[CentOS] iptables: forwarding on internal device

Sat Feb 7 07:43:04 UTC 2009
Marcus Moeller <mm at gcug.de>

Dear Joshua.

> You are going to have to add rules to both your INPUT and OUTPUT
> chains to allow this traffic through. Could you send on a copy of
> /etc/sysconfig/iptables, if that is how you are loading these rules?
> I could then send you the exact commands to run.
>

I am not sure why I should add input and output rules if I want to
forward packages through a device but I can give it a try.

Btw. I am using service iptables save at the bottom of my script to  
store the rules.

Best Regards
Marcus


> Josh
>
>
> On Fri, Feb 6, 2009 at 1:57 PM, Marcus Moeller <mm at gcug.de> wrote:
>> Hi Again.
>>> Iptables -nL
>>>
>>> Show?
>>
>> Here is the complete output (there are a lot of other rules active on
>> that machine):
>>
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> my_drop    all  --  10.0.0.0/8           0.0.0.0/0
>> my_drop    all  --  172.16.0.0/12        0.0.0.0/0
>> my_drop    all  --  192.168.0.0/16       0.0.0.0/0
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
>> RELATED,ESTABLISHED
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:22 state NEW
>> my_drop    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp  
>> flags:0x17/0x02
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:25 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:110 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:22 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> spts:1024:65535 dpt:53 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> spts:1024:65535 dpt:53 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> spts:1024:65535 dpt:37 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:3128 state NEW
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp  
>> type 0
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp  
>> type 8
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp  
>> type 8
>> my_drop    all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
>> RELATED,ESTABLISHED
>> ACCEPT     tcp  --  0.0.0.0/0            172.28.0.16         tcp  
>> dpt:1249
>> ACCEPT     tcp  --  0.0.0.0/0            192.168.171.253     tcp  
>> dpt:25
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> spts:1024:65535 dpt:1194 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:1723 state NEW
>> ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0           state  
>> NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:25 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:443 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:25 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> spts:1024:65535 dpt:6277 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:2703 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:22 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:446 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpts:20:21 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:80 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:443 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> spts:1024:65535 dpt:53 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> spts:1024:65535 dpt:37 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:1494 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:8000 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpts:1000:1004 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:6667 state NEW
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state  
>> NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:3000 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:866 state NEW
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp  
>> type 0
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp  
>> type 8
>> my_drop    all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain OUTPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
>> RELATED,ESTABLISHED
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:25 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:25 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:25 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> spts:1024:65535 dpt:6277 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:2703 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:110 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:22 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:22 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:22 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:446 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpts:20:21 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:80 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            192.168.100.4       tcp
>> spts:1024:65535 dpt:80 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:443 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            192.168.100.4       tcp
>> spts:1024:65535 dpt:443 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> dpt:53 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> spts:1024:65535 dpt:53 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:53 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            134.130.4.17        udp
>> spts:1024:65535 dpt:37 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            130.149.17.21       udp
>> spts:1024:65535 dpt:37 state NEW
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> dpt:123 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:43 state NEW
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> spts:1024:65535 dpt:113 state NEW
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp  
>> type 8
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp  
>> type 0
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp  
>> type 0
>> my_drop    all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain my_drop (7 references)
>> target     prot opt source               destination
>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> dpts:4661:4662 reject-with icmp-port-unreachable
>> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> dpt:4665 reject-with icmp-port-unreachable
>> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> dpt:1214 reject-with icmp-port-unreachable
>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> dpts:137:139 reject-with icmp-port-unreachable
>> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
>> dpts:137:139 reject-with icmp-port-unreachable
>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> flags:0x17/0x02 limit: avg 10/min burst 5 LOG flags 0 level 6 prefix
>> `DROP-TCP-SYN '
>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
>> flags:0x17/0x02 reject-with tcp-reset
>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp  
>> flags:0x17/0x02
>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit:
>> avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-TCP '
>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0
>> reject-with tcp-reset
>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0
>> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit:
>> avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-UDP '
>> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0
>> reject-with icmp-port-unreachable
>> DROP       udp  --  0.0.0.0/0            0.0.0.0/0
>> LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG  
>> flags
>> 0 level 6 prefix `DROP-ICMP '
>> DROP       icmp --  0.0.0.0/0            0.0.0.0/0
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit:
>> avg 10/min burst 5 LOG flags 0 level 6 prefix `DROP-PROTO-ETC '
>> REJECT     all  --  0.0.0.0/0            0.0.0.0/0
>> reject-with icmp-proto-unreachable
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Best Regards
>> Marcus
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>
>
>
> -- 
> Thx
> Joshua Gimer
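Marcus's doubt is the right instinct: a packet that is routed through the box (once net.ipv4.ip_forward is enabled) is judged only by the FORWARD chain, while INPUT and OUTPUT see traffic addressed to or originating from the firewall itself. The script below is an added example, not code from this thread or from CentOS; it parses a constructed `iptables -nL` listing modelled on the one Marcus posted and walks it the way the kernel does (first match wins, user-defined chains such as my_drop fall back to the caller, LOG does not terminate). The names parse_listing, walk, decide, Packet, the sample addresses and the three traffic paths are this example's own assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample, modelled on the thread's listing with the mail-client
# line wrapping undone; it is not a capture of the original machine.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:22 state NEW
my_drop    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.171.253     tcp dpt:25
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:1194 state NEW
my_drop    all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain my_drop (3 references)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:137:139 reject-with icmp-port-unreachable
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `DROP '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

Rule = namedtuple("Rule", "target prot src dst dports states")   # dports=(lo, hi) or None; states=set or None
Packet = namedtuple("Packet", "proto src dst dport state", defaults=["NEW"])
CHAIN_HDR = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")

def parse_listing(text):
    """Map chain name -> {'policy': str|None, 'rules': [Rule]} from `iptables -nL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_HDR.match(line)
        if m:                                   # built-in chains carry a policy, user chains do not
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue                            # blank line or column header
        parts = line.split(None, 5)
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        m = re.search(r"\bdpts?:(\d+)(?::(\d+))?", extra)
        dports = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else None
        m = re.search(r"\bstate (\S+)", extra)
        states = frozenset(m.group(1).split(",")) if m else None
        current["rules"].append(Rule(target, prot, ipaddress.ip_network(src),
                                     ipaddress.ip_network(dst), dports, states))
    return chains

def matches(rule, pkt):
    """Simplified match on protocol, networks, destination port range and conntrack state.
    Interface (-i/-o) matches are not printed by `iptables -nL`, so they cannot be modelled here."""
    return ((rule.prot == "all" or rule.prot == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dports is None or rule.dports[0] <= pkt.dport <= rule.dports[1])
            and (rule.states is None or pkt.state in rule.states))

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def walk(chains, name, pkt):
    """Return (verdict, deciding chain); None when a user-defined chain falls through."""
    chain = chains[name]
    for rule in chain["rules"]:
        if not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, name
        if rule.target == "RETURN":
            break
        if rule.target in chains:               # jump; resume here if the user chain falls through
            verdict = walk(chains, rule.target, pkt)
            if verdict:
                return verdict
        # LOG and other non-terminating targets: evaluation continues with the next rule
    return (chain["policy"], name) if chain["policy"] else None

# Which built-in chain the kernel consults for each path a packet can take.
HOOK = {"to the firewall": "INPUT", "from the firewall": "OUTPUT", "routed through": "FORWARD"}

def decide(chains, path, pkt):
    return walk(chains, HOOK[path], pkt)

if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    smtp = Packet("tcp", "10.1.2.3", "192.168.171.253", 25)
    for path in HOOK:
        print(f"SMTP {smtp.src} -> {smtp.dst}, {path}: {decide(chains, path, smtp)}")
```

Running it shows the same SMTP packet rejected by INPUT, accepted by OUTPUT and accepted by FORWARD, which is why adding INPUT and OUTPUT rules does not change what happens to forwarded traffic. The model deliberately ignores source-port matches, the nat table and interface matches; since `iptables -nL` never prints `-i`/`-o` constraints, the practical next checks on the real box are `iptables -nvL FORWARD` (interfaces and per-rule packet counters) and `cat /proc/sys/net/ipv4/ip_forward`, which must read 1 before the FORWARD chain sees any routed packet at all.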