[Firewall] Firewall Digest, Vol 51, Issue 19

Romy Roma bouroy at googlemail.com
Sun Mar 28 18:49:37 CEST 2010


Can someone help please?


On Sun, Mar 28, 2010 at 3:24 PM, Romy Roma <bouroy at googlemail.com> wrote:

> Still not working.
> The browser connects, but no response from the server.
>
> Following is the output of the arno-iptables-firewall start
>
> Arno's Iptables Firewall Script v1.9.2d
>
> -------------------------------------------------------------------------------
> Sanity checks passed...OK
> Stopping (user) plugins...
> Checking/probing IPv4 Iptables modules:
>  Module check done...
> Setup kernel settings:
>  Setting the max. amount of simultaneous connections to 16384
>  Setting default conntrack timeouts
>  Enabling protection against source routed packets
>  Enabling packet forwarding
>  Enabling reduction of the DoS'ing ability
>  Enabling anti-spoof with rp_filter
>  Enabling SYN-flood protection via SYN-cookies
>  Disabling the logging of martians
>  Disabling the acception of ICMP-redirect messages
>  Setting default TTL=64
>  Disabling ECN (Explicit Congestion Notification)
>  Flushing route table
>  Kernel setup done...
> Reinitializing firewall chains
>  Setting default INPUT/FORWARD policy to DROP
> Using loglevel "debug" for syslogd
>
> Setting up firewall rules:
>
> -------------------------------------------------------------------------------
> Enabling setting the maximum packet size via MSS
> Enabling mangling TOS
> Logging of stealth scans (nmap probes etc.) enabled
> Logging of packets with bad TCP-flags enabled
> Logging of INVALID TCP packets disabled
> Logging of INVALID UDP packets disabled
> Logging of INVALID ICMP packets disabled
> Logging of fragmented packets enabled
> Logging of access from reserved addresses enabled
> Setting up (antispoof) INTERNAL net(s): 10.120.132.0/23 10.120.131.0/24
> Logging incoming connections of 10.120.132.2 to TCP port(s): 3306
> Logging incoming connections of  to TCP port(s): 10.120.132.105
> Logging outgoing connections of  to TCP port(s): 10.120.132.105
> Reading custom rules from /etc/arno-iptables-firewall/custom-rules
> Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
>  Loaded 0 plugin(s)...
> Setting up INPUT policy for the external net (INET):
>  Logging of explicitly blocked hosts enabled
>  Logging of denied local output connections enabled
>  Packets will NOT be checked for private source addresses
>  Allowing ANYHOST for TCP port(s): 22
>  Allowing ANYHOST for TCP port(s): 25
>  Allowing ANYHOST for UDP port(s): 1194
>  Allowing ANYHOST to send ICMP-requests(ping)
>  Logging of dropped ICMP-request(ping) packets enabled
>  Logging of dropped other ICMP packets enabled
>  Logging of possible stealth scans enabled
>  Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
>  Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
>  Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
>  Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
>  Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts
> enabled
>  Logging of ICMP flooding enabled
> Setting up OUTPUT policy for the external net (INET):
>  Allowing all (other) ports/protocols
> Applying INET policy to external interface: eth0 (without an external
> subnet specified)
> Setting up INPUT policy for internal (LAN) interface(s): dummy+ tun0 tap+
>  Allowing ICMP-requests(ping)
>  Allowing all (other) ports/protocols
> Accepting ALL INPUT traffic from trusted interface(s): tun+ dummy0
> Accepting ALL FORWARD traffic for trusted interface(s): tun+ dummy0
> Setting up FORWARD policy for internal (LAN) interface(s): dummy+ tun0 tap+
>  Logging of denied LAN->INET FORWARD connections enabled
>  Setting up LAN->INET policy:
>   Allowing ICMP-requests(ping)
>   Allowing all (other) TCP ports
>   Allowing all (other) UDP ports
>   Allowing all (other) protocols
> Enabling SNAT via external interface(s): eth0
>  Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
> (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
> (eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to
> 10.120.132.105:8543
> Security is ENFORCED for external interface(s) in the FORWARD chain
>
> Mar 28 15:20:55 All firewall rules applied.
>
>
>
> Appreciate your help.
>
> Regards,
> Romain
>
>
> On Sun, Mar 28, 2010 at 2:24 PM, Randy <thejunk.b at gmail.com> wrote:
>
>> On Sunday 28 March 2010, firewall-request at rocky.eld.leidenuniv.nl wrote:
>> > NAT_FORWARD_TCP="443>10.120.xxx.105~8543 80>10.120.xxx.105~8180"
>> >
>>
>> try
>>
>> NAT_FORWARD_TCP="xxx.xxx.xxx.xxx~443>10.120.xxx.105~8543
>> xxx.xxx.xxx.xxx~80>10.120.xxx.105~8180"
>>
>> where xxx.xxx.xxx.xxx is the external ip
>> --
>> If it ain't broke tweek it
>> _______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>>
>
>
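As an added example (not code from this thread or from arno-iptables-firewall itself), the helper below parses NAT_FORWARD_TCP entries in the two forms quoted above (`port>int_ip~int_port` and Randy's `ext_ip~port>int_ip~int_port`), plus the comma-separated port-list form that the `0/0:25,143` start-up line implies, rejects unedited `xxx.xxx.xxx.xxx` placeholders, prints each rule the way the start-up log does, and renders the equivalent plain iptables DNAT and FORWARD rules so they can be compared against `iptables -t nat -L -n` on the box. The grammar, all function names and the iptables rendering are my assumptions; the addresses used in the sample are the ones visible in the quoted log.

```python
"""Parse arno-iptables-firewall style NAT_FORWARD_TCP entries and render the
equivalent iptables rules for review.  Added example: the grammar below is a
reading of the forms quoted in this thread and of the "Forwarding(NAT)" log
lines, not the project's documented syntax."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatForward:
    ext_ip: Optional[str]    # None: any destination address ("0/0" in the log)
    ports: List[int]         # external TCP port(s) being forwarded
    int_ip: str              # internal host that receives the traffic
    int_port: Optional[int]  # None: keep the external port unchanged


def _port(text: str) -> int:
    value = int(text)
    if not 1 <= value <= 65535:
        raise ValueError(f"port out of range: {text}")
    return value


def parse_nat_forward_tcp(spec: str) -> List[NatForward]:
    """Entries are whitespace separated: [ext_ip~]port[,port...]>int_ip[~int_port].
    Placeholder addresses such as xxx.xxx.xxx.xxx fail address validation, so
    an unedited config line is caught here rather than at firewall start."""
    rules = []
    for entry in spec.split():
        if ">" not in entry:
            raise ValueError(f"missing '>' in entry: {entry}")
        left, right = entry.split(">", 1)
        ext_ip = None
        if "~" in left:
            ext_ip, left = left.split("~", 1)
            ipaddress.ip_address(ext_ip)          # ValueError on a non-address
        ports = [_port(p) for p in left.split(",") if p]
        if not ports:
            raise ValueError(f"no port in entry: {entry}")
        int_ip, _, int_port = right.partition("~")
        ipaddress.ip_address(int_ip)
        rules.append(NatForward(ext_ip, ports, int_ip,
                                _port(int_port) if int_port else None))
    return rules


def describe(rule: NatForward) -> str:
    """Mirror the 'Forwarding(NAT)' line the firewall prints at start-up."""
    src = rule.ext_ip if rule.ext_ip else "0/0"
    ports = ",".join(str(p) for p in rule.ports)
    dst = rule.int_ip + (f":{rule.int_port}" if rule.int_port is not None else "")
    return f"Forwarding(NAT) TCP port(s) {src}:{ports} to {dst}"


def iptables_commands(rule: NatForward, ext_iface: str = "eth0") -> List[str]:
    """Plain iptables equivalent (assumed rendering): a DNAT in nat/PREROUTING
    plus the FORWARD accept the redirected packet needs when the default
    INPUT/FORWARD policy is DROP, as in the quoted log."""
    cmds = []
    for port in rule.ports:
        target = rule.int_port if rule.int_port is not None else port
        match_dst = f" -d {rule.ext_ip}" if rule.ext_ip else ""
        cmds.append(f"iptables -t nat -A PREROUTING -i {ext_iface}{match_dst} "
                    f"-p tcp --dport {port} -j DNAT --to-destination {rule.int_ip}:{target}")
        cmds.append(f"iptables -A FORWARD -i {ext_iface} -p tcp -d {rule.int_ip} "
                    f"--dport {target} -j ACCEPT")
    return cmds


def without_external_ip(rules: List[NatForward]) -> List[NatForward]:
    """Entries that omit the external address.  Randy's reply suggests pinning
    each forward to the external IP; this lists the entries that do not."""
    return [r for r in rules if r.ext_ip is None]


if __name__ == "__main__":
    # Constructed sample: the two quoted forms with the external address that
    # the start-up log shows in place of xxx.xxx.xxx.xxx, plus the 25,143 forward.
    sample = ("188.40.124.147~443>10.120.132.105~8543 "
              "80>10.120.132.105~8180 25,143>10.120.132.6")
    parsed = parse_nat_forward_tcp(sample)
    for r in parsed:
        print(describe(r))
        for c in iptables_commands(r):
            print("   ", c)
    print("entries without an external IP:",
          [describe(r) for r in without_external_ip(parsed)])
```

Running it prints one `Forwarding(NAT)` line per entry, in the same shape as the start-up log, followed by the iptables rules that entry expands to; the `without_external_ip` list is the set of entries Randy's suggestion would change.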