Debian Sid (Unstable) with Bastille won't masq my internal ip
I have been using the Bastille firewall all along, but as of today I cannot access Internet services like POP3/ICQ, except those sent over a proxy, like this web connection I'm currently using.
Attached is my iptables.rules file generated with "iptables -S > iptables.rules". eth0 is the external ("DSL modem") device, eth1 is the internal device my computers are connected to.
From the router, e.g. pinging and contacting my server via SSH are working. But from the client, only resolving a hostname to an IP and vice versa works.
Any ideas?
Thanks in advance.
This is my routing table on the client:
route -n output on client
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 br0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 br0
And this is the one on my router:
route -n output on router
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
84.62.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 dummy0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
These are the current firewall rules:
iptables -S output
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N INT_IN
-N INT_OUT
-N PAROLE
-N PUB_IN
-N PUB_OUT
-A INPUT -d 127.0.0.0/8 -i ! lo -p tcp -j LOG --log-prefix "INPUT DROP 0" --log-level 6
-A INPUT -d 127.0.0.0/8 -i ! lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -f -j LOG --log-prefix "INPUT DROP 1 " --log-level 6
-A INPUT -f -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "INPUT DROP 2 " --log-level 6
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 192.168.1.0/24 -i eth0 -j LOG --log-prefix "INPUT DROP 3 " --log-level 6
-A INPUT -d 192.168.1.0/24 -i eth0 -j DROP
-A INPUT -s 192.168.1.0/24 -i eth0 -j LOG --log-prefix "INPUT DROP 4 " --log-level 6
-A INPUT -s 192.168.1.0/24 -i eth0 -j DROP
-A INPUT -i eth0 -j PUB_IN
-A INPUT -i eth1 -j INT_IN
-A INPUT -p tcp -m tcp --dport 137:139 -j DROP
-A INPUT -p udp -m udp --dport 137:139 -j DROP
-A INPUT -d 224.0.0.0/8 -j DROP
-A INPUT -j LOG --log-prefix "INPUT DROP 10 " --log-level 6
-A INPUT -j DROP
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 31017 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 31017 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j LOG --log-prefix "FORWARD DROP 5 " --log-level 6
-A FORWARD -s 192.168.1.0/24 -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j DROP
-A FORWARD -s 192.168.1.0/24 -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j LOG --log-prefix "FORWARD DROP 6 " --log-level 6
-A FORWARD -s 192.168.1.0/24 -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j DROP
-A FORWARD -s 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j PUB_OUT
-A OUTPUT -o eth1 -j INT_OUT
-A INT_IN -p tcp -m tcp --dport 22 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 53 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 4001 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 80 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 7792 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 8118 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 110 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 31017 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 2064 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 3064 -j PAROLE
-A INT_IN -p udp -m udp --dport 53 -j ACCEPT
-A INT_IN -p udp -m udp --dport 631 -j ACCEPT
-A INT_IN -p udp -m udp --dport 67 -j ACCEPT
-A INT_IN -p udp -m udp --dport 31017 -j ACCEPT
-A INT_IN -p udp -m udp --dport 2064 -j ACCEPT
-A INT_IN -p udp -m udp --dport 3064 -j ACCEPT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -p tcp -m tcp --dport 137:139 -j DROP
-A INT_IN -p udp -m udp --dport 137:139 -j DROP
-A INT_IN -d 224.0.0.0/8 -j DROP
-A INT_IN -j LOG --log-prefix "INT_IN DROP 12 " --log-level 6
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -s 0.0.0.0/8 -j DROP
-A PUB_IN -s 1.0.0.0/8 -j DROP
-A PUB_IN -s 2.0.0.0/8 -j DROP
-A PUB_IN -s 5.0.0.0/8 -j DROP
-A PUB_IN -s 10.0.0.0/8 -j DROP
-A PUB_IN -s 14.0.0.0/8 -j DROP
-A PUB_IN -s 23.0.0.0/8 -j DROP
-A PUB_IN -s 27.0.0.0/8 -j DROP
-A PUB_IN -s 31.0.0.0/8 -j DROP
-A PUB_IN -s 36.0.0.0/8 -j DROP
-A PUB_IN -s 37.0.0.0/8 -j DROP
-A PUB_IN -s 39.0.0.0/8 -j DROP
-A PUB_IN -s 42.0.0.0/8 -j DROP
-A PUB_IN -s 46.0.0.0/8 -j DROP
-A PUB_IN -s 49.0.0.0/8 -j DROP
-A PUB_IN -s 50.0.0.0/8 -j DROP
-A PUB_IN -s 100.0.0.0/8 -j DROP
-A PUB_IN -s 101.0.0.0/8 -j DROP
-A PUB_IN -s 102.0.0.0/8 -j DROP
-A PUB_IN -s 103.0.0.0/8 -j DROP
-A PUB_IN -s 104.0.0.0/8 -j DROP
-A PUB_IN -s 105.0.0.0/8 -j DROP
-A PUB_IN -s 106.0.0.0/8 -j DROP
-A PUB_IN -s 107.0.0.0/8 -j DROP
-A PUB_IN -s 108.0.0.0/8 -j DROP
-A PUB_IN -s 109.0.0.0/8 -j DROP
-A PUB_IN -s 110.0.0.0/8 -j DROP
-A PUB_IN -s 111.0.0.0/8 -j DROP
-A PUB_IN -s 127.0.0.0/8 -j DROP
-A PUB_IN -s 169.254.0.0/16 -j DROP
-A PUB_IN -s 172.16.0.0/12 -j DROP
-A PUB_IN -s 175.0.0.0/8 -j DROP
-A PUB_IN -s 176.0.0.0/8 -j DROP
-A PUB_IN -s 177.0.0.0/8 -j DROP
-A PUB_IN -s 178.0.0.0/8 -j DROP
-A PUB_IN -s 179.0.0.0/8 -j DROP
-A PUB_IN -s 180.0.0.0/8 -j DROP
-A PUB_IN -s 181.0.0.0/8 -j DROP
-A PUB_IN -s 182.0.0.0/8 -j DROP
-A PUB_IN -s 183.0.0.0/8 -j DROP
-A PUB_IN -s 184.0.0.0/8 -j DROP
-A PUB_IN -s 185.0.0.0/8 -j DROP
-A PUB_IN -s 192.0.2.0/24 -j DROP
-A PUB_IN -s 192.168.0.0/16 -j DROP
-A PUB_IN -s 197.0.0.0/8 -j DROP
-A PUB_IN -s 198.18.0.0/15 -j DROP
-A PUB_IN -s 223.0.0.0/8 -j DROP
-A PUB_IN -s 224.0.0.0/3 -j DROP
-A PUB_IN -d 192.168.1.0/24 -j LOG --log-prefix "PUB_IN DROP 7 " --log-level 6
-A PUB_IN -d 192.168.1.0/24 -j DROP
-A PUB_IN -s 192.168.1.0/24 -j LOG --log-prefix "PUB_IN DROP 8 " --log-level 6
-A PUB_IN -s 192.168.1.0/24 -j DROP
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 31017 -j PAROLE
-A PUB_IN -p udp -m udp --dport 31017 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 137:139 -j DROP
-A PUB_IN -p udp -m udp --dport 137:139 -j DROP
-A PUB_IN -d 224.0.0.0/8 -j DROP
-A PUB_IN -p tcp -m tcp --dport 23 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p tcp -m tcp --dport 21 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p tcp -m tcp --dport 143 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p tcp -m tcp --dport 110 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p tcp -m tcp --dport 79 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p tcp -m tcp --dport 111 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p tcp -m tcp --dport 512 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p tcp -m tcp --dport 513 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p tcp -m tcp --dport 98 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p udp -m udp --dport 31337 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p icmp -m icmp --icmp-type 8 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6
-A PUB_IN -p icmp -j LOG --log-prefix "PUB_IN DROP 9" --log-level 6
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j LOG --log-prefix "PUB_IN DROP 11 " --log-level 6
-A PUB_IN -j DROP
-A PUB_OUT -s 0.0.0.0/8 -j DROP
-A PUB_OUT -s 1.0.0.0/8 -j DROP
-A PUB_OUT -s 2.0.0.0/8 -j DROP
-A PUB_OUT -s 5.0.0.0/8 -j DROP
-A PUB_OUT -s 10.0.0.0/8 -j DROP
-A PUB_OUT -s 14.0.0.0/8 -j DROP
-A PUB_OUT -s 23.0.0.0/8 -j DROP
-A PUB_OUT -s 27.0.0.0/8 -j DROP
-A PUB_OUT -s 31.0.0.0/8 -j DROP
-A PUB_OUT -s 36.0.0.0/8 -j DROP
-A PUB_OUT -s 37.0.0.0/8 -j DROP
-A PUB_OUT -s 39.0.0.0/8 -j DROP
-A PUB_OUT -s 42.0.0.0/8 -j DROP
-A PUB_OUT -s 46.0.0.0/8 -j DROP
-A PUB_OUT -s 49.0.0.0/8 -j DROP
-A PUB_OUT -s 50.0.0.0/8 -j DROP
-A PUB_OUT -s 100.0.0.0/8 -j DROP
-A PUB_OUT -s 101.0.0.0/8 -j DROP
-A PUB_OUT -s 102.0.0.0/8 -j DROP
-A PUB_OUT -s 103.0.0.0/8 -j DROP
-A PUB_OUT -s 104.0.0.0/8 -j DROP
-A PUB_OUT -s 105.0.0.0/8 -j DROP
-A PUB_OUT -s 106.0.0.0/8 -j DROP
-A PUB_OUT -s 107.0.0.0/8 -j DROP
-A PUB_OUT -s 108.0.0.0/8 -j DROP
-A PUB_OUT -s 109.0.0.0/8 -j DROP
-A PUB_OUT -s 110.0.0.0/8 -j DROP
-A PUB_OUT -s 111.0.0.0/8 -j DROP
-A PUB_OUT -s 127.0.0.0/8 -j DROP
-A PUB_OUT -s 169.254.0.0/16 -j DROP
-A PUB_OUT -s 172.16.0.0/12 -j DROP
-A PUB_OUT -s 175.0.0.0/8 -j DROP
-A PUB_OUT -s 176.0.0.0/8 -j DROP
-A PUB_OUT -s 177.0.0.0/8 -j DROP
-A PUB_OUT -s 178.0.0.0/8 -j DROP
-A PUB_OUT -s 179.0.0.0/8 -j DROP
-A PUB_OUT -s 180.0.0.0/8 -j DROP
-A PUB_OUT -s 181.0.0.0/8 -j DROP
-A PUB_OUT -s 182.0.0.0/8 -j DROP
-A PUB_OUT -s 183.0.0.0/8 -j DROP
-A PUB_OUT -s 184.0.0.0/8 -j DROP
-A PUB_OUT -s 185.0.0.0/8 -j DROP
-A PUB_OUT -s 192.0.2.0/24 -j DROP
-A PUB_OUT -s 192.168.0.0/16 -j DROP
-A PUB_OUT -s 197.0.0.0/8 -j DROP
-A PUB_OUT -s 198.18.0.0/15 -j DROP
-A PUB_OUT -s 223.0.0.0/8 -j DROP
-A PUB_OUT -s 224.0.0.0/3 -j DROP
-A PUB_OUT -j ACCEPT
And yes, I block the bogons.
Last edited by quixy; 08-22-2008 at 03:32 AM.
Reason: Added more information
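An added diagnostic script, not from quixy or from the Bastille project, that applies the check a reviewer would run against the output posted above. Two things in the post are worth checking mechanically: the router's route -n output carries the default route on ppp0 while the posted FORWARD rule only accepts outbound traffic with "-o eth0", and "iptables -S" without "-t nat" prints only the filter table, so any MASQUERADE rule in POSTROUTING does not appear in the listing at all. The script embeds a constructed copy of the router's routing table and FORWARD rules from the thread, plus a constructed nat table (assumed, not from the post) to show what a passing check looks like; the function names default_iface, out_ifaces and check_egress are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): compare the interface that
# carries the default route with the interfaces named by -o in the forwarding
# and masquerading rules. Sample input is constructed from the thread.

# Constructed copy of the router's "route -n" output from the post.
ROUTER_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
84.62.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 dummy0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0'

# Constructed copy of the FORWARD rules from the posted "iptables -S" (filter table).
POSTED_FILTER='-P FORWARD DROP
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 31017 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 31017 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -o eth0 -j ACCEPT'

# Constructed nat table (assumed, NOT shown in the thread) in "iptables -t nat -S"
# form, with MASQUERADE on the interface that actually carries the default route.
CONSTRUCTED_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE'

# default_iface ROUTE_TEXT: print the Iface column of the 0.0.0.0 (default) row.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $NF; exit }'
}

# out_ifaces RULES_TEXT CHAIN TARGET: print, deduplicated, every interface
# given with -o in a rule of the form "-A CHAIN ... -j TARGET".
out_ifaces() {
    printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" '
        $1 == "-A" && $2 == chain && $(NF - 1) == "-j" && $NF == target {
            for (i = 3; i < NF; i++) if ($i == "-o") print $(i + 1)
        }' | sort -u
}

# check_egress RULES_TEXT ROUTE_TEXT CHAIN TARGET: return 0 only if some
# "-A CHAIN ... -j TARGET" rule names the default-route interface; otherwise
# print the mismatch and return 1 (2 if there is no default route at all).
check_egress() {
    def=$(default_iface "$2")
    [ -n "$def" ] || { echo "no default route in routing table"; return 2; }
    found=$(out_ifaces "$1" "$3" "$4")
    for ifc in $found; do
        if [ "$ifc" = "$def" ]; then
            echo "ok: $3/$4 rule exists for default-route interface $def"
            return 0
        fi
    done
    echo "mismatch: default route is on $def, but $3/$4 rules use -o: ${found:-none}"
    return 1
}

# Stand-alone run: the posted filter rules against the posted routing table,
# then the constructed nat table. "|| :" keeps a mismatch from aborting the script.
echo "--- FORWARD rules as posted ---"
check_egress "$POSTED_FILTER" "$ROUTER_ROUTES" FORWARD ACCEPT || :
echo "--- constructed POSTROUTING/MASQUERADE rules ---"
check_egress "$CONSTRUCTED_NAT" "$ROUTER_ROUTES" POSTROUTING MASQUERADE || :
```

On a live router the same functions take real input: check_egress "$(iptables -S)" "$(route -n)" FORWARD ACCEPT and check_egress "$(iptables -t nat -S)" "$(route -n)" POSTROUTING MASQUERADE. The script only reports a mismatch between the default route and the rule set; which interface Bastille should be told is the public one is a configuration decision for the router's owner.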