[Firewall] Can't get NAT - Masquerading to work....

mombasa mombasa at skynet.be
Sat Oct 28 04:28:30 MDT 2006


Hi Arno,

I've tried the additional parameters you gave me but the result is the same.
Below I've included the result of ifconfig and the firewall log.

Perhaps a small explanation with the firewall log:

192.168.10.222 is the IP address of the Win XP Pro host from which I'm trying
to get on the internet via the Linux gateway.

195.238.2.21 is the address of the DNS server of my ISP.

As far as I can see the firewall drops all packets that attempt to reach my
ISP's DNS server. As to why: I don't have a clue....

Note: I can surf the internet on my Linux box without a problem...

Cheers,

Mombasa



IFCONFIG result:
linux:~ # ifconfig
dsl0      Link encap:Point-to-Point Protocol
          inet addr:81.245.30.57  P-t-P:81.245.30.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:60 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:27484 (26.8 Kb)  TX bytes:9159 (8.9 Kb)

eth0      Link encap:Ethernet  HWaddr 00:02:B3:27:F5:91
          inet addr:192.168.10.213  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::202:b3ff:fe27:f591/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17086 (16.6 Kb)  TX bytes:3662 (3.5 Kb)

eth1      Link encap:Ethernet  HWaddr 00:A0:24:CA:E8:2F
          inet6 addr: fe80::2a0:24ff:feca:e82f/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:66 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29239 (28.5 Kb)  TX bytes:14417 (14.0 Kb)
          Interrupt:11 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:56 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3283 (3.2 Kb)  TX bytes:3283 (3.2 Kb)


FIREWALL LOG:

Oct 28 11:21:05 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=132 PROTO=UDP SPT=1031 DPT=53 LEN=90
Oct 28 11:21:13 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=137
PROTO=UDP SPT=1026 DPT=53 LEN=54
Oct 28 11:21:14 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=138
PROTO=UDP SPT=1026 DPT=53 LEN=54
Oct 28 11:22:05 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=169
PROTO=UDP SPT=1036 DPT=53 LEN=54
Oct 28 11:22:16 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246
ID=31609 PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Oct 28 11:22:17 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246
ID=63363 PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Oct 28 11:22:20 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246
ID=17186 PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Oct 28 11:22:26 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246
ID=52673 PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Oct 28 11:22:37 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=3785
PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Oct 28 11:23:06 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=196
PROTO=UDP SPT=1040 DPT=53 LEN=54
Oct 28 11:23:15 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=81.245.137.65 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
ID=13885 DF PROTO=TCP SPT=1463 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 28 11:23:18 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=81.245.137.65 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
ID=14232 DF PROTO=TCP SPT=1463 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=8192
Oct 28 11:24:06 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=225
PROTO=UDP SPT=1026 DPT=53 LEN=54
Oct 28 11:24:07 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=81.245.89.170 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
ID=25682 DF PROTO=TCP SPT=1578 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 28 11:24:29 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=81.245.87.165 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
ID=15133 DF PROTO=TCP SPT=3769 DPT=139 WINDOW=32000 RES=0x00 SYN URGP=0
Oct 28 11:24:31 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=204.16.208.76 DST=81.245.30.57 LEN=585 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF
PROTO=UDP SPT=32843 DPT=1027 LEN=565
Oct 28 11:24:39 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119
ID=41751 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH URGP=0
Oct 28 11:24:39 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=207.46.106.51 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=119
ID=41752 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK FIN URGP=0
Oct 28 11:24:40 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119
ID=45662 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH FIN
URGP=0
Oct 28 11:24:42 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119
ID=52454 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH FIN
URGP=0
Oct 28 11:24:46 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119 ID=2106
DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH FIN URGP=0
Oct 28 11:24:55 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119
ID=29802 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH FIN
URGP=0
Oct 28 11:25:04 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=81.245.95.187 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
ID=18227 DF PROTO=TCP SPT=4533 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 28 11:25:07 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=81.245.95.187 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
ID=18591 DF PROTO=TCP SPT=4533 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 28 11:25:13 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119
ID=19491 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH FIN
URGP=0
Oct 28 11:25:15 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=226
PROTO=UDP SPT=1026 DPT=53 LEN=54
Oct 28 11:26:08 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=256
PROTO=UDP SPT=1026 DPT=53 LEN=54
Oct 28 11:27:01 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=194.78.133.231 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=61
ID=25376 DF PROTO=TCP SPT=80 DPT=1046 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Oct 28 11:27:01 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=194.78.133.231 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=61
ID=25377 DF PROTO=TCP SPT=80 DPT=1046 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Oct 28 11:27:02 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=194.78.133.231 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=61
ID=25378 DF PROTO=TCP SPT=80 DPT=1046 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Oct 28 11:27:17 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=257
PROTO=UDP SPT=1026 DPT=53 LEN=54
Oct 28 11:27:29 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=81.245.80.58 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=52016
DF PROTO=TCP SPT=2277 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 28 11:27:32 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
SRC=81.245.80.58 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=52190
DF PROTO=TCP SPT=2277 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 28 11:28:09 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=283
PROTO=UDP SPT=1026 DPT=53 LEN=54
Oct 28 11:31:17 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=284 PROTO=UDP SPT=1026 DPT=53 LEN=90
Oct 28 11:31:18 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=285 PROTO=UDP SPT=1026 DPT=53 LEN=90
Oct 28 11:31:19 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=286 PROTO=UDP SPT=1026 DPT=53 LEN=90
Oct 28 11:32:22 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=329
PROTO=UDP SPT=1026 DPT=53 LEN=44
Oct 28 11:35:48 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=68 TOS=0x10 PREC=0x00 TTL=127 ID=335
PROTO=UDP SPT=1054 DPT=53 LEN=48
Oct 28 11:35:49 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=68 TOS=0x10 PREC=0x00 TTL=127 ID=336
PROTO=UDP SPT=1054 DPT=53 LEN=48
Oct 28 11:35:50 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=68 TOS=0x10 PREC=0x00 TTL=127 ID=337
PROTO=UDP SPT=1054 DPT=53 LEN=48
Oct 28 11:44:05 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=358 PROTO=UDP SPT=1026 DPT=53 LEN=90
Oct 28 11:44:06 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=359 PROTO=UDP SPT=1026 DPT=53 LEN=90
Oct 28 11:44:07 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=360 PROTO=UDP SPT=1026 DPT=53 LEN=90
Oct 28 11:45:07 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=412
PROTO=UDP SPT=1062 DPT=53 LEN=54
Oct 28 11:48:56 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=418 PROTO=UDP SPT=1025 DPT=53 LEN=90
Oct 28 11:48:57 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=419 PROTO=UDP SPT=1025 DPT=53 LEN=90
Oct 28 11:48:58 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=420 PROTO=UDP SPT=1025 DPT=53 LEN=90
Oct 28 11:57:28 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=457 PROTO=UDP SPT=1025 DPT=53 LEN=90
Oct 28 11:57:29 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=458 PROTO=UDP SPT=1025 DPT=53 LEN=90
Oct 28 11:57:30 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=459 PROTO=UDP SPT=1025 DPT=53 LEN=90
Oct 28 11:59:30 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=488
PROTO=UDP SPT=1025 DPT=53 LEN=54
Oct 28 11:59:31 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=489
PROTO=UDP SPT=1025 DPT=53 LEN=54
Oct 28 12:07:51 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=533
PROTO=UDP SPT=1025 DPT=53 LEN=62
Oct 28 12:07:52 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=534
PROTO=UDP SPT=1025 DPT=53 LEN=62
Oct 28 12:07:53 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=535
PROTO=UDP SPT=1025 DPT=53 LEN=62
Oct 28 12:14:42 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=544
PROTO=UDP SPT=1025 DPT=53 LEN=54
Oct 28 12:14:43 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=545
PROTO=UDP SPT=1025 DPT=53 LEN=54
Oct 28 12:14:44 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=546
PROTO=UDP SPT=1025 DPT=53 LEN=54
Oct 28 12:20:09 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=575
PROTO=UDP SPT=1026 DPT=53 LEN=62
Oct 28 12:20:10 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=576
PROTO=UDP SPT=1026 DPT=53 LEN=62
Oct 28 12:20:11 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=577
PROTO=UDP SPT=1026 DPT=53 LEN=62
Oct 28 12:29:28 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=584 PROTO=UDP SPT=1026 DPT=53 LEN=90
Oct 28 12:29:29 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=585 PROTO=UDP SPT=1026 DPT=53 LEN=90
Oct 28 12:29:30 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=586 PROTO=UDP SPT=1026 DPT=53 LEN=90
Oct 28 12:30:28 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
ID=616 PROTO=UDP SPT=1025 DPT=53 LEN=90
Oct 28 12:31:33 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=663
PROTO=UDP SPT=1077 DPT=53 LEN=54
Oct 28 12:33:02 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=680
PROTO=UDP SPT=1026 DPT=53 LEN=44
Oct 28 12:33:03 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=681
PROTO=UDP SPT=1026 DPT=53 LEN=44
Oct 28 12:33:04 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=682
PROTO=UDP SPT=1026 DPT=53 LEN=44
Oct 28 12:34:09 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=685
PROTO=UDP SPT=1026 DPT=53 LEN=44
Oct 28 12:34:10 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=686
PROTO=UDP SPT=1026 DPT=53 LEN=44
Oct 28 12:34:11 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=687
PROTO=UDP SPT=1026 DPT=53 LEN=44
Oct 28 12:35:16 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=690
PROTO=UDP SPT=1026 DPT=53 LEN=44
Oct 28 12:35:17 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=691
PROTO=UDP SPT=1026 DPT=53 LEN=44
Oct 28 12:35:18 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=692
PROTO=UDP SPT=1026 DPT=53 LEN=44
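
As an added diagnostic that is not part of this thread, the following Python parses netfilter drop lines in the format logged above, totals them by chain, interface, destination and port, and checks the OUT= interface of every FORWARD drop against the EXT_IF wildcard from the quoted config (iptables treats a trailing "+" as a prefix match, so "ppp+" matches ppp0 but not dsl0). The sample lines are copied from the log above with the mail wrapping undone; the function names are my own.

```python
"""Summarize netfilter "Dropped ... packet" log lines and compare the
configured external-interface wildcard with the OUT= interface seen in
FORWARD drops.  Added diagnostic, not code from the mailing-list thread.
"""
import re
from collections import Counter

# Constructed sample: entries taken from the log in the mail, re-joined
# onto one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
Oct 28 11:21:05 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0 SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127 ID=132 PROTO=UDP SPT=1031 DPT=53 LEN=90
Oct 28 11:21:13 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0 SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=137 PROTO=UDP SPT=1026 DPT=53 LEN=54
Oct 28 11:22:16 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC= SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=31609 PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Oct 28 11:23:15 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC= SRC=81.245.137.65 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=13885 DF PROTO=TCP SPT=1463 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 28 11:24:06 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0 SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=225 PROTO=UDP SPT=1026 DPT=53 LEN=54
"""

# Chain name and the key=value / flag tokens that follow it.
LINE_RE = re.compile(r"Dropped (?P<chain>\w+) packet: (?P<rest>.*)$")


def parse_netfilter_line(line):
    """Return (chain, fields, flags) for one drop line, or None otherwise.

    Tokens with '=' become fields (the value may be empty, e.g. 'OUT=' on
    INPUT drops); bare tokens such as DF, SYN, ACK, FIN become flags.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)   # first LEN= is the IP total length
        else:
            flags.add(tok)
    return m.group("chain"), fields, flags


def iface_matches(pattern, name):
    """iptables interface matching: a trailing '+' is a prefix wildcard,
    anything else must match the interface name exactly."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def summarize_drops(log_text, ext_if):
    """Count drops per (chain, IN, OUT, DST, PROTO, DPT) and collect the
    OUT= interfaces of FORWARD drops that the EXT_IF pattern would not
    match, which is worth a look when LAN->internet traffic is dropped."""
    counts = Counter()
    unmatched_out = set()
    for line in log_text.splitlines():
        parsed = parse_netfilter_line(line)
        if parsed is None:
            continue
        chain, f, _flags = parsed
        key = (chain, f.get("IN", ""), f.get("OUT", ""), f.get("DST", ""),
               f.get("PROTO", ""), f.get("DPT", ""))
        counts[key] += 1
        if chain == "FORWARD" and f.get("OUT") and not iface_matches(ext_if, f["OUT"]):
            unmatched_out.add(f["OUT"])
    return counts, unmatched_out


if __name__ == "__main__":
    # EXT_IF="ppp+" is the value from the quoted config file.
    totals, unmatched = summarize_drops(SAMPLE_LOG, "ppp+")
    for key, n in totals.most_common():
        print(n, key)
    if unmatched:
        print("FORWARD drops leave via", sorted(unmatched),
              "which the EXT_IF pattern 'ppp+' does not match")
```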

----- Original Message -----
From: "Arno van Amersfoort" <arnova at rocky.eld.leidenuniv.nl>
To: "Arno's IPTABLES firewall script" <firewall at lists.btito.net>
Sent: Thursday, October 26, 2006 9:16 PM
Subject: Re: [Firewall] Can't get NAT - Masquerading to work....


>
> Could you also provide us with a dump of 'ifconfig' + anything shown in
> your firewall logs (ie. dropped packets)? For now you could try to set
> "SET_MSS=0" and/or "NO_PMTU_DISCOVERY=1".
>
> Please let us know your findings and provide us with the additional
> information as requested....
>
> a.
>
> mombasa wrote:
> >
> > I'm a Linux novice and I am trying to build an internet gateway for a
> > network of Windows XP Pro clients.
> >
> > I used the latest Suse Linux distro (I believe v10.1).
> > When I configure the firewall and masquerading with the Suse Yast tool,
> > everything works fine and my Windows XP Pro clients can access the
> > internet through the Linux gateway machine.
> >
> > Because I would like to tighten security, I would like to use Arno's
> > firewall script instead.
> >
> > I've made only minimal changes to the config file to try to get the
> > masquerading running, but I can't seem to get it to work.
> > When I run the script I can still access the internet from the Linux box,
> > but my XP Pro clients lose their internet connection.
> > I've read all the FAQs and browsed through the mailing list and I don't
> > see what I'm doing wrong.
> >
> > It will probably be something stupid of me.
> >
> > I hope somebody can help me because it is driving me nuts...
> >
> > Here is the config file and the result of running this config file:
> >
> >
> >
> > ###############################################################################
> > # You should put this config-file in /etc/arno-iptables-firewall/             #
> > ###############################################################################
> >
> > IPTABLES="/usr/sbin/iptables"
> >
> > ###############################################################################
> > # External (internet) interface settings                                      #
> > ###############################################################################
> >
> > EXT_IF="ppp+"
> >
> > EXT_IF_DHCP_IP=1
> >
> > EXTERNAL_NET=""
> >
> > EXT_NET_BCAST_ADDRESS=""
> >
> > EXTERNAL_DHCP_SERVER=0
> >
> > ###############################################################################
> > # Internal (LAN) interface settings                                           #
> > ###############################################################################
> >
> > INT_IF="eth0"
> >
> > INTERNAL_NET="192.168.10.0/24"
> >
> > INT_NET_BCAST_ADDRESS=""
> >
> > ###############################################################################
> > # DMZ (aka DeMilitarized Zone) settings                                       #
> > ###############################################################################
> >
> > DMZ_IF=""
> >
> > DMZ_NET=""
> >
> > ###############################################################################
> > # NAT (Masquerade, SNAT, DNAT) settings                                       #
> > ###############################################################################
> >
> > NAT=1
> >
> > NAT_INTERNAL_NET="$INTERNAL_NET"
> >
> > NAT_TCP_FORWARD=""
> > NAT_UDP_FORWARD=""
> > NAT_IP_FORWARD=""
> >
> > ###############################################################################
> > # (ADSL) Modem settings                                                       #
> > ###############################################################################
> >
> > MODEM_IF="eth1"
> >
> > MODEM_INTERNAL_NET=$INTERNAL_NET
> >
> > ###############################################################################
> > # General settings                                                            #
> > ###############################################################################
> >
> > DMESG_PANIC_ONLY=1
> >
> > MANGLE_TOS=1
> >
> > SET_MSS=1
> >
> > TTL_INC=0
> >
> > RESOLV_IPS=0
> >
> > USE_IRC=0
> >
> > LOOSE_FORWARD=0
> >
> > DROP_PRIVATE_ADDRESSES=0
> >
> > DRDOS_PROTECT=0
> >
> > IPV6_SUPPORT=0
> >
> > NMB_BROADCAST_FIX=0
> >
> > TRUSTED_IF=""
> >
> > INT_IF_TRUST=""
> >
> > CUSTOM_RULES=/etc/arno-iptables-firewall/custom-rules
> >
> > ###############################################################################
> > # Logging options - All logging is rate limited to prevent log flooding       #
> > ###############################################################################
> >
> > # Enable logging for explicitly blocked hosts.
> > # -----------------------------------------------------------------------------
> > BLOCKED_HOST_LOG=1
> >
> > # Enable logging for various stealth scans (reliable).
> > # -----------------------------------------------------------------------------
> > SCAN_LOG=1
> >
> > # Enable logging for possible stealth scans (less reliable).
> > # -----------------------------------------------------------------------------
> > POSSIBLE_SCAN_LOG=0
> >
> > # Enable logging for TCP-packets with bad flags.
> > # -----------------------------------------------------------------------------
> > BAD_FLAGS_LOG=0
> >
> > INVALID_PACKET_LOG=0
> >
> > # Enable logging of source IP's with reserved addresses.
> > # -----------------------------------------------------------------------------
> > RESERVED_NET_LOG=1
> >
> > # Enable logging of fragmented packets.
> > # -----------------------------------------------------------------------------
> > FRAG_LOG=1
> >
> > # Enable logging of denied local (OUTPUT) connections.
> > # -----------------------------------------------------------------------------
> > OUTPUT_DENY_LOG=1
> >
> > # Enable logging of denied LAN output (FORWARD) connections.
> > # -----------------------------------------------------------------------------
> > LAN_OUTPUT_DENY_LOG=1
> >
> > # Enable logging of denied LAN INPUT connections.
> > # -----------------------------------------------------------------------------
> > LAN_INPUT_DENY_LOG=1
> >
> > # Enable logging of denied DMZ output (FORWARD) connections.
> > # -----------------------------------------------------------------------------
> > DMZ_OUTPUT_DENY_LOG=1
> >
> > # Enable logging of denied DMZ input (FORWARD) connections.
> > # -----------------------------------------------------------------------------
> > DMZ_INPUT_DENY_LOG=1
> >
> > # Enable logging of dropped ICMP-request packets (ping).
> > # -----------------------------------------------------------------------------
> > ICMP_REQUEST_LOG=1
> >
> > # Enable logging of dropped "other" ICMP packets.
> > # -----------------------------------------------------------------------------
> > ICMP_OTHER_LOG=1
> >
> > # Enable logging of normal connection attempts to privileged TCP ports.
> > # -----------------------------------------------------------------------------
> > PRIV_TCP_LOG=1
> >
> > # Enable logging of normal connection attempts to privileged UDP ports.
> > # -----------------------------------------------------------------------------
> > PRIV_UDP_LOG=1
> >
> > # Enable logging of normal connection attempts to unprivileged TCP ports.
> > # -----------------------------------------------------------------------------
> > UNPRIV_TCP_LOG=1
> >
> > # Enable logging of normal connection attempts to unprivileged UDP ports.
> > # -----------------------------------------------------------------------------
> > UNPRIV_UDP_LOG=1
> >
> > # Enable logging of normal connection attempts to "other-IP"-protocols (non
> > # TCP/UDP/ICMP).
> > # -----------------------------------------------------------------------------
> > OTHER_IP_LOG=1
> >
> > # Enable logging for ICMP flooding.
> > # -----------------------------------------------------------------------------
> > ICMP_FLOOD_LOG=1
> >
> > # Enable logging for not-allowed MAC addresses (if used).
> > # -----------------------------------------------------------------------------
> > MAC_ADDRESS_LOG=1
> >
> > LOGLEVEL=info
> >
> > LOG_HOST_TCP_INPUT=""
> > LOG_HOST_UDP_INPUT=""
> > LOG_HOST_IP_INPUT=""
> >
> > LOG_HOST_TCP_OUTPUT=""
> > LOG_HOST_UDP_OUTPUT=""
> > LOG_HOST_IP_OUTPUT=""
> >
> > # Put in the following variables which services you want to log incoming
> > # connection attempts for.
> > # -----------------------------------------------------------------------------
> > LOG_TCP_INPUT=""
> > LOG_UDP_INPUT=""
> > LOG_IP_INPUT=""
> >
> > # Put in the following variables which services you want to log outgoing
> > # connection attempts for.
> > # -----------------------------------------------------------------------------
> > LOG_TCP_OUTPUT=""
> > LOG_UDP_OUTPUT=""
> > LOG_IP_OUTPUT=""
> >
> > # Put in the following variable which hosts you want to log incoming connection
> > # (attempts) for.
> > # -----------------------------------------------------------------------------
> > LOG_HOST_INPUT=""
> >
> > # Put in the following variable which hosts you want to log outgoing connection
> > # (attempts) to.
> > # -----------------------------------------------------------------------------
> > LOG_HOST_OUTPUT=""
> >
> > ###############################################################################
> > # /proc based settings (EXPERT SETTINGS!)                                     #
> > ###############################################################################
> >
> > # Enable for synflood protection (through /proc/.../tcp_syncookies).
> > # -----------------------------------------------------------------------------
> > SYN_PROT=1
> >
> > # Enable this to reduce the ability of others DOS'ing your machine.
> > # -----------------------------------------------------------------------------
> > REDUCE_DOS_ABILITY=1
> >
> > # Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
> > # -----------------------------------------------------------------------------
> > ECHO_IGNORE=0
> >
> > # Enable to log packets with impossible addresses to the kernel log.
> > # -----------------------------------------------------------------------------
> > LOG_MARTIANS=0
> >
> > # Only disable this if you're NOT using forwarding (required for NAT etc.) for
> > # increased security.
> > # -----------------------------------------------------------------------------
> > IP_FORWARDING=1
> >
> > # Enable if you want to accept ICMP redirect messages. Should be set to "0" in
> > # case of a router.
> > # -----------------------------------------------------------------------------
> > ICMP_REDIRECT=0
> >
> > # Enable/modify this if you want to be able to handle a larger (or smaller)
> > # number of simultaneous connections. For high traffic machines I recommend to
> > # use a value of at least 16384 (note that a higher value (obviously) also uses
> > # more memory).
> > # -----------------------------------------------------------------------------
> > CONNTRACK=16384
> >
> > # You may need to enable this to get some internet games to work, but note that
> > # it's *less* secure.
> > # -----------------------------------------------------------------------------
> > LOOSE_UDP_PATCH=0
> >
> > # Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
> > # as some routers are still not compatible with this.
> > # -----------------------------------------------------------------------------
> > ECN=0
> >
> > RP_FILTER=1
> >
> > SOURCE_ROUTE_PROTECTION=1
> >
> > LOCAL_PORT_RANGE="32768 61000"
> >
> > DEFAULT_TTL=64
> >
> > # In most cases pmtu discovery is ok, but in some rare cases (when having
> > # problems) you might want to disable it.
> > # -----------------------------------------------------------------------------
> > NO_PMTU_DISCOVERY=0
> >
############################################################################
###
> > # (Transparent) proxy settings (EXPERT
> > SETTINGS!)                             #
> >
############################################################################
###
> > #HTTP_PROXY_PORT="3128"
> > HTTPS_PROXY_PORT=""
> > FTP_PROXY_PORT=""
> > SMTP_PROXY_PORT=""
> > POP3_PROXY_PORT=""
> >
> >
> >
############################################################################
###
> > # Firewall policies for the LAN (EXPERT
> > SETTINGS!)                            #
> >
############################################################################
###
> >
> >
############################################################################
###
> > # LAN_xxx = LAN->localhost(this machine) input access
> > rules                   #
> > #
> > #
> > # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used,
> > the      #
> > # default policy for this chain is accept (unless denied
> > through              #
> > # LAN_DENY_xxx and/or
> > LAN_HOST_DENY_xxx)!                                     #
> >
############################################################################
###
> >
> > # Enable this to allow for ICMP-requests(ping) from your LAN
> > #
>
> --------------------------------------------------------------------------
---
> > LAN_OPEN_ICMP=1
> >
> > # Put in the following variables the TCP/UDP ports or IP protocols TO
> > # (remote end-point) which the LAN hosts are permitted to connect to.
> > #
>
> --------------------------------------------------------------------------
---
> > LAN_OPEN_TCP=""
> > LAN_OPEN_UDP=""
> > LAN_OPEN_IP=""
> >
> > # Put in the following variables the TCP/UDP ports or IP protocols TO
> > (remote
> > # end-point) which LAN hosts are NOT permitted to connect to.
> > #
>
> --------------------------------------------------------------------------
---
> > LAN_DENY_TCP=""
> > LAN_DENY_UDP=""
> > LAN_DENY_IP=""
> >
> >
> > LAN_HOST_OPEN_TCP=""
> > LAN_HOST_OPEN_UDP=""
> > LAN_HOST_OPEN_IP=""
> >
> >
> > LAN_HOST_DENY_TCP=""
> > LAN_HOST_DENY_UDP=""
> > LAN_HOST_DENY_IP=""
> >
> >
> >
############################################################################
###
> > # LAN_INET_xxx = LAN->internet access rules
> > (forward)                         #
> > #
> > #
> > # Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are
> > NOT      #
> > # used, the default policy for this chain is accept (unless
> > denied            #
> > # through LAN_INET_DENY_xxx and/or
> > LAN_INET_HOST_DENY_xxx)!                   #
> >
############################################################################
###
> >
> > # Enable this to allow for ICMP-requests(ping) for LAN->INET
> > #
> > # ------------------------------------------------------------------------------
> > LAN_INET_OPEN_ICMP=1
> >
> >
> > LAN_INET_OPEN_TCP=""
> > LAN_INET_OPEN_UDP=""
> > LAN_INET_OPEN_IP=""
> >
> >
> > LAN_INET_DENY_TCP=""
> > LAN_INET_DENY_UDP=""
> > LAN_INET_DENY_IP=""
> >
> > # Put in the following variables which LAN hosts you want to allow to certain
> > # hosts/services on the internet. By default all services are allowed.
> >
> > LAN_INET_HOST_OPEN_TCP=""
> > LAN_INET_HOST_OPEN_UDP=""
> > LAN_INET_HOST_OPEN_IP=""
> >
> > # Put in the following variables which DMZ hosts you want to deny to certain
> > # hosts/services on the internet.
> >
> > LAN_INET_HOST_DENY_TCP=""
> > LAN_INET_HOST_DENY_UDP=""
> > LAN_INET_HOST_DENY_IP=""
> >
> >
> >
> > ###############################################################################
> > # Firewall policies for the DMZ (EXPERT SETTINGS!)
> > ###############################################################################
> >
> >
> > ###############################################################################
> > # DMZ_xxx      = DMZ->localhost(this machine) input access rules
> > ###############################################################################
> >
> > # Enable this to allow ICMP-requests(ping) from the DMZ
> > #
> > # ------------------------------------------------------------------------------
> > DMZ_OPEN_ICMP=1
> >
> >
> > DMZ_OPEN_TCP=""
> > DMZ_OPEN_UDP=""
> > DMZ_OPEN_IP=""
> >
> >
> > DMZ_HOST_OPEN_TCP=""
> > DMZ_HOST_OPEN_UDP=""
> > DMZ_HOST_OPEN_IP=""
> >
> >
> >
> > ###############################################################################
> > # INET_DMZ_xxx = Internet->DMZ access rules (forward)
> > #
> > #
> > # Note that when both INET_DMZ_OPEN_xxx & INET_DMZ_HOST_OPEN_xxx are NOT
> > # used, the default policy for this chain is accept (unless denied
> > # through INET_DMZ_DENY_xxx and/or INET_DMZ_HOST_DENY_xxx)!
> > ###############################################################################
> >
> > # Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
> > #
> > # ------------------------------------------------------------------------------
> > INET_DMZ_OPEN_ICMP=0
> >
> > # Put in the following variables which INET hosts are permitted to connect to
> > # certain TCP/UDP ports or IP protocols in the DMZ.
> > #
> > # ------------------------------------------------------------------------------
> > INET_DMZ_OPEN_TCP=""
> > INET_DMZ_OPEN_UDP=""
> > INET_DMZ_OPEN_IP=""
> >
> > # Put in the following variables which INET hosts are NOT permitted to connect
> > # to certain TCP/UDP ports or IP protocols in the DMZ.
> > #
> > # ------------------------------------------------------------------------------
> > INET_DMZ_DENY_TCP=""
> > INET_DMZ_DENY_UDP=""
> > INET_DMZ_DENY_IP=""
> >
> > # Put in the following variables which INET hosts you want to allow to certain
> > # hosts/services on the DMZ net. By default all services are allowed.
> >
> > INET_DMZ_HOST_OPEN_TCP=""
> > INET_DMZ_HOST_OPEN_UDP=""
> > INET_DMZ_HOST_OPEN_IP=""
> >
> > # Put in the following variables which INET hosts you want to deny to certain
> > # hosts/services on the DMZ net.
> >
> > INET_DMZ_HOST_DENY_TCP=""
> > INET_DMZ_HOST_DENY_UDP=""
> > INET_DMZ_HOST_DENY_IP=""
> >
> >
> >
> > ###############################################################################
> > # DMZ_INET_xxx = DMZ->internet access rules (forward)
> > #
> > #
> > # Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT
> > # used, the default policy for this chain is accept (unless denied
> > # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)!
> > ###############################################################################
> >
> > # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
> > #
> > # ------------------------------------------------------------------------------
> > DMZ_INET_OPEN_ICMP=1
> >
> >
> > DMZ_INET_OPEN_TCP=""
> > DMZ_INET_OPEN_UDP=""
> > DMZ_INET_OPEN_IP=""
> >
> >
> > DMZ_INET_DENY_TCP=""
> > DMZ_INET_DENY_UDP=""
> > DMZ_INET_DENY_IP=""
> >
> > # Put in the following variables which DMZ hosts you want to allow to certain
> > # hosts/services on the internet. By default all services are allowed.
> > #
> >
> > DMZ_INET_HOST_OPEN_TCP=""
> > DMZ_INET_HOST_OPEN_UDP=""
> > DMZ_INET_HOST_OPEN_IP=""
> >
> > # Put in the following variables which DMZ hosts you want to deny to certain
> > # hosts/services on the internet.
> >
> > DMZ_INET_HOST_DENY_TCP=""
> > DMZ_INET_HOST_DENY_UDP=""
> > DMZ_INET_HOST_DENY_IP=""
> >
> >
> >
> > ###############################################################################
> > # DMZ_LAN_xxx  = DMZ->LAN access rules (forward)
> > ###############################################################################
> >
> > # Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
> > #
> > # ------------------------------------------------------------------------------
> > DMZ_LAN_OPEN_ICMP=0
> >
> > # Put in the following variables which DMZ hosts you want to allow to certain
> > # hosts/services on the LAN (net).
> >
> > DMZ_LAN_HOST_OPEN_TCP=""
> > DMZ_LAN_HOST_OPEN_UDP=""
> > DMZ_LAN_HOST_OPEN_IP=""
> >
> >
> >
> > ###############################################################################
> > # Firewall policies for the external (inet) interface (default policy = drop)
> > ###############################################################################
> >
> >
> > FULL_ACCESS_HOSTS=""
> >
> > # Enable this to make the default policy allow for ICMP(ping) for INET access
> > #
> > # ------------------------------------------------------------------------------
> > OPEN_ICMP=0
> >
> > # Put in the following variables which ports or IP protocols you want to leave
> > # open to the whole world.
> > #
> > # ------------------------------------------------------------------------------
> > OPEN_TCP=""
> > OPEN_UDP=""
> > OPEN_IP=""
> >
> >
> > DENY_TCP=""
> > DENY_UDP=""
> >
> >
> > DENY_TCP_NOLOG=""
> > DENY_UDP_NOLOG=""
> >
> > # Put in the following variables the TCP/UDP ports you want to REJECT (instead
> > # of DROP) for everyone (and logged).
> > #
> > # ------------------------------------------------------------------------------
> > REJECT_TCP=""
> > REJECT_UDP=""
> >
> > # Put in the following variables the TCP/UDP ports you want to REJECT (instead
> > # of DROP) for everyone but NOT logged.
> > #
> > # ------------------------------------------------------------------------------
> > REJECT_TCP_NOLOG=""
> > REJECT_UDP_NOLOG=""
> >
> > # Put in the following variables which hosts you want to allow for certain
> > # services.
> >
> > HOST_OPEN_TCP=""
> > HOST_OPEN_UDP=""
> > HOST_OPEN_IP=""
> > HOST_OPEN_ICMP=""
> >
> > # Put in the following variables which hosts you want to DENY(DROP) for certain
> > # services (and logged).
> >
> > HOST_DENY_TCP=""
> > HOST_DENY_UDP=""
> > HOST_DENY_IP=""
> > HOST_DENY_ICMP=""
> >
> > # Put in the following variables which hosts you want to DENY(DROP) for certain
> > # services but NOT logged.
> >
> > HOST_DENY_TCP_NOLOG=""
> > HOST_DENY_UDP_NOLOG=""
> > HOST_DENY_IP_NOLOG=""
> > HOST_DENY_ICMP_NOLOG=""
> >
> >
> > HOST_REJECT_TCP=""
> > HOST_REJECT_UDP=""
> >
> >
> > HOST_REJECT_TCP_NOLOG=""
> > HOST_REJECT_UDP_NOLOG=""
> >
> >
> > DENY_TCP_OUTPUT=""
> > DENY_UDP_OUTPUT=""
> > DENY_IP_OUTPUT=""
> >
> >
> >
> > HOST_DENY_TCP_OUTPUT=""
> > HOST_DENY_UDP_OUTPUT=""
> > HOST_DENY_IP_OUTPUT=""
> >
> >
> > BROADCAST_TCP_NOLOG=""
> >
> > BLOCK_HOSTS=""
> >
> >
> >
> >
> >
> > Here the result of running this config file:
> >
> >
> >
> >
> > Arno's Iptables Firewall Script v1.8.8b
> > --------------------------------------------------------------------------------
> > Sanity checks passed...OK
> > Detected IPTABLES module... Loading additional IPTABLES modules:
> > All IPTABLES modules loaded!
> > Setting the kernel ring buffer to only log panic messages to the console
> > Configuring /proc/.... settings:
> >  Enabling anti-spoof with rp_filter
> >  Enabling SYN-flood protection via SYN-cookies
> >  Disabling the logging of martians
> >  Disabling the acception of ICMP-redirect messages
> >  Setting the max. amount of simultaneous connections to 16384
> >  Enabling protection against source routed packets
> >  Setting default conntrack timeouts
> >  Enabling reduction of the DoS'ing ability
> >  Setting Default TTL=64
> >  Disabling ECN (Explicit Congestion Notification)
> >  Enabling support for dynamic IP's
> >  Flushing route table
> > /proc/ setup done...
> > Flushing rules in the filter table
> > Setting default (secure) policies
> > Using loglevel "info" for syslogd
> >
> > Setting up firewall rules:
> > --------------------------------------------------------------------------------
> > Accepting packets from the local loopback device
> > Enabling setting the maximum packet size via MSS
> > Enabling mangling TOS
> > Logging of stealth scans (nmap probes etc.) enabled
> > Logging of packets with bad TCP-flags disabled
> > Logging of INVALID packets disabled
> > Logging of fragmented packets enabled
> > Logging of access from reserved addresses enabled
> > Setting up anti-spoof rules
> > Reading custom IPTABLES rules from /etc/arno-iptables-firewall/custom-rules
> > Loading (user) plugins
> > Applying rules for (A)DSL modem on interface: eth1
> > Setting up INPUT policy for the external net (INET):
> > Enabling support for a DHCP assigned IP on external interface(s): ppp+
> > Logging of explicitly blocked hosts enabled
> > Logging of denied local output connections enabled
> > Packets will NOT be checked for private source addresses
> > Denying the whole world to send ICMP-requests(ping)
> > Logging of dropped ICMP-request(ping) packets enabled
> > Logging of dropped other ICMP packets enabled
> > Logging of possible stealth scans disabled
> > Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
> > Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
> > Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
> > Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
> > Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
> > Logging of ICMP flooding enabled
> > Applying INET policy to external (INET) interface: ppp+ (without an external subnet specified)
> > Setting up INPUT policy for internal (LAN) interface(s): eth0
> >  Allowing ICMP-requests(ping)
> >  Allowing all (other) protocols
> > Setting up FORWARD policy for internal (LAN) interface(s): eth0
> >  Logging of denied LAN->INET FORWARD connections enabled
> >  Setting up LAN->INET policy:
> >   Allowing ICMP-requests(ping)
> >   Allowing all (other) protocols
> > Enabling masquerading(NAT) for internal host(s): 192.168.10.0/24 via ppp+
> > Security is ENFORCED for external interface(s) in the FORWARD chain
> >
> > Oct 25 11:26:37 All firewall rules applied.
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Firewall mailing list
> > Firewall at lists.btito.net
> > http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
> > Arno's (Linux IPTABLES Firewall) Homepage:
> > http://rocky.eld.leidenuniv.nl
>
> --
> Arno van Amersfoort
> E-mail    : arnova at rocky.eld.leidenuniv.nl
> Donations are welcome through Paypal!
> ---------------------------------------------------------------------------
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
>
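The quoted script output reports that masquerading for 192.168.10.0/24 and the INET policy are applied "via ppp+". In iptables, an interface name ending in "+" is a prefix wildcard: `-o ppp+` matches ppp0, ppp1 and so on, and nothing else. Arno's script keys both the NAT rule and the FORWARD policy on that name, so if the PPPoE link on the gateway is called something else (some PPPoE clients create, for example, dsl0), the MASQUERADE rule is loaded but never matches, and LAN packets heading for the ISP's DNS server are neither translated nor forwarded. The check below is an added example, not part of the thread and not Arno's script; the interface list, the function names and the `--live` flag are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Arno's firewall script.
# In iptables an interface name ending in '+' is a prefix wildcard:
# "-o ppp+" matches ppp0, ppp1, ... but never an interface called dsl0.
# This checks a config's external-interface pattern against the names
# actually present, then prints the minimal masquerading rules for the
# name that is really there.

# Constructed sample interface list (hypothetical gateway with a PPPoE
# link named dsl0, two ethernet cards and loopback).
SAMPLE_IFACES="dsl0 eth0 eth1 lo"

# iface_matches PATTERN NAME: succeed if NAME matches the iptables pattern.
iface_matches() {
    pat=$1; name=$2
    case "$pat" in
        *+)
            prefix=${pat%+}
            case "$name" in
                "$prefix"*) return 0 ;;
                *)          return 1 ;;
            esac
            ;;
        *)
            [ "$pat" = "$name" ]
            ;;
    esac
}

# matching_ifaces PATTERN "NAME ...": print the names that match PATTERN.
matching_ifaces() {
    pat=$1; out=""
    for i in $2; do
        if iface_matches "$pat" "$i"; then
            out="$out $i"
        fi
    done
    printf '%s\n' "${out# }"
}

# check_ext_if PATTERN "NAME ...": succeed if PATTERN hits a live interface.
# If it hits nothing, a MASQUERADE rule on "-o PATTERN" is loaded but never
# matches, so LAN traffic leaves untranslated or is refused in FORWARD.
check_ext_if() {
    m=$(matching_ifaces "$1" "$2")
    if [ -n "$m" ]; then
        echo "EXT_IF=$1 matches: $m"
        return 0
    fi
    echo "EXT_IF=$1 matches none of: $2" >&2
    return 1
}

# masq_rules EXT_IF LAN_NET: print the minimal rule set for one LAN subnet.
# Printed, not executed; review, then run as root (e.g. pipe into sh).
masq_rules() {
    ext=$1; lan=$2
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -t nat -A POSTROUTING -s $lan -o $ext -j MASQUERADE" \
        "iptables -A FORWARD -s $lan -o $ext -j ACCEPT" \
        "iptables -A FORWARD -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# live_ifaces: interface names from sysfs (Linux only, no root needed).
live_ifaces() {
    ls /sys/class/net 2>/dev/null | tr '\n' ' '
}

if [ "${1:-}" = "--live" ]; then
    # usage on the gateway: sh check_ext_if.sh --live 'ppp+'
    check_ext_if "${2:-ppp+}" "$(live_ifaces)"
else
    # Demo on the constructed list: ppp+ misses, dsl+ hits.
    check_ext_if "ppp+" "$SAMPLE_IFACES" || true
    check_ext_if "dsl+" "$SAMPLE_IFACES" && masq_rules dsl0 192.168.10.0/24
fi
```

Run it with `--live` on the gateway to compare the configured pattern with `/sys/class/net`; when the pattern hits nothing, the fix is to set the external-interface variable in the config to the name the PPPoE client really creates, rather than to add rules by hand. The printed rules are the bare minimum a practitioner would use to confirm that NAT itself works once the name is right; they do not replace the script's own INPUT and anti-spoof policy.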