LinuxQuestions.org
Old 10-31-2011, 06:53 PM   #1
edotom
LQ Newbie
 
Registered: Apr 2004
Location: Colombia
Distribution: redhat
Posts: 2

Rep: Reputation: 0
simple Iptables. Linux receives internet but can reroute to computer in router


Hi,
I have the following scenario.
I have an ISP which provides me internet, which I receive on my Ubuntu 11 box on my eth0. I share internet to my router using eth1, which has 10.10.10.1 / 255.255.255.0 with gateway 0.0.0.0. So far so good. All computers in my LAN have internet. I have my svn working on my Linux box and all of my computers can reach it. The problem: my PCs are on 192.168.1.0 and I can't manage to redirect http 8080 to one of them. It was working with Firestarter until I had to reinstall my former Ubuntu 10 to Ubuntu 11. I tried a lot of stuff with no luck.

Please take a peek at my iptables:

# Generated by iptables-save v1.4.10 on Mon Oct 31 18:41:48 2011
*nat
:PREROUTING ACCEPT [34:2544]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [4:197]
:POSTROUTING ACCEPT [3:132]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.5:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3690 -j DNAT --to-destination 10.10.10.1:3690
-A PREROUTING -i eth0 -p udp -m udp --dport 3690 -j DNAT --to-destination 10.10.10.1:3690
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 31 18:41:48 2011
# Generated by iptables-save v1.4.10 on Mon Oct 31 18:41:48 2011
*mangle
:PREROUTING ACCEPT [122:9281]
:INPUT ACCEPT [33:2279]
:FORWARD ACCEPT [85:6758]
:OUTPUT ACCEPT [29:2121]
:POSTROUTING ACCEPT [93:7115]
COMMIT
# Completed on Mon Oct 31 18:41:48 2011
# Generated by iptables-save v1.4.10 on Mon Oct 31 18:41:48 2011
*filter
:INPUT DROP [22:1716]
:FORWARD DROP [0:0]
:OUTPUT DROP [21:1764]
:INBOUND - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:OUTBOUND - [0:0]
-A INPUT -s 200.75.51.132/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 200.75.51.132/32 -p udp -j ACCEPT
-A INPUT -s 200.75.51.133/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 200.75.51.133/32 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i eth0 -j DROP
-A INPUT -d 190.24.226.47/32 -j DROP
-A INPUT -s 224.0.0.0/8 -j DROP
-A INPUT -d 224.0.0.0/8 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
-A INPUT -d 0.0.0.0/32 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -m limit --limit 10/min -j LSI
-A INPUT -i eth0 -j INBOUND
-A INPUT -d 10.10.10.1/32 -i eth1 -j INBOUND
-A INPUT -d 190.24.226.46/32 -i eth1 -j INBOUND
-A INPUT -d 10.10.10.255/32 -i eth1 -j INBOUND
-A INPUT -d 192.168.1.6/32 -i eth2 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -d 192.168.1.5/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -p icmp -m limit --limit 10/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 10.10.10.1/32 -i eth0 -p tcp -m tcp --dport 3690 -j ACCEPT
-A FORWARD -d 10.10.10.1/32 -i eth0 -p udp -m udp --dport 3690 -j ACCEPT
-A FORWARD -i eth1 -j OUTBOUND
-A FORWARD -d 10.10.10.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.10.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
-A OUTPUT -s 190.24.226.46/32 -d 200.75.51.132/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 190.24.226.46/32 -d 200.75.51.132/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 190.24.226.46/32 -d 200.75.51.133/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 190.24.226.46/32 -d 200.75.51.133/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 224.0.0.0/8 -j DROP
-A OUTPUT -d 224.0.0.0/8 -j DROP
-A OUTPUT -s 255.255.255.255/32 -j DROP
-A OUTPUT -d 0.0.0.0/32 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -o eth1 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -p udp -m udp --dport 22 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 3690 -j ACCEPT
-A INBOUND -p udp -m udp --dport 3690 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 80 -j ACCEPT
-A INBOUND -p udp -m udp --dport 80 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 5900 -j ACCEPT
-A INBOUND -p udp -m udp --dport 5900 -j ACCEPT
-A INBOUND -j LSI
-A LSI -j LOG_FILTER
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j REJECT --reject-with icmp-port-unreachable
-A OUTBOUND -p icmp -j ACCEPT
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -j ACCEPT
COMMIT
# Completed on Mon Oct 31 18:41:49 2011

I'm in despair.

Regards,

edotom
 
Old 11-01-2011, 12:48 AM   #2
lqman
LQ Newbie
 
Registered: Nov 2010
Location: Surabaya, Indonesia
Distribution: debian, ubuntu, FreeBSD, Solaris
Posts: 17

Rep: Reputation: 3
What is your eth0 IP address? Is it static or dynamic?
Where is your PC 192.168.1.5 positioned in the illustration below?

{internet from ISP}-----[eth0:?]{ubuntu}[eth1:10.10.10.1/24]-----{LAN}
 
Old 11-01-2011, 01:16 AM   #3
ceyx
Member
 
Registered: May 2009
Location: Fort Langley BC
Distribution: Kubuntu,Free BSD,OSX,Windows
Posts: 342

Rep: Reputation: 59
Line 5 ...

-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.5:80

should be

-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.5:8080

??
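An added example, not code from any of the posters: a small Python audit of the iptables-save dump in post #1 that checks whether each nat DNAT target also has a matching filter FORWARD ACCEPT rule, then re-runs the check with the port change suggested in reply #3. The regexes and the trimmed dump excerpt are my own construction; the check only covers the rule forms that appear in the dump.

```python
import re

# Constructed sample: the DNAT and FORWARD lines from the iptables-save dump
# in post #1 above (unrelated rules omitted).
SAMPLE_DUMP = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.5:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3690 -j DNAT --to-destination 10.10.10.1:3690
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.5/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 10.10.10.1/32 -i eth0 -p tcp -m tcp --dport 3690 -j ACCEPT
COMMIT
"""
# Variant: only the DNAT target port changed to 8080 (reply #3), FORWARD left at --dport 80.
REPLY3_VARIANT = SAMPLE_DUMP.replace("192.168.1.5:80", "192.168.1.5:8080")

DNAT_RE = re.compile(r"-A PREROUTING .*?-p (\w+) .*?--dport (\d+) -j DNAT "
                     r"--to-destination ([\d.]+):(\d+)")
FWD_RE = re.compile(r"-A FORWARD -d ([\d.]+)/32 .*?-p (\w+) .*?--dport (\d+) -j ACCEPT")

def parse_tables(dump):
    """Group the -A rule lines of an iptables-save dump by table name."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif current is not None and line.startswith("-A "):
            tables[current].append(line)
    return tables

def audit_port_forwards(dump):
    """Return (proto, ext_port, dest_ip, dest_port, forward_ok) per DNAT rule.
    The filter table sees the packet after DNAT rewrote it, so forward_ok is
    True only when FORWARD accepts the translated dest_ip:dest_port."""
    tables = parse_tables(dump)
    accepted = set()  # (proto, ip, port) triples with a FORWARD ACCEPT rule
    for line in tables.get("filter", []):
        m = FWD_RE.match(line)
        if m:
            accepted.add((m.group(2), m.group(1), m.group(3)))
    results = []
    for line in tables.get("nat", []):
        m = DNAT_RE.match(line)
        if m:
            proto, ext_port, ip, port = m.groups()
            results.append((proto, int(ext_port), ip, int(port), (proto, ip, port) in accepted))
    return results
```

With the dump as posted both forwards are accepted; with only the DNAT port changed, the 8080 forward has no FORWARD ACCEPT rule and falls to the chain's DROP policy.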