[Firewall] Fwd: Can't get the HTTPS port forwarding

Romy Roma bouroy at googlemail.com
Sun Mar 28 14:00:10 CEST 2010


Output of arno-iptables-firewall start

Arno's Iptables Firewall Script v1.9.2d
-------------------------------------------------------------------------------
Sanity checks passed...OK
Stopping (user) plugins...
Checking/probing IPv4 Iptables modules:
 Module check done...
Setup kernel settings:
 Setting the max. amount of simultaneous connections to 16384
 Setting default conntrack timeouts
 Enabling protection against source routed packets
 Enabling packet forwarding
 Enabling reduction of the DoS'ing ability
 Enabling anti-spoof with rp_filter
 Enabling SYN-flood protection via SYN-cookies
 Disabling the logging of martians
 Disabling the acception of ICMP-redirect messages
 Setting default TTL=64
 Disabling ECN (Explicit Congestion Notification)
 Flushing route table
 Kernel setup done...
Reinitializing firewall chains
 Setting default INPUT/FORWARD policy to DROP
Using loglevel "debug" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Setting up (antispoof) INTERNAL net(s): 10.120.132.0/23 10.120.131.0/24
Logging incoming connections of 10.120.132.2 to TCP port(s): 3306
Logging incoming connections of  to TCP port(s): 10.120.132.105
Logging outgoing connections of  to TCP port(s): 10.120.132.105
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
 Loaded 0 plugin(s)...
Setting up INPUT policy for the external net (INET):
 Logging of explicitly blocked hosts enabled
 Logging of denied local output connections enabled
 Packets will NOT be checked for private source addresses
 Allowing ANYHOST for TCP port(s): 22
 Allowing ANYHOST for TCP port(s): 25
 Allowing ANYHOST for UDP port(s): 1194
 Allowing ANYHOST to send ICMP-requests(ping)
 Logging of dropped ICMP-request(ping) packets enabled
 Logging of dropped other ICMP packets enabled
 Logging of possible stealth scans enabled
 Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
 Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
 Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
 Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
 Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
 Logging of ICMP flooding enabled
Setting up OUTPUT policy for the external net (INET):
 Allowing all (other) ports/protocols
Applying INET policy to external interface: eth0 (without an external subnet specified)
Setting up INPUT policy for internal (LAN) interface(s): dummy+ tun0 tap+
 Allowing ICMP-requests(ping)
 Allowing all (other) ports/protocols
Accepting ALL INPUT traffic from trusted interface(s): tun+
Accepting ALL FORWARD traffic for trusted interface(s): tun+
Setting up FORWARD policy for internal (LAN) interface(s): dummy+ tun0 tap+
 Logging of denied LAN->INET FORWARD connections enabled
 Setting up LAN->INET policy:
  Allowing ICMP-requests(ping)
  Allowing all (other) TCP ports
  Allowing all (other) UDP ports
  Allowing all (other) protocols
Enabling SNAT via external interface(s): eth0
 Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
(eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
(eth0) Forwarding(NAT) TCP port(s) 0/0:443 to 10.120.132.105:8543
Security is ENFORCED for external interface(s) in the FORWARD chain

Mar 28 13:53:01 All firewall rules applied.

---------- Forwarded message ----------
From: Romy Roma <bouroy at googlemail.com>
Date: Sun, Mar 28, 2010 at 1:42 PM
Subject: Can't get the HTTPS port forwarding
To: firewall at rocky.eld.leidenuniv.nl


More information for my network settings:

dummy0    Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
          inet addr:10.120.132.1  Bcast:10.120.133.255  Mask:255.255.254.0
          inet6 addr: fe80::c77:98ff:feb1:d9cf/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4084682 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:619589989 (590.8 MiB)

dummy0:2  Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
          inet addr:10.120.132.2  Bcast:10.120.133.255  Mask:255.255.254.0
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

dummy0:3  Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
          inet addr:10.120.132.3  Bcast:10.120.133.255  Mask:255.255.254.0
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

dummy0:6  Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
          inet addr:10.120.132.6  Bcast:10.120.133.255  Mask:255.255.254.0
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

dummy0:25 Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
          inet addr:10.120.132.25  Bcast:10.120.133.255  Mask:255.255.254.0
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

dummy0:100 Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
          inet addr:10.120.132.100  Bcast:10.120.133.255  Mask:255.255.254.0
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

dummy0:105 Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
          inet addr:10.120.132.105  Bcast:10.120.133.255  Mask:255.255.254.0
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 40:61:86:2b:87:3d
          inet addr:188.40.124.147  Bcast:188.40.124.191  Mask:255.255.255.192
          inet6 addr: fe80::4261:86ff:fe2b:873d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7325170 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7193856 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3181589365 (2.9 GiB)  TX bytes:2200985718 (2.0 GiB)
          Interrupt:249 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:364598805 errors:0 dropped:0 overruns:0 frame:0
          TX packets:364598805 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:40148997340 (37.3 GiB)  TX bytes:40148997340 (37.3 GiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.120.130.1  P-t-P:10.120.130.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2529740 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2520017 errors:0 dropped:13 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1254615195 (1.1 GiB)  TX bytes:1162277600 (1.0 GiB)

--> Output of my iptables-save -L

# Generated by iptables-save v1.4.2 on Sun Mar 28 13:40:13 2010
*nat
:PREROUTING ACCEPT [2812:165128]
:POSTROUTING ACCEPT [1916071:125832286]
:OUTPUT ACCEPT [1917072:125905280]
:NAT_POSTROUTING_CHAIN - [0:0]
:NAT_PREROUTING_CHAIN - [0:0]
:POST_NAT_POSTROUTING_CHAIN - [0:0]
:POST_NAT_PREROUTING_CHAIN - [0:0]
-A PREROUTING -j NAT_PREROUTING_CHAIN
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.120.132.6
-A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.120.132.6
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.120.132.105:8180
-A PREROUTING -j POST_NAT_PREROUTING_CHAIN
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -j NAT_POSTROUTING_CHAIN
-A POSTROUTING -s 10.120.132.0/23 -d ! 10.120.132.0/23 -o eth0 -j SNAT --to-source 188.40.124.147
-A POSTROUTING -s 10.120.131.0/24 -d ! 10.120.131.0/24 -o eth0 -j SNAT --to-source 188.40.124.147
-A POSTROUTING -j POST_NAT_POSTROUTING_CHAIN
COMMIT
# Completed on Sun Mar 28 13:40:13 2010
# Generated by iptables-save v1.4.2 on Sun Mar 28 13:40:13 2010
*mangle
:PREROUTING ACCEPT [4701048:499606367]
:INPUT ACCEPT [4700772:499591798]
:FORWARD ACCEPT [274:14248]
:OUTPUT ACCEPT [4700636:507688825]
:POSTROUTING ACCEPT [4763855:516434731]
-A PREROUTING -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08/0x3f
-A PREROUTING -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10/0x3f
-A PREROUTING -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10/0x3f
-A PREROUTING -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10/0x3f
-A PREROUTING -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10/0x3f
-A PREROUTING -p udp -m udp --dport 53 -j TOS --set-tos 0x10/0x3f
-A PREROUTING -p tcp -m tcp --dport 67 -j TOS --set-tos 0x10/0x3f
-A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08/0x3f
-A PREROUTING -p tcp -m tcp --dport 110 -j TOS --set-tos 0x08/0x3f
-A PREROUTING -p tcp -m tcp --dport 113 -j TOS --set-tos 0x10/0x3f
-A PREROUTING -p tcp -m tcp --dport 123 -j TOS --set-tos 0x10/0x3f
-A PREROUTING -p tcp -m tcp --dport 143 -j TOS --set-tos 0x08/0x3f
-A PREROUTING -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08/0x3f
-A PREROUTING -p tcp -m tcp --dport 993 -j TOS --set-tos 0x08/0x3f
-A PREROUTING -p tcp -m tcp --dport 995 -j TOS --set-tos 0x08/0x3f
-A PREROUTING -p tcp -m tcp --dport 1080 -j TOS --set-tos 0x10/0x3f
-A PREROUTING -p tcp -m tcp --dport 6000:6063 -j TOS --set-tos 0x08/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10/0x3f
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j TOS --set-tos 0x08/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 67 -j TOS --set-tos 0x10/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 110 -j TOS --set-tos 0x08/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 113 -j TOS --set-tos 0x10/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 123 -j TOS --set-tos 0x10/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 143 -j TOS --set-tos 0x08/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 993 -j TOS --set-tos 0x08/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 995 -j TOS --set-tos 0x08/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 1080 -j TOS --set-tos 0x10/0x3f
-A OUTPUT -o eth0 -p tcp -m tcp --dport 6000:6063 -j TOS --set-tos 0x08/0x3f

COMMIT
# Completed on Sun Mar 28 13:40:13 2010
# Generated by iptables-save v1.4.2 on Sun Mar 28 13:40:13 2010
*filter
:INPUT DROP [2:144]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [223:30945]
:BASE_FORWARD_CHAIN - [0:0]
:BASE_INPUT_CHAIN - [0:0]
:BASE_OUTPUT_CHAIN - [0:0]
:DMZ_FORWARD_IN_CHAIN - [0:0]
:DMZ_FORWARD_OUT_CHAIN - [0:0]
:DMZ_INET_FORWARD_CHAIN - [0:0]
:DMZ_INPUT_CHAIN - [0:0]
:DMZ_LAN_FORWARD_CHAIN - [0:0]
:DMZ_OUTPUT_CHAIN - [0:0]
:EXT_FORWARD_IN_CHAIN - [0:0]
:EXT_FORWARD_OUT_CHAIN - [0:0]
:EXT_ICMP_FLOOD_CHAIN - [0:0]
:EXT_INPUT_CHAIN - [0:0]
:EXT_OUTPUT_CHAIN - [0:0]
:FORWARD_CHAIN - [0:0]
:HOST_BLOCK - [0:0]
:INET_DMZ_FORWARD_CHAIN - [0:0]
:INPUT_CHAIN - [0:0]
:INT_FORWARD_IN_CHAIN - [0:0]
:INT_FORWARD_OUT_CHAIN - [0:0]
:INT_INPUT_CHAIN - [0:0]
:INT_OUTPUT_CHAIN - [0:0]
:LAN_INET_FORWARD_CHAIN - [0:0]
:OUTPUT_CHAIN - [0:0]
:POST_FORWARD_CHAIN - [0:0]
:POST_INPUT_CHAIN - [0:0]
:POST_INPUT_DROP_CHAIN - [0:0]
:POST_OUTPUT_CHAIN - [0:0]
:RESERVED_NET_CHK - [0:0]
:SPOOF_CHK - [0:0]
:VALID_CHK - [0:0]
-A INPUT -j BASE_INPUT_CHAIN
-A INPUT -j INPUT_CHAIN
-A INPUT -j HOST_BLOCK
-A INPUT -j SPOOF_CHK
-A INPUT -s 10.120.132.2/32 -p tcp -m tcp --dport 3306 -m state --state NEW -m limit --limit 12/min -j LOG --log-prefix "AIF:Hostwise TCP log (IN): " --log-level 7
-A INPUT -i eth0 -j VALID_CHK
-A INPUT -i eth0 -p ! icmp -m state --state NEW -j EXT_INPUT_CHAIN
-A INPUT -i eth0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
-A INPUT -i eth0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
-A INPUT -i dummy+ -j INT_INPUT_CHAIN
-A INPUT -i tun0 -j INT_INPUT_CHAIN
-A INPUT -i tap+ -j INT_INPUT_CHAIN
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j POST_INPUT_CHAIN
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j BASE_FORWARD_CHAIN
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j FORWARD_CHAIN
-A FORWARD -j HOST_BLOCK
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -i eth0 -j EXT_FORWARD_IN_CHAIN
-A FORWARD -o eth0 -j EXT_FORWARD_OUT_CHAIN
-A FORWARD -i dummy+ -j INT_FORWARD_IN_CHAIN
-A FORWARD -o dummy+ -j INT_FORWARD_OUT_CHAIN
-A FORWARD -i tun0 -j INT_FORWARD_IN_CHAIN
-A FORWARD -o tun0 -j INT_FORWARD_OUT_CHAIN
-A FORWARD -i tap+ -j INT_FORWARD_IN_CHAIN
-A FORWARD -o tap+ -j INT_FORWARD_OUT_CHAIN
-A FORWARD -j SPOOF_CHK
-A FORWARD -i dummy+ -o dummy+ -j ACCEPT
-A FORWARD -i dummy+ -o eth0 -j LAN_INET_FORWARD_CHAIN
-A FORWARD -i tun0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j LAN_INET_FORWARD_CHAIN
-A FORWARD -i tap+ -o tap+ -j ACCEPT
-A FORWARD -i tap+ -o eth0 -j LAN_INET_FORWARD_CHAIN
-A FORWARD -d 10.120.132.6/32 -i eth0 -o ! eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 10.120.132.6/32 -i eth0 -o ! eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A FORWARD -d 10.120.132.105/32 -i eth0 -o ! eth0 -p tcp -m tcp --dport 8543 -j ACCEPT
-A FORWARD -d 10.120.132.105/32 -i eth0 -o ! eth0 -p tcp -m tcp --dport 8180 -j ACCEPT
-A FORWARD -j POST_FORWARD_CHAIN
-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -j BASE_OUTPUT_CHAIN
-A OUTPUT -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j OUTPUT_CHAIN
-A OUTPUT -j HOST_BLOCK
-A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "AIF:Fragment packet: " --log-level 7
-A OUTPUT -f -j DROP
-A OUTPUT -o eth0 -j EXT_OUTPUT_CHAIN
-A OUTPUT -o dummy+ -j INT_OUTPUT_CHAIN
-A OUTPUT -o tun0 -j INT_OUTPUT_CHAIN
-A OUTPUT -o tap+ -j INT_OUTPUT_CHAIN
-A OUTPUT -j POST_OUTPUT_CHAIN
-A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_FORWARD_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A BASE_FORWARD_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A BASE_FORWARD_CHAIN -p icmp -m state --state RELATED -j ACCEPT
-A BASE_FORWARD_CHAIN -i lo -j ACCEPT
-A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_INPUT_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A BASE_INPUT_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A BASE_INPUT_CHAIN -p icmp -m state --state RELATED -j ACCEPT
-A BASE_INPUT_CHAIN -i lo -j ACCEPT
-A BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_OUTPUT_CHAIN -o lo -j ACCEPT
-A EXT_FORWARD_IN_CHAIN -j VALID_CHK
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 7
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 7
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 7
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 7
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " --log-level 7
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 7
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 7
-A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 7
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 7
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 22 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 25 -j ACCEPT
-A EXT_INPUT_CHAIN -p udp -m udp --dport 1194 -j ACCEPT
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 7
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable: " --log-level 7
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded: " --log-level 7
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param.-problem: " --log-level 7
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan (UNPRIV)?: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan (PRIV)?: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV connect attempt: " --log-level 7
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " --log-level 7
-A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " --log-level 7
-A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "AIF:Connect attempt: " --log-level 7
-A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN
-A EXT_OUTPUT_CHAIN -j ACCEPT
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 7
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A INT_INPUT_CHAIN -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 7
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A LAN_INET_FORWARD_CHAIN -p tcp -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -p udp -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -j ACCEPT
-A POST_INPUT_DROP_CHAIN -j DROP
-A RESERVED_NET_CHK -s 10.0.0.0/8 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class A address: " --log-level 7
-A RESERVED_NET_CHK -s 172.16.0.0/12 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class B address: " --log-level 7
-A RESERVED_NET_CHK -s 192.168.0.0/16 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class C address: " --log-level 7
-A RESERVED_NET_CHK -s 169.254.0.0/16 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class M$ address: " --log-level 7
-A RESERVED_NET_CHK -s 10.0.0.0/8 -j POST_INPUT_DROP_CHAIN
-A RESERVED_NET_CHK -s 172.16.0.0/12 -j POST_INPUT_DROP_CHAIN
-A RESERVED_NET_CHK -s 192.168.0.0/16 -j POST_INPUT_DROP_CHAIN
-A RESERVED_NET_CHK -s 169.254.0.0/16 -j POST_INPUT_DROP_CHAIN
-A SPOOF_CHK -s 10.120.132.0/23 -i dummy+ -j RETURN
-A SPOOF_CHK -s 10.120.132.0/23 -i tun0 -j RETURN
-A SPOOF_CHK -s 10.120.132.0/23 -i tap+ -j RETURN
-A SPOOF_CHK -s 10.120.132.0/23 -m limit --limit 3/min -j LOG --log-prefix "AIF:Spoofed packet: " --log-level 7
-A SPOOF_CHK -s 10.120.132.0/23 -j POST_INPUT_DROP_CHAIN
-A SPOOF_CHK -s 10.120.131.0/24 -i dummy+ -j RETURN
-A SPOOF_CHK -s 10.120.131.0/24 -i tun0 -j RETURN
-A SPOOF_CHK -s 10.120.131.0/24 -i tap+ -j RETURN
-A SPOOF_CHK -s 10.120.131.0/24 -m limit --limit 3/min -j LOG --log-prefix "AIF:Spoofed packet: " --log-level 7
-A SPOOF_CHK -s 10.120.131.0/24 -j POST_INPUT_DROP_CHAIN
-A SPOOF_CHK -j RETURN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-PSH scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-ALL scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth FIN scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/RST scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/FIN scan?: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth Null scan: " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(64): " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(128): " --log-level 7
-A VALID_CHK -p tcp -m tcp --tcp-option 64 -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-option 128 -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -m state --state INVALID -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: "
-A VALID_CHK -f -j DROP
COMMIT
# Completed on Sun Mar 28 13:40:13 2010

Many thanks for your help


---------- Forwarded message ----------
From: Romy Roma <bouroy at googlemail.com>
Date: Sat, Mar 27, 2010 at 11:14 PM
Subject: HTTPS port forwarding to vlan
To: firewall at rocky.eld.leidenuniv.nl


Hi
I am new to arno-iptables-firewall and cannot get port forwarding to work
from my internet interface eth0 to an internal VLAN, say dummy0:105.

I expected that putting something like this in the config would do the job:

NAT_FORWARD_TCP="443>10.120.xxx.105~8543 80>10.120.xxx.105~8180"
1. Forward incoming https request to IP 10.120.xxx.105 on port 8543
2. Forward incoming http request to IP 10.120.xxx.105 on port 8180

But there is no reply from the server.

In the log:
AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC=xxxx SRC=91.64.138.xx DST=10.120.xxx.105 LEN=60 TOS=0x08 PREC=0x00 TTL=54 ID=14473 DF PROTO=TCP SPT=32974 DPT=8543 WINDOW=5840 RES=0x00 SYN URGP=0


But if I turn off arno-iptables-firewall and execute the following iptables rule, it
works fine:

iptables -t nat -A PREROUTING -s ! 10.120.xxx.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.xxx.105:8543

Am I missing something in the configuration?

Any help is welcome.

Regards
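Editor's note with a worked example (added here; not part of the thread and not arno-iptables-firewall's own code). The posted log line already contains the diagnosis: `IN=eth0 OUT=` with an empty OUT is how netfilter logs a packet handed to the local stack in INPUT (a forwarded packet logs both interfaces), `DST=10.120.xxx.105 DPT=8543` shows the DNAT rule has fired, and `AIF:UNPRIV connect attempt` is an EXT_INPUT_CHAIN prefix. The ifconfig output shows 10.120.132.105 on dummy0:105, i.e. an address the firewall host itself owns, so after the routing decision the rewritten SYN goes through INPUT, never through FORWARD; the `-A FORWARD -d 10.120.132.105/32 ... --dport 8543 -j ACCEPT` rule is never consulted, and EXT_INPUT_CHAIN only accepts TCP 22 and 25. With the script stopped, INPUT falls back to the default ACCEPT policy, which is why the bare DNAT rule appears to work. The model below encodes the posted addresses and rules and traces a new SYN through nat PREROUTING, the routing decision and the filter chains. `extra_input_open` is a hypothetical knob standing in for opening the port in the external INPUT policy (the OPEN_TCP setting that produced the "Allowing ANYHOST for TCP port(s): 22" lines); the sample log line is constructed in the posted format with a TEST-NET-2 source and a made-up MAC pair, and all helper names are mine.

```python
"""Trace a new TCP SYN through the ruleset posted in the thread.

Addresses and rules are copied from the posted ifconfig and iptables-save
output. LOCAL_ADDRS matters because a DNAT'ed destination that the firewall
host itself owns is delivered via INPUT, not FORWARD. Helper names are the
editor's, not arno-iptables-firewall's.
"""

PUBLIC_ADDR = "188.40.124.147"          # eth0 address from the ifconfig output

# Every IPv4 address the firewall host owns (dummy0 aliases, eth0, tun0, lo).
LOCAL_ADDRS = frozenset({
    "10.120.132.1", "10.120.132.2", "10.120.132.3", "10.120.132.6",
    "10.120.132.25", "10.120.132.100", "10.120.132.105",
    PUBLIC_ADDR, "10.120.130.1", "127.0.0.1",
})

# nat PREROUTING on eth0: original dport -> (new dst, new dport).
DNAT_RULES = {
    25: ("10.120.132.6", 25),
    143: ("10.120.132.6", 143),
    443: ("10.120.132.105", 8543),
    80: ("10.120.132.105", 8180),
}

# EXT_INPUT_CHAIN: TCP ports accepted for NEW connections arriving on eth0.
EXT_INPUT_TCP_OPEN = frozenset({22, 25})

# FORWARD: (dst, dport) pairs accepted for "-i eth0 -o ! eth0" traffic.
FORWARD_ACCEPT = frozenset({
    ("10.120.132.6", 25), ("10.120.132.6", 143),
    ("10.120.132.105", 8543), ("10.120.132.105", 8180),
})


def parse_aif_log(line):
    """Split an 'AIF:...: IN=... OUT=...' kernel LOG line into
    (prefix, {key: value}, [flags]); bare tokens such as DF or SYN are flags."""
    prefix, sep, rest = line.partition(": IN=")
    if not sep:
        raise ValueError("not a netfilter LOG line")
    fields, flags = {}, []
    for tok in ("IN=" + rest).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            flags.append(tok)
    return prefix + ": ", fields, flags


def delivered_locally(fields):
    """LOG in INPUT prints an empty OUT=; a forwarded packet prints both."""
    return fields.get("OUT", "") == ""


def trace_syn(in_iface, dst, dport, extra_input_open=frozenset()):
    """Follow a new SYN: nat PREROUTING -> routing decision -> filter chain.

    extra_input_open is a hypothetical knob: TCP ports additionally accepted
    in the external INPUT policy (what opening them via OPEN_TCP would do)."""
    if in_iface == "eth0" and dport in DNAT_RULES:
        dst, dport = DNAT_RULES[dport]            # DNAT rewrites dst before routing
    if dst in LOCAL_ADDRS:                        # local address -> INPUT chain
        chain = "INPUT"
        if in_iface != "eth0":                    # INT_INPUT_CHAIN accepts everything
            verdict, prefix = "ACCEPT", None
        elif dport in EXT_INPUT_TCP_OPEN or dport in extra_input_open:
            verdict, prefix = "ACCEPT", None
        else:                                     # EXT_INPUT_CHAIN logs, then drops
            verdict = "DROP"
            prefix = ("AIF:PRIV connect attempt: " if dport <= 1023
                      else "AIF:UNPRIV connect attempt: ")
    else:                                         # non-local address -> FORWARD chain
        chain = "FORWARD"
        if in_iface != "eth0" or (dst, dport) in FORWARD_ACCEPT:
            verdict, prefix = "ACCEPT", None
        else:
            verdict, prefix = "DROP", "AIF:Dropped FORWARD packet: "
    return {"chain": chain, "dst": dst, "dport": dport,
            "verdict": verdict, "log_prefix": prefix}


# Constructed sample in the posted format (TEST-NET-2 source, made-up MACs,
# DST/DPT as in the thread's iptables-save output); not the poster's exact line.
SAMPLE_LOG = (
    "AIF:UNPRIV connect attempt: IN=eth0 OUT= "
    "MAC=40:61:86:2b:87:3d:00:11:22:33:44:55:08:00 SRC=198.51.100.7 "
    "DST=10.120.132.105 LEN=60 TOS=0x08 PREC=0x00 TTL=54 ID=14473 DF "
    "PROTO=TCP SPT=32974 DPT=8543 WINDOW=5840 RES=0x00 SYN URGP=0"
)


def explain(line):
    """Summarise what a LOG line proves about where the packet was decided."""
    prefix, f, flags = parse_aif_log(line)
    return {
        "prefix": prefix,
        "chain": "INPUT" if delivered_locally(f) else "FORWARD",
        "dst_owned_by_firewall": f["DST"] in LOCAL_ADDRS,
        "dport": int(f["DPT"]),
        "new_connection": "SYN" in flags,
    }


if __name__ == "__main__":
    print(explain(SAMPLE_LOG))
    print(trace_syn("eth0", PUBLIC_ADDR, 443))            # dropped in INPUT
    print(trace_syn("eth0", PUBLIC_ADDR, 443, {8543}))    # accepted once 8543 is open
```

Running it shows the HTTPS SYN ending in INPUT with the "AIF:UNPRIV connect attempt" prefix, exactly the log line in the thread, and accepted as soon as 8543 is added to the external INPUT ports. The same trace explains why the port 25 forward works (25 is already in the INPUT accept list) while 143 to 10.120.132.6, another address on dummy0, would be dropped with the PRIV prefix. The general point: a NAT_FORWARD_* rule only helps for a target behind the firewall; when the target address sits on the firewall host itself, the DNAT'ed port must be allowed in INPUT.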