LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 08-21-2008, 05:35 PM   #1
quixy
LQ Newbie
 
Registered: Oct 2001
Location: Germany
Distribution: Debian Sid (Unstable)
Posts: 19

Rep: Reputation: 0
Debian Sid (Unstable) with Bastille won't masq my internal ip


I have been using the Bastille firewall all along, but as of today I cannot access Internet services like POP3/ICQ, except those sent over a proxy like the web connection I'm currently using.

Attached is my iptables.rules file, generated with "iptables -S > iptables.rules". eth0 is the external ("DSL modem") device, eth1 is the internal device my computers are connected to.

From the router, things like pinging or contacting my server via SSH work. But from the client, only resolving a hostname to an IP and vice versa works.

Any ideas?

Thanks in advance.

This is my routing table on the client:

route -n output on client
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 br0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br0
And this is the one on my router:

route -n output on router
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
84.62.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 dummy0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
These are the current firewall rules:

iptables -S output
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N INT_IN
-N INT_OUT
-N PAROLE
-N PUB_IN
-N PUB_OUT
-A INPUT -d 127.0.0.0/8 -i ! lo -p tcp -j LOG --log-prefix "INPUT DROP 0" --log-level 6 
-A INPUT -d 127.0.0.0/8 -i ! lo -p tcp -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -f -j LOG --log-prefix "INPUT DROP 1 " --log-level 6 
-A INPUT -f -j DROP 
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "INPUT DROP 2 " --log-level 6 
-A INPUT -s 224.0.0.0/4 -j DROP 
-A INPUT -d 192.168.1.0/24 -i eth0 -j LOG --log-prefix "INPUT DROP 3 " --log-level 6 
-A INPUT -d 192.168.1.0/24 -i eth0 -j DROP 
-A INPUT -s 192.168.1.0/24 -i eth0 -j LOG --log-prefix "INPUT DROP 4 " --log-level 6 
-A INPUT -s 192.168.1.0/24 -i eth0 -j DROP 
-A INPUT -i eth0 -j PUB_IN 
-A INPUT -i eth1 -j INT_IN 
-A INPUT -p tcp -m tcp --dport 137:139 -j DROP 
-A INPUT -p udp -m udp --dport 137:139 -j DROP 
-A INPUT -d 224.0.0.0/8 -j DROP 
-A INPUT -j LOG --log-prefix "INPUT DROP 10 " --log-level 6 
-A INPUT -j DROP 
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 31017 -j ACCEPT 
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 31017 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.1.0/24 -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j LOG --log-prefix "FORWARD DROP 5 " --log-level 6 
-A FORWARD -s 192.168.1.0/24 -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j DROP 
-A FORWARD -s 192.168.1.0/24 -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j LOG --log-prefix "FORWARD DROP 6 " --log-level 6 
-A FORWARD -s 192.168.1.0/24 -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j DROP 
-A FORWARD -s 192.168.1.0/24 -o eth0 -j ACCEPT 
-A OUTPUT -o eth0 -j PUB_OUT 
-A OUTPUT -o eth1 -j INT_OUT 
-A INT_IN -p tcp -m tcp --dport 22 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 53 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 4001 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 80 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 7792 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 8118 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 110 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 31017 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 2064 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 3064 -j PAROLE 
-A INT_IN -p udp -m udp --dport 53 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 631 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 67 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 31017 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 2064 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 3064 -j ACCEPT 
-A INT_IN -p icmp -j ACCEPT 
-A INT_IN -p tcp -m tcp --dport 137:139 -j DROP 
-A INT_IN -p udp -m udp --dport 137:139 -j DROP 
-A INT_IN -d 224.0.0.0/8 -j DROP 
-A INT_IN -j LOG --log-prefix "INT_IN DROP 12 " --log-level 6 
-A INT_IN -j DROP 
-A INT_OUT -p icmp -j ACCEPT 
-A INT_OUT -j ACCEPT 
-A PAROLE -j ACCEPT 
-A PUB_IN -s 0.0.0.0/8 -j DROP 
-A PUB_IN -s 1.0.0.0/8 -j DROP 
-A PUB_IN -s 2.0.0.0/8 -j DROP 
-A PUB_IN -s 5.0.0.0/8 -j DROP 
-A PUB_IN -s 10.0.0.0/8 -j DROP 
-A PUB_IN -s 14.0.0.0/8 -j DROP 
-A PUB_IN -s 23.0.0.0/8 -j DROP 
-A PUB_IN -s 27.0.0.0/8 -j DROP 
-A PUB_IN -s 31.0.0.0/8 -j DROP 
-A PUB_IN -s 36.0.0.0/8 -j DROP 
-A PUB_IN -s 37.0.0.0/8 -j DROP 
-A PUB_IN -s 39.0.0.0/8 -j DROP 
-A PUB_IN -s 42.0.0.0/8 -j DROP 
-A PUB_IN -s 46.0.0.0/8 -j DROP 
-A PUB_IN -s 49.0.0.0/8 -j DROP 
-A PUB_IN -s 50.0.0.0/8 -j DROP 
-A PUB_IN -s 100.0.0.0/8 -j DROP 
-A PUB_IN -s 101.0.0.0/8 -j DROP 
-A PUB_IN -s 102.0.0.0/8 -j DROP 
-A PUB_IN -s 103.0.0.0/8 -j DROP 
-A PUB_IN -s 104.0.0.0/8 -j DROP 
-A PUB_IN -s 105.0.0.0/8 -j DROP 
-A PUB_IN -s 106.0.0.0/8 -j DROP 
-A PUB_IN -s 107.0.0.0/8 -j DROP 
-A PUB_IN -s 108.0.0.0/8 -j DROP 
-A PUB_IN -s 109.0.0.0/8 -j DROP 
-A PUB_IN -s 110.0.0.0/8 -j DROP 
-A PUB_IN -s 111.0.0.0/8 -j DROP 
-A PUB_IN -s 127.0.0.0/8 -j DROP 
-A PUB_IN -s 169.254.0.0/16 -j DROP 
-A PUB_IN -s 172.16.0.0/12 -j DROP 
-A PUB_IN -s 175.0.0.0/8 -j DROP 
-A PUB_IN -s 176.0.0.0/8 -j DROP 
-A PUB_IN -s 177.0.0.0/8 -j DROP 
-A PUB_IN -s 178.0.0.0/8 -j DROP 
-A PUB_IN -s 179.0.0.0/8 -j DROP 
-A PUB_IN -s 180.0.0.0/8 -j DROP 
-A PUB_IN -s 181.0.0.0/8 -j DROP 
-A PUB_IN -s 182.0.0.0/8 -j DROP 
-A PUB_IN -s 183.0.0.0/8 -j DROP 
-A PUB_IN -s 184.0.0.0/8 -j DROP 
-A PUB_IN -s 185.0.0.0/8 -j DROP 
-A PUB_IN -s 192.0.2.0/24 -j DROP 
-A PUB_IN -s 192.168.0.0/16 -j DROP 
-A PUB_IN -s 197.0.0.0/8 -j DROP 
-A PUB_IN -s 198.18.0.0/15 -j DROP 
-A PUB_IN -s 223.0.0.0/8 -j DROP 
-A PUB_IN -s 224.0.0.0/3 -j DROP 
-A PUB_IN -d 192.168.1.0/24 -j LOG --log-prefix "PUB_IN DROP 7 " --log-level 6 
-A PUB_IN -d 192.168.1.0/24 -j DROP 
-A PUB_IN -s 192.168.1.0/24 -j LOG --log-prefix "PUB_IN DROP 8 " --log-level 6 
-A PUB_IN -s 192.168.1.0/24 -j DROP 
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A PUB_IN -p tcp -m tcp --dport 31017 -j PAROLE 
-A PUB_IN -p udp -m udp --dport 31017 -j ACCEPT 
-A PUB_IN -p tcp -m tcp --dport 137:139 -j DROP 
-A PUB_IN -p udp -m udp --dport 137:139 -j DROP 
-A PUB_IN -d 224.0.0.0/8 -j DROP 
-A PUB_IN -p tcp -m tcp --dport 23 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p tcp -m tcp --dport 21 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p tcp -m tcp --dport 143 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p tcp -m tcp --dport 110 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p tcp -m tcp --dport 79 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p tcp -m tcp --dport 111 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p tcp -m tcp --dport 512 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p tcp -m tcp --dport 513 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p tcp -m tcp --dport 98 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p udp -m udp --dport 31337 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p icmp -m icmp --icmp-type 8 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" --log-level 6 
-A PUB_IN -p icmp -j LOG --log-prefix "PUB_IN DROP 9" --log-level 6 
-A PUB_IN -p icmp -j DROP 
-A PUB_IN -j LOG --log-prefix "PUB_IN DROP 11 " --log-level 6 
-A PUB_IN -j DROP 
-A PUB_OUT -s 0.0.0.0/8 -j DROP 
-A PUB_OUT -s 1.0.0.0/8 -j DROP 
-A PUB_OUT -s 2.0.0.0/8 -j DROP 
-A PUB_OUT -s 5.0.0.0/8 -j DROP 
-A PUB_OUT -s 10.0.0.0/8 -j DROP 
-A PUB_OUT -s 14.0.0.0/8 -j DROP 
-A PUB_OUT -s 23.0.0.0/8 -j DROP 
-A PUB_OUT -s 27.0.0.0/8 -j DROP 
-A PUB_OUT -s 31.0.0.0/8 -j DROP 
-A PUB_OUT -s 36.0.0.0/8 -j DROP 
-A PUB_OUT -s 37.0.0.0/8 -j DROP 
-A PUB_OUT -s 39.0.0.0/8 -j DROP 
-A PUB_OUT -s 42.0.0.0/8 -j DROP 
-A PUB_OUT -s 46.0.0.0/8 -j DROP 
-A PUB_OUT -s 49.0.0.0/8 -j DROP 
-A PUB_OUT -s 50.0.0.0/8 -j DROP 
-A PUB_OUT -s 100.0.0.0/8 -j DROP 
-A PUB_OUT -s 101.0.0.0/8 -j DROP 
-A PUB_OUT -s 102.0.0.0/8 -j DROP 
-A PUB_OUT -s 103.0.0.0/8 -j DROP 
-A PUB_OUT -s 104.0.0.0/8 -j DROP 
-A PUB_OUT -s 105.0.0.0/8 -j DROP 
-A PUB_OUT -s 106.0.0.0/8 -j DROP 
-A PUB_OUT -s 107.0.0.0/8 -j DROP 
-A PUB_OUT -s 108.0.0.0/8 -j DROP 
-A PUB_OUT -s 109.0.0.0/8 -j DROP 
-A PUB_OUT -s 110.0.0.0/8 -j DROP 
-A PUB_OUT -s 111.0.0.0/8 -j DROP 
-A PUB_OUT -s 127.0.0.0/8 -j DROP 
-A PUB_OUT -s 169.254.0.0/16 -j DROP 
-A PUB_OUT -s 172.16.0.0/12 -j DROP 
-A PUB_OUT -s 175.0.0.0/8 -j DROP 
-A PUB_OUT -s 176.0.0.0/8 -j DROP 
-A PUB_OUT -s 177.0.0.0/8 -j DROP 
-A PUB_OUT -s 178.0.0.0/8 -j DROP 
-A PUB_OUT -s 179.0.0.0/8 -j DROP 
-A PUB_OUT -s 180.0.0.0/8 -j DROP 
-A PUB_OUT -s 181.0.0.0/8 -j DROP 
-A PUB_OUT -s 182.0.0.0/8 -j DROP 
-A PUB_OUT -s 183.0.0.0/8 -j DROP 
-A PUB_OUT -s 184.0.0.0/8 -j DROP 
-A PUB_OUT -s 185.0.0.0/8 -j DROP 
-A PUB_OUT -s 192.0.2.0/24 -j DROP 
-A PUB_OUT -s 192.168.0.0/16 -j DROP 
-A PUB_OUT -s 197.0.0.0/8 -j DROP 
-A PUB_OUT -s 198.18.0.0/15 -j DROP 
-A PUB_OUT -s 223.0.0.0/8 -j DROP 
-A PUB_OUT -s 224.0.0.0/3 -j DROP 
-A PUB_OUT -j ACCEPT
And yes, I block the bogons.

Last edited by quixy; 08-22-2008 at 03:32 AM. Reason: Added more information
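A diagnostic cross-check, added here as an example and not part of the original post: it reads a `route -n` listing and an `iptables -S` listing (the samples are copied from the router output above) and reports which interface carries the default route versus which interface the FORWARD ACCEPT rules name with `-o`, and whether a MASQUERADE rule is present in the capture at all. It assumes plain `iptables -S` was run without `-t nat`, so it lists only the filter table.

```python
# Cross-check a router's `route -n` listing against its `iptables -S` listing.
# Assumption (not from the post): `iptables -S` with no `-t` lists only the
# filter table, so a nat-table MASQUERADE rule cannot appear in it.
import re

# Constructed samples, copied from the router output in the post above.
ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
"""
IPTABLES_S = """\
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -o eth0 -j ACCEPT
"""

def default_route_iface(route_n):
    """Interface of the 0.0.0.0 / 0.0.0.0 entry, or None if there is none."""
    for line in route_n.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "0.0.0.0" and f[2] == "0.0.0.0":
            return f[7]
    return None

def forward_egress_ifaces(iptables_s):
    """Interfaces named by -o in FORWARD rules that end in -j ACCEPT."""
    found = set()
    for line in iptables_s.splitlines():
        if line.startswith("-A FORWARD") and line.rstrip().endswith("-j ACCEPT"):
            m = re.search(r"\s-o\s+(\S+)", line)
            if m:
                found.add(m.group(1))
    return found

def check(route_n, iptables_s):
    """Return findings as strings; an empty list means nothing looked off."""
    findings = []
    wan = default_route_iface(route_n)
    named = forward_egress_ifaces(iptables_s)
    if wan and named and wan not in named:
        findings.append(f"default route leaves via {wan}, FORWARD ACCEPT names -o {sorted(named)}")
    if "-j MASQUERADE" not in iptables_s:
        findings.append("no MASQUERADE rule in listing; run `iptables -t nat -S` to capture it")
    return findings

if __name__ == "__main__":
    for finding in check(ROUTE_N, IPTABLES_S):
        print("finding:", finding)
```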
 
Old 08-23-2008, 05:53 AM   #2
quixy
Original Poster
*push* I still need to get it fixed.
 
Old 09-24-2008, 12:43 PM   #3
quixy
Original Poster
I give it another try to get your attention.

Here is the output of lsmod:

Code:
pppoe                  13120  2 
pppox                   4108  1 pppoe
ppp_generic            27716  6 pppoe,pppox
ipt_ULOG                8964  1 
nf_nat_h323             7296  0 
nf_conntrack_h323      46648  1 nf_nat_h323
nf_nat_sip              4992  0 
nf_conntrack_sip        9236  1 nf_nat_sip
nf_nat_irc              3072  0 
nf_conntrack_irc        7064  1 nf_nat_irc
capability              5128  0 
commoncap               7424  1 capability
xt_TCPMSS               4864  9 
xt_tcpmss               2432  9 
slhc                    6016  1 ppp_generic
dummy                   3712  0 
ipv6                  249048  19 nf_conntrack_h323
af_packet              21648  4 
xt_limit                2944  12 
nf_nat_ftp              3584  0 
ipt_MASQUERADE          3968  1 
xt_state                2816  14 
ipt_LOG                 6272  25 
nf_conntrack_ftp        8992  1 nf_nat_ftp
xt_tcpudp               3328  52 
iptable_mangle          3072  0 
iptable_nat             7172  1 
nf_nat                 18972  6 nf_nat_h323,nf_nat_sip,nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4      17288  16 iptable_nat
nf_conntrack           61836  13 nf_nat_h323,nf_conntrack_h323,nf_nat_sip,nf_conntrack_sip,nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,ipt_MASQUERADE,xt_state,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4
nfnetlink               6168  3 nf_nat,nf_conntrack_ipv4,nf_conntrack
iptable_filter          3200  1 
ip_tables              12872  3 iptable_mangle,iptable_nat,iptable_filter
x_tables               14484  10 ipt_ULOG,xt_TCPMSS,xt_tcpmss,xt_limit,ipt_MASQUERADE,xt_state,ipt_LOG,xt_tcpudp,iptable_nat,ip_tables
unix                   27956  22

Last edited by quixy; 09-24-2008 at 12:44 PM. Reason: Code style