[CentOS] iptables: forwarding on internal device

Fri Feb 6 20:57:42 UTC 2009
Marcus Moeller <mm at gcug.de>

Hi Again.
> Iptables -nL
>
> Show?

Here is the complete output (there are a lot of other rules active on
that machine):

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
my_drop    all  --  10.0.0.0/8           0.0.0.0/0
my_drop    all  --  172.16.0.0/12        0.0.0.0/0
my_drop    all  --  192.168.0.0/16       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:22 state NEW
my_drop    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:25 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:110 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:22 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:37 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:3128 state NEW
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
my_drop    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            172.28.0.16         tcp dpt:1249
ACCEPT     tcp  --  0.0.0.0/0            192.168.171.253     tcp dpt:25
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:1194 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:1723 state NEW
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0           state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:25 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:25 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:6277 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:2703 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:22 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:446 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpts:20:21 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:443 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:37 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:1494 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:8000 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpts:1000:1004 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:6667 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:3000 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:866 state NEW
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
my_drop    all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:25 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:25 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:25 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:6277 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:2703 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:110 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:22 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:22 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:22 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:446 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpts:20:21 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.4       tcp spts:1024:65535 dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.4       tcp spts:1024:65535 dpt:443 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:53 state NEW
ACCEPT     udp  --  0.0.0.0/0            134.130.4.17        udp spts:1024:65535 dpt:37 state NEW
ACCEPT     udp  --  0.0.0.0/0            130.149.17.21       udp spts:1024:65535 dpt:37 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:43 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:113 state NEW
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
my_drop    all  --  0.0.0.0/0            0.0.0.0/0

Chain my_drop (7 references)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:4661:4662 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4665 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1214 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:137:139 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 reject-with icmp-port-unreachable
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-TCP-SYN '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 reject-with tcp-reset
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-TCP '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-UDP '
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
DROP       udp  --  0.0.0.0/0            0.0.0.0/0
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `DROP-ICMP '
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-PROTO-ETC '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Best Regards
Marcus
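Added example (editor's code, not Marcus's and not part of iptables): a small Python audit script for `iptables -nL` output pasted into a mail. It re-joins rule lines that the mail client wrapped, then reports, per chain, rules that accept everything ("wide-open"), rules that an earlier broader rule already matches ("shadowed", so they can never fire), and exact duplicates. The embedded sample is an excerpt of the FORWARD chain from the post; the Rule fields, the names parse/audit/covers and the coverage heuristic are the editor's own assumptions, not iptables semantics in full.

```python
"""Audit `iptables -nL` output that was wrapped by a mail client.
Added example, not part of the original post or of iptables."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the FORWARD chain from the post, with the
# wrapping a mail client introduces (a continuation line never starts with
# "<target> <proto> --").
SAMPLE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.171.253     tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
spts:1024:65535 dpt:25 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
spts:1024:65535 dpt:3000 state NEW
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
my_drop    all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# target, protocol (name or number), opt column (--, -f, !f), source, destination, rest
RULE_RE = re.compile(r"^(\S+)\s+(all|tcp|udp|icmp|\d+)\s+(--|-f|!f)\s+(\S+)\s+(\S+)\s*(.*)$")
STATE_RE = re.compile(r"\bstate (\S+)")
ANY = "0.0.0.0/0"


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    src: str
    dst: str
    extra: str  # match text after the destination column, re-joined


def parse(text):
    """Parse -nL output into Rule objects, re-joining wrapped lines."""
    rules, chain, cur = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("target "):
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain, cur = m.group(1), None
            continue
        m = RULE_RE.match(line)
        if m:
            target, proto, _opt, src, dst, extra = m.groups()
            cur = Rule(chain, target, proto, src, dst, extra.strip())
            rules.append(cur)
        elif cur is not None:  # wrapped continuation of the previous rule
            cur.extra = (cur.extra + " " + line).strip()
    return rules


def states(rule):
    """Conntrack states the rule matches, or None when it ignores state."""
    m = STATE_RE.search(rule.extra)
    return set(m.group(1).split(",")) if m else None


def other_matches(rule):
    """Match text left after removing the state and protocol words
    (ports, TCP flags, ICMP types). Empty means no further restriction."""
    rest = STATE_RE.sub("", rule.extra)
    rest = re.sub(r"^(tcp|udp|icmp)\b", "", rest)
    return rest.strip()


def covers(earlier, later):
    """True if every packet `later` matches is already matched by `earlier`.
    Conservative heuristic: only the columns, the state match and the
    absence of any other match on `earlier` are compared."""
    if earlier.proto not in ("all", later.proto):
        return False
    if earlier.src not in (ANY, later.src) or earlier.dst not in (ANY, later.dst):
        return False
    if (earlier.proto, earlier.extra) == (later.proto, later.extra):
        return True  # identical match text
    es, ls = states(earlier), states(later)
    if es is not None and (ls is None or not ls <= es):
        return False
    return other_matches(earlier) == ""


def is_wide_open(rule):
    """An ACCEPT for every protocol, source and destination that either
    ignores conntrack state or admits NEW connections."""
    st = states(rule)
    return (rule.target == "ACCEPT" and rule.proto == "all"
            and rule.src == ANY and rule.dst == ANY
            and other_matches(rule) == "" and (st is None or "NEW" in st))


def audit(rules):
    """Return (chain, index, kind, index_of_covering_rule_or_None) findings."""
    findings = []
    for i, r in enumerate(rules):
        if is_wide_open(r):
            findings.append((r.chain, i, "wide-open", None))
        for j in range(i):
            e = rules[j]
            if e.chain == r.chain and covers(e, r):
                same = (e.proto, e.src, e.dst, e.extra) == (r.proto, r.src, r.dst, r.extra)
                findings.append((r.chain, i, "duplicate" if same else "shadowed", j))
                break
    return findings


if __name__ == "__main__":
    rules = parse(SAMPLE)
    for chain, i, kind, j in audit(rules):
        r = rules[i]
        by = f" (by rule {j}: {rules[j].target} {rules[j].proto} {rules[j].extra})" if j is not None else ""
        print(f"{chain} rule {i}: {kind}: {r.target} {r.proto} {r.src} -> {r.dst} {r.extra}{by}")
```

On the sample this reports the `ACCEPT all ... state NEW` rule as wide-open, the `dpt:3000` rule after it as shadowed, and the second `icmp type 8` rule as a duplicate. Applied to the full FORWARD chain above, the same wide-open rule means every NEW connection is forwarded regardless of the rules after it, so the chain's DROP policy effectively only reaches packets that `my_drop` handles. One caveat when reading `iptables -nL`: it does not print the in/out interface columns, so a rule that looks wide open here may in fact be limited with `-i`/`-o` to the internal device the thread is about; `iptables -nvL` or `iptables-save` shows that match.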