Re: [CentOS] iptables: forwarding on internal device

Hi Again.

Iptables -nL

Show?

Here is the complete output (there are a lot of other rules active on that machine):

Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 my_drop all -- 10.0.0.0/8 0.0.0.0/0 my_drop all -- 172.16.0.0/12 0.0.0.0/0 my_drop all -- 192.168.0.0/16 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW my_drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:110 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:37 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:3128 state NEW ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 my_drop all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 172.28.0.16 tcp dpt:1249 ACCEPT tcp -- 0.0.0.0/0 192.168.171.253 tcp dpt:25 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:1194 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:1723 state NEW ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:6277 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:2703 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:446 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:20:21 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:37 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:1494 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8000 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1000:1004 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:6667 state NEW ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:3000 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:866 state NEW ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 my_drop all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:6277 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:2703 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:110 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:446 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:20:21 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80 state NEW ACCEPT tcp -- 0.0.0.0/0 192.168.100.4 tcp spts:1024:65535 dpt:80 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443 state NEW ACCEPT tcp -- 0.0.0.0/0 192.168.100.4 tcp spts:1024:65535 dpt:443 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW ACCEPT udp -- 0.0.0.0/0 134.130.4.17 udp spts:1024:65535 dpt:37 state NEW ACCEPT udp -- 0.0.0.0/0 130.149.17.21 udp spts:1024:65535 dpt:37 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:43 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:113 state NEW ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 my_drop all -- 0.0.0.0/0 0.0.0.0/0

Chain my_drop (7 references) target prot opt source destination REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:4661:4662 reject-with icmp-port-unreachable REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4665 reject-with icmp-port-unreachable REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1214 reject-with icmp-port-unreachable REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139 reject-with icmp-port-unreachable REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-TCP-SYN ' REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 reject-with tcp-reset DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-TCP ' REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset DROP tcp -- 0.0.0.0/0 0.0.0.0/0 LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-UDP ' REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable DROP udp -- 0.0.0.0/0 0.0.0.0/0 LOG icmp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `DROP-ICMP ' DROP icmp -- 0.0.0.0/0 0.0.0.0/0 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-PROTO-ETC ' REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable DROP all -- 0.0.0.0/0 0.0.0.0/0

Best Regards Marcus