IPTABLES ALLOW PORTS

Support for security such as Firewalls and securing linux
afuseau
Posts: 4
Joined: 2013/04/01 16:52:33

IPTABLES ALLOW PORTS

Post by afuseau » 2013/04/01 17:08:57

Hi everyone. I am using IPTABLES to work as a firewall in my network. I have 3 networks from different places in my country connected via MPLS. The thing is that I can ping from 192.168.1.0/24 to 192.168.2.0/24 but cannot connect through port 11000 or port 8014.
I've tried to write a rule in the input but it doesn't work. I've enabled logging and get this:
Mar 28 20:29:23 mail kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:0f:6d:fd:00:1b:d4:e8:d7:10:08:00 SRC=192.168.3.103 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=37091 PROTO=TCP SPT=3129 DPT=11000 WINDOW=0 RES=0x00 RST URGP=0
Mar 28 20:29:53 mail kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:0f:6d:fd:00:1b:d4:e8:d7:10:08:00 SRC=192.168.3.103 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=39163 PROTO=TCP SPT=3135 DPT=8014 WINDOW=0 RES=0x00 RST URGP=0
Mar 28 20:30:31 mail kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:0f:6d:fd:00:1b:d4:e8:d7:10:08:00 SRC=192.168.3.103 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=42683 DF PROTO=TCP SPT=3140 DPT=3128 WINDOW=47916 RES=0x00 SYN URGP=0
Mar 28 20:30:32 mail kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:0f:6d:fd:00:1b:d4:e8:d7:10:08:00 SRC=192.168.3.103 DST=192.168.1.1 LEN=377 TOS=0x00 PREC=0x00 TTL=124 ID=42693 DF PROTO=TCP SPT=3141 DPT=3128 WINDOW=47596 RES=0x00 ACK PSH URGP=0
Mar 28 20:30:47 mail kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:0f:6d:fd:00:1b:d4:e8:d7:10:08:00 SRC=192.168.3.103 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=42820 PROTO=TCP SPT=3143 DPT=8014 WINDOW=0 RES=0x00 RST URGP=0
Mar 28 20:30:55 mail kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:0f:6d:fd:00:1b:d4:e8:d7:10:08:00 SRC=192.168.3.103 DST=192.168.1.1 LEN=63 TOS=0x00 PREC=0x00 TTL=124 ID=42847 DF PROTO=TCP SPT=5938 DPT=8860 WINDOW=46627 RES=0x00 ACK PSH URGP=0

I've tried with -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.3.103 --dport 11000 --sport 1520 -j ACCEPT but it still doesn't work.
Do you have any idea what I could be doing wrong?

Thanks for your help

This is my IPtables file

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/minute -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
# -A LOGGING -j DROP
-A FORWARD -o eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -p tcp -m tcp -s 192.168.1.101 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 200.63.212.101 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 200.63.212.103 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 76.73.41.82 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 200.63.192.12 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 200.63.192.17 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.1.0/24 ! -d -i eth0 --dport 25 -j REJECT
-A FORWARD -p tcp --dport 1863 -j REJECT
-A FORWARD -p tcp --sport 1863 -j REJECT
-A FORWARD -p tcp -d 64.4.13.0/24 -j REJECT
-A FORWARD -p tcp -m tcp -d 64.13.161.61 -j REJECT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 443 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 587 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 8081 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 81 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 82 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 83 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 84 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 85 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 86 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 87 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 88 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 89 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 90 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 91 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 92 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 93 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 94 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 95 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 9090 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.3.0/24 --dport 3389 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.2.0/24 --dport 3389 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 8080 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 99 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 100 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.3.0/24 -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.1.0/24 --dport 8014 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.3.103 --dport 11000 --sport 1520 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 8014 --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.1.150 -d 65.0.0.0/8 --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 71 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d --dport 3389 -j DNAT --to-destination 192.168.1.102:3389
-A PREROUTING -p tcp -m tcp -d --dport 80 -j DNAT --to-destination 192.168.1.101
-A PREROUTING -p tcp -m tcp -d --dport 443 -j DNAT --to-destination 192.168.1.101:443
-A PREROUTING -p tcp -m tcp -d --dport 110 -j DNAT --to-destination 192.168.1.101
-A PREROUTING -p tcp -m tcp -d --dport 8081 -j DNAT --to-destination 192.168.1.102:8081
-A PREROUTING -p tcp -m tcp -d --dport 81 -j DNAT --to-destination 192.168.1.30
-A PREROUTING -p tcp -m tcp -d --dport 94 -j DNAT --to-destination
-A PREROUTING -p tcp -m tcp -d --dport 95 -j DNAT --to-destination 192.168.1.44
-A PREROUTING -p tcp -m tcp -d --dport 99 -j DNAT --to-destination 192.168.1.103
-A PREROUTING -p tcp -m tcp -d --dport 8080 -j DNAT --to-destination 192.168.1.105
-A PREROUTING -p tcp -m tcp -d --dport 100 -j DNAT --to-destination 192.168.3.150
-A PREROUTING -p tcp -m tcp -d --dport 70 -j DNAT --to-destination 192.168.2.150
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp ! -d -i eth0 --dport 99 -j REDIRECT --to-ports 3128
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp ! -d -i eth0 --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.1.101 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE
COMMIT

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

IPTABLES ALLOW PORTS

Post by TrevorH » 2013/04/01 18:54:15

I don't have time to look through your other rules but this one

[quote]
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.3.103 --dport 11000 --sport 1520 -j ACCEPT
[/quote]

You have specified both the destination port and the source port and the only log message you show that uses that --dport does not originate from the source port that you've given in this rule so it would be denied. I'd remove the source port from your rule entirely since source ports are almost always dynamically allocated and could differ from one packet to the next. Locking it down to a source IP address and a local destination port should be enough.
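To make the first-match walk concrete, here is an added evaluator (example code, not from the thread or from any poster) that replays the packet from the first log line in the original post against the rules of the posted *filter table that can act on it. It records which rule writes the log entry and which rule then decides the packet, and it shows why a rule carrying --sport does not match a packet sent from another source port; it understands only the options those rules use and ignores the connection-state match.

```python
import ipaddress
import shlex

# Rules an incoming packet meets in the posted *filter table, in chain order; the rules in
# between are omitted, none of them names port 11000.
RULES_TEXT = """
-A INPUT -j LOGGING
-A INPUT -j RH-Firewall-1-INPUT
-A LOGGING -m limit --limit 2/minute -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.3.103 --dport 11000 --sport 1520 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
POLICY = {"INPUT": "ACCEPT"}  # ":INPUT ACCEPT [0:0]" in the posted file
# Fields of the first "IPTables-Dropped" log line in the original post.
PACKET = {"in": "eth0", "src": "192.168.3.103", "proto": "tcp", "sport": 3129, "dport": 11000}

def parse_rules(text):
    """Group '-A' lines by chain, keeping each rule's matches, target and log prefix."""
    chains = {}
    for line in text.strip().splitlines():
        toks, rule = shlex.split(line), {"text": line, "match": {}}
        for key, val in zip(toks[0::2], toks[1::2]):  # every option used here takes one argument
            if key == "-A":
                chains.setdefault(val, []).append(rule)
            elif key in ("-j", "--log-prefix"):
                rule[key] = val
            elif key in ("-i", "-p", "-s", "--sport", "--dport"):
                rule["match"][key] = val
            elif key not in ("-m", "--limit", "--log-level", "--reject-with"):
                raise ValueError(f"unsupported option {key!r} in {line!r}")
    return chains

def matches(rule, pkt):
    """Every match on the rule must hold; a match the rule lacks accepts any value."""
    m = rule["match"]
    src_ok = "-s" not in m or (ipaddress.ip_address(pkt["src"])
                               in ipaddress.ip_network(m["-s"], strict=False))
    fields = (("-i", "in"), ("-p", "proto"), ("--sport", "sport"), ("--dport", "dport"))
    return src_ok and all(str(pkt[field]) == m[key] for key, field in fields if key in m)

def walk(chains, chain, pkt, trace):
    """First match wins; LOG is non-terminating; falling off a user chain acts as RETURN."""
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            target = rule["-j"]
            if target == "LOG":
                trace.append(f"{chain}: logged with prefix {rule.get('--log-prefix', '')!r}")
            elif target == "RETURN":
                return None
            elif target in ("ACCEPT", "DROP", "REJECT"):
                trace.append(f"{chain}: {target} by '{rule['text']}'")
                return target
            elif (verdict := walk(chains, target, pkt, trace)) is not None:  # user chain
                return verdict
    return None

def evaluate(rules_text, pkt, chain="INPUT"):
    """Verdict for a packet entering a built-in chain, plus the trace of rules that acted on it."""
    trace = []
    return walk(parse_rules(rules_text), chain, pkt, trace) or POLICY[chain], trace
```

Calling evaluate(RULES_TEXT, PACKET) returns the verdict together with a trace such as "LOGGING: logged with prefix 'IPTables-Dropped: '" followed by the rule that decided the packet.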

afuseau
Posts: 4
Joined: 2013/04/01 16:52:33

Re: IPTABLES ALLOW PORTS

Post by afuseau » 2013/04/01 23:06:55

Thanks. I've tried this but it still doesn't work:

-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.3.0/24 --dport 11000 -j ACCEPT

tigalch
QA Team
Posts: 522
Joined: 2012/06/23 17:28:41
Location: Austria

Re: IPTABLES ALLOW PORTS

Post by tigalch » 2013/04/02 16:37:46

To me it looks like it should be a FORWARD rule, not an INPUT rule.
From your DENY log:

[quote]
SRC=192.168.3.103 DST=192.168.1.1
[/quote]
imho this is treated as FORWARDING, not as INPUT, as it passes through your host (assuming all networks are /24).

afuseau
Posts: 4
Joined: 2013/04/01 16:52:33

Re: IPTABLES ALLOW PORTS

Post by afuseau » 2013/04/03 16:36:40

Thanks for your help, but I still get the same result. I've added -A FORWARD -p tcp -m tcp -s 192.168.3.0/24 --dport 11000 -j ACCEPT. If I turn the Linux firewall off, everything works.

This is how my IPTABLES file is:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/minute -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
# -A LOGGING -j DROP
-A FORWARD -o eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -p tcp -m tcp -s 192.168.1.101 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 200.63.212.101 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 200.63.212.103 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 76.73.41.82 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 200.63.192.12 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 200.63.192.17 --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.1.0/24 ! -d -i eth0 --dport 25 -j REJECT
-A FORWARD -p tcp --dport 1863 -j REJECT
-A FORWARD -p tcp --sport 1863 -j REJECT
-A FORWARD -p tcp -d 64.4.13.0/24 -j REJECT
-A FORWARD -p tcp -m tcp -d 64.13.161.61 -j REJECT
-A FORWARD -p tcp -m tcp -s 192.168.3.0/24 --dport 11000 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 443 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 587 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 8081 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 81 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 82 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 83 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 84 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 85 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 86 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 87 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 88 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 89 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 90 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 91 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 92 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 93 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 94 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 95 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 9090 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.3.0/24 --dport 3389 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.2.0/24 --dport 3389 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 8080 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 99 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 100 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.3.0/24 -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 8014 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 71 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d --dport 3389 -j DNAT --to-destination 192.168.1.102:3389
-A PREROUTING -p tcp -m tcp -d --dport 80 -j DNAT --to-destination 192.168.1.101
-A PREROUTING -p tcp -m tcp -d --dport 443 -j DNAT --to-destination 192.168.1.101:443
-A PREROUTING -p tcp -m tcp -d --dport 110 -j DNAT --to-destination 192.168.1.101
-A PREROUTING -p tcp -m tcp -d --dport 8081 -j DNAT --to-destination 192.168.1.102:8081
-A PREROUTING -p tcp -m tcp -d --dport 81 -j DNAT --to-destination 192.168.1.30
-A PREROUTING -p tcp -m tcp -d --dport 82 -j DNAT --to-destination 192.168.1.31
-A PREROUTING -p tcp -m tcp -d --dport 83 -j DNAT --to-destination 192.168.1.32
-A PREROUTING -p tcp -m tcp -d --dport 84 -j DNAT --to-destination 192.168.1.33
-A PREROUTING -p tcp -m tcp -d --dport 85 -j DNAT --to-destination 192.168.1.34
-A PREROUTING -p tcp -m tcp -d --dport 86 -j DNAT --to-destination 192.168.1.35
-A PREROUTING -p tcp -m tcp -d --dport 87 -j DNAT --to-destination 192.168.1.36
-A PREROUTING -p tcp -m tcp -d --dport 88 -j DNAT --to-destination 192.168.1.37
-A PREROUTING -p tcp -m tcp -d --dport 89 -j DNAT --to-destination 192.168.1.38
-A PREROUTING -p tcp -m tcp -d --dport 90 -j DNAT --to-destination 192.168.1.39
-A PREROUTING -p tcp -m tcp -d --dport 91 -j DNAT --to-destination 192.168.1.40
-A PREROUTING -p tcp -m tcp -d --dport 92 -j DNAT --to-destination 192.168.1.41
-A PREROUTING -p tcp -m tcp -d --dport 93 -j DNAT --to-destination 192.168.1.42
-A PREROUTING -p tcp -m tcp -d --dport 94 -j DNAT --to-destination
-A PREROUTING -p tcp -m tcp -d --dport 95 -j DNAT --to-destination 192.168.1.44
-A PREROUTING -p tcp -m tcp -d --dport 99 -j DNAT --to-destination 192.168.1.103
-A PREROUTING -p tcp -m tcp -d --dport 8080 -j DNAT --to-destination 192.168.1.105
-A PREROUTING -p tcp -m tcp -d --dport 100 -j DNAT --to-destination 192.168.3.150
-A PREROUTING -p tcp -m tcp -d --dport 70 -j DNAT --to-destination 192.168.2.150
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp ! -d -i eth0 --dport 99 -j REDIRECT --to-ports 3128
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp ! -d -i eth0 --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.1.101 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE
COMMIT

tigalch
QA Team
Posts: 522
Joined: 2012/06/23 17:28:41
Location: Austria

Re: IPTABLES ALLOW PORTS

Post by tigalch » 2013/04/04 20:57:18

I've found something else in your log:
For DPT=11000 and 8014 I can only see TCP packets with the RST flag. A new connection being blocked this way should have a SYN flag. RST usually is the end of a conversation.

Two suggestions:
- (if possible) remove the logging limit (or increase it to 1/sec) for testing purposes to see what else hits the firewall.
- instead of adding the rule "-A FORWARD -p tcp -m tcp -s 192.168.3.0/24 --dport 11000 -j ACCEPT", could you please insert it on top of the other rules (-I FORWARD -p tcp -m tcp -s 192.168.3.0/24 --dport 11000 -j ACCEPT should be enough to accomplish this).

Then retry.
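The check tigalch describes, as an added triage script that is not part of the thread: it parses the kernel LOG lines quoted in the first post and reports, per destination port, which kinds of TCP segment were logged and whether a SYN (a real connection attempt) was ever among them. The lines are embedded verbatim except that the MAC= field is trimmed to keep them short.

```python
from collections import defaultdict

# Log lines quoted in the original post (MAC= field trimmed for width).
LOG_LINES = """
Mar 28 20:29:23 mail kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.168.3.103 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=37091 PROTO=TCP SPT=3129 DPT=11000 WINDOW=0 RES=0x00 RST URGP=0
Mar 28 20:29:53 mail kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.168.3.103 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=39163 PROTO=TCP SPT=3135 DPT=8014 WINDOW=0 RES=0x00 RST URGP=0
Mar 28 20:30:31 mail kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.168.3.103 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=42683 DF PROTO=TCP SPT=3140 DPT=3128 WINDOW=47916 RES=0x00 SYN URGP=0
Mar 28 20:30:32 mail kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.168.3.103 DST=192.168.1.1 LEN=377 TOS=0x00 PREC=0x00 TTL=124 ID=42693 DF PROTO=TCP SPT=3141 DPT=3128 WINDOW=47596 RES=0x00 ACK PSH URGP=0
Mar 28 20:30:47 mail kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.168.3.103 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=42820 PROTO=TCP SPT=3143 DPT=8014 WINDOW=0 RES=0x00 RST URGP=0
Mar 28 20:30:55 mail kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.168.3.103 DST=192.168.1.1 LEN=63 TOS=0x00 PREC=0x00 TTL=124 ID=42847 DF PROTO=TCP SPT=5938 DPT=8860 WINDOW=46627 RES=0x00 ACK PSH URGP=0
""".strip().splitlines()

# TCP flags appear in the LOG record as bare tokens; DF is an IP flag and is deliberately excluded.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log(line):
    """Split a kernel LOG record into its key=value fields and the set of bare TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def classify(flags):
    """Name what a logged TCP segment was: a new connection attempt, a reset, or a mid-stream segment."""
    if "SYN" in flags and "ACK" not in flags:
        return "SYN (new connection attempt)"
    if "RST" in flags:
        return "RST (connection reset, not a new connection)"
    return "mid-stream segment (" + "/".join(sorted(flags)) + ")"

def triage(lines):
    """Per destination port: the kinds of segment seen and whether any of them was a SYN."""
    seen = defaultdict(set)
    for line in lines:
        fields, flags = parse_log(line)
        if fields.get("PROTO") == "TCP":
            seen[int(fields["DPT"])].add(classify(flags))
    return {port: {"kinds": sorted(kinds), "saw_syn": any(k.startswith("SYN") for k in kinds)}
            for port, kinds in sorted(seen.items())}
```

For the quoted lines, triage(LOG_LINES) shows no SYN for ports 11000 and 8014 (only resets), while port 3128 shows both a SYN and later mid-stream segments.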

afuseau
Posts: 4
Joined: 2013/04/01 16:52:33

Re: IPTABLES ALLOW PORTS

Post by afuseau » 2013/04/08 18:03:09

Thanks for your reply. I've added the rules like this, and changed the logging:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A FORWARD -p tcp -m tcp -s 192.168.3.0/24 --dport 8014 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.3.0/24 --dport 11000 -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 1/second -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
# -A LOGGING -j DROP
-A FORWARD -o eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A INPUT -j RH-Firewall-1-INPUT
But I still see this in the log:
Apr 8 12:50:52 mail kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:0f:6d:fd:00:1b:d4:e8:d7:10:08:00 SRC=192.168.3.103 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=49087 PROTO=TCP SPT=2475 DPT=11000 WINDOW=0 RES=0x00 RST URGP=0

tigalch
QA Team
Posts: 522
Joined: 2012/06/23 17:28:41
Location: Austria

Re: IPTABLES ALLOW PORTS

Post by tigalch » 2013/04/12 19:47:34

I only see TCP RST packets being dropped, nothing else.

Also I'm confused: Your initial post states networks 192.168.1.0/24 and 192.168.2.0/24, while all examples are about 192.168.3.0/24. Anyhow, will you please post the output of 'iptables-save' and 'ip addr list' and 'ip route list'.
