LinuxQuestions.org
Old 09-17-2003, 11:37 PM   #1
toovato
Member
 
Registered: Jul 2003
Location: Ft Lauderdale, FL
Distribution: debian
Posts: 48

iptables --list


Hello All:
I have some questions about forwarding packets.
I am trying to forward packets to a DMZ at 192.168.3.2.
I can see the packets hit the NAT table through iptables -v and watching the packet count go up, and I can see that the FORWARD chain accepts the packet through the same method.

I am under the impression that FORWARD should place them directly on the line. Is there another step to place them on the line?

The server at the DMZ does not show any incoming packets through iptables -v, nor do the apache logs show access. Thanks in advance for your help.

I am sending requests through an anon-proxy to make sure packets go out and back in.

noc:/proc/sys/net/ipv4# iptables --list -v
Chain INPUT (policy DROP 405 packets, 19894 bytes)
pkts bytes target prot opt in out source destination
8902 3101K bad_tcp_packets tcp -- any any anywhere anywhere
199 17840 icmp_packets icmp -- eth0 any anywhere anywhere
1494 600K ACCEPT all -- eth2 any anywhere 192.168.3.1
0 0 ACCEPT all -- eth1 any anywhere 192.168.2.1
3355 983K ACCEPT all -- lo any noc.zionsecure.com anywhere
0 0 ACCEPT all -- lo any 192.168.2.1 anywhere
0 0 ACCEPT all -- lo any adsl-068-209-111-012.sip.mia.bellsouth.net anywhere
0 0 ACCEPT udp -- eth1 any anywhere anywhere udp spt:bootpc dpt:bootps
70 22960 ACCEPT udp -- eth2 any anywhere anywhere udp spt:bootpc dpt:bootps
2202 1375K ACCEPT all -- any any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net state RELATED,ESTABLISHED
202 9886 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
51 3024 bad_tcp_packets tcp -- any any anywhere anywhere
0 0 ACCEPT all -- eth2 eth0 anywhere anywhere
0 0 ACCEPT all -- eth0 eth2 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth2 anywhere anywhere
0 0 ACCEPT all -- eth2 eth1 anywhere anywhere state RELATED,ESTABLISHED
51 3024 allowed tcp -- eth0 eth2 anywhere 192.168.3.2 tcp dpt:www
0 0 icmp_packets icmp -- eth0 eth2 anywhere 192.168.3.2
0 0 allowed tcp -- eth0 eth2 anywhere 192.168.3.3 tcp dpt:domain
0 0 ACCEPT udp -- eth0 eth2 anywhere 192.168.3.3 udp dpt:domain
0 0 icmp_packets icmp -- eth0 eth2 anywhere 192.168.3.3
0 0 ACCEPT all -- eth1 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: '

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8523 1928K bad_tcp_packets tcp -- any any anywhere anywhere
3355 983K ACCEPT all -- any any noc.zionsecure.com anywhere
0 0 ACCEPT all -- any any 192.168.2.1 anywhere
4309 913K ACCEPT all -- any any adsl-068-209-111-012.sip.mia.bellsouth.net anywhere
1910 143K ACCEPT tcp -- any eth2 192.168.3.1 192.168.3.2 tcp multiport dports ssh,www
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '

Chain allowed (2 references)
pkts bytes target prot opt in out source destination
51 3024 ACCEPT tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP tcp -- any any anywhere anywhere

Chain bad_tcp_packets (3 references)
pkts bytes target prot opt in out source destination
1769 147K ACCEPT tcp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net tcp dpt:ssh
0 0 ACCEPT tcp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net tcp dpt:10000
558 126K ACCEPT tcp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net tcp dpt:https
0 0 REJECT tcp -- any any anywhere anywhere state NEW tcp flags:SYN,ACK/SYN,ACK reject-with tcp-reset
0 0 LOG tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN LOG level warning prefix `New not syn:'
0 0 DROP tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN

Chain icmp_packets (3 references)
pkts bytes target prot opt in out source destination
186 17112 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded


noc:/proc/sys/net/ipv4# iptables --list -t nat -v
Chain PREROUTING (policy ACCEPT 630 packets, 42066 bytes)
pkts bytes target prot opt in out source destination
21 1248 DNAT tcp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net tcp dpt:www to:192.168.3.2
0 0 DNAT tcp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net tcp dpt:domain to:192.168.3.3
0 0 DNAT udp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net udp dpt:domain to:192.168.3.3

Chain POSTROUTING (policy ACCEPT 215 packets, 13400 bytes)
pkts bytes target prot opt in out source destination
123 15226 SNAT all -- any eth0 anywhere anywhere to:68.209.111.12

Chain OUTPUT (policy ACCEPT 329 packets, 28098 bytes)
pkts bytes target prot opt in out source destination
noc:/proc/sys/net/ipv4#
 
Old 09-18-2003, 04:32 AM   #2
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Are you sure the anon proxy is not mangling them somehow? I would suggest you set your FORWARD CHAIN to ACCEPT all packets and see if that helps.
 
Old 09-18-2003, 04:47 AM   #3
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

The reason I said that is that it looks like you are getting traffic on 192.168.3.2 tcp dpt:www, but you are opening up dpt:domain? Also you had some bad-packets to other ports e.g. ssh https.

Last edited by /bin/bash; 09-18-2003 at 04:49 AM.
 
Old 09-18-2003, 01:02 PM   #4
toovato
Member
 
Registered: Jul 2003
Location: Ft Lauderdale, FL
Distribution: debian
Posts: 48

Original Poster

Thanks for your reply:

Here are some of the packets as they come over eth2. They don't look mangled. It is almost like the server on the DMZ doesn't know to answer these packets, although I am able to telnet to the DMZ from the firewall on port 80. For whatever reason the DMZ does not answer these requests from outside the network.

On the same note, if I continually hit ifconfig on the DMZ server I can see TX and RX packets go up when I make a request on 80, and they seem to be more frequent than just ARP.

About ports 67 and 68: yes, I plan on running Bind.

"Also you had some bad-packets to other ports e.g. ssh https."

Those are for the firewall itself - not the DMZ - the only thing I am concerned with sending to the DMZ is 80 and dpt:domain.

Changed the FORWARD chain to accept all, and still no dice.



noc:/home/admin# tethereal
Capturing on eth2
0.000000 192.168.3.1 -> Broadcast ARP Who has 192.168.3.2? Tell 192.168.3.1
0.000125 192.168.3.2 -> 192.168.3.1 ARP 192.168.3.2 is at 00:50:ba:cc:11:d0
0.000139 141.76.1.122 -> 192.168.3.2 TCP 54067 > www [SYN] Seq=4109765753 Ack=0 Win=5840 Len=0
3.006263 141.76.1.122 -> 192.168.3.2 TCP 54067 > www [SYN] Seq=4109765753 Ack=0 Win=5840 Len=0
8.922981 141.76.1.122 -> 192.168.3.2 TCP 54067 > www [SYN] Seq=4109765753 Ack=0 Win=5840 Len=0
20.849090 141.76.1.122 -> 192.168.3.2 TCP 54067 > www [SYN] Seq=4109765753 Ack=0 Win=5840 Len=0
44.998162 141.76.1.122 -> 192.168.3.2 TCP 54067 > www [SYN] Seq=4109765753 Ack=0 Win=5840 Len=0
noc:/home/admin#
 
Old 09-18-2003, 07:19 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

noc:/proc/sys/net/ipv4# iptables --list -v
Could you provide a D/L URI for the actual script? Dunno about other people but I choose reading a script over --list output any time.
 
Old 09-18-2003, 08:15 PM   #6
toovato
Member
 
Registered: Jul 2003
Location: Ft Lauderdale, FL
Distribution: debian
Posts: 48

Original Poster
http://iptables-tutorial.frozentux.n...Z.firewall.txt

Thanks unspawn
 
Old 09-19-2003, 05:33 AM   #7
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Did you change the IP numbers in your script before running it? You have different IP numbers than what's in the script.

What does ifconfig on the firewall show and also on the DMZ computer?
Do you have a firewall on the DMZ computer? You need to double check all your IPs. If your network is really set up the way it is shown in the tutorial then the script should work. It was written by Oskar Andreasson after all.
 
Old 09-19-2003, 09:56 AM   #8
toovato
Member
 
Registered: Jul 2003
Location: Ft Lauderdale, FL
Distribution: debian
Posts: 48

Original Poster
I am a moron - I had all the IPs set up correctly, but I didn't have the "gateway" set on the DMZ - for some reason not having the gateway defined allowed access to the DMZ from the firewall but not from the internet. I set the gateway to the IP of eth2 and was good to go.

Thanks guys
Brian
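The root cause above is a routing problem on the DMZ host, not a filtering problem: with only the connected 192.168.3.0/24 route, the server can answer the firewall (192.168.3.1) but has no route for a SYN-ACK back to an outside client such as 141.76.1.122, so the SYNs in the tethereal capture are simply retransmitted. The following is an added example, not code from the thread, that replays that lookup on two constructed `ip route`-style tables; it assumes the DMZ host's interface is named eth0 and that the firewall's eth2 address 192.168.3.1 is the gateway, as in post #8.

```python
import ipaddress

# Constructed route table for the DMZ host (192.168.3.2) as described in
# post #8: a connected route only, no default gateway. Interface name eth0
# is assumed; the thread does not name the DMZ host's interface.
DMZ_ROUTES_NO_GATEWAY = """
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.2
"""

# The same host after setting the gateway to the firewall's eth2 address.
DMZ_ROUTES_FIXED = """
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.2
default via 192.168.3.1 dev eth0
"""


def parse_routes(text):
    """Parse 'ip route' style lines into (network, via, dev) tuples."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match as the kernel does it. Returns (via, dev), with
    via=None for a directly connected destination, or None when there is no
    route at all (the sender gets ENETUNREACH and the reply is never built)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else (best[1], best[2])


def can_reply(route_text, client_ip):
    """Could the DMZ web server send a SYN-ACK back to client_ip?"""
    return lookup(parse_routes(route_text), client_ip) is not None
```

Comparing the two tables for the firewall's own address and for the outside client reproduces the thread's symptom exactly: the firewall's telnet to port 80 succeeds either way, while the internet client only gets an answer once the default route exists.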
 