[nmglug] iptables / routing question,
Andres Paglayan
andres at paglayan.com
Wed Dec 13 07:58:51 PST 2006
ip_forward was already 1, as in:

root at ipcop:~ # cat /proc/sys/net/ipv4/ip_forward
1

This is an ipcop firewall; it has snort and dansguardian plugged in.
I placed the pinholes for the outside network to access mine on
certain ports, as in chain DMZHOLES. I will try with the bit notation /24 too.
By default, packets originating on the "green" (own inside subnet)
shouldn't be dropped; I can't see any drop instruction for those.
That's why I was wondering whether to put a top iptables rule to
forward all packets.

The output of iptables -L is only:
root at ipcop:~ # iptables -L
Chain BADTCP (2 references)
target     prot opt source       destination
PSCAN      tcp  --  anywhere     anywhere     tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN      tcp  --  anywhere     anywhere     tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN      tcp  --  anywhere     anywhere     tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN      tcp  --  anywhere     anywhere     tcp flags:SYN,RST/SYN,RST
PSCAN      tcp  --  anywhere     anywhere     tcp flags:FIN,SYN/FIN,SYN
NEWNOTSYN  tcp  --  anywhere     anywhere     tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

Chain CUSTOMFORWARD (1 references)
target     prot opt source       destination
REJECT     tcp  --  anywhere     anywhere     tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere     anywhere     tcp dpt:http reject-with icmp-port-unreachable

Chain CUSTOMINPUT (1 references)
target     prot opt source       destination
REJECT     tcp  --  !localhost   anywhere     tcp dpt:mdbs_daemon reject-with icmp-port-unreachable

Chain CUSTOMOUTPUT (1 references)
target     prot opt source       destination

Chain DHCPBLUEINPUT (1 references)
target     prot opt source       destination
ACCEPT     tcp  --  anywhere     anywhere     tcp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere     anywhere     udp spt:bootpc dpt:bootps

Chain DMZHOLES (1 references)
target     prot opt source        destination
ACCEPT     tcp  --  192.168.50.0  192.168.1.0  tcp dpt:http
ACCEPT     tcp  --  192.168.50.0  192.168.1.0  tcp dpt:microsoft-ds
ACCEPT     tcp  --  192.168.50.0  192.168.1.0  tcp dpt:citriximaclient
ACCEPT     tcp  --  192.168.50.0  192.168.1.0  tcp dpt:4994

Chain GUIINPUT (1 references)
target     prot opt source       destination
ACCEPT     icmp --  anywhere     anywhere     icmp echo-request

Chain INPUT (policy DROP)
target     prot opt source       destination
ipac~o     all  --  anywhere     anywhere
BADTCP     all  --  anywhere     anywhere
           tcp  --  anywhere     anywhere     tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
CUSTOMINPUT all --  anywhere     anywhere
GUIINPUT   all  --  anywhere     anywhere
ACCEPT     all  --  anywhere     anywhere     state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere     anywhere     state NEW
DROP       all  --  127.0.0.0/8  anywhere     state NEW
DROP       all  --  anywhere     127.0.0.0/8  state NEW
ACCEPT    !icmp --  anywhere     anywhere     state NEW
ACCEPT     all  --  anywhere     anywhere
DHCPBLUEINPUT all -- anywhere    anywhere
IPSECRED   all  --  anywhere     anywhere
OVPNINPUT  all  --  anywhere     anywhere
IPSECBLUE  all  --  anywhere     anywhere
WIRELESSINPUT all -- anywhere    anywhere     state NEW
REDINPUT   all  --  anywhere     anywhere
XTACCESS   all  --  anywhere     anywhere     state NEW
LOG        all  --  anywhere     anywhere     limit: avg 10/min burst 5 LOG level warning prefix `INPUT '

Chain FORWARD (policy DROP)
target     prot opt source       destination
ipac~fi    all  --  anywhere     anywhere
ipac~fo    all  --  anywhere     anywhere
BADTCP     all  --  anywhere     anywhere
TCPMSS     tcp  --  anywhere     anywhere     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
CUSTOMFORWARD all -- anywhere    anywhere
ACCEPT     all  --  anywhere     anywhere     state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere     anywhere     state NEW
DROP       all  --  127.0.0.0/8  anywhere     state NEW
DROP       all  --  anywhere     127.0.0.0/8  state NEW
ACCEPT     all  --  anywhere     anywhere     state NEW
ACCEPT     all  --  anywhere     anywhere     state NEW
OVPNFORWARD all --  anywhere     anywhere
ACCEPT     all  --  anywhere     anywhere
WIRELESSFORWARD all -- anywhere  anywhere     state NEW
REDFORWARD all  --  anywhere     anywhere
DMZHOLES   all  --  anywhere     anywhere     state NEW
PORTFWACCESS all -- anywhere     anywhere     state NEW
LOG        all  --  anywhere     anywhere     limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '

Chain IPSECBLUE (1 references)
target     prot opt source       destination

Chain IPSECRED (1 references)
target     prot opt source       destination

Chain LOG_DROP (2 references)
target     prot opt source       destination
LOG        all  --  anywhere     anywhere     limit: avg 10/min burst 5 LOG level warning
DROP       all  --  anywhere     anywhere

Chain LOG_REJECT (0 references)
target     prot opt source       destination
LOG        all  --  anywhere     anywhere     limit: avg 10/min burst 5 LOG level warning
REJECT     all  --  anywhere     anywhere     reject-with icmp-port-unreachable

Chain NEWNOTSYN (1 references)
target     prot opt source       destination
LOG        all  --  anywhere     anywhere     limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
DROP       all  --  anywhere     anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source       destination
ipac~i     all  --  anywhere     anywhere
CUSTOMOUTPUT all -- anywhere     anywhere

Chain OVPNFORWARD (1 references)
target     prot opt source       destination
ACCEPT     all  --  anywhere     anywhere

Chain OVPNINPUT (1 references)
target     prot opt source       destination
ACCEPT     udp  --  anywhere     anywhere     udp dpt:openvpn
ACCEPT     all  --  anywhere     anywhere

Chain PORTFWACCESS (1 references)
target     prot opt source       destination
ACCEPT     tcp  --  anywhere     whs.localdomain  tcp dpt:ssh

Chain PSCAN (5 references)
target     prot opt source       destination
LOG        tcp  --  anywhere     anywhere     limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
LOG        udp  --  anywhere     anywhere     limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
LOG        icmp --  anywhere     anywhere     limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
LOG        all  -f  anywhere     anywhere     limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
DROP       all  --  anywhere     anywhere

Chain REDFORWARD (1 references)
target     prot opt source       destination
ACCEPT     tcp  --  anywhere     anywhere
ACCEPT     udp  --  anywhere     anywhere

Chain REDINPUT (1 references)
target     prot opt source       destination

Chain WIRELESSFORWARD (1 references)
target     prot opt source       destination
LOG_DROP   all  --  anywhere     anywhere

Chain WIRELESSINPUT (1 references)
target     prot opt source       destination
LOG_DROP   all  --  anywhere     anywhere

Chain XTACCESS (1 references)
target     prot opt source       destination
ACCEPT     tcp  --  anywhere     65.19.28.123  tcp dpt:ident

Chain ipac~fi (1 references)
target     prot opt source       destination
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere

Chain ipac~fo (1 references)
target     prot opt source       destination
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere

Chain ipac~i (1 references)
target     prot opt source       destination
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere

Chain ipac~o (1 references)
target     prot opt source       destination
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere
           all  --  anywhere     anywhere
On Dec 12, 2006, at 10:53 PM, Gary Sandine wrote:
> On Tue, 2006-12-12 at 11:05 -0700, Andres Paglayan wrote:
>> I am trying to route all incoming traffic in eth0 (192.168.1.1)
>> directed to 192.168.50.0/24 through eth2 (192.168.50.1)
>>
>>
>> I did:
>>
>> route add -net 192.168.50.0/24 gw 192.168.50.1
>>
>> and my route -n looks like
>>
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 10.12.223.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
>> 192.168.50.0    192.168.50.1    255.255.255.0   UG    0      0        0 eth2
>> 192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
>> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
>> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 65.19.28.0      0.0.0.0         255.255.255.0   U     0      0        0 eth3
>> 10.12.223.0     10.12.223.2     255.255.255.0   UG    0      0        0 tun0
>> 0.0.0.0         65.19.28.1      0.0.0.0         UG    0      0        0 eth3
>
> Whoa.
>
> [..]
>> I can ping 192.168.50.254 host from within the router,
>> but I cannot from any other pc in the subnet.
>>
>> I think I should add an iptables forwarding
>> (the iptables at this host is fairly complex and my guess is the
>> traffic is being dropped somewhere)
>
> If there's no iptables rule prohibiting this, maybe this will be
> enough:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> I'd like to know... :)
>
> What's there before you do that?
>
> cat /proc/sys/net/ipv4/ip_forward
>
>
>
> _______________________________________________
> nmglug mailing list
> nmglug at nmglug.org
> http://www.nmglug.org/mailman/listinfo/nmglug
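An added diagnostic script for the situation in this thread (my own example, not code from the thread or from ipcop), showing the checks to run before reaching for a "forward all packets" rule. It takes from the thread that green is eth0/192.168.1.0/24, that the new subnet is on eth2 with 192.168.50.1 on the firewall, that FORWARD has policy DROP and ends in a LOG rule with prefix 'OUTPUT ', and that CUSTOMFORWARD is evaluated before the stateful ACCEPTs. The syslog path and the sample log line are assumptions. Two things the plain iptables -L output above cannot show make it a weak basis for a decision: without -v the -i/-o interface matches and packet counters are hidden, so the several identical-looking "ACCEPT all anywhere anywhere state NEW" lines in FORWARD cannot be told apart; and a bare 192.168.50.0 in DMZHOLES (no /24) is a /32 host match that never fires for the subnet, and those rules are in any case source 192.168.50.x to destination 192.168.1.x, the opposite of the direction being debugged. One cause of "works from the router, not from the LAN" that no iptables rule explains: a ping from the firewall is sourced from 192.168.50.1, which 192.168.50.254 can answer on-link, whereas a ping from 192.168.1.x needs that host to have a route back to 192.168.1.0/24 via 192.168.50.1 (the posted route table also carries a redundant gateway entry for 192.168.50.0 via the firewall's own eth2 address; the connected route beneath it is the one that matters).

```shell
#!/bin/sh
# diagnose-forward.sh -- added example, not code from the thread or from ipcop.
# Finds where green -> 192.168.50.0/24 traffic dies on the firewall above
# instead of opening FORWARD wholesale.
#
# Taken from the thread: green = eth0/192.168.1.0/24, the new subnet is on
# eth2 with 192.168.50.1 on the firewall, FORWARD policy is DROP, its last
# rule LOGs with prefix 'OUTPUT ', and CUSTOMFORWARD runs before the stateful
# ACCEPTs.  Assumed: the syslog path and the sample log line below.

GREEN_IF=eth0;  GREEN_NET=192.168.1.0/24
NEW_IF=eth2;    NEW_NET=192.168.50.0/24
SYSLOG=/var/log/messages                       # assumption

# Constructed sample of what the final FORWARD LOG rule would write for an
# ICMP echo from a green host that matched nothing above it.
SAMPLE_LOG='Dec 13 07:58:51 ipcop kernel: OUTPUT IN=eth0 OUT=eth2 SRC=192.168.1.20 DST=192.168.50.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1'

# Reduce a kernel firewall log line to "IN OUT SRC DST" so the interface
# pair and addresses of each logged drop are obvious at a glance.
parse_fw_log() {
    awk '{
        in_ = out = src = dst = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if      (kv[1] == "IN")  in_ = kv[2]
            else if (kv[1] == "OUT") out = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
        }
        print in_, out, src, dst
    }'
}

# Flag ACCEPT/DROP/REJECT rules whose source or destination is a bare
# x.y.z.0 with no mask: iptables -L prints 192.168.50.0 (no /24) for a /32
# host match, so such a rule only matches the host .0 and never fires for
# the subnet.  Reads iptables -L output on stdin.
flag_unmasked_nets() {
    awk '($1 == "ACCEPT" || $1 == "DROP" || $1 == "REJECT") &&
         ($4 ~ /\.0$/ || $5 ~ /\.0$/) { print "unmasked network in rule: " $0 }'
}

# Build the narrowest rule that solves the stated problem: NEW connections
# from green to the new subnet, bound to the interface pair.  Replies are
# already accepted by the RELATED,ESTABLISHED rule in FORWARD, and nothing
# in the other direction is opened.
build_forward_rule() {
    printf 'iptables -I CUSTOMFORWARD -i %s -o %s -s %s -d %s -m state --state NEW -j ACCEPT\n' \
        "$1" "$2" "$3" "$4"
}

# Live checks; only run on the firewall as root ("sh diagnose-forward.sh run").
main() {
    echo "ip_forward: $(cat /proc/sys/net/ipv4/ip_forward)"
    # -v shows the -i/-o matches and packet counters that plain -L hides;
    # that is how you tell the identical-looking "ACCEPT ... state NEW"
    # lines in FORWARD apart, and which rule last touched the packet.
    iptables -L FORWARD -v -n --line-numbers
    iptables -L -n | flag_unmasked_nets
    # Drops that fell through to the end of FORWARD carry prefix 'OUTPUT '.
    grep 'OUTPUT IN=' "$SYSLOG" | tail -n 5 | parse_fw_log
    echo "Suggested rule (review, then run; the 192.168.50.x hosts also need"
    echo "a route back to $GREEN_NET via the firewall's eth2 address):"
    build_forward_rule "$GREEN_IF" "$NEW_IF" "$GREEN_NET" "$NEW_NET"
}

if [ "${1:-}" = run ]; then
    main
fi
```

Run it with the `run` argument on the firewall; without it the script only defines the helpers, so the parsing and rule-building pieces can be exercised anywhere. The suggested rule lands in CUSTOMFORWARD, which this ipcop evaluates before the LOG at the end of FORWARD, so once it is in place the 'OUTPUT ' drop lines for that interface pair should stop appearing.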