Re: eth1 - iptables do not work
Hi,
Yes, I have
internet)----(eth0,x.y.v.z -- eth1, 192.168.15.1)---(192.168.15.0/24
sshd is listening on port 83 (on all interfaces)
I can ssh and imaps to x.y.v.z from the outside world.
I can access the internet from 192.168.15.23
Yes, I think I screwed up something :-(
The most suspicious is the script I use to set the rules - I downloaded
it from the web and customized it.
************************
Below you find:
1. iptables -L -nv
2. the script I use to set the iptables
   - if I move the LOG on ETH1 after the ACCEPT of ETH1 then there is
     no log; so it seems the ACCEPT rule applies but does not work
3. tcpdump -i eth1 -v
Thanks for your help,
tamas
_____________________________________________________________________
iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source           destination
   43 11505 ACCEPT          all  --  lo   *    0.0.0.0/0        0.0.0.0/0
    0     0 ACCEPT          all  --  eth1 *    192.168.15.0/24  0.0.0.0/0
    0     0 LOG             all  --  eth1 *    192.168.15.0/24  0.0.0.0/0     LOG flags 0 level 6
    3   329 ACCEPT          all  --  eth0 *    0.0.0.0/0        152.19.83.61  state RELATED,ESTABLISHED
    0     0 ACCEPT          tcp  --  *    *    0.0.0.0/0        0.0.0.0/0     state NEW,RELATED,ESTABLISHED tcp dpt:83
    0     0 ACCEPT          tcp  --  *    *    0.0.0.0/0        0.0.0.0/0     state NEW,RELATED,ESTABLISHED tcp dpt:993
   59 16119 drop-and-log-it all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source           destination
    0     0 ACCEPT          all  --  eth0 eth1 0.0.0.0/0        0.0.0.0/0     state RELATED,ESTABLISHED
    0     0 ACCEPT          all  --  eth1 *    0.0.0.0/0        0.0.0.0/0
    0     0 drop-and-log-it all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source           destination
   43 11505 ACCEPT          all  --  *    lo   0.0.0.0/0        0.0.0.0/0
    4   270 ACCEPT          all  --  *    eth0 152.19.83.61     0.0.0.0/0
    0     0 ACCEPT          all  --  *    eth0 192.168.15.0/24  0.0.0.0/0
    0     0 drop-and-log-it all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain drop-and-log-it (3 references)
 pkts bytes target          prot opt in   out  source           destination
   59 16119 REJECT          all  --  *    *    0.0.0.0/0        0.0.0.0/0     reject-with icmp-port-unreachable
_____________________________________________________________________
#!/bin/sh
#iptables-restore < /etc/firewall.conf
echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
EXTIF="eth0"
EXTIP="152.19.83.61"
INTIF="eth1"
INTIP="192.168.15.1"
INTNET="192.168.15.0/24"
UNIVERSE="0.0.0.0/0"
echo "Loading required stateful/NAT kernel modules..."
#/sbin/depmod -a
#/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe iptable_nat
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " External interface: $EXTIF ($EXTIP)"
echo " Loading firewall server rules..."
#************************************************************
# Clear any existing rules and setting default policy to DROP
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
iptables -F drop-and-log-it
fi
# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z
# Creating a DROP chain
iptables -N drop-and-log-it
#iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT
#************************************************************
echo -e " - Loading INPUT rulesets"
# loopback and local interfaces are valid.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET -j LOG --log-level info
iptables -A INPUT -i $INTIF -s $INTNET -j ACCEPT
# no log if LOG is after the prev rule:
#iptables -A INPUT -i $INTIF -s $INTNET -j LOG --log-level info
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow services
iptables -A INPUT -s $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 83 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -j drop-and-log-it
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
echo -e " - Loading OUTPUT rulesets"
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $EXTIF -s $EXTIP -j ACCEPT
iptables -A OUTPUT -o $EXTIF -s $INTNET -j ACCEPT
iptables -A OUTPUT -j drop-and-log-it
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
# Allow all connections OUT and only existing/related IN
echo -e " - Loading FORWARD rulesets"
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -j ACCEPT
iptables -A FORWARD -j drop-and-log-it
# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j SNAT --to $EXTIP
echo -e " Firewall server rule loading complete\n\n"
_____________________________________________________________________
tcpdump -i eth1 -v
#SSH to eth0 or eth1
08:01:56.500123 IP (tos 0x0, ttl 128, id 26273, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.15.23.1521 > 192.168.15.1.83: S, cksum 0xea65 (correct), 2327603280:2327603280(0) win 65535 <mss 1460,nop,nop,sackOK>
08:01:42.709319 IP (tos 0x0, ttl 128, id 26262, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.15.23.1520 > its-sav4.ad.unc.edu.2967: S, cksum 0x1a67 (correct), 3351369879:3351369879(0) win 65535 <mss 1460,nop,nop,sackOK>
#IMAPS
08:00:26.208833 IP (tos 0x0, ttl 128, id 26236, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.15.23.1518 > violin.imaps: S, cksum 0xdc0e (correct), 2557561280:2557561280(0) win 65535 <mss 1460,nop,nop,sackOK>
Paolo wrote:
> On Wed, Oct 08, 2008 at 07:33:50PM -0400, Tamas Hegedus wrote:
> > Hi,
> > I am new to debian. My box has eth0 - x.y.v.z and eth1 - 192.168.15.1
> so you have
> internet)----(eth0,x.y.v.z -- eth1, 192.168.15.1)---(192.168.15.0/24
> > My problem is that I can not connect to my linux box from 192.168.15.x
> so you screwed iptables :)
> > iptables -L -n -v (I simplified the output)
> don't simplify, pls post _full_ output from iptables-save.
> > SPT=4576 DPT=83 WINDOW=655
> what service are you running on port 83?
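Added example (Python; not code from the thread or from either poster): it re-types the posted INPUT chain as a constructed sample, parses the `iptables -L -nv` columns and walks the chain the way netfilter does for the LAN SYN seen in the tcpdump, so the rule that ought to match can be compared with the live counters. Only the match fields visible in `-L -nv` output are modelled, and the packet's conntrack state (NEW) is assumed from the SYN in the capture.

```python
import ipaddress
import re

# Constructed sample: the INPUT chain from the post, re-typed with its counters.
INPUT_CHAIN = """\
   43 11505 ACCEPT          all  --  lo   *  0.0.0.0/0        0.0.0.0/0
    0     0 ACCEPT          all  --  eth1 *  192.168.15.0/24  0.0.0.0/0
    0     0 LOG             all  --  eth1 *  192.168.15.0/24  0.0.0.0/0     LOG flags 0 level 6
    3   329 ACCEPT          all  --  eth0 *  0.0.0.0/0        152.19.83.61  state RELATED,ESTABLISHED
    0     0 ACCEPT          tcp  --  *    *  0.0.0.0/0        0.0.0.0/0     state NEW,RELATED,ESTABLISHED tcp dpt:83
    0     0 ACCEPT          tcp  --  *    *  0.0.0.0/0        0.0.0.0/0     state NEW,RELATED,ESTABLISHED tcp dpt:993
   59 16119 drop-and-log-it all  --  *    *  0.0.0.0/0        0.0.0.0/0
"""
# The SYN from the tcpdump: LAN host to the box's port 83, arriving on eth1 (state assumed NEW).
SYN_FROM_LAN = {"in": "eth1", "prot": "tcp", "src": "192.168.15.23",
                "dst": "192.168.15.1", "dport": 83, "state": "NEW"}

def parse_chain(text):
    """Turn `-L -nv` rule lines into dicts; header and 'Chain' lines are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [match extras]
        if len(f) < 9 or not f[0].isdigit():
            continue
        extra = f[9] if len(f) > 9 else ""
        dpt = re.search(r"dpt:(\d+)", extra)
        st = re.search(r"state (\S+)", extra)
        rules.append({"pkts": int(f[0]), "target": f[2], "prot": f[3], "in": f[5],
                      "src": ipaddress.ip_network(f[7]), "dst": ipaddress.ip_network(f[8]),
                      "dport": int(dpt.group(1)) if dpt else None,
                      "state": set(st.group(1).split(",")) if st else None})
    return rules

def matches(rule, pkt):
    """Match test over the fields `-L -nv` shows: in-iface, proto, src, dst, dport, state."""
    return (rule["in"] in ("*", pkt["in"])
            and rule["prot"] in ("all", pkt["prot"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport"))
            and (rule["state"] is None or pkt["state"] in rule["state"]))

def trace(rules, pkt):
    """Indices of the rules the packet hits, in order; LOG is non-terminating so the walk continues past it."""
    hit = []
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            hit.append(i)
            if rule["target"] != "LOG":
                break
    return hit

if __name__ == "__main__":
    rules = parse_chain(INPUT_CHAIN)
    for i in trace(rules, SYN_FROM_LAN):
        print(f"rule {i + 1}: {rules[i]['target']} (live counter: {rules[i]['pkts']} pkts)")
```

A rule that the walk says should terminate a packet but whose live counter stays at zero means the packets actually arriving do not look like the one you traced (interface name, source address or conntrack state differ), which is what to check next.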