[nmglug] iptables / routing question,
Ed Brown
ebrown at lanl.gov
Wed Dec 13 11:06:46 PST 2006
Andres Paglayan wrote:
> thx for the comment
>
> basically I want packets destined to 192.168.50.0/24 incoming on eth0
> (192.168.1.1)
> to be forwarded to eth2 (192.168.50.1)
>
> currently the subnet at 192.168.50 can ping 192.168.1. ,
> but 1.1 can't go the other way
Are you sure you don't mean to say the opposite: that you are able to
ping the 192.168.50 subnet from the 192.168.1 subnet, but not vice
versa? To be able to ping from the .50, you'd need to allow it in
DMZHOLES, which you don't. Also, the packet counts below show no
traffic even hitting the DMZHOLES table. If you really can do what
you say, then possibly the interface names / IP addresses / and/or
cable connections don't line up. Double-check ifconfig output, and
maybe try pinging a system on each subnet from ipcop...
> routing table is
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.12.223.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 65.19.28.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
> 10.12.223.0 10.12.223.2 255.255.255.0 UG 0 0 0 tun0
> 0.0.0.0 65.19.28.1 0.0.0.0 UG 0 0 0 eth3
>
> and iptables with eth* info it is
> root at ipcop:~ # iptables -vL
> Chain BADTCP (2 references)
> pkts bytes target prot opt in out source destination
> 0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> 0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
> 0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
> 0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
> 0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
> 63 32929 NEWNOTSYN tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
>
> Chain CUSTOMFORWARD (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 REJECT tcp -- eth0 eth3 anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
> 0 0 REJECT tcp -- eth1 eth3 anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
>
> Chain CUSTOMINPUT (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 REJECT tcp -- any any !localhost anywhere tcp dpt:mdbs_daemon reject-with icmp-port-unreachable
>
> Chain CUSTOMOUTPUT (1 references)
> pkts bytes target prot opt in out source destination
>
> Chain DHCPBLUEINPUT (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth1 any anywhere anywhere tcp spt:bootpc dpt:bootps
> 0 0 ACCEPT udp -- eth1 any anywhere anywhere udp spt:bootpc dpt:bootps
>
> Chain DMZHOLES (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:http
> 0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:microsoft-ds
> 0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:citriximaclient
> 0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:4994
>
> Chain GUIINPUT (1 references)
> pkts bytes target prot opt in out source destination
> 63 3841 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
>
> Chain INPUT (policy DROP 56 packets, 10996 bytes)
> pkts bytes target prot opt in out source destination
> 171K 113M ipac~o all -- any any anywhere anywhere
> 171K 113M BADTCP all -- any any anywhere anywhere
> 4885 228K tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
> 171K 113M CUSTOMINPUT all -- any any anywhere anywhere
> 171K 113M GUIINPUT all -- any any anywhere anywhere
> 151K 111M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 3126 140K ACCEPT all -- lo any anywhere anywhere state NEW
> 0 0 DROP all -- any any 127.0.0.0/8 anywhere state NEW
> 0 0 DROP all -- any any anywhere 127.0.0.0/8 state NEW
> 16432 1654K ACCEPT !icmp -- eth0 any anywhere anywhere state NEW
> 0 0 ACCEPT all -- ipsec+ any anywhere anywhere
> 56 10996 DHCPBLUEINPUT all -- any any anywhere anywhere
> 56 10996 IPSECRED all -- any any anywhere anywhere
> 56 10996 OVPNINPUT all -- any any anywhere anywhere
> 56 10996 IPSECBLUE all -- any any anywhere anywhere
> 50 9620 WIRELESSINPUT all -- any any anywhere anywhere state NEW
> 56 10996 REDINPUT all -- any any anywhere anywhere
> 50 9620 XTACCESS all -- any any anywhere anywhere state NEW
> 56 10996 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `INPUT '
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 71512 42M ipac~fi all -- any any anywhere anywhere
> 71512 42M ipac~fo all -- any any anywhere anywhere
> 71512 42M BADTCP all -- any any anywhere anywhere
> 2013 98252 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> 71512 42M CUSTOMFORWARD all -- any any anywhere anywhere
> 69990 42M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- lo any anywhere anywhere state NEW
> 0 0 DROP all -- any any 127.0.0.0/8 anywhere state NEW
> 0 0 DROP all -- any any anywhere 127.0.0.0/8 state NEW
> 1516 90576 ACCEPT all -- eth0 any anywhere anywhere state NEW
> 0 0 ACCEPT all -- eth2 eth2 anywhere anywhere state NEW
> 6 336 OVPNFORWARD all -- any any anywhere anywhere
> 0 0 ACCEPT all -- ipsec+ any anywhere anywhere
> 6 336 WIRELESSFORWARD all -- any any anywhere anywhere state NEW
> 6 336 REDFORWARD all -- any any anywhere anywhere
> 0 0 DMZHOLES all -- eth2 any anywhere anywhere state NEW
> 6 336 PORTFWACCESS all -- any any anywhere anywhere state NEW
> 0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '
>
> Chain IPSECBLUE (1 references)
> pkts bytes target prot opt in out source destination
>
> Chain IPSECRED (1 references)
> pkts bytes target prot opt in out source destination
>
> Chain LOG_DROP (2 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain LOG_REJECT (0 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning
> 0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
>
> Chain NEWNOTSYN (1 references)
> pkts bytes target prot opt in out source destination
> 45 17560 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
> 63 32929 DROP all -- any any anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT 165K packets, 110M bytes)
> pkts bytes target prot opt in out source destination
> 165K 110M ipac~i all -- any any anywhere anywhere
> 165K 110M CUSTOMOUTPUT all -- any any anywhere anywhere
>
> Chain OVPNFORWARD (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- tun+ any anywhere anywhere
>
> Chain OVPNINPUT (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT udp -- eth3 any anywhere anywhere udp dpt:openvpn
> 0 0 ACCEPT all -- tun+ any anywhere anywhere
>
> Chain PORTFWACCESS (1 references)
> pkts bytes target prot opt in out source destination
> 6 336 ACCEPT tcp -- eth3 any anywhere whs.localdomain tcp dpt:ssh
>
> Chain PSCAN (5 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG tcp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
> 0 0 LOG udp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
> 0 0 LOG icmp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
> 0 0 LOG all -f any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain REDFORWARD (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth2 eth3 anywhere anywhere
> 0 0 ACCEPT udp -- eth2 eth3 anywhere anywhere
>
> Chain REDINPUT (1 references)
> pkts bytes target prot opt in out source destination
>
> Chain WIRELESSFORWARD (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG_DROP all -- eth1 any anywhere anywhere
>
> Chain WIRELESSINPUT (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG_DROP all -- eth1 any anywhere anywhere
>
> Chain XTACCESS (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth3 any anywhere 65.19.28.123 tcp dpt:ident
>
> Chain ipac~fi (1 references)
> pkts bytes target prot opt in out source destination
> 130 11693 all -- eth0 any anywhere anywhere
> 0 0 all -- eth2 any anywhere anywhere
> 0 0 all -- eth1 any anywhere anywhere
> 129 87740 all -- eth3 any anywhere anywhere
>
> Chain ipac~fo (1 references)
> pkts bytes target prot opt in out source destination
> 129 87740 all -- any eth0 anywhere anywhere
> 0 0 all -- any eth2 anywhere anywhere
> 0 0 all -- any eth1 anywhere anywhere
> 130 11693 all -- any eth3 anywhere anywhere
>
> Chain ipac~i (1 references)
> pkts bytes target prot opt in out source destination
> 231 157K all -- any eth0 anywhere anywhere
> 0 0 all -- any eth2 anywhere anywhere
> 0 0 all -- any eth1 anywhere anywhere
> 144 19966 all -- any eth3 anywhere anywhere
>
> Chain ipac~o (1 references)
> pkts bytes target prot opt in out source destination
> 293 31279 all -- eth0 any anywhere anywhere
> 0 0 all -- eth2 any anywhere anywhere
> 0 0 all -- eth1 any anywhere anywhere
> 133 130K all -- eth3 any anywhere anywhere
>
>
>
>
> On Dec 13, 2006, at 10:24 AM, Ed Brown wrote:
>
>> Andres Paglayan wrote:
>>> the output of iptables -L
>>
>> Try 'iptables -vL' (or -nvL). Without the interface info in the
>> rules, it's hard to tell very much from them.
>>
>> -Ed
>>
>> _______________________________________________
>> nmglug mailing list
>> nmglug at nmglug.org
>> http://www.nmglug.org/mailman/listinfo/nmglug
>
>
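The asymmetry Ed points at (NEW traffic arriving on eth0 is accepted outright by the FORWARD chain, NEW traffic arriving on eth2 gets only what DMZHOLES lets through, and anything else is logged and dropped by the chain policy) is easy to check by hand against the counters above, but a small rule walker makes the path explicit. The following is an added Python example, not code from this thread or from IPCop. It parses a constructed excerpt written in the `iptables -vL` layout of the quoted FORWARD and DMZHOLES chains, with each rule rejoined onto one line and the DMZ networks given an explicit /24 mask (an assumption; the quoted output prints them without one), then walks a packet through the chain. Only the match fields the excerpt uses are modelled (in/out interface, protocol, source/destination network, `dpt:`, conntrack state); LOG is non-terminating and a user chain with no matching rule returns to its caller, as in iptables.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed excerpt in the `iptables -vL` layout of the quoted ruleset, one rule per line
# (the ipac~* accounting rules, whose target column is empty, are left out).
# ASSUMPTION: the DMZ networks carry an explicit /24 mask; the quoted output prints none.
RULES = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 69990 42M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 1516 90576 ACCEPT all -- eth0 any anywhere anywhere state NEW
 0 0 ACCEPT all -- eth2 eth2 anywhere anywhere state NEW
 0 0 DMZHOLES all -- eth2 any anywhere anywhere state NEW
 0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '

Chain DMZHOLES (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0/24 192.168.1.0/24 tcp dpt:http
 0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0/24 192.168.1.0/24 tcp dpt:4994
"""
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"http": 80, "ssh": 22}   # service names iptables -L prints for well-known ports
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
Rule = namedtuple("Rule", "target proto in_if out_if src dst dport states", defaults=(None, None))
Packet = namedtuple("Packet", "in_if out_if proto src dst state dport", defaults=(None,))  # state = conntrack state

def _net(tok):
    return ANY_NET if tok == "anywhere" else ipaddress.ip_network(tok, strict=False)

def parse_vl(text):
    """Return {chain: (policy or None, [Rule, ...])} parsed from `iptables -vL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("pkts"):
            continue
        head = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if head:
            current = head.group(1)
            chains[current] = (head.group(2), [])
            continue
        # columns: pkts bytes target prot opt in out source destination [match options...]
        _, _, target, proto, _opt, in_if, out_if, src, dst, *extra = line.split()
        dport = states = None
        for i, tok in enumerate(extra):
            if tok.startswith("dpt:"):
                dport = int(tok[4:]) if tok[4:].isdigit() else PORT_NAMES[tok[4:]]
            elif tok == "state":
                states = set(extra[i + 1].split(","))
        chains[current][1].append(Rule(target, proto, in_if, out_if, _net(src), _net(dst), dport, states))
    return chains

def _iface_ok(rule_if, pkt_if):
    # "any" means unspecified; a trailing "+" is iptables' prefix wildcard (tun+, ipsec+)
    return rule_if == "any" or (pkt_if.startswith(rule_if[:-1]) if rule_if.endswith("+") else rule_if == pkt_if)

def matches(rule, pkt):
    return (_iface_ok(rule.in_if, pkt.in_if) and _iface_ok(rule.out_if, pkt.out_if)
            and rule.proto in ("all", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.states is None or pkt.state in rule.states))

def walk(chains, name, pkt, path=None):
    """Return (verdict, path). LOG does not terminate; a user chain with no match returns None."""
    path = [] if path is None else path
    policy, rules = chains[name]
    for n, rule in enumerate(rules, 1):
        if not matches(rule, pkt):
            continue
        path.append(f"{name}#{n}->{rule.target}")
        if rule.target in TERMINAL:
            return rule.target, path
        if rule.target in chains:       # jump to a user chain; keep going if it returns
            verdict, path = walk(chains, rule.target, pkt, path)
            if verdict is not None:
                return verdict, path
    if policy is not None:              # built-in chain: the policy decides
        path.append(f"{name} policy {policy}")
        return policy, path
    return None, path

CHAINS = parse_vl(RULES)

if __name__ == "__main__":
    # constructed packets: a host on each side of ipcop pinging or connecting across it
    for pkt in (Packet("eth0", "eth2", "icmp", "192.168.1.1", "192.168.50.20", "NEW"),
                Packet("eth2", "eth0", "icmp", "192.168.50.20", "192.168.1.5", "NEW"),
                Packet("eth2", "eth0", "tcp", "192.168.50.20", "192.168.1.5", "NEW", dport=80)):
        verdict, path = walk(CHAINS, "FORWARD", pkt)
        print(f"{pkt.proto} {pkt.src}->{pkt.dst} ({pkt.in_if}->{pkt.out_if}): {verdict} via {' > '.join(path)}")
```

Run as a script it prints the three verdicts: the echo-request from 192.168.1.1 is accepted by the eth0 rule, the one from 192.168.50.20 enters DMZHOLES, matches nothing there, hits the LOG rule and falls to the DROP policy, and only the TCP ports listed in DMZHOLES get through from the .50 side. Replies to a ping that started on the .1 side are ESTABLISHED in conntrack and pass the first rule in either direction, which is why that direction works without any hole. On a live box the `pkts` column says the same thing without a model: a DMZHOLES counter stuck at 0 while eth2 carries traffic means nothing NEW from eth2 is reaching that chain at all.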