sslug-teknik team mailing list archive
Message #42955
Re: Routning eller? firewall / webserver problem.
Hmm.... Well... It's your forwarding that's the problem. It doesn't look
like there's anything wrong with your firewall. There are probably some
things I would have done differently, but I won't interfere with that
:o)
As I wrote before, make sure you don't MASQ back to the same net the
traffic comes from.
Possibly change, in the FORWARD chain:
MASQ all ------ 192.168.1.0/24 anywhere n/a
to
MASQ all ------ 192.168.1.0/24 !130.226.218.110 n/a
//Jesper
Lasse Taul Bjerre wrote:
>
> -----Original Message-----
> From: balle [mailto:balle] On Behalf Of Jesper Lund
> Sent: 15 October 2001 10:41
> To: sslug-teknik@xxxxxxxx
> Subject: Re: [TEKNIK] Routning eller? firewall / webserver problem.
>
> Could we see your firewall rules?
>
> Offhand, you seem to be missing something that prevents the 192.168.1.0/24
> net from being SNAT'ed when it is to be DNAT'ed back to the same network
> it came from.... Something like:
>
> iptables -t nat -I PREROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
>
> But let's see your rules; then it's easier to see what's wrong....
>
> //Jesper
>
> [root@test /root]# ipchains -L
> Chain input (policy DENY):
> target     prot opt     source                 destination           ports
> ACCEPT     icmp ------  anywhere               anywhere              fragmentation-needed
> DENY       all  ----l-  BASE-ADDRESS.MCAST.NET/4 anywhere            n/a
> DENY       all  ----l-  anywhere               192.168.1.0/24        n/a
> DENY       all  ----l-  192.168.1.0/24         anywhere              n/a
> DENY       all  ----l-  anywhere               192.168.1.0/24        n/a
> DENY       all  ----l-  192.168.1.0/24         anywhere              n/a
> ACCEPT     all  ------  anywhere               anywhere              n/a
> ACCEPT     tcp  ------  anywhere               -eth0.                any ->   ssh
> ACCEPT     tcp  ------  anywhere               -eth0.                any ->   8443
> ACCEPT     icmp ------  anywhere               anywhere              any ->   any
> ACCEPT     tcp  ------  anywhere               anywhere              any ->   www
> ACCEPT     tcp  !y----  anywhere               anywhere              any ->   any
> ACCEPT     icmp ------  anywhere               anywhere              destination-unreachable
> ACCEPT     icmp ------  anywhere               anywhere              echo-reply
> ACCEPT     icmp ------  anywhere               anywhere              time-exceeded
> DENY       icmp ----l-  anywhere               anywhere              any ->   any
> DENY       udp  ----l-  anywhere               anywhere              any ->   2049
> ACCEPT     udp  ------  ns.forskningsnettet.dk anywhere              domain ->   1024:65535
> ACCEPT     udp  ------  mail.net.uni-c.dk      anywhere              domain ->   1024:65535
> DENY       all  ----l-  anywhere               -eth0.                n/a
> DENY       tcp  ------  anywhere               -eth0.                any ->   any
> DENY       udp  ------  anywhere               -eth0.                any ->   any
> ACCEPT     tcp  ------  192.168.1.0/24         anywhere              any ->   any
> ACCEPT     tcp  ------  192.168.1.0/24         anywhere              any ->   domain
> ACCEPT     udp  ------  192.168.1.0/24         anywhere              any ->   any
> ACCEPT     udp  ------  192.168.1.0/24         anywhere              any ->   domain
> DENY       all  ----l-  192.168.1.0/24         anywhere              n/a
> DENY       all  ----l-  anywhere               anywhere              n/a
> Chain forward (policy DENY):
> target     prot opt     source                 destination           ports
> DENY       tcp  ----l-  anywhere               anywhere              netbios-ns:netbios-ssn ->   any
> DENY       udp  ----l-  anywhere               anywhere              netbios-ns:netbios-ssn ->   any
> MASQ       all  ------  192.168.1.0/24         anywhere              n/a
> DENY       all  ----l-  anywhere               anywhere              n/a
> Chain output (policy ACCEPT):
> target     prot opt     source                 destination           ports
> ACCEPT     icmp ------  anywhere               anywhere              fragmentation-needed
> ACCEPT     icmp ------  anywhere               anywhere              any ->   any
> Chain acctin (0 references):
> Chain acctout (0 references):
> Chain acctboth (0 references):
> Chain inp (0 references):
> Chain out (0 references):
> Chain fwd (0 references):
> Chain IpFwAdM! (0 references):
> target     prot opt     source                 destination           ports
> -          all  ------  anywhere               anywhere              n/a
> -          all  ------  anywhere               anywhere              n/a
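Added example, not code from the thread or from either poster: a small first-match simulator for ipchains-style forward chains, used to compare which packets the MASQ rule in the posted forward chain matches against the replacement suggested in the reply (destination `!130.226.218.110`). The LAN 192.168.1.0/24, the public address 130.226.218.110 and the rule sets are taken from the thread; the sample packets, the internal web server address 192.168.1.5 and the outside address 198.51.100.7 are assumptions. Only the forward chain is modelled; any port forwarding that rewrites the destination before that chain is outside the model.

```python
"""Added example (not from the original thread): a first-match simulator for
ipchains-style forward chains. Addresses other than the LAN and the public
address 130.226.218.110 are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: str                       # ACCEPT, DENY or MASQ
    proto: str                        # "all", "tcp" or "udp"
    src: str                          # source network in CIDR form
    dst: str                          # destination network in CIDR form
    dst_negated: bool = False         # the "!" shown in ipchains -L output
    sport: tuple = (0, 65535)         # inclusive source port range


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet satisfies every field of the rule."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    in_dst = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    if in_dst == rule.dst_negated:    # "!dst" flips the sense of the match
        return False
    lo, hi = rule.sport
    return lo <= pkt.sport <= hi


def verdict(chain, pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; the chain policy applies if none matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


LAN = "192.168.1.0/24"
PUBLIC_IP = "130.226.218.110/32"      # the firewall's external address from the thread
ANY = "0.0.0.0/0"

# The two port-based DENY rules and the trailing catch-all DENY from the posted chain.
NETBIOS_DENY = [
    Rule("DENY", "tcp", ANY, ANY, sport=(137, 139)),   # netbios-ns:netbios-ssn
    Rule("DENY", "udp", ANY, ANY, sport=(137, 139)),
]
CATCH_ALL_DENY = [Rule("DENY", "all", ANY, ANY)]

# Forward chain as posted:            MASQ all 192.168.1.0/24 anywhere
FORWARD_AS_POSTED = NETBIOS_DENY + [Rule("MASQ", "all", LAN, ANY)] + CATCH_ALL_DENY
# Forward chain with the suggested change: MASQ all 192.168.1.0/24 !130.226.218.110
FORWARD_SUGGESTED = (NETBIOS_DENY
                     + [Rule("MASQ", "all", LAN, PUBLIC_IP, dst_negated=True)]
                     + CATCH_ALL_DENY)

# Constructed sample packets (198.51.100.7 and 192.168.1.5 are assumed addresses).
LAN_TO_INTERNET = Packet("tcp", "192.168.1.10", "198.51.100.7", 40000, 80)
LAN_TO_PUBLIC_IP = Packet("tcp", "192.168.1.10", "130.226.218.110", 40001, 80)
LAN_NETBIOS = Packet("udp", "192.168.1.10", "198.51.100.7", 137, 137)
INTERNET_TO_LAN = Packet("tcp", "198.51.100.7", "192.168.1.5", 50000, 80)


def compare(pkt: Packet) -> tuple:
    """Verdict under the posted chain and under the suggested chain."""
    return verdict(FORWARD_AS_POSTED, pkt), verdict(FORWARD_SUGGESTED, pkt)


if __name__ == "__main__":
    for name, pkt in [("LAN -> internet", LAN_TO_INTERNET),
                      ("LAN -> 130.226.218.110", LAN_TO_PUBLIC_IP),
                      ("LAN netbios", LAN_NETBIOS),
                      ("internet -> LAN", INTERNET_TO_LAN)]:
        posted, suggested = compare(pkt)
        print(f"{name:24s} posted: {posted:5s} suggested: {suggested}")
```

Running it shows the only difference between the two chains: LAN traffic addressed to 130.226.218.110 is masqueraded by the posted rule and exempted by the negated one. In the forward chain as listed, that exempted packet then falls through to the final `DENY all anywhere anywhere`, so if such traffic is meant to be forwarded at all, an ACCEPT for it has to sit above that catch-all.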