Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I can ping my devices from the firewall and talk to all my devices from the firewall(eth1). Now the issue is when I am on my laptop(on the LAN), oddly I can only talk to a few devices on my LAN(the firewall interface(eth1) and only the AP) but nothing else. I know it has to be something that I changed inadvertently by accident in my iptables ruleset that I cannot pinpoint out. Its a bit long but here it is:
Code:
#! /bin/sh
IPTABLES="/sbin/iptables"
case "$1" in
stop)
echo "Shutting down firewall..."
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "...done"
;;
status)
echo $"Table: filter"
iptables --list
echo $"Table: nat"
iptables -t nat --list
echo $"Table: mangle"
iptables -t mangle --list
;;
restart|reload)
$0 stop
$0 start
;;
start)
echo "Starting Firewall..."
echo ""
##--------------------------Begin Firewall---------------------------------##
#----Default-Interfaces-----#
EXTIF="eth0"
INTIF="eth1"
#DMZ_IFACE="eth2"
INTLAN="192.168.3.0/27"
#DMZ_LAN="192.168.2.0/27"
#VONAGE="192.168.2.10"
#DMZ_VOIP_SERVER="192.168.2.2"
VPNIF="tun0"
VPNNET="192.168.4.0/27"
#VPNIP="192.168.4.1"
SQUID_BOX="127.0.0.1"
DG_PORT="8080"
#----Special Variables-----#
# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"
# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"
# Specification of X Window System (TCP) ports.
#XWINPORTS="6000:6063"
# Ports for IRC-Connection-Tracking
#IRCPORTS="6665,6666,6667,6668,6669,7000"
# DMZ UDP ports
#DMZUDP="1024:1030,5060:5065,10000:20000"
####PS2 PORTS####
#----Flood Variables-----#
# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"
# Overall Limit for Loggging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"
# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"
echo "Loading IPTABLES modules"
dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
#/sbin/modprobe ip_conntrack_sip
#/sbin/modprobe ip_nat_sip
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6
echo " --- "
#----Clear/Reset all chains-----#
#Clear all IPTABLES-chains
#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#----Set network sysctl options-----#
echo "Setting sysctl options"
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo " --- "
echo "Creating user-chains"
#----Create logging chains-----#
#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP " --log-level 4
$IPTABLES -A LINVALID -j DROP
#TCP-Packets with one ore more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP " --log-level 4
$IPTABLES -A LBADFLAG -j DROP
#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP " --log-level 4
$IPTABLES -A LSPECIALPORT -j DROP
#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP " --log-level 4
$IPTABLES -A LSYNFLOOD -j DROP
#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP " --log-level 4
$IPTABLES -A LPINGFLOOD -j DROP
#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " --log-level 4
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " --log-level 4
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP " --log-level 4
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP " --log-level 4
$IPTABLES -A LDROP -j DROP
#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT
#----Create Accept-Chains-----#
#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT
#----Create special User-Chains-----#
#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)
$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG
#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)
#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP
#Inbound Special Ports
$IPTABLES -N SPECIALPORTS
#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT
#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT
#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT
#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT
#X-Win
#$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT
#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT
#ICMP/TRACEROUTE FILTERING
#Inbound ICMP/Traceroute
$IPTABLES -N ICMPINBOUND
#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD
##Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP
#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP
#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP
#Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT
#Outbound ICMP/Traceroute
$IPTABLES -N ICMPOUTBOUND
#Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP
#Block ICMP-TTL-Expired
#MS Traceroute (MS uses ICMP instead of UDp for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP
#Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP
#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP
#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP
##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT
#----End User-Chains-----#
echo " --- "
#----Start Ruleset-----#
echo "Implementing firewall rules..."
#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################
##GENERAL Filtering
# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID
# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG
##Packets FROM FIREWALL-BOX ITSELF
#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
#Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter)
$IPTABLES -A INPUT -d 127.0.0.0 -j LREJECT
#Tranparent proxy settings
#$IPTABLES -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
##Packets FROM INTERNAL NET
##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it
$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 12022 -m state --state NEW -j ACCEPT
###################################VPN############################################################
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE --dport 1723 -j ACCEPT
# Allow TUN interface connections to OpenVPN server
$IPTABLES -A INPUT -i $VPNIF -j ACCEPT
$IPTABLES -A INPUT -i $VPNIF -j DROP
##ICMP & Traceroute filtering
#Block UDP-Traceroute
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP
#Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB
#Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
############Separate logging of special portscans/connection attempts #######################
$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS
##Allow ESTABLISHED/RELATED connections in
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j TCPACCEPT
#Transparent/Danguardian
#$IPTABLES -A INPUT -i $INTIF -p tcp -s $INTLAN --dport $DG_PORT -m state --state NEW -j ACCEPT
##Catch all rule
$IPTABLES -A INPUT -j LDROP
##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################
##Packets TO FIREWALL-BOX ITSELF
#Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT
##Packets TO INTERNAL NET
#Allow unlimited traffic to internal network using legit addresses
$IPTABLES -A OUTPUT -o $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p ALL -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p ALL -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $INTLAN -j ACCEPT
######################################## VPN #####################################################
$IPTABLES -A OUTPUT -o $EXTIF -s $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -j ACCEPT
$IPTABLES -A OUTPUT -j LDROP
####################
## FORWARD-Chain ## (everything that passes the firewall, incoming)
####################
##GENERAL Filtering
#Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
# Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG
##Silent Drops/Rejects (Things we don't want in our logs)
#SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB
##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)
#HTTP-Forwarding
##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT
######################################## VPN ##################################################################
$IPTABLES -A FORWARD -i $VPNIF -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $VPNIF -s $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTLAN -j ACCEPT
$IPTABLES -A FORWARD -i $VPNIF -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -j SMB
##Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
########################################## DMZ #########################################################################
#$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
#$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -p tcp -i $INTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 12444 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 5050:5065 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 10000:20000 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $VONAGE --dport 5050:5065 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $VONAGE --dport 10000:20000 -m state --state NEW -j ACCEPT
################################################## Zoneminder WEB Interface ##############################################################################3
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d 192.168.3.22 --dport 8080 -m state --state NEW -j ACCEPT
################################################## VOIP ASTERISK WEB Interface ##############################################################################3
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 80 -m state --state NEW -j ACCEPT
##Catch all rule/Deny every other forwarding
$IPTABLES -A FORWARD -j LDROP
################
## PREROUTING ##
################
##Port-Forwarding (--> Also see chain FORWARD)
######################################################## SSH ################################################################
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 5900 -j DNAT --to-destination 192.168.3.30
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 12022 -j DNAT --to-destination $DMZ_SSH_SERVER
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 8080 -j DNAT --to-destination 192.168.3.22
######################################################### HTTP ############################################################
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j DNAT --to $WEB_FILTER:8080
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j REDIRECT --to $WEB_FILTER:8080
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j REDIRECT --to $DG_PORT
#Transparent Proxy crap
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -d ! $SQUID_BOX --dport 80 -j REDIRECT --to-ports $DG_PORT
######################################### ASTERISK VOIP SERVER####################################################################################################
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 513 -j DNAT --to-destination $DMZ_VOIP_SERVER
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 12444 -j DNAT --to-destination $DMZ_VOIP_SERVER
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $DMZ_VOIP_SERVER
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_HTTPIP --dport 53 -j DNAT --to-destination $DMZ_PC_IP
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $VONAGE
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $VONAGE
###################
## POSTROUTING ##
###################
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -d $SQUID_FILTER -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $DMZ_LAN -d $DMZ_IP -j MASQUERADE
#Masquerade from Internal Net to External Net
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
#------End Ruleset------#
echo "...done"
echo ""
echo "--> IPTABLES firewall loaded/activated <--"
##--------------------------------End Firewall---------------------------------##
;;
*)
echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
exit 1
esac
exit 0
I believe it would be an OUTPUT rule that is missing or wrong. ??
To paint a better picture, here is a nmap scan from my laptop looking for port 80 that is definately open that can be seen from the firewall itself
from the laptop sitting on the 192.168.3.0/27 subnet
Code:
Nmap scan report for 192.168.3.16
Host is up.
PORT STATE SERVICE
80/tcp filtered http
and respectively from the firewall
Code:
Nmap scan report for 192.168.3.16
Host is up (0.013s latency).
PORT STATE SERVICE
80/tcp open http
What is so weird is that there are some targets that I can see from both sides. I will have to run a sniffer and see what I can come up with.
Last edited by unSpawn; 06-19-2013 at 08:06 PM.
Reason: //merge posts, retain 0-reply status before move to /Networking
Your 27-bit subnet mask looks a little conspicuous. Are you sure your unreachable devices are within the restrictive 5-bit address range that this imposes (i.e 192.168.3.0 - 192.168.3.31)? And are they all configured as such? The firewall rules should have no effect on LAN traffic, except into, out of, and through the firewall. You should be able to disconnect the firewall host with no effect on LAN traffic (unless it is a DHCP server, or some other service required by the LAN hosts).
I think the subnetting is ok. I am using dhcpd to distribute the ip's in my small LAN. I used a subnet calculator(lazy) and it appears ok. It says that I can use 30 ip's for a limit of 8 subnets beginning with 192.168.3.1-30 with a broadcast address of 192.168.3.31. Let me dig. What is so odd is that when I do a scan from a laptop on the LAN, I can see a few host. Thanks for the reply.
Last edited by metallica1973; 06-21-2013 at 01:46 PM.
and I still cannot communicate but with only certain ips within my LAN:
From my firewall:
Code:
Starting Nmap 5.51 ( http://nmap.org ) at 2013-06-27 15:04 EDT
Initiating ARP Ping Scan at 15:04
Scanning 192.168.3.0 [1 port]
Completed ARP Ping Scan at 15:04, 0.42s elapsed (1 total hosts)
Nmap scan report for 192.168.3.0 [host down]
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.03s elapsed
Initiating ARP Ping Scan at 15:04
Scanning 30 hosts [1 port/host]
Completed ARP Ping Scan at 15:04, 1.35s elapsed (30 total hosts)
Initiating Parallel DNS resolution of 30 hosts. at 15:04
Completed Parallel DNS resolution of 30 hosts. at 15:04, 0.04s elapsed
Nmap scan report for 192.168.3.2 [host down]
Nmap scan report for 192.168.3.3 [host down]
Nmap scan report for 192.168.3.4 [host down]
Nmap scan report for 192.168.3.5 [host down]
Nmap scan report for 192.168.3.6 [host down]
Nmap scan report for 192.168.3.7 [host down]
Nmap scan report for 192.168.3.8 [host down]
Nmap scan report for 192.168.3.9 [host down]
Nmap scan report for 192.168.3.10 [host down]
Initiating Connect Scan at 15:04
Scanning 192.168.3.1 [1 port]
Completed Connect Scan at 15:04, 0.00s elapsed (1 total ports)
Nmap scan report for 192.168.3.1
Host is up (0.00013s latency).
PORT STATE SERVICE
80/tcp closed http
Nmap scan report for 192.168.3.12 [host down]
Nmap scan report for 192.168.3.13 [host down]
Nmap scan report for 192.168.3.15 [host down]
Nmap scan report for 192.168.3.16 [host down]
Nmap scan report for 192.168.3.17 [host down]
Nmap scan report for 192.168.3.19 [host down]
Nmap scan report for 192.168.3.21 [host down]
Nmap scan report for 192.168.3.22 [host down]
Nmap scan report for 192.168.3.23 [host down]
Nmap scan report for 192.168.3.24 [host down]
Nmap scan report for 192.168.3.25 [host down]
Nmap scan report for 192.168.3.26 [host down]
Nmap scan report for 192.168.3.27 [host down]
Nmap scan report for 192.168.3.28 [host down]
Nmap scan report for 192.168.3.29 [host down]
Nmap scan report for 192.168.3.30 [host down]
Nmap scan report for 192.168.3.31 [host down]
Initiating Connect Scan at 15:04
Scanning 4 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.3.20
Completed Connect Scan at 15:04, 0.00s elapsed (4 total ports)
Nmap scan report for 192.168.3.11
Host is up (0.00068s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: 02:03:05:CD:06:04 (ZyXEL Communications)
Nmap scan report for 192.168.3.14
Host is up (0.32s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: A9:54:C2:0B:D1:70 (Unknown)
Nmap scan report for 192.168.3.18
Host is up (0.41s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: C8:32:CA:DF:1B:79 (Unknown)
Nmap scan report for 192.168.3.20
Host is up (0.25s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 7C:DD:90:39:65:3C (Unknown)
Read data files from: /usr/share/nmap
Nmap done: 32 IP addresses (5 hosts up) scanned in 1.96 seconds
Raw packets sent: 61 (1.708KB) | Rcvd: 7 (196B)
and from a laptop within my LAN:
Code:
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-27 15:04 EDT
Initiating ARP Ping Scan at 15:04
Scanning 14 hosts [1 port/host]
Completed ARP Ping Scan at 15:04, 0.43s elapsed (14 total hosts)
Initiating Parallel DNS resolution of 14 hosts. at 15:04
Completed Parallel DNS resolution of 14 hosts. at 15:04, 0.03s elapsed
Nmap scan report for 192.168.3.0 [host down]
Nmap scan report for 192.168.3.2 [host down]
Nmap scan report for 192.168.3.3 [host down]
Nmap scan report for 192.168.3.4 [host down]
Nmap scan report for 192.168.3.5 [host down]
Nmap scan report for 192.168.3.6 [host down]
Nmap scan report for 192.168.3.7 [host down]
Nmap scan report for 192.168.3.8 [host down]
Nmap scan report for 192.168.3.9 [host down]
Nmap scan report for 192.168.3.10 [host down]
Nmap scan report for 192.168.3.12 [host down]
Nmap scan report for 192.168.3.13 [host down]
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.02s elapsed
Initiating Connect Scan at 15:04
Scanning 2 hosts [1 port/host]
Completed Connect Scan at 15:04, 0.00s elapsed (2 total ports)
Nmap scan report for 192.168.3.1
Host is up (0.0038s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: 00:19:5B:69:C3:B1 (D-Link)
Nmap scan report for 192.168.3.11
Host is up (0.0020s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: 02:03:05:CD:06:04 (ZyXEL Communications)
Initiating ARP Ping Scan at 15:04
Scanning 17 hosts [1 port/host]
Completed ARP Ping Scan at 15:04, 0.81s elapsed (17 total hosts)
Nmap scan report for 192.168.3.15 [host down]
Nmap scan report for 192.168.3.16 [host down]
Nmap scan report for 192.168.3.17 [host down]
Nmap scan report for 192.168.3.18 [host down]
Nmap scan report for 192.168.3.19 [host down]
Nmap scan report for 192.168.3.20 [host down]
Nmap scan report for 192.168.3.21 [host down]
Nmap scan report for 192.168.3.22 [host down]
Nmap scan report for 192.168.3.23 [host down]
Nmap scan report for 192.168.3.24 [host down]
Nmap scan report for 192.168.3.25 [host down]
Nmap scan report for 192.168.3.26 [host down]
Nmap scan report for 192.168.3.27 [host down]
Nmap scan report for 192.168.3.28 [host down]
Nmap scan report for 192.168.3.29 [host down]
Nmap scan report for 192.168.3.30 [host down]
Nmap scan report for 192.168.3.31 [host down]
Initiating Connect Scan at 15:04
Scanning 192.168.3.14 [1 port]
Completed Connect Scan at 15:04, 0.00s elapsed (1 total ports)
Nmap scan report for 192.168.3.14
Host is up (0.00015s latency).
PORT STATE SERVICE
80/tcp closed http
Read data files from: /usr/bin/../share/nmap
Nmap done: 32 IP addresses (3 hosts up) scanned in 1.36 seconds
Raw packets sent: 60 (1.680KB) | Rcvd: 2 (56B)
unreal, I finally figured out why there wasnt any icmp and anything else showing up in my wireshark packet. I have a Zyxel AP that connected all of my wireless devices and it had a setting:
Code:
Enable Intra-BSS Traffic Intra-BSS traffic is traffic between wireless stations in the same BSS. Select this check box to enable Intra-BSS traffic.
which was unchecked and without that enabled you cant route any traffic between workstations within the same subnet. Crazy but that is what is was. I guess it would be used for situation where only strict route rules would be set to enforce greater security protocols in place in a network that would use these type of AP. I would imagine Cisco and other corporate AP would have the same type of security features. Wow I truly learned something new.
Last edited by metallica1973; 07-01-2013 at 09:30 AM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.