Re: Masquerade doesn't work
These are my iptables rules.
-----------------------------------------------------------------------------------------------------------
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
eth0_in all -- 0.0.0.0/0 0.0.0.0/0
eth1_in all -- 0.0.0.0/0 0.0.0.0/0
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- 0.0.0.0/0 0.0.0.0/0
eth1_fwd all -- 0.0.0.0/0 0.0.0.0/0
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
fw2net all -- 0.0.0.0/0 0.0.0.0/0
fw2loc all -- 0.0.0.0/0 0.0.0.0/0
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain AllowICMPs (2 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
Chain Drop (1 references)
target prot opt source destination
RejectAuth all -- 0.0.0.0/0 0.0.0.0/0
dropBcast all -- 0.0.0.0/0 0.0.0.0/0
AllowICMPs icmp -- 0.0.0.0/0 0.0.0.0/0
dropInvalid all -- 0.0.0.0/0 0.0.0.0/0
DropSMB all -- 0.0.0.0/0 0.0.0.0/0
DropUPnP all -- 0.0.0.0/0 0.0.0.0/0
dropNotSyn tcp -- 0.0.0.0/0 0.0.0.0/0
DropDNSrep all -- 0.0.0.0/0 0.0.0.0/0
Chain DropDNSrep (2 references)
target prot opt source destination
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain DropSMB (1 references)
target prot opt source destination
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:135
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
Chain DropUPnP (2 references)
target prot opt source destination
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
Chain Reject (5 references)
target prot opt source destination
RejectAuth all -- 0.0.0.0/0 0.0.0.0/0
dropBcast all -- 0.0.0.0/0 0.0.0.0/0
AllowICMPs icmp -- 0.0.0.0/0 0.0.0.0/0
dropInvalid all -- 0.0.0.0/0 0.0.0.0/0
RejectSMB all -- 0.0.0.0/0 0.0.0.0/0
DropUPnP all -- 0.0.0.0/0 0.0.0.0/0
dropNotSyn tcp -- 0.0.0.0/0 0.0.0.0/0
DropDNSrep all -- 0.0.0.0/0 0.0.0.0/0
Chain RejectAuth (2 references)
target prot opt source destination
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
Chain RejectSMB (1 references)
target prot opt source destination
reject udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:135
reject udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
reject udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
Chain all2all (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain all2fw (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2fw:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02
Chain dynamic (4 references)
target prot opt source destination
Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
smurfs all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
norfc1918 all -- 0.0.0.0/0 0.0.0.0/0 state NEW
tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0
net2loc all -- 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
smurfs all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
norfc1918 all -- 0.0.0.0/0 0.0.0.0/0 state NEW
tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0
net2fw all -- 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0
loc2net all -- 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0
loc2fw all -- 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
all2all all -- 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (0 references)
target prot opt source destination
Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
all2fw all -- 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
all2all all -- 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:'
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Drop all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
net2all all -- 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
net2all all -- 0.0.0.0/0 0.0.0.0/0
Chain norfc1918 (2 references)
target prot opt source destination
rfc1918 all -- 172.16.0.0/12 0.0.0.0/0
rfc1918 all -- 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12
rfc1918 all -- 192.168.0.0/16 0.0.0.0/0
rfc1918 all -- 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16
rfc1918 all -- 10.0.0.0/8 0.0.0.0/0
rfc1918 all -- 0.0.0.0/0 0.0.0.0/0 ctorigdst 10.0.0.0/8
Chain reject (12 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
DROP all -- 117.13.10.255 0.0.0.0/0
DROP all -- 192.168.61.255 0.0.0.0/0
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain rfc1918 (6 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (2 references)
target prot opt source destination
LOG all -- 117.13.10.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 117.13.10.255 0.0.0.0/0
LOG all -- 192.168.61.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 192.168.61.255 0.0.0.0/0
LOG all -- 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 0.0.0.0/0
LOG all -- 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 224.0.0.0/4 0.0.0.0/0
Chain tcpflags (4 references)
target prot opt source destination
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x16/0x02
-----------------------------------------------------------------------------------------------------------------------------
Robert Buchinger wrote:
hmm, maybe it's better to tell us what iptables -t nat -L says if you use
masquerading
rb
Dexter wrote:
#cat /proc/sys/net/ipv4/ip_forward
1
I'm not setting up remote access to the firewall, so I can't paste the output of
the iptables -nL command. Do you know what I should look for?
Dexter
-----Original Message-----
From: Dexter [mailto:dexter@madalbal.sk]
Sent: Monday, October 10, 2005 7:31 PM
To: 'debian-firewall@lists.debian.org'
Subject: Masquerade doesn't work
Hello,
I've installed Debian Sarge (just basic system packages). I'm
trying to set up the Shorewall firewall on it. My problem is that
Masquerade is not working. That is:
- I can ping from the local system to the firewall
- I can ping from the firewall to the Internet
- I can NOT ping from the local system to the Internet
When I run:
#tcpdump -i eth0 icmp
which will listen for ICMP packets on my external interface,
and I ping from the local system to the Internet,
I can see outgoing echo request packets, BUT with the source
address of the local system. So no reply can come back to me. Now
it's clear that the problem is masquerading.
I've set up also /etc/shorewall/masq:
----------
eth0 eth1
---------
What did I miss? I have no idea, what is wrong.
Thanks for reply.
Dexter
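An added check, not from the thread or from Shorewall, for the piece of state Robert asks about: whether the nat table actually carries a masquerading rule for traffic leaving the external interface. It assumes eth0 is the external interface and takes an iptables-save style dump as input; both sample dumps are constructed, and the 192.168.61.0/24 LAN subnet is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): checks an iptables-save style dump for
# the nat-table rule that masquerading needs on the external interface.
# Offline it runs against the constructed samples below; on the firewall you
# would pass the real `iptables-save` output to has_masq instead.

# Constructed: what the nat table should contain after Shorewall processes a
# masq entry of "eth0 eth1" (LAN subnet 192.168.61.0/24 is an assumption).
# Shorewall may place the MASQUERADE in a per-interface chain, so the check
# follows one level of -j into a user chain.
SAMPLE_GOOD='*nat
:POSTROUTING ACCEPT [0:0]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.61.0/24 -j MASQUERADE
COMMIT'

# Constructed: the poster's symptom, a nat table with no masquerading at all,
# so packets leave eth0 with the LAN source address the tcpdump showed.
SAMPLE_BAD='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# has_masq DUMP IFACE: exit 0 when a nat POSTROUTING rule for traffic leaving
# IFACE ends in MASQUERADE or SNAT, directly or via one user chain.
has_masq() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /^-A / {
            n++; chain[n] = $2; rule[n] = $0; tgt[n] = ""
            if (match($0, /-j [^ ]+/)) tgt[n] = substr($0, RSTART + 3, RLENGTH - 3)
        }
        END {
            out = "-o " ifc "( |$)"
            # user chains reached from POSTROUTING for packets leaving ifc
            for (i = 1; i <= n; i++)
                if (chain[i] == "POSTROUTING" && rule[i] ~ out) follow[tgt[i]] = 1
            for (i = 1; i <= n; i++)
                if ((chain[i] in follow || (chain[i] == "POSTROUTING" && rule[i] ~ out)) &&
                    tgt[i] ~ /^(MASQUERADE|SNAT)$/) found = 1
            exit !found
        }'
}
```

If the check fails on a live box, the masq file is not being applied, which is the first thing to confirm before looking at the filter chains.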