Getting access out through gateway
Simon Slater
pyevet at aapt.net.au
Mon May 5 04:20:36 UTC 2008
On Mon, 2008-05-05 at 12:55 +0930, Tim wrote:
> > Is the problem with the laptop or the gateway box? Here are the
> > iptables rules.
>
> Which machine do those supplied rules apply to, and what are the rules
> for the other machine?
>
The previously posted rules apply to the gateway. The following apply
to the laptop:
[root@acer ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

[root@acer ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.122.0/24    anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@acer ~]#
I didn't think to check the laptop rules because the rejected packet
came from the gateway. It looks like masquerading is set up on the
laptop also. This should be off for the client? I don't know where the
192.168.122.0/24 address came from, nor the 224.0.0.251 for that matter.
--
'ooroo
Simon
Registered Linux User #463789. Sign up at: http://counter.li.org/
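The listing above is the case a practitioner hits constantly: a desktop that was never meant to route has FORWARD ACCEPT rules and a MASQUERADE rule, and the REJECTs after the unconditional ACCEPT in FORWARD can never match. For the record, 192.168.122.0/24 is the address range of libvirt's default NAT network (virbr0) and 224.0.0.251 is the mDNS multicast address; the FORWARD/MASQUERADE rules on the laptop are what libvirtd installs for that network. The script below is an added example, not code from this thread or from Fedora: it audits plain `iptables -L` and `iptables -L -t nat` text for rules that turn a client into a router. The two listings are constructed from the rules quoted above (INPUT trimmed), re-joined one rule per line; the function names are my own.

```shell
#!/bin/sh
# Added example: audit "iptables -L" / "iptables -L -t nat" text for
# forwarding and NAT rules that a client machine should not carry.
# The listings are constructed from the rules quoted in the thread.
# Note: plain "iptables -L" hides interfaces and counters; on a live box
# prefer "iptables -L -v -n --line-numbers" before deciding what to delete.

FILTER_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

NAT_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.122.0/24    anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# rules_in CHAIN TARGET LISTING: print the rule lines of CHAIN whose target is TARGET.
rules_in() {
    printf '%s\n' "$3" | awk -v chain="$1" -v target="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $1 == target { print }'
}

# count_rules CHAIN TARGET LISTING: number of matching rules (0 if none).
count_rules() {
    rules_in "$1" "$2" "$3" | wc -l | tr -d ' '
}

# audit_client FILTER NAT: print one line per finding; exit status = number of findings.
audit_client() {
    filter=$1; nat=$2; findings=0
    n=$(count_rules FORWARD ACCEPT "$filter")
    if [ "$n" -gt 0 ]; then
        echo "FORWARD has $n ACCEPT rule(s): this host will route for other machines"
        findings=$((findings + 1))
    fi
    # An unconditional anywhere->anywhere ACCEPT in FORWARD makes every later REJECT dead.
    if rules_in FORWARD ACCEPT "$filter" |
       awk 'NF == 5 && $4 == "anywhere" && $5 == "anywhere" { found = 1 } END { exit !found }'; then
        echo "FORWARD: unconditional ACCEPT all anywhere->anywhere; the REJECT rules after it never match"
        findings=$((findings + 1))
    fi
    m=$(count_rules POSTROUTING MASQUERADE "$nat")
    if [ "$m" -gt 0 ]; then
        echo "nat POSTROUTING has $m MASQUERADE rule(s): this host NATs the traffic it forwards"
        findings=$((findings + 1))
    fi
    # 192.168.122.0/24 is libvirt's default NAT network; its presence explains the rules.
    if printf '%s\n%s\n' "$filter" "$nat" | grep -q '192\.168\.122\.0/24'; then
        echo "rules reference 192.168.122.0/24: libvirt default network (virbr0) rules are loaded"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone run: report findings without aborting under "set -e".
audit_client "$FILTER_LISTING" "$NAT_LISTING" || echo "$? finding(s)"
```

On the thread's laptop the audit reports four findings. Whether to delete the rules depends on whether the VM network is wanted: if it is, the rules are legitimate and the unconditional FORWARD ACCEPT is the one to question; if not, stopping libvirtd's default network removes them at the source rather than hand-editing the chains.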