[ale] Iptables weirdness

Alex Carver agcarver+ale at acarver.net
Tue Feb 17 17:58:10 EST 2015


Are these the rules entirely or did you edit?

If edited, there might be a rule matching and preventing these from
triggering.  I would also try adding NEW to the ESTABLISHED,RELATED
state clause and see if that opens up anything.

On one of my firewalls, I have a blanket --state RELATED,ESTABLISHED (no
NEW) for the entire ruleset and then I add a separate --state
NEW,RELATED,ESTABLISHED onto the more specific rules:

-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s <source IP> -p <proto> --dport <port> -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT

(replace INPUT as needed of course)

How did you insert your SNAT/DNAT entries? (They look correct, just
double checking.)

On 2015-02-17 14:34, Jim Kinney wrote:
> I reworked the network setup to use the new IPADDR0, IPADDR1, IPADDR2
> format for VIPs. I even let NetworkManager run things. No changes. The
> internal 192.168.1.12 address is not reachable from the outside over its
> external IP nor can it reach the outside. Everything else is
> SNAT'ed/DNAT'ed just fine.
> 
> iptables -L -n -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       all  --  0.0.0.0/0            13.160.95.6        to:192.168.1.12
> 
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> SNAT       all  --  192.168.1.12         0.0.0.0/0            to:13.160.95.6
> 
> iptables -L -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            127.0.0.0/24
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state
> RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            policy match
> dir in pol ipsec udp dpt:1701
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state
> RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            192.168.1.12         tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.1.12         tcp dpt:80
> ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> 
> On Mon, Feb 16, 2015 at 8:51 AM, Jim Kinney <jim.kinney at gmail.com> wrote:
> 
>> I'm on my phone at the moment. I'll get on a keyboard and pull data
>> shortly.
>>
>> It does show rules so its running. I'll include the setup rules for
>> clarity.
>>
>> Oh. NetworkManager is not controlling the process at all. In RHEL7 it's
>> supposed to be able to do many, many things that could only be done with
>> manual tricks. But the new process is far more complicated than doing it
>> manually for the simple setup I have.
>> On Feb 16, 2015 8:42 AM, "Alex Carver" <agcarver+ale at acarver.net> wrote:
>>
>>> What are the current rules as listed by iptables -n -L and iptables -n
>>> -L -t nat?
>>>
>>> On 2015-02-16 05:35, Jim Kinney wrote:
>>>> I've got a firewall/router running centos 7. I've disabled firewalld and
>>>> enabled iptables instead while I learn the new firewalld.
>>>>
>>>> The box has a WAN nic with 3 IPs. One for itself and the other 2 for
>>> other
>>>> systems. I'm using nat and have pre and post routing rules to do the
>>>> translation.
>>>>
>>>> Now for the weirdness.
>>>>
>>>> One works and the other doesn't.
>>>>
>>>> The rules are identical except for IPs. The rest of the LAN is simply
>>> nat
>>>> translated outbound. They all work. One server, the :2 on the nic can't
>>> get
>>>> outside at all if one the static translate. The :1 machine is fine.
>>>>
>>>> Doing a tcpdump shows ping to WAN gateway going out and returning to
>>>> outside nic but it then gets lost in the redirect.
>>>>
>>>> There are explicit forward rules for needed ports but I opened it to all
>>>> ports for the troubled machine.
>>>>
>>>> It's a new machine that passed a full memtest+ run.
>>>>
>>>> I'm stumped.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> http://mail.ale.org/mailman/listinfo/ale
>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>> http://mail.ale.org/mailman/listinfo
>>>>
>>>
>>>
>>
> 
> 
> 
> 
> 
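
The stateful pattern described at the top of this message (blanket INVALID drop and RELATED,ESTABLISHED accept first, then NEW only on the specific rules) written out as a complete iptables-restore ruleset. This is an added example, not a ruleset from anyone in the thread; it reuses the 13.160.95.6 / 192.168.1.12 pair quoted above, and the interface names WAN_IF and LAN_IF are assumptions.

```shell
#!/bin/sh
# Added example: emit a stateful filter + 1:1 NAT ruleset in
# iptables-restore format. Interface names are assumptions.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PUBLIC_IP=13.160.95.6      # secondary address on the WAN nic (from the thread)
PRIVATE_IP=192.168.1.12    # internal host behind it (from the thread)
LAN_NET=192.168.1.0/24

emit_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# 1:1 NAT for the secondary public address (specific SNAT before MASQUERADE)
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -j DNAT --to-destination $PRIVATE_IP
-A POSTROUTING -o $WAN_IF -s $PRIVATE_IP -j SNAT --to-source $PUBLIC_IP
# the rest of the LAN goes out behind the box's primary address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# blanket rules first: drop INVALID, accept replies to flows conntrack knows
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NEW connections only where explicitly allowed. FORWARD runs after
# PREROUTING, so inbound DNAT'ed traffic is matched on the private address.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $PRIVATE_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $PRIVATE_IP -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# outbound from the LAN (covers the DNAT target's own outgoing traffic too)
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Validate without touching the live tables, then apply:
#   emit_ruleset | iptables-restore --test && emit_ruleset | iptables-restore
```

Listing the result with `iptables -S` or `iptables -L -n -v` rather than plain `iptables -L -n` keeps the interface matches visible, which the plain listing hides.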


