[plug] rooted routing :(
bob
bob at fots.org.au
Thu Apr 29 12:02:00 WST 2004
On Wednesday 28 April 2004 22:50, Ryan wrote:
> Not immediately obvious why you are having dramas, maybe posting your
> closest working output from 'route -n' and 'iptables -L' and 'iptables
> -t nat -L' and 'ifconfig'
Well - ok, but iptables -L is loong. See appended. (iptables is built using
monmotha's script)
In passing - does anyone care to comment on shorewall as a firewall? It
appears to be somewhat better suited to what I am trying to do...
> What subnet masks are you using btw?
both are /24s. You think it might work with /16s? Overlap the netmasks?
(though I see in your example that is not the case)
> Ensure your 'iptables -t nat -L' output is empty before you start
> running your scripts so you can be sure there are no hang-overs from
> past efforts.
'K
> I've done this on a box (which is currently in Kalgoorlie), maybe this
> working example will help you:
<snip> thanks for the example :)
By the way, the default gw for "hosts on LAN" is the 192.168.0.x of the
gateway box for what it is worth. I think I mentioned that I added a route
to the 192.168.1.X net to the "hosts on LAN" with mixed result.
===============================
going via ppp (works)
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
203.59.0.253 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 203.59.0.253 0.0.0.0 UG 0 0 0 ppp0
===============================
===============================
going via eth1 (does not work)
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
203.59.0.253 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
===============================
===============================
localnet is 192.168.0.x
adslnet is 192.168.1.x
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- localnet/24 anywhere
MASQUERADE all -- adslnet/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Hmm noticed the masquerades there... turned them off... no diff.
===============================
===============================
ifconfig
eth0 Link encap:Ethernet HWaddr 00:A0:C9:E1:84:45
inet addr:192.168.0.x Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::2a0:c9ff:fee1:x/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11119016 errors:0 dropped:0 overruns:0 frame:0
TX packets:10414791 errors:0 dropped:0 overruns:11 carrier:0
collisions:0 txqueuelen:1000
RX bytes:768762191 (733.1 MiB) TX bytes:1910350732 (1.7 GiB)
Interrupt:15 Base address:0xc000
eth1 Link encap:Ethernet HWaddr 00:60:94:0A:47:19
inet addr:192.168.1.x Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::260:94ff:fe0ax/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:461177 errors:0 dropped:0 overruns:0 frame:0
TX packets:434767 errors:6 dropped:0 overruns:0 carrier:6
collisions:6 txqueuelen:1000
RX bytes:42672522 (40.6 MiB) TX bytes:31285048 (29.8 MiB)
Interrupt:10 Base address:0x9100
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:235396 errors:0 dropped:0 overruns:0 frame:0
TX packets:235396 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:35118704 (33.4 MiB) TX bytes:35118704 (33.4 MiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:203.59.131.x P-t-P:203.59.0.253 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:17247 errors:2 dropped:0 overruns:0 frame:0
TX packets:16565 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:7025627 (6.7 MiB) TX bytes:2850911 (2.7 MiB)
===============================
===============================
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
LDROP all -- 219-88-203-27.jetstream.xtra.co.nz anywhere
LDROP all -- ip199-210-54-23.dsl.quik.co.nz anywhere
LDROP all -- 218.94.83.211 anywhere
LDROP all -- 61.152.102.47 anywhere
LDROP all -- 203.251.136.103 anywhere
LDROP all -- 202.155.104.210 anywhere
LDROP all -- 218.188.1.135 anywhere
LDROP all -- w125.z216112102.sjc-ca.dsl.cnc.net anywhere
LDROP all -- 007.a.002.cba.iprimus.net.au anywhere
LDROP all -- h-64-105-175-75.snvacaid.covad.net anywhere
LDROP all -- 64.27.55.1 anywhere
LDROP all -- 63.148.99.224/27 anywhere
LDROP all -- 216.27.93.0/24 anywhere
LDROP all -- modemcable213.133-131-66.mc.videotron.ca anywhere
INETIN all -- anywhere anywhere
ACCEPT all -- localnet/24 anywhere
ACCEPT all -- adslnet/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootps
Chain FORWARD (policy DROP)
target prot opt source destination
LDROP all -- 219-88-203-27.jetstream.xtra.co.nz anywhere
LDROP all -- anywhere 219-88-203-27.jetstream.xtra.co.nz
LDROP all -- ip199-210-54-23.dsl.quik.co.nz anywhere
LDROP all -- anywhere ip199-210-54-23.dsl.quik.co.nz
LDROP all -- 218.94.83.211 anywhere
LDROP all -- anywhere 218.94.83.211
LDROP all -- 61.152.102.47 anywhere
LDROP all -- anywhere 61.152.102.47
LDROP all -- 203.251.136.103 anywhere
LDROP all -- anywhere 203.251.136.103
LDROP all -- 202.155.104.210 anywhere
LDROP all -- anywhere 202.155.104.210
LDROP all -- 218.188.1.135 anywhere
LDROP all -- anywhere 218.188.1.135
LDROP all -- w125.z216112102.sjc-ca.dsl.cnc.net anywhere
LDROP all -- anywhere w125.z216112102.sjc-ca.dsl.cnc.net
LDROP all -- 007.a.002.cba.iprimus.net.au anywhere
LDROP all -- anywhere 007.a.002.cba.iprimus.net.au
LDROP all -- h-64-105-175-75.snvacaid.covad.net anywhere
LDROP all -- anywhere h-64-105-175-75.snvacaid.covad.net
LDROP all -- 64.27.55.1 anywhere
LDROP all -- anywhere 64.27.55.1
LDROP all -- 63.148.99.224/27 anywhere
LDROP all -- anywhere 63.148.99.224/27
LDROP all -- 216.27.93.0/24 anywhere
LDROP all -- modemcable213.133-131-66.mc.videotron.ca anywhere
INETIN all -- anywhere anywhere
INETIN all -- anywhere anywhere
INETOUT all -- anywhere anywhere
INETOUT all -- anywhere anywhere
ACCEPT all -- localnet/24 anywhere
ACCEPT all -- adslnet/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LDROP all -- anywhere 219-88-203-27.jetstream.xtra.co.nz
LDROP all -- anywhere ip199-210-54-23.dsl.quik.co.nz
LDROP all -- anywhere 218.94.83.211
LDROP all -- anywhere 61.152.102.47
LDROP all -- anywhere 203.251.136.103
LDROP all -- anywhere 202.155.104.210
LDROP all -- anywhere 218.188.1.135
LDROP all -- anywhere w125.z216112102.sjc-ca.dsl.cnc.net
LDROP all -- anywhere 007.a.002.cba.iprimus.net.au
LDROP all -- anywhere h-64-105-175-75.snvacaid.covad.net
LDROP all -- anywhere 64.27.55.1
LDROP all -- anywhere 63.148.99.224/27
INETOUT all -- anywhere anywhere
Chain DMZIN (0 references)
target prot opt source destination
Chain DMZOUT (0 references)
target prot opt source destination
Chain INETIN (3 references)
target prot opt source destination
LDROP all -- anywhere anywhere state INVALID
LDROP icmp -- anywhere anywhere icmp redirect
LDROP icmp -- anywhere anywhere icmp router-advertisement
LDROP icmp -- anywhere anywhere icmp router-solicitation
LDROP icmp -- anywhere anywhere icmp type 15
LDROP icmp -- anywhere anywhere icmp type 16
LDROP icmp -- anywhere anywhere icmp address-mask-request
LDROP icmp -- anywhere anywhere icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 2/sec burst 5
LDROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp !echo-request
TCPACCEPT tcp -- anywhere anywhere tcp dpt:ssh
TCPACCEPT tcp -- anywhere anywhere tcp dpt:smtp
TCPACCEPT tcp -- anywhere anywhere tcp dpt:domain
TCPACCEPT tcp -- anywhere anywhere tcp dpt:www
UDPACCEPT udp -- anywhere anywhere udp dpt:domain
UDPACCEPT udp -- anywhere anywhere udp dpt:bootpc
UDPACCEPT udp -- anywhere anywhere udp dpt:6112
UDPACCEPT udp -- anywhere anywhere udp dpt:6119
UDPACCEPT udp -- anywhere anywhere udp dpt:4000
ACCEPT all -- anywhere anywhere state ESTABLISHED
TCPACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED
UDPACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED
LDROP all -- anywhere anywhere
Chain INETOUT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain LDROP (65 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Dropped '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Dropped '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Dropped '
LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Dropped '
DROP all -- anywhere anywhere
Chain LREJECT (0 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LTREJECT (0 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
TREJECT all -- anywhere anywhere
Chain TCPACCEPT (5 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 100/sec burst 5
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 2/sec burst 5 LOG level warning prefix `Possible SynFlood '
LDROP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch in TCPACCEPT '
LDROP all -- anywhere anywhere
Chain TREJECT (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain UDPACCEPT (6 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch on UDPACCEPT '
LDROP all -- anywhere anywhere
Chain ULDROP (0 references)
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_ICMP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_FRAG' queue_threshold 1
DROP all -- anywhere anywhere
Chain ULREJECT (0 references)
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_FRAG' queue_threshold 1
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ULTREJECT (0 references)
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_ICMP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_FRAG' queue_threshold 1
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
===============================
--
We interrupt this fortune for an important announcement...
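An added example (not code from the post or from monmotha's script): a small Python script that replays the kernel's route selection (longest prefix match, lower metric on ties) over the two `route -n` tables quoted in the post and checks whether a LAN source address falls under one of the MASQUERADE sources in the nat POSTROUTING listing, so that for each default route you can state which interface a LAN host's packet leaves on, via which gateway, and whether its source is rewritten. The localnet/adslnet name mapping is the one the post gives; the source and destination addresses in the run are constructed. One caveat it encodes: `iptables -L` without `-v` omits the in/out interface columns, so an `-o` restriction on a MASQUERADE rule would not appear in the listing above and the script cannot account for it.

```python
# Added example: replay route selection and MASQUERADE matching for a
# dual-homed Linux gateway, using the post's `route -n` and
# `iptables -t nat -L` output as constructed sample input.
import ipaddress
import re

# Constructed from the post's two route tables; both share these rows.
ROUTE_COMMON = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
203.59.0.253 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
"""
ROUTE_VIA_PPP = ROUTE_COMMON + "0.0.0.0 203.59.0.253 0.0.0.0 UG 0 0 0 ppp0\n"
ROUTE_VIA_ETH1 = ROUTE_COMMON + "0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1\n"

# Constructed from the post's nat POSTROUTING listing.
NAT_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- localnet/24 anywhere
MASQUERADE all -- adslnet/24 anywhere
"""

# `iptables -L` resolved these names from /etc/hosts; the post says which is which.
HOST_NAMES = {"localnet": "192.168.0.0", "adslnet": "192.168.1.0"}

DOTTED_QUAD = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_routes(text):
    """Turn `route -n` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not DOTTED_QUAD.match(parts[0]):
            continue  # banner and column-header lines
        dest, gateway, genmask, flags = parts[0], parts[1], parts[2], parts[3]
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{genmask}"),
            "gateway": None if gateway == "0.0.0.0" else ipaddress.IPv4Address(gateway),
            "metric": int(parts[4]),
            "flags": flags,
            "iface": parts[-1],
        })
    return routes


def lookup(routes, dst):
    """Kernel-style selection: longest prefix wins, lower metric breaks ties."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def to_network(token, names):
    """Map an `iptables -L` source/destination token to an IPv4Network."""
    if token == "anywhere":
        return ipaddress.IPv4Network("0.0.0.0/0")
    host, _, prefix = token.partition("/")
    return ipaddress.IPv4Network(f"{names.get(host, host)}/{prefix or 32}")


def parse_masquerade(text, names=HOST_NAMES):
    """Collect the source networks of MASQUERADE rules in a nat listing.

    Plain `iptables -L` hides the in/out interface columns, so any `-o`
    restriction on these rules is invisible here; `iptables -t nat -L -v`
    would show it.
    """
    sources = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "MASQUERADE":
            sources.append(to_network(parts[3], names))
    return sources


def trace(route_text, nat_text, src, dst):
    """Describe how a packet src->dst leaves the gateway and whether it is SNATed."""
    route = lookup(parse_routes(route_text), dst)
    if route is None:
        return {"iface": None, "gateway": None, "masqueraded": False}
    masq_nets = parse_masquerade(nat_text)
    return {
        "iface": route["iface"],
        "gateway": str(route["gateway"]) if route["gateway"] else "on-link",
        "masqueraded": any(ipaddress.IPv4Address(src) in n for n in masq_nets),
    }


if __name__ == "__main__":
    # Constructed LAN host and Internet destination (documentation range).
    for label, table in (("via ppp0", ROUTE_VIA_PPP), ("via eth1", ROUTE_VIA_ETH1)):
        print(label, trace(table, NAT_POSTROUTING, "192.168.0.50", "203.0.113.9"))
```

Run against the eth1 table, the same LAN packet is reported as leaving eth1 towards 192.168.1.1 and still matching the localnet MASQUERADE source, which is the expectation to confirm or refute on the real box with `iptables -t nat -L -v -n` before looking elsewhere.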