Router-firewall problem

Petr Hřebíček petr.hrebicek at ceistat.com
Thursday December 19 16:37:19 CET 2002


> > No, I don't use NAT.
> > The PCs in the LAN have public addresses.
> > Petr
> 
> Send the output of iptables -n -L; iptables -t nat -n -L; iptables -t mangle -n -L and then we'll see :-) Even though it may be long.
> 
> -- 
> Bc. Zdenek Kaminski <xkaminsk at fi.muni.cz>
> 

OK, here it is:
address .131 is eth0 - Internet
address .225 is eth1 - LAN
the LAN is the subnet 62.168.40.224/255.255.255.224

iptables -n -L :
Chain INPUT (policy DROP)
target     prot opt source               destination
bad_packets  tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
LOG        icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 9 LOG flags 0 level 4 prefix ` _! ICMP Type 9,REJECT: '
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 9 reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            62.168.40.131      state RELATED,ESTABLISHED
LOG        tcp  --  0.0.0.0/0            62.168.40.131      tcp dpt:113 LOG flags 0 level 4 prefix ` _! AUTH na .131,RJ: '
REJECT     tcp  --  0.0.0.0/0            62.168.40.131      tcp dpt:113 reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            127.0.0.1
ACCEPT     tcp  --  0.0.0.0/0            62.168.40.131      tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            62.168.40.131      tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            62.168.40.131      tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            62.168.40.131      tcp dpt:25
ACCEPT     udp  --  0.0.0.0/0            62.168.40.131      udp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            62.168.40.131      tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            62.168.40.131      udp dpt:53
LOG        tcp  --  195.122.215.0/24     62.168.40.131      tcp dpt:110 LOG flags 0 level 4 prefix `_! POP3_MP na .131,AC: '
ACCEPT     tcp  --  195.122.215.0/24     62.168.40.131      tcp dpt:110
LOG        tcp  --  62.177.103.0/24      62.168.40.131      tcp dpt:110 LOG flags 0 level 4 prefix `_! POP3_MP na .131,AC: '
ACCEPT     tcp  --  62.177.103.0/24      62.168.40.131      tcp dpt:110
LOG        tcp  --  160.218.14.0/24      62.168.40.131      tcp dpt:110 LOG flags 0 level 4 prefix `_! POP3_Por na .131,AC: '
ACCEPT     tcp  --  160.218.14.0/24      62.168.40.131      tcp dpt:110
LOG        tcp  --  0.0.0.0/0            62.168.40.131      tcp dpt:110 LOG flags 0 level 4 prefix ` _! POP3 na .131,DROP: '
DROP       tcp  --  0.0.0.0/0            62.168.40.131      tcp dpt:110
ACCEPT     icmp --  62.168.40.224/27     62.168.40.225
ACCEPT     tcp  --  62.168.40.227        62.168.40.225      tcp dpt:80
ACCEPT     tcp  --  62.168.40.224/27     62.168.40.225      tcp dpt:443
ACCEPT     tcp  --  62.168.40.224/27     62.168.40.225      tcp dpt:21
ACCEPT     tcp  --  62.168.40.224/27     62.168.40.225      tcp dpt:22
ACCEPT     tcp  --  62.168.40.224/27     62.168.40.225      tcp dpt:25
ACCEPT     udp  --  62.168.40.224/27     62.168.40.225      udp dpt:25
ACCEPT     tcp  --  62.168.40.224/27     62.168.40.225      tcp dpt:53
ACCEPT     udp  --  62.168.40.224/27     62.168.40.225      udp dpt:53
ACCEPT     tcp  --  62.168.40.224/27     62.168.40.225      tcp dpt:113
ACCEPT     udp  --  62.168.40.224/27     62.168.40.225      udp dpt:113
LOG        tcp  --  62.168.40.224/27     62.168.40.225      tcp dpt:20 LOG flags 0 level 4 prefix ` _! FTP-DATA z LAN: '
ACCEPT     tcp  --  62.168.40.224/27     62.168.40.225      tcp dpt:20
ACCEPT     tcp  --  62.168.40.224/27     62.168.40.225      tcp dpt:110
ACCEPT     tcp  --  62.168.40.224/27     62.168.40.225      tcp dpt:995

Chain FORWARD (policy DROP)
target     prot opt source               destination
bad_packets  tcp  --  0.0.0.0/0            62.168.40.224/27
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     tcp  --  62.168.40.227        0.0.0.0/0          tcp dpt:80
REJECT     tcp  --  62.168.40.224/27     0.0.0.0/0          tcp dpt:80 reject-with icmp-port-unreachable
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
LOG        icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 9 LOG flags 0 level 4 prefix ` _! ICMP Type 9: '
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 9 reject-with icmp-port-unreachable
ACCEPT     all  --  62.168.40.224/27     0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            62.168.40.224/27
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain bad_packets (2 references)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn,DROP: '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW


iptables -t nat -n -L:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination          


iptables -t mangle -n -L:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination          






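Added example, not code from the thread or from either poster: a small Python rule-walker that replays the FORWARD and bad_packets chains, hand-transcribed from the listing above, against a few constructed packets, so that the path a packet takes through the chain can be traced rule by rule instead of read off by eye. The outside hosts 198.51.100.10 and 203.0.113.5 and the LAN host 62.168.40.230 are assumed sample addresses, and the conntrack state of each packet is supplied by hand, since nothing here runs the kernel's state machine.

```python
import ipaddress

# Rules hand-transcribed from the posted `iptables -n -L` FORWARD and
# bad_packets chains: (target, proto, src, dst, match-options).
ANY = "0.0.0.0/0"
LAN = "62.168.40.224/27"
CHAINS = {
    "FORWARD": {"policy": "DROP", "rules": [
        ("bad_packets", "tcp", ANY, LAN, {}),
        ("ACCEPT", "all", ANY, ANY, {"state": {"RELATED", "ESTABLISHED"}}),
        ("ACCEPT", "tcp", "62.168.40.227", ANY, {"dport": 80}),
        ("REJECT", "tcp", LAN, ANY, {"dport": 80}),
        ("ACCEPT", "icmp", ANY, ANY, {"icmp_type": 0}),
        ("ACCEPT", "icmp", ANY, ANY, {"icmp_type": 3}),
        ("ACCEPT", "icmp", ANY, ANY, {"icmp_type": 8}),
        ("ACCEPT", "icmp", ANY, ANY, {"icmp_type": 11}),
        ("LOG", "icmp", ANY, ANY, {"icmp_type": 9}),
        ("REJECT", "icmp", ANY, ANY, {"icmp_type": 9}),
        ("ACCEPT", "all", LAN, ANY, {}),
    ]},
    # User-defined chain: no policy, falling off the end returns to the caller.
    "bad_packets": {"policy": None, "rules": [
        # "tcp flags:!0x16/0x02 state NEW": a NEW packet whose SYN/RST/ACK bits
        # are not exactly SYN, i.e. a connection that does not start with SYN.
        ("LOG", "tcp", ANY, ANY, {"state": {"NEW"}, "flags": (0x16, 0x02, True)}),
        ("DROP", "tcp", ANY, ANY, {"state": {"NEW"}, "flags": (0x16, 0x02, True)}),
    ]},
}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
SYN, ACK = 0x02, 0x10  # TCP flag bits as used by the tcp-flags match


def packet(src, dst, proto, state, dport=None, flags=0, icmp_type=None):
    """Describe one packet; the conntrack state is supplied by hand."""
    return {"src": src, "dst": dst, "proto": proto, "state": state,
            "dport": dport, "flags": flags, "icmp_type": icmp_type}


def matches(rule, pkt):
    """True if every match shown on the iptables line applies to pkt."""
    _target, proto, src, dst, opt = rule
    if proto != "all" and proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
        return False
    if "state" in opt and pkt["state"] not in opt["state"]:
        return False
    if "dport" in opt and pkt["dport"] != opt["dport"]:
        return False
    if "icmp_type" in opt and pkt["icmp_type"] != opt["icmp_type"]:
        return False
    if "flags" in opt:
        mask, comp, negated = opt["flags"]
        equal = (pkt["flags"] & mask) == comp
        if equal == negated:  # plain match needs equal; "!" match needs not-equal
            return False
    return True


def walk(chain, pkt, trace=None):
    """Walk pkt through chain; return (verdict, trace). Verdict is None
    when a user chain falls through (iptables RETURN semantics)."""
    trace = [] if trace is None else trace
    for n, rule in enumerate(CHAINS[chain]["rules"], start=1):
        if not matches(rule, pkt):
            continue
        target = rule[0]
        trace.append(f"{chain}#{n} -> {target}")
        if target in TERMINAL:
            return target, trace
        if target == "LOG":
            continue                                  # LOG never ends the walk
        verdict, trace = walk(target, pkt, trace)     # jump to a user chain
        if verdict is not None:
            return verdict, trace
    policy = CHAINS[chain]["policy"]
    if policy is not None:
        trace.append(f"{chain} policy -> {policy}")
    return policy, trace


# Constructed sample packets; outside hosts use documentation addresses.
SAMPLES = {
    "lan_227_http_out": packet("62.168.40.227", "198.51.100.10", "tcp", "NEW", 80, SYN),
    "lan_230_http_out": packet("62.168.40.230", "198.51.100.10", "tcp", "NEW", 80, SYN),
    "lan_230_ssh_out": packet("62.168.40.230", "198.51.100.10", "tcp", "NEW", 22, SYN),
    "inet_to_lan_ssh_syn": packet("203.0.113.5", "62.168.40.230", "tcp", "NEW", 22, SYN),
    "inet_to_lan_ack_only": packet("203.0.113.5", "62.168.40.230", "tcp", "NEW", 22, ACK),
    "inet_to_lan_reply": packet("203.0.113.5", "62.168.40.230", "tcp", "ESTABLISHED", 40000, ACK),
    "inet_to_lan_ping": packet("203.0.113.5", "62.168.40.230", "icmp", "NEW", icmp_type=8),
}


def verdicts():
    """Verdict of the FORWARD chain for every sample packet."""
    return {name: walk("FORWARD", pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        verdict, trace = walk("FORWARD", pkt)
        print(f"{name:22s} {verdict:7s} via {' ; '.join(trace)}")
```

Running it prints one verdict and trace per sample. Read against the listing, the traces show that a NEW connection from the Internet to a LAN address passes through bad_packets untouched (it does start with SYN) and then reaches the FORWARD policy, DROP, because no later rule accepts it, whereas a NEW packet that carries ACK without SYN is logged and dropped inside bad_packets before the policy is ever consulted; traffic from the LAN outward is accepted by the final rule unless it is port 80 from a host other than .227, which the fourth rule rejects.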