LinuxQuestions.org
Old 03-19-2013, 09:27 AM   #1
orsty9001
Member
 
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94

Rep: Reputation: 1
Maybe a routing problem between subnets?


I have a layer 3 router running Slackware that has 3 NICs. One is for the modem (eth0), the other wired one is eth1, and wlan0, as you guessed, is the wireless adapter. The internal wired adapter (eth1) is 192.168.1.1 and the wireless is 192.168.10.1. Anything connected to the wireless can ping anything and has no problem seeing the internet, but can't ping eth0, which is assigned our external IP address. This isn't the same for anything in the 192.168.1.x subnet: everything connected to the wired (eth1) adapter can ping our external IP. I need the stuff in the 192.168.10.x subnet to also be able to see eth0 so they can access the web server. They can access Apache through 192.168.1.1, but I need some of the wireless things to access our external IP address so this software won't need the address altered every time we change networks.

Here is the routing info and ifconfig.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         75.137.104.1    0.0.0.0         UG    203    0        0 eth0
75.137.104.0    0.0.0.0         255.255.248.0   U     203    0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0

Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 576
        inet xx.xxx.xxx.xx  netmask 255.255.248.0  broadcast 255.255.255.255
        ether 00:04:4b:05:71:76  txqueuelen 1000  (Ethernet)
        RX packets 170918610  bytes 94138351848 (87.6 GiB)
        RX errors 692  dropped 0  overruns 691  frame 1
        TX packets 88563286  bytes 11451253674 (10.6 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::204:4bff:fe05:7177  prefixlen 64  scopeid 0x20<link>
        ether 00:04:4b:05:71:77  txqueuelen 1000  (Ethernet)
        RX packets 209925911  bytes 15875086157 (14.7 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 194650101  bytes 625450136587 (582.4 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 435781  bytes 83564121 (79.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 435781  bytes 83564121 (79.6 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.1  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::92f6:52ff:fee5:780a  prefixlen 64  scopeid 0x20<link>
        ether 90:f6:52:e5:78:0a  txqueuelen 1000  (Ethernet)
        RX packets 13699734  bytes 1115473588 (1.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14267407  bytes 17026337519 (5.8 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Thanks for your help.
 
Old 03-20-2013, 03:48 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
If you run a tcpdump on wlan0 or eth0, can you see the TCP traffic that's failing? Could there be something in iptables stopping it? Post your rulebase (iptables -vnL). Also you'll be needing some NAT / MASQUERADE action for that traffic too.
 
Old 03-20-2013, 07:48 AM   #3
orsty9001
Member
 
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94

Original Poster
Rep: Reputation: 1
Forgive my lack of experience in this area. I'm sure it's probably something I've misconfigured and just don't have the knowledge to set up. Using tcpdump, it looks like eth0 is never getting the ICMP request. I can see wlan0 on the router trying to send the request to the public IP, but eth0 never receives that request.

If I ping it from one of the wired computers that are connected to eth1 then I can see both a send and receive message being passed from and to the public ip address.

dmesg shows this.

Code:
[1175285.803798] OUTPUT packet died: IN= OUT=wlan0 SRC=xx.xxx.xx.xxx DST=192.168.10.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=20479 PROTO=ICMP TYPE=0 CODE=0 ID=19631 SEQ=1 
[1175288.827183] INPUT packet died: IN=wlan0 OUT= MAC=90:f6:52:e5:78:0a:6c:62:6d:19:64:c0:08:00 SRC=192.168.10.100 DST=xx.xxx.xx.xxx LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=19631 SEQ=4
Here's the ruleset.

Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   40  6507 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
13201  700K bad_packets  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    2    56 DROP       all  --  *      *       0.0.0.0/0            224.0.0.1           
13064  681K ACCEPT     all  --  eth1   *       192.168.1.0/24       0.0.0.0/0                     
   41  4557 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 tcp_inbound  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
   25  8120 udp_inbound  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 icmp_packets  icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
   13  1092 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 4 prefix "INPUT packet died: "
   64  5620 ACCEPT     all  --  *      *       192.168.10.0/24      0.0.0.0/0           

Chain FORWARD (policy ACCEPT 81 packets, 9265 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  352 81311 bad_packets  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   88  6054 tcp_outbound  tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    3   190 udp_outbound  udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
  157 63559 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    9   484 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 4 prefix "FORWARD packet died: "

Chain OUTPUT (policy DROP 57 packets, 4788 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    4   848 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0           
   36  5659 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       192.168.1.1          0.0.0.0/0           
11397   40M ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
   55  4914 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
   10   840 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 4 prefix "OUTPUT packet died: "
    2   904 ACCEPT     all  --  *      *       192.168.10.0/24      0.0.0.0/0           

Chain bad_packets (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  eth0   *       192.168.1.0/24       0.0.0.0/0            LOG flags 0 level 4 prefix "Illegal source: "
    0     0 DROP       all  --  eth0   *       192.168.1.0/24       0.0.0.0/0           
   11  1691 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID LOG flags 0 level 4 prefix "Invalid packet: "
   11  1691 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
13426  764K bad_tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
13542  779K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain bad_tcp_packets (1 references)
 pkts bytes target     prot opt in     out     source               destination         
13148  687K RETURN     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW LOG flags 0 level 4 prefix "New not syn: "
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00 LOG flags 0 level 4 prefix "Stealth scan: "
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F LOG flags 0 level 4 prefix "Stealth scan: "
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29 LOG flags 0 level 4 prefix "Stealth scan: "
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37 LOG flags 0 level 4 prefix "Stealth scan: "
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06 LOG flags 0 level 4 prefix "Stealth scan: "
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03 LOG flags 0 level 4 prefix "Stealth scan: "
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
  278 76802 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain icmp_packets (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        icmp -f  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "ICMP Fragment: "
    0     0 DROP       icmp -f  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain tcp_inbound (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113 reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:5000:5100
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:6891:6900
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain tcp_outbound (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   88  6054 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain udp_inbound (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:113 reject-with icmp-port-unreachable
   24  8062 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    1    58 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain udp_outbound (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   190 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0

Thanks for taking your time to help.
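The two dmesg lines above say more than "something died". A LOG target is non-terminating, so "packet died" only means the packet reached the LOG rule; whether it was actually dropped depends on the rules after it. In the INPUT chain posted above, the rule after LOG is ACCEPT for source 192.168.10.0/24, so the echo request from 192.168.10.100 that arrived on wlan0 was accepted after being logged. In the OUTPUT chain the only rule after LOG is also ACCEPT for source 192.168.10.0/24, which the echo reply (source = the public address, leaving via wlan0) does not match, so that packet fell through to the OUTPUT policy DROP. The following shell script, an added example and not code from the thread, pulls those fields out of netfilter LOG lines so the chain and interfaces can be read at a glance. The two sample lines are the thread's, with the masked public address replaced by the placeholder 203.0.113.10 (a documentation range); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise netfilter "packet died" LOG lines.
# Constructed sample: the two dmesg lines from the thread, with the masked public
# address replaced by the placeholder 203.0.113.10.
SAMPLE_LOG='[1175285.803798] OUTPUT packet died: IN= OUT=wlan0 SRC=203.0.113.10 DST=192.168.10.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=20479 PROTO=ICMP TYPE=0 CODE=0 ID=19631 SEQ=1
[1175288.827183] INPUT packet died: IN=wlan0 OUT= MAC=90:f6:52:e5:78:0a:6c:62:6d:19:64:c0:08:00 SRC=192.168.10.100 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=19631 SEQ=4'

# summarise_log_hits: read kernel LOG lines on stdin and print, for each
# "<CHAIN> packet died:" line, "<chain> in=<iface> out=<iface> <proto> <src> -> <dst>".
# The chain name is taken from the "<CHAIN> packet died:" marker rather than a fixed
# column, so raw dmesg and syslog lines with a host/timestamp prefix both work.
summarise_log_hits() {
    awk '
    match($0, /[A-Z]+ packet died: /) {
        chain = substr($0, RSTART, RLENGTH)
        sub(/ packet died: /, "", chain)
        in_if = "-"; out_if = "-"; proto = "?"; src = "?"; dst = "?"; itype = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue            # tokens like "DF" carry no value
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "IN" && val != "")       in_if = val
            else if (key == "OUT" && val != "") out_if = val
            else if (key == "SRC")              src = val
            else if (key == "DST")              dst = val
            else if (key == "PROTO")            proto = val
            else if (key == "TYPE")             itype = val
        }
        # Name the two ICMP types that matter when the test is a ping.
        if (proto == "ICMP") {
            if (itype == "8")      proto = "ICMP/echo-request"
            else if (itype == "0") proto = "ICMP/echo-reply"
            else                   proto = "ICMP/type" itype
        }
        printf "%s in=%s out=%s %s %s -> %s\n", chain, in_if, out_if, proto, src, dst
    }'
}

# count_hits_per_chain: number of logged packets per chain, to see which chain is
# producing noise (a LOG rule placed before a broad ACCEPT logs accepted traffic too).
count_hits_per_chain() {
    summarise_log_hits | awk '{ n[$1]++ } END { for (c in n) printf "%s %d\n", c, n[c] }' | sort
}

# Stand-alone run on the sample; on a live box use: dmesg | summarise_log_hits
printf '%s\n' "$SAMPLE_LOG" | summarise_log_hits
```

On the sample the first line comes out as `OUTPUT in=- out=wlan0 ICMP/echo-reply 203.0.113.10 -> 192.168.10.100`: a locally generated echo reply, leaving via wlan0, with the public address as source. Checking that against the OUTPUT chain (ACCEPT for -o eth1 and -o eth0, nothing for -o wlan0) is what points at the missing rule.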
 
Old 03-20-2013, 07:50 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Right, so as per the dmesg entry, which I hope you cross-referenced in the FORWARD table:

Code:
Chain FORWARD (policy ACCEPT 81 packets, 9265 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  352 81311 bad_packets  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   88  6054 tcp_outbound  tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    3   190 udp_outbound  udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
  157 63559 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    9   484 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 4 prefix "FORWARD packet died: "
there is nothing to allow wlan0 to reach eth0, but eth1 CAN reach eth0. If you're comfortable with the way eth1 is working, duplicate those entries for wlan0.
 
Old 03-20-2013, 10:20 AM   #5
orsty9001
Member
 
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94

Original Poster
Rep: Reputation: 1
I made these modifications but it still doesn't work.

Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  766  228K bad_packets  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   52  3650 tcp_outbound  tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
  299 34084 tcp_outbound  tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    2   136 udp_outbound  udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
   45  2910 udp_outbound  udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    6   660 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
  362  187K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 4 prefix "FORWARD packet died: "
 
Old 03-20-2013, 10:28 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
you'll probably need another interface specific entry in the nat table too then... check with "iptables -t nat -vnL"
 
Old 03-20-2013, 11:26 AM   #7
orsty9001
Member
 
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94

Original Poster
Rep: Reputation: 1
I checked iptables -t nat -vnL and have a question. Does this mean all interfaces in and eth0 out?

Code:
 pkts bytes target     prot opt in     out     source               destination
  565 36020 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Should I do wlan0 to eth0 or would this rule cover that already?

Also I added wlan0 to the nat table but it didn't seem to change anything.

Last edited by orsty9001; 03-20-2013 at 12:44 PM.
 
Old 03-20-2013, 12:50 PM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
well there are other references to eth1 that aren't matched, I see in the bad_tcp_packets table etc. I can't see any specific reason why icmp isn't working, but there is probably something new in the logs now as traffic is clearly matching the tables by virtue of being from wlan0 that it wasn't before.
 
Old 03-20-2013, 01:03 PM   #9
orsty9001
Member
 
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94

Original Poster
Rep: Reputation: 1
tcpdump is giving me this now.

Code:
14:02:20.252540 IP xx.xxx.xx.xx > 4.2.2.1: ICMP xx.xxx.xx.xxx udp port 42561 unreachable, length 84
I'm not sure if that's a clue or not.
 
Old 03-20-2013, 02:45 PM   #10
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
To: orsty9001

May I ask you to run the command "iptables-save" in a console and post the output here, if possible.

Also I do not understand this one:
..."One is for the modem (eth0) , the other wired one (eth1) and wlan0"..."Anything connected to the wireless can ping anything and has no problem seeing the internet but can't ping eth0 which is assigned our external ip address."

The default outside-world GW for Slackware is 75.137.104.1.
What is the default GW for units connected through wireless?
 
Old 03-20-2013, 03:07 PM   #11
orsty9001
Member
 
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94

Original Poster
Rep: Reputation: 1
Here you go.

Code:
# Generated by iptables-save v1.4.17 on Wed Mar 20 16:00:00 2013
*mangle
:PREROUTING ACCEPT [1529993:96112871]
:INPUT ACCEPT [1495527:79148972]
:FORWARD ACCEPT [34341:16863129]
:OUTPUT ACCEPT [1303849:4630124759]
:POSTROUTING ACCEPT [1337912:4646795332]
COMMIT
# Completed on Wed Mar 20 16:00:00 2013
# Generated by iptables-save v1.4.17 on Wed Mar 20 16:00:00 2013
*nat
:PREROUTING ACCEPT [2122:260055]
:INPUT ACCEPT [308:90587]
:OUTPUT ACCEPT [392:28092]
:POSTROUTING ACCEPT [90:6916]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 20 16:00:00 2013
# Generated by iptables-save v1.4.17 on Wed Mar 20 16:00:00 2013
*filter
:INPUT DROP [756:44593]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [53:4452]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A INPUT -d 192.168.1.255/32 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A INPUT -s 192.168.10.0/24 -j ACCEPT
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i wlan0 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i wlan0 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i wlan0 -j ACCEPT
-A FORWARD -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A OUTPUT -s 192.168.10.0/24 -j ACCEPT
-A bad_packets -s 192.168.1.0/24 -i eth0 -j LOG --log-prefix "Illegal source: "
-A bad_packets -s 192.168.1.0/24 -i eth0 -j DROP
-A bad_packets -m conntrack --ctstate INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m conntrack --ctstate INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 143 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 995 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 993 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 5000:5100 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 6891:6900 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Wed Mar 20 16:00:00 2013
To clarify, I need to access the public ip address (eth0) from everything on the network. Nothing connected to wlan0 can see the public ip address while everything connected to eth1 can see the public ip address.

The default outside gateway is the same for everything.

Last edited by orsty9001; 03-20-2013 at 03:21 PM.
 
Old 03-20-2013, 08:30 PM   #12
orsty9001
Member
 
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94

Original Poster
Rep: Reputation: 1
I figured it out.

Code:
iptables -A OUTPUT -o wlan0 -j ACCEPT
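The fix works because the router's echo replies to the wireless subnet leave via wlan0, and the OUTPUT chain (policy DROP) accepted only -o eth1 and -o eth0. One thing to keep an eye on: -A appends the new rule after the rate-limited "OUTPUT packet died:" LOG rule, so every reply the router sends into the wireless LAN is still logged before it is accepted, and the same is true of the INPUT chain's ACCEPT for 192.168.10.0/24, which also sits after its LOG rule. That turns the log into noise exactly where you want it to show real drops. The script below, an added example and not the thread's code, locates a chain's LOG rule from iptables -S output and inserts the interface ACCEPT in front of it, and it uses iptables -C so re-running it from a boot script does not duplicate rules. The function names are my own; iptables -S, -C and -I are standard options. The sample rules are the OUTPUT chain exactly as posted in the iptables-save above.

```shell
#!/bin/sh
# Added example (not from the thread): put a per-interface ACCEPT before a chain's
# LOG rule instead of appending it with -A, and make the change idempotent.
# Rules are read in "iptables -S CHAIN" / iptables-save form.

# log_rule_index CHAIN: read rules on stdin and print the 1-based position of the
# first rule in CHAIN whose target is LOG; print nothing if the chain has none.
log_rule_index() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == "LOG") { print n; exit }
        }'
}

# insert_cmd CHAIN DIR IFACE: read the chain rules on stdin and print the iptables
# command that adds "DIR IFACE -j ACCEPT" just before the LOG rule, or appends it
# when the chain has no LOG rule. DIR is -i (INPUT/FORWARD) or -o (OUTPUT/FORWARD).
# This is the dry-run form: it prints the command and changes nothing.
insert_cmd() {
    chain=$1; dir=$2; iface=$3
    pos=$(log_rule_index "$chain")
    if [ -n "$pos" ]; then
        printf 'iptables -I %s %s %s %s -j ACCEPT\n' "$chain" "$pos" "$dir" "$iface"
    else
        printf 'iptables -A %s %s %s -j ACCEPT\n' "$chain" "$dir" "$iface"
    fi
}

# accept_iface_before_log CHAIN DIR IFACE: apply the same placement to the live
# ruleset. "iptables -C" returns success when an identical rule already exists,
# so the function can be re-run safely. Needs root and a real iptables.
accept_iface_before_log() {
    if iptables -C "$1" "$2" "$3" -j ACCEPT 2>/dev/null; then
        echo "rule already present in $1 for $2 $3" >&2
        return 0
    fi
    pos=$(iptables -S "$1" | log_rule_index "$1")
    if [ -n "$pos" ]; then
        iptables -I "$1" "$pos" "$2" "$3" -j ACCEPT
    else
        iptables -A "$1" "$2" "$3" -j ACCEPT
    fi
}

# Constructed sample: the OUTPUT chain as posted in the thread's iptables-save.
SAMPLE_OUTPUT_CHAIN='-P OUTPUT DROP
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A OUTPUT -s 192.168.10.0/24 -j ACCEPT'

# Dry run on the sample: the LOG rule is rule 7, so the ACCEPT goes in at position 7.
printf '%s\n' "$SAMPLE_OUTPUT_CHAIN" | insert_cmd OUTPUT -o wlan0
```

On a live router the same placement is `accept_iface_before_log OUTPUT -o wlan0` and, for the inbound side, `accept_iface_before_log INPUT -i wlan0`; the FORWARD entries added earlier in the thread already sit before that chain's LOG rule, so they need no change.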