Re: Masquerade doesn't work

To: debian-firewall@lists.debian.org
Subject: Re: Masquerade doesn't work
From: Dexter <dexter@madalbal.sk>
Date: Mon, 10 Oct 2005 21:31:41 +0200
Message-id: <[🔎] 434AC19D.8020605@madalbal.sk>
In-reply-to: <[🔎] 434AAFB1.9080600@gmx.ch>
References: <[🔎] 20051010180433.0D3C82DDD2@murphy.debian.org> <[🔎] 434AAFB1.9080600@gmx.ch>

This are my iptables rules.
-----------------------------------------------------------------------------------------------------------


Chain INPUT (policy DROP)

target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0eth0_in all -- 0.0.0.0/0 0.0.0.0/0eth1_in all -- 0.0.0.0/0 0.0.0.0/0Reject all -- 0.0.0.0/0 0.0.0.0/0LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0level 6 prefix `Shorewall:INPUT:REJECT:'reject all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)

target prot opt source destinationeth0_fwd all -- 0.0.0.0/0 0.0.0.0/0eth1_fwd all -- 0.0.0.0/0 0.0.0.0/0Reject all -- 0.0.0.0/0 0.0.0.0/0LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0level 6 prefix `Shorewall:FORWARD:REJECT:'reject all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)

target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0fw2net all -- 0.0.0.0/0 0.0.0.0/0fw2loc all -- 0.0.0.0/0 0.0.0.0/0Reject all -- 0.0.0.0/0 0.0.0.0/0LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0level 6 prefix `Shorewall:OUTPUT:REJECT:'reject all -- 0.0.0.0/0 0.0.0.0/0

Chain AllowICMPs (2 references)

target prot opt source destinationACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3code 4

ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11

Chain Drop (1 references)

target prot opt source destinationRejectAuth all -- 0.0.0.0/0 0.0.0.0/0dropBcast all -- 0.0.0.0/0 0.0.0.0/0AllowICMPs icmp -- 0.0.0.0/0 0.0.0.0/0dropInvalid all -- 0.0.0.0/0 0.0.0.0/0DropSMB all -- 0.0.0.0/0 0.0.0.0/0DropUPnP all -- 0.0.0.0/0 0.0.0.0/0dropNotSyn tcp -- 0.0.0.0/0 0.0.0.0/0DropDNSrep all -- 0.0.0.0/0 0.0.0.0/0

Chain DropDNSrep (2 references)

target prot opt source destinationDROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53


Chain DropSMB (1 references)

target prot opt source destinationDROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:135DROP udp -- 0.0.0.0/0 0.0.0.0/0 udpdpts:137:139

DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:135
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain DropUPnP (2 references)

target prot opt source destinationDROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900


Chain Reject (5 references)

target prot opt source destinationRejectAuth all -- 0.0.0.0/0 0.0.0.0/0dropBcast all -- 0.0.0.0/0 0.0.0.0/0AllowICMPs icmp -- 0.0.0.0/0 0.0.0.0/0dropInvalid all -- 0.0.0.0/0 0.0.0.0/0RejectSMB all -- 0.0.0.0/0 0.0.0.0/0DropUPnP all -- 0.0.0.0/0 0.0.0.0/0dropNotSyn tcp -- 0.0.0.0/0 0.0.0.0/0DropDNSrep all -- 0.0.0.0/0 0.0.0.0/0

Chain RejectAuth (2 references)

target prot opt source destinationreject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113


Chain RejectSMB (1 references)

target prot opt source destinationreject udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:135reject udp -- 0.0.0.0/0 0.0.0.0/0 udpdpts:137:139

reject     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445
reject     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:135
reject     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139
reject     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain all2all (2 references)

target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateRELATED,ESTABLISHEDReject all -- 0.0.0.0/0 0.0.0.0/0LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0level 6 prefix `Shorewall:all2all:REJECT:'reject all -- 0.0.0.0/0 0.0.0.0/0

Chain all2fw (1 references)

Chain dropBcast (2 references)

target prot opt source destinationDROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =broadcastDROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =multicast


Chain dropInvalid (2 references)

target prot opt source destinationDROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID


Chain dropNotSyn (2 references)

target prot opt source destinationDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags:!0x16/0x02


Chain dynamic (4 references)

target prot opt source destination

Chain eth0_fwd (1 references)

target prot opt source destinationdynamic all -- 0.0.0.0/0 0.0.0.0/0 stateINVALID,NEWsmurfs all -- 0.0.0.0/0 0.0.0.0/0 stateINVALID,NEW

norfc1918  all  --  0.0.0.0/0            0.0.0.0/0           state NEW

tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0net2loc all -- 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)

target prot opt source destinationdynamic all -- 0.0.0.0/0 0.0.0.0/0 stateINVALID,NEWsmurfs all -- 0.0.0.0/0 0.0.0.0/0 stateINVALID,NEW

norfc1918  all  --  0.0.0.0/0            0.0.0.0/0           state NEW

tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0net2fw all -- 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)

target prot opt source destinationdynamic all -- 0.0.0.0/0 0.0.0.0/0 stateINVALID,NEWtcpflags tcp -- 0.0.0.0/0 0.0.0.0/0loc2net all -- 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)

target prot opt source destinationdynamic all -- 0.0.0.0/0 0.0.0.0/0 stateINVALID,NEWtcpflags tcp -- 0.0.0.0/0 0.0.0.0/0loc2fw all -- 0.0.0.0/0 0.0.0.0/0

Chain fw2loc (1 references)

target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateRELATED,ESTABLISHED

ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)

target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateRELATED,ESTABLISHED

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995

all2all all -- 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (0 references)

target prot opt source destination

Chain loc2fw (1 references)

target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateRELATED,ESTABLISHED

ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0

all2fw all -- 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)

target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateRELATED,ESTABLISHED

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995

all2all all -- 0.0.0.0/0 0.0.0.0/0

Chain logflags (5 references)

target prot opt source destinationLOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 4level 6 prefix `Shorewall:logflags:DROP:'DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain net2all (2 references)

target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateRELATED,ESTABLISHEDDrop all -- 0.0.0.0/0 0.0.0.0/0LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0level 6 prefix `Shorewall:net2all:DROP:'DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)

target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateRELATED,ESTABLISHED

ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0

net2all all -- 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)

target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateRELATED,ESTABLISHED

ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0

net2all all -- 0.0.0.0/0 0.0.0.0/0

Chain norfc1918 (2 references)

target prot opt source destinationrfc1918 all -- 172.16.0.0/12 0.0.0.0/0rfc1918 all -- 0.0.0.0/0 0.0.0.0/0 ctorigdst172.16.0.0/12rfc1918 all -- 192.168.0.0/16 0.0.0.0/0rfc1918 all -- 0.0.0.0/0 0.0.0.0/0 ctorigdst192.168.0.0/16rfc1918 all -- 10.0.0.0/8 0.0.0.0/0rfc1918 all -- 0.0.0.0/0 0.0.0.0/0 ctorigdst10.0.0.0/8


Chain reject (12 references)

target prot opt source destinationDROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =broadcastDROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =multicastDROP all -- 117.13.10.255 0.0.0.0/0DROP all -- 192.168.61.255 0.0.0.0/0DROP all -- 255.255.255.255 0.0.0.0/0DROP all -- 224.0.0.0/4 0.0.0.0/0REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-withtcp-resetREJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-withicmp-port-unreachableREJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-withicmp-host-unreachableREJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-withicmp-host-prohibited


Chain rfc1918 (6 references)

target prot opt source destinationLOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0level 6 prefix `Shorewall:rfc1918:DROP:'DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain shorewall (0 references)

target prot opt source destination

Chain smurfs (2 references)

target prot opt source destinationLOG all -- 117.13.10.255 0.0.0.0/0 LOG flags 0level 6 prefix `Shorewall:smurfs:DROP:'DROP all -- 117.13.10.255 0.0.0.0/0LOG all -- 192.168.61.255 0.0.0.0/0 LOG flags 0level 6 prefix `Shorewall:smurfs:DROP:'DROP all -- 192.168.61.255 0.0.0.0/0LOG all -- 255.255.255.255 0.0.0.0/0 LOG flags 0level 6 prefix `Shorewall:smurfs:DROP:'DROP all -- 255.255.255.255 0.0.0.0/0LOG all -- 224.0.0.0/4 0.0.0.0/0 LOG flags 0level 6 prefix `Shorewall:smurfs:DROP:'DROP all -- 224.0.0.0/4 0.0.0.0/0

Chain tcpflags (4 references)

target prot opt source destinationlogflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags:0x3F/0x29logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags:0x3F/0x00logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags:0x06/0x06logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags:0x03/0x03logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:0flags:0x16/0x02-----------------------------------------------------------------------------------------------------------------------------



Robert Buchinger wrote:

hmm maybe its better to tell us what iptables -t nat -L says if you use
masquerading

rb


Dexter wrote:
#cat /proc/sys/net/ipv4/ip_forward
1

I'm not seting remote access to firewall, so I can't past output of
iptables -nL command. Do you know, what should I look for?
Dexter
-----Original Message-----
From: Dexter [mailto:dexter@madalbal.sk]Sent: Monday, October 10, 2005 7:31 PM
To: 'debian-firewall@lists.debian.org'
Subject: Masquerade doesn't work

Hello,
I've installed Debian Sarge (just basic system packages). I'mtrying to setup Shorewall firewall on it. My problem is, thatMasquerade is not working. That is:-I can ping from local system to firewall -I can ping fromfirewall to Internet -I can NOT ping from local system toInternet When I run:
#tcpdump -i eth0 icmp
which will listen for icmp packed on my external interface.And I ping from local system to internet.I can see outgoing echo request packages, BUT with sourceaddress of local system. So no reply can come back to me. Nowit's clear, that problem is masquerading.
I've set up also /etc/shorewall/masq:
----------
eth0 eth1
---------
What did I miss? I have no idea, what is wrong.
Thanks for reply.
  Dexter

Reply to:

Follow-Ups:
- Re: Masquerade doesn't work
  - From: Miroslaw Kwasniak <mirek@zind.ikem.pwr.wroc.pl>

References:
- RE: Masquerade doesn't work
  - From: "Dexter" <dexter@madalbal.sk>
- Re: Masquerade doesn't work
  - From: Robert Buchinger <robert_buchinger@gmx.ch>

Prev by Date: Re: Masquerade doesn't work
Next by Date: Re: Masquerade doesn't work
Previous by thread: Re: Masquerade doesn't work
Next by thread: Re: Masquerade doesn't work
Index(es):
- Date
- Thread