iptables problem

on 15.02.2005 09:27:18 by Luca Ferrari

Hi,
I've a problem with iptables on a machine which is a firewall. The logs
report the following:

firewall:~ # grep 192.168.2.200 /var/log/messages | grep DPT=53
Feb 14 11:45:52 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=50 TOS=0x00 PREC=0x00 TTL=126 ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=30
Feb 14 11:47:40 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=72 TOS=0x00 PREC=0x00 TTL=126 ID=812 PROTO=UDP SPT=1025 DPT=53 LEN=52

where the machine 192.168.2.200 is locked and cannot work with the DNS (port
53) specified. But if I do an iptables-save, I get the following:

-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT

that should accept each connection from a host of the 192.168.2.0 network to
the specified DNS server. The same thing occurs for other machines.

The following is a complete dump of the iptables-save command. Do you have any
idea about how to fix this problem?

firewall:~ # iptables-save
# Generated by iptables-save v1.2.8 on Tue Feb 15 12:08:25 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [160:11248]
:drop-and-log-it - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p udp -m udp --dport 110 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -p udp -m udp --dport 25 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 54681 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -p udp -m udp --dport 54681 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 217.55.134.22 -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.106.77.78 -i eth1 -p tcp -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -d 192.168.2.7 -i eth1 -p udp -m udp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.2 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -d 217.58.77.224/255.255.255.240 -i eth1 -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 217.58.77.224/255.255.255.240 -i eth1 -p udp -m udp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.84.1 -d 192.168.2.7 -i eth1 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -j drop-and-log-it
-A INPUT -d 192.168.2.7 -i eth1 -p icmp -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p tcp -m tcp --sport 21 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p udp -m udp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p udp -m udp --sport 21 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -p udp -m udp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -s 192.168.2.7 -i eth1 -p udp -m udp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.2.7 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j drop-and-log-it
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p udp -m udp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 6881,6882,6883,6884,6885,6886,6887,muse,6889,kazaa -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports 6881,6882,6883,6884,6885,6886,6887,muse,6889,kazaa -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m multiport --dports gnutella-svc,gnutella-rtr -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports gnutella-svc,gnutella-rtr -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports 4711,4665,kar2ouche,rfa,4662,http-alt,9955 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 4242:4299 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m udp --dport 4242:4299 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 6881:6999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m udp --dport 6881:6999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth1 -o eth1 -p tcp -m tcp --dport 54681 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth1 -o eth1 -p udp -m udp --dport 54681 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.4.0/255.255.255.0 -i eth1 -o eth1 -p tcp -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.4.0/255.255.255.0 -i eth1 -o eth1 -p udp -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 217.55.134.22 -i eth1 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.78 -i eth1 -o eth1 -p tcp -j ACCEPT
-A FORWARD -i eth1 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.7 -i eth1 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.99.250.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 195.223.145.5 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.106.77.15 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 85.33.98.138 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 151.4.29.163 -i eth1 -o eth1 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -j drop-and-log-it
-A OUTPUT -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.0.0 -o eth1 -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.0.0 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.4.0/255.255.255.0 -p tcp -j ACCEPT
-A OUTPUT -d 192.168.4.0/255.255.255.0 -p udp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.2.7 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -s 192.168.2.7 -d 192.168.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth1 -j drop-and-log-it
-A OUTPUT -s 192.168.2.7 -o eth1 -j ACCEPT
-A OUTPUT -j drop-and-log-it
-A drop-and-log-it -j LOG --log-prefix "PUPPUFIREWALL" --log-level info
-A drop-and-log-it -j DROP
COMMIT
# Completed on Tue Feb 15 12:08:26 2005
# Generated by iptables-save v1.2.8 on Tue Feb 15 12:08:26 2005
*nat
:PREROUTING ACCEPT [132819:9929714]
:POSTROUTING ACCEPT [366:23571]
:OUTPUT ACCEPT [574:72057]
-A PREROUTING -s 192.168.2.0/255.255.255.0 -d ! 192.168.2.7 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.2.7
COMMIT
# Completed on Tue Feb 15 12:08:26 2005


Luca

--
Luca Ferrari,
fluca1978@infinito.it
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
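Nobody in the thread actually lines the logged packet up against the rule it was expected to hit, which is the first check a practitioner would make. The following is an added example, written for this page and not code from the thread or from the iptables project: it parses netfilter LOG lines of the kind posted above and a subset of the posted FORWARD chain (only the rule options that subset uses are understood), then reports the first rule that would match each packet. Run on the posted lines it shows the packet falling through to the final drop-and-log-it rule, because the logged destination is 217.97.32.2 while the DNS ACCEPT rules name 212.97.32.2 (and 151.99.250.2, 195.223.145.5); the same packet with DST=212.97.32.2 is accepted by the UDP/53 rule. The parser also copes with the fused field PUPPUFIREWALLIN=eth1, which is what the kernel writes when --log-prefix has no trailing space; giving the prefix a trailing space avoids it. Conntrack state is not available from a single log line, so the checker assumes a logged outbound query is NEW.

```python
import ipaddress
import re
import shlex

# The posted drop-and-log-it chain uses --log-prefix "PUPPUFIREWALL" with no
# trailing space, so the kernel emits "PUPPUFIREWALLIN=eth1" and a naive
# key=value split would produce the bogus key "PUPPUFIREWALLIN".
LOG_PREFIX = "PUPPUFIREWALL"

# The two kernel LOG lines from the post, with the mail line wraps removed.
SAMPLE_LOG = [
    "Feb 14 11:45:52 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 "
    "SRC=192.168.2.200 DST=217.97.32.2 LEN=50 TOS=0x00 PREC=0x00 TTL=126 "
    "ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=30",
    "Feb 14 11:47:40 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 "
    "SRC=192.168.2.200 DST=217.97.32.2 LEN=72 TOS=0x00 PREC=0x00 TTL=126 "
    "ID=812 PROTO=UDP SPT=1025 DPT=53 LEN=52",
]

# The FORWARD rules from the posted iptables-save dump that can apply to a
# LAN host's UDP/53 query, in their original order (the P2P REJECT rules
# and the mail/FTP ACCEPT rules in between cannot match UDP/53).
FORWARD_RULES = [
    "-A FORWARD -i eth1 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 192.168.2.7 -i eth1 -o eth1 -j ACCEPT",
    "-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT",
    "-A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p udp -m udp --dport 53 -j ACCEPT",
    "-A FORWARD -j drop-and-log-it",
]

FIELD = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the netfilter fields of one LOG line as a dict keyed as logged."""
    body = line.split(LOG_PREFIX, 1)[1]      # drop everything up to the prefix
    fields = {}
    for key, value in FIELD.findall(body):
        fields.setdefault(key, value)        # keep the IP-header LEN, not the UDP one
    return fields


def _port_range(spec):
    lo, _, hi = spec.partition(":")          # "53" or "4242:4299"
    return int(lo), int(hi or lo)


def parse_rule(text):
    """Parse the subset of iptables-save syntax used by the rules above."""
    argv = shlex.split(text)
    rule = {"src": None, "dst": None, "in": None, "out": None, "proto": None,
            "dport": None, "states": None, "target": None}
    i = 0
    while i < len(argv):
        opt = argv[i]
        arg = argv[i + 1] if i + 1 < len(argv) else None
        if opt in ("-A", "-m", "--reject-with"):
            pass                             # chain, match module, reject type
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-i":
            rule["in"] = arg
        elif opt == "-o":
            rule["out"] = arg
        elif opt == "-p":
            rule["proto"] = arg.lower()
        elif opt == "--dport":
            rule["dport"] = _port_range(arg)
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        else:
            raise NotImplementedError("unsupported option %r" % opt)
        i += 2                               # every supported option takes one argument
    return rule


def rule_matches(rule, pkt):
    """Would this rule match the logged packet (conntrack state unknown)?"""
    if rule["in"] and rule["in"] != pkt.get("IN"):
        return False
    if rule["out"] and rule["out"] != pkt.get("OUT"):
        return False
    if rule["src"] and ipaddress.ip_address(pkt["SRC"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["DST"]) not in rule["dst"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["PROTO"].lower():
        return False
    if rule["dport"]:
        if "DPT" not in pkt:
            return False
        lo, hi = rule["dport"]
        if not lo <= int(pkt["DPT"]) <= hi:
            return False
    # A logged outbound query is a NEW flow, so a rule that only accepts
    # RELATED,ESTABLISHED cannot be the one that matched it.
    if rule["states"] is not None and "NEW" not in rule["states"]:
        return False
    return True


def first_match(pkt, rules):
    """Index and target of the first matching rule, or None (chain policy)."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return idx, rule["target"]
    return None


def explain(lines=SAMPLE_LOG, rule_texts=FORWARD_RULES):
    """(SRC, DST, PROTO, DPT, first match) for every logged packet."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(p["SRC"], p["DST"], p["PROTO"], p.get("DPT"), first_match(p, rules))
            for p in map(parse_log_line, lines)]


if __name__ == "__main__":
    for src, dst, proto, dpt, hit in explain():
        print("%s -> %s %s/%s : first match %s" % (src, dst, proto, dpt, hit))
    rules = [parse_rule(r) for r in FORWARD_RULES]
    retry = dict(parse_log_line(SAMPLE_LOG[0]), DST="212.97.32.2")
    print("same packet to 212.97.32.2 : first match %s" % (first_match(retry, rules),))
```

The checker deliberately refuses rules it does not understand rather than ignoring unknown matches, since silently skipping a match would report false ACCEPTs; extend `parse_rule` before feeding it the full dump.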

Re: iptables problem

on 15.02.2005 11:30:49 by yayati

> Hi,
> I've a problem with iptables on a machine which is a firewall. The logs
> report the following:
>
> firewall:~ # grep 192.168.2.200 /var/log/messages | grep DPT=53
> Feb 14 11:45:52 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=50 TOS=0x00 PREC=0x00 TTL=126 ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=30
> Feb 14 11:47:40 firewall kernel: PUPPUFIREWALLIN=eth1 OUT=eth1 SRC=192.168.2.200 DST=217.97.32.2 LEN=72 TOS=0x00 PREC=0x00 TTL=126 ID=812 PROTO=UDP SPT=1025 DPT=53 LEN=52
>
> where the machine 192.168.2.200 is locked and cannot work with the DNS (port
> 53) specified. But if I do an iptables-save, I get the following:
>
> -A FORWARD -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -i eth1 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
>


The input interface and output interface are the same (eth1), whereas it
should have been -i eth0 -o eth1. Match your interface numbers and it
should work.

Regards


Re: iptables problem

on 15.02.2005 11:39:54 by Luca Ferrari

On Tuesday 15 February 2005 11:30 Your Name's cat walking on the keyboard
wrote:

>
> The input interface and output interface are the same (eth1), whereas it
> should have been -i eth0 -o eth1. Match your interface numbers and it
> should work.
>

No, that's right, since the machine is, temporarily, working with a single
interface. In other words, eth1 is now the incoming/outgoing interface.

Luca


--
Luca Ferrari,
fluca1978@infinito.it

Re: iptables problem

on 15.02.2005 21:09:45 by Andreas Unterkircher

As far as I can see and understand your intent, you are only forwarding
(FORWARD chain) the internal request to the external interfaces.
Since private networks (10/8, 172.16/16, 192.168/24) are not routed in
the public internet you have to masquerade (NAT) the outgoing
request, so it doesn't contain the internal IPs anymore:

-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -o eth1 -p tcp -m tcp --dport 53 -j SNAT --to $YOUR_EXTERNAL_IP_IN_THE_INTERNET

(The rule is given without an input-interface match: iptables rejects -i in the nat POSTROUTING chain, since the packet's input interface is no longer known there.)


Luca Ferrari wrote:

>On Tuesday 15 February 2005 11:30 Your Name's cat walking on the keyboard
>wrote:
>
>>The input interface and output interface are the same (eth1), whereas it
>>should have been -i eth0 -o eth1. Match your interface numbers and it
>>should work.
>
>No, that's right, since the machine is, temporarily, working with a single
>interface. In other words, eth1 is now the incoming/outgoing interface.
>
>Luca
>

Re: iptables problem

on 15.02.2005 21:25:17 by drupix

Luca, please paste your iptables -L -n output here. It's much easier to follow.

--Adrian.


On Tue, 15 Feb 2005 21:09:45 +0100, Andreas Unterkircher
wrote:
> As far as I can see and understand your intent, you are only forwarding
> (FORWARD chain) the internal request to the external interfaces.
> Since private networks (10/8, 172.16/16, 192.168/24) are not routed in
> the public internet you have to masquerade (NAT) the outgoing
> request, so it doesn't contain the internal IPs anymore:
>
> -A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -o eth1 -p tcp -m tcp --dport 53 -j SNAT --to $YOUR_EXTERNAL_IP_IN_THE_INTERNET
>
> Luca Ferrari wrote:
>
> >On Tuesday 15 February 2005 11:30 Your Name's cat walking on the keyboard
> >wrote:
> >
> >>The input interface and output interface are the same (eth1), whereas it
> >>should have been -i eth0 -o eth1. Match your interface numbers and it
> >>should work.
> >
> >No, that's right, since the machine is, temporarily, working with a single
> >interface. In other words, eth1 is now the incoming/outgoing interface.
> >
> >Luca
> >

Re: iptables problem

on 16.02.2005 09:17:01 by Luca Ferrari

On Tuesday 15 February 2005 21:09 Andreas Unterkircher's cat walking on the
keyboard wrote:

> As far as I can see and understand your intent, you are only forwarding
> (FORWARD chain) the internal request to the external interfaces.
> Since private networks (10/8, 172.16/16, 192.168/24) are not routed in
> the public internet you have to masquerade (NAT) the outgoing
> request, so it doesn't contain the internal IPs anymore:
>
> -A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 212.97.32.2 -o eth1 -p tcp -m tcp --dport 53 -j SNAT --to $YOUR_EXTERNAL_IP_IN_THE_INTERNET
>

I'm not sure what you're saying, since the machine goes onto the internet
through an ADSL router that performs NAT by itself, so the firewall, as long
as I use eth1 both as internal and external interface, will only forward
requests to the ADSL router. However, here is the output of iptables
-L -n:

firewall:~ # iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.2.0/24 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 192.168.2.0/24
ACCEPT all -- 192.168.2.7 0.0.0.0/0
ACCEPT tcp -- 192.168.2.0/24 212.97.32.2 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 212.97.32.2 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 151.99.250.2 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 151.99.250.2 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 195.223.145.5 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 195.223.145.5 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 192.106.77.15 tcp dpt:110
ACCEPT udp -- 192.168.2.0/24 192.106.77.15 udp dpt:110
ACCEPT tcp -- 192.168.2.0/24 192.106.77.15 tcp dpt:25
ACCEPT udp -- 192.168.2.0/24 192.106.77.15 udp dpt:25
ACCEPT tcp -- 192.168.2.0/24 0.0.0.0/0 tcp dpt:54681
ACCEPT udp -- 192.168.2.0/24 0.0.0.0/0 udp dpt:54681
ACCEPT tcp -- 192.168.2.0/24 217.55.134.22 tcp dpt:21
ACCEPT tcp -- 192.168.2.0/24 192.106.77.78
ACCEPT tcp -- 192.168.2.0/24 192.168.2.7 tcp dpt:8080
ACCEPT udp -- 192.168.2.0/24 192.168.2.7 udp dpt:8080
ACCEPT tcp -- 192.168.2.0/24 192.168.2.7 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 192.168.2.7 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 192.168.2.7 tcp dpts:137:139
ACCEPT udp -- 192.168.2.0/24 192.168.2.7 udp dpts:137:139
ACCEPT tcp -- 192.168.2.0/24 192.168.2.7 tcp dpt:445
ACCEPT udp -- 192.168.2.0/24 192.168.2.7 udp dpt:445
ACCEPT tcp -- 192.168.2.2 192.168.2.7 tcp dpt:23
REJECT tcp -- 0.0.0.0/0 217.58.77.224/28 tcp dpt:23 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 217.58.77.224/28 udp dpt:23 reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.84.1 192.168.2.7 tcp dpt:23
drop-and-log-it all -- 192.168.2.0/24 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 192.168.2.7
ACCEPT tcp -- 0.0.0.0/0 192.168.2.7 state NEW,RELATED,ESTABLISHED tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.2.7 tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 192.168.2.7 0.0.0.0/0 tcp spt:21 dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 192.168.2.7 tcp spts:1024:65535 dpt:20
ACCEPT tcp -- 192.168.2.7 0.0.0.0/0 tcp spt:20 dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 192.168.2.7 udp spts:1024:65535 dpt:21
ACCEPT udp -- 192.168.2.7 0.0.0.0/0 udp spt:21 dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 192.168.2.7 udp spts:1024:65535 dpt:20
ACCEPT udp -- 192.168.2.7 0.0.0.0/0 udp spt:20 dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22
ACCEPT all -- 0.0.0.0/0 192.168.2.7 state RELATED,ESTABLISHED
drop-and-log-it all -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.2.0/24 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 192.168.2.0/24
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6881,6882,6883,6884,6885,6886,6887,6888,6889,1214 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6881,6882,6883,6884,6885,6886,6887,6888,6889,1214 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6346,6347 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6346,6347 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 4711,4665,4661,4672,4662,8080,9955 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:4242:4299 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:4242:4299 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6999 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:6881:6999 reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.2.0/24 0.0.0.0/0 tcp dpt:54681
ACCEPT udp -- 192.168.2.0/24 0.0.0.0/0 udp dpt:54681
ACCEPT tcp -- 192.168.2.0/24 192.168.4.0/24
ACCEPT udp -- 192.168.2.0/24 192.168.4.0/24
ACCEPT tcp -- 192.168.2.0/24 217.55.134.22 tcp dpt:21
ACCEPT tcp -- 192.168.2.0/24 192.106.77.78
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.2.7 0.0.0.0/0
ACCEPT tcp -- 192.168.2.0/24 212.97.32.2 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 212.97.32.2 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 151.99.250.2 tcp dpt:53
ACCEPT udp -- 192.168.2.0/24 151.99.250.2 udp dpt:53
ACCEPT udp -- 192.168.2.0/24 195.223.145.5 udp dpt:53
ACCEPT tcp -- 192.168.2.0/24 195.223.145.5 tcp dpt:53
ACCEPT tcp -- 192.168.2.0/24 192.106.77.15 tcp dpt:110
ACCEPT udp -- 192.168.2.0/24 192.106.77.15 udp dpt:110
ACCEPT tcp -- 192.168.2.0/24 192.106.77.15 tcp dpt:25
ACCEPT udp -- 192.168.2.0/24 192.106.77.15 udp dpt:25
ACCEPT tcp -- 192.168.2.0/24 85.33.98.138 tcp dpt:110
ACCEPT udp -- 192.168.2.0/24 85.33.98.138 udp dpt:110
ACCEPT tcp -- 192.168.2.0/24 85.33.98.138 tcp dpt:25
ACCEPT udp -- 192.168.2.0/24 85.33.98.138 udp dpt:25
ACCEPT tcp -- 192.168.2.0/24 85.33.98.138 tcp dpt:25
ACCEPT udp -- 192.168.2.0/24 85.33.98.138 udp dpt:25
ACCEPT tcp -- 192.168.2.0/24 151.4.29.163 tcp dpt:110
ACCEPT udp -- 192.168.2.0/24 151.4.29.163 udp dpt:110
ACCEPT tcp -- 192.168.2.0/24 151.4.29.163 tcp dpt:25
ACCEPT udp -- 192.168.2.0/24 151.4.29.163 udp dpt:25
drop-and-log-it all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.2.0/24 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 192.168.2.0/24
ACCEPT tcp -- 0.0.0.0/0 192.168.4.0/24
ACCEPT udp -- 0.0.0.0/0 192.168.4.0/24
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.2.7 192.168.2.0/24
ACCEPT all -- 192.168.2.7 192.168.2.0/24
drop-and-log-it all -- 0.0.0.0/0 192.168.2.0/24
ACCEPT all -- 192.168.2.7 0.0.0.0/0
drop-and-log-it all -- 0.0.0.0/0 0.0.0.0/0

Chain drop-and-log-it (5 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `PUPPUFIREWALL'
DROP all -- 0.0.0.0/0 0.0.0.0/0
firewall:~ #


Any idea?

Luca

--
Luca Ferrari,
fluca1978@infinito.it

Re: iptables problem

on 17.02.2005 19:45:07 by yayati

> I'm not sure what you're saying, since the machine goes onto the internet
> through an ADSL router that performs NAT by itself, so the firewall, as long
> as I use eth1 both as internal and external interface, will only forward
> requests to the ADSL router. However, here is the output of iptables
> -L -n:
>

ip_forwarding shall only work with two LAN cards; no setup shall work
as a firewall with one network interface.

I never tried aliasing either (eth1:0, eth1:1), but what sense would it
make even if it works? The firewall should be between two networks.

Regards
Yayati.


Re: iptables problem

on 17.02.2005 20:28:50 by Adam Lang

That isn't exactly true. If he is just trying to firewall traffic from the
firewall box itself, then you would only have one ethernet card.

Meaning, he has one computer hooked up to the ADSL line, and that computer
is the one he has the firewall set up on. There are no other computers on the network.

----- Original Message -----
From: "Your Name"
To: ;
Sent: Thursday, February 17, 2005 1:45 PM
Subject: Re: iptables problem


>
> ip_forwarding shall only work with two LAN cards; no setup shall work
> as a firewall with one network interface.
>
> I never tried aliasing either (eth1:0, eth1:1), but what sense would it
> make even if it works? The firewall should be between two networks.
>
> Regards
> Yayati.
>


Re: iptables problem

on 18.02.2005 09:45:44 by Luca Ferrari

On Thursday 17 February 2005 19:45 Your Name's cat walking on the keyboard
wrote:

> > I'm not sure what you're saying, since the machine goes onto the internet
> > through an ADSL router that performs NAT by itself, so the firewall, as long
> > as I use eth1 both as internal and external interface, will only forward
> > requests to the ADSL router. However, here is the output of iptables
> > -L -n:
>
> ip_forwarding shall only work with two LAN cards; no setup shall work
> as a firewall with one network interface.
>

That's not true, since I was working (thanks to suggestions from this mailing
list) with a single network interface. Now that I have tried it, it's working
the right way (i.e., with two network cards), but even with one it was
working.

Luca
--
Luca Ferrari,
fluca1978@infinito.it