[Firewall] Firewall Digest, Vol 51, Issue 18

Romy Roma bouroy at googlemail.com
Mon Mar 29 08:41:11 CEST 2010


I put this in my custom-rules:

OPEN_TCP="25 143 443"
NAT_FORWARD_TCP="25,143>10.120.132.6 443>10.120.132.105~8543"

But it didn't help.

Please help.


On Sun, Mar 28, 2010 at 1:58 PM, Randy <thejunk.b at gmail.com> wrote:

> On Sunday 28 March 2010, firewall-request at rocky.eld.leidenuniv.nl wrote:
> >
> > Today's Topics:
> >
> >    1. Can't get the HTTPS port forwarding (Romy Roma)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Sun, 28 Mar 2010 13:42:18 +0200
> > From: Romy Roma <bouroy at googlemail.com>
> > Subject: [Firewall] Can't get the HTTPS port forwarding
> > To: firewall at rocky.eld.leidenuniv.nl
> > Message-ID:
> >       <m2tee66d0af1003280442sef41bab8q2241931459335630 at mail.gmail.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > More information for my network settings:
> >
> > dummy0    Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
> >           inet addr:10.120.132.1  Bcast:10.120.133.255  Mask:255.255.254.0
> >           inet6 addr: fe80::c77:98ff:feb1:d9cf/64 Scope:Link
> >           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
> >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:4084682 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:0
> >           RX bytes:0 (0.0 B)  TX bytes:619589989 (590.8 MiB)
> >
> > dummy0:2  Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
> >           inet addr:10.120.132.2  Bcast:10.120.133.255  Mask:255.255.254.0
> >           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
> >
> > dummy0:3  Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
> >           inet addr:10.120.132.3  Bcast:10.120.133.255  Mask:255.255.254.0
> >           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
> >
> > dummy0:6  Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
> >           inet addr:10.120.132.6  Bcast:10.120.133.255  Mask:255.255.254.0
> >           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
> >
> > dummy0:25 Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
> >           inet addr:10.120.132.25  Bcast:10.120.133.255  Mask:255.255.254.0
> >           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
> >
> > dummy0:100 Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
> >           inet addr:10.120.132.100  Bcast:10.120.133.255  Mask:255.255.254.0
> >           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
> >
> > dummy0:105 Link encap:Ethernet  HWaddr 0e:77:98:b1:d9:cf
> >           inet addr:10.120.132.105  Bcast:10.120.133.255  Mask:255.255.254.0
> >           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
> >
> > eth0      Link encap:Ethernet  HWaddr 40:61:86:2b:87:3d
> >           inet addr:188.40.124.147  Bcast:188.40.124.191
> > Mask:255.255.255.192
> >           inet6 addr: fe80::4261:86ff:fe2b:873d/64 Scope:Link
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:7325170 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:7193856 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:3181589365 (2.9 GiB)  TX bytes:2200985718 (2.0 GiB)
> >           Interrupt:249 Base address:0xe000
> >
> > lo        Link encap:Local Loopback
> >           inet addr:127.0.0.1  Mask:255.0.0.0
> >           inet6 addr: ::1/128 Scope:Host
> >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >           RX packets:364598805 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:364598805 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:0
> >           RX bytes:40148997340 (37.3 GiB)  TX bytes:40148997340 (37.3 GiB)
> >
> > tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> >           inet addr:10.120.130.1  P-t-P:10.120.130.2  Mask:255.255.255.255
> >           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
> >           RX packets:2529740 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:2520017 errors:0 dropped:13 overruns:0 carrier:0
> >           collisions:0 txqueuelen:100
> >           RX bytes:1254615195 (1.1 GiB)  TX bytes:1162277600 (1.0 GiB)
> >
> > --> Output of my iptables-save -L
> >
> > # Generated by iptables-save v1.4.2 on Sun Mar 28 13:40:13 2010
> > *nat
> >
> > :PREROUTING ACCEPT [2812:165128]
> > :POSTROUTING ACCEPT [1916071:125832286]
> > :OUTPUT ACCEPT [1917072:125905280]
> > :NAT_POSTROUTING_CHAIN - [0:0]
> > :NAT_PREROUTING_CHAIN - [0:0]
> > :POST_NAT_POSTROUTING_CHAIN - [0:0]
> > :POST_NAT_PREROUTING_CHAIN - [0:0]
> >
> > -A PREROUTING -j NAT_PREROUTING_CHAIN
> > -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.120.132.6
> > -A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.120.132.6
> > -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
> > -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.120.132.105:8180
> > -A PREROUTING -j POST_NAT_PREROUTING_CHAIN
> > -A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> > -A POSTROUTING -j NAT_POSTROUTING_CHAIN
> > -A POSTROUTING -s 10.120.132.0/23 -d ! 10.120.132.0/23 -o eth0 -j SNAT --to-source 188.40.124.147
> > -A POSTROUTING -s 10.120.131.0/24 -d ! 10.120.131.0/24 -o eth0 -j SNAT --to-source 188.40.124.147
> > -A POSTROUTING -j POST_NAT_POSTROUTING_CHAIN
> > COMMIT
> > # Completed on Sun Mar 28 13:40:13 2010
> > # Generated by iptables-save v1.4.2 on Sun Mar 28 13:40:13 2010
> > *mangle
> >
> > :PREROUTING ACCEPT [4701048:499606367]
> > :INPUT ACCEPT [4700772:499591798]
> > :FORWARD ACCEPT [274:14248]
> > :OUTPUT ACCEPT [4700636:507688825]
> > :POSTROUTING ACCEPT [4763855:516434731]
> >
> > -A PREROUTING -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10/0x3f
> > -A PREROUTING -p udp -m udp --dport 53 -j TOS --set-tos 0x10/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 67 -j TOS --set-tos 0x10/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 110 -j TOS --set-tos 0x08/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 113 -j TOS --set-tos 0x10/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 123 -j TOS --set-tos 0x10/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 143 -j TOS --set-tos 0x08/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 993 -j TOS --set-tos 0x08/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 995 -j TOS --set-tos 0x08/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 1080 -j TOS --set-tos 0x10/0x3f
> > -A PREROUTING -p tcp -m tcp --dport 6000:6063 -j TOS --set-tos 0x08/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10/0x3f
> > -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j TOS --set-tos 0x08/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 67 -j TOS --set-tos 0x10/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 110 -j TOS --set-tos 0x08/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 113 -j TOS --set-tos 0x10/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 123 -j TOS --set-tos 0x10/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 143 -j TOS --set-tos 0x08/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 993 -j TOS --set-tos 0x08/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 995 -j TOS --set-tos 0x08/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 1080 -j TOS --set-tos 0x10/0x3f
> > -A OUTPUT -o eth0 -p tcp -m tcp --dport 6000:6063 -j TOS --set-tos 0x08/0x3f
> >
> > COMMIT
> > # Completed on Sun Mar 28 13:40:13 2010
> > # Generated by iptables-save v1.4.2 on Sun Mar 28 13:40:13 2010
> > *filter
> >
> > :INPUT DROP [2:144]
> > :FORWARD DROP [0:0]
> > :OUTPUT ACCEPT [223:30945]
> > :BASE_FORWARD_CHAIN - [0:0]
> > :BASE_INPUT_CHAIN - [0:0]
> > :BASE_OUTPUT_CHAIN - [0:0]
> > :DMZ_FORWARD_IN_CHAIN - [0:0]
> > :DMZ_FORWARD_OUT_CHAIN - [0:0]
> > :DMZ_INET_FORWARD_CHAIN - [0:0]
> > :DMZ_INPUT_CHAIN - [0:0]
> > :DMZ_LAN_FORWARD_CHAIN - [0:0]
> > :DMZ_OUTPUT_CHAIN - [0:0]
> > :EXT_FORWARD_IN_CHAIN - [0:0]
> > :EXT_FORWARD_OUT_CHAIN - [0:0]
> > :EXT_ICMP_FLOOD_CHAIN - [0:0]
> > :EXT_INPUT_CHAIN - [0:0]
> > :EXT_OUTPUT_CHAIN - [0:0]
> > :FORWARD_CHAIN - [0:0]
> > :HOST_BLOCK - [0:0]
> > :INET_DMZ_FORWARD_CHAIN - [0:0]
> > :INPUT_CHAIN - [0:0]
> > :INT_FORWARD_IN_CHAIN - [0:0]
> > :INT_FORWARD_OUT_CHAIN - [0:0]
> > :INT_INPUT_CHAIN - [0:0]
> > :INT_OUTPUT_CHAIN - [0:0]
> > :LAN_INET_FORWARD_CHAIN - [0:0]
> > :OUTPUT_CHAIN - [0:0]
> > :POST_FORWARD_CHAIN - [0:0]
> > :POST_INPUT_CHAIN - [0:0]
> > :POST_INPUT_DROP_CHAIN - [0:0]
> > :POST_OUTPUT_CHAIN - [0:0]
> > :RESERVED_NET_CHK - [0:0]
> > :SPOOF_CHK - [0:0]
> > :VALID_CHK - [0:0]
> >
> > -A INPUT -j BASE_INPUT_CHAIN
> > -A INPUT -j INPUT_CHAIN
> > -A INPUT -j HOST_BLOCK
> > -A INPUT -j SPOOF_CHK
> > -A INPUT -s 10.120.132.2/32 -p tcp -m tcp --dport 3306 -m state --state NEW -m limit --limit 12/min -j LOG --log-prefix "AIF:Hostwise TCP log (IN): " --log-level 7
> > -A INPUT -i eth0 -j VALID_CHK
> > -A INPUT -i eth0 -p ! icmp -m state --state NEW -j EXT_INPUT_CHAIN
> > -A INPUT -i eth0 -p icmp -m state --state NEW -m limit --limit 60/sec
> > --limit-burst 100 -j EXT_INPUT_CHAIN
> > -A INPUT -i eth0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
> > -A INPUT -i dummy+ -j INT_INPUT_CHAIN
> > -A INPUT -i tun0 -j INT_INPUT_CHAIN
> > -A INPUT -i tap+ -j INT_INPUT_CHAIN
> > -A INPUT -i tun+ -j ACCEPT
> > -A INPUT -j POST_INPUT_CHAIN
> > -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 7
> > -A INPUT -j DROP
> > -A FORWARD -j BASE_FORWARD_CHAIN
> > -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> > -A FORWARD -j FORWARD_CHAIN
> > -A FORWARD -j HOST_BLOCK
> > -A FORWARD -i tun+ -j ACCEPT
> > -A FORWARD -o tun+ -j ACCEPT
> > -A FORWARD -i eth0 -j EXT_FORWARD_IN_CHAIN
> > -A FORWARD -o eth0 -j EXT_FORWARD_OUT_CHAIN
> > -A FORWARD -i dummy+ -j INT_FORWARD_IN_CHAIN
> > -A FORWARD -o dummy+ -j INT_FORWARD_OUT_CHAIN
> > -A FORWARD -i tun0 -j INT_FORWARD_IN_CHAIN
> > -A FORWARD -o tun0 -j INT_FORWARD_OUT_CHAIN
> > -A FORWARD -i tap+ -j INT_FORWARD_IN_CHAIN
> > -A FORWARD -o tap+ -j INT_FORWARD_OUT_CHAIN
> > -A FORWARD -j SPOOF_CHK
> > -A FORWARD -i dummy+ -o dummy+ -j ACCEPT
> > -A FORWARD -i dummy+ -o eth0 -j LAN_INET_FORWARD_CHAIN
> > -A FORWARD -i tun0 -o tun0 -j ACCEPT
> > -A FORWARD -i tun0 -o eth0 -j LAN_INET_FORWARD_CHAIN
> > -A FORWARD -i tap+ -o tap+ -j ACCEPT
> > -A FORWARD -i tap+ -o eth0 -j LAN_INET_FORWARD_CHAIN
> > -A FORWARD -d 10.120.132.6/32 -i eth0 -o ! eth0 -p tcp -m tcp --dport 25 -j ACCEPT
> > -A FORWARD -d 10.120.132.6/32 -i eth0 -o ! eth0 -p tcp -m tcp --dport 143 -j ACCEPT
> > -A FORWARD -d 10.120.132.105/32 -i eth0 -o ! eth0 -p tcp -m tcp --dport 8543 -j ACCEPT
> > -A FORWARD -d 10.120.132.105/32 -i eth0 -o ! eth0 -p tcp -m tcp --dport 8180 -j ACCEPT
> > -A FORWARD -j POST_FORWARD_CHAIN
> > -A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 7
> > -A FORWARD -j DROP
> > -A OUTPUT -j BASE_OUTPUT_CHAIN
> > -A OUTPUT -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> > -A OUTPUT -j OUTPUT_CHAIN
> > -A OUTPUT -j HOST_BLOCK
> > -A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "AIF:Fragment packet: " --log-level 7
> > -A OUTPUT -f -j DROP
> > -A OUTPUT -o eth0 -j EXT_OUTPUT_CHAIN
> > -A OUTPUT -o dummy+ -j INT_OUTPUT_CHAIN
> > -A OUTPUT -o tun0 -j INT_OUTPUT_CHAIN
> > -A OUTPUT -o tap+ -j INT_OUTPUT_CHAIN
> > -A OUTPUT -j POST_OUTPUT_CHAIN
> > -A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT
> > -A BASE_FORWARD_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
> > -A BASE_FORWARD_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
> > -A BASE_FORWARD_CHAIN -p icmp -m state --state RELATED -j ACCEPT
> > -A BASE_FORWARD_CHAIN -i lo -j ACCEPT
> > -A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
> > -A BASE_INPUT_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
> > -A BASE_INPUT_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
> > -A BASE_INPUT_CHAIN -p icmp -m state --state RELATED -j ACCEPT
> > -A BASE_INPUT_CHAIN -i lo -j ACCEPT
> > -A BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
> > -A BASE_OUTPUT_CHAIN -o lo -j ACCEPT
> > -A EXT_FORWARD_IN_CHAIN -j VALID_CHK
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 7
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 7
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 7
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 7
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " --log-level 7
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 7
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 7
> > -A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 7
> > -A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 7
> > -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 7
> > -A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 7
> > -A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 22 -j ACCEPT
> > -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 25 -j ACCEPT
> > -A EXT_INPUT_CHAIN -p udp -m udp --dport 1194 -j ACCEPT
> > -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
> > -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 7
> > -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable: " --log-level 7
> > -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded: " --log-level 7
> > -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param.-problem: " --log-level 7
> > -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan (UNPRIV)?: " --log-level 7
> > -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan (PRIV)?: " --log-level 7
> > -A EXT_INPUT_CHAIN -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV connect attempt: " --log-level 7
> > -A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " --log-level 7
> > -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " --log-level 7
> > -A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " --log-level 7
> > -A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
> > -A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "AIF:Connect attempt: " --log-level 7
> > -A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN
> > -A EXT_OUTPUT_CHAIN -j ACCEPT
> > -A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
> > -A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 7
> > -A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
> > -A INT_INPUT_CHAIN -j ACCEPT
> > -A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
> > -A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 7
> > -A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
> > -A LAN_INET_FORWARD_CHAIN -p tcp -j ACCEPT
> > -A LAN_INET_FORWARD_CHAIN -p udp -j ACCEPT
> > -A LAN_INET_FORWARD_CHAIN -j ACCEPT
> > -A POST_INPUT_DROP_CHAIN -j DROP
> > -A RESERVED_NET_CHK -s 10.0.0.0/8 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class A address: " --log-level 7
> > -A RESERVED_NET_CHK -s 172.16.0.0/12 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class B address: " --log-level 7
> > -A RESERVED_NET_CHK -s 192.168.0.0/16 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class C address: " --log-level 7
> > -A RESERVED_NET_CHK -s 169.254.0.0/16 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class M$ address: " --log-level 7
> > -A RESERVED_NET_CHK -s 10.0.0.0/8 -j POST_INPUT_DROP_CHAIN
> > -A RESERVED_NET_CHK -s 172.16.0.0/12 -j POST_INPUT_DROP_CHAIN
> > -A RESERVED_NET_CHK -s 192.168.0.0/16 -j POST_INPUT_DROP_CHAIN
> > -A RESERVED_NET_CHK -s 169.254.0.0/16 -j POST_INPUT_DROP_CHAIN
> > -A SPOOF_CHK -s 10.120.132.0/23 -i dummy+ -j RETURN
> > -A SPOOF_CHK -s 10.120.132.0/23 -i tun0 -j RETURN
> > -A SPOOF_CHK -s 10.120.132.0/23 -i tap+ -j RETURN
> > -A SPOOF_CHK -s 10.120.132.0/23 -m limit --limit 3/min -j LOG --log-prefix "AIF:Spoofed packet: " --log-level 7
> > -A SPOOF_CHK -s 10.120.132.0/23 -j POST_INPUT_DROP_CHAIN
> > -A SPOOF_CHK -s 10.120.131.0/24 -i dummy+ -j RETURN
> > -A SPOOF_CHK -s 10.120.131.0/24 -i tun0 -j RETURN
> > -A SPOOF_CHK -s 10.120.131.0/24 -i tap+ -j RETURN
> > -A SPOOF_CHK -s 10.120.131.0/24 -m limit --limit 3/min -j LOG --log-prefix "AIF:Spoofed packet: " --log-level 7
> > -A SPOOF_CHK -s 10.120.131.0/24 -j POST_INPUT_DROP_CHAIN
> > -A SPOOF_CHK -j RETURN
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS scan: " --log-level 7
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-PSH scan: " --log-level 7
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-ALL scan: " --log-level 7
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth FIN scan: " --log-level 7
> > -A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/RST scan: " --log-level 7
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/FIN scan?: " --log-level 7
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth Null scan: " --log-level 7
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j POST_INPUT_DROP_CHAIN
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j POST_INPUT_DROP_CHAIN
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j POST_INPUT_DROP_CHAIN
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j POST_INPUT_DROP_CHAIN
> > -A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j POST_INPUT_DROP_CHAIN
> > -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j POST_INPUT_DROP_CHAIN
> > -A VALID_CHK -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(64): " --log-level 7
> > -A VALID_CHK -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(128): " --log-level 7
> > -A VALID_CHK -p tcp -m tcp --tcp-option 64 -j POST_INPUT_DROP_CHAIN
> > -A VALID_CHK -p tcp -m tcp --tcp-option 128 -j POST_INPUT_DROP_CHAIN
> > -A VALID_CHK -m state --state INVALID -j POST_INPUT_DROP_CHAIN
> > -A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: "
> > -A VALID_CHK -f -j DROP
> > COMMIT
> > # Completed on Sun Mar 28 13:40:13 2010
> >
> > Many thanks for your help
> >
> >
> > ---------- Forwarded message ----------
> > From: Romy Roma <bouroy at googlemail.com>
> > Date: Sat, Mar 27, 2010 at 11:14 PM
> > Subject: HTTPS port forwarding to vlan
> > To: firewall at rocky.eld.leidenuniv.nl
> >
> >
> > Hi
> > I am new to Arno's iptables firewall and cannot get port forwarding to
> > work from my internet interface eth0 to an internal VLAN (dummy0:105).
> >
> > I expected that putting something like this in the config would do the job:
> >
> > NAT_FORWARD_TCP="443>10.120.xxx.105~8543 80>10.120.xxx.105~8180"
> > 1. Forward incoming https request to IP 10.120.xxx.105 on port 8543
> > 2. Forward incoming http request to IP 10.120.xxx.105 on port 8180
> >
> > But there is no reply from the server.
> >
> > In the log:
> > AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC=xxxx SRC=91.64.138.xx DST=10.120.xxx.105 LEN=60 TOS=0x08 PREC=0x00 TTL=54 ID=14473 DF PROTO=TCP SPT=32974 DPT=8543 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> >
> > But if I turn off Arno's iptables firewall and execute the following iptables rule, it works fine:
> >
> > iptables -t nat -A PREROUTING -s ! 10.120.xxx.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.xxx.105:8543
> >
> > Am I missing something in the configuration?
> >
> > Please any help is welcome
> >
> > Regards
>
> Look for this in your config file, put in the options you want, then restart the firewall:
>
> NAT_FORWARD_TCP=""
> NAT_FORWARD_UDP=""
> NAT_FORWARD_IP=""
>
> --
> If it ain't broke tweek it
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
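The log line quoted in the original post has IN=eth0 with an empty OUT=, and its prefix ("AIF:UNPRIV connect attempt") appears only in the EXT_INPUT_CHAIN rules of the dump, so that packet was being judged in INPUT rather than FORWARD; the DST it shows, 10.120.xxx.105, matches the address the ifconfig output lists on dummy0:105 of the firewall host itself. The Python below is an added example, not code from this thread or from Arno's firewall, that walks a connection through that path: nat PREROUTING DNAT, then the routing decision (a packet for one of the host's own addresses goes to INPUT, which sees the rewritten destination port), then the accept rules visible in the posted filter table. The NAT_FORWARD_TCP grammar "port[,port]>ip[~port]" is inferred from the posted config line and the DNAT rules generated for it; the local-address set, the INPUT-accepted ports and the FORWARD accept tuples are copied from the dump; the sample log line is constructed (SRC is a documentation address).

```python
"""Trace a DNAT'd TCP connection through nat and filter the way netfilter does.

Added example; not from the thread or from Arno's firewall. Assumptions:
  * NAT_FORWARD_TCP grammar "port[,port]>ip[~port]" inferred from the post.
  * SAMPLE_LOG is constructed; DST/DPT copy the values shown in the thread.
"""
import re
from ipaddress import ip_address

# Config line from the thread.
NAT_FORWARD_TCP = "25,143>10.120.132.6 443>10.120.132.105~8543 80>10.120.132.105~8180"
# Addresses the posted ifconfig lists on the firewall's own interfaces.
LOCAL_ADDRESSES = {
    "10.120.132.1", "10.120.132.2", "10.120.132.3", "10.120.132.6",
    "10.120.132.25", "10.120.132.100", "10.120.132.105",
    "188.40.124.147", "10.120.130.1", "127.0.0.1",
}
# TCP ports EXT_INPUT_CHAIN accepts from eth0 in the posted filter table.
EXT_INPUT_OPEN_TCP = {22, 25}
# (-d, --dport) pairs the posted FORWARD chain accepts from eth0.
FORWARD_ACCEPT = {("10.120.132.6", 25), ("10.120.132.6", 143),
                  ("10.120.132.105", 8543), ("10.120.132.105", 8180)}
# Constructed sample LOG line; SRC is RFC 5737 documentation space.
SAMPLE_LOG = ("AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC=00:00:00:00:00:00 "
              "SRC=198.51.100.7 DST=10.120.132.105 LEN=60 TOS=0x08 PREC=0x00 "
              "TTL=54 ID=14473 DF PROTO=TCP SPT=32974 DPT=8543 WINDOW=5840 "
              "RES=0x00 SYN URGP=0")

_FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_nat_forward(spec):
    """Map each external port to (target_ip, target_port).

    '25,143>10.120.132.6' keeps the port; '443>10.120.132.105~8543' rewrites
    it, matching the --to-destination values in the posted nat table.
    """
    table = {}
    for entry in spec.split():
        ports, _, target = entry.partition(">")
        ip, _, port = target.partition("~")
        ip_address(ip)  # raises ValueError on a malformed address
        for p in ports.split(","):
            table[int(p)] = (ip, int(port) if port else int(p))
    return table


def parse_log_line(line):
    """Split a netfilter LOG line into KEY=value fields; an empty OUT= stays ''."""
    prefix, _, rest = line.partition(" IN=")
    fields = dict(_FIELD_RE.findall("IN=" + rest))
    fields["PREFIX"] = prefix.strip()
    return fields


def trace(ext_port, nat, local_addrs, input_open_tcp, forward_accept):
    """Follow a new TCP connection arriving on eth0 for ext_port.

    PREROUTING/DNAT runs before the routing decision; routing then hands a
    packet addressed to one of the host's own IPs to INPUT, everything else
    to FORWARD. Each hook sees the already-rewritten destination port.
    """
    dst_ip, dst_port = nat.get(ext_port, (None, ext_port))
    to_local = dst_ip is None or dst_ip in local_addrs
    if to_local:
        hook, accepted = "INPUT", dst_port in input_open_tcp
    else:
        hook, accepted = "FORWARD", (dst_ip, dst_port) in forward_accept
    return {"hook": hook, "dst_ip": dst_ip, "dport": dst_port, "accepted": accepted}


def classify_log(line, local_addrs):
    """Name the hook that emitted a LOG line from its IN=/OUT= fields."""
    f = parse_log_line(line)
    if f["IN"] and not f["OUT"]:
        hook = "INPUT"
    elif f["IN"] and f["OUT"]:
        hook = "FORWARD"
    else:
        hook = "OUTPUT"
    return {"hook": hook, "prefix": f["PREFIX"],
            "dst_local": f["DST"] in local_addrs, "dport": int(f["DPT"])}


if __name__ == "__main__":
    nat = parse_nat_forward(NAT_FORWARD_TCP)
    for port in (25, 143, 443, 80):
        print(port, trace(port, nat, LOCAL_ADDRESSES, EXT_INPUT_OPEN_TCP, FORWARD_ACCEPT))
    print(classify_log(SAMPLE_LOG, LOCAL_ADDRESSES))
```

Running it prints, for each forwarded port, which hook makes the filter decision and which destination port that hook sees; classify_log accepts any netfilter LOG line, so it can be run over a real kern.log to separate INPUT drops from FORWARD drops before touching rules. The trace also handles a target that is not a local address, in which case the FORWARD tuple is what matters.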