Arno Firewall question: Internal PCs can't get to IP-forwarded service/webserver

Post by Stephen Hurrel » Thu, 01 May 2003 06:13:52
Hello.

I use arno's iptables firewall on a Debian 2.4.20 (woody) firewall PC.
See: http://freshmeat.net/projects/iptables-firewall/?topic_id=151
      http://rocky.molphys.leidenuniv.nl/

This system works great except for internal network PCs that want to
access ip forwarded services (e.g. an internal webserver) on another
internal server in the same subnet. From the outside everything is
great, firewalling, ip forwarding, masq'ing, etc is all perfect except
for this one problem on the inside.

I am running Arno's 173RC2 and had no luck running the 180 (latest)
release.

More Detail:

I have a firewall/Debian box that is the gateway for my internal network
192.168.0.0/21 that connects to a DSL line. From the outside or the
firewall I can get to an internal web server at 192.168.1.254 or
http://<my site>:8081. But if I attempt to browse this URL from within
my network on some other IP (e.g. 192.168.1.123) it fails with a
"connection refused" message. Eth0 is the external interface and eth1 is
the internal.

I understand that this is a D/SNAT issue or perhaps something
interesting with DNS can be done to fix this but I can't seem to figure
it out. I am in contact with the author Arno but he is also busy and I
need help with this last small problem a.s.a.p.

iptables -L follows; only the external IP & domain name have been removed.
Other details upon request.

Thanks Folks
Stephen

prd1:/tmp# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  192.168.0.0/24       anywhere           limit: avg
3/min burst 5 LOG level info prefix `Spoofed (modem) packet: '
DROP       all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  anywhere             192.168.0.1
LOG        all  --  anywhere             anywhere           limit: avg
1/sec burst 5 LOG level info prefix `Dropped MODEM packet: '
DROP       all  --  anywhere             anywhere
LOG        all  --  192.168.0.0/21       anywhere           limit: avg
3/min burst 5 LOG level info prefix `Spoofed packet: '
DROP       all  --  192.168.0.0/21       anywhere
LOG        icmp --  anywhere             anywhere           state
INVALID limit: avg 3/min burst 2 LOG level info prefix `INVALID INPUT
packet: '
LOG       !icmp --  anywhere             anywhere           state
INVALID limit: avg 3/min burst 2 LOG level info prefix `INVALID INPUT
packet: '
DROP       all  --  anywhere             anywhere           state INVALID
HOST_BLOCK  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state
ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       udp  --  0.0.0.0              255.255.255.255    udp
spt:bootpc dpt:bootps
VALID_CHECK  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED
EXTIF_CHECK !icmp --  anywhere             anywhere           state NEW
EXTIF_CHECK  icmp --  anywhere             anywhere           state NEW
limit: avg 10/sec burst 50
LOG        icmp --  anywhere             anywhere           icmp
echo-request limit: avg 12/hour burst 1 LOG level info prefix `ICMP
flood: '
LOG        all  --  anywhere             anywhere           limit: avg
1/sec burst 5 LOG level info prefix `Dropped INPUT packet: '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere           tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
LOG        icmp --  anywhere             anywhere           state
INVALID limit: avg 3/min burst 2 LOG level info prefix `INVALID FORWARD
packet: '
LOG       !icmp --  anywhere             anywhere           state
INVALID limit: avg 3/min burst 2 LOG level info prefix `INVALID FORWARD
packet: '
DROP       all  --  anywhere             anywhere           state INVALID
HOST_BLOCK  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state
ESTABLISHED
VALID_CHECK  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED
RESERVED_NET_CHECK  all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/21       anywhere           state NEW
DROP       tcp  --  anywhere             anywhere           tcp dpt:www
flags:!SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:www
flags:SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere           tcp dpt:www
flags:!SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:www
flags:SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere           tcp
dpt:z3950 flags:!SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpt:z3950 flags:SYN,RST,ACK/SYN state NEW
LOG        all  --  anywhere             anywhere           limit: avg
1/sec burst 5 LOG level info prefix `Dropped FORWARD packet: '
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere           tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
HOST_BLOCK  all  --  anywhere             anywhere
LOG        all  -f  anywhere             anywhere           limit: avg
3/min burst 5 LOG level info prefix `FRAGMENTED PACKET (OUT): '
DROP       all  -f  anywhere             anywhere

Chain EXTIF_CHECK (2 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere           tcp dpt:0
limit: avg 1/hour burst 1 LOG level info prefix `TCP port 0 OS
fingerprint: '
LOG        udp  --  anywhere             anywhere           udp dpt:0
limit: avg 1/hour burst 1 LOG level info prefix `UDP port 0 OS
fingerprint: '
DROP       tcp  --  anywhere             anywhere           tcp dpt:0
DROP       udp  --  anywhere             anywhere           udp dpt:0
ACCEPT    !icmp --  localnet/24          anywhere
ACCEPT     icmp --  localnet/24          anywhere           icmp
destination-unreachable limit: avg 10/sec burst 5
ACCEPT     icmp --  localnet/24          anywhere           icmp
source-quench limit: avg 10/sec burst 5
ACCEPT     icmp --  localnet/24          anywhere           icmp
time-exceeded limit: avg 10/sec burst 5
ACCEPT     icmp --  localnet/24          anywhere           icmp
parameter-problem limit: avg 10/sec burst 5
ACCEPT     icmp --  localnet/24          anywhere           icmp
echo-request limit: avg 5/sec burst 5
ACCEPT     icmp --  localnet/24          anywhere           icmp
echo-reply limit: avg 5/sec burst 5
ACCEPT     udp  --  prd1.tbpl.org        anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  h.root-servers.net   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  c.root-servers.net   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  G.ROOT-SERVERS.NET   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  f.root-servers.net   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  b.root-servers.net   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  j.root-servers.net   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  k.root-servers.net   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  l.root-servers.net   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  m.root-servers.net   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  i.root-servers.net   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  E.ROOT-SERVERS.NET   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  d.root-servers.net   anywhere           udp
spt:domain dpt:domain
ACCEPT     udp  --  a.root-servers.net   anywhere           udp
spt:domain dpt:domain
LOG        icmp --  anywhere             anywhere           limit: avg
3/min burst 1 LOG level info prefix `Dropped ICMP packet: '
RESERVED_NET_CHECK  all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere           tcp dpt:ssh
flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere           tcp dpt:smtp
flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere           tcp dpt:www
flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:www
flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere           tcp dpt:pop3
flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere           tcp
dpt:imap2 flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpt:imap2 flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere           tcp
dpt:z3950 flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpt:z3950 flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere           tcp
dpt:https flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpt:https flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere           tcp
dpt:10000 flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpt:10000 flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere           tcp
spts:ftp-data:9999 dpts:1024:65535 flags:!SYN,RST,ACK/SYN limit: avg
10/sec burst 50
DROP       udp  --  anywhere             anywhere           udp
spts:20:9999 dpts:1024:65535 limit: avg 10/sec burst 50
LOG        tcp  --  anywhere             anywhere           tcp
spts:ftp-data:9999 dpts:1024:65535 flags:!SYN,RST,ACK/SYN limit: avg
6/hour burst 1 LOG level info prefix `Lost TCP connection flood?: '
LOG        udp  --  anywhere             anywhere           udp
spts:20:9999 dpts:1024:65535 limit: avg 6/hour burst 1 LOG level info
prefix `Lost UDP connection flood?: '
DROP       tcp  --  anywhere             anywhere           tcp
spts:ftp-data:9999 dpts:1024:65535 flags:!SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere           udp
spts:20:9999 dpts:1024:65535
LOG        tcp  --  anywhere             anywhere           tcp
dpts:1024:65535 flags:!SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG
level info prefix `Stealth scan (UNPRIV)?: '
LOG        tcp  --  anywhere             anywhere           tcp
dpts:0:1023 flags:!SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level
info prefix `Stealth scan (PRIV)?: '
DROP       tcp  --  anywhere             anywhere           tcp
flags:!SYN,RST,ACK/SYN
LOG        tcp  --  anywhere             anywhere           tcp
dpts:0:1023 limit: avg 2/min burst 2 LOG level info prefix `Connection
attempt (PRIV): '
LOG        udp  --  anywhere             anywhere           udp
dpts:0:1023 limit: avg 2/min burst 2 LOG level info prefix `Connection
attempt (PRIV): '
LOG        tcp  --  anywhere             anywhere           tcp
dpts:1024:65535 limit: avg 1/min burst 1 LOG level info prefix
`Connection attempt (UNPRIV): '
LOG        udp  --  anywhere             anywhere           udp
dpts:1024:65535 limit: avg 1/min burst 1 LOG level info prefix
`Connection attempt (UNPRIV): '
DROP       tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere
DROP       icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           limit: avg
1/min burst 5 LOG level info prefix `Other-IP connection attempt: '
DROP       all  --  anywhere             anywhere

Chain HOST_BLOCK (3 references)
target     prot opt source               destination

Chain RESERVED_NET_CHECK (2 references)
target     prot opt source               destination
LOG        all  --  10.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Class A address: '
LOG        all  --  172.16.0.0/12        anywhere           limit: avg
1/min burst 1 LOG level info prefix `Class B address: '
LOG        all  --  192.168.0.0/16       anywhere           limit: avg
1/min burst 1 LOG level info prefix `Class C address: '
LOG        all  --  169.254.0.0/16       anywhere           limit: avg
1/min burst 1 LOG level info prefix `Class M$ address: '
LOG        all  --  0.0.0.0/8            anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  1.0.0.0/8            anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  2.0.0.0/8            anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  5.0.0.0/8            anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  7.0.0.0/8            anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  23.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  27.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  31.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  36.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  37.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  39.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  41.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  42.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  58.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  59.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  60.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  70.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  71.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  72.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  73.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  74.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  75.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  76.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  77.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  78.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  79.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  83.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  84.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  85.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  86.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  87.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  88.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  89.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  90.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  91.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  92.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  93.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  94.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  95.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  96.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  97.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  98.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  99.0.0.0/8           anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  100.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  101.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  102.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  103.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  104.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  105.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  106.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  107.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  108.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  109.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  110.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  111.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  112.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  113.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  114.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  115.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  116.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  117.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  118.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  119.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  120.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  121.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  122.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  123.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  124.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  125.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  126.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  127.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  197.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  222.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  223.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  BASE-ADDRESS.MCAST.NET/8  anywhere           limit:
avg 1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  225.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  226.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  227.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  reserved-multicast-range-NOT-delegated.example.com/8
  anywhere           limit: avg 1/min burst 1 LOG level info prefix
`Reserved address: '
LOG        all  --  229.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  reserved-multicast-range-NOT-delegated.example.com/8
  anywhere           limit: avg 1/min burst 1 LOG level info prefix
`Reserved address: '
LOG        all  --  reserved-multicast-range-NOT-delegated.example.com/8
  anywhere           limit: avg 1/min burst 1 LOG level info prefix
`Reserved address: '
LOG        all  --  232.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  233.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  234.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  235.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  236.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  237.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  238.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  239.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  240.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  241.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  242.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  243.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  244.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  245.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  246.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  247.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  248.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  249.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  250.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  251.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  252.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  253.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  254.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
LOG        all  --  255.0.0.0/8          anywhere           limit: avg
1/min burst 1 LOG level info prefix `Reserved address: '
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  169.254.0.0/16       anywhere
DROP       all  --  0.0.0.0/8            anywhere
DROP       all  --  1.0.0.0/8            anywhere
DROP       all  --  2.0.0.0/8            anywhere
DROP       all  --  5.0.0.0/8            anywhere
DROP       all  --  7.0.0.0/8            anywhere
DROP       all  --  23.0.0.0/8           anywhere
DROP       all  --  27.0.0.0/8           anywhere
DROP       all  --  31.0.0.0/8           anywhere
DROP       all  --  36.0.0.0/8           anywhere
DROP       all  --  37.0.0.0/8           anywhere
DROP       all  --  39.0.0.0/8           anywhere
DROP       all  --  41.0.0.0/8           anywhere
DROP       all  --  42.0.0.0/8           anywhere
DROP       all  --  58.0.0.0/8           anywhere
DROP       all  --  59.0.0.0/8           anywhere
DROP       all  --  60.0.0.0/8           anywhere
DROP       all  --  70.0.0.0/8           anywhere
DROP       all  --  71.0.0.0/8           anywhere
DROP       all  --  72.0.0.0/8           anywhere
DROP       all  --  73.0.0.0/8           anywhere
DROP       all  --  74.0.0.0/8           anywhere
DROP       all  --  75.0.0.0/8           anywhere
DROP       all  --  76.0.0.0/8           anywhere
DROP       all  --  77.0.0.0/8           anywhere
DROP       all  --  78.0.0.0/8           anywhere
DROP       all  --  79.0.0.0/8           anywhere
DROP       all  --  83.0.0.0/8           anywhere
DROP       all  --  84.0.0.0/8           anywhere
DROP       all  --  85.0.0.0/8           anywhere
DROP       all  --  86.0.0.0/8           anywhere
DROP       all  --  87.0.0.0/8           anywhere
DROP       all  --  88.0.0.0/8           anywhere
DROP       all  --  89.0.0.0/8           anywhere
DROP       all  --  90.0.0.0/8           anywhere
DROP       all  --  91.0.0.0/8           anywhere
DROP       all  --  92.0.0.0/8           anywhere
DROP       all  --  93.0.0.0/8           anywhere
DROP       all  --  94.0.0.0/8           anywhere
DROP       all  --  95.0.0.0/8           anywhere
DROP       all  --  96.0.0.0/8           anywhere
DROP       all  --  97.0.0.0/8           anywhere
DROP       all  --  98.0.0.0/8           anywhere
DROP       all  --  99.0.0.0/8           anywhere
DROP       all  --  100.0.0.0/8          anywhere
DROP       all  --  101.0.0.0/8          anywhere
DROP       all  --  102.0.0.0/8          anywhere
DROP       all  --  103.0.0.0/8          anywhere
DROP       all  --  104.0.0.0/8          anywhere
DROP       all  --  105.0.0.0/8          anywhere
DROP       all  --  106.0.0.0/8          anywhere
DROP       all  --  107.0.0.0/8          anywhere
DROP       all  --  108.0.0.0/8          anywhere
DROP       all  --  109.0.0.0/8          anywhere
DROP       all  --  110.0.0.0/8          anywhere
DROP       all  --  111.0.0.0/8          anywhere
DROP       all  --  112.0.0.0/8          anywhere
DROP       all  --  113.0.0.0/8          anywhere
DROP       all  --  114.0.0.0/8          anywhere
DROP       all  --  115.0.0.0/8          anywhere
DROP       all  --  116.0.0.0/8          anywhere
DROP       all  --  117.0.0.0/8          anywhere
DROP       all  --  118.0.0.0/8          anywhere
DROP       all  --  119.0.0.0/8          anywhere
DROP       all  --  120.0.0.0/8          anywhere
DROP       all  --  121.0.0.0/8          anywhere
DROP       all  --  122.0.0.0/8          anywhere
DROP       all  --  123.0.0.0/8          anywhere
DROP       all  --  124.0.0.0/8          anywhere
DROP       all  --  125.0.0.0/8          anywhere
DROP       all  --  126.0.0.0/8          anywhere
DROP       all  --  127.0.0.0/8          anywhere
DROP       all  --  197.0.0.0/8          anywhere
DROP       all  --  222.0.0.0/8          anywhere
DROP       all  --  223.0.0.0/8          anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  225.0.0.0/8          anywhere
DROP       all  --  226.0.0.0/8          anywhere
DROP       all  --  227.0.0.0/8          anywhere
DROP       all  --  reserved-multicast-range-NOT-delegated.example.com/8
  anywhere
DROP       all  --  229.0.0.0/8          anywhere
DROP       all  --  reserved-multicast-range-NOT-delegated.example.com/8
  anywhere
DROP       all  --  reserved-multicast-range-NOT-delegated.example.com/8
  anywhere
DROP       all  --  232.0.0.0/8          anywhere
DROP       all  --  233.0.0.0/8          anywhere
DROP       all  --  234.0.0.0/8          anywhere
DROP       all  --  235.0.0.0/8          anywhere
DROP       all  --  236.0.0.0/8          anywhere
DROP       all  --  237.0.0.0/8          anywhere
DROP       all  --  238.0.0.0/8          anywhere
DROP       all  --  239.0.0.0/8          anywhere
DROP       all  --  240.0.0.0/8          anywhere
DROP       all  --  241.0.0.0/8          anywhere
DROP       all  --  242.0.0.0/8          anywhere
DROP       all  --  243.0.0.0/8          anywhere
DROP       all  --  244.0.0.0/8          anywhere
DROP       all  --  245.0.0.0/8          anywhere
DROP       all  --  246.0.0.0/8          anywhere
DROP       all  --  247.0.0.0/8          anywhere
DROP       all  --  248.0.0.0/8          anywhere
DROP       all  --  249.0.0.0/8          anywhere
DROP       all  --  250.0.0.0/8          anywhere
DROP       all  --  251.0.0.0/8          anywhere
DROP       all  --  252.0.0.0/8          anywhere
DROP       all  --  253.0.0.0/8          anywhere
DROP       all  --  254.0.0.0/8          anywhere
DROP       all  --  255.0.0.0/8          anywhere

Chain VALID_CHECK (2 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/min burst 5 LOG
level info prefix `Stealth XMAS scan: '
LOG        tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/min burst
5 LOG level info prefix `Stealth XMAS-PSH scan: '
LOG        tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/min
burst 5 LOG level info prefix `Stealth XMAS-ALL scan: '
LOG        tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/min burst 5 LOG level
info prefix `Stealth FIN scan: '
LOG        tcp  --  anywhere             anywhere           tcp
flags:SYN,RST/SYN,RST limit: avg 3/min burst 5 LOG level info prefix
`Stealth SYN/RST scan: '
LOG        tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN/FIN,SYN limit: avg 3/min burst 5 LOG level info prefix
`Stealth SYN/FIN scan(?): '
LOG        tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/min burst 5 LOG level
info prefix `Stealth Null scan: '
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN
DROP       tcp  --  anywhere             anywhere           tcp
flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        tcp  --  anywhere             anywhere           tcp
option=64 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP
flag(64): '
LOG        tcp  --  anywhere             anywhere           tcp
option=128 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP
flag(128): '
DROP       tcp  --  anywhere             anywhere           tcp option=64
DROP       tcp  --  anywhere             anywhere           tcp option=128
LOG        all  -f  anywhere             anywhere           limit: avg
3/min burst 1 LOG level warning prefix `Fragmented packet: '
DROP       all  -f  anywhere             anywhere
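The situation Stephen describes is the classic "hairpin" (NAT loopback) case: an internal client sends a packet to the firewall's external address, but the port-forward rule is bound to the external interface, so the packet arriving on eth1 is never rewritten, is delivered to the firewall itself, and nothing there listens on 8081, which is a likely reason for "connection refused" rather than a timeout. Two nat-table rules fix it: a second DNAT that also matches on the internal interface, and a source NAT so that the server's replies travel back through the firewall instead of going straight to the client (which would otherwise see replies from 192.168.1.254 for a connection it opened to the external IP and reset it). The script below is an added example, not part of the original post and not Arno's script; it uses the interface names, LAN range and server address from the post, assumes the internal server listens on port 80 (the post only gives the external port 8081), and uses a placeholder external address because the post removed the real one. Where such rules belong inside Arno's own configuration is not something the post shows, so the script just emits plain iptables commands (by default it prints them; set IPTABLES=iptables to load them).

```shell
#!/bin/sh
# Hairpin (NAT reflection) rules for a Linux iptables gateway.
# Added example; not Arno's script. Values taken from the post:
# eth0 external, eth1 internal, LAN 192.168.0.0/21, web server
# 192.168.1.254 published on external port 8081.
# Assumptions: the server listens on 80 internally; EXT_IP is a
# placeholder (RFC 5737 documentation address) since the post removed it.
# IPTABLES defaults to "echo iptables" so the rules are printed, not loaded.

IPTABLES="${IPTABLES:-echo iptables}"
EXT_IF=eth0
INT_IF=eth1
LAN_NET=192.168.0.0/21
EXT_IP="${EXT_IP:-203.0.113.10}"   # placeholder external address
SERVER=192.168.1.254
EXT_PORT=8081
SRV_PORT=80                        # assumption: internal listening port

# The ordinary port forward. It matches only packets that arrive on eth0,
# so an internal client's packet (arriving on eth1) never hits it, reaches
# the firewall's own INPUT chain, and nothing listens on 8081 there.
add_external_dnat() {
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$SERVER:$SRV_PORT"
}

# Hairpin part 1: rewrite the destination for LAN packets that come in on
# the internal interface aimed at the external address.
add_hairpin_dnat() {
    $IPTABLES -t nat -A PREROUTING -i "$INT_IF" -s "$LAN_NET" -d "$EXT_IP" \
        -p tcp --dport "$EXT_PORT" -j DNAT --to-destination "$SERVER:$SRV_PORT"
}

# Hairpin part 2: masquerade those connections towards the server so its
# replies return via the firewall. Without this the server answers the
# client directly on the shared subnet with source 192.168.1.254, which the
# client never connected to, and the client resets the connection.
# Only LAN->server traffic on the forwarded port is masqueraded, so the
# server's logs keep real client addresses for direct LAN connections.
add_hairpin_snat() {
    $IPTABLES -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN_NET" -d "$SERVER" \
        -p tcp --dport "$SRV_PORT" -j MASQUERADE
}

# The filter-table FORWARD chain must also allow eth1 -> eth1 traffic. The
# ruleset in the post already accepts NEW connections from 192.168.0.0/21
# in FORWARD, so no extra filter rule is added here.
hairpin_rules() {
    add_external_dnat
    add_hairpin_dnat
    add_hairpin_snat
}

hairpin_rules
```

The DNS route Stephen alludes to is the other standard answer: a split-horizon resolver that hands internal clients 192.168.1.254 for the site name avoids the hairpin altogether and keeps client addresses visible to the server, but it does nothing for clients that use the literal external IP, and it only works when the internal and external ports are the same, which is not the case for an 8081-to-80 forward.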
IP Masq/IP Chains Question (forwarding smtp to 'internal' mail server...)

Hey all.

I was just wondering if this were possible:

I have my cheapo, old Linux box handling ip masq for my internal network (I
have a cable modem).  This works fine.  But, can I have the IP Masq. box
forward all incoming port 25 and 110 to say port 25 and 110 on an internal
IP?  (192.168.0.3)  This way I could practice a few mail servers on the
inside without having to do it on the 'external' machine.

Just curious and hopeful.

Chris