
Monday, October 10, 2005

Re: Masquerade doesn't work

These are my iptables rules.
-----------------------------------------------------------------------------------------------------------

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
eth0_in all -- 0.0.0.0/0 0.0.0.0/0
eth1_in all -- 0.0.0.0/0 0.0.0.0/0
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:INPUT:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- 0.0.0.0/0 0.0.0.0/0
eth1_fwd all -- 0.0.0.0/0 0.0.0.0/0
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:FORWARD:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
fw2net all -- 0.0.0.0/0 0.0.0.0/0
fw2loc all -- 0.0.0.0/0 0.0.0.0/0
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:OUTPUT:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0

Chain AllowICMPs (2 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
code 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11

Chain Drop (1 references)
target prot opt source destination
RejectAuth all -- 0.0.0.0/0 0.0.0.0/0
dropBcast all -- 0.0.0.0/0 0.0.0.0/0
AllowICMPs icmp -- 0.0.0.0/0 0.0.0.0/0
dropInvalid all -- 0.0.0.0/0 0.0.0.0/0
DropSMB all -- 0.0.0.0/0 0.0.0.0/0
DropUPnP all -- 0.0.0.0/0 0.0.0.0/0
dropNotSyn tcp -- 0.0.0.0/0 0.0.0.0/0
DropDNSrep all -- 0.0.0.0/0 0.0.0.0/0

Chain DropDNSrep (2 references)
target prot opt source destination
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53

Chain DropSMB (1 references)
target prot opt source destination
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:135
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp
dpts:137:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

Chain DropUPnP (2 references)
target prot opt source destination
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900

Chain Reject (5 references)
target prot opt source destination
RejectAuth all -- 0.0.0.0/0 0.0.0.0/0
dropBcast all -- 0.0.0.0/0 0.0.0.0/0
AllowICMPs icmp -- 0.0.0.0/0 0.0.0.0/0
dropInvalid all -- 0.0.0.0/0 0.0.0.0/0
RejectSMB all -- 0.0.0.0/0 0.0.0.0/0
DropUPnP all -- 0.0.0.0/0 0.0.0.0/0
dropNotSyn tcp -- 0.0.0.0/0 0.0.0.0/0
DropDNSrep all -- 0.0.0.0/0 0.0.0.0/0

Chain RejectAuth (2 references)
target prot opt source destination
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113

Chain RejectSMB (1 references)
target prot opt source destination
reject udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:135
reject udp -- 0.0.0.0/0 0.0.0.0/0 udp
dpts:137:139
reject udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

Chain all2all (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:all2all:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0

Chain all2fw (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:all2fw:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =
broadcast
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =
multicast

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:!0x16/0x02

Chain dynamic (4 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state
INVALID,NEW
smurfs all -- 0.0.0.0/0 0.0.0.0/0 state
INVALID,NEW
norfc1918 all -- 0.0.0.0/0 0.0.0.0/0 state NEW
tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0
net2loc all -- 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state
INVALID,NEW
smurfs all -- 0.0.0.0/0 0.0.0.0/0 state
INVALID,NEW
norfc1918 all -- 0.0.0.0/0 0.0.0.0/0 state NEW
tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0
net2fw all -- 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state
INVALID,NEW
tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0
loc2net all -- 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state
INVALID,NEW
tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0
loc2fw all -- 0.0.0.0/0 0.0.0.0/0

Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
all2all all -- 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (0 references)
target prot opt source destination

Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
all2fw all -- 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
all2all all -- 0.0.0.0/0 0.0.0.0/0

Chain logflags (5 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 4
level 6 prefix `Shorewall:logflags:DROP:'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain net2all (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
Drop all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:net2all:DROP:'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
net2all all -- 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
net2all all -- 0.0.0.0/0 0.0.0.0/0

Chain norfc1918 (2 references)
target prot opt source destination
rfc1918 all -- 172.16.0.0/12 0.0.0.0/0
rfc1918 all -- 0.0.0.0/0 0.0.0.0/0 ctorigdst
172.16.0.0/12
rfc1918 all -- 192.168.0.0/16 0.0.0.0/0
rfc1918 all -- 0.0.0.0/0 0.0.0.0/0 ctorigdst
192.168.0.0/16
rfc1918 all -- 10.0.0.0/8 0.0.0.0/0
rfc1918 all -- 0.0.0.0/0 0.0.0.0/0 ctorigdst
10.0.0.0/8

Chain reject (12 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =
broadcast
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =
multicast
DROP all -- 117.13.10.255 0.0.0.0/0
DROP all -- 192.168.61.255 0.0.0.0/0
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with
tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-host-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-host-prohibited

Chain rfc1918 (6 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:rfc1918:DROP:'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (2 references)
target prot opt source destination
LOG all -- 117.13.10.255 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 117.13.10.255 0.0.0.0/0
LOG all -- 192.168.61.255 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 192.168.61.255 0.0.0.0/0
LOG all -- 255.255.255.255 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 0.0.0.0/0
LOG all -- 224.0.0.0/4 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 224.0.0.0/4 0.0.0.0/0

Chain tcpflags (4 references)
target prot opt source destination
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x3F/0x29
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x3F/0x00
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x06/0x06
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x03/0x03
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:0
flags:0x16/0x02

-----------------------------------------------------------------------------------------------------------------------------

Robert Buchinger wrote:

>hmm maybe its better to tell us what iptables -t nat -L says if you use
>masquerading
>
>rb
>
>
>Dexter wrote:
>
>>#cat /proc/sys/net/ipv4/ip_forward
>>1
>>
>>I'm not seting remote access to firewall, so I can't past output of
>>iptables -nL command. Do you know, what should I look for?
>>
>>Dexter
>>
>>>-----Original Message-----
>>>From: Dexter [mailto:dexter@madalbal.sk]
>>>Sent: Monday, October 10, 2005 7:31 PM
>>>To: 'debian-firewall@lists.debian.org'
>>>Subject: Masquerade doesn't work
>>>
>>>Hello,
>>>I've installed Debian Sarge (just basic system packages). I'm
>>>trying to setup Shorewall firewall on it. My problem is, that
>>>Masquerade is not working. That is:
>>>-I can ping from local system to firewall -I can ping from
>>>firewall to Internet -I can NOT ping from local system to
>>>Internet When I run:
>>>#tcpdump -i eth0 icmp
>>>which will listen for icmp packed on my external interface.
>>>And I ping from local system to internet.
>>>I can see outgoing echo request packages, BUT with source
>>>address of local system. So no reply can come back to me. Now
>>>it's clear, that problem is masquerading.
>>>I've set up also /etc/shorewall/masq:
>>>----------
>>>eth0 eth1
>>>---------
>>>What did I miss? I have no idea, what is wrong.
>>>Thanks for reply.
>>> Dexter
>>>
>>
>

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
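An added example, not code from the thread or from Shorewall, that checks offline the two things the replies ask about: the value of /proc/sys/net/ipv4/ip_forward and whether the nat table's POSTROUTING chain masquerades packets leaving eth0. It assumes the listing came from `iptables -t nat -L -n -v` (the `-n -v` flags are needed so the out-interface column appears), and the 192.168.61.0/24 subnet for eth1 is an assumption drawn from the broadcast address in the poster's smurfs chain.

```python
# Added example, not code from the thread: parse `iptables -t nat -L -n -v` output
# and check the two prerequisites for masquerading that the replies ask about.

# Constructed nat-table listing (POSTROUTING only) with no masquerade rule: the
# state that matches the symptom described (LAN source address seen on eth0).
NAT_WITHOUT_MASQ = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed listing for a working "eth0 eth1" masq entry. 192.168.61.0/24 is
# an assumed eth1 subnet, inferred from the broadcast address in the smurfs chain.
NAT_WITH_MASQ = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   912 MASQUERADE  all  --  *      eth0    192.168.61.0/24      0.0.0.0/0
"""

def parse_nat_table(text):
    """Return {chain: [rule, ...]}, one dict per rule row of the -v listing."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or column header
        pkts, _, target, prot, _, ifin, ifout, src, dst = cols[:9]
        chains[current].append({"target": target, "prot": prot, "in": ifin, "out": ifout,
                                "src": src, "dst": dst, "pkts": int(pkts)})
    return chains

def masq_rules(chains, out_iface):
    """POSTROUTING rules that rewrite the source of packets leaving out_iface."""
    return [r for r in chains.get("POSTROUTING", [])
            if r["target"] in ("MASQUERADE", "SNAT") and r["out"] in (out_iface, "*")]

def diagnose(nat_output, ip_forward, out_iface="eth0"):
    """Return findings as strings; an empty list means both prerequisites hold."""
    findings = []
    if ip_forward.strip() != "1":  # contents of /proc/sys/net/ipv4/ip_forward
        findings.append("ip_forward is not 1: the kernel will not forward LAN packets")
    rules = masq_rules(parse_nat_table(nat_output), out_iface)
    if not rules:
        findings.append(f"no MASQUERADE/SNAT rule for packets leaving {out_iface}")
    elif all(r["pkts"] == 0 for r in rules):
        findings.append(f"masquerade rule for {out_iface} exists but has matched no packets")
    return findings
```

A rule with a zero packet counter is reported separately because it means the rule is present but traffic is not reaching it, which points at the filter FORWARD path rather than at the masq entry itself.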
