[Firewall] Firewall Digest, Vol 51, Issue 19

Romy Roma bouroy at googlemail.com
Sun Mar 28 15:24:07 CEST 2010


Still not working.
The browser connects, but no response from the server.

Following is the output of the arno-iptables-firewall start

Arno's Iptables Firewall Script v1.9.2d
-------------------------------------------------------------------------------
Sanity checks passed...OK
Stopping (user) plugins...
Checking/probing IPv4 Iptables modules:
 Module check done...
Setup kernel settings:
 Setting the max. amount of simultaneous connections to 16384
 Setting default conntrack timeouts
 Enabling protection against source routed packets
 Enabling packet forwarding
 Enabling reduction of the DoS'ing ability
 Enabling anti-spoof with rp_filter
 Enabling SYN-flood protection via SYN-cookies
 Disabling the logging of martians
 Disabling the acception of ICMP-redirect messages
 Setting default TTL=64
 Disabling ECN (Explicit Congestion Notification)
 Flushing route table
 Kernel setup done...
Reinitializing firewall chains
 Setting default INPUT/FORWARD policy to DROP
Using loglevel "debug" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Setting up (antispoof) INTERNAL net(s): 10.120.132.0/23 10.120.131.0/24
Logging incoming connections of 10.120.132.2 to TCP port(s): 3306
Logging incoming connections of  to TCP port(s): 10.120.132.105
Logging outgoing connections of  to TCP port(s): 10.120.132.105
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
 Loaded 0 plugin(s)...
Setting up INPUT policy for the external net (INET):
 Logging of explicitly blocked hosts enabled
 Logging of denied local output connections enabled
 Packets will NOT be checked for private source addresses
 Allowing ANYHOST for TCP port(s): 22
 Allowing ANYHOST for TCP port(s): 25
 Allowing ANYHOST for UDP port(s): 1194
 Allowing ANYHOST to send ICMP-requests(ping)
 Logging of dropped ICMP-request(ping) packets enabled
 Logging of dropped other ICMP packets enabled
 Logging of possible stealth scans enabled
 Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
 Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
 Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
 Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
 Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
 Logging of ICMP flooding enabled
Setting up OUTPUT policy for the external net (INET):
 Allowing all (other) ports/protocols
Applying INET policy to external interface: eth0 (without an external subnet specified)
Setting up INPUT policy for internal (LAN) interface(s): dummy+ tun0 tap+
 Allowing ICMP-requests(ping)
 Allowing all (other) ports/protocols
Accepting ALL INPUT traffic from trusted interface(s): tun+ dummy0
Accepting ALL FORWARD traffic for trusted interface(s): tun+ dummy0
Setting up FORWARD policy for internal (LAN) interface(s): dummy+ tun0 tap+
 Logging of denied LAN->INET FORWARD connections enabled
 Setting up LAN->INET policy:
  Allowing ICMP-requests(ping)
  Allowing all (other) TCP ports
  Allowing all (other) UDP ports
  Allowing all (other) protocols
Enabling SNAT via external interface(s): eth0
 Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
(eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
(eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543
Security is ENFORCED for external interface(s) in the FORWARD chain

Mar 28 15:20:55 All firewall rules applied.



Appreciate your help.

Regards,
Romain

On Sun, Mar 28, 2010 at 2:24 PM, Randy <thejunk.b at gmail.com> wrote:

> On Sunday 28 March 2010, firewall-request at rocky.eld.leidenuniv.nl wrote:
> > NAT_FORWARD_TCP="443>10.120.xxx.105~8543 80>10.120.xxx.105~8180"
> >
>
> try
>
> NAT_FORWARD_TCP="xxx.xxx.xxx.xxx~443>10.120.xxx.105~8543
> xxx.xxx.xxx.xxx~80>10.120.xxx.105~8180"
>
> where xxx.xxx.xxx.xxx is the external ip
> --
> If it ain't broke tweek it
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
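Added example, not part of this thread or of the arno-iptables-firewall project: a small parser for the NAT_FORWARD_TCP syntax Randy describes ([ext_ip~]port[,port...]>int_ip[~int_port]) that emits the equivalent iptables DNAT and FORWARD rules, so the effect of leaving out the external IP (the DNAT then matches any destination address arriving on the interface) can be seen rule by rule. The interface name eth0 and the exact rule shape are assumptions; the addresses are the ones that appear in the start-up output above.

```python
import re
from typing import List, Optional

# Grammar of one NAT_FORWARD_TCP entry as used on the list:
#   [ext_ip~]ext_port[,ext_port...]>int_ip[~int_port]
# If int_port is omitted the internal port equals the external one.
ENTRY_RE = re.compile(
    r'^(?:(?P<ext_ip>[\d.]+)~)?(?P<ext_ports>[\d,]+)>'
    r'(?P<int_ip>[\d.]+)(?:~(?P<int_port>\d+))?$'
)


def parse_nat_forward_tcp(value: str) -> List[dict]:
    """Expand a NAT_FORWARD_TCP string into one dict per forwarded port."""
    rules = []
    for entry in value.split():
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"bad NAT_FORWARD_TCP entry: {entry!r}")
        for port in m.group('ext_ports').split(','):
            rules.append({
                'ext_ip': m.group('ext_ip'),          # None when not given
                'ext_port': int(port),
                'int_ip': m.group('int_ip'),
                'int_port': int(m.group('int_port') or port),
            })
    return rules


def to_iptables(rules: List[dict], ext_if: str = 'eth0') -> List[str]:
    """Equivalent DNAT + FORWARD rules (assumed shape, not the script's own)."""
    cmds = []
    for r in rules:
        # Without an external IP the DNAT has no '-d' and matches every
        # destination address that arrives on ext_if.
        dst = f" -d {r['ext_ip']}" if r['ext_ip'] else ""
        cmds.append(f"iptables -t nat -A PREROUTING -i {ext_if}{dst} -p tcp "
                    f"--dport {r['ext_port']} -j DNAT "
                    f"--to-destination {r['int_ip']}:{r['int_port']}")
        cmds.append(f"iptables -A FORWARD -i {ext_if} -d {r['int_ip']} -p tcp "
                    f"--dport {r['int_port']} -m conntrack --ctstate NEW -j ACCEPT")
    return cmds


if __name__ == '__main__':
    # The two variants from the thread, with the addresses seen in the output.
    for cfg in ("443>10.120.132.105~8543 80>10.120.132.105~8180",
                "188.40.124.147~443>10.120.132.105~8543 188.40.124.147~80>10.120.132.105~8180"):
        print(f"# NAT_FORWARD_TCP=\"{cfg}\"")
        print("\n".join(to_iptables(parse_nat_forward_tcp(cfg))))
```

After a restart, `iptables -t nat -L PREROUTING -n -v` shows the packet counters per DNAT rule, which tells you whether the browser's connection is hitting the rule at all or is being dropped before or after translation.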