Linux - Networking This forum is for any issue related to networks or networking.
03-19-2013, 09:27 AM, #1
Member | Registered: Mar 2008 | Distribution: Slackware, Mint, Raspbian | Posts: 94
Maybe a routing problem between subnets?
I have a layer 3 router running Slackware that has 3 NICs. One is for the modem (eth0), the other wired one is eth1, and wlan0, as you guessed, is the wireless adapter. The internal wired adapter (eth1) is 192.168.1.1 and the wireless is 192.168.10.1. Anything connected to the wireless can ping anything and has no problem seeing the internet, but can't ping eth0, which is assigned our external ip address. This isn't the same for anything in the 192.168.1.x subnet. Everything connected to the wired (eth1) adapter can ping our external ip. I need the stuff in the 192.168.10.x subnet to also be able to see eth0 so they can access the web server. They can access apache through 192.168.1.1, but I need some of the wireless things to access our external ip address so this software won't need the address altered every time we change networks.
Here is this routing info and ifconfig.
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 75.137.104.1 0.0.0.0 UG 203 0 0 eth0
75.137.104.0 0.0.0.0 255.255.248.0 U 203 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 576
        inet xx.xxx.xxx.xx  netmask 255.255.248.0  broadcast 255.255.255.255
        ether 00:04:4b:05:71:76  txqueuelen 1000  (Ethernet)
        RX packets 170918610  bytes 94138351848 (87.6 GiB)
        RX errors 692  dropped 0  overruns 691  frame 1
        TX packets 88563286  bytes 11451253674 (10.6 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::204:4bff:fe05:7177  prefixlen 64  scopeid 0x20<link>
        ether 00:04:4b:05:71:77  txqueuelen 1000  (Ethernet)
        RX packets 209925911  bytes 15875086157 (14.7 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 194650101  bytes 625450136587 (582.4 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 435781  bytes 83564121 (79.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 435781  bytes 83564121 (79.6 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.1  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::92f6:52ff:fee5:780a  prefixlen 64  scopeid 0x20<link>
        ether 90:f6:52:e5:78:0a  txqueuelen 1000  (Ethernet)
        RX packets 13699734  bytes 1115473588 (1.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14267407  bytes 17026337519 (5.8 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Thanks for your help.
03-20-2013, 03:48 AM, #2
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
If you run a tcpdump on wlan0 or eth0, can you see the tcp traffic that's failing? Could there be something in iptables stopping it? Post your rulebase: iptables -vnL. Also you'll be needing some NAT / MASQUERADE action for that traffic too.
03-20-2013, 07:48 AM, #3
Member (Original Poster) | Registered: Mar 2008 | Distribution: Slackware, Mint, Raspbian | Posts: 94
Forgive my lack of experience in this area. I'm sure it's probably something I've misconfigured and just don't have the knowledge to set up. Using tcpdump, it looks like eth0 is never getting the icmp request. I can see wlan0 on the router trying to send the request to the public ip, but eth0 never receives that request.
If I ping it from one of the wired computers that are connected to eth1 then I can see both a send and receive message being passed from and to the public ip address.
dmesg shows this.
Code:
[1175285.803798] OUTPUT packet died: IN= OUT=wlan0 SRC=xx.xxx.xx.xxx DST=192.168.10.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=20479 PROTO=ICMP TYPE=0 CODE=0 ID=19631 SEQ=1
[1175288.827183] INPUT packet died: IN=wlan0 OUT= MAC=90:f6:52:e5:78:0a:6c:62:6d:19:64:c0:08:00 SRC=192.168.10.100 DST=xx.xxx.xx.xxx LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=19631 SEQ=4
Here's the ruleset.
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 6507 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
13201 700K bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
2 56 DROP all -- * * 0.0.0.0/0 224.0.0.1
13064 681K ACCEPT all -- eth1 * 192.168.1.0/24 0.0.0.0/0
41 4557 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 tcp_inbound tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
25 8120 udp_inbound udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 icmp_packets icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
13 1092 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4 prefix "INPUT packet died: "
64 5620 ACCEPT all -- * * 192.168.10.0/24 0.0.0.0/0
Chain FORWARD (policy ACCEPT 81 packets, 9265 bytes)
pkts bytes target prot opt in out source destination
352 81311 bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
88 6054 tcp_outbound tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0
3 190 udp_outbound udp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
157 63559 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9 484 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4 prefix "FORWARD packet died: "
Chain OUTPUT (policy DROP 57 packets, 4788 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4 848 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
36 5659 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.1.1 0.0.0.0/0
11397 40M ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
55 4914 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
10 840 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4 prefix "OUTPUT packet died: "
2 904 ACCEPT all -- * * 192.168.10.0/24 0.0.0.0/0
Chain bad_packets (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- eth0 * 192.168.1.0/24 0.0.0.0/0 LOG flags 0 level 4 prefix "Illegal source: "
0 0 DROP all -- eth0 * 192.168.1.0/24 0.0.0.0/0
11 1691 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "Invalid packet: "
11 1691 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
13426 764K bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
13542 779K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bad_tcp_packets (1 references)
pkts bytes target prot opt in out source destination
13148 687K RETURN tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW LOG flags 0 level 4 prefix "New not syn: "
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 LOG flags 0 level 4 prefix "Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F LOG flags 0 level 4 prefix "Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29 LOG flags 0 level 4 prefix "Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37 LOG flags 0 level 4 prefix "Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 LOG flags 0 level 4 prefix "Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 LOG flags 0 level 4 prefix "Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
278 76802 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp_packets (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG icmp -f * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "ICMP Fragment: "
0 0 DROP icmp -f * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcp_inbound (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5000:5100
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6891:6900
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcp_outbound (1 references)
pkts bytes target prot opt in out source destination
88 6054 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp_inbound (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:113 reject-with icmp-port-unreachable
24 8062 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
1 58 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp_outbound (1 references)
pkts bytes target prot opt in out source destination
3 190 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
Thanks for taking the time to help.
03-20-2013, 07:50 AM, #4
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
Right, so as per the dmesg entry, which I hope you cross-referenced in the FORWARD table:
Code:
Chain FORWARD (policy ACCEPT 81 packets, 9265 bytes)
pkts bytes target prot opt in out source destination
352 81311 bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
88 6054 tcp_outbound tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0
3 190 udp_outbound udp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
157 63559 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9 484 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4 prefix "FORWARD packet died: "
There is nothing to allow wlan0 to reach eth0, but eth1 CAN reach eth0. If you're comfortable with the way eth1 is working, duplicate those entries for wlan0.
03-20-2013, 10:20 AM, #5
Member (Original Poster) | Registered: Mar 2008 | Distribution: Slackware, Mint, Raspbian | Posts: 94
I made these modifications but it still doesn't work.
Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
766 228K bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
52 3650 tcp_outbound tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0
299 34084 tcp_outbound tcp -- wlan0 * 0.0.0.0/0 0.0.0.0/0
2 136 udp_outbound udp -- eth1 * 0.0.0.0/0 0.0.0.0/0
45 2910 udp_outbound udp -- wlan0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
6 660 ACCEPT all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
362 187K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4 prefix "FORWARD packet died: "
03-20-2013, 10:28 AM, #6
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
You'll probably need another interface-specific entry in the nat table too, then. Check with "iptables -t nat -vnL".
03-20-2013, 11:26 AM, #7
Member (Original Poster) | Registered: Mar 2008 | Distribution: Slackware, Mint, Raspbian | Posts: 94
I checked iptables -t nat -vnL and have a question. Does this mean all interfaces in and eth0 out?
Code:
pkts bytes target prot opt in out source destination
565 36020 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Should I do wlan0 to eth0 or would this rule cover that already?
Also I added wlan0 to the nat table but it didn't seem to change anything.
Last edited by orsty9001; 03-20-2013 at 12:44 PM.
03-20-2013, 12:50 PM, #8
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
Well, there are other references to eth1 that aren't matched; I see them in the bad_tcp_packets table etc. I can't see any specific reason why icmp isn't working, but there is probably something new in the logs now, as traffic is clearly matching the tables by virtue of being from wlan0 that it wasn't before.
03-20-2013, 01:03 PM, #9
Member (Original Poster) | Registered: Mar 2008 | Distribution: Slackware, Mint, Raspbian | Posts: 94
tcpdump is giving me this now.
Code:
14:02:20.252540 IP xx.xxx.xx.xx > 4.2.2.1: ICMP xx.xxx.xx.xxx udp port 42561 unreachable, length 84
I'm not sure if that's a clue or not.
03-20-2013, 02:45 PM, #10
Senior Member | Registered: Jul 2009 | Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0 | Posts: 1,571
To: orsty9001
May I ask you to run the command "iptables-save" in a console and post the output here, if possible.
Also I do not understand this one:
..."One is for the modem (eth0) , the other wired one (eth1) and wlan0"..."Anything connected to the wireless can ping anything and has no problem seeing the internet but can't ping eth0 which is assigned our external ip address."
The default outside-world GW for the Slackware box is 75.137.104.1.
What is the default GW for units connected through wireless?
03-20-2013, 03:07 PM, #11
Member (Original Poster) | Registered: Mar 2008 | Distribution: Slackware, Mint, Raspbian | Posts: 94
Here you go.
Code:
# Generated by iptables-save v1.4.17 on Wed Mar 20 16:00:00 2013
*mangle
:PREROUTING ACCEPT [1529993:96112871]
:INPUT ACCEPT [1495527:79148972]
:FORWARD ACCEPT [34341:16863129]
:OUTPUT ACCEPT [1303849:4630124759]
:POSTROUTING ACCEPT [1337912:4646795332]
COMMIT
# Completed on Wed Mar 20 16:00:00 2013
# Generated by iptables-save v1.4.17 on Wed Mar 20 16:00:00 2013
*nat
:PREROUTING ACCEPT [2122:260055]
:INPUT ACCEPT [308:90587]
:OUTPUT ACCEPT [392:28092]
:POSTROUTING ACCEPT [90:6916]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 20 16:00:00 2013
# Generated by iptables-save v1.4.17 on Wed Mar 20 16:00:00 2013
*filter
:INPUT DROP [756:44593]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [53:4452]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A INPUT -d 192.168.1.255/32 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A INPUT -s 192.168.10.0/24 -j ACCEPT
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i wlan0 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i wlan0 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i wlan0 -j ACCEPT
-A FORWARD -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A OUTPUT -s 192.168.10.0/24 -j ACCEPT
-A bad_packets -s 192.168.1.0/24 -i eth0 -j LOG --log-prefix "Illegal source: "
-A bad_packets -s 192.168.1.0/24 -i eth0 -j DROP
-A bad_packets -m conntrack --ctstate INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m conntrack --ctstate INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 143 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 995 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 993 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 5000:5100 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 6891:6900 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Wed Mar 20 16:00:00 2013
To clarify, I need to access the public ip address (eth0) from everything on the network. Nothing connected to wlan0 can see the public ip address while everything connected to eth1 can see the public ip address.
The default outside gateway is the same for everything.
Last edited by orsty9001; 03-20-2013 at 03:21 PM.
03-20-2013, 08:30 PM, #12
Member (Original Poster) | Registered: Mar 2008 | Distribution: Slackware, Mint, Raspbian | Posts: 94
I figured it out.
Code:
iptables -A OUTPUT -o wlan0 -j ACCEPT
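Why that one rule fixes it, worked through as an added example that is not from the thread: a ping to the router's own public address is delivered locally (INPUT chain), and the echo reply then leaves via wlan0 through the OUTPUT chain with the public address as source, which is exactly the dmesg line in post #3; the OUTPUT chain from the iptables-save output (policy DROP) has no rule matching that combination until the accept from post #12 is appended. The script models that chain as a first-match walk (LOG is non-terminating, as in netfilter; the conntrack INVALID rule is left out because connection state is not modelled) and evaluates the logged packet before and after the fix. The masked public address is replaced with the constructed placeholder 203.0.113.5.

```python
import ipaddress
import re

# Constructed copy of the two kernel LOG lines from post #3, with the masked
# public address replaced by the placeholder 203.0.113.5 (TEST-NET-3).
DMESG = """\
[1175285.803798] OUTPUT packet died: IN= OUT=wlan0 SRC=203.0.113.5 DST=192.168.10.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=20479 PROTO=ICMP TYPE=0 CODE=0 ID=19631 SEQ=1
[1175288.827183] INPUT packet died: IN=wlan0 OUT= MAC=90:f6:52:e5:78:0a:6c:62:6d:19:64:c0:08:00 SRC=192.168.10.100 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=19631 SEQ=4
"""

def parse_dmesg(text):
    """Turn 'packet died' LOG lines into dicts of the fields we match on."""
    pkts = []
    for line in text.splitlines():
        m = re.search(r"\] (\w+) packet died: (.*)", line)
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
        pkts.append({"chain": m.group(1), "in": kv.get("IN", ""),
                     "out": kv.get("OUT", ""), "src": kv["SRC"],
                     "dst": kv["DST"], "proto": kv.get("PROTO", "")})
    return pkts

# OUTPUT chain as listed in the iptables-save output (post #11), policy DROP.
# Each rule is (match, target); 'o' = out interface, 's' = source prefix.
# The '-p icmp --ctstate INVALID' DROP is omitted: conntrack is not modelled.
OUTPUT_BEFORE = [
    ({"s": "127.0.0.1/32"}, "ACCEPT"),
    ({"o": "lo"}, "ACCEPT"),
    ({"s": "192.168.1.1/32"}, "ACCEPT"),
    ({"o": "eth1"}, "ACCEPT"),
    ({"o": "eth0"}, "ACCEPT"),
    ({}, "LOG"),                          # "OUTPUT packet died: "
    ({"s": "192.168.10.0/24"}, "ACCEPT"),
]
# Post #12 appends 'iptables -A OUTPUT -o wlan0 -j ACCEPT'.
OUTPUT_AFTER = OUTPUT_BEFORE + [({"o": "wlan0"}, "ACCEPT")]

def matches(match, pkt):
    if "o" in match and pkt["out"] != match["o"]:
        return False
    if "s" in match:
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(match["s"])
    return True

def verdict(chain, pkt, policy="DROP"):
    """First-match walk. LOG is non-terminating, as in netfilter, so a
    packet can be logged as 'died' and still be accepted by a later rule."""
    logged = False
    for match, target in chain:
        if matches(match, pkt):
            if target == "LOG":
                logged = True
                continue
            return target, logged
    return policy, logged

def run():
    """Evaluate the logged echo reply (public IP -> 192.168.10.100 via wlan0)."""
    reply = parse_dmesg(DMESG)[0]
    return verdict(OUTPUT_BEFORE, reply), verdict(OUTPUT_AFTER, reply)
```

Because the fix was appended after the LOG rule, accepted replies to wlan0 will still show up as "OUTPUT packet died" lines; inserting the rule ahead of the LOG rule (iptables -I rather than -A) keeps that log prefix meaningful for real drops.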