[nmglug] iptables / routing question,
Andres Paglayan
andres at paglayan.com
Wed Dec 13 10:11:53 PST 2006
thx for the comment
basically I want packets destined to 192.168.50.0/24 incoming on eth0
(192.168.1.1)
to be forwarded to eth2 (192.168.50.1)
currently the subnet at 192.168.50 can ping 192.168.1. ,
but 1.1 can't go the other way
routing table is
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.12.223.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
65.19.28.0      0.0.0.0         255.255.255.0   U     0      0        0 eth3
10.12.223.0     10.12.223.2     255.255.255.0   UG    0      0        0 tun0
0.0.0.0         65.19.28.1      0.0.0.0         UG    0      0        0 eth3
and iptables with eth* info it is
root at ipcop:~ # iptables -vL
Chain BADTCP (2 references)
pkts bytes target prot opt in out source destination
0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
63 32929 NEWNOTSYN tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

Chain CUSTOMFORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- eth0 eth3 anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
0 0 REJECT tcp -- eth1 eth3 anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable

Chain CUSTOMINPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- any any !localhost anywhere tcp dpt:mdbs_daemon reject-with icmp-port-unreachable

Chain CUSTOMOUTPUT (1 references)
pkts bytes target prot opt in out source destination

Chain DHCPBLUEINPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 any anywhere anywhere tcp spt:bootpc dpt:bootps
0 0 ACCEPT udp -- eth1 any anywhere anywhere udp spt:bootpc dpt:bootps

Chain DMZHOLES (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:http
0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:microsoft-ds
0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:citriximaclient
0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:4994

Chain GUIINPUT (1 references)
pkts bytes target prot opt in out source destination
63 3841 ACCEPT icmp -- any any anywhere anywhere icmp echo-request

Chain INPUT (policy DROP 56 packets, 10996 bytes)
pkts bytes target prot opt in out source destination
171K 113M ipac~o all -- any any anywhere anywhere
171K 113M BADTCP all -- any any anywhere anywhere
4885 228K tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
171K 113M CUSTOMINPUT all -- any any anywhere anywhere
171K 113M GUIINPUT all -- any any anywhere anywhere
151K 111M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3126 140K ACCEPT all -- lo any anywhere anywhere state NEW
0 0 DROP all -- any any 127.0.0.0/8 anywhere state NEW
0 0 DROP all -- any any anywhere 127.0.0.0/8 state NEW
16432 1654K ACCEPT !icmp -- eth0 any anywhere anywhere state NEW
0 0 ACCEPT all -- ipsec+ any anywhere anywhere
56 10996 DHCPBLUEINPUT all -- any any anywhere anywhere
56 10996 IPSECRED all -- any any anywhere anywhere
56 10996 OVPNINPUT all -- any any anywhere anywhere
56 10996 IPSECBLUE all -- any any anywhere anywhere
50 9620 WIRELESSINPUT all -- any any anywhere anywhere state NEW
56 10996 REDINPUT all -- any any anywhere anywhere
50 9620 XTACCESS all -- any any anywhere anywhere state NEW
56 10996 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `INPUT '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
71512 42M ipac~fi all -- any any anywhere anywhere
71512 42M ipac~fo all -- any any anywhere anywhere
71512 42M BADTCP all -- any any anywhere anywhere
2013 98252 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
71512 42M CUSTOMFORWARD all -- any any anywhere anywhere
69990 42M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo any anywhere anywhere state NEW
0 0 DROP all -- any any 127.0.0.0/8 anywhere state NEW
0 0 DROP all -- any any anywhere 127.0.0.0/8 state NEW
1516 90576 ACCEPT all -- eth0 any anywhere anywhere state NEW
0 0 ACCEPT all -- eth2 eth2 anywhere anywhere state NEW
6 336 OVPNFORWARD all -- any any anywhere anywhere
0 0 ACCEPT all -- ipsec+ any anywhere anywhere
6 336 WIRELESSFORWARD all -- any any anywhere anywhere state NEW
6 336 REDFORWARD all -- any any anywhere anywhere
0 0 DMZHOLES all -- eth2 any anywhere anywhere state NEW
6 336 PORTFWACCESS all -- any any anywhere anywhere state NEW
0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '

Chain IPSECBLUE (1 references)
pkts bytes target prot opt in out source destination

Chain IPSECRED (1 references)
pkts bytes target prot opt in out source destination

Chain LOG_DROP (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning
0 0 DROP all -- any any anywhere anywhere

Chain LOG_REJECT (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable

Chain NEWNOTSYN (1 references)
pkts bytes target prot opt in out source destination
45 17560 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
63 32929 DROP all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 165K packets, 110M bytes)
pkts bytes target prot opt in out source destination
165K 110M ipac~i all -- any any anywhere anywhere
165K 110M CUSTOMOUTPUT all -- any any anywhere anywhere

Chain OVPNFORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ any anywhere anywhere

Chain OVPNINPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- eth3 any anywhere anywhere udp dpt:openvpn
0 0 ACCEPT all -- tun+ any anywhere anywhere

Chain PORTFWACCESS (1 references)
pkts bytes target prot opt in out source destination
6 336 ACCEPT tcp -- eth3 any anywhere whs.localdomain tcp dpt:ssh

Chain PSCAN (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
0 0 LOG udp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
0 0 LOG icmp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
0 0 LOG all -f any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
0 0 DROP all -- any any anywhere anywhere

Chain REDFORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth2 eth3 anywhere anywhere
0 0 ACCEPT udp -- eth2 eth3 anywhere anywhere

Chain REDINPUT (1 references)
pkts bytes target prot opt in out source destination

Chain WIRELESSFORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG_DROP all -- eth1 any anywhere anywhere

Chain WIRELESSINPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG_DROP all -- eth1 any anywhere anywhere

Chain XTACCESS (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth3 any anywhere 65.19.28.123 tcp dpt:ident

Chain ipac~fi (1 references)
pkts bytes target prot opt in out source destination
130 11693 all -- eth0 any anywhere anywhere
0 0 all -- eth2 any anywhere anywhere
0 0 all -- eth1 any anywhere anywhere
129 87740 all -- eth3 any anywhere anywhere

Chain ipac~fo (1 references)
pkts bytes target prot opt in out source destination
129 87740 all -- any eth0 anywhere anywhere
0 0 all -- any eth2 anywhere anywhere
0 0 all -- any eth1 anywhere anywhere
130 11693 all -- any eth3 anywhere anywhere

Chain ipac~i (1 references)
pkts bytes target prot opt in out source destination
231 157K all -- any eth0 anywhere anywhere
0 0 all -- any eth2 anywhere anywhere
0 0 all -- any eth1 anywhere anywhere
144 19966 all -- any eth3 anywhere anywhere

Chain ipac~o (1 references)
pkts bytes target prot opt in out source destination
293 31279 all -- eth0 any anywhere anywhere
0 0 all -- eth2 any anywhere anywhere
0 0 all -- eth1 any anywhere anywhere
133 130K all -- eth3 any anywhere anywhere
On Dec 13, 2006, at 10:24 AM, Ed Brown wrote:
> Andres Paglayan wrote:
>> the output of iptables -L
>
> Try 'iptables -vL' (or -nvL). Without the interface info in the
> rules, it's hard to tell very much from them.
>
> -Ed
>
> _______________________________________________
> nmglug mailing list
> nmglug at nmglug.org
> http://www.nmglug.org/mailman/listinfo/nmglug
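An added example for reading a listing like the one in this thread (it is not IPCop code and not part of the original message): a small Python walker that parses `iptables -vL`-style text into chains and traces one packet through FORWARD, reporting which rule, sub-chain or policy decides it. The `SAMPLE` text is a constructed excerpt that copies the format of the listing above, with the port written numerically as `-nvL` prints it; the packet dictionaries are likewise constructed. Only the columns the listing shows (interfaces, protocol, addresses, `state`, `dpt:`) are modelled; `limit`, TCP-flag and other matches are treated as always matching, and counting rules with an empty target column (the `ipac~` chains) are handled as non-terminating.

```python
"""Trace a packet through the FORWARD chain of `iptables -vL` output.

Added illustration, not IPCop code or the poster's own. Only interface,
protocol, address, `state` and `dpt:` matches are modelled; limit, TCP-flag
and other matches are treated as always matching.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed excerpt in the listing's format (port numeric, as -nvL prints it).
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
71512   42M ipac~fi    all  --  any    any     anywhere             anywhere
69990   42M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
 1516 90576 ACCEPT     all  --  eth0   any     anywhere             anywhere             state NEW
    0     0 ACCEPT     all  --  eth2   eth2    anywhere             anywhere             state NEW
    0     0 DMZHOLES   all  --  eth2   any     anywhere             anywhere             state NEW
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '

Chain DMZHOLES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0/24      192.168.1.0/24       tcp dpt:80

Chain ipac~fi (1 references)
 pkts bytes target     prot opt in     out     source               destination
  130 11693            all  --  eth0   any     anywhere             anywhere
"""

PROTOCOLS = {"all", "tcp", "udp", "icmp"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
Rule = namedtuple("Rule", "target prot in_if out_if src dst opts")


def parse_listing(text):
    """Parse `iptables -vL` text into {chain: {"policy": str, "rules": [Rule]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                   # policy "" marks a user-defined chain
            current = chains[m.group(1)] = {"policy": m.group(2) or "", "rules": []}
            continue
        tok = line.split()
        if current is None or not tok or tok[0] == "pkts":
            continue                            # blank line or column header
        if tok[2].lstrip("!") in PROTOCOLS:     # no target column: a counting rule
            tok.insert(2, "")
        current["rules"].append(Rule(tok[2], tok[3], tok[5], tok[6], tok[7], tok[8], tok[9:]))
    return chains


def _if_match(spec, name):
    """Interface column: any, exact name, or prefix wildcard such as tun+."""
    return spec == "any" or (name.startswith(spec[:-1]) if spec.endswith("+") else name == spec)


def _addr_match(spec, ip):
    if spec in ("anywhere", "0.0.0.0/0"):
        return True
    neg = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != neg


def matches(rule, pkt):
    """True if pkt hits this rule under the simplified match set."""
    if rule.prot != "all":
        neg = rule.prot.startswith("!")         # e.g. the "!icmp" rule in INPUT
        if (rule.prot.lstrip("!") == pkt["prot"]) == neg:
            return False
    if not (_if_match(rule.in_if, pkt["in_if"]) and _if_match(rule.out_if, pkt["out_if"])):
        return False
    if not (_addr_match(rule.src, pkt["src"]) and _addr_match(rule.dst, pkt["dst"])):
        return False
    for i, opt in enumerate(rule.opts):
        if opt == "state" and pkt["state"] not in rule.opts[i + 1].split(","):
            return False
        if opt.startswith("dpt:") and str(pkt.get("dport")) != opt[4:]:
            return False
    return True


def walk(chains, name, pkt):
    """Return (verdict, where) once a terminal target or a policy decides pkt;
    None when a user-defined chain falls through to its caller."""
    chain = chains[name]
    for idx, rule in enumerate(chain["rules"], 1):
        if not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, f"{name} rule {idx}"
        if rule.target == "RETURN":
            break
        if rule.target in chains:               # jump into a user-defined chain
            verdict = walk(chains, rule.target, pkt)
            if verdict:
                return verdict
        # LOG, TCPMSS, counting rules and unknown targets do not terminate
    return (chain["policy"], name + " policy") if chain["policy"] else None


def forward_verdict(listing, pkt):
    return walk(parse_listing(listing), "FORWARD", pkt)


if __name__ == "__main__":
    pkt = {"in_if": "eth0", "out_if": "eth2", "prot": "icmp", "src": "192.168.1.10", "dst": "192.168.50.5", "state": "NEW"}
    print("GREEN->DMZ new ping:", forward_verdict(SAMPLE, pkt))
```

With the constructed excerpt, a new ping from eth0 to eth2 is accepted by the third FORWARD rule (the `eth0 any ... state NEW` accept), a new ping the other way falls through DMZHOLES and the LOG rule to the chain's DROP policy, and a new TCP connection to port 80 from 192.168.50.0/24 to 192.168.1.0/24 is accepted inside DMZHOLES. Treat the output as a reading aid for the listing rather than the kernel's verdict: a rule whose decisive match is a TCP flag or a rate limit is reported as matching. An ACCEPT in FORWARD is also only half the path; the kernel still needs `net.ipv4.ip_forward` enabled and a route for the destination network, like the `192.168.50.0 ... eth2` entry in the routing table above.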