCEPT     all  --  192.168.100.4        0.0.0.0/0
ACCEPT     all  --  192.168.100.5        0.0.0.0/0
ACCEPT     all  --  192.168.100.6        0.0.0.0/0
ACCEPT     all  --  192.168.100.7        0.0.0.0/0
ACCEPT     all  --  192.168.100.8        0.0.0.0/0
ACCEPT     all  --  192.168.100.9        0.0.0.0/0

badflags   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
badflags   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
badflags   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37
badflags   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
badflags   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
badflags   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5
firewall   icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
silent     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 dpt:137
dropwall   all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.1       tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            192.168.100.1       udp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.1       tcp dpt:25
ACCEPT     udp  --  0.0.0.0/0            192.168.100.1       udp dpt:25

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain badflags (6 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 15/min burst 5 LOG flags 0 level 4 prefix `Badflags:'
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain dropwall (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 15/min burst 5 LOG flags 0 level 4 prefix `Dropwall:'
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain firewall (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 15/min burst 5 LOG flags 0 level 4 prefix `Firewall:'
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain silent (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0



* Re: whats wrong???
From: Vlad Janicek @ 2005-06-28 17:32 UTC (permalink / raw)
  To: netfilter

which IP address are you using? could you paste the script you use and your 
nic configurations??

2005/6/28, Juan Manuel Tato <madness@adinet.com.uy>:
> 
> Hi, I'm configuring a firewall, and I need some port forwarding
> to IP 192.168.100.1 from my public IP,
> but it isn't working.
> Here is the output of the chains:
> 


-- 
Vlad


* Re: whats wrong???
From: Juan Manuel Tato @ 2005-06-28 18:04 UTC (permalink / raw)
  To: Vlad Janicek, netfilter

Here goes the ifconfig output:

fw-new:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:7D:AD:B4:FF
           inet addr:192.168.100.9  Bcast:192.168.100.255  Mask:255.255.255.0
           inet6 addr: fe80::2e0:7dff:fead:b4ff/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:636262 errors:0 dropped:0 overruns:0 frame:0
           TX packets:265447 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:187859208 (179.1 MiB)  TX bytes:106784159 (101.8 MiB)
           Interrupt:3 Base address:0xde00

eth1      Link encap:Ethernet  HWaddr 00:D0:09:25:21:DC
           inet addr:pub.blic.ip.addr  Bcast:200.40.86.255  Mask:255.255.255.252
           inet6 addr: fe80::2d0:9ff:fe25:21dc/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:305065 errors:0 dropped:0 overruns:0 frame:0
           TX packets:511416 errors:0 dropped:0 overruns:0 carrier:0
           collisions:296 txqueuelen:1000
           RX bytes:108708592 (103.6 MiB)  TX bytes:128511858 (122.5 MiB)
           Interrupt:12 Base address:0xd800

Here goes the script:

#!/bin/sh
IPT="/sbin/iptables"
INT="eth1"
#
# flushhhhh
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
#
# Policies.
#
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to pub.lic.ip.addr

# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

# define the IP of my internal server
SRV="192.168.100.1"


$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 192.168.100.1:25
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to $SRV
$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to $SRV
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 110 -j DNAT --to $SRV
$IPT -t nat -A PREROUTING -i $INT -p udp --dport 110 -j DNAT --to $SRV
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 80 -j DNAT --to 192.168.100.1:80
$IPT -t nat -A PREROUTING -i $INT -p udp --dport 80 -j DNAT --to 192.168.100.1:80
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 143 -j DNAT --to $SRV
$IPT -t nat -A PREROUTING -i $INT -p udp --dport 143 -j DNAT --to $SRV

# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the
# network below.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.100.1 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 192.168.100.2 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 192.168.100.3 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 192.168.100.4 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 192.168.100.5 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 192.168.100.6 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 192.168.100.7 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 192.168.100.8 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 192.168.100.9 -d 0/0 -p all -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# If you would like to open up port 22 (SSH access) to various IPs,
# simply edit the IPs below and uncomment the line. If you wish to
# enable SSH access from anywhere, uncomment the second line only.
#$IPT -A INPUT -i $INT -s 10.1.1.1 -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $INT -s 192.168.100.0/24 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 80 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 25 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 110 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 143 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 143 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 53 -j ACCEPT


# Lets do some basic state-matching. This allows us
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Uncomment to drop port 137 netbios packets silently.
# We don't like that netbios stuff, and it's way too
# spammy with windows machines on the network.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall
# so we don't get silent drops.
$IPT -A INPUT -j dropwall


Vlad Janicek wrote:
> which IP address are you using? could you paste the script you use and your 
> nic configurations??
> 
> 2005/6/28, Juan Manuel Tato <madness@adinet.com.uy>:
> 
>>Hi, I'm configuring a firewall, and I need some port forwarding
>>to IP 192.168.100.1 from my public IP,
>>but it isn't working.
>>Here is the output of the chains:

* Re: whats wrong???
From: Vlad Janicek @ 2005-06-29  1:09 UTC (permalink / raw)
  To: netfilter

2005/6/28, Juan Manuel Tato <madness@adinet.com.uy>: 
> 
> # Policies.
> #
> $IPT -P INPUT ACCEPT
> $IPT -P OUTPUT ACCEPT
> $IPT -P FORWARD ACCEPT


You usually drop everything first, then you open each port and service one
by one.

> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> $IPT -t nat -A POSTROUTING -o $INT -j SNAT --to pub.lic.ip.addr
>
> # This rule protects your forwarding rule.
> $IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

Remove this for testing.

> # define the IP of my internal server
> SRV="192.168.100.1"
>
> $IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 192.168.100.1:25
> $IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to $SRV
> $IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to $SRV
> $IPT -t nat -A PREROUTING -i $INT -p tcp --dport 110 -j DNAT --to $SRV
> $IPT -t nat -A PREROUTING -i $INT -p udp --dport 110 -j DNAT --to $SRV
> $IPT -t nat -A PREROUTING -i $INT -p tcp --dport 80 -j DNAT --to 192.168.100.1:80
> $IPT -t nat -A PREROUTING -i $INT -p udp --dport 80 -j DNAT --to 192.168.100.1:80
> $IPT -t nat -A PREROUTING -i $INT -p tcp --dport 143 -j DNAT --to $SRV
> $IPT -t nat -A PREROUTING -i $INT -p udp --dport 143 -j DNAT --to $SRV

What if you tried something like this for external packets looking for a
system inside:

iptables -A FORWARD -d your_lans_server_ip -p tcp --dport 110 -j ACCEPT
iptables -t nat -A PREROUTING -d your_external_nic -p tcp --dport 110 \
-j DNAT --to-destination your_lans_server_ip:110

-- 
Vlad

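Vlad's reply above removes the FORWARD state DROP for testing. As an added example (not code from the thread), the following Python model replays the poster's FORWARD chain with iptables' first-match semantics on constructed packets, and goes one step further: it shows that keeping the DROP and moving the four service ACCEPT rules above it lets the DNAT'd connection through while unsolicited traffic to unpublished hosts is still dropped. It assumes the DROP rule carries `-i eth1` as in the script, which `iptables -L` without `-v` does not display.

```python
# Added example (not code from the thread): a minimal model of iptables'
# first-match chain walk, replaying the poster's FORWARD chain against the
# first packet of a DNAT'd web connection. Packet values are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str       # destination after nat PREROUTING has rewritten it
    dport: int
    state: str     # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    states: Tuple[str, ...] = ()

    def matches(self, p: Packet) -> bool:
        # Every option given on the rule must hold; options left off are
        # wildcards, exactly as with an iptables rule.
        return ((self.in_iface is None or self.in_iface == p.in_iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.states or p.state in self.states))


def walk_chain(rules: List[Rule], p: Packet,
               policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; return (verdict, index of the deciding
    rule), with index None when no rule matched and the policy decided."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.target, i
    return policy, None


# The FORWARD chain as listed in the thread. The DROP rule's "-i eth1" comes
# from the script; "iptables -L" without -v does not display interfaces.
DROP_NEW = Rule("DROP", in_iface="eth1", states=("NEW", "INVALID"))
SERVICE_ACCEPTS = [
    Rule("ACCEPT", proto="tcp", dst="192.168.100.1", dport=80),
    Rule("ACCEPT", proto="udp", dst="192.168.100.1", dport=80),
    Rule("ACCEPT", proto="tcp", dst="192.168.100.1", dport=25),
    Rule("ACCEPT", proto="udp", dst="192.168.100.1", dport=25),
]
FORWARD_AS_POSTED = [DROP_NEW] + SERVICE_ACCEPTS
# Same rules, with the published services decided before the catch-all DROP.
FORWARD_REORDERED = SERVICE_ACCEPTS + [DROP_NEW]

# Constructed packets: the SYN of an inbound web connection, already DNAT'd
# to the internal server, and an unsolicited SYN to an unpublished host.
DNAT_WEB_SYN = Packet("eth1", "tcp", "192.168.100.1", 80, "NEW")
STRAY_SYN = Packet("eth1", "tcp", "192.168.100.5", 22, "NEW")


def verdicts() -> dict:
    """Verdicts for both chain orders; the posted order drops the DNAT'd SYN
    at rule 0 before the ACCEPT for 192.168.100.1:80 is ever consulted."""
    return {
        "posted_web": walk_chain(FORWARD_AS_POSTED, DNAT_WEB_SYN),
        "reordered_web": walk_chain(FORWARD_REORDERED, DNAT_WEB_SYN),
        "reordered_stray": walk_chain(FORWARD_REORDERED, STRAY_SYN),
    }


if __name__ == "__main__":
    for name, (verdict, idx) in verdicts().items():
        print(f"{name}: {verdict} (rule {idx})")
```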

* Re: whats wrong???
From: Jan Engelhardt @ 2005-06-30 10:43 UTC (permalink / raw)
  To: Juan Manuel Tato; +Cc: netfilter


> where come the output of the chains
>
> fw-new:~# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  192.168.100.1        0.0.0.0/0
> ACCEPT     all  --  192.168.100.2        0.0.0.0/0
> ACCEPT     all  --  192.168.100.3        0.0.0.0/0
> ACCEPT     all  --  192.168.100.4        0.0.0.0/0
> ACCEPT     all  --  192.168.100.5        0.0.0.0/0
> ACCEPT     all  --  192.168.100.6        0.0.0.0/0
> ACCEPT     all  --  192.168.100.7        0.0.0.0/0
> ACCEPT     all  --  192.168.100.8        0.0.0.0/0
> ACCEPT     all  --  192.168.100.9        0.0.0.0/0

Uh you could merge those.

> ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:25
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:110
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:143
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53

You can also merge this using -m dport



Jan Engelhardt
--
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de


