[Firewall] Can't get NAT - Masquerading to work....

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Sat Oct 28 09:00:14 MDT 2006


Hello,

I think the fix is quite simple: you'll have to make EXT_IF="dsl0", as 
you simply (as your ifconfig shows) don't have a ppp-interface. I think 
this will fix your problem....

Let us know whether this fixes your problem.

a.

mombasa wrote:
> Hi Arno,
> 
> I've tried the additional parameters you gave me but the result is the same.
> Below i've included the result of ifconfig and the firewall log.
> 
> Perhaps a small explanation with the firewall log:
> 
> 192.168.10.222 is the IP address of the Win XP Pro host from which I'm trying
> to get on the internet via the Linux gateway
> 
> 195.238.2.21 is the address of the DNS server of my ISP
> 
> As far as I can see the firewall drops all packets that attempt to reach my
> ISP DNS server. As to why: I don't have a clue....
> 
> Note: I can surf the internet on my Linux box without a problem...
> 
> Cheers,
> 
> Mombasa
> 
> 
> 
> IFCONFIG result:
> linux:~ # ifconfig
> dsl0      Link encap:Point-to-Point Protocol
>           inet addr:81.245.30.57  P-t-P:81.245.30.1  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
>           RX packets:60 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:27484 (26.8 Kb)  TX bytes:9159 (8.9 Kb)
> 
> eth0      Link encap:Ethernet  HWaddr 00:02:B3:27:F5:91
>           inet addr:192.168.10.213  Bcast:192.168.10.255  Mask:255.255.255.0
>           inet6 addr: fe80::202:b3ff:fe27:f591/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:129 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:17086 (16.6 Kb)  TX bytes:3662 (3.5 Kb)
> 
> eth1      Link encap:Ethernet  HWaddr 00:A0:24:CA:E8:2F
>           inet6 addr: fe80::2a0:24ff:feca:e82f/64 Scope:Link
>           UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:66 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:29239 (28.5 Kb)  TX bytes:14417 (14.0 Kb)
>           Interrupt:11 Base address:0xe400
> 
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:56 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:3283 (3.2 Kb)  TX bytes:3283 (3.2 Kb)
> 
> 
> FIREWALL LOG:
> 
> Oct 28 11:21:05 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=132 PROTO=UDP SPT=1031 DPT=53 LEN=90
> Oct 28 11:21:13 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=137
> PROTO=UDP SPT=1026 DPT=53 LEN=54
> Oct 28 11:21:14 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=138
> PROTO=UDP SPT=1026 DPT=53 LEN=54
> Oct 28 11:22:05 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=169
> PROTO=UDP SPT=1036 DPT=53 LEN=54
> Oct 28 11:22:16 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246
> ID=31609 PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Oct 28 11:22:17 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246
> ID=63363 PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Oct 28 11:22:20 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246
> ID=17186 PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Oct 28 11:22:26 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246
> ID=52673 PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Oct 28 11:22:37 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=65.54.195.185 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=3785
> PROTO=TCP SPT=80 DPT=1051 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Oct 28 11:23:06 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=196
> PROTO=UDP SPT=1040 DPT=53 LEN=54
> Oct 28 11:23:15 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=81.245.137.65 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
> ID=13885 DF PROTO=TCP SPT=1463 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> Oct 28 11:23:18 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=81.245.137.65 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
> ID=14232 DF PROTO=TCP SPT=1463 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=8192
> Oct 28 11:24:06 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=225
> PROTO=UDP SPT=1026 DPT=53 LEN=54
> Oct 28 11:24:07 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=81.245.89.170 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
> ID=25682 DF PROTO=TCP SPT=1578 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> Oct 28 11:24:29 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=81.245.87.165 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
> ID=15133 DF PROTO=TCP SPT=3769 DPT=139 WINDOW=32000 RES=0x00 SYN URGP=0
> Oct 28 11:24:31 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=204.16.208.76 DST=81.245.30.57 LEN=585 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF
> PROTO=UDP SPT=32843 DPT=1027 LEN=565
> Oct 28 11:24:39 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119
> ID=41751 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH URGP=0
> Oct 28 11:24:39 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=207.46.106.51 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=119
> ID=41752 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK FIN URGP=0
> Oct 28 11:24:40 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119
> ID=45662 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH FIN
> URGP=0
> Oct 28 11:24:42 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119
> ID=52454 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH FIN
> URGP=0
> Oct 28 11:24:46 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119 ID=2106
> DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH FIN URGP=0
> Oct 28 11:24:55 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119
> ID=29802 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH FIN
> URGP=0
> Oct 28 11:25:04 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=81.245.95.187 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
> ID=18227 DF PROTO=TCP SPT=4533 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 28 11:25:07 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=81.245.95.187 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124
> ID=18591 DF PROTO=TCP SPT=4533 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 28 11:25:13 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=207.46.106.51 DST=81.245.30.57 LEN=49 TOS=0x00 PREC=0x00 TTL=119
> ID=19491 DF PROTO=TCP SPT=1863 DPT=1027 WINDOW=64140 RES=0x00 ACK PSH FIN
> URGP=0
> Oct 28 11:25:15 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=226
> PROTO=UDP SPT=1026 DPT=53 LEN=54
> Oct 28 11:26:08 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=256
> PROTO=UDP SPT=1026 DPT=53 LEN=54
> Oct 28 11:27:01 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=194.78.133.231 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=61
> ID=25376 DF PROTO=TCP SPT=80 DPT=1046 WINDOW=6432 RES=0x00 ACK FIN URGP=0
> Oct 28 11:27:01 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=194.78.133.231 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=61
> ID=25377 DF PROTO=TCP SPT=80 DPT=1046 WINDOW=6432 RES=0x00 ACK FIN URGP=0
> Oct 28 11:27:02 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=194.78.133.231 DST=81.245.30.57 LEN=40 TOS=0x00 PREC=0x00 TTL=61
> ID=25378 DF PROTO=TCP SPT=80 DPT=1046 WINDOW=6432 RES=0x00 ACK FIN URGP=0
> Oct 28 11:27:17 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=257
> PROTO=UDP SPT=1026 DPT=53 LEN=54
> Oct 28 11:27:29 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=81.245.80.58 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=52016
> DF PROTO=TCP SPT=2277 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> Oct 28 11:27:32 linux kernel: Dropped INPUT packet: IN=dsl0 OUT= MAC=
> SRC=81.245.80.58 DST=81.245.30.57 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=52190
> DF PROTO=TCP SPT=2277 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> Oct 28 11:28:09 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=283
> PROTO=UDP SPT=1026 DPT=53 LEN=54
> Oct 28 11:31:17 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=284 PROTO=UDP SPT=1026 DPT=53 LEN=90
> Oct 28 11:31:18 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=285 PROTO=UDP SPT=1026 DPT=53 LEN=90
> Oct 28 11:31:19 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=286 PROTO=UDP SPT=1026 DPT=53 LEN=90
> Oct 28 11:32:22 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=329
> PROTO=UDP SPT=1026 DPT=53 LEN=44
> Oct 28 11:35:48 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=68 TOS=0x10 PREC=0x00 TTL=127 ID=335
> PROTO=UDP SPT=1054 DPT=53 LEN=48
> Oct 28 11:35:49 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=68 TOS=0x10 PREC=0x00 TTL=127 ID=336
> PROTO=UDP SPT=1054 DPT=53 LEN=48
> Oct 28 11:35:50 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=68 TOS=0x10 PREC=0x00 TTL=127 ID=337
> PROTO=UDP SPT=1054 DPT=53 LEN=48
> Oct 28 11:44:05 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=358 PROTO=UDP SPT=1026 DPT=53 LEN=90
> Oct 28 11:44:06 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=359 PROTO=UDP SPT=1026 DPT=53 LEN=90
> Oct 28 11:44:07 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=360 PROTO=UDP SPT=1026 DPT=53 LEN=90
> Oct 28 11:45:07 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=412
> PROTO=UDP SPT=1062 DPT=53 LEN=54
> Oct 28 11:48:56 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=418 PROTO=UDP SPT=1025 DPT=53 LEN=90
> Oct 28 11:48:57 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=419 PROTO=UDP SPT=1025 DPT=53 LEN=90
> Oct 28 11:48:58 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=420 PROTO=UDP SPT=1025 DPT=53 LEN=90
> Oct 28 11:57:28 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=457 PROTO=UDP SPT=1025 DPT=53 LEN=90
> Oct 28 11:57:29 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=458 PROTO=UDP SPT=1025 DPT=53 LEN=90
> Oct 28 11:57:30 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=459 PROTO=UDP SPT=1025 DPT=53 LEN=90
> Oct 28 11:59:30 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=488
> PROTO=UDP SPT=1025 DPT=53 LEN=54
> Oct 28 11:59:31 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=489
> PROTO=UDP SPT=1025 DPT=53 LEN=54
> Oct 28 12:07:51 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=533
> PROTO=UDP SPT=1025 DPT=53 LEN=62
> Oct 28 12:07:52 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=534
> PROTO=UDP SPT=1025 DPT=53 LEN=62
> Oct 28 12:07:53 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=535
> PROTO=UDP SPT=1025 DPT=53 LEN=62
> Oct 28 12:14:42 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=544
> PROTO=UDP SPT=1025 DPT=53 LEN=54
> Oct 28 12:14:43 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=545
> PROTO=UDP SPT=1025 DPT=53 LEN=54
> Oct 28 12:14:44 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=546
> PROTO=UDP SPT=1025 DPT=53 LEN=54
> Oct 28 12:20:09 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=575
> PROTO=UDP SPT=1026 DPT=53 LEN=62
> Oct 28 12:20:10 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=576
> PROTO=UDP SPT=1026 DPT=53 LEN=62
> Oct 28 12:20:11 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=82 TOS=0x10 PREC=0x00 TTL=127 ID=577
> PROTO=UDP SPT=1026 DPT=53 LEN=62
> Oct 28 12:29:28 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=584 PROTO=UDP SPT=1026 DPT=53 LEN=90
> Oct 28 12:29:29 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=585 PROTO=UDP SPT=1026 DPT=53 LEN=90
> Oct 28 12:29:30 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=586 PROTO=UDP SPT=1026 DPT=53 LEN=90
> Oct 28 12:30:28 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=110 TOS=0x10 PREC=0x00 TTL=127
> ID=616 PROTO=UDP SPT=1025 DPT=53 LEN=90
> Oct 28 12:31:33 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=74 TOS=0x10 PREC=0x00 TTL=127 ID=663
> PROTO=UDP SPT=1077 DPT=53 LEN=54
> Oct 28 12:33:02 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=680
> PROTO=UDP SPT=1026 DPT=53 LEN=44
> Oct 28 12:33:03 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=681
> PROTO=UDP SPT=1026 DPT=53 LEN=44
> Oct 28 12:33:04 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=682
> PROTO=UDP SPT=1026 DPT=53 LEN=44
> Oct 28 12:34:09 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=685
> PROTO=UDP SPT=1026 DPT=53 LEN=44
> Oct 28 12:34:10 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=686
> PROTO=UDP SPT=1026 DPT=53 LEN=44
> Oct 28 12:34:11 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=687
> PROTO=UDP SPT=1026 DPT=53 LEN=44
> Oct 28 12:35:16 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=690
> PROTO=UDP SPT=1026 DPT=53 LEN=44
> Oct 28 12:35:17 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=691
> PROTO=UDP SPT=1026 DPT=53 LEN=44
> Oct 28 12:35:18 linux kernel: Dropped FORWARD packet: IN=eth0 OUT=dsl0
> SRC=192.168.10.222 DST=195.238.2.21 LEN=64 TOS=0x10 PREC=0x00 TTL=127 ID=692
> PROTO=UDP SPT=1026 DPT=53 LEN=44
> 
> 
> 
> 
> 
> 
> 
> 
> ----- Original Message -----
> From: "Arno van Amersfoort" <arnova at rocky.eld.leidenuniv.nl>
> To: "Arno's IPTABLES firewall script" <firewall at lists.btito.net>
> Sent: Thursday, October 26, 2006 9:16 PM
> Subject: Re: [Firewall] Can't get NAT - Masquerading to work....
> 
> 
>> Could you also provide us with a dump of 'ifconfig' + anything shown in
>> your firewall logs (ie. dropped packets)? For now you could try to set
>> "SET_MSS=0" and/or "NO_PMTU_DISCOVERY=1".
>>
>> Please let us now your findings and provide us with the additional
>> information as requested....
>>
>> a.
>>
>> mombasa wrote:
>>> I'm a Linux novice and I am trying to build an internet gateway for a
>>> network of Windows XP Pro clients.
>>>
>>> I used the latest Suse Linux distro (I believe v10.1).
>>> When I configure the firewall and masquerading with the Suse Yast tool,
>>> everything works fine and my Windows XP Pro clients can access the
>>> internet through the Linux gateway machine.
>>>
>>> Because I would like to tighten security, I would like to use Arno's
>>> firewall script instead.
>>>
>>> I've made only minimal changes to the config file to try to get the
>>> masquerading running, but I can't seem to get it to work.
>>> When I run the script I can still access the internet from the Linux box,
>>> but my XP Pro clients lose their internet connection.
>>> I've read all the FAQs and browsed through the mailing list and I don't
>>> see what I'm doing wrong.
>>>
>>> It will probably be something stupid of me.
>>>
>>> I hope somebody can help me because it is driving me nuts...
>>>
>>> Here is the config file and the result of running this config file:
>>>
>>>
>>>
>>> ###############################################################################
>>> # You should put this config-file in /etc/arno-iptables-firewall/             #
>>> ###############################################################################
>>> IPTABLES="/usr/sbin/iptables"
>>>
>>>
>>> ###############################################################################
>>> # External (internet) interface settings                                      #
>>> ###############################################################################
>>>
>>> EXT_IF="ppp+"
>>>
>>> EXT_IF_DHCP_IP=1
>>>
>>>
>>> EXTERNAL_NET=""
>>>
>>>
>>> EXT_NET_BCAST_ADDRESS=""
>>>
>>>
>>> EXTERNAL_DHCP_SERVER=0
>>>
>>>
>>>
>>> ###############################################################################
>>> # Internal (LAN) interface settings                                           #
>>> ###############################################################################
>>>
>>> INT_IF="eth0"
>>>
>>>
>>> INTERNAL_NET="192.168.10.0/24"
>>>
>>>
>>> INT_NET_BCAST_ADDRESS=""
>>>
>>>
>>>
>>>
>>> ###############################################################################
>>> # DMZ (aka DeMilitarized Zone) settings                                       #
>>> ###############################################################################
>>>
>>> DMZ_IF=""
>>>
>>>
>>> DMZ_NET=""
>>>
>>>
>>>
>>> ###############################################################################
>>> # NAT (Masquerade, SNAT, DNAT) settings                                       #
>>> ###############################################################################
>>>
>>> NAT=1
>>>
>>>
>>> NAT_INTERNAL_NET="$INTERNAL_NET"
>>>
>>> NAT_TCP_FORWARD=""
>>> NAT_UDP_FORWARD=""
>>> NAT_IP_FORWARD=""
>>>
>>>
>>>
>>> ###############################################################################
>>> # (ADSL) Modem settings                                                       #
>>> ###############################################################################
>>>
>>> MODEM_IF="eth1"
>>>
>>>
>>> MODEM_INTERNAL_NET=$INTERNAL_NET
>>>
>>>
>>>
>>> ###############################################################################
>>> # General settings                                                            #
>>> ###############################################################################
>>>
>>> DMESG_PANIC_ONLY=1
>>>
>>> MANGLE_TOS=1
>>>
>>>
>>> SET_MSS=1
>>>
>>>
>>> TTL_INC=0
>>>
>>>
>>> RESOLV_IPS=0
>>>
>>> USE_IRC=0
>>>
>>>
>>> LOOSE_FORWARD=0
>>>
>>>
>>> DROP_PRIVATE_ADDRESSES=0
>>>
>>>
>>> DRDOS_PROTECT=0
>>>
>>>
>>> IPV6_SUPPORT=0
>>>
>>>
>>> NMB_BROADCAST_FIX=0
>>>
>>>
>>> TRUSTED_IF=""
>>>
>>> INT_IF_TRUST=""
>>>
>>>
>>> CUSTOM_RULES=/etc/arno-iptables-firewall/custom-rules
>>>
>>>
>>>
>>> ###############################################################################
>>> # Logging options - All logging is rate limited to prevent log flooding       #
>>> ###############################################################################
>>> # Enable logging for explicitly blocked hosts.
>>> # -----------------------------------------------------------------------------
>>> BLOCKED_HOST_LOG=1
>>>
>>> # Enable logging for various stealth scans (reliable).
>>> # -----------------------------------------------------------------------------
>>> SCAN_LOG=1
>>>
>>> # Enable logging for possible stealth scans (less reliable).
>>> # -----------------------------------------------------------------------------
>>> POSSIBLE_SCAN_LOG=0
>>>
>>> # Enable logging for TCP-packets with bad flags.
>>> # -----------------------------------------------------------------------------
>>> BAD_FLAGS_LOG=0
>>>
>>>
>>> INVALID_PACKET_LOG=0
>>>
>>> # Enable logging of source IP's with reserved addresses.
>>> # -----------------------------------------------------------------------------
>>> RESERVED_NET_LOG=1
>>>
>>> # Enable logging of fragmented packets.
>>> # -----------------------------------------------------------------------------
>>> FRAG_LOG=1
>>>
>>> # Enable logging of denied local (OUTPUT) connections.
>>> # -----------------------------------------------------------------------------
>>> OUTPUT_DENY_LOG=1
>>>
>>> # Enable logging of denied LAN output (FORWARD) connections.
>>> # -----------------------------------------------------------------------------
>>> LAN_OUTPUT_DENY_LOG=1
>>>
>>> # Enable logging of denied LAN INPUT connections.
>>> # -----------------------------------------------------------------------------
>>> LAN_INPUT_DENY_LOG=1
>>>
>>> # Enable logging of denied DMZ output (FORWARD) connections.
>>> # -----------------------------------------------------------------------------
>>> DMZ_OUTPUT_DENY_LOG=1
>>>
>>> # Enable logging of denied DMZ input (FORWARD) connections.
>>> # -----------------------------------------------------------------------------
>>> DMZ_INPUT_DENY_LOG=1
>>>
>>> # Enable logging of dropped ICMP-request packets (ping).
>>> # -----------------------------------------------------------------------------
>>> ICMP_REQUEST_LOG=1
>>>
>>> # Enable logging of dropped "other" ICMP packets.
>>> # -----------------------------------------------------------------------------
>>> ICMP_OTHER_LOG=1
>>>
>>> # Enable logging of normal connection attempts to privileged TCP ports.
>>> # -----------------------------------------------------------------------------
>>> PRIV_TCP_LOG=1
>>>
>>> # Enable logging of normal connection attempts to privileged UDP ports.
>>> # -----------------------------------------------------------------------------
>>> PRIV_UDP_LOG=1
>>>
>>> # Enable logging of normal connection attempts to unprivileged TCP ports.
>>> # -----------------------------------------------------------------------------
>>> UNPRIV_TCP_LOG=1
>>>
>>> # Enable logging of normal connection attempts to unprivileged UDP ports.
>>> # -----------------------------------------------------------------------------
>>> UNPRIV_UDP_LOG=1
>>>
>>> # Enable logging of normal connection attempts to "other-IP"-protocols (non
>>> # TCP/UDP/ICMP).
>>> # -----------------------------------------------------------------------------
>>> OTHER_IP_LOG=1
>>>
>>> # Enable logging for ICMP flooding.
>>> # -----------------------------------------------------------------------------
>>> ICMP_FLOOD_LOG=1
>>>
>>> # Enable logging for not-allowed MAC addresses (if used).
>>> # -----------------------------------------------------------------------------
>>> MAC_ADDRESS_LOG=1
>>>
>>>
>>>
>>>
>>> LOGLEVEL=info
>>>
>>>
>>> LOG_HOST_TCP_INPUT=""
>>> LOG_HOST_UDP_INPUT=""
>>> LOG_HOST_IP_INPUT=""
>>>
>>>
>>> LOG_HOST_TCP_OUTPUT=""
>>> LOG_HOST_UDP_OUTPUT=""
>>> LOG_HOST_IP_OUTPUT=""
>>>
>>> # Put in the following variables which services you want to log incoming
>>> # connection attempts for.
>>> # -----------------------------------------------------------------------------
>>> LOG_TCP_INPUT=""
>>> LOG_UDP_INPUT=""
>>> LOG_IP_INPUT=""
>>>
>>> # Put in the following variables which services you want to log outgoing
>>> # connection attempts for.
>>> # -----------------------------------------------------------------------------
>>> LOG_TCP_OUTPUT=""
>>> LOG_UDP_OUTPUT=""
>>> LOG_IP_OUTPUT=""
>>>
>>> # Put in the following variable which hosts you want to log incoming connection
>>> # (attempts) for.
>>> # -----------------------------------------------------------------------------
>>> LOG_HOST_INPUT=""
>>>
>>> # Put in the following variable which hosts you want to log outgoing connection
>>> # (attempts) to.
>>> # -----------------------------------------------------------------------------
>>> LOG_HOST_OUTPUT=""
>>>
>>>
>>>
>>> ###############################################################################
>>> # /proc based settings (EXPERT SETTINGS!)                                     #
>>> ###############################################################################
>>> # Enable for synflood protection (through /proc/.../tcp_syncookies).
>>> # -----------------------------------------------------------------------------
>>> SYN_PROT=1
>>>
>>> # Enable this to reduce the ability of others DOS'ing your machine.
>>> # -----------------------------------------------------------------------------
>>> REDUCE_DOS_ABILITY=1
>>>
>>> # Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
>>> # -----------------------------------------------------------------------------
>>> ECHO_IGNORE=0
>>>
>>> # Enable to log packets with impossible addresses to the kernel log.
>>> # -----------------------------------------------------------------------------
>>> LOG_MARTIANS=0
>>>
>>> # Only disable this if you're NOT using forwarding (required for NAT etc.) for
>>> # increased security.
>>> # -----------------------------------------------------------------------------
>>> IP_FORWARDING=1
>>>
>>> # Enable if you want to accept ICMP redirect messages. Should be set to "0" in
>>> # case of a router.
>>> # -----------------------------------------------------------------------------
>>> ICMP_REDIRECT=0
>>>
>>> # Enable/modify this if you want to be able to handle a larger (or smaller)
>>> # number of simultaneous connections. For high traffic machines I recommend to
>>> # use a value of at least 16384 (note that a higher value (obviously) also uses
>>> # more memory).
>>> # -----------------------------------------------------------------------------
>>> CONNTRACK=16384
>>>
>>> # You may need to enable this to get some internet games to work, but note that
>>> # it's *less* secure.
>>> # -----------------------------------------------------------------------------
>>> LOOSE_UDP_PATCH=0
>>>
>>> # Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
>>> # as some routers are still not compatible with this.
>>> # -----------------------------------------------------------------------------
>>> ECN=0
>>>
>>>
>>> RP_FILTER=1
>>>
>>>
>>> SOURCE_ROUTE_PROTECTION=1
>>>
>>>
>>> LOCAL_PORT_RANGE="32768 61000"
>>>
>>>
>>> DEFAULT_TTL=64
>>>
>>> # In most cases pmtu discovery is ok, but in some rare cases (when having
>>> # problems) you might want to disable it.
>>> # -----------------------------------------------------------------------------
>>> NO_PMTU_DISCOVERY=0
>>>
>>>
>>>
>>> ###############################################################################
>>> # (Transparent) proxy settings (EXPERT SETTINGS!)                             #
>>> ###############################################################################
>>> #HTTP_PROXY_PORT="3128"
>>> HTTPS_PROXY_PORT=""
>>> FTP_PROXY_PORT=""
>>> SMTP_PROXY_PORT=""
>>> POP3_PROXY_PORT=""
>>>
>>>
>>>
>>> ###############################################################################
>>> # Firewall policies for the LAN (EXPERT SETTINGS!)                            #
>>> ###############################################################################
>>>
>>> ###############################################################################
>>> # LAN_xxx = LAN->localhost(this machine) input access rules                   #
>>> #                                                                             #
>>> # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the      #
>>> # default policy for this chain is accept (unless denied through              #
>>> # LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)!                                     #
>>> ###############################################################################
>>> # Enable this to allow for ICMP-requests(ping) from your LAN
>>> # -----------------------------------------------------------------------------
>>> LAN_OPEN_ICMP=1
>>>
>>> # Put in the following variables the TCP/UDP ports or IP protocols TO
>>> # (remote end-point) which the LAN hosts are permitted to connect to.
>>> # -----------------------------------------------------------------------------
>>> LAN_OPEN_TCP=""
>>> LAN_OPEN_UDP=""
>>> LAN_OPEN_IP=""
>>>
>>> # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
>>> # end-point) which LAN hosts are NOT permitted to connect to.
>>> # -----------------------------------------------------------------------------
>>> LAN_DENY_TCP=""
>>> LAN_DENY_UDP=""
>>> LAN_DENY_IP=""
>>>
>>>
>>> LAN_HOST_OPEN_TCP=""
>>> LAN_HOST_OPEN_UDP=""
>>> LAN_HOST_OPEN_IP=""
>>>
>>>
>>> LAN_HOST_DENY_TCP=""
>>> LAN_HOST_DENY_UDP=""
>>> LAN_HOST_DENY_IP=""
>>>
>>>
>>>
>>> ###############################################################################
>>> # LAN_INET_xxx = LAN->internet access rules (forward)                         #
>>> #                                                                             #
>>> # Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT      #
>>> # used, the default policy for this chain is accept (unless denied            #
>>> # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)!                   #
>>> ###############################################################################
>>> # Enable this to allow for ICMP-requests(ping) for LAN->INET
>>> # -----------------------------------------------------------------------------
>>> LAN_INET_OPEN_ICMP=1
>>>
>>>
>>> LAN_INET_OPEN_TCP=""
>>> LAN_INET_OPEN_UDP=""
>>> LAN_INET_OPEN_IP=""
>>>
>>>
>>> LAN_INET_DENY_TCP=""
>>> LAN_INET_DENY_UDP=""
>>> LAN_INET_DENY_IP=""
>>>
>>> # Put in the following variables which LAN hosts you want to allow to certain
>>> # hosts/services on the internet. By default all services are allowed.
>>>
>>> LAN_INET_HOST_OPEN_TCP=""
>>> LAN_INET_HOST_OPEN_UDP=""
>>> LAN_INET_HOST_OPEN_IP=""
>>>
>>> # Put in the following variables which DMZ hosts you want to deny to certain
>>> # hosts/services on the internet.
>>>
>>> LAN_INET_HOST_DENY_TCP=""
>>> LAN_INET_HOST_DENY_UDP=""
>>> LAN_INET_HOST_DENY_IP=""
>>>
>>>
>>>
>>> ###############################################################################
>>> # Firewall policies for the DMZ (EXPERT SETTINGS!)                            #
>>> ###############################################################################
>>>
> ############################################################################
> ###
>>> # DMZ_xxx      = DMZ->localhost(this machine) input access
>>> rules              #
>>>
> ############################################################################
> ###
>>> # Enable this to allow ICMP-requests(ping) from the DMZ
>>> #
>> --------------------------------------------------------------------------
> ---
>>> DMZ_OPEN_ICMP=1
>>>
>>>
>>> DMZ_OPEN_TCP=""
>>> DMZ_OPEN_UDP=""
>>> DMZ_OPEN_IP=""
>>>
>>>
>>> DMZ_HOST_OPEN_TCP=""
>>> DMZ_HOST_OPEN_UDP=""
>>> DMZ_HOST_OPEN_IP=""
>>>
>>>
>>>
> ############################################################################
> ###
>>> # INET_DMZ_xxx = Internet->DMZ access rules
>>> (forward)                         #
>>> #
>>> #
>>> # Note that when both INET_DMZ_OPEN_xxx & INET_DMZ_HOST_OPEN_xxx are
>>> NOT      #
>>> # used, the default policy for this chain is accept (unless
>>> denied            #
>>> # through INET_DMZ_DENY_xxx and/or
>>> INET_DMZ_HOST_DENY_xxx)!                   #
>>>
> ############################################################################
> ###
>>> # Enable this to make the default policy allow for ICMP(ping) for
> INET->DMZ
>>> #
>> --------------------------------------------------------------------------
> ---
>>> INET_DMZ_OPEN_ICMP=0
>>>
>>> # Put in the following variables which INET hosts are permitted to
>>> connect to
>>> # certain the TCP/UDP ports or IP protocols in the DMZ.
>>> #
>> --------------------------------------------------------------------------
> ---
>>> INET_DMZ_OPEN_TCP=""
>>> INET_DMZ_OPEN_UDP=""
>>> INET_DMZ_OPEN_IP=""
>>>
>>> # Put in the following variables which INET hosts are NOT permitted to
>>> connect
>>> # to certain the TCP/UDP ports or IP protocols in the DMZ.
>>> #
>> --------------------------------------------------------------------------
> ---
>>> INET_DMZ_DENY_TCP=""
>>> INET_DMZ_DENY_UDP=""
>>> INET_DMZ_DENY_IP=""
>>>
>>> # Put in the following variables which INET hosts you want to allow to
>>> certain
>>> # hosts/services on the DMZ net. By default all services are allowed.
>>>
>>> INET_DMZ_HOST_OPEN_TCP=""
>>> INET_DMZ_HOST_OPEN_UDP=""
>>> INET_DMZ_HOST_OPEN_IP=""
>>>
>>> # Put in the following variables which INET hosts you want to deny to
>>> certain
>>> # hosts/services on the DMZ net.
>>>
>>> INET_DMZ_HOST_DENY_TCP=""
>>> INET_DMZ_HOST_DENY_UDP=""
>>> INET_DMZ_HOST_DENY_IP=""
>>>
>>>
>>>
> ############################################################################
> ###
>>> # DMZ_INET_xxx = DMZ->internet access rules
>>> (forward)                         #
>>> #
>>> #
>>> # Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are
>>> NOT      #
>>> # used, the default policy for this chain is accept (unless
>>> denied            #
>>> # through DMZ_INET_DENY_xxx and/or
>>> DMZ_INET_HOST_DENY_xxx)!                   #
>>>
> ############################################################################
> ###
>>> # Enable this to make the default policy allow for ICMP(ping) for
> DMZ->INET
>>> #
>> --------------------------------------------------------------------------
> ---
>>> DMZ_INET_OPEN_ICMP=1
>>>
>>>
>>> DMZ_INET_OPEN_TCP=""
>>> DMZ_INET_OPEN_UDP=""
>>> DMZ_INET_OPEN_IP=""
>>>
>>>
>>> DMZ_INET_DENY_TCP=""
>>> DMZ_INET_DENY_UDP=""
>>> DMZ_INET_DENY_IP=""
>>>
>>> # Put in the following variables which DMZ hosts you want to allow to
>>> certain
>>> # hosts/services on the internet. By default all services are allowed.
>>> #
>>>
>>> DMZ_INET_HOST_OPEN_TCP=""
>>> DMZ_INET_HOST_OPEN_UDP=""
>>> DMZ_INET_HOST_OPEN_IP=""
>>>
>>> # Put in the following variables which DMZ hosts you want to deny to
> certain
>>> # hosts/services on the internet.
>>>
>>> DMZ_INET_HOST_DENY_TCP=""
>>> DMZ_INET_HOST_DENY_UDP=""
>>> DMZ_INET_HOST_DENY_IP=""
>>>
>>>
>>>
> ############################################################################
> ###
>>> # DMZ_LAN_xxx  = DMZ->LAN access rules
>>> (forward)                              #
>>>
> ############################################################################
> ###
>>> # Enable this to make the default policy allow for ICMP(ping) for
> DMZ->LAN
>>> #
>> --------------------------------------------------------------------------
> ---
>>> DMZ_LAN_OPEN_ICMP=0
>>>
>>> # Put in the following variables which DMZ hosts you want to allow to
>>> certain
>>> # hosts/services on the LAN (net).
>>>
>>> DMZ_LAN_HOST_OPEN_TCP=""
>>> DMZ_LAN_HOST_OPEN_UDP=""
>>> DMZ_LAN_HOST_OPEN_IP=""
>>>
>>>
>>>
> ############################################################################
> ###
>>> # Firewall policies for the external (inet) interface (default policy =
>>> drop) #
>>>
> ############################################################################
> ###
>>>
>>> FULL_ACCESS_HOSTS=""
>>>
>>> # Enable this to make the default policy allow for ICMP(ping) for INET
>>> access
>>> #
>> --------------------------------------------------------------------------
> ---
>>> OPEN_ICMP=0
>>>
>>> # Put in the following variables which ports or IP protocols you want to
>>> leave
>>> # open to the whole world.
>>> #
>> --------------------------------------------------------------------------
> ---
>>> OPEN_TCP=""
>>> OPEN_UDP=""
>>> OPEN_IP=""
>>>
>>>
>>> DENY_TCP=""
>>> DENY_UDP=""
>>>
>>>
>>> DENY_TCP_NOLOG=""
>>> DENY_UDP_NOLOG=""
>>>
>>> # Put in the following variables the TCP/UDP ports you want to REJECT
>>> (instead
>>> # of DROP) for everyone (and logged).
>>> #
>> --------------------------------------------------------------------------
> ---
>>> REJECT_TCP=""
>>> REJECT_UDP=""
>>>
>>> # Put in the following variables the TCP/UDP ports you want to REJECT
>>> (instead
>>> # of DROP) for everyone but NOT logged.
>>> #
>> --------------------------------------------------------------------------
> ---
>>> REJECT_TCP_NOLOG=""
>>> REJECT_UDP_NOLOG=""
>>>
>>> # Put in the following variables which hosts you want to allow for
> certain
>>> # services.
>>>
>>> HOST_OPEN_TCP=""
>>> HOST_OPEN_UDP=""
>>> HOST_OPEN_IP=""
>>> HOST_OPEN_ICMP=""
>>>
>>> # Put in the following variables which hosts you want to DENY(DROP) for
>>> certain
>>> # services (and logged).
>>>
>>> HOST_DENY_TCP=""
>>> HOST_DENY_UDP=""
>>> HOST_DENY_IP=""
>>> HOST_DENY_ICMP=""
>>>
>>> # Put in the following variables which hosts you want to DENY(DROP) for
>>> certain
>>> # services but NOT logged.
>>>
>>> HOST_DENY_TCP_NOLOG=""
>>> HOST_DENY_UDP_NOLOG=""
>>> HOST_DENY_IP_NOLOG=""
>>> HOST_DENY_ICMP_NOLOG=""
>>>
>>>
>>> HOST_REJECT_TCP=""
>>> HOST_REJECT_UDP=""
>>>
>>>
>>> HOST_REJECT_TCP_NOLOG=""
>>> HOST_REJECT_UDP_NOLOG=""
>>>
>>>
>>> DENY_TCP_OUTPUT=""
>>> DENY_UDP_OUTPUT=""
>>> DENY_IP_OUTPUT=""
>>>
>>>
>>>
>>> HOST_DENY_TCP_OUTPUT=""
>>> HOST_DENY_UDP_OUTPUT=""
>>> HOST_DENY_IP_OUTPUT=""
>>>
>>>
>>> BROADCAST_TCP_NOLOG=""
>>>
>>> BLOCK_HOSTS=""
>>>
>>>
>>>
>>>
>>>
>>> Here the result of running this config file:
>>>
>>>
>>>
>>>
>>> Arno's Iptables Firewall Script v1.8.8b
>>> -------------------------------------------------------------------------------
>>> Sanity checks passed...OK
>>> Detected IPTABLES module... Loading additional IPTABLES modules:
>>> All IPTABLES modules loaded!
>>> Setting the kernel ring buffer to only log panic messages to the console
>>> Configuring /proc/.... settings:
>>>  Enabling anti-spoof with rp_filter
>>>  Enabling SYN-flood protection via SYN-cookies
>>>  Disabling the logging of martians
>>>  Disabling the acception of ICMP-redirect messages
>>>  Setting the max. amount of simultaneous connections to 16384
>>>  Enabling protection against source routed packets
>>>  Setting default conntrack timeouts
>>>  Enabling reduction of the DoS'ing ability
>>>  Setting Default TTL=64
>>>  Disabling ECN (Explicit Congestion Notification)
>>>  Enabling support for dynamic IP's
>>>  Flushing route table
>>> /proc/ setup done...
>>> Flushing rules in the filter table
>>> Setting default (secure) policies
>>> Using loglevel "info" for syslogd
>>>
>>> Setting up firewall rules:
>>> -------------------------------------------------------------------------------
>>> Accepting packets from the local loopback device
>>> Enabling setting the maximum packet size via MSS
>>> Enabling mangling TOS
>>> Logging of stealth scans (nmap probes etc.) enabled
>>> Logging of packets with bad TCP-flags disabled
>>> Logging of INVALID packets disabled
>>> Logging of fragmented packets enabled
>>> Logging of access from reserved addresses enabled
>>> Setting up anti-spoof rules
>>> Reading custom IPTABLES rules from /etc/arno-iptables-firewall/custom-rules
>>> Loading (user) plugins
>>> Applying rules for (A)DSL modem on interface: eth1
>>> Setting up INPUT policy for the external net (INET):
>>> Enabling support for a DHCP assigned IP on external interface(s): ppp+
>>> Logging of explicitly blocked hosts enabled
>>> Logging of denied local output connections enabled
>>> Packets will NOT be checked for private source addresses
>>> Denying the whole world to send ICMP-requests(ping)
>>> Logging of dropped ICMP-request(ping) packets enabled
>>> Logging of dropped other ICMP packets enabled
>>> Logging of possible stealth scans disabled
>>> Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
>>> Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
>>> Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
>>> Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
>>> Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
>>> Logging of ICMP flooding enabled
>>> Applying INET policy to external (INET) interface: ppp+ (without an external subnet specified)
>>> Setting up INPUT policy for internal (LAN) interface(s): eth0
>>>  Allowing ICMP-requests(ping)
>>>  Allowing all (other) protocols
>>> Setting up FORWARD policy for internal (LAN) interface(s): eth0
>>>  Logging of denied LAN->INET FORWARD connections enabled
>>>  Setting up LAN->INET policy:
>>>   Allowing ICMP-requests(ping)
>>>   Allowing all (other) protocols
>>> Enabling masquerading(NAT) for internal host(s): 192.168.10.0/24 via ppp+
>>> Security is ENFORCED for external interface(s) in the FORWARD chain
>>>
>>> Oct 25 11:26:37 All firewall rules applied.
>>>
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at lists.btito.net
>>> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
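The script output quoted above installs masquerading "via ppp+" while the ifconfig output shows the only uplink is called dsl0, which is exactly the mismatch the reply points at: iptables treats a trailing "+" in an interface name as a prefix wildcard, so "-o ppp+" matches ppp0, ppp1 and so on, but never dsl0, and a MASQUERADE rule bound to it is installed yet never hit. The following is an added example, not part of this thread or of Arno's firewall script, showing how that wildcard is matched and how to check a candidate EXT_IF value against the interfaces actually present before reloading the firewall. The interface list used in the demo is constructed from the ifconfig output in the thread; the function names are mine.

```shell
#!/bin/sh
# Added example: check whether an EXT_IF value (with iptables' trailing-'+'
# wildcard) matches any interface on the box. Not part of arno-iptables-firewall.

# iface_matches PATTERN NAME
# Returns 0 when NAME matches PATTERN using iptables interface semantics:
# a trailing '+' matches any name with the given prefix, otherwise exact match.
iface_matches() {
    pat=$1
    name=$2
    case "$pat" in
        *+)
            prefix=${pat%+}
            case "$name" in
                "$prefix"*) return 0 ;;
                *)          return 1 ;;
            esac
            ;;
        *)
            [ "$pat" = "$name" ]
            ;;
    esac
}

# matching_ifaces PATTERN [NAME...]
# Prints, one per line, the names that match PATTERN. With no NAMEs it reads
# the live interface list from /sys/class/net (run it that way on the gateway).
matching_ifaces() {
    pat=$1
    shift
    if [ $# -eq 0 ]; then
        set -- $(ls /sys/class/net 2>/dev/null)
    fi
    for n in "$@"; do
        iface_matches "$pat" "$n" && printf '%s\n' "$n"
    done
    return 0
}

# check_ext_if PATTERN [NAME...]
# Prints "ok" when at least one interface matches PATTERN, "nomatch" otherwise.
# "nomatch" means a rule such as
#   iptables -t nat -A POSTROUTING -o "$PATTERN" -j MASQUERADE
# would load without error but never see a packet.
check_ext_if() {
    found=$(matching_ifaces "$@")
    if [ -n "$found" ]; then
        echo ok
    else
        echo nomatch
    fi
}

# Constructed interface list, taken from the ifconfig output quoted in the thread.
SAMPLE_IFACES="dsl0 eth0 eth1 lo"

# Demo: compare the thread's EXT_IF="ppp+" with the suggested EXT_IF="dsl0".
if [ "${1:-}" = "--demo" ]; then
    for pat in "ppp+" "dsl0" "dsl+"; do
        printf 'EXT_IF="%s": %s\n' "$pat" "$(check_ext_if "$pat" $SAMPLE_IFACES)"
    done
fi
```

Run with `--demo` to see the three verdicts against the constructed list; on the gateway itself call `check_ext_if "$EXT_IF"` with no further arguments to test against the real interfaces. The same symptom is visible after the fact with `iptables -t nat -vnL POSTROUTING`: when the out-interface pattern never matches, the MASQUERADE rule's packet counter stays at zero while LAN clients' DNS and web traffic is forwarded unmasqueraded and dropped or unanswered upstream.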