Re: home network behind a firewall/router
2007/11/4, Raj Kiran Grandhi <grajkiran@gmail.com>:
>
> You did enable IP masquerading on your gateway machine, didn't you?
No, I did not.
> Also output of "iptables --list" on your gateway
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
eth3_in 0 -- anywhere anywhere
eth1_in 0 -- anywhere anywhere
eth2_in 0 -- anywhere anywhere
Reject 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject 0 -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
eth3_fwd 0 -- anywhere anywhere
eth1_fwd 0 -- anywhere anywhere
eth2_fwd 0 -- anywhere anywhere
Reject 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject 0 -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
fw2stc 0 -- anywhere anywhere policy match dir out pol none
fw2loc 0 -- anywhere anywhere policy match dir out pol none
fw2dmz 0 -- anywhere anywhere policy match dir out pol none
Reject 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject 0 -- anywhere anywhere
Chain Drop (1 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid 0 -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain
Chain Reject (4 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid 0 -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain
Chain all2all (2 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
Reject 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject 0 -- anywhere anywhere
Chain dmz2all (3 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
Chain dmz2fw (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- debian-szerver anywhere multiport dports 9999,www
dmz2all 0 -- anywhere anywhere
Chain dmz2loc (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- debian-szerver debian-asztal tcp dpt:9999
dmz2all 0 -- anywhere anywhere
Chain dropBcast (2 references)
target prot opt source destination
DROP 0 -- anywhere anywhere PKTTYPE = broadcast
DROP 0 -- anywhere anywhere PKTTYPE = multicast
Chain dropInvalid (2 references)
target prot opt source destination
DROP 0 -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
Chain dynamic (6 references)
target prot opt source destination
Chain eth1_fwd (1 references)
target prot opt source destination
dynamic 0 -- anywhere anywhere state INVALID,NEW
loc2stc 0 -- anywhere anywhere policy match dir out pol none
loc2dmz 0 -- anywhere anywhere policy match dir out pol none
Chain eth1_in (1 references)
target prot opt source destination
dynamic 0 -- anywhere anywhere state INVALID,NEW
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
loc2fw 0 -- anywhere anywhere policy match dir in pol none
Chain eth2_fwd (1 references)
target prot opt source destination
dynamic 0 -- anywhere anywhere state INVALID,NEW
dmz2all 0 -- anywhere anywhere policy match dir out pol none
dmz2loc 0 -- anywhere anywhere policy match dir out pol none
Chain eth2_in (1 references)
target prot opt source destination
dynamic 0 -- anywhere anywhere state INVALID,NEW
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
dmz2fw 0 -- anywhere anywhere policy match dir in pol none
Chain eth3_fwd (1 references)
target prot opt source destination
dynamic 0 -- anywhere anywhere state INVALID,NEW
stc2loc 0 -- anywhere anywhere policy match dir out pol none
stc2dmz 0 -- anywhere anywhere policy match dir out pol none
Chain eth3_in (1 references)
target prot opt source destination
dynamic 0 -- anywhere anywhere state INVALID,NEW
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
stc2fw 0 -- anywhere anywhere policy match dir in pol none
Chain fw2dmz (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere debian-szerver tcp dpt:9999
all2all 0 -- anywhere anywhere
Chain fw2loc (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
all2all 0 -- anywhere anywhere
Chain fw2stc (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT 0 -- anywhere anywhere
Chain loc2all (3 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
Chain loc2dmz (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere debian-szerver tcp dpt:www
ACCEPT tcp -- anywhere debian-szerver tcp dpt:ipp
ACCEPT tcp -- anywhere debian-szerver tcp dpt:https
ACCEPT tcp -- anywhere debian-szerver tcp dpt:microsoft-ds
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere debian-szerver tcp dpt:ssh
ACCEPT tcp -- debian-asztal debian-szerver tcp dpt:9999
loc2all 0 -- anywhere anywhere
Chain loc2fw (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- debian-asztal anywhere tcp dpt:ssh
loc2all 0 -- anywhere anywhere
Chain loc2stc (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
loc2all 0 -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level info prefix `Shorewall:logdrop:DROP:'
DROP 0 -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level info prefix `Shorewall:logreject:REJECT:'
reject 0 -- anywhere anywhere
Chain reject (11 references)
target prot opt source destination
DROP 0 -- 255.255.255.255 anywhere
DROP 0 -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP 0 -- anywhere anywhere PKTTYPE = broadcast
DROP 0 -- anywhere anywhere PKTTYPE = multicast
DROP 0 -- 255.255.255.255 anywhere
DROP 0 -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT 0 -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
LOG 0 -- 10.91.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP 0 -- 10.91.255.255 anywhere
LOG 0 -- 192.168.1.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP 0 -- 192.168.1.255 anywhere
LOG 0 -- 192.168.2.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP 0 -- 192.168.2.255 anywhere
LOG 0 -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP 0 -- 255.255.255.255 anywhere
LOG 0 -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP 0 -- BASE-ADDRESS.MCAST.NET/4 anywhere
Chain stc2all (3 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
Drop 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Shorewall:stc2all:DROP:'
DROP 0 -- anywhere anywhere
Chain stc2dmz (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere debian-szerver tcp dpt:www
stc2all 0 -- anywhere anywhere
Chain stc2fw (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP udp -- anywhere anywhere udp dpts:1026:1029
stc2all 0 -- anywhere anywhere
Chain stc2loc (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
stc2all 0 -- anywhere anywhere
> and "route" on your lan clients would help.
route on box-3
--------------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
route on box-2
--------------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
--
Regards, Paul Csanyi
http://www.freewebs.com/csanyi-pal/index.htm
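A note added to this archived thread (it is not part of Paul's or Raj's message) on what the listing above shows. The filter table lets the LAN out: eth1_fwd hands 192.168.1.0/24 traffic to loc2stc, whose fall-through loc2all ends in an unconditional ACCEPT. What is missing, by Paul's own answer, is a MASQUERADE (or SNAT) rule in the nat table's POSTROUTING chain. Without it, forwarded packets leave the outside interface with their private 192.168.x.x source address, the upstream router has no route back to that address, and the clients see timeouts even though nothing is being rejected or logged by the firewall. In Shorewall of that era the fix is one line per subnet in /etc/shorewall/masq (INTERFACE SUBNET, e.g. `eth3 192.168.1.0/24`), IP_FORWARDING=On in shorewall.conf, then `shorewall restart`; the raw iptables equivalent is `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth3 -j MASQUERADE`, but Shorewall discards hand-added rules on restart. That eth3 is the Internet-facing interface is an assumption drawn from the stc zone's rules (unrestricted fw2stc, a drop for the usual UDP 1026:1029 noise in stc2fw); the box's actual interface names should be checked. The script below is an added example, written for this note, that runs the three checks a client behind such a gateway depends on. It works on captured command output so it runs offline: the two nat listings are constructed samples (the second shows the chain Shorewall builds from the masq entry above), the route table is box-2's as posted, and the 192.168.1.0/24 subnet is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the three things a
# Linux NAT gateway needs before its LAN clients can reach the outside world.
# The functions take captured command output as arguments so they run here
# without root; on a real gateway feed them live output, e.g.
#   diagnose "$(iptables -t nat -L -n)" "$(cat /proc/sys/net/ipv4/ip_forward)" \
#            "$(route -n)" 192.168.1.0/24

# Constructed sample: "iptables -t nat -L -n" on a gateway with no NAT rules,
# which is the "No, I did not [enable masquerading]" state from the thread.
NAT_EMPTY='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: the same listing after a Shorewall masq entry of
# "eth3 192.168.1.0/24" (eth3 being the Internet-facing interface is an
# assumption; Shorewall hangs the MASQUERADE rule off a per-interface chain).
NAT_MASQ='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
eth3_masq  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain eth3_masq (1 references)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       0.0.0.0/0'

# "route -n" on box-2, as posted in the thread.
ROUTE_BOX2='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1'

# has_masquerade NAT_LISTING SUBNET
# Succeeds if any chain holds a MASQUERADE or SNAT rule whose source column
# is SUBNET (or 0.0.0.0/0, which covers everything). Chain names are ignored,
# so Shorewall's per-interface chains are found as well as a bare POSTROUTING rule.
has_masquerade() {
    printf '%s\n' "$1" | awk -v net="$2" '
        ($1 == "MASQUERADE" || $1 == "SNAT") && ($4 == net || $4 == "0.0.0.0/0") {
            found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# default_gateway ROUTE_LISTING
# Prints the gateway of the 0.0.0.0 (default) route.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# gateway_on_link ROUTE_LISTING
# Succeeds if the default gateway lies inside a directly connected /24
# (a route with flags U and genmask 255.255.255.0) in the same listing,
# i.e. the client can actually ARP for its gateway.
gateway_on_link() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0" && $4 ~ /G/ { gw = $2 }
        $4 == "U" && $3 == "255.255.255.0" { net[$1] = 1 }
        END {
            if (gw == "") exit 1
            split(gw, o, ".")
            if ((o[1] "." o[2] "." o[3] ".0") in net) exit 0
            exit 1
        }'
}

# diagnose NAT_LISTING IP_FORWARD ROUTE_LISTING SUBNET
# Prints the first missing piece: no-forwarding, no-masquerade,
# bad-default-route, or ok when all three checks pass.
diagnose() {
    [ "$2" = "1" ]            || { echo no-forwarding;     return 0; }
    has_masquerade "$1" "$4"  || { echo no-masquerade;     return 0; }
    gateway_on_link "$3"      || { echo bad-default-route; return 0; }
    echo ok
}

# Demonstration on the constructed samples:
diagnose "$NAT_EMPTY" 1 "$ROUTE_BOX2" 192.168.1.0/24   # no-masquerade
diagnose "$NAT_MASQ"  1 "$ROUTE_BOX2" 192.168.1.0/24   # ok
```

The order of the checks in diagnose is deliberate: a client's routing table can be perfect (box-2's is) and forwarding can be on, yet the first packet still dies at the upstream router if the source address was never rewritten, which is exactly the symptom that does not show up in any Shorewall log because nothing is dropped on the gateway itself.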