[nmglug] iptables / routing question,

Andres Paglayan andres at paglayan.com
Wed Dec 13 12:04:29 PST 2006


I'll redo that with /24,
but there is already a DMZHOLES definition that is working (from
there to here);
I get the pings from 50 to 1 with no problems.

I also checked that at the 50 network there are no other routing rules
other than forwarding 1.1 to my 1.1 subnet (in case packets were getting lost).


On Dec 13, 2006, at 12:33 PM, Ed Brown wrote:

> Also Andres, for the DMZHOLES rules, you probably do want to  
> redefine the source and destination with the /24 mask.
>
> -Ed
>
>
> Andres Paglayan wrote:
>> thx for the comment
>> basically I want packets destined to 192.168.50.0/24 incoming on  
>> eth0 (192.168.1.1)
>> to be forwarded to eth2 (192.168.50.1)
>> currently the subnet at 192.168.50 can ping 192.168.1.,
>> but 1.1 can't go the other way
>> routing table is
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 10.12.223.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
>> 192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
>> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
>> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 65.19.28.0      0.0.0.0         255.255.255.0   U     0      0        0 eth3
>> 10.12.223.0     10.12.223.2     255.255.255.0   UG    0      0        0 tun0
>> 0.0.0.0         65.19.28.1      0.0.0.0         UG    0      0        0 eth3
>> and iptables with the eth* info is
>> root at ipcop:~ # iptables -vL
>> Chain BADTCP (2 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
>>    63 32929 NEWNOTSYN  tcp  --  any    any     anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
>> Chain CUSTOMFORWARD (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 REJECT     tcp  --  eth0   eth3    anywhere             anywhere            tcp dpt:http reject-with icmp-port-unreachable
>>     0     0 REJECT     tcp  --  eth1   eth3    anywhere             anywhere            tcp dpt:http reject-with icmp-port-unreachable
>> Chain CUSTOMINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 REJECT     tcp  --  any    any    !localhost            anywhere            tcp dpt:mdbs_daemon reject-with icmp-port-unreachable
>> Chain CUSTOMOUTPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain DHCPBLUEINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp spt:bootpc dpt:bootps
>>     0     0 ACCEPT     udp  --  eth1   any     anywhere             anywhere            udp spt:bootpc dpt:bootps
>> Chain DMZHOLES (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0         tcp dpt:http
>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0         tcp dpt:microsoft-ds
>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0         tcp dpt:citriximaclient
>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0         tcp dpt:4994
>> Chain GUIINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>    63  3841 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
>> Chain INPUT (policy DROP 56 packets, 10996 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>  171K  113M ipac~o     all  --  any    any     anywhere             anywhere
>>  171K  113M BADTCP     all  --  any    any     anywhere             anywhere
>>  4885  228K            tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
>>  171K  113M CUSTOMINPUT  all  --  any    any     anywhere             anywhere
>>  171K  113M GUIINPUT   all  --  any    any     anywhere             anywhere
>>  151K  111M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
>>  3126  140K ACCEPT     all  --  lo     any     anywhere             anywhere            state NEW
>>     0     0 DROP       all  --  any    any     127.0.0.0/8          anywhere            state NEW
>>     0     0 DROP       all  --  any    any     anywhere             127.0.0.0/8         state NEW
>> 16432 1654K ACCEPT    !icmp --  eth0   any     anywhere             anywhere            state NEW
>>     0     0 ACCEPT     all  --  ipsec+ any     anywhere             anywhere
>>    56 10996 DHCPBLUEINPUT  all  --  any    any     anywhere             anywhere
>>    56 10996 IPSECRED   all  --  any    any     anywhere             anywhere
>>    56 10996 OVPNINPUT  all  --  any    any     anywhere             anywhere
>>    56 10996 IPSECBLUE  all  --  any    any     anywhere             anywhere
>>    50  9620 WIRELESSINPUT  all  --  any    any     anywhere             anywhere            state NEW
>>    56 10996 REDINPUT   all  --  any    any     anywhere             anywhere
>>    50  9620 XTACCESS   all  --  any    any     anywhere             anywhere            state NEW
>>    56 10996 LOG        all  --  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `INPUT '
>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> 71512   42M ipac~fi    all  --  any    any     anywhere             anywhere
>> 71512   42M ipac~fo    all  --  any    any     anywhere             anywhere
>> 71512   42M BADTCP     all  --  any    any     anywhere             anywhere
>>  2013 98252 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
>> 71512   42M CUSTOMFORWARD  all  --  any    any     anywhere             anywhere
>> 69990   42M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
>>     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            state NEW
>>     0     0 DROP       all  --  any    any     127.0.0.0/8          anywhere            state NEW
>>     0     0 DROP       all  --  any    any     anywhere             127.0.0.0/8         state NEW
>>  1516 90576 ACCEPT     all  --  eth0   any     anywhere             anywhere            state NEW
>>     0     0 ACCEPT     all  --  eth2   eth2    anywhere             anywhere            state NEW
>>     6   336 OVPNFORWARD  all  --  any    any     anywhere             anywhere
>>     0     0 ACCEPT     all  --  ipsec+ any     anywhere             anywhere
>>     6   336 WIRELESSFORWARD  all  --  any    any     anywhere             anywhere            state NEW
>>     6   336 REDFORWARD  all  --  any    any     anywhere             anywhere
>>     0     0 DMZHOLES   all  --  eth2   any     anywhere             anywhere            state NEW
>>     6   336 PORTFWACCESS  all  --  any    any     anywhere             anywhere            state NEW
>>     0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '
>> Chain IPSECBLUE (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain IPSECRED (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain LOG_DROP (2 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning
>>     0     0 DROP       all  --  any    any     anywhere             anywhere
>> Chain LOG_REJECT (0 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning
>>     0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable
>> Chain NEWNOTSYN (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>    45 17560 LOG        all  --  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
>>    63 32929 DROP       all  --  any    any     anywhere             anywhere
>> Chain OUTPUT (policy ACCEPT 165K packets, 110M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>  165K  110M ipac~i     all  --  any    any     anywhere             anywhere
>>  165K  110M CUSTOMOUTPUT  all  --  any    any     anywhere             anywhere
>> Chain OVPNFORWARD (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
>> Chain OVPNINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     udp  --  eth3   any     anywhere             anywhere            udp dpt:openvpn
>>     0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
>> Chain PORTFWACCESS (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     6   336 ACCEPT     tcp  --  eth3   any     anywhere             whs.localdomain     tcp dpt:ssh
>> Chain PSCAN (5 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG        tcp  --  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
>>     0     0 LOG        udp  --  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
>>     0     0 LOG        icmp --  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
>>     0     0 LOG        all  -f  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
>>     0     0 DROP       all  --  any    any     anywhere             anywhere
>> Chain REDFORWARD (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp  --  eth2   eth3    anywhere             anywhere
>>     0     0 ACCEPT     udp  --  eth2   eth3    anywhere             anywhere
>> Chain REDINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain WIRELESSFORWARD (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG_DROP   all  --  eth1   any     anywhere             anywhere
>> Chain WIRELESSINPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG_DROP   all  --  eth1   any     anywhere             anywhere
>> Chain XTACCESS (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp  --  eth3   any     anywhere             65.19.28.123        tcp dpt:ident
>> Chain ipac~fi (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   130 11693            all  --  eth0   any     anywhere             anywhere
>>     0     0            all  --  eth2   any     anywhere             anywhere
>>     0     0            all  --  eth1   any     anywhere             anywhere
>>   129 87740            all  --  eth3   any     anywhere             anywhere
>> Chain ipac~fo (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   129 87740            all  --  any    eth0    anywhere             anywhere
>>     0     0            all  --  any    eth2    anywhere             anywhere
>>     0     0            all  --  any    eth1    anywhere             anywhere
>>   130 11693            all  --  any    eth3    anywhere             anywhere
>> Chain ipac~i (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   231  157K            all  --  any    eth0    anywhere             anywhere
>>     0     0            all  --  any    eth2    anywhere             anywhere
>>     0     0            all  --  any    eth1    anywhere             anywhere
>>   144 19966            all  --  any    eth3    anywhere             anywhere
>> Chain ipac~o (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   293 31279            all  --  eth0   any     anywhere             anywhere
>>     0     0            all  --  eth2   any     anywhere             anywhere
>>     0     0            all  --  eth1   any     anywhere             anywhere
>>   133  130K            all  --  eth3   any     anywhere             anywhere
>> On Dec 13, 2006, at 10:24 AM, Ed Brown wrote:
>>> Andres Paglayan wrote:
>>>> the output of iptables -L
>>>
>>> Try 'iptables -vL' (or -nvL).  Without the interface info in the  
>>> rules, it's hard to tell very much from them.
>>>
>>> -Ed
>>>
>>> _______________________________________________
>>> nmglug mailing list
>>> nmglug at nmglug.org
>>> http://www.nmglug.org/mailman/listinfo/nmglug

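Added example, not part of the thread above and not IPCop's own code: a small Python model of how netfilter matches the source and destination columns of a rule, which is what Ed's /24 remark is about. The DMZHOLES chain in the listing carries `192.168.50.0` and `192.168.1.0` with no mask, and iptables treats a bare address as a /32 host match, so those rules only match a packet from exactly 192.168.50.0 to exactly 192.168.1.0 (which is consistent with their zero packet counters); the same rules written with /24 match the whole subnets. The `Packet`, `Rule`, `walk_chain` and `compare` names, the port names as strings, and the sample packet are this example's own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The fields of a forwarded packet that the listed rules look at."""
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str
    dport: Optional[str] = None   # service name, as `iptables -L` prints it


@dataclass(frozen=True)
class Rule:
    """One line of `iptables -vL`, with the same column semantics.
    'anywhere' is how -L prints 0.0.0.0/0; 'any' is an unspecified interface."""
    target: str
    in_iface: str = "any"
    out_iface: str = "any"
    src: str = "anywhere"
    dst: str = "anywhere"
    proto: str = "all"
    dport: Optional[str] = None


def address_matches(spec: str, addr: str) -> bool:
    """Match an address against a -s/-d specification.

    An address written without a mask is a host match (/32), which is how
    iptables interprets it; ipaddress.ip_network() does the same, so
    "192.168.50.0" becomes 192.168.50.0/32 and only "192.168.50.0/24"
    covers the subnet.
    """
    if spec == "anywhere":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.in_iface in ("any", pkt.in_iface)
        and rule.out_iface in ("any", pkt.out_iface)
        and rule.proto in ("all", pkt.proto)
        and (rule.dport is None or rule.dport == pkt.dport)
        and address_matches(rule.src, pkt.src)
        and address_matches(rule.dst, pkt.dst)
    )


def walk_chain(chain: List[Rule], pkt: Packet) -> Optional[str]:
    """First-match semantics: return the matching rule's target, or None when
    the packet falls off the end of the chain (back to the calling chain)."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.target
    return None


# The four DMZHOLES rules as they appear in the listing: in eth2, out eth0,
# source 192.168.50.0 and destination 192.168.1.0 with no mask.
DMZ_PORTS = ["http", "microsoft-ds", "citriximaclient", "4994"]

DMZHOLES_AS_LISTED = [
    Rule("ACCEPT", "eth2", "eth0", "192.168.50.0", "192.168.1.0", "tcp", p)
    for p in DMZ_PORTS
]

# The same rules redefined with the /24 mask, as suggested in the thread.
DMZHOLES_WITH_MASK = [
    Rule("ACCEPT", "eth2", "eth0", "192.168.50.0/24", "192.168.1.0/24", "tcp", p)
    for p in DMZ_PORTS
]

# Constructed sample packet: a host on the 50 network opening an HTTP
# connection to a host on the 1 network, routed eth2 -> eth0.
SAMPLE = Packet("eth2", "eth0", "192.168.50.10", "192.168.1.20", "tcp", "http")


def compare(pkt: Packet = SAMPLE) -> dict:
    """Run one packet through both versions of the chain."""
    return {
        "as_listed": walk_chain(DMZHOLES_AS_LISTED, pkt),
        "with_mask": walk_chain(DMZHOLES_WITH_MASK, pkt),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:10s} -> {verdict or 'no match (falls through)'}")
```

Note that the FORWARD chain only jumps to DMZHOLES for packets arriving on eth2, so this chain says nothing about the eth0 -> eth2 direction the original question asks about; a packet from 192.168.1.x to 192.168.50.x falls through both versions of the chain above. For a real listing, `iptables -nvL` shows the masks numerically and avoids the reverse lookups that turn addresses into names.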