
sslug-teknik team mailing list archive

RE: Routing or? firewall / webserver problem.

 


-----Original Message-----
From: balle [mailto:balle] On Behalf Of Jesper Lund
Sent: 15 October 2001 10:41
To: sslug-teknik@xxxxxxxx
Subject: Re: [TEKNIK] Routing or? firewall / webserver problem.


Can't we see your firewall rules?

Offhand, you are missing something that makes sure the 192.168.1.0/24
network is not SNAT'ed when it is to be DNAT'ed back to the same network
it came from.... Something like:

iptables -t nat -I PREROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

But let's see your rules, then it is easier to see what is
wrong....

//Jesper

[root@test /root]# ipchains -L
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     icmp ------  anywhere             anywhere              fragmentation-needed
DENY       all  ----l-  BASE-ADDRESS.MCAST.NET/4 anywhere              n/a
DENY       all  ----l-  anywhere             192.168.1.0/24        n/a
DENY       all  ----l-  192.168.1.0/24       anywhere              n/a
DENY       all  ----l-  anywhere             192.168.1.0/24        n/a
DENY       all  ----l-  192.168.1.0/24       anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     tcp  ------  anywhere             -eth0.                any ->   ssh
ACCEPT     tcp  ------  anywhere             -eth0.                any ->   8443
ACCEPT     icmp ------  anywhere             anywhere              any ->   any
ACCEPT     tcp  ------  anywhere             anywhere              any ->   www
ACCEPT     tcp  !y----  anywhere             anywhere              any ->   any
ACCEPT     icmp ------  anywhere             anywhere              destination-unreachable
ACCEPT     icmp ------  anywhere             anywhere              echo-reply
ACCEPT     icmp ------  anywhere             anywhere              time-exceeded
DENY       icmp ----l-  anywhere             anywhere              any ->   any
DENY       udp  ----l-  anywhere             anywhere              any ->   2049
ACCEPT     udp  ------  ns.forskningsnettet.dk anywhere              domain ->   1024:65535
ACCEPT     udp  ------  mail.net.uni-c.dk    anywhere              domain ->   1024:65535
DENY       all  ----l-  anywhere             -eth0.                n/a
DENY       tcp  ------  anywhere             -eth0.                any ->   any
DENY       udp  ------  anywhere             -eth0.                any ->   any
ACCEPT     tcp  ------  192.168.1.0/24       anywhere              any ->   any
ACCEPT     tcp  ------  192.168.1.0/24       anywhere              any ->   domain
ACCEPT     udp  ------  192.168.1.0/24       anywhere              any ->   any
ACCEPT     udp  ------  192.168.1.0/24       anywhere              any ->   domain
DENY       all  ----l-  192.168.1.0/24       anywhere              n/a
DENY       all  ----l-  anywhere             anywhere              n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
DENY       tcp  ----l-  anywhere             anywhere              netbios-ns:netbios-ssn ->   any
DENY       udp  ----l-  anywhere             anywhere              netbios-ns:netbios-ssn ->   any
MASQ       all  ------  192.168.1.0/24       anywhere              n/a
DENY       all  ----l-  anywhere             anywhere              n/a
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     icmp ------  anywhere             anywhere              fragmentation-needed
ACCEPT     icmp ------  anywhere             anywhere              any ->   any
Chain acctin (0 references):
Chain acctout (0 references):
Chain acctboth (0 references):
Chain inp (0 references):
Chain out (0 references):
Chain fwd (0 references):
Chain IpFwAdM! (0 references):
target     prot opt     source                destination           ports
-          all  ------  anywhere             anywhere              n/a
-          all  ------  anywhere             anywhere              n/a
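
The LAN-to-LAN case the quoted reply raises, traced for one request and its reply with and without source NAT on the forwarded packet. This is an added example, not code from the thread: PUBLIC_IP, ROUTER_LAN, SERVER, CLIENT and EXTERNAL are constructed addresses, only 192.168.1.0/24 comes from the thread, and the model is simplified to addresses without ports.

```python
import ipaddress
from typing import NamedTuple

LAN = ipaddress.ip_network("192.168.1.0/24")  # LAN from the thread
PUBLIC_IP = "203.0.113.10"    # constructed: firewall's external address
ROUTER_LAN = "192.168.1.1"    # constructed: firewall's LAN address
SERVER = "192.168.1.20"       # constructed: internal web server
CLIENT = "192.168.1.50"       # constructed: internal client
EXTERNAL = "198.51.100.7"     # constructed: client on the Internet


class Packet(NamedTuple):
    src: str
    dst: str


def router_forward(pkt, snat_lan_to_lan, conntrack):
    """DNAT PUBLIC_IP to SERVER; optionally SNAT packets that came from the LAN."""
    out = Packet(pkt.src, SERVER) if pkt.dst == PUBLIC_IP else pkt
    if snat_lan_to_lan and ipaddress.ip_address(pkt.src) in LAN:
        out = Packet(ROUTER_LAN, out.dst)
    # Remember how to undo the translation for the matching reply.
    conntrack[Packet(out.dst, out.src)] = Packet(pkt.dst, pkt.src)
    return out


def trace(client, snat_lan_to_lan):
    """Return (reply path, source address the client sees, client accepts it)."""
    conntrack = {}
    request = Packet(client, PUBLIC_IP)
    at_server = router_forward(request, snat_lan_to_lan, conntrack)
    reply = Packet(SERVER, at_server.src)  # server answers the apparent sender
    to_router = reply.dst == ROUTER_LAN or ipaddress.ip_address(reply.dst) not in LAN
    if to_router:
        path = "via router"
        reply = conntrack[reply]           # translation reversed on the way back
    else:
        path = "direct on LAN"             # same subnet: the router never sees it
    # The client only matches a reply coming from the address it connected to.
    return path, reply.src, reply.src == request.dst


if __name__ == "__main__":
    for client, snat in [(EXTERNAL, False), (CLIENT, False), (CLIENT, True)]:
        print(client, "snat" if snat else "no snat", trace(client, snat))
```

The external client and the source-NAT'ed internal client both see the reply arrive from the address they connected to; the internal client without source NAT gets it straight from the server's LAN address and discards it.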


