Dear All,
I have a firewall-related question:
I installed a passthrough kind of setup, as described in this other thread in this forum. It all worked well until I wanted to extend the facility to some more ports. I extended the script below, restarted the firewall, and now nothing works any more: no access to any of the routers, even the ones that previously worked fine. VPN access works fine though, so my best guess is that there were some manual configurations outside of Bastille which were wiped by the Bastille firewall restart. But which one?
Here is my problem: I do not know how to analyse the iptables firewall (Bastille-driven or otherwise). I can see with tcpdump that some packets reach my server; they have the correct IP address and port and are TCP packets. All good. And then what? How can I analyse what is going wrong, and why the packets are being blocked from further processing and prevented from passing through to my external routers, which are connected to my server via a VPN connection? It is the analysis process I am struggling with. iptables seems like a black box and I cannot find where the packets get dropped and why.
Any hints as to how to analyse the iptables firewall?
Any hints welcome.
Cheers
PS: Attached are the config file /etc/Bastille/firewall.d/pre-chain-split.sh and the output of iptables.
Code:
#vi /etc/Bastille/firewall.d/pre-chain-split.sh
#!/bin/sh
# Runs from Bastille's pre-chain-split hook.
# Let forwarded traffic leave through the VPN tunnel (note: only the nat
# table is flushed below, so this FORWARD rule is appended on every run).
/sbin/iptables -A FORWARD -o tun+ -j ACCEPT
/sbin/iptables -t nat -F
# requires one for every router you want to connect to:
# public port 80NN on 1.2.3.4 is redirected to VPN client 10.8.0.NN port 8080,
# both for connections arriving from outside (PREROUTING) and for connections
# made by the server itself (OUTPUT).
n=4
while [ "$n" -le 20 ]; do
    port=$((8000 + n))
    target="10.8.0.$n:8080"
    /sbin/iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport "$port" -j DNAT --to-destination "$target"
    /sbin/iptables -t nat -A OUTPUT     -d 1.2.3.4 -p tcp --dport "$port" -j DNAT --to-destination "$target"
    n=$((n + 1))
done
# Hide the forwarded connections behind the server's tunnel address
/sbin/iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
Code:
#iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 632K packets, 31M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere server.chillifire.net tcp dpt:8004 to:10.8.0.4:8080
0 0 DNAT tcp -- any any anywhere server.chillifire.net tcp dpt:8005 to:10.8.0.5:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8006 to:10.8.0.6:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8007 to:10.8.0.7:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8008 to:10.8.0.8:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8009 to:10.8.0.9:8080
3 144 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8010 to:10.8.0.10:8080
12 576 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8011 to:10.8.0.11:8080
3 144 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8012 to:10.8.0.12:8080
3 144 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8013 to:10.8.0.13:8080
6 288 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8014 to:10.8.0.14:8080
3 144 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8015 to:10.8.0.15:8080
3 144 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8016 to:10.8.0.16:8080
12 576 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8017 to:10.8.0.17:8080
6 288 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8018 to:10.8.0.18:8080
3 144 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8019 to:10.8.0.19:8080
3 144 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8020 to:10.8.0.20:8080
Chain POSTROUTING (policy ACCEPT 40397 packets, 2575K bytes)
pkts bytes target prot opt in out source destination
3 252 MASQUERADE all -- any tun+ anywhere anywhere
Chain OUTPUT (policy ACCEPT 40440 packets, 2578K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8004 to:10.8.0.4:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8005 to:10.8.0.5:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8006 to:10.8.0.6:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8007 to:10.8.0.7:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8008 to:10.8.0.8:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8009 to:10.8.0.9:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8010 to:10.8.0.10:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8011 to:10.8.0.11:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8012 to:10.8.0.12:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8013 to:10.8.0.13:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8014 to:10.8.0.14:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8015 to:10.8.0.15:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8016 to:10.8.0.16:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8017 to:10.8.0.17:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8018 to:10.8.0.18:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8019 to:10.8.0.19:8080
0 0 DNAT tcp -- any any anywhere blackbird.chillifire.net tcp dpt:8020 to:10.8.0.20:8080
Code:
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
21 2560 DROP all -- any any 189.51.255.168.static.nqt.com.br anywhere
0 0 DROP tcp -- !lo any anywhere 127.0.0.0/8
346K 46M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
7447 405K ACCEPT all -- lo any anywhere anywhere
0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
0 0 PUB_IN all -- tun+ any anywhere anywhere
8641 543K PUB_IN all -- eth+ any anywhere anywhere
0 0 PUB_IN all -- ppp+ any anywhere anywhere
0 0 PUB_IN all -- slip+ any anywhere anywhere
0 0 PUB_IN all -- venet+ any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any 189.51.255.168.static.nqt.com.br anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any tun+ anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 57197 packets, 5912K bytes)
pkts bytes target prot opt in out source destination
3 252 PUB_OUT all -- any tun+ anywhere anywhere
418K 97M PUB_OUT all -- any eth+ anywhere anywhere
0 0 PUB_OUT all -- any ppp+ anywhere anywhere
0 0 PUB_OUT all -- any slip+ anywhere anywhere
0 0 PUB_OUT all -- any venet+ anywhere anywhere
Chain INT_IN (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain INT_OUT (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere
Chain PAROLE (17 references)
pkts bytes target prot opt in out source destination
6111 320K ACCEPT all -- any any anywhere anywhere
Chain PUB_IN (5 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
78 4758 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
45 2724 PAROLE tcp -- any any anywhere anywhere tcp dpt:ftp
46 3324 PAROLE tcp -- any any anywhere anywhere tcp dpt:ssh
7 420 PAROLE tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:domain
4717 246K PAROLE tcp -- any any anywhere anywhere tcp dpt:www
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:81
66 3168 PAROLE tcp -- any any anywhere anywhere tcp dpt:pop3
838 41116 PAROLE tcp -- any any anywhere anywhere tcp dpt:https
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:webmin
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:radius
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:radius-acct
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:mysql
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:openvpn
392 23520 PAROLE tcp -- any any anywhere anywhere tcp dpt:munin
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:2812
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:4960
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpts:8000:8199
626 49136 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
1068 83219 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
339 17628 DROP icmp -- any any anywhere anywhere
419 68552 DROP all -- any any anywhere anywhere
Chain PUB_OUT (5 references)
pkts bytes target prot opt in out source destination
418K 97M ACCEPT all -- any any anywhere anywhere
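Since the question is how to find the rule that eats a packet, here is a small counter-diff tool for exactly that. It is an added example, not anything from the post or from Bastille: it snapshots every table's per-rule packet counters (`iptables -t T -L -v -n -x`), waits while you send one test packet, prints only the counters that moved, and says what the pattern means. A rule that never ticks was never reached; the last one that ticks is where the packet was accepted, dropped or NATed. Everything in `_sample()` is constructed test data shaped like the listings above, not captured output, and the `nc` probe command and the DNAT target named in the comments are assumptions.

```python
"""Find where iptables loses a packet by diffing per-rule counters.

Snapshot `iptables -t <table> -L -v -n -x` for every table, send exactly
one test packet (assumption: `nc -z -w 2 1.2.3.4 8010` from outside),
snapshot again, and report only the counters that increased.
Added example, not the forum poster's code; _sample() is constructed data.
"""
import re
import subprocess

TABLES = ("raw", "mangle", "nat", "filter")
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets|\d+ references)")


def parse_listing(text):
    """One `-L -v -n -x` listing -> (counters, rules), keyed 'CHAIN:policy' / 'CHAIN:<n>'."""
    counters, rules, chain, idx = {}, {}, None, 0
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, idx = m.group(1), 0
            if m.group(2):                      # built-in chain: has a policy counter
                counters[f"{chain}:policy"] = int(m.group(3))
                rules[f"{chain}:policy"] = f"policy {m.group(2)}"
            continue
        fields = line.split(None, 2)
        if chain is None or len(fields) < 2 or not fields[0].isdigit():
            continue                            # column header, blank or stray line
        idx += 1
        counters[f"{chain}:{idx}"] = int(fields[0])
        rules[f"{chain}:{idx}"] = " ".join(fields[2].split()) if len(fields) > 2 else ""
    return counters, rules


def snapshot(run_table):
    """Counters for all tables keyed 'table/CHAIN:n'; run_table(t) returns t's listing."""
    counters, rules = {}, {}
    for t in TABLES:
        c, r = parse_listing(run_table(t))
        counters.update({f"{t}/{k}": v for k, v in c.items()})
        rules.update({f"{t}/{k}": v for k, v in r.items()})
    return counters, rules


def live_listing(table):
    """Real listing from the running kernel (needs root)."""
    return subprocess.run(["iptables", "-t", table, "-L", "-v", "-n", "-x"],
                          capture_output=True, text=True, check=True).stdout


def diff_counters(before, after, rules):
    """[(key, rule text, delta)] for every packet counter that increased."""
    return [(k, rules.get(k, ""), after[k] - before.get(k, 0))
            for k in after if after[k] > before.get(k, 0)]


def diagnose(hits, ip_forward):
    """Turn the diff into the next question to ask."""
    dnat = any(k.startswith("nat/PREROUTING") and r.startswith("DNAT") for k, r, _ in hits)
    forwarded = any(k.startswith("filter/FORWARD") for k, _, _ in hits)
    if dnat and not forwarded:
        # After DNAT the routing decision runs; with ip_forward=0, or no route to
        # the new destination, the packet is discarded before the FORWARD hook,
        # so no FORWARD rule or policy counter can tick.
        return ("DNAT matched but nothing in FORWARD ticked: check "
                f"net.ipv4.ip_forward (currently {ip_forward}) and "
                "`ip route get <DNAT target>`")
    for k, r, _ in hits:
        if k.startswith("filter/") and (r.startswith(("DROP", "REJECT")) or r == "policy DROP"):
            return f"discarded by {k}: {r}"
    return "no drop seen in iptables; look at the tunnel, route or application"


def ip_forward_setting(path="/proc/sys/net/ipv4/ip_forward"):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return "unknown"


def _sample(dnat_pkts):
    """Constructed listings (not real output), shaped like the poster's tables."""
    hdr = ("Chain {} (policy ACCEPT 0 packets, 0 bytes)\n"
           "    pkts      bytes target     prot opt in     out     source               destination\n")
    dnat = (f"{dnat_pkts:>8} {dnat_pkts * 48:>10} DNAT       tcp  --  *      *       "
            "0.0.0.0/0            1.2.3.4              tcp dpt:8010 to:10.8.0.10:8080\n")
    fwd = ("       0          0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0\n"
           "       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0\n")
    return {"raw": hdr.format("PREROUTING") + hdr.format("OUTPUT"),
            "mangle": hdr.format("PREROUTING") + hdr.format("FORWARD"),
            "nat": hdr.format("PREROUTING") + dnat + hdr.format("POSTROUTING"),
            "filter": hdr.format("INPUT") + hdr.format("FORWARD") + fwd}


if __name__ == "__main__":
    before, rules = snapshot(live_listing)
    input("Send exactly one test packet now, then press Enter ")
    after, rules = snapshot(live_listing)
    hits = diff_counters(before, after, rules)
    for key, rule, delta in hits:
        print(f"+{delta:<4} {key:<26} {rule}")
    print(diagnose(hits, ip_forward_setting()))
```

Run it as root on the server, preferably from a console (over ssh the RELATED,ESTABLISHED rule in INPUT will tick as well and can be ignored), and send the probe from outside. Applied to the listings above, the pattern is already visible without the tool: the nat PREROUTING DNAT rules for ports 8010 to 8020 have counted packets, while every rule and the policy counter in the filter FORWARD chain is at zero, which is consistent with the packets being discarded between DNAT and the FORWARD hook; that is where `cat /proc/sys/net/ipv4/ip_forward` and `ip route get 10.8.0.10` come in. For a full per-hook trace instead of counters, `iptables -t raw -I PREROUTING -p tcp --dport 8010 -j TRACE` writes every chain and rule the packet visits to the kernel log once a netfilter logging module is loaded; delete the rule with `-D` when finished.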