[nmglug] iptables / routing question,
Ed Brown
ebrown at lanl.gov
Wed Dec 13 12:19:51 PST 2006
Andres Paglayan wrote:
> I'll redo that with /24,
> but there is already a DMZHOLES definition that is working, (from there
> to here)
> I get the pings from 50 to 1 with no problems,
Is that what you expect/want to be able to do? If it is, I'm
confused. I thought the .50 is your DMZ, on eth2, which you wanted to
restrict to only what is allowed in DMZHOLES...
> I also checked that at the 50 network there are no other routing rules
> other than
> forwarding 1.1 to my 1.1 subnet. (in case packets were getting lost)
>
>
> On Dec 13, 2006, at 12:33 PM, Ed Brown wrote:
>
>> Also Andres, for the DMZHOLES rules, you probably do want to redefine
>> the source and destination with the /24 mask.
>>
>> -Ed
>>
>>
>> Andres Paglayan wrote:
>>> thx for the comment
>>> basically I want packets destined to 192.168.50.0/24 incoming on eth0
>>> (192.168.1.1)
>>> to be forwarded to eth2 (192.168.50.1)
>>> currently the subnet at 192.168.50 can ping 192.168.1,
>>> but 1.1 can't go the other way
>>> routing table is
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>> 10.12.223.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
>>> 192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
>>> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
>>> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>>> 65.19.28.0      0.0.0.0         255.255.255.0   U     0      0        0 eth3
>>> 10.12.223.0     10.12.223.2     255.255.255.0   UG    0      0        0 tun0
>>> 0.0.0.0         65.19.28.1      0.0.0.0         UG    0      0        0 eth3
>>> and iptables with eth* info it is
>>> root at ipcop:~ # iptables -vL
>>> Chain BADTCP (2 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
>>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
>>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
>>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
>>>     0     0 PSCAN      tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
>>>    63 32929 NEWNOTSYN  tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
>>> Chain CUSTOMFORWARD (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 REJECT     tcp  --  eth0   eth3    anywhere             anywhere             tcp dpt:http reject-with icmp-port-unreachable
>>>     0     0 REJECT     tcp  --  eth1   eth3    anywhere             anywhere             tcp dpt:http reject-with icmp-port-unreachable
>>> Chain CUSTOMINPUT (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 REJECT     tcp  --  any    any     !localhost           anywhere             tcp dpt:mdbs_daemon reject-with icmp-port-unreachable
>>> Chain CUSTOMOUTPUT (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>> Chain DHCPBLUEINPUT (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             tcp spt:bootpc dpt:bootps
>>>     0     0 ACCEPT     udp  --  eth1   any     anywhere             anywhere             udp spt:bootpc dpt:bootps
>>> Chain DMZHOLES (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0          tcp dpt:http
>>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0          tcp dpt:microsoft-ds
>>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0          tcp dpt:citriximaclient
>>>     0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0          tcp dpt:4994
>>> Chain GUIINPUT (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>    63  3841 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
>>> Chain INPUT (policy DROP 56 packets, 10996 bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>  171K  113M ipac~o     all  --  any    any     anywhere             anywhere
>>>  171K  113M BADTCP     all  --  any    any     anywhere             anywhere
>>>  4885  228K            tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
>>>  171K  113M CUSTOMINPUT all  --  any    any     anywhere             anywhere
>>>  171K  113M GUIINPUT   all  --  any    any     anywhere             anywhere
>>>  151K  111M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
>>>  3126  140K ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
>>>     0     0 DROP       all  --  any    any     127.0.0.0/8          anywhere             state NEW
>>>     0     0 DROP       all  --  any    any     anywhere             127.0.0.0/8          state NEW
>>> 16432 1654K ACCEPT     !icmp --  eth0   any     anywhere             anywhere             state NEW
>>>     0     0 ACCEPT     all  --  ipsec+ any     anywhere             anywhere
>>>    56 10996 DHCPBLUEINPUT all  --  any    any     anywhere             anywhere
>>>    56 10996 IPSECRED   all  --  any    any     anywhere             anywhere
>>>    56 10996 OVPNINPUT  all  --  any    any     anywhere             anywhere
>>>    56 10996 IPSECBLUE  all  --  any    any     anywhere             anywhere
>>>    50  9620 WIRELESSINPUT all  --  any    any     anywhere             anywhere             state NEW
>>>    56 10996 REDINPUT   all  --  any    any     anywhere             anywhere
>>>    50  9620 XTACCESS   all  --  any    any     anywhere             anywhere             state NEW
>>>    56 10996 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `INPUT '
>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>> 71512   42M ipac~fi    all  --  any    any     anywhere             anywhere
>>> 71512   42M ipac~fo    all  --  any    any     anywhere             anywhere
>>> 71512   42M BADTCP     all  --  any    any     anywhere             anywhere
>>>  2013 98252 TCPMSS     tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
>>> 71512   42M CUSTOMFORWARD all  --  any    any     anywhere             anywhere
>>> 69990   42M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
>>>     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
>>>     0     0 DROP       all  --  any    any     127.0.0.0/8          anywhere             state NEW
>>>     0     0 DROP       all  --  any    any     anywhere             127.0.0.0/8          state NEW
>>>  1516 90576 ACCEPT     all  --  eth0   any     anywhere             anywhere             state NEW
>>>     0     0 ACCEPT     all  --  eth2   eth2    anywhere             anywhere             state NEW
>>>     6   336 OVPNFORWARD all  --  any    any     anywhere             anywhere
>>>     0     0 ACCEPT     all  --  ipsec+ any     anywhere             anywhere
>>>     6   336 WIRELESSFORWARD all  --  any    any     anywhere             anywhere             state NEW
>>>     6   336 REDFORWARD all  --  any    any     anywhere             anywhere
>>>     0     0 DMZHOLES   all  --  eth2   any     anywhere             anywhere             state NEW
>>>     6   336 PORTFWACCESS all  --  any    any     anywhere             anywhere             state NEW
>>>     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '
>>> Chain IPSECBLUE (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>> Chain IPSECRED (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>> Chain LOG_DROP (2 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
>>>     0     0 DROP       all  --  any    any     anywhere             anywhere
>>> Chain LOG_REJECT (0 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
>>>     0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
>>> Chain NEWNOTSYN (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>    45 17560 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
>>>    63 32929 DROP       all  --  any    any     anywhere             anywhere
>>> Chain OUTPUT (policy ACCEPT 165K packets, 110M bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>  165K  110M ipac~i     all  --  any    any     anywhere             anywhere
>>>  165K  110M CUSTOMOUTPUT all  --  any    any     anywhere             anywhere
>>> Chain OVPNFORWARD (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
>>> Chain OVPNINPUT (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     udp  --  eth3   any     anywhere             anywhere             udp dpt:openvpn
>>>     0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
>>> Chain PORTFWACCESS (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     6   336 ACCEPT     tcp  --  eth3   any     anywhere             whs.localdomain      tcp dpt:ssh
>>> Chain PSCAN (5 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
>>>     0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
>>>     0     0 LOG        icmp --  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
>>>     0     0 LOG        all  -f  any    any     anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
>>>     0     0 DROP       all  --  any    any     anywhere             anywhere
>>> Chain REDFORWARD (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     tcp  --  eth2   eth3    anywhere             anywhere
>>>     0     0 ACCEPT     udp  --  eth2   eth3    anywhere             anywhere
>>> Chain REDINPUT (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>> Chain WIRELESSFORWARD (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 LOG_DROP   all  --  eth1   any     anywhere             anywhere
>>> Chain WIRELESSINPUT (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 LOG_DROP   all  --  eth1   any     anywhere             anywhere
>>> Chain XTACCESS (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     tcp  --  eth3   any     anywhere             65.19.28.123         tcp dpt:ident
>>> Chain ipac~fi (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>   130 11693            all  --  eth0   any     anywhere             anywhere
>>>     0     0            all  --  eth2   any     anywhere             anywhere
>>>     0     0            all  --  eth1   any     anywhere             anywhere
>>>   129 87740            all  --  eth3   any     anywhere             anywhere
>>> Chain ipac~fo (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>   129 87740            all  --  any    eth0    anywhere             anywhere
>>>     0     0            all  --  any    eth2    anywhere             anywhere
>>>     0     0            all  --  any    eth1    anywhere             anywhere
>>>   130 11693            all  --  any    eth3    anywhere             anywhere
>>> Chain ipac~i (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>   231  157K            all  --  any    eth0    anywhere             anywhere
>>>     0     0            all  --  any    eth2    anywhere             anywhere
>>>     0     0            all  --  any    eth1    anywhere             anywhere
>>>   144 19966            all  --  any    eth3    anywhere             anywhere
>>> Chain ipac~o (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>   293 31279            all  --  eth0   any     anywhere             anywhere
>>>     0     0            all  --  eth2   any     anywhere             anywhere
>>>     0     0            all  --  eth1   any     anywhere             anywhere
>>>   133  130K            all  --  eth3   any     anywhere             anywhere
>>> On Dec 13, 2006, at 10:24 AM, Ed Brown wrote:
>>>> Andres Paglayan wrote:
>>>>> the output of iptables -L
>>>>
>>>> Try 'iptables -vL' (or -nvL). Without the interface info in the
>>>> rules, it's hard to tell very much from them.
>>>>
>>>> -Ed
>>>>
>>>> _______________________________________________
>>>> nmglug mailing list
>>>> nmglug at nmglug.org
>>>> http://www.nmglug.org/mailman/listinfo/nmglug
>>
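Ed's point about the DMZHOLES rules is easy to miss in `iptables -vL` output: a source or destination written as `192.168.50.0` with no mask is a single /32 host, not the network, so a rule meant for the DMZ subnet matches nothing and its packet counter stays at 0. The following Python script is an added example, not code from the thread or from IPCop. It parses the column layout of `iptables -vL` as pasted above and flags address columns that look like a network address but carry no /prefix; the sample text is constructed from the DMZHOLES and CUSTOMFORWARD chains, and the column positions it assumes are those of the listing in this thread.

```python
"""Audit `iptables -vL` output for network addresses entered without a mask.

Added example (not from the nmglug thread or IPCop). A rule address such as
192.168.50.0 without /24 is matched by iptables as the single host
192.168.50.0/32, so the rule silently never applies to the subnet.
"""
import ipaddress

# Protocol names that can appear in the `prot` column; used to detect rules
# whose `target` column is empty (IPCop's accounting-only ipac~ chains).
PROTOCOLS = {"all", "tcp", "udp", "icmp", "udplite", "esp", "ah", "sctp"}

# Constructed sample modelled on two chains from the listing in the thread.
SAMPLE = """\
Chain DMZHOLES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0         192.168.1.0          tcp dpt:http
    0     0 ACCEPT     tcp  --  eth2   eth0    192.168.50.0/24      192.168.1.0/24       tcp dpt:4994
Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  eth0   eth3    anywhere             anywhere             tcp dpt:http reject-with icmp-port-unreachable
"""


def parse_rules(text):
    """Yield (chain, target, source, destination) for each rule line of `iptables -vL`."""
    chain = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            chain = fields[1]
            continue
        if fields[0] == "pkts":  # column header line
            continue
        # With no target, the protocol is the third field; insert an empty target
        # so the remaining columns line up.
        if fields[2].lstrip("!") in PROTOCOLS:
            fields.insert(2, "")
        if len(fields) < 9:
            continue
        yield chain, fields[2], fields[7], fields[8]


def to_network(addr):
    """Interpret an address column the way iptables does: no mask means one host.

    A leading '!' (negation) is stripped; names that are not IP literals
    (e.g. whs.localdomain) return None.
    """
    addr = addr.lstrip("!")
    if addr == "anywhere":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(addr, strict=False)  # "192.168.50.0" -> /32
    except ValueError:
        return None


def looks_like_unmasked_network(addr):
    """True when an address has no /prefix but its last octet is 0: almost
    certainly a network that is currently matching only a single host."""
    if "/" in addr:
        return False
    net = to_network(addr)
    if net is None or net.prefixlen != 32:
        return False
    return net.network_address.packed[-1] == 0


def audit(text):
    """Return (chain, target, column, address) for every suspicious address."""
    findings = []
    for chain, target, src, dst in parse_rules(text):
        for column, addr in (("source", src), ("destination", dst)):
            if looks_like_unmasked_network(addr):
                findings.append((chain, target, column, addr))
    return findings


def address_matches(rule_addr, host):
    """Would this rule's address column match a packet from/to `host`?"""
    net = to_network(rule_addr)
    return net is not None and ipaddress.ip_address(host) in net


if __name__ == "__main__":
    for chain, target, column, addr in audit(SAMPLE):
        print(f"{chain}: {target} rule has unmasked {column} {addr} "
              f"(matches only the host {addr}/32; add the intended /prefix)")
```

Run it against real output with `iptables -vL | python3 audit.py` after swapping `SAMPLE` for `sys.stdin.read()`; with `-n` the address columns are numeric and the same parser applies, since `anywhere` is then printed as `0.0.0.0/0` and already carries a prefix.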