[CentOS] iptables: forwarding on internal device
Joshua Gimer
jgimer at gmail.com
Fri Feb 6 23:49:11 UTC 2009
You are going to have to add rules to both your INPUT and OUTPUT
chains to allow this traffic through. Could you send on a copy of
/etc/sysconfig/iptables, if that is how you are loading these rules?
I could then send you the exact commands to run.
Josh
On Fri, Feb 6, 2009 at 1:57 PM, Marcus Moeller <mm at gcug.de> wrote:
> Hi Again.
>> Iptables -nL
>>
>> Show?
>
> Here is the complete output (there are a lot of other rules active on
> that machine):
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> my_drop all -- 10.0.0.0/8 0.0.0.0/0
> my_drop all -- 172.16.0.0/12 0.0.0.0/0
> my_drop all -- 192.168.0.0/16 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:22 state NEW
> my_drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:25 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:110 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:22 state NEW
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> spts:1024:65535 dpt:53 state NEW
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> spts:1024:65535 dpt:53 state NEW
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> spts:1024:65535 dpt:37 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:3128 state NEW
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
> my_drop all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> ACCEPT tcp -- 0.0.0.0/0 172.28.0.16 tcp dpt:1249
> ACCEPT tcp -- 0.0.0.0/0 192.168.171.253 tcp dpt:25
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> spts:1024:65535 dpt:1194 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:1723 state NEW
> ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:25 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:443 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:25 state NEW
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> spts:1024:65535 dpt:6277 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:2703 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:22 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:446 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpts:20:21 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:80 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:443 state NEW
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> spts:1024:65535 dpt:53 state NEW
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> spts:1024:65535 dpt:37 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:1494 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:8000 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpts:1000:1004 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:6667 state NEW
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:3000 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:866 state NEW
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
> my_drop all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:25 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:25 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:25 state NEW
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> spts:1024:65535 dpt:6277 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:2703 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:110 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:22 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:22 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:22 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:446 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpts:20:21 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:80 state NEW
> ACCEPT tcp -- 0.0.0.0/0 192.168.100.4 tcp
> spts:1024:65535 dpt:80 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:443 state NEW
> ACCEPT tcp -- 0.0.0.0/0 192.168.100.4 tcp
> spts:1024:65535 dpt:443 state NEW
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> dpt:53 state NEW
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> spts:1024:65535 dpt:53 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:53 state NEW
> ACCEPT udp -- 0.0.0.0/0 134.130.4.17 udp
> spts:1024:65535 dpt:37 state NEW
> ACCEPT udp -- 0.0.0.0/0 130.149.17.21 udp
> spts:1024:65535 dpt:37 state NEW
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> dpt:123 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:43 state NEW
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> spts:1024:65535 dpt:113 state NEW
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
> my_drop all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain my_drop (7 references)
> target prot opt source destination
> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> dpts:4661:4662 reject-with icmp-port-unreachable
> REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> dpt:4665 reject-with icmp-port-unreachable
> REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> dpt:1214 reject-with icmp-port-unreachable
> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> dpts:137:139 reject-with icmp-port-unreachable
> REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> dpts:137:139 reject-with icmp-port-unreachable
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> flags:0x17/0x02 limit: avg 10/min burst 5 LOG flags 0 level 6 prefix
> `DROP-TCP-SYN '
> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> flags:0x17/0x02 reject-with tcp-reset
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-TCP '
> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0
> reject-with tcp-reset
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0
> LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-UDP '
> REJECT udp -- 0.0.0.0/0 0.0.0.0/0
> reject-with icmp-port-unreachable
> DROP udp -- 0.0.0.0/0 0.0.0.0/0
> LOG icmp -- 0.0.0.0/0 0.0.0.0/0 LOG flags
> 0 level 6 prefix `DROP-ICMP '
> DROP icmp -- 0.0.0.0/0 0.0.0.0/0
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-PROTO-ETC '
> REJECT all -- 0.0.0.0/0 0.0.0.0/0
> reject-with icmp-proto-unreachable
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Best Regards
> Marcus
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
--
Thx
Joshua Gimer
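The listing Marcus quoted is wrapped by the mail client and, because it comes from `iptables -nL` rather than `iptables -nvL`, shows no in/out interface, so a FORWARD rule such as `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW` cannot be judged from it alone. As an added example (not code from either poster), the Python below re-joins the wrapped lines, parses the chains and flags ACCEPT rules that match any protocol, any source and any destination for new connections; the sample input is a constructed excerpt of the thread's listing.

```python
import re

# Constructed sample: excerpts of the `iptables -nL` listing from the thread,
# with the line wrapping the mail client introduced left in place.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
spts:1024:65535 dpt:22 state NEW
my_drop all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 172.28.0.16 tcp dpt:1249
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
my_drop all -- 0.0.0.0/0 0.0.0.0/0

Chain my_drop (7 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
"""

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "MASQUERADE", "SNAT", "DNAT"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")

def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [rule]}} from `iptables -nL` text.
    A rule is a dict with target/prot/src/dst/extra; a line whose first word is not
    a known target (built-in or user chain) is glued onto the previous rule as a
    wrapped continuation. Heuristic: a continuation starting with a target name would be
    misread, so check the result against the unwrapped original where possible."""
    lines = [l.strip() for l in text.splitlines()]
    targets = BUILTIN_TARGETS | {m.group(1) for m in map(CHAIN_RE.match, lines) if m}
    chains, rules = {}, None
    for line in lines:
        m = CHAIN_RE.match(line)
        if m:
            rules = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})["rules"]
        elif not line or line.startswith("target prot opt"):
            continue
        elif line.split()[0] in targets:
            f = line.split(None, 5)
            rules.append({"target": f[0], "prot": f[1], "src": f[3], "dst": f[4],
                          "extra": f[5] if len(f) > 5 else ""})
        elif rules:  # wrapped continuation, e.g. "RELATED,ESTABLISHED"
            rules[-1]["extra"] = (rules[-1]["extra"] + " " + line).strip()
    return chains

def broad_accepts(chains):
    """ACCEPT rules matching any protocol, any source and any destination that are not
    limited to RELATED,ESTABLISHED; -nL hides -i/-o, so confirm each with iptables -nvL."""
    return [(name, r["extra"] or "<no match>") for name, chain in chains.items()
            for r in chain["rules"]
            if r["target"] == "ACCEPT" and r["prot"] == "all" and r["src"] == "0.0.0.0/0"
            and r["dst"] == "0.0.0.0/0" and "RELATED,ESTABLISHED" not in r["extra"]]
```

Run against a full `iptables -nL` dump the flagged entries are the ones to re-check with `-v`; a FORWARD rule that really has no interface match accepts every new connection through the router.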