[CentOS] iptables: forwarding on internal device
Nataraj
incoming-centos at rjl.com
Tue Feb 10 20:22:58 UTC 2009
On Sat, 2009-02-07 at 08:43 +0100, Marcus Moeller wrote:
> Dear Joshua.
>
> > You are going to have to add rules to both your INPUT and OUTPUT
> > chains to allow this traffic through. Could you send on a copy of
> > /etc/sysconfig/iptables, if that is how your are loading these rules?
> > I could then send you the exact commands to run.
One thing I notice is that you call the my_drop chain from INPUT, OUTPUT
and FORWARD chains. Since you are trying to route packets in/out the
same interface, there is no way to tell whether the packets are actually
being dropped on INPUT, OUTPUT or FORWARD. If you were to change
things, at least temporarily so that your DROP printed a different
message for INPUT, OUTPUT and FORWARD, you would at least be able to
tell where the packets are being dropped. The fastest way to do this
might be to duplicate the my_drop chain as my_drop_input, my_drop_output
and my_drop_forward, change the message in each and call the correct one
from each chain. Then you would at least know where the problem was.
Nataraj
> >
>
> I am not sure why I schould add input and output rules if I want to
> forward packages through a device but I can give it a try.
>
> Btw. I am using service iptables save at the bottom of my script to
> store the rules.
>
> Best Regards
> Marcus
>
>
> > Josh
> >
> >
> > On Fri, Feb 6, 2009 at 1:57 PM, Marcus Moeller <mm at gcug.de> wrote:
> >> Hi Again.
> >>> Iptables -nL
> >>>
> >>> Show?
> >>
> >> Here is the complete output (there are a lot of other rules active on
> >> that machine):
> >>
> >> Chain INPUT (policy DROP)
> >> target prot opt source destination
> >> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> >> my_drop all -- 10.0.0.0/8 0.0.0.0/0
> >> my_drop all -- 172.16.0.0/12 0.0.0.0/0
> >> my_drop all -- 192.168.0.0/16 0.0.0.0/0
> >> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> >> RELATED,ESTABLISHED
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:22 state NEW
> >> my_drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> flags:0x17/0x02
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:25 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:110 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:22 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> spts:1024:65535 dpt:53 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> spts:1024:65535 dpt:53 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> spts:1024:65535 dpt:37 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:3128 state NEW
> >> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp
> >> type 0
> >> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp
> >> type 8
> >> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp
> >> type 8
> >> my_drop all -- 0.0.0.0/0 0.0.0.0/0
> >>
> >> Chain FORWARD (policy DROP)
> >> target prot opt source destination
> >> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> >> RELATED,ESTABLISHED
> >> ACCEPT tcp -- 0.0.0.0/0 172.28.0.16 tcp
> >> dpt:1249
> >> ACCEPT tcp -- 0.0.0.0/0 192.168.171.253 tcp
> >> dpt:25
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> spts:1024:65535 dpt:1194 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:1723 state NEW
> >> ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0 state
> >> NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:25 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:443 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:25 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> spts:1024:65535 dpt:6277 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:2703 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:22 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:446 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpts:20:21 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:80 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:443 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> spts:1024:65535 dpt:53 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> spts:1024:65535 dpt:37 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:1494 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:8000 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpts:1000:1004 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:6667 state NEW
> >> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> >> NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:3000 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:866 state NEW
> >> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp
> >> type 0
> >> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp
> >> type 8
> >> my_drop all -- 0.0.0.0/0 0.0.0.0/0
> >>
> >> Chain OUTPUT (policy DROP)
> >> target prot opt source destination
> >> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> >> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> >> RELATED,ESTABLISHED
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:25 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:25 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:25 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> spts:1024:65535 dpt:6277 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:2703 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:110 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:22 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:22 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:22 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:446 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpts:20:21 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:80 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 192.168.100.4 tcp
> >> spts:1024:65535 dpt:80 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:443 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 192.168.100.4 tcp
> >> spts:1024:65535 dpt:443 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> dpt:53 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> spts:1024:65535 dpt:53 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:53 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 134.130.4.17 udp
> >> spts:1024:65535 dpt:37 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 130.149.17.21 udp
> >> spts:1024:65535 dpt:37 state NEW
> >> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> dpt:123 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:43 state NEW
> >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> spts:1024:65535 dpt:113 state NEW
> >> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp
> >> type 8
> >> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp
> >> type 0
> >> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp
> >> type 0
> >> my_drop all -- 0.0.0.0/0 0.0.0.0/0
> >>
> >> Chain my_drop (7 references)
> >> target prot opt source destination
> >> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> dpts:4661:4662 reject-with icmp-port-unreachable
> >> REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> dpt:4665 reject-with icmp-port-unreachable
> >> REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> dpt:1214 reject-with icmp-port-unreachable
> >> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> dpts:137:139 reject-with icmp-port-unreachable
> >> REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp
> >> dpts:137:139 reject-with icmp-port-unreachable
> >> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> flags:0x17/0x02 limit: avg 10/min burst 5 LOG flags 0 level 6 prefix
> >> `DROP-TCP-SYN '
> >> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> flags:0x17/0x02 reject-with tcp-reset
> >> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> >> flags:0x17/0x02
> >> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit:
> >> avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-TCP '
> >> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0
> >> reject-with tcp-reset
> >> DROP tcp -- 0.0.0.0/0 0.0.0.0/0
> >> LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit:
> >> avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-UDP '
> >> REJECT udp -- 0.0.0.0/0 0.0.0.0/0
> >> reject-with icmp-port-unreachable
> >> DROP udp -- 0.0.0.0/0 0.0.0.0/0
> >> LOG icmp -- 0.0.0.0/0 0.0.0.0/0 LOG
> >> flags
> >> 0 level 6 prefix `DROP-ICMP '
> >> DROP icmp -- 0.0.0.0/0 0.0.0.0/0
> >> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> >> avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-PROTO-ETC '
> >> REJECT all -- 0.0.0.0/0 0.0.0.0/0
> >> reject-with icmp-proto-unreachable
> >> DROP all -- 0.0.0.0/0 0.0.0.0/0
> >>
> >> Best Regards
> >> Marcus
> >> _______________________________________________
> >> CentOS mailing list
> >> CentOS at centos.org
> >> http://lists.centos.org/mailman/listinfo/centos
> >>
> >
> >
> >
> > --
> > Thx
> > Joshua Gimer
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
More information about the CentOS
mailing list