[nmglug] iptables / routing question
Andres Paglayan
andres at paglayan.com
Wed Dec 13 12:04:29 PST 2006
I'll redo that with /24,
but there is already a DMZHOLES definition that is working (from
there to here).
I get the pings from 50 to 1 with no problems.
I also checked that at the 50 network there are no other routing rules
other than
forwarding 1.1 to my 1.1 subnet (in case packets were getting lost).
On Dec 13, 2006, at 12:33 PM, Ed Brown wrote:
> Also Andres, for the DMZHOLES rules, you probably do want to
> redefine the source and destination with the /24 mask.
>
> -Ed
>
>
> Andres Paglayan wrote:
>> thanks for the comment
>> basically I want packets destined to 192.168.50.0/24 incoming on
>> eth0 (192.168.1.1)
>> to be forwarded to eth2 (192.168.50.1)
>> currently the subnet at 192.168.50 can ping 192.168.1.,
>> but 1.1 can't go the other way
>> routing table is
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 10.12.223.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
>> 192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
>> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
>> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 65.19.28.0      0.0.0.0         255.255.255.0   U     0      0        0 eth3
>> 10.12.223.0     10.12.223.2     255.255.255.0   UG    0      0        0 tun0
>> 0.0.0.0         65.19.28.1      0.0.0.0         UG    0      0        0 eth3
>> and iptables with eth* info is
>> root at ipcop:~ # iptables -vL
>> Chain BADTCP (2 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
>>    63 32929 NEWNOTSYN  tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
>> Chain CUSTOMFORWARD (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 REJECT     tcp  --  eth0   eth3    anywhere             anywhere             tcp dpt:http reject-with icmp-port-unreachable
>>     0     0 REJECT     tcp  --  eth1   eth3    anywhere             anywhere             tcp dpt:http reject-with icmp-port-unreachable
>> Chain CUSTOMINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 REJECT     tcp  --  any    any    !localhost            anywhere             tcp dpt:mdbs_daemon reject-with icmp-port-unreachable
>> Chain CUSTOMOUTPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain DHCPBLUEINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             tcp spt:bootpc dpt:bootps
>>     0     0 ACCEPT     udp  --  eth1   any     anywhere             anywhere             udp spt:bootpc dpt:bootps
>> Chain DMZHOLES (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0          tcp dpt:http
>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0          tcp dpt:microsoft-ds
>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0          tcp dpt:citriximaclient
>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0          tcp dpt:4994
>> Chain GUIINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>    63  3841 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
>> Chain INPUT (policy DROP 56 packets, 10996 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>  171K  113M ipac~o     all  --  any    any     anywhere             anywhere
>>  171K  113M BADTCP     all  --  any    any     anywhere             anywhere
>>  4885  228K            tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
>>  171K  113M CUSTOMINPUT all --  any    any     anywhere             anywhere
>>  171K  113M GUIINPUT   all  --  any    any     anywhere             anywhere
>>  151K  111M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
>>  3126  140K ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
>>     0     0 DROP       all  --  any    any     127.0.0.0/8          anywhere             state NEW
>>     0     0 DROP       all  --  any    any     anywhere             127.0.0.0/8          state NEW
>> 16432 1654K ACCEPT    !icmp --  eth0   any     anywhere             anywhere             state NEW
>>     0     0 ACCEPT     all  --  ipsec+ any     anywhere             anywhere
>>    56 10996 DHCPBLUEINPUT all --  any    any     anywhere             anywhere
>>    56 10996 IPSECRED   all  --  any    any     anywhere             anywhere
>>    56 10996 OVPNINPUT  all  --  any    any     anywhere             anywhere
>>    56 10996 IPSECBLUE  all  --  any    any     anywhere             anywhere
>>    50  9620 WIRELESSINPUT all --  any    any     anywhere             anywhere             state NEW
>>    56 10996 REDINPUT   all  --  any    any     anywhere             anywhere
>>    50  9620 XTACCESS   all  --  any    any     anywhere             anywhere             state NEW
>>    56 10996 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `INPUT '
>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> 71512   42M ipac~fi    all  --  any    any     anywhere             anywhere
>> 71512   42M ipac~fo    all  --  any    any     anywhere             anywhere
>> 71512   42M BADTCP     all  --  any    any     anywhere             anywhere
>>  2013 98252 TCPMSS     tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
>> 71512   42M CUSTOMFORWARD all --  any    any     anywhere             anywhere
>> 69990   42M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
>>     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
>>     0     0 DROP       all  --  any    any     127.0.0.0/8          anywhere             state NEW
>>     0     0 DROP       all  --  any    any     anywhere             127.0.0.0/8          state NEW
>>  1516 90576 ACCEPT     all  --  eth0   any     anywhere             anywhere             state NEW
>>     0     0 ACCEPT     all  --  eth2   eth2    anywhere             anywhere             state NEW
>>     6   336 OVPNFORWARD all --  any    any     anywhere             anywhere
>>     0     0 ACCEPT     all  --  ipsec+ any     anywhere             anywhere
>>     6   336 WIRELESSFORWARD all --  any    any     anywhere             anywhere             state NEW
>>     6   336 REDFORWARD all  --  any    any     anywhere             anywhere
>>     0     0 DMZHOLES   all  --  eth2   any     anywhere             anywhere             state NEW
>>     6   336 PORTFWACCESS all --  any    any     anywhere             anywhere             state NEW
>>     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '
>> Chain IPSECBLUE (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain IPSECRED (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain LOG_DROP (2 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
>>     0     0 DROP       all  --  any    any     anywhere             anywhere
>> Chain LOG_REJECT (0 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
>>     0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
>> Chain NEWNOTSYN (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>    45 17560 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
>>    63 32929 DROP       all  --  any    any     anywhere             anywhere
>> Chain OUTPUT (policy ACCEPT 165K packets, 110M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>  165K  110M ipac~i     all  --  any    any     anywhere             anywhere
>>  165K  110M CUSTOMOUTPUT all --  any    any     anywhere             anywhere
>> Chain OVPNFORWARD (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
>> Chain OVPNINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     udp  --  eth3   any     anywhere             anywhere             udp dpt:openvpn
>>     0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
>> Chain PORTFWACCESS (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     6   336 ACCEPT     tcp  --  eth3   any     anywhere             whs.localdomain      tcp dpt:ssh
>> Chain PSCAN (5 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
>>     0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
>>     0     0 LOG        icmp --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
>>     0     0 LOG        all  -f  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
>>     0     0 DROP       all  --  any    any     anywhere             anywhere
>> Chain REDFORWARD (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp  --  eth2   eth3    anywhere             anywhere
>>     0     0 ACCEPT     udp  --  eth2   eth3    anywhere             anywhere
>> Chain REDINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain WIRELESSFORWARD (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG_DROP   all  --  eth1   any     anywhere             anywhere
>> Chain WIRELESSINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG_DROP   all  --  eth1   any     anywhere             anywhere
>> Chain XTACCESS (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp  --  eth3   any     anywhere             65.19.28.123         tcp dpt:ident
>> Chain ipac~fi (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   130 11693            all  --  eth0   any     anywhere             anywhere
>>     0     0            all  --  eth2   any     anywhere             anywhere
>>     0     0            all  --  eth1   any     anywhere             anywhere
>>   129 87740            all  --  eth3   any     anywhere             anywhere
>> Chain ipac~fo (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   129 87740            all  --  any    eth0    anywhere             anywhere
>>     0     0            all  --  any    eth2    anywhere             anywhere
>>     0     0            all  --  any    eth1    anywhere             anywhere
>>   130 11693            all  --  any    eth3    anywhere             anywhere
>> Chain ipac~i (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   231  157K            all  --  any    eth0    anywhere             anywhere
>>     0     0            all  --  any    eth2    anywhere             anywhere
>>     0     0            all  --  any    eth1    anywhere             anywhere
>>   144 19966            all  --  any    eth3    anywhere             anywhere
>> Chain ipac~o (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   293 31279            all  --  eth0   any     anywhere             anywhere
>>     0     0            all  --  eth2   any     anywhere             anywhere
>>     0     0            all  --  eth1   any     anywhere             anywhere
>>   133  130K            all  --  eth3   any     anywhere             anywhere
>> On Dec 13, 2006, at 10:24 AM, Ed Brown wrote:
>>> Andres Paglayan wrote:
>>>> the output of iptables -L
>>>
>>> Try 'iptables -vL' (or -nvL). Without the interface info in the
>>> rules, it's hard to tell very much from them.
>>>
>>> -Ed
>>>
>>> _______________________________________________
>>> nmglug mailing list
>>> nmglug at nmglug.org
>>> http://www.nmglug.org/mailman/listinfo/nmglug
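The DMZHOLES rules quoted above list their source and destination as bare network addresses (192.168.50.0, 192.168.1.0) and Ed's reply suggests adding the /24 mask. The reason that matters: iptables treats an address given without a prefix length as a single host (/32), so a rule written for 192.168.50.0 matches only a packet whose address is exactly 192.168.50.0, never a host inside that subnet; with /24 the listing shows 192.168.50.0/24 and the rule covers the whole network. The script below is an added example, not from the thread or from IPCop: it reads an `iptables -vL` listing and flags rules whose source or destination ends in .0 with no prefix length. It assumes the standard `iptables -vL` column order (pkts, bytes, target, prot, opt, in, out, source, destination, matches) and the ".0 means a network address" heuristic, which is only a rule of thumb for /24-style subnets. The sample listing inside the script is constructed from the DMZHOLES and FORWARD chains in the post, with one rule rewritten to carry /24 so the contrast is visible.

```shell
#!/bin/sh
# Added example (not from the thread or from IPCop): audit an `iptables -vL`
# listing for source/destination matches that name a network address (last
# octet .0) without a prefix length. A bare "192.168.50.0" is a /32 host match
# and never matches traffic from hosts in 192.168.50.0/24.

# find_unmasked_networks: read a listing on stdin, print one line per rule
# whose source or destination looks like an unmasked network address.
# Column order assumed: pkts bytes target prot opt in out source destination [matches]
find_unmasked_networks() {
    awk '
        /^Chain /        { chain = $2; next }      # remember the current chain
        /^ *pkts +bytes/ { next }                  # skip the column header
        NF >= 9 && $4 ~ /^!?(all|tcp|udp|icmp)$/ { # a rule line with a target column
            src = $8; dst = $9
            if ((src ~ /\.0$/ && src !~ /\//) || (dst ~ /\.0$/ && dst !~ /\//))
                printf "%s: %s -> %s (%s %s/%s)\n", chain, src, dst, $3, $6, $7
        }
    '
}

# Constructed sample listing: the first DMZHOLES rule is as posted (no mask),
# the second is the same rule rewritten with /24 for comparison.
SAMPLE_LISTING='Chain DMZHOLES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0          tcp dpt:http
    0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0/24      192.168.1.0/24       tcp dpt:microsoft-ds
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1516 90576 ACCEPT     all  --  eth0   any     anywhere             anywhere             state NEW
    0     0 DMZHOLES   all  --  eth2   any     anywhere             anywhere             state NEW'

# audit_sample: run the audit over the constructed listing.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | find_unmasked_networks
}

audit_sample
```

On the sample this prints a single line, `DMZHOLES: 192.168.50.0 -> 192.168.1.0 (ACCEPT eth2/eth0)`; the /24 variant and the FORWARD rules are silent. Against a live box run `iptables -vL | find_unmasked_networks` as root. A rule the audit flags that also shows zero packet counters, as all four DMZHOLES rules do in the quoted listing, is behaving exactly as a /32 match would: nothing from the subnet ever hits it.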