Iptables glitches?
Greetings. There is an Ubuntu router + iptables + NAT setup. 3 VLANs are terminated on it, and it also acts as the gateway for their subnets. The problem is that the subnet behind one VLAN, "3624", has stopped responding from the outside. The other subnets behind the VLANs are pingable, and there are no restrictions in the firewall. I added rules to the firewall to allow packets to pass to this network, the counters grow, but there are still no pings. Here are the rules that are in effect at the moment:
pkts bytes target prot opt in out source destination
8509 571K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
2322K 1772M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 172.17.8.0/21
0 0 ACCEPT all -- * * 0.0.0.0/0 172.17.0.0/21
0 0 ACCEPT tcp -- * * ***.***.**** 0.0.0.0/0 tcp dpt:3306
2 108 REJECT tcp -- * * !127.0.0.0/8 0.0.0.0/0 tcp dpt:3306 reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- * * ***.***/26 92.60.184.138 tcp dpt:8443
0 0 ACCEPT tcp -- * * ***.***.184.148 ***.***.184.138 tcp dpt:8443
0 0 REJECT tcp -- * * 0.0.0.0/0 ***.***.184.138 tcp dpt:8443 reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- * * ***.***.191.0/26 ***.***.184.138 tcp dpt:8843
0 0 ACCEPT tcp -- * * ***.***.184.148 ***.***.184.138 tcp dpt:8843
0 0 REJECT tcp -- * * 0.0.0.0/0 ***.184.138 tcp dpt:8843 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 148K packets, 24M bytes)
pkts bytes target prot opt in out source destination
6801K 3974M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
88 6464 LOG all -- * eth0 10.55.7.0/24 0.0.0.0/0 LOG flags 0 level 7 prefix "test"
81 4112 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
83 4212 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT all -- * * 0.0.0.0/0 172.17.8.0/21
0 0 ACCEPT all -- * * 0.0.0.0/0 172.17.0.0/21
Chain OUTPUT (policy ACCEPT 203K packets, 108M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner UID match 112
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner UID match 0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
testIN=eth0 OUT=vlan3624 MAC=00:0d:56:6f:cc:5f:80:71:1f:d6:2d:41:08:00 SRC=10.10.10.1 DST=10.55.7.101 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=45054 DF PROTO=ICMP TYPE=8 CODE=0 ID=25877 SEQ=1
May 24 10:04:23 gauss kernel: [21280730.292876] testIN=eth0 OUT=vlan3624 MAC=00:0d:56:6f:cc:5f:80:71:1f:d6:2d:41:08:00 SRC=10.10.10.1 DST=10.55.7.1 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=62465 DF PROTO=ICMP TYPE=8 CODE=0 ID=5743 SEQ=3
May 24 10:04:24 gauss kernel: [21280730.808709] testIN=eth0 OUT=vlan3624 MAC=00:0d:56:6f:cc:5f:80:71:1f:d6:2d:41:08:00 SRC=10.10.10.1 DST=10.55.7.101 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=45263 DF PROTO=ICMP TYPE=8 CODE=0 ID=25877 SEQ=2
May 24 10:04:24 gauss kernel: [21280731.301006] testIN=eth0 OUT=vlan3624 MAC=00:0d:56:6f:cc:5f:80:71:1f:d6:2d:41:08:00 SRC=10.10.10.1 DST=10.55.7.1 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=62492 DF PROTO=ICMP TYPE=8 CODE=0 ID=5743 SEQ=4
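Every LOG line in the post is an echo request (PROTO=ICMP TYPE=8) entering on eth0 and leaving on vlan3624, so the FORWARD chain is passing the pings toward the VLAN; what the post does not show is whether any echo reply (TYPE=0) ever comes back through the router. The following script is an added example, not code from the post, that parses netfilter LOG lines in the exact format shown above and tallies requests against replies per interface pair, listing the (ICMP ID, SEQ) pairs that were never answered. The sample log is constructed: two lines copied in form from the post plus one constructed reply line with the assumed prefix "test-back", representing what a reverse-direction LOG rule would emit.

```python
import re
from collections import Counter

# Constructed sample log: two echo requests in the form shown in the post,
# plus one constructed echo reply as a reverse-direction LOG rule (assumed
# prefix "test-back") would record it. Only SEQ=2 of ID=25877 is answered.
SAMPLE_LOG = """\
May 24 10:04:23 gauss kernel: [21280730.292876] testIN=eth0 OUT=vlan3624 MAC=00:0d:56:6f:cc:5f:80:71:1f:d6:2d:41:08:00 SRC=10.10.10.1 DST=10.55.7.1 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=62465 DF PROTO=ICMP TYPE=8 CODE=0 ID=5743 SEQ=3
May 24 10:04:24 gauss kernel: [21280730.808709] testIN=eth0 OUT=vlan3624 MAC=00:0d:56:6f:cc:5f:80:71:1f:d6:2d:41:08:00 SRC=10.10.10.1 DST=10.55.7.101 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=45263 DF PROTO=ICMP TYPE=8 CODE=0 ID=25877 SEQ=2
May 24 10:04:24 gauss kernel: [21280730.812001] test-backIN=vlan3624 OUT=eth0 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.55.7.101 DST=10.10.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1234 PROTO=ICMP TYPE=0 CODE=0 ID=25877 SEQ=2
"""

ICMP_ECHO_REQUEST = '8'
ICMP_ECHO_REPLY = '0'


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict; return None for other lines.

    The parser anchors on 'IN=' rather than on the syslog timestamp, because
    the first log line in the post was pasted without its timestamp prefix.
    The log prefix (set with --log-prefix) is whatever sits between the
    '[uptime]' bracket and 'IN='; with no trailing space it is glued to IN=.
    A LOG line carries two ID= fields: the IP header ID, then (after
    PROTO=ICMP) the ICMP identifier, so they are stored under distinct keys.
    """
    pos = line.find('IN=')
    if pos < 0:
        return None
    head = line[:pos]
    rec = {'prefix': head.rsplit(']', 1)[-1].strip(), 'flags': []}
    seen_proto = False
    for tok in line[pos:].split():
        if '=' not in tok:
            rec['flags'].append(tok)        # bare flags such as DF
            continue
        key, val = tok.split('=', 1)
        if key == 'ID':
            key = 'ICMP_ID' if seen_proto else 'IP_ID'
        if key == 'PROTO':
            seen_proto = True
        rec[key] = val
    return rec


def icmp_flow_summary(log_text):
    """Tally ICMP packets per (IN, OUT, TYPE) and find unanswered echo requests.

    Returns (summary, unanswered) where summary is a Counter keyed by
    (in_iface, out_iface, icmp_type) and unanswered is a list of
    (src, dst, icmp_id, seq) tuples for requests with no matching reply.
    """
    summary = Counter()
    requests = {}
    replies = set()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if not rec or rec.get('PROTO') != 'ICMP':
            continue
        summary[(rec['IN'], rec['OUT'], rec['TYPE'])] += 1
        flow = (rec['ICMP_ID'], rec['SEQ'])
        if rec['TYPE'] == ICMP_ECHO_REQUEST:
            requests[flow] = (rec['SRC'], rec['DST'])
        elif rec['TYPE'] == ICMP_ECHO_REPLY:
            replies.add(flow)
    unanswered = [(src, dst, icmp_id, seq)
                  for (icmp_id, seq), (src, dst) in requests.items()
                  if (icmp_id, seq) not in replies]
    return summary, unanswered


if __name__ == '__main__':
    summary, unanswered = icmp_flow_summary(SAMPLE_LOG)
    for (in_if, out_if, icmp_type), n in sorted(summary.items()):
        print(f'IN={in_if:8} OUT={out_if:8} TYPE={icmp_type}: {n} packets')
    for src, dst, icmp_id, seq in unanswered:
        print(f'no reply: {src} -> {dst} (ICMP id {icmp_id}, seq {seq})')
```

To get reply lines to feed it, the reverse direction has to be logged ahead of the first FORWARD rule: `ACCEPT ... state RELATED,ESTABLISHED` sits at position 1, and a reply to a conntracked ping is ESTABLISHED, so a LOG rule appended after it (as the "test" rule in the listing is) never sees replies. A rule of the form `iptables -I FORWARD 1 -i vlan3624 -s 10.55.7.0/24 -p icmp -j LOG --log-prefix "test-back "` (prefix is an assumption; note the trailing space so the prefix is not glued to IN=) would catch them. If nothing appears there while `tcpdump -ni vlan3624 icmp` also shows no replies, the packets are dying beyond the router (host not answering, or its default route not pointing back at the router) rather than in iptables. Two details in the listing are worth rechecking while doing this: the logged lines have IN=eth0 OUT=vlan3624, which the LOG rule as listed (out=eth0, source 10.55.7.0/24) cannot match, so they came from a different rule than the one shown; and the pings to 10.55.7.1 traverse FORWARD, which means 10.55.7.1 is not an address the router itself holds on vlan3624.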