Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
08-05-2016, 10:39 AM   #1   Reprovo (Member)
Single outbound FORWARD chain command Is allowing ping replies


Hi. I'm relatively new to iptables.

I'm trying to understand why the following command is allowing me to ping the address 8.8.8.8.

The firewall is running on a router.

Code:
iptables -t filter -I FORWARD -s 192.168.163.0/24 -d 8.8.8.8/32 -j ACCEPT
I don't understand two things:

1. Why is the ICMP echo reply not being blocked? I'm only allowing outbound traffic.

2. Why do I not need a second nat PREROUTING rule, since I am using NAT on the router?

I have no other rules in place that would allow any incoming traffic.

I would appreciate any enlightenment.

** Just to add (edited earlier but wasn't added for some reason): the router is running ZeroShell and I see that connection tracking for the above addresses is occurring. I don't know where that is enabled or disabled though.

Last edited by Reprovo; 08-06-2016 at 01:58 AM.
 
08-05-2016, 01:17 PM   #2   smallpond (Senior Member)
Could be several reasons. You need to give the rest of your rules from iptables-save.
 
08-06-2016, 04:13 AM   #3   Reprovo (Member, original poster)
Hi.
Thanks for taking a look.

Code:
# Generated by iptables-save v1.4.0 on Sat Aug  6 05:05:12 2016
*nat
:PREROUTING ACCEPT [911:252497]
:POSTROUTING ACCEPT [19:1822]
:OUTPUT ACCEPT [381:30810]
:CapPort - [0:0]
:CapPortGW - [0:0]
:CapPortHTTP - [0:0]
:CapPortHTTPS - [0:0]
:CapPortProxy - [0:0]
:OpenVPN - [0:0]
:Proxy - [0:0]
:SNATVS - [0:0]
:UII_CHAIN_DNS - [0:0]
:UII_CHAIN_SYS - [0:0]
:UII_INTERFACERULES - [0:0]
-A PREROUTING -d 75.98.93.51/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -s 75.98.93.51/32 -p tcp -m tcp --sport 443 -j ACCEPT
-A PREROUTING -s 75.98.93.51/32 -p tcp -j ACCEPT
-A PREROUTING -s 192.168.8.0/24 -d 192.168.8.0/24 -p tcp -j ACCEPT
-A PREROUTING -s 192.168.163.0/24 -d 192.168.163.0/24 -p tcp -j ACCEPT
-A PREROUTING -s 192.168.111.0/24 -d 192.168.111.0/24 -p tcp -j ACCEPT
-A PREROUTING -j UII_CHAIN_DNS
-A PREROUTING -j UII_CHAIN_SYS
-A PREROUTING -s 192.168.0.0/16 -d 192.168.0.0/16 -p tcp -j ACCEPT
-A PREROUTING -j CapPort
-A PREROUTING -p tcp -m tcp --dport 80 -j Proxy
-A POSTROUTING -o ETH00.4013 -j MASQUERADE
-A POSTROUTING -o ETH00.4012 -j MASQUERADE
-A POSTROUTING -o ETH00.111 -j MASQUERADE
-A POSTROUTING -j SNATVS
-A POSTROUTING -o ETH00 -j MASQUERADE
-A POSTROUTING -o ETH01 -j MASQUERADE
-A POSTROUTING -o ETH02 -j MASQUERADE
-A POSTROUTING -o ETH03 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp1 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
-A POSTROUTING -j OpenVPN
-A CapPort -i ETH00.4013 -p tcp -m tcp --dport 12081 -j CapPortGW
-A CapPort -i ETH00.4013 -p tcp -m tcp --dport 12080 -j CapPortGW
-A CapPort -i ETH00.4013 -p tcp -m tcp --dport 443 -j CapPortHTTPS
-A CapPort -i ETH00.4013 -p tcp -m tcp --dport 80 -j CapPortHTTP
-A CapPort -i ETH00.4012 -p tcp -m tcp --dport 12081 -j CapPortGW
-A CapPort -i ETH00.4012 -p tcp -m tcp --dport 12080 -j CapPortGW
-A CapPort -i ETH00.4012 -p tcp -m tcp --dport 443 -j CapPortHTTPS
-A CapPort -i ETH00.4012 -p tcp -m tcp --dport 80 -j CapPortHTTP
-A CapPort -i ETH00.111 -p tcp -m tcp --dport 12081 -j CapPortGW
-A CapPort -i ETH00.111 -p tcp -m tcp --dport 12080 -j CapPortGW
-A CapPort -i ETH00.111 -p tcp -m tcp --dport 443 -j CapPortHTTPS
-A CapPort -i ETH00.111 -p tcp -m tcp --dport 80 -j CapPortHTTP
-A CapPort -i ETH00 -p tcp -m tcp --dport 80 -j CapPortHTTP
-A CapPort -i ETH00 -p tcp -m tcp --dport 443 -j CapPortHTTPS
-A CapPort -i ETH00 -p tcp -m tcp --dport 12080 -j CapPortGW
-A CapPort -i ETH00 -p tcp -m tcp --dport 12081 -j CapPortGW
-A CapPortGW -p tcp -j REDIRECT
-A CapPortHTTP -s 192.168.8.0/24 -d 192.168.8.0/24 -j ACCEPT
-A CapPortHTTP -s 192.168.163.0/24 -d 192.168.163.0/24 -j ACCEPT
-A CapPortHTTP -s 192.168.111.0/24 -d 192.168.111.0/24 -j ACCEPT
-A CapPortHTTP -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A CapPortHTTP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit 10/min --hashlimit-burst 15 --hashlimit-mode srcip,dstport --hashlimit-name CP_Redirect -j REDIRECT --to-ports 12080
-A CapPortHTTP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A CapPortHTTP -p tcp -j REDIRECT --to-ports 12080
-A CapPortHTTPS -s 192.168.8.0/24 -d 192.168.8.0/24 -j ACCEPT
-A CapPortHTTPS -s 192.168.163.0/24 -d 192.168.163.0/24 -j ACCEPT
-A CapPortHTTPS -s 192.168.111.0/24 -d 192.168.111.0/24 -j ACCEPT
-A CapPortHTTPS -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A CapPortHTTPS -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit 10/min --hashlimit-burst 15 --hashlimit-mode srcip,dstport --hashlimit-name CP_Redirect -j REDIRECT --to-ports 12081
-A CapPortHTTPS -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A CapPortHTTPS -p tcp -j REDIRECT --to-ports 12081
-A CapPortProxy -p tcp -m tcp --dport 80 -j Proxy
-A CapPortProxy -j ACCEPT
-A OpenVPN -m iprange --src-range 192.168.250.1-192.168.250.253 -j MASQUERADE
-A Proxy -s 192.168.0.0/16 -d 208.64.37.133/32 -i ETH00 -p tcp -j ACCEPT
-A Proxy -d 192.168.0.0/16 -i ETH00 -p tcp -j ACCEPT
-A Proxy -s 192.168.0.0/16 -p tcp -j REDIRECT --to-ports 8080
-A Proxy -s 192.168.111.0/24 -p tcp -j REDIRECT --to-ports 8080
-A Proxy -s 192.168.163.0/24 -p tcp -j REDIRECT --to-ports 8080
-A Proxy -s 192.168.8.0/24 -p tcp -j REDIRECT --to-ports 8080
-A Proxy -s 192.168.15.0/24 -p tcp -j REDIRECT --to-ports 8080
-A Proxy -s 192.168.8.0/24 -p tcp -j REDIRECT --to-ports 8080
-A UII_CHAIN_DNS -i ETH00.4013 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A UII_CHAIN_DNS -i ETH00.4012 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A UII_CHAIN_DNS -i ETH00.111 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A UII_CHAIN_DNS -i ETH00 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A UII_CHAIN_SYS -s 192.168.10.254/32 -j ACCEPT
-A UII_CHAIN_SYS -d 192.168.10.254/32 -j ACCEPT
COMMIT
# Completed on Sat Aug  6 05:05:12 2016
# Generated by iptables-save v1.4.0 on Sat Aug  6 05:05:12 2016
*mangle
:PREROUTING ACCEPT [1124:267466]
:INPUT ACCEPT [2120:229001]
:FORWARD ACCEPT [74:4934]
:OUTPUT ACCEPT [1988:824504]
:POSTROUTING ACCEPT [1991:825397]
:FTP01IN - [0:0]
:FTP01OUT - [0:0]
:FTP02IN - [0:0]
:FTP02OUT - [0:0]
:HTTP01IN - [0:0]
:HTTP01OUT - [0:0]
:HTTP02IN - [0:0]
:HTTP02OUT - [0:0]
:HTTPS01IN - [0:0]
:HTTPS01OUT - [0:0]
:HTTPS02IN - [0:0]
:HTTPS02OUT - [0:0]
:ICMP01IN - [0:0]
:ICMP01OUT - [0:0]
:ICMP02IN - [0:0]
:ICMP02OUT - [0:0]
:IFACE01IN - [0:0]
:IFACE01OUT - [0:0]
:IFACE02IN - [0:0]
:IFACE02OUT - [0:0]
:IMAP01IN - [0:0]
:IMAP01OUT - [0:0]
:IMAP02IN - [0:0]
:IMAP02OUT - [0:0]
:NB_CT_POST - [0:0]
:NB_STAT - [0:0]
:NetBalancer - [0:0]
:OPTIMA01IN - [0:0]
:OPTIMA01OUT - [0:0]
:OPTIMA02IN - [0:0]
:OPTIMA02OUT - [0:0]
:OpenVPN - [0:0]
:POP01IN - [0:0]
:POP01OUT - [0:0]
:POP02IN - [0:0]
:POP02OUT - [0:0]
:RDP01IN - [0:0]
:RDP01OUT - [0:0]
:RDP02IN - [0:0]
:RDP02OUT - [0:0]
:SIP01IN - [0:0]
:SIP01OUT - [0:0]
:SIP02IN - [0:0]
:SIP02OUT - [0:0]
:SMTP01IN - [0:0]
:SMTP01OUT - [0:0]
:SMTP02IN - [0:0]
:SMTP02OUT - [0:0]
:SQUID01IN - [0:0]
:SQUID01OUT - [0:0]
:SQUID02IN - [0:0]
:SQUID02OUT - [0:0]
:SSH01IN - [0:0]
:SSH01OUT - [0:0]
:SSH02IN - [0:0]
:SSH02OUT - [0:0]
:TV01IN - [0:0]
:TV01OUT - [0:0]
:TV02IN - [0:0]
:TV02OUT - [0:0]
:UII_LOG_ACCEPT - [0:0]
:UII_MARKDEFAULT - [0:0]
:UII_SIMPLE_FW - [0:0]
:VNC01IN - [0:0]
:VNC01OUT - [0:0]
:VNC02IN - [0:0]
:VNC02OUT - [0:0]
:VPNIN - [0:0]
:VPNOUT - [0:0]
-A PREROUTING -i ETH02 -j IFACE02IN
-A PREROUTING -i ETH01 -j IFACE01IN
-A PREROUTING -i ETH02 -p udp -m multiport --sports 5060,5061 -j SIP02IN
-A PREROUTING -i ETH01 -p udp -m multiport --sports 5060,5061 -j SIP01IN
-A PREROUTING -i ETH02 -p tcp -m multiport --sports 5060,5061 -j SIP02IN
-A PREROUTING -i ETH01 -p tcp -m multiport --sports 5060,5061 -j SIP01IN
-A PREROUTING -i ETH02 -p tcp -m multiport --sports 5800,5500 -j VNC02IN
-A PREROUTING -i ETH01 -p tcp -m multiport --sports 5800,5500 -j VNC01IN
-A PREROUTING -i ETH02 -p tcp -m tcp --sport 5938 -j TV02IN
-A PREROUTING -i ETH01 -p tcp -m tcp --sport 5938 -j TV01IN
-A PREROUTING -i ETH02 -p tcp -m tcp --sport 3389 -j RDP02IN
-A PREROUTING -i ETH01 -p tcp -m tcp --sport 3389 -j RDP01IN
-A PREROUTING -s ! 184.173.128.251/32 -i ETH02 -p tcp -m tcp --sport 22 -j SSH02IN
-A PREROUTING -s ! 184.173.128.251/32 -i ETH01 -p tcp -m tcp --sport 22 -j SSH01IN
-A PREROUTING -i ETH02 -p tcp -m multiport --sports 20,21 -j FTP02IN
-A PREROUTING -i ETH01 -p tcp -m multiport --sports 20,21 -j FTP01IN
-A PREROUTING -i ETH02 -p tcp -m multiport --sports 143,220,993 -j IMAP02IN
-A PREROUTING -i ETH01 -p tcp -m multiport --sports 143,220,993 -j IMAP01IN
-A PREROUTING -i ETH02 -p tcp -m multiport --sports 25,587 -j SMTP02IN
-A PREROUTING -i ETH01 -p tcp -m multiport --sports 25,587 -j SMTP01IN
-A PREROUTING -i ETH02 -p tcp -m multiport --sports 110,995 -j POP02IN
-A PREROUTING -i ETH01 -p tcp -m multiport --sports 110,995 -j POP01IN
-A PREROUTING -i ETH02 -p icmp -m icmp --icmp-type 0 -j ICMP02IN
-A PREROUTING -i ETH01 -p icmp -m icmp --icmp-type 0 -j ICMP01IN
-A PREROUTING -i ETH02 -p tcp -m tcp --sport 443 -j HTTPS02IN
-A PREROUTING -i ETH01 -p tcp -m tcp --sport 443 -j HTTPS01IN
-A PREROUTING -i ETH02 -p tcp -m tcp --sport 8080 -j SQUID02IN
-A PREROUTING -i ETH01 -p tcp -m tcp --sport 8080 -j SQUID01IN
-A PREROUTING -i ETH02 -p tcp -m tcp --sport 80 -j HTTP02IN
-A PREROUTING -i ETH01 -p tcp -m tcp --sport 80 -j HTTP01IN
-A PREROUTING -s 184.173.128.250/32 -i ETH02 -p tcp -m tcp --sport 3128 -j OPTIMA02IN
-A PREROUTING -s 184.173.128.250/32 -i ETH01 -p tcp -m tcp --sport 3128 -j OPTIMA01IN
-A PREROUTING -s 10.8.0.1/32 -j VPNIN
-A PREROUTING -j UII_SIMPLE_FW
-A PREROUTING -j UII_MARKDEFAULT
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -j NetBalancer
-A INPUT -j UII_MARKDEFAULT
-A INPUT -j NetBalancer
-A FORWARD -j UII_MARKDEFAULT
-A OUTPUT -j UII_MARKDEFAULT
-A OUTPUT -j NetBalancer
-A OUTPUT -j OpenVPN
-A POSTROUTING -o ETH02 -p udp -m multiport --dports 5060,5061 -j SIP02OUT
-A POSTROUTING -o ETH01 -p udp -m multiport --dports 5060,5061 -j SIP01OUT
-A POSTROUTING -o ETH02 -p tcp -m multiport --dports 5060,5061 -j SIP02OUT
-A POSTROUTING -o ETH01 -p tcp -m multiport --dports 5060,5061 -j SIP01OUT
-A POSTROUTING -o ETH02 -p tcp -m multiport --dports 5800,5500 -j VNC02OUT
-A POSTROUTING -o ETH01 -p tcp -m multiport --dports 5800,5500 -j VNC01OUT
-A POSTROUTING -o ETH02 -p tcp -m tcp --dport 5938 -j TV02OUT
-A POSTROUTING -o ETH01 -p tcp -m tcp --dport 5938 -j TV01OUT
-A POSTROUTING -o ETH02 -p tcp -m tcp --dport 3389 -j RDP02OUT
-A POSTROUTING -o ETH01 -p tcp -m tcp --dport 3389 -j RDP01OUT
-A POSTROUTING -d ! 184.173.128.251/32 -o ETH02 -p tcp -m tcp --dport 22 -j SSH02OUT
-A POSTROUTING -d ! 184.173.128.251/32 -o ETH01 -p tcp -m tcp --dport 22 -j SSH01OUT
-A POSTROUTING -o ETH02 -p tcp -m multiport --dports 20,21 -j FTP02OUT
-A POSTROUTING -o ETH01 -p tcp -m multiport --dports 20,21 -j FTP01OUT
-A POSTROUTING -o ETH02 -p tcp -m multiport --dports 143,220,993 -j IMAP02OUT
-A POSTROUTING -o ETH01 -p tcp -m multiport --dports 143,220,993 -j IMAP01OUT
-A POSTROUTING -o ETH02 -p tcp -m multiport --dports 25,587 -j SMTP02OUT
-A POSTROUTING -o ETH01 -p tcp -m multiport --dports 25,587 -j SMTP01OUT
-A POSTROUTING -o ETH02 -p tcp -m multiport --dports 110,995 -j POP02OUT
-A POSTROUTING -o ETH01 -p tcp -m multiport --dports 110,995 -j POP01OUT
-A POSTROUTING -o ETH02 -p icmp -m icmp --icmp-type 8 -j ICMP02OUT
-A POSTROUTING -o ETH01 -p icmp -m icmp --icmp-type 8 -j ICMP01OUT
-A POSTROUTING -o ETH02 -p tcp -m tcp --dport 443 -j HTTPS02OUT
-A POSTROUTING -o ETH01 -p tcp -m tcp --dport 443 -j HTTPS01OUT
-A POSTROUTING -o ETH02 -p tcp -m tcp --dport 8080 -j SQUID02OUT
-A POSTROUTING -o ETH01 -p tcp -m tcp --dport 8080 -j SQUID01OUT
-A POSTROUTING -o ETH02 -p tcp -m tcp --dport 80 -j HTTP02OUT
-A POSTROUTING -o ETH01 -p tcp -m tcp --dport 80 -j HTTP01OUT
-A POSTROUTING -d 184.173.128.250/32 -o ETH02 -p tcp -m tcp --dport 3128 -j OPTIMA02OUT
-A POSTROUTING -d 184.173.128.250/32 -o ETH01 -p tcp -m tcp --dport 3128 -j OPTIMA01OUT
-A POSTROUTING -d 10.8.0.1/32 -j VPNOUT
-A POSTROUTING -j UII_MARKDEFAULT
-A POSTROUTING -m state --state NEW -j NB_CT_POST
-A POSTROUTING -j NB_STAT
-A POSTROUTING -o ETH01 -j IFACE01OUT
-A POSTROUTING -o ETH02 -j IFACE02OUT
-A NB_CT_POST -m realm --realm 0x68 -j MARK --set-mark 0x68
-A NB_CT_POST -m realm --realm 0x67 -j MARK --set-mark 0x67
-A NB_CT_POST -m realm --realm 0x66 -j MARK --set-mark 0x66
-A NB_CT_POST -j CONNMARK --save-mark
-A NB_STAT -m mark --mark 0x68
-A NB_STAT -m mark --mark 0x67
-A NB_STAT -m mark --mark 0x66
-A UII_LOG_ACCEPT -j ULOG --ulog-prefix "UII_ACT" --ulog-cprange 48 --ulog-qthreshold 50
-A UII_LOG_ACCEPT -j ACCEPT
-A UII_MARKDEFAULT -j MARK --set-mark 0xff03
-A UII_SIMPLE_FW -m iprange --dst-range 207.154.29.100-207.154.29.101 -j UII_LOG_ACCEPT
-A UII_SIMPLE_FW -m iprange --src-range 207.154.29.100-207.154.29.101 -j UII_LOG_ACCEPT
-A UII_SIMPLE_FW -d 192.168.0.0/16 -j ACCEPT
-A UII_SIMPLE_FW -d 206.67.134.101/32 -p tcp -m tcp --dport 6500:6600 -j UII_LOG_ACCEPT
COMMIT
# Completed on Sat Aug  6 05:05:12 2016
# Generated by iptables-save v1.4.0 on Sat Aug  6 05:05:12 2016
*filter
:INPUT ACCEPT [1233:126454]
:FORWARD ACCEPT [4:1228]
:OUTPUT ACCEPT [1340:772858]
:CapPort - [0:0]
:CapPortACL - [0:0]
:CapPortFC - [0:0]
:CapPortFS - [0:0]
:CapPortWL - [0:0]
:DNS01IN - [0:0]
:DNS01OUT - [0:0]
:DNS02IN - [0:0]
:DNS02OUT - [0:0]
:MAXIMA01IN - [0:0]
:MAXIMA01OUT - [0:0]
:MAXIMA02IN - [0:0]
:MAXIMA02OUT - [0:0]
:NetBalancer - [0:0]
:PRERT_VLAN_ALLOW - [0:0]
:SMC01IN - [0:0]
:SMC01OUT - [0:0]
:SMC02IN - [0:0]
:SMC02OUT - [0:0]
:SYS_HTTPS - [0:0]
:SYS_INPUT - [0:0]
:SYS_OUTPUT - [0:0]
:SYS_SSH - [0:0]
:UII_ACCOUNTING - [0:0]
:UII_ACL - [0:0]
:UII_BOXRULES - [0:0]
:UII_BOXRULES_HTTP - [0:0]
:UII_CHAIN_01 - [0:0]
:UII_CHAIN_02 - [0:0]
:UII_CHAIN_03 - [0:0]
:UII_CHAIN_04 - [0:0]
:UII_CHAIN_05 - [0:0]
:UII_CHAIN_SQUIDCONTROL - [0:0]
:UII_CHAIN_SYS - [0:0]
:UII_CHAIN_TESTALL - [0:0]
:UII_INTERFACERULES - [0:0]
:UII_MAIN - [0:0]
:UII_PERSONALRULES - [0:0]
:UII_PROXY_ACCESS_INPUT - [0:0]
:UII_PROXY_ACCESS_OUTPUT - [0:0]
:UII_PROXY_USERACCESS_INPUT - [0:0]
:UII_PROXY_USERACCESS_OUTPUT - [0:0]
:UII_VLANS - [0:0]
-A INPUT -i ETH02 -p udp -m udp --sport 53 -j DNS02IN
-A INPUT -i ETH01 -p udp -m udp --sport 53 -j DNS01IN
-A INPUT -s 184.173.128.251/32 -i ETH02 -j MAXIMA02IN
-A INPUT -s 184.173.128.251/32 -i ETH01 -j MAXIMA01IN
-A INPUT -p tcp -m tcp --dport 8080 -j UII_CHAIN_SQUIDCONTROL
-A INPUT -j SYS_INPUT
-A INPUT -p tcp -m tcp --dport 80 -j SYS_HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j SYS_HTTPS
-A INPUT -p tcp -m tcp --dport 22 -j SYS_SSH
-A INPUT -p tcp -m tcp --dport 8080 -j UII_PROXY_ACCESS_INPUT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.163.0/24 -d 8.8.8.8/32 -j ACCEPT
-A FORWARD -o ETH02 -m iprange --dst-range 207.154.29.100-207.154.29.101 -j SMC02OUT
-A FORWARD -o ETH01 -m iprange --dst-range 207.154.29.100-207.154.29.101 -j SMC01OUT
-A FORWARD -i ETH02 -m iprange --src-range 207.154.29.100-207.154.29.101 -j SMC02IN
-A FORWARD -i ETH01 -m iprange --src-range 207.154.29.100-207.154.29.101 -j SMC01IN
-A FORWARD -d 206.67.134.101/32 -o ETH02 -j SMC02OUT
-A FORWARD -s 206.67.134.101/32 -i ETH02 -j SMC02IN
-A FORWARD -d 206.67.134.101/32 -o ETH01 -j SMC01OUT
-A FORWARD -s 206.67.134.101/32 -i ETH01 -j SMC01IN
-A FORWARD -j UII_MAIN
-A FORWARD -j CapPort
-A OUTPUT -o ETH02 -p udp -m udp --dport 53 -j DNS02OUT
-A OUTPUT -o ETH01 -p udp -m udp --dport 53 -j DNS01OUT
-A OUTPUT -d 184.173.128.251/32 -o ETH02 -j MAXIMA02OUT
-A OUTPUT -d 184.173.128.251/32 -o ETH01 -j MAXIMA01OUT
-A OUTPUT -j UII_ACL
-A OUTPUT -j UII_BOXRULES_HTTP
-A OUTPUT -p tcp -m tcp --sport 8080 -j UII_PROXY_ACCESS_OUTPUT
-A OUTPUT -j SYS_OUTPUT
-A CapPort -i ETH00.4013 -j CapPortACL
-A CapPort -i ETH00.4012 -j CapPortACL
-A CapPort -i ETH00.111 -j CapPortACL
-A CapPort -i ETH00 -j CapPortACL
-A CapPortACL -j CapPortFS
-A CapPortACL -j CapPortFC
-A CapPortACL -j CapPortWL
-A CapPortACL -j DROP
-A CapPortFS -p udp -m udp --dport 67 -j ACCEPT
-A CapPortWL -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A SYS_HTTPS -i lo -j ACCEPT
-A SYS_HTTPS -j ACCEPT
-A SYS_INPUT -i ETH00.4013 -p tcp -m tcp --dport 12080:12083 -j ACCEPT
-A SYS_INPUT -i ETH00.4012 -p tcp -m tcp --dport 12080:12083 -j ACCEPT
-A SYS_INPUT -i ETH00.111 -p tcp -m tcp --dport 12080:12083 -j ACCEPT
-A SYS_INPUT -i lo -j ACCEPT
-A SYS_INPUT -i ETH00 -p tcp -m tcp --dport 12080:12083 -j ACCEPT
-A SYS_INPUT -p tcp -m tcp --dport 12080:12083 -j DROP
-A SYS_INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -p tcp -m tcp --sport 8245 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -j RETURN
-A SYS_OUTPUT -o lo -j ACCEPT
-A SYS_OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A SYS_OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A SYS_OUTPUT -p tcp -m tcp --dport 8245 -j ACCEPT
-A SYS_OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A SYS_OUTPUT -j RETURN
-A SYS_SSH -i tap0 -j ACCEPT
-A SYS_SSH -i lo -j ACCEPT
-A SYS_SSH -i ETH00 -j ACCEPT
-A SYS_SSH -i VPN00 -j ACCEPT
-A SYS_SSH -s 192.168.0.0/16 -j ACCEPT
-A SYS_SSH -j DROP
-A UII_ACCOUNTING -j ACCEPT
-A UII_ACL -d 207.40.25.189/32 -j ACCEPT
-A UII_ACL -s 207.40.25.189/32 -j ACCEPT
-A UII_ACL -d 184.173.128.250/32 -j ACCEPT
-A UII_ACL -s 184.173.128.250/32 -j ACCEPT
-A UII_ACL -d 184.173.128.251/32 -j ACCEPT
-A UII_ACL -s 184.173.128.251/32 -j ACCEPT
-A UII_ACL -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT
-A UII_ACL -s 10.0.0.0/8 -d 192.168.0.0/16 -j ACCEPT
-A UII_ACL -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A UII_ACL -m iprange --dst-range 207.154.29.100-207.154.29.101 -j ACCEPT
-A UII_ACL -m iprange --src-range 207.154.29.100-207.154.29.101 -j ACCEPT
-A UII_ACL -d 206.67.134.101/32 -j ACCEPT
-A UII_ACL -s 206.67.134.101/32 -j ACCEPT
-A UII_ACL -d 10.8.0.1/32 -j ACCEPT
-A UII_ACL -s 192.168.118.0/24 -p tcp -m tcp --dport 5500 -j RETURN
-A UII_ACL -s 192.168.100.0/24 -p tcp -m tcp --dport 3389 -j RETURN
-A UII_ACL -s 192.168.118.0/24 -j REJECT --reject-with icmp-port-unreachable
-A UII_BOXRULES -j UII_INTERFACERULES
-A UII_CHAIN_SYS -s 192.168.10.254/32 -j ACCEPT
-A UII_CHAIN_SYS -d 192.168.10.254/32 -j ACCEPT
-A UII_CHAIN_TESTALL -j UII_CHAIN_SYS
-A UII_CHAIN_TESTALL -j REJECT --reject-with icmp-port-unreachable
-A UII_MAIN -j UII_VLANS
-A UII_MAIN -j UII_ACL
-A UII_MAIN -j UII_BOXRULES
-A UII_PROXY_ACCESS_INPUT -p tcp -m tcp --dport 8080 -j UII_PROXY_USERACCESS_INPUT
-A UII_PROXY_ACCESS_INPUT -j REJECT --reject-with icmp-port-unreachable
-A UII_PROXY_ACCESS_OUTPUT -p tcp -m tcp --sport 8080 -j UII_PROXY_USERACCESS_OUTPUT
-A UII_PROXY_ACCESS_OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A UII_PROXY_USERACCESS_INPUT -j REJECT --reject-with icmp-port-unreachable
-A UII_PROXY_USERACCESS_OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
 
08-06-2016, 11:25 AM   #4   smallpond (Senior Member)
Too much for my little brain, but I suspect your outbound has non-local source and dest so goes through the forward chain. Then the packet gets masqueraded so the response has a local dest address. That means it goes through the input chain. You can print the counters on your icmp input chains to see if there is an accept rule hitting.
 
08-06-2016, 12:43 PM   #5   vincix (Senior Member)
Isn't the configuration overly complicated for what it is trying to achieve? There are more chains than rules themselves. It's a little bit silly.

@smallpond What do you mean exactly by 'non-local'?

@reprovo So if you delete that rule, you're certain that you can't ping 8.8.8.8? We're obviously talking about pinging from a computer belonging to the 192.168.163.0/24 network, right?

When you use NAT, you don't need a second rule. It's implied that the traffic going back is going to be allowed. That's the whole idea. It's stateful.

Last edited by vincix; 08-06-2016 at 12:47 PM.
 
08-07-2016, 02:26 AM   #6   Reprovo (Member, original poster)
Hi.

I will check the counters on the ICMP input thanks.

The configuration is messy/complicated. It wasn't set up by me; not sure who set it up.
Ping does stop working when I delete the rule.
 
08-07-2016, 03:09 AM   #7   vincix (Senior Member)
What I don't understand is what is happening to packets that are directed to chains such as UII_INTERFACERULES, HTTPS02IN, etc., which have no rules whatsoever. Are they automatically accepted?

If I were you, I would get rid of this configuration, but not until I understood it well, so that I could learn something about it. Besides the standard chains (INPUT, OUTPUT, FORWARD) and the nat chains, I don't think you'd need more than a few other chains. Or you could even make do with basic chains anyway. The rules themselves are not that complicated.
 
08-07-2016, 06:52 AM   #8   smallpond (Senior Member)
Even though ICMP is stateless, the conntrack code will detect the reply and apply the reverse nat rule. I believe it is time based.
 
08-07-2016, 06:59 AM   #9   Reprovo (Member, original poster)
Hi. Not allowed to mess with the config I'm afraid.

I can see in ZeroShell, now that I've checked, that the connection tracker is monitoring the outgoing 8.8.8.8 ICMP, so maybe that's it.

In general, is it possible to allow traffic to go through the WAN using NAT with only the FORWARD chain being involved?
 
08-07-2016, 11:47 AM   #10   vincix (Senior Member)
First of all, there's a big difference between DNAT and SNAT. You might know it, but I suppose it's important to understand it here in particular.

If you use SNAT (allowing your private network access to the internet), then the private IP source can be used in order to create rules in the FORWARD chain, because the source IP address is going to be converted into the public IP (masqueraded, in your case, I suppose) only before the router sends the traffic out. Whereas, if you use DNAT, then the destination IP is going to be converted to the respective private IP in the PREROUTING chain.
So in that case, you can manipulate the traffic using the "real" source IP (potentially a public IP) and the private destination IP.

I still don't really understand what is going on with your iptables configuration, but you might find this information useful, if you're not already aware of it.

What I still find weird is that there are a lot of chains that have no rules and to which packets are forwarded (jumped), and I think they should be dropped. They don't have a default policy (because you can't change that on non-built-in chains) and if there's no accept rule, I don't understand how it actually works.

Let's take for example this rule:
-A FORWARD -o ETH02 -m iprange --dst-range 207.154.29.100-207.154.29.101 -j SMC02OUT

SMC02OUT chain has no rules defined. I'm supposing the packets should be dropped. But if that's the case, then the rule doesn't make much sense. Does this rule work? If you delete it, would you still be able to reach those IPs?

Last edited by vincix; 08-07-2016 at 11:50 AM.
 
08-07-2016, 06:35 PM   #11   smallpond (Senior Member)
Every rule has a counter associated with it so firewall software sometimes adds rules just to classify and detect types of traffic.

The NAT code only affects the address changes. The traffic can still be accepted or blocked by the filter rules if you want. Echo request packets are type 8 and replies are type 0. I think the reply to an SNAT packet gets its dest address changed in PREROUTING so it should go through the FORWARD chain rather than INPUT, but what makes sense to me isn't always the case.
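As an added example (not from the thread or from ZeroShell), here is a small chain-walk over a constructed subset of the posted filter FORWARD rules, tracing the echo request and the de-NATed echo reply: the reply runs off the end of every user chain it is jumped to (an empty chain simply returns to its caller) and is accepted by the FORWARD policy, while without the inserted rule the request is caught by the captive portal's CapPortACL DROP. Assumed, since the thread names neither: the client is behind ETH00 and the WAN is ETH02.

```python
import ipaddress

# Constructed subset of the filter table in the iptables-save dump above: FORWARD
# and the user chains it reaches. Rules neither sample packet can hit are omitted.
RULES = """\
:FORWARD ACCEPT [4:1228]
-A FORWARD -s 192.168.163.0/24 -d 8.8.8.8/32 -j ACCEPT
-A FORWARD -j UII_MAIN
-A FORWARD -j CapPort
-A UII_MAIN -j UII_VLANS
-A UII_MAIN -j UII_ACL
-A UII_ACL -s 192.168.118.0/24 -j REJECT --reject-with icmp-port-unreachable
-A CapPort -i ETH00 -j CapPortACL
-A CapPortACL -j CapPortWL
-A CapPortACL -j DROP
-A CapPortWL -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
"""

def parse_rules(text):
    chains, policy = {}, {}                            # {chain: [rule]}, {chain: policy}
    for line in text.splitlines():
        toks = line.split()
        if toks[0].startswith(':'):                    # ":CHAIN POLICY [pkts:bytes]"
            chains.setdefault(toks[0][1:], [])
            policy[toks[0][1:]] = toks[1]
            continue
        rule = {}                                      # "-A CHAIN opt arg opt arg ..."
        for opt, arg in zip(toks[2::2], toks[3::2]):   # each option here takes one arg
            if opt in ('-s', '-d'):
                rule[opt] = ipaddress.ip_network(arg)
            elif opt in ('-i', '-o', '-p', '-j'):      # '-m' / '--reject-with' skipped
                rule[opt] = arg
        chains.setdefault(toks[1], []).append(rule)
    return chains, policy

def matches(rule, pkt):
    tests = {'-s': lambda v: ipaddress.ip_address(pkt['src']) in v,
             '-d': lambda v: ipaddress.ip_address(pkt['dst']) in v,
             '-i': lambda v: v == pkt['in'], '-o': lambda v: v == pkt['out'],
             '-p': lambda v: v == pkt['proto']}
    return all(tests[opt](val) for opt, val in rule.items() if opt != '-j')

def walk(chains, chain, pkt, path):
    # Terminal verdict, or None when the chain runs off its end. Falling off the end
    # is an implicit RETURN to the caller, which is all an empty user chain ever does.
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule['-j']
        if target in ('ACCEPT', 'DROP', 'REJECT'):
            path.append(f'{chain}:{target}')
            return target
        path.append(f'{chain}->{target}')
        verdict = walk(chains, target, pkt, path)
        if verdict:
            return verdict
    path.append(f'{chain}:return')
    return None

def forward_verdict(chains, policy, pkt):
    path = []
    verdict = walk(chains, 'FORWARD', pkt, path)
    if verdict is None:                                # nothing matched: policy decides
        verdict = policy['FORWARD']
        path.append(f'policy:{verdict}')
    return verdict, path

# Constructed packets; assumed (the thread says neither) that the 192.168.163.0/24 host
# is behind ETH00 and the WAN is ETH02. REPLY is what FORWARD sees: conntrack has
# already undone the MASQUERADE in nat PREROUTING, so its destination is private again.
REQUEST = {'src': '192.168.163.10', 'dst': '8.8.8.8', 'proto': 'icmp', 'in': 'ETH00', 'out': 'ETH02'}
REPLY = {'src': '8.8.8.8', 'dst': '192.168.163.10', 'proto': 'icmp', 'in': 'ETH02', 'out': 'ETH00'}

def trace(with_inserted_rule=True):
    chains, policy = parse_rules(RULES)
    if not with_inserted_rule:                         # the OP's "delete the rule" test
        chains['FORWARD'] = chains['FORWARD'][1:]
    return {name: forward_verdict(chains, policy, pkt)
            for name, pkt in (('request', REQUEST), ('reply', REPLY))}
```

`trace()` and `trace(False)` return the verdict and the chain path for each packet; the path shows where each packet was decided.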
 
08-09-2016, 12:46 PM   #12   vincix (Senior Member)
Depending on the iptables version, there's an INPUT chain also in the nat table. For instance, in CentOS 7, the 1.4.21 version of iptables also contains an INPUT chain. In CentOS 6 (v1.4.7), it doesn't.
 