LinuxQuestions.org
Old 05-09-2010, 01:12 PM   #1
Steviepower
Member
 
Registered: May 2010
Distribution: ubuntu/debian
Posts: 71

Rep: Reputation: 18
Using NAT on multiple subnets.


I have been looking for a solution for this problem:
http://www.linuxquestions.org/questi...debian-805534/

I eventually came up with the following solution:
I installed firestarter and started to NAT through the installation wizard that comes with firestarter. Strangely enough I had to point out a network interface for the internal network and the external network interface instead of an IP range.
For this server I used 3 virtual networks:
on eth0 I used 192.168.0.1 in subnet 192.168.0.0/24,
on eth0:0 I used 192.168.1.1 in subnet 192.168.1.0/24, and so on...
What I want now is to use NAT to provide every node with NAT, but only the eth0 network had a connection.

Does anyone know how to enable routing (NAT) on all subnets, or how to use the NAT on subnet 192.168.0.0/24 for everyone?

For security reasons I chose multiple subnets; I would prefer to keep this function.
 
Old 05-09-2010, 08:11 PM   #2
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 194

Rep: Reputation: 45
Yes, please post the output of:
Code:
iptables-save
ifconfig
ip route
Right now you probably have a rule which looks like this in your nat table:
Code:
# -t nat is required; POSTROUTING has no -i match, so the source network selects the subnet
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
What you want is something like this:
Code:
# POSTROUTING cannot match on the input interface (! -i), so match everything leaving eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
 
Old 05-09-2010, 08:13 PM   #3
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 194

Rep: Reputation: 45
Keep in mind that unless your multiple subnets are on separate VLANs or physical switches, any client who wants to communicate with the other subnet can just add another IP address to its interface.
 
Old 05-09-2010, 08:17 PM   #4
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Etch/Lenny/Squeeze
Posts: 3,336

Rep: Reputation: 286Reputation: 286Reputation: 286
Install the package ipmasq in Debian, read through all the documentation which is installed, and run the installation script; ipmasq produces a nice package to start with.

Debian style is to use a script to configure iptables, so every time you change this script, run it again and you have a whole freshly configured iptables. That is much better than using the built-in save and restore of iptables.

Open the script produced by the installer with your favorite editor, then define some different networks, like:
Code:
net_mared_internal=192.168.5.0/24
and then for each network, add a MASQUERADE rule and a FORWARD rule:
Code:
$IPTABLES -t nat -A POSTROUTING -o $nic_ext -s $net_mared_internal -j MASQUERADE
$IPTABLES -A FORWARD -i $nic_rnb -o $nic_ext -s $net_mared_internal -j ACCEPT
It shall be clear that net_mared is one of the subnets, nic_ext is the interface looking at internet, and nic_rnb is the internal network card. $IPTABLES is a variable holding the complete path to iptables, /sbin/iptables.

jlinkels

Last edited by jlinkels; 05-09-2010 at 08:19 PM.
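As an added example (not code from either poster above), here is how the per-network MASQUERADE and FORWARD pattern in #2 and #4 generalises to any number of internal subnets on one internal NIC. It only prints the iptables commands, so the result can be read or diffed against iptables-save before it is run as root. Interface names and subnets are arguments (assumptions, not facts from the thread); the stand-alone run at the bottom uses this thread's layout, eth1 to the internet and three /24s behind eth0.

```shell
#!/bin/sh
# Added example: generate per-subnet NAT and forwarding rules.
# Nothing here touches the kernel; the functions only print commands.

IPTABLES=${IPTABLES:-/sbin/iptables}

# nat_rules EXT_IF INT_IF SUBNET...
# One MASQUERADE per subnet. POSTROUTING has no -i match, so the source
# network (-s) is what ties each rule to its subnet; -o keeps the address
# rewrite on the internet-facing interface only.
nat_rules() {
    ext=$1; shift 2
    for net in "$@"; do
        echo "$IPTABLES -t nat -A POSTROUTING -o $ext -s $net -j MASQUERADE"
    done
}

# forward_rules EXT_IF INT_IF SUBNET...
# Return traffic is let back in only when conntrack already knows the flow;
# one protocol-agnostic rule covers every subnet. Each subnet may open
# connections towards the internet. Traffic between two internal subnets is
# dropped explicitly, so the isolation the original poster wants does not
# depend on the chain's default policy staying at DROP.
forward_rules() {
    ext=$1; int=$2; shift 2
    echo "$IPTABLES -A FORWARD -i $ext -o $int -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for net in "$@"; do
        echo "$IPTABLES -A FORWARD -i $int -o $ext -s $net -j ACCEPT"
    done
    for src in "$@"; do
        for dst in "$@"; do
            if [ "$src" != "$dst" ]; then
                echo "$IPTABLES -A FORWARD -i $int -o $int -s $src -d $dst -j DROP"
            fi
        done
    done
}

# all_rules EXT_IF INT_IF SUBNET...: a complete script, forwarding enabled,
# nat rules first, then the filter rules.
all_rules() {
    echo "#!/bin/sh"
    echo "# generated by nat_rules/forward_rules; review before running as root"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    nat_rules "$@"
    forward_rules "$@"
}

# Stand-alone run: print the rule script for the layout in this thread.
all_rules eth1 eth0 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
```

Save the printed script and run it from your firewall script (or firestarter's user-post hook) rather than running the functions on the live box; that keeps the Debian "re-run the script, get a fresh ruleset" workflow jlinkels describes. The inter-subnet DROP rules only matter as long as the hosts cannot simply add an address from the other subnet, which is the point SuperJediWombat! raised in #3.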
 
Old 05-10-2010, 06:57 AM   #5
Steviepower
Member
 
Registered: May 2010
Distribution: ubuntu/debian
Posts: 71

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by SuperJediWombat! View Post
Keep in mind that unless your multiple subnets are on separate VLANs or physical switches, any client who wants to communicate with the other subnet can just add another IP address to its interface.
It doesn't have to be completely secure. I do not have switches that support VLANs, and it's mainly about preventing some less secured computers from doing damage to the important ones. It's probably way too advanced for the purpose, but I just want to do it this way to learn something.

This does prevent most viruses from spreading to the important machines. I will post the outputs as soon as I get home.

I also already encountered the problem of not being able to adapt the firewall rules remotely (I do this through the firestarter GUI now).
 
Old 05-10-2010, 04:05 PM   #6
Steviepower
Member
 
Registered: May 2010
Distribution: ubuntu/debian
Posts: 71

Original Poster
Rep: Reputation: 18
OK, here it goes. iptables-save:

Code:
# Generated by iptables-save v1.4.2 on Mon May 10 21:56:28 2010
*nat
:PREROUTING ACCEPT [83815:5105581]
:POSTROUTING ACCEPT [7148:500248]
:OUTPUT ACCEPT [7240:505402]
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Completed on Mon May 10 21:56:28 2010
# Generated by iptables-save v1.4.2 on Mon May 10 21:56:28 2010
*mangle
:PREROUTING ACCEPT [6831719:4057209339]
:INPUT ACCEPT [4531845:2377743989]
:FORWARD ACCEPT [2279108:1678307297]
:OUTPUT ACCEPT [4097990:4503409048]
:POSTROUTING ACCEPT [6377151:6181748865]
COMMIT
# Completed on Mon May 10 21:56:28 2010
# Generated by iptables-save v1.4.2 on Mon May 10 21:56:28 2010
*filter
:INPUT DROP [227:74669]
:FORWARD DROP [7:388]
:OUTPUT DROP [0:0]
:INBOUND - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:OUTBOUND - [0:0]
-A INPUT -s 88.159.1.200/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -s 88.159.1.200/32 -p udp -j ACCEPT 
-A INPUT -s 88.159.1.201/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -s 88.159.1.201/32 -p udp -j ACCEPT 
-A INPUT -s 4.2.2.1/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -s 4.2.2.1/32 -p udp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT 
-A INPUT -d 255.255.255.255/32 -i eth1 -j DROP 
-A INPUT -d 88.159.xxx.xxx/32 -j DROP 
-A INPUT -s 224.0.0.0/8 -j DROP 
-A INPUT -d 224.0.0.0/8 -j DROP 
-A INPUT -s 255.255.255.255/32 -j DROP 
-A INPUT -d 0.0.0.0/32 -j DROP 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -f -m limit --limit 10/min -j LSI 
-A INPUT -i eth1 -j INBOUND 
-A INPUT -d 192.168.0.1/32 -i eth0 -j INBOUND 
-A INPUT -d 88.159.xxx.xxx/32 -i eth0 -j INBOUND 
-A INPUT -d 192.168.0.255/32 -i eth0 -j INBOUND 
-A INPUT -j LOG_FILTER 
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6 
-A FORWARD -p icmp -m limit --limit 10/sec -j ACCEPT 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -i eth0 -j OUTBOUND 
-A FORWARD -d 192.168.0.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.0.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j LOG_FILTER 
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6 
-A OUTPUT -s 88.159.xxx.xxx/32 -d 88.159.1.200/32 -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -s 88.159.xxx.xxx/32 -d 88.159.1.200/32 -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -s 88.159.xxx.xxx/32 -d 88.159.1.201/32 -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -s 88.159.xxx.xxx/32 -d 88.159.1.201/32 -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -s 88.159.xxx.xxx/32 -d 4.2.2.1/32 -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -s 88.159.xxx.xxx/32 -d 4.2.2.1/32 -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -s 224.0.0.0/8 -j DROP 
-A OUTPUT -d 224.0.0.0/8 -j DROP 
-A OUTPUT -s 255.255.255.255/32 -j DROP 
-A OUTPUT -d 0.0.0.0/32 -j DROP 
-A OUTPUT -m state --state INVALID -j DROP 
-A OUTPUT -o eth1 -j OUTBOUND 
-A OUTPUT -o eth0 -j OUTBOUND 
-A OUTPUT -j LOG_FILTER 
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6 
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INBOUND -s 192.168.0.0/24 -j ACCEPT 
-A INBOUND -s 192.168.1.0/24 -j ACCEPT 
-A INBOUND -s 192.168.2.0/24 -j ACCEPT 
-A INBOUND -j LSI 
-A LSI -j LOG_FILTER 
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6 
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP 
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6 
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP 
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6 
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP 
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6 
-A LSI -j DROP 
-A LSO -j LOG_FILTER 
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6 
-A LSO -j REJECT --reject-with icmp-port-unreachable 
-A OUTBOUND -p icmp -j ACCEPT 
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTBOUND -j ACCEPT 
COMMIT
ifconfig:
Code:
eth0      Link encap:Ethernet  HWaddr 40:61:86:87:ae:6f  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::4261:86ff:fe87:ae6f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5538468 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5458479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2709280840 (2.5 GiB)  TX bytes:6071924230 (5.6 GiB)
          Interrupt:254 Base address:0x4000 

eth0:0    Link encap:Ethernet  HWaddr 40:61:86:87:ae:6f  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:254 Base address:0x4000 

eth0:1    Link encap:Ethernet  HWaddr 40:61:86:87:ae:6f  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:254 Base address:0x4000 

eth1      Link encap:Ethernet  HWaddr 00:14:c1:43:9c:79  
          inet addr:88.159.xxx.xxx  Bcast:88.159.xxx.xxx  Mask:255.255.254.0
          inet6 addr: fe80::214:c1ff:fe43:9c79/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1403782 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1018075 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1515656195 (1.4 GiB)  TX bytes:258966929 (246.9 MiB)
          Interrupt:20 Base address:0x6c00 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:33896 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33896 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3083622 (2.9 MiB)  TX bytes:3083622 (2.9 MiB)
ip route:

Code:
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.1 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1 
88.159.xxx.xxx/23 dev eth1  proto kernel  scope link  src 88.159.206.149 
default via 88.159.xxx.xxx dev eth1 
default via 192.168.1.1 dev eth0  scope link  src 192.168.1.1 
default via 192.168.2.1 dev eth0  scope link  src 192.168.2.1 
default via 192.168.0.1 dev eth0  scope link
Does anyone have an idea what to do?
(enable routing for eth0:0 and eth0:1)

Last edited by Steviepower; 05-10-2010 at 04:20 PM.
 
Old 05-10-2010, 08:07 PM   #7
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 194

Rep: Reputation: 45
Your iptables rules are masquerading all traffic going out eth1 which is good, however your forward chain is blocking all traffic not specifically allowed through.

This should fix that:
Code:
iptables -I FORWARD -d 192.168.2.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -I FORWARD -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -I FORWARD -o eth1 -j ACCEPT
Try that, if it does not work please repost the output of iptables-save after running the commands above.

You also have three default gateways set up; you should only have one. Assuming that the internet currently works from your main server, don't change that yet -- wait until everything else is fixed.
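As an added check (not from either poster), here is a small audit for the routing problem flagged above: more than one default route. The functions read "ip route" output on stdin, so they work on a saved paste as well as on a live system. SAMPLE_ROUTES is constructed from the table posted in #6, with the public addresses redacted as they were there; the external interface that should own the only default route is an argument, eth1 in this thread.

```shell
#!/bin/sh
# Added example: find and list stray default routes in "ip route" output.

# Constructed from the routing table pasted in #6 (public addresses redacted).
SAMPLE_ROUTES='192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.1
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
88.159.x.x/23 dev eth1  proto kernel  scope link  src 88.159.x.x
default via 88.159.x.x dev eth1
default via 192.168.1.1 dev eth0  scope link  src 192.168.1.1
default via 192.168.2.1 dev eth0  scope link  src 192.168.2.1
default via 192.168.0.1 dev eth0  scope link'

# default_routes < ip-route-output: only the "default via ..." lines
default_routes() {
    grep '^default ' || true
}

# default_route_count < ip-route-output: number of default routes
default_route_count() {
    default_routes | wc -l | tr -d ' '
}

# stray_default_fixes EXT_IF < ip-route-output
# Prints an "ip route del" for every default route whose device is not
# EXT_IF. Printed, not executed: a wrong deletion cuts you off from a
# remote box, so review the list and run it yourself as root.
stray_default_fixes() {
    default_routes | awk -v ext="$1" \
        '$2 == "via" && $4 == "dev" && $5 != ext {
            print "ip route del default via " $3 " dev " $5
        }'
}

# audit_defaults EXT_IF < ip-route-output
# Returns 0 when exactly one default route exists and it is on EXT_IF;
# otherwise prints the offending lines on stderr and returns 1.
audit_defaults() {
    table=$(cat)
    n=$(printf '%s\n' "$table" | default_route_count)
    on_ext=$(printf '%s\n' "$table" | default_routes \
        | awk -v ext="$1" '$4 == "dev" && $5 == ext' | wc -l | tr -d ' ')
    if [ "$n" = 1 ] && [ "$on_ext" = 1 ]; then
        return 0
    fi
    printf '%s default route(s) found, expected exactly one on %s:\n' "$n" "$1" >&2
    printf '%s\n' "$table" | default_routes >&2
    return 1
}

# Stand-alone run over the constructed sample; on a live box use
#   ip route | audit_defaults eth1
printf '%s\n' "$SAMPLE_ROUTES" | audit_defaults eth1 || \
    printf '%s\n' "$SAMPLE_ROUTES" | stray_default_fixes eth1
```

Deleting the routes only fixes the running table. On Debian and Ubuntu the usual source of one default route per alias is a "gateway" line under each eth0:n stanza in /etc/network/interfaces (an assumption about this box, but the most common cause); remove those so the extra routes do not come back at the next boot.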
 
Old 05-11-2010, 04:36 AM   #8
Steviepower
Member
 
Registered: May 2010
Distribution: ubuntu/debian
Posts: 71

Original Poster
Rep: Reputation: 18
How do I change it? Is the iptables-save script a text file somewhere?

EDIT: those were commands... but do they survive a reboot?
 
Old 05-11-2010, 09:13 AM   #9
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 194

Rep: Reputation: 45
No they do not; you will need to add them to a script which executes on boot after firestarter does its thing.

Did the above commands fix your issues?
 
Old 05-11-2010, 09:55 AM   #10
Steviepower
Member
 
Registered: May 2010
Distribution: ubuntu/debian
Posts: 71

Original Poster
Rep: Reputation: 18
I ran the commands but still no go. I did discover something else...
I have been experimenting with one of the machines by putting it in different subnets (192.168.0.2 and 192.168.1.2). If I put the machine on 192.168.0.2 I can connect to it using ssh and I can ping it (I also have an internet connection on the machine this way), but if I put the machine in the 192.168.1.2 network I can ping by IP address to 4.2.2.1 (opendns or something like that) and to google, but I can't connect to it through http.

So from the server to the client isn't possible, and from the client to the server isn't possible (but ping works like a charm both ways!)

Couldn't this be a firewall related problem?
 
Old 05-11-2010, 05:12 PM   #11
Steviepower
Member
 
Registered: May 2010
Distribution: ubuntu/debian
Posts: 71

Original Poster
Rep: Reputation: 18
OK well I've found the problem!
Because I could ping everywhere I thought it was a firewall problem so I started to read documentation on iptables and I saw the following lines in the config:
Quote:
-A FORWARD -d 192.168.0.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
Because of this I executed the following commands:
Quote:
iptables -A FORWARD -d 192.168.1.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
and now it works!

It's quite similar to what SuperJediWombat! said but this actually worked.

Only thing left to do is to make them persistent.

Last edited by Steviepower; 05-11-2010 at 05:15 PM.
 
Old 05-11-2010, 05:56 PM   #12
Steviepower
Member
 
Registered: May 2010
Distribution: ubuntu/debian
Posts: 71

Original Poster
Rep: Reputation: 18
Making it persistent:
I made 2 scripts,

/etc/network/if-up.d/my-script
Quote:
#!/bin/bash
[ "${METHOD}" != loopback ] || exit 0
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
/sbin/iptables -A FORWARD -d 192.168.1.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.1.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.2.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.2.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
/etc/network/if-up.d/my-script
Quote:
#!/bin/bash
[ "${METHOD}" != loopback ] || exit 0
/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
/sbin/iptables -D FORWARD -d 192.168.1.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -D FORWARD -d 192.168.1.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -D FORWARD -d 192.168.2.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -D FORWARD -d 192.168.2.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
I did a chmod u+x on both of the files to make them executable.

thanks to: http://kevin.vanzonneveld.net/techbl...with_iptables/
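An added variant of the hook above (my code, not the original poster's): ifupdown runs every /etc/network/if-up.d/ hook once per interface that comes up (eth0, eth0:0, eth0:1, eth1, ...), and the loopback guard does not change that, so an unconditional "-A" appends a fresh duplicate of every rule each time an interface comes up. "iptables -C" returns 0 when an identical rule is already in the chain, so the version below appends only when the rule is absent. The -C option needs iptables 1.4.11 or newer (the thread shows 1.4.2; on such a version grep the rule in iptables-save output instead). IPTABLES is overridable so the logic can be exercised without root; the rule list itself is the one from the post.

```shell
#!/bin/sh
# Added example: idempotent if-up.d hook for the rules in post #12.

IPTABLES=${IPTABLES:-/sbin/iptables}

# ensure_rule CHAIN RULE...: append RULE to CHAIN unless it is already there.
ensure_rule() {
    chain=$1; shift
    if $IPTABLES -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
    else
        $IPTABLES -A "$chain" "$@"
        echo "added:   $chain $*"
    fi
}

# apply_rules: the forward and SSH rate-limit rules from the post, each
# added at most once no matter how often the hook fires.
apply_rules() {
    for net in 192.168.1.0/24 192.168.2.0/24; do
        ensure_rule FORWARD -d "$net" -m state --state RELATED,ESTABLISHED -j ACCEPT
    done
    ensure_rule INPUT -i eth0 -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH
    ensure_rule INPUT -i eth0 -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
}

# As an if-up.d hook: skip loopback (as the original script does) and act
# only when ifupdown has set IFACE. Run by hand or sourced for testing,
# nothing happens until apply_rules is called explicitly.
if [ -n "${IFACE:-}" ] && [ "${METHOD:-}" != loopback ]; then
    apply_rules
fi
```

The same ensure_rule helper works inside /etc/firestarter/config/user-post, which is where the script ended up in #13; there it protects against firestarter re-running the hook when its rules are reloaded. The matching if-down.d hook can keep using "-D", which removes one copy per call and simply fails (harmlessly) once none is left.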
 
Old 05-11-2010, 06:52 PM   #13
Steviepower
Member
 
Registered: May 2010
Distribution: ubuntu/debian
Posts: 71

Original Poster
Rep: Reputation: 18
OK, it didn't work exactly as I planned, but it eventually worked after putting the script in /etc/firestarter/config/user-post.
 
Old 05-11-2010, 08:07 PM   #14
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 194

Rep: Reputation: 45
If those commands worked, mine should have. The only difference is that I allowed through all protocols, rather than just tcp and udp.

You should also need the rule accepting all forward traffic out of eth1, because when you initially ran iptables-save the only close rule was accepting all traffic in through eth0.

Can you post the output of these again, while it is working?
Code:
iptables-save
ifconfig
ip route

Last edited by SuperJediWombat!; 05-11-2010 at 08:30 PM.
 
Old 05-11-2010, 08:19 PM   #15
Steviepower
Member
 
Registered: May 2010
Distribution: ubuntu/debian
Posts: 71

Original Poster
Rep: Reputation: 18
OK, here you go:

I'm quite the newbie and I don't get what you mean with the last comment on allowing traffic out eth1.

iptables-save
Code:
# Generated by iptables-save v1.4.2 on Wed May 12 02:11:48 2010
*nat
:PREROUTING ACCEPT [2624:170515]
:POSTROUTING ACCEPT [231:16536]
:OUTPUT ACCEPT [243:17252]
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Completed on Wed May 12 02:11:48 2010
# Generated by iptables-save v1.4.2 on Wed May 12 02:11:48 2010
*mangle
:PREROUTING ACCEPT [62472:38046813]
:INPUT ACCEPT [3958:403128]
:FORWARD ACCEPT [58466:37641081]
:OUTPUT ACCEPT [3929:918857]
:POSTROUTING ACCEPT [62392:38559557]
COMMIT
# Completed on Wed May 12 02:11:48 2010
# Generated by iptables-save v1.4.2 on Wed May 12 02:11:48 2010
*filter
:INPUT DROP [64:6478]
:FORWARD DROP [3:381]
:OUTPUT DROP [0:0]
:INBOUND - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:OUTBOUND - [0:0]
-A INPUT -s 88.159.1.200/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -s 88.159.1.200/32 -p udp -j ACCEPT 
-A INPUT -s 88.159.1.201/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -s 88.159.1.201/32 -p udp -j ACCEPT 
-A INPUT -s 4.2.2.1/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -s 4.2.2.1/32 -p udp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT 
-A INPUT -d 255.255.255.255/32 -i eth1 -j DROP 
-A INPUT -d 88.159.x.x/32 -j DROP 
-A INPUT -s 224.0.0.0/8 -j DROP 
-A INPUT -d 224.0.0.0/8 -j DROP 
-A INPUT -s 255.255.255.255/32 -j DROP 
-A INPUT -d 0.0.0.0/32 -j DROP 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -f -m limit --limit 10/min -j LSI 
-A INPUT -i eth1 -j INBOUND 
-A INPUT -d 192.168.0.1/32 -i eth0 -j INBOUND 
-A INPUT -d 88.159.x.x/32 -i eth0 -j INBOUND 
-A INPUT -d 192.168.0.255/32 -i eth0 -j INBOUND 
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource 
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP 
-A INPUT -j LOG_FILTER 
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6 
-A FORWARD -p icmp -m limit --limit 10/sec -j ACCEPT 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -i eth0 -j OUTBOUND 
-A FORWARD -d 192.168.0.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.0.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.1.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.1.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.2.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.2.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j LOG_FILTER 
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6 
-A OUTPUT -s 88.159.x.x/32 -d 88.159.1.200/32 -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -s 88.159.x.x/32 -d 88.159.1.200/32 -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -s 88.159.x.x/32 -d 88.159.1.201/32 -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -s 88.159.x.x/32 -d 88.159.1.201/32 -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -s 88.159.x.x/32 -d 4.2.2.1/32 -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -s 88.159.x.x/32 -d 4.2.2.1/32 -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -s 224.0.0.0/8 -j DROP 
-A OUTPUT -d 224.0.0.0/8 -j DROP 
-A OUTPUT -s 255.255.255.255/32 -j DROP 
-A OUTPUT -d 0.0.0.0/32 -j DROP 
-A OUTPUT -m state --state INVALID -j DROP 
-A OUTPUT -o eth1 -j OUTBOUND 
-A OUTPUT -o eth0 -j OUTBOUND 
-A OUTPUT -j LOG_FILTER 
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6 
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INBOUND -s 192.168.0.0/24 -j ACCEPT 
-A INBOUND -s 192.168.1.0/24 -j ACCEPT 
-A INBOUND -s 192.168.2.0/24 -j ACCEPT 
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT 
-A INBOUND -p udp -m udp --dport 22 -j ACCEPT 
-A INBOUND -p tcp -m tcp --dport 80 -j ACCEPT 
-A INBOUND -p udp -m udp --dport 80 -j ACCEPT 
-A INBOUND -j LSI 
-A LSI -j LOG_FILTER 
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6 
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP 
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6 
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP 
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6 
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP 
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6 
-A LSI -j DROP 
-A LSO -j LOG_FILTER 
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6 
-A LSO -j REJECT --reject-with icmp-port-unreachable 
-A OUTBOUND -p icmp -j ACCEPT 
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTBOUND -j ACCEPT 
COMMIT
# Completed on Wed May 12 02:11:48 2010
ifconfig
Code:
eth0      Link encap:Ethernet  HWaddr 40:61:86:87:ae:6f  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::4261:86ff:fe87:ae6f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29332 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35721 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5814369 (5.5 MiB)  TX bytes:33910024 (32.3 MiB)
          Interrupt:254 Base address:0x4000 

eth0:0    Link encap:Ethernet  HWaddr 40:61:86:87:ae:6f  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:254 Base address:0x4000 

eth0:1    Link encap:Ethernet  HWaddr 40:61:86:87:ae:6f  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:254 Base address:0x4000 

eth1      Link encap:Ethernet  HWaddr 00:14:c1:43:9c:79  
          inet addr:88.159.xxx.xxx Bcast:88.159.207.255  Mask:255.255.254.0
          inet6 addr: fe80::214:c1ff:fe43:9c79/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33075 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26306 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:33090961 (31.5 MiB)  TX bytes:5453536 (5.2 MiB)
          Interrupt:20 Base address:0x6c00 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:851 errors:0 dropped:0 overruns:0 frame:0
          TX packets:851 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:84359 (82.3 KiB)  TX bytes:84359 (82.3 KiB)
ip route
Code:
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.1 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1 
88.159.x.x/23 dev eth1  proto kernel  scope link  src 88.159.x.x 
default via 88.159.x.x dev eth1 
default via 192.168.1.1 dev eth0  scope link  src 192.168.1.1 
default via 192.168.2.1 dev eth0  scope link  src 192.168.2.1 
default via 192.168.0.1 dev eth0  scope link