[nmglug] iptables / routing question,
Ed Brown
ebrown at lanl.gov
Wed Dec 13 11:33:18 PST 2006
Also Andres, for the DMZHOLES rules, you probably do want to redefine
the source and destination with the /24 mask.
-Ed
Andres Paglayan wrote:
> thx for the comment
>
> basically I want packets destined to 192.168.50.0/24 incoming on eth0
> (192.168.1.1)
> to be forwarded to eth2 (192.168.50.1)
>
> currently the subnet at 192.168.50 can ping 192.168.1.,
> but 1.1 can't go the other way
>
> routing table is
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.12.223.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 65.19.28.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
> 10.12.223.0 10.12.223.2 255.255.255.0 UG 0 0 0 tun0
> 0.0.0.0 65.19.28.1 0.0.0.0 UG 0 0 0 eth3
>
> and iptables with eth* info it is
> root at ipcop:~ # iptables -vL
> Chain BADTCP (2 references)
> pkts bytes target prot opt in out source destination
> 0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> 0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
> 0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
> 0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
> 0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
> 63 32929 NEWNOTSYN tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
>
> Chain CUSTOMFORWARD (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 REJECT tcp -- eth0 eth3 anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
> 0 0 REJECT tcp -- eth1 eth3 anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
>
> Chain CUSTOMINPUT (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 REJECT tcp -- any any !localhost anywhere tcp dpt:mdbs_daemon reject-with icmp-port-unreachable
>
> Chain CUSTOMOUTPUT (1 references)
> pkts bytes target prot opt in out source destination
>
> Chain DHCPBLUEINPUT (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth1 any anywhere anywhere tcp spt:bootpc dpt:bootps
> 0 0 ACCEPT udp -- eth1 any anywhere anywhere udp spt:bootpc dpt:bootps
>
> Chain DMZHOLES (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:http
> 0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:microsoft-ds
> 0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:citriximaclient
> 0 0 ACCEPT tcp -- eth2 eth0 192.168.50.0 192.168.1.0 tcp dpt:4994
>
> Chain GUIINPUT (1 references)
> pkts bytes target prot opt in out source destination
> 63 3841 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
>
> Chain INPUT (policy DROP 56 packets, 10996 bytes)
> pkts bytes target prot opt in out source destination
> 171K 113M ipac~o all -- any any anywhere anywhere
> 171K 113M BADTCP all -- any any anywhere anywhere
> 4885 228K tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
> 171K 113M CUSTOMINPUT all -- any any anywhere anywhere
> 171K 113M GUIINPUT all -- any any anywhere anywhere
> 151K 111M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 3126 140K ACCEPT all -- lo any anywhere anywhere state NEW
> 0 0 DROP all -- any any 127.0.0.0/8 anywhere state NEW
> 0 0 DROP all -- any any anywhere 127.0.0.0/8 state NEW
> 16432 1654K ACCEPT !icmp -- eth0 any anywhere anywhere state NEW
> 0 0 ACCEPT all -- ipsec+ any anywhere anywhere
> 56 10996 DHCPBLUEINPUT all -- any any anywhere anywhere
> 56 10996 IPSECRED all -- any any anywhere anywhere
> 56 10996 OVPNINPUT all -- any any anywhere anywhere
> 56 10996 IPSECBLUE all -- any any anywhere anywhere
> 50 9620 WIRELESSINPUT all -- any any anywhere anywhere state NEW
> 56 10996 REDINPUT all -- any any anywhere anywhere
> 50 9620 XTACCESS all -- any any anywhere anywhere state NEW
> 56 10996 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `INPUT '
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 71512 42M ipac~fi all -- any any anywhere anywhere
> 71512 42M ipac~fo all -- any any anywhere anywhere
> 71512 42M BADTCP all -- any any anywhere anywhere
> 2013 98252 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> 71512 42M CUSTOMFORWARD all -- any any anywhere anywhere
> 69990 42M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- lo any anywhere anywhere state NEW
> 0 0 DROP all -- any any 127.0.0.0/8 anywhere state NEW
> 0 0 DROP all -- any any anywhere 127.0.0.0/8 state NEW
> 1516 90576 ACCEPT all -- eth0 any anywhere anywhere state NEW
> 0 0 ACCEPT all -- eth2 eth2 anywhere anywhere state NEW
> 6 336 OVPNFORWARD all -- any any anywhere anywhere
> 0 0 ACCEPT all -- ipsec+ any anywhere anywhere
> 6 336 WIRELESSFORWARD all -- any any anywhere anywhere state NEW
> 6 336 REDFORWARD all -- any any anywhere anywhere
> 0 0 DMZHOLES all -- eth2 any anywhere anywhere state NEW
> 6 336 PORTFWACCESS all -- any any anywhere anywhere state NEW
> 0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '
>
> Chain IPSECBLUE (1 references)
> pkts bytes target prot opt in out source destination
>
> Chain IPSECRED (1 references)
> pkts bytes target prot opt in out source destination
>
> Chain LOG_DROP (2 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain LOG_REJECT (0 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning
> 0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
>
> Chain NEWNOTSYN (1 references)
> pkts bytes target prot opt in out source destination
> 45 17560 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
> 63 32929 DROP all -- any any anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT 165K packets, 110M bytes)
> pkts bytes target prot opt in out source destination
> 165K 110M ipac~i all -- any any anywhere anywhere
> 165K 110M CUSTOMOUTPUT all -- any any anywhere anywhere
>
> Chain OVPNFORWARD (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- tun+ any anywhere anywhere
>
> Chain OVPNINPUT (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT udp -- eth3 any anywhere anywhere udp dpt:openvpn
> 0 0 ACCEPT all -- tun+ any anywhere anywhere
>
> Chain PORTFWACCESS (1 references)
> pkts bytes target prot opt in out source destination
> 6 336 ACCEPT tcp -- eth3 any anywhere whs.localdomain tcp dpt:ssh
>
> Chain PSCAN (5 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG tcp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
> 0 0 LOG udp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
> 0 0 LOG icmp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
> 0 0 LOG all -f any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain REDFORWARD (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth2 eth3 anywhere anywhere
> 0 0 ACCEPT udp -- eth2 eth3 anywhere anywhere
>
> Chain REDINPUT (1 references)
> pkts bytes target prot opt in out source destination
>
> Chain WIRELESSFORWARD (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG_DROP all -- eth1 any anywhere anywhere
>
> Chain WIRELESSINPUT (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG_DROP all -- eth1 any anywhere anywhere
>
> Chain XTACCESS (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth3 any anywhere 65.19.28.123 tcp dpt:ident
>
> Chain ipac~fi (1 references)
> pkts bytes target prot opt in out source destination
> 130 11693 all -- eth0 any anywhere anywhere
> 0 0 all -- eth2 any anywhere anywhere
> 0 0 all -- eth1 any anywhere anywhere
> 129 87740 all -- eth3 any anywhere anywhere
>
> Chain ipac~fo (1 references)
> pkts bytes target prot opt in out source destination
> 129 87740 all -- any eth0 anywhere anywhere
> 0 0 all -- any eth2 anywhere anywhere
> 0 0 all -- any eth1 anywhere anywhere
> 130 11693 all -- any eth3 anywhere anywhere
>
> Chain ipac~i (1 references)
> pkts bytes target prot opt in out source destination
> 231 157K all -- any eth0 anywhere anywhere
> 0 0 all -- any eth2 anywhere anywhere
> 0 0 all -- any eth1 anywhere anywhere
> 144 19966 all -- any eth3 anywhere anywhere
>
> Chain ipac~o (1 references)
> pkts bytes target prot opt in out source destination
> 293 31279 all -- eth0 any anywhere anywhere
> 0 0 all -- eth2 any anywhere anywhere
> 0 0 all -- eth1 any anywhere anywhere
> 133 130K all -- eth3 any anywhere anywhere
>
> On Dec 13, 2006, at 10:24 AM, Ed Brown wrote:
>
>> Andres Paglayan wrote:
>>> the output of iptables -L
>>
>> Try 'iptables -vL' (or -nvL). Without the interface info in the
>> rules, it's hard to tell very much from them.
>>
>> -Ed
>>
>> _______________________________________________
>> nmglug mailing list
>> nmglug at nmglug.org
>> http://www.nmglug.org/mailman/listinfo/nmglug
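Ed's point about the DMZHOLES mask can be turned into a mechanical check. The following is an added example, not code from the thread or from IPCop: it parses `iptables -vL` rows and flags any source or destination that looks like a network address written without a mask, which iptables treats as a single /32 host that no real machine on the subnet will ever match. The sample rows are copied from the DMZHOLES chain above (with the mail wrapping rejoined) plus one constructed row in the `/24` form; the function names and the `PROTOS` set are my own.

```python
# Added example, not from the thread: lint an `iptables -vL` listing for
# address matches that can never fire.  iptables prints a /32 host match as a
# bare address and a network match with its mask, so "192.168.50.0" in the
# DMZHOLES output means the single host 192.168.50.0, which no machine on that
# subnet uses.  Sample rows copied from the thread plus one constructed /24 row.
SAMPLE = """\
Chain DMZHOLES (1 references)
 pkts bytes target prot opt in   out  source          destination
    0     0 ACCEPT tcp  --  eth2 eth0 192.168.50.0    192.168.1.0     tcp dpt:http
    0     0 ACCEPT tcp  --  eth2 eth0 192.168.50.0    192.168.1.0     tcp dpt:microsoft-ds
    0     0 ACCEPT tcp  --  eth2 eth0 192.168.50.0/24 192.168.1.0/24  tcp dpt:4994
"""

# Protocol column values; accounting rows (the ipac~* chains) carry no
# target column, so a protocol in position 2 means the columns are shifted.
PROTOS = {"all", "tcp", "udp", "icmp", "!icmp", "esp", "ah", "gre", "sctp"}

def parse_row(line: str):
    """Split one listing row into named columns; None for headers/blank lines."""
    tok = line.split()
    if len(tok) < 8 or tok[0] in ("Chain", "pkts"):
        return None
    if tok[2] in PROTOS:
        tok.insert(2, "")          # synthesise the missing target column
    return {"pkts": tok[0], "target": tok[2], "prot": tok[3], "in": tok[5],
            "out": tok[6], "src": tok[7], "dst": tok[8], "match": " ".join(tok[9:])}

def is_bare_network_address(addr: str) -> bool:
    """True for a dotted IPv4 address with a zero last octet and no mask."""
    octets = addr.split(".")
    if "/" in addr or len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False
    return octets[-1] == "0"

def lint_listing(listing: str, default_mask: int = 24) -> list:
    """Return (target, column, address, suggested network) per suspect match."""
    findings = []
    for line in listing.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        for column in ("src", "dst"):
            if is_bare_network_address(row[column]):
                findings.append((row["target"], column, row[column],
                                 f"{row[column]}/{default_mask}"))
    return findings

if __name__ == "__main__":
    for target, column, addr, fixed in lint_listing(SAMPLE):
        print(f"{target}: {column} {addr} is a single-host match; did you mean {fixed}?")
```

Run against the full listing, the check also leaves `anywhere`, hostnames such as `whs.localdomain` and masked entries like `127.0.0.0/8` alone, so only the four DMZHOLES matches are reported.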