Iptables problem

Post by Carsten Kelle » Tue, 07 Oct 2003 15:35:34

Hello group.
We have a firewall running iptables. Behind it is our main network, and some
smaller private ones behind other gateways.

Internet ==firewall==130.225.184.0/22==gw==172.21.184.0/22

My problem is as follows:
Host1 on 172.* can't ping host2 on 130.*. A look in the firewall log tells me
the packets returning from host2 are denied:

Oct  3 14:13:07 ihafw kernel: RULE 38 -- DENY IN=eth0 OUT=eth0
SRC=130.225.184.44 DST=172.21.185.220 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=49790 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=42496
Oct  3 14:13:08 ihafw kernel: RULE 38 -- DENY IN=eth0 OUT=eth0
SRC=130.225.184.44 DST=172.21.185.220 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=49792 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=42752

There is no problem in pinging the other direction. After a successful ping
host2==>host1 it works both ways, probably because host2 has learned it must
go directly to the gw when going to 172.21.184.0/22. But for some reason
packets can't go from 130.* to 172.* if passing the firewall. I have this
rule among others in iptables. Shouldn't it allow the traffic to pass?

iptables -L:

$IPTABLES -N Cid3F2E7AEB.0
$IPTABLES -A OUTPUT  -s 130.225.184.0/22  -m state --state NEW  -j Cid3F2E7AEB.0
$IPTABLES -A OUTPUT  -s 172.20.184.0/22  -m state --state NEW  -j Cid3F2E7AEB.0
$IPTABLES -A OUTPUT  -s 172.21.184.0/22  -m state --state NEW  -j Cid3F2E7AEB.0
$IPTABLES -A OUTPUT  -s 192.168.0.0/24  -m state --state NEW  -j Cid3F2E7AEB.0
$IPTABLES -A Cid3F2E7AEB.0  -d 130.225.184.0/22  -m state --state NEW  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.0  -d 172.20.184.0/22  -m state --state NEW  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.0  -d 172.21.184.0/22  -m state --state NEW  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.0  -d 192.168.0.0/24  -m state --state NEW  -j ACCEPT
$IPTABLES -N Cid3F2E7AEB.1
$IPTABLES -A INPUT  -s 130.225.184.0/22  -m state --state NEW  -j Cid3F2E7AEB.1
$IPTABLES -A INPUT  -s 172.20.184.0/22  -m state --state NEW  -j Cid3F2E7AEB.1
$IPTABLES -A INPUT  -s 172.21.184.0/22  -m state --state NEW  -j Cid3F2E7AEB.1
$IPTABLES -A INPUT  -s 192.168.0.0/24  -m state --state NEW  -j Cid3F2E7AEB.1
$IPTABLES -A Cid3F2E7AEB.1  -d 130.225.184.0/22  -m state --state NEW  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.1  -d 172.20.184.0/22  -m state --state NEW  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.1  -d 172.21.184.0/22  -m state --state NEW  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.1  -d 192.168.0.0/24  -m state --state NEW  -j ACCEPT
$IPTABLES -N Cid3F2E7AEB.2
$IPTABLES -A FORWARD  -s 130.225.184.0/22  -m state --state NEW  -j Cid3F2E7AEB.2
$IPTABLES -A FORWARD  -s 172.20.184.0/22  -m state --state NEW  -j Cid3F2E7AEB.2
$IPTABLES -A FORWARD  -s 172.21.184.0/22  -m state --state NEW  -j Cid3F2E7AEB.2
$IPTABLES -A FORWARD  -s 192.168.0.0/24  -m state --state NEW  -j Cid3F2E7AEB.2
$IPTABLES -A Cid3F2E7AEB.2  -d 130.225.184.0/22  -m state --state NEW  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.2  -d 172.20.184.0/22  -m state --state NEW  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.2  -d 172.21.184.0/22  -m state --state NEW  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.2  -d 192.168.0.0/24  -m state --state NEW  -j ACCEPT

The rules are built with fwbuilder, but they look all right to me. Can anyone
spot what I've missed?

OS: RH 8.0
Kernel: 2.4.20-19.8smp
IPtables: iptables-1.2.6a-2

Thanks in advance
Keller


Iptables problem

Post by Carsten Kelle » Wed, 08 Oct 2003 20:36:43

> Hello group.
> We have a firewall running iptables. Behind it is our main network, and
> some smaller private ones behind other gateways.

> Internet ==firewall==130.225.184.0/22==gw==172.21.184.0/22

> My problem is as follows:
> Host1 on 172.* can't ping host2 on 130.*. A look in the firewall log tells
> me the packets returning from host2 are denied:

> Oct  3 14:13:07 ihafw kernel: RULE 38 -- DENY IN=eth0 OUT=eth0
> SRC=130.225.184.44 DST=172.21.185.220 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=49790 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=42496
> Oct  3 14:13:08 ihafw kernel: RULE 38 -- DENY IN=eth0 OUT=eth0
> SRC=130.225.184.44 DST=172.21.185.220 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=49792 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=42752

> There is no problem in pinging the other direction. After a successful
> ping host2==>host1 it works both ways, probably because host2 has learned it
> must go directly to the gw when going to 172.21.184.0/22. But for some reason
> packets can't go from 130.* to 172.* if passing the firewall. I have this
> rule among others in iptables. Shouldn't it allow the traffic to pass?

Hmm, I removed the statefulness, and now it works. Why is it that it didn't
work before????

iptables -L:

$IPTABLES -N Cid3F2E7AEB.0
$IPTABLES -A OUTPUT  -s 130.225.184.0/22  -j Cid3F2E7AEB.0
$IPTABLES -A OUTPUT  -s 172.20.184.0/22  -j Cid3F2E7AEB.0
$IPTABLES -A OUTPUT  -s 172.21.184.0/22  -j Cid3F2E7AEB.0
$IPTABLES -A OUTPUT  -s 192.168.0.0/24  -j Cid3F2E7AEB.0
$IPTABLES -A OUTPUT  -s 172.16.0.0/12  -j Cid3F2E7AEB.0
$IPTABLES -A Cid3F2E7AEB.0  -d 130.225.184.0/22  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.0  -d 172.20.184.0/22  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.0  -d 172.21.184.0/22  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.0  -d 192.168.0.0/24  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.0  -d 172.16.0.0/12  -j ACCEPT
$IPTABLES -N Cid3F2E7AEB.1
$IPTABLES -A INPUT  -s 130.225.184.0/22  -j Cid3F2E7AEB.1
$IPTABLES -A INPUT  -s 172.20.184.0/22  -j Cid3F2E7AEB.1
$IPTABLES -A INPUT  -s 172.21.184.0/22  -j Cid3F2E7AEB.1
$IPTABLES -A INPUT  -s 192.168.0.0/24  -j Cid3F2E7AEB.1
$IPTABLES -A INPUT  -s 172.16.0.0/12  -j Cid3F2E7AEB.1
$IPTABLES -A Cid3F2E7AEB.1  -d 130.225.184.0/22  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.1  -d 172.20.184.0/22  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.1  -d 172.21.184.0/22  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.1  -d 192.168.0.0/24  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.1  -d 172.16.0.0/12  -j ACCEPT
$IPTABLES -N Cid3F2E7AEB.2
$IPTABLES -A FORWARD  -s 130.225.184.0/22  -j Cid3F2E7AEB.2
$IPTABLES -A FORWARD  -s 172.20.184.0/22  -j Cid3F2E7AEB.2
$IPTABLES -A FORWARD  -s 172.21.184.0/22  -j Cid3F2E7AEB.2
$IPTABLES -A FORWARD  -s 192.168.0.0/24  -j Cid3F2E7AEB.2
$IPTABLES -A FORWARD  -s 172.16.0.0/12  -j Cid3F2E7AEB.2
$IPTABLES -A Cid3F2E7AEB.2  -d 130.225.184.0/22  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.2  -d 172.20.184.0/22  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.2  -d 172.21.184.0/22  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.2  -d 192.168.0.0/24  -j ACCEPT
$IPTABLES -A Cid3F2E7AEB.2  -d 172.16.0.0/12  -j ACCEPT

Thanks in advance
Keller
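The denied echo replies from the first post, worked through as an added example (this is not the poster's or fwbuilder's code, and the conntrack model in it is a deliberate simplification): a `-m state --state NEW` match only sees packets that can open a flow, and an ICMP echo reply that reaches the firewall without the firewall having seen the matching request is classified INVALID, so a NEW-only rule never matches it, which is why dropping the state match made the rule fire. The `IN=eth0 OUT=eth0` in the log is the sign that the request reached host2 by a different path (host1 via gw on the same segment) than the reply, which host2 sent to its default gateway, the firewall.

```python
import re
# netfilter LOG lines are KEY=VALUE fields; for ICMP a second ID= follows
# PROTO= and carries the echo identifier, so it is renamed to ECHO_ID here.
_KV = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one kernel LOG line as a dict."""
    fields = {}
    for key, val in _KV.findall(line):
        if key == "ID" and "PROTO" in fields:
            key = "ECHO_ID"
        fields[key] = val
    return fields

def conntrack_state(fields, seen_requests):
    """Model of conntrack's ICMP echo tracking (a simplification, assumed here):
    TYPE=8 opens a flow -> NEW; TYPE=0 is ESTABLISHED only if the matching
    request was seen, otherwise a reply cannot open a flow -> INVALID."""
    flow = (fields["SRC"], fields["DST"], fields["ECHO_ID"])
    if fields["TYPE"] == "8":
        seen_requests.add(flow)
        return "NEW"
    if fields["TYPE"] == "0":
        reverse = (fields["DST"], fields["SRC"], fields["ECHO_ID"])
        return "ESTABLISHED" if reverse in seen_requests else "INVALID"
    return "INVALID"

def hairpin(fields):
    """True when the packet entered and left on the same interface (IN=eth0 OUT=eth0)."""
    return bool(fields.get("IN")) and fields.get("IN") == fields.get("OUT")

def explain(lines):
    """Evaluate each line against a '-m state --state NEW -j ACCEPT' rule."""
    seen, report = set(), []
    for line in lines:
        f = parse_log_line(line)
        state = conntrack_state(f, seen)
        report.append({"src": f["SRC"], "dst": f["DST"], "state": state,
                       "matches_new_rule": state == "NEW",
                       "hairpin": hairpin(f)})
    return report

# Constructed input: the first denied line quoted in the post, wrapping joined.
DENIED = [
    "Oct  3 14:13:07 ihafw kernel: RULE 38 -- DENY IN=eth0 OUT=eth0 "
    "SRC=130.225.184.44 DST=172.21.185.220 LEN=60 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=49790 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=42496",
]
```

Feeding `explain` a request line followed by its reply (both seen by the firewall) yields NEW then ESTABLISHED, which is the symmetric case the stateful rules were written for.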