Solved

Endian Firewall routed subnet on green network

Posted on 2009-04-22
Medium Priority
9,536 Views
Last Modified: 2013-11-16
I am trying to set up an endian firewall appliance and having a hard time with internal traffic routing.
Here is my setup:

Green subnet: 192.168.168.0/24
Endian firewall IP: 192.168.168.1
Additional internal routed subnet: 10.1.2.0/24
router ip address: 192.168.168.52

I tried following the directions here: http://kb.endian.com/entry/28/ and I also tried adding the route via the following route statement:
route add -net 10.1.2.0 netmask 255.255.255.0 gw 192.168.168.52

Either way, devices on 192.168.168.0/24 and 10.1.2.0/24 are unable to communicate properly. I'm able to ping from 192.168.168.0 to 10.1.2.0 but not the opposite way. For example, I can do a simple telnet port scan from 192.168.168.0/24 to an IP address on 10.1.2.0 listening on port 3389 (terminal services). The port scan works, but actually trying to use remote desktop fails.

Internet access from both works fine, it's just communication between the 2 subnets that isn't working.  

A couple of notes:
When I add the static route through the web based gui, the connections status page shows traffic coming from the 10.1.2.0/24 subnet as red (internet traffic).  If I add the static route through the route add command, it shows the traffic as green.  

Attached is a complete dump of the firewall.  My guess is that traffic is getting blocked.  I just don't know enough about iptables to find out where.

Thanks!


# Generated by iptables-save v1.3.8 on Wed Apr 22 11:21:26 2009
*mangle
:PREROUTING ACCEPT [108983:23638102]
:INPUT ACCEPT [39585:3795243]
:FORWARD ACCEPT [68353:19701326]
:OUTPUT ACCEPT [54161:43536415]
:POSTROUTING ACCEPT [122502:63223121]
:CHECKIIF - [0:0]
:INCOMINGMARK - [0:0]
:LOCALMARK - [0:0]
:LOCALPOLICYROUTING - [0:0]
:LOCALROUTING - [0:0]
:LVS - [0:0]
:LVSSMTPSCAN - [0:0]
:MARKIIF - [0:0]
:POLICYROUTING - [0:0]
:ROUTING - [0:0]
:ZONEFW - [0:0]
:ZONETRAFFIC - [0:0]
-A PREROUTING -i lo -j ACCEPT 
-A PREROUTING -j ROUTING 
-A INPUT -i lo -j ACCEPT 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -m state --state NEW -m mark --mark 0x0/0xfff80000 -j ZONETRAFFIC 
-A FORWARD -m state --state RELATED,ESTABLISHED -j MARK --and-mark 0xfffbffff 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -j LOCALROUTING 
-A CHECKIIF -i ! eth1 -m connmark --mark 0x1000/0x3f800 -j MARK --and-mark 0xfffff807 
-A CHECKIIF -i ! eth1 -m connmark --mark 0x1000/0x3f800 -j MARK --or-mark 0x7e0 
-A CHECKIIF -i ! eth0 -m connmark --mark 0x800/0x3f800 -j MARK --and-mark 0xfffff807 
-A CHECKIIF -i ! br0 -m connmark --mark 0x1800/0x3f800 -j MARK --and-mark 0xfffff807 
-A INCOMINGMARK -j POLICYROUTING 
-A INCOMINGMARK -j CONNMARK --restore-mark 
-A LOCALMARK -j LOCALPOLICYROUTING 
-A LOCALMARK -j CONNMARK --restore-mark 
-A LOCALPOLICYROUTING -d 208.67.220.220 -p udp -m udp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 
-A LOCALPOLICYROUTING -d 208.67.220.220 -p udp -m udp --dport 53 -m connmark ! --mark 0x0/0x7f8 -j RETURN 
-A LOCALPOLICYROUTING -d 208.67.220.220 -p tcp -m tcp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 
-A LOCALPOLICYROUTING -d 208.67.220.220 -p tcp -m tcp --dport 53 -m connmark ! --mark 0x0/0x7f8 -j RETURN 
-A LOCALPOLICYROUTING -d 208.67.220.220 -p udp -m udp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 
-A LOCALPOLICYROUTING -d 208.67.220.220 -p udp -m udp --dport 53 -m connmark ! --mark 0x0/0x7f8 -j RETURN 
-A LOCALPOLICYROUTING -d 208.67.220.220 -p tcp -m tcp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 
-A LOCALPOLICYROUTING -d 208.67.220.220 -p tcp -m tcp --dport 53 -m connmark ! --mark 0x0/0x7f8 -j RETURN 
-A LOCALROUTING -i lo -j RETURN 
-A LOCALROUTING -o lo -j RETURN 
-A LOCALROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CONNMARK --restore-mark 
-A LOCALROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CHECKIIF 
-A LOCALROUTING -m state --state NEW -j MARKIIF 
-A LOCALROUTING -m state --state NEW -j LOCALMARK 
-A MARKIIF -i eth1 -j CONNMARK --set-mark 0x1000/0x3f800 
-A MARKIIF -i eth0 -j CONNMARK --set-mark 0x800/0x3f800 
-A MARKIIF -i br0 -j CONNMARK --set-mark 0x1800/0x3f800 
-A POLICYROUTING -d 208.67.220.220 -p udp -m udp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 
-A POLICYROUTING -d 208.67.220.220 -p udp -m udp --dport 53 -m connmark ! --mark 0x0/0x7f8 -j RETURN 
-A POLICYROUTING -d 208.67.220.220 -p tcp -m tcp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 
-A POLICYROUTING -d 208.67.220.220 -p tcp -m tcp --dport 53 -m connmark ! --mark 0x0/0x7f8 -j RETURN 
-A POLICYROUTING -d 208.67.220.220 -p udp -m udp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 
-A POLICYROUTING -d 208.67.220.220 -p udp -m udp --dport 53 -m connmark ! --mark 0x0/0x7f8 -j RETURN 
-A POLICYROUTING -d 208.67.220.220 -p tcp -m tcp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 
-A POLICYROUTING -d 208.67.220.220 -p tcp -m tcp --dport 53 -m connmark ! --mark 0x0/0x7f8 -j RETURN 
-A ROUTING -i lo -j RETURN 
-A ROUTING -o lo -j RETURN 
-A ROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CONNMARK --restore-mark 
-A ROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CHECKIIF 
-A ROUTING -m state --state NEW -j MARKIIF 
-A ROUTING -m state --state NEW -j INCOMINGMARK 
-A ZONEFW -i br0 -o br0 -j ACCEPT 
-A ZONEFW -i br0 -o br2 -j ACCEPT 
-A ZONEFW -i br0 -o br1 -j ACCEPT 
-A ZONEFW -i br2 -o br2 -j ACCEPT 
-A ZONEFW -i br1 -o br1 -j ACCEPT 
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW 
-A ZONETRAFFIC -i br0 -o br0 -j RETURN 
COMMIT
# Completed on Wed Apr 22 11:21:26 2009
# Generated by iptables-save v1.3.8 on Wed Apr 22 11:21:26 2009
*filter
:ALLOW - [0:0]
:ALLOW_HOOKS - [0:0]
:BADTCP - [0:0]
:BADTCP_LOGDROP - [0:0]
:CUSTOMFORWARD - [0:0]
:CUSTOMINPUT - [0:0]
:CUSTOMOUTPUT - [0:0]
:HAFORWARD - [0:0]
:ICMP_LOGDROP - [0:0]
:INPUT DROP [569:493670]
:FORWARD DROP [64:5654]
:INPUTFW - [0:0]
:INPUTFW_LOGDROP - [0:0]
:INPUTTRAFFIC - [0:0]
:LOG_FORWARD - [0:0]
:LOG_INPUT - [0:0]
:NEWNOTSYN - [0:0]
:NEWNOTSYN_LOGDROP - [0:0]
:OPENVPNCLIENTDHCP - [0:0]
:OPENVPNDHCP - [0:0]
:OUTGOINGFW - [0:0]
:OUTPUT ACCEPT [54231:43544381]
:PORTFWACCESS - [0:0]
:REDINPUT - [0:0]
:VPNFW - [0:0]
:VPNFWDST - [0:0]
:VPNFW_LOGDROP - [0:0]
:VPNTRAFFIC - [0:0]
:ZONEFW - [0:0]
:ZONEFW_LOGDROP - [0:0]
:ZONETRAFFIC - [0:0]
:ipac~fi - [0:0]
:ipac~fo - [0:0]
:ipac~i - [0:0]
:ipac~o - [0:0]
-A ALLOW -j ALLOW_HOOKS 
-A ALLOW -j ACCEPT 
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j BADTCP_LOGDROP 
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j BADTCP_LOGDROP 
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j BADTCP_LOGDROP 
-A BADTCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOGDROP 
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j BADTCP_LOGDROP 
-A BADTCP_LOGDROP -j DROP 
-A ICMP_LOGDROP -p icmp -m icmp --icmp-type 8 -j RETURN 
-A ICMP_LOGDROP -p icmp -m icmp --icmp-type 30 -j RETURN 
-A ICMP_LOGDROP -j DROP 
-A INPUT -j ipac~o 
-A INPUT -j REDINPUT 
-A INPUT -j BADTCP 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NEWNOTSYN_LOGDROP 
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec 
-A INPUT -j CUSTOMINPUT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ALLOW 
-A INPUT -p icmp -j ICMP_LOGDROP 
-A INPUT -i lo -m state --state NEW -j ALLOW 
-A INPUT -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP 
-A INPUT -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP 
-A INPUT -m state --state NEW -j INPUTTRAFFIC 
-A INPUT -j LOG_INPUT 
-A FORWARD -j ipac~fi 
-A FORWARD -j ipac~fo 
-A FORWARD -j OPENVPNCLIENTDHCP 
-A FORWARD -j OPENVPNDHCP 
-A FORWARD -j BADTCP 
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NEWNOTSYN 
-A FORWARD -j CUSTOMFORWARD 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ALLOW 
-A FORWARD -p icmp -j ICMP_LOGDROP 
-A FORWARD -i lo -m state --state NEW -j ALLOW 
-A FORWARD -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP 
-A FORWARD -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP 
-A FORWARD -j HAFORWARD 
-A FORWARD -m state --state NEW -j PORTFWACCESS 
-A FORWARD -j VPNTRAFFIC 
-A FORWARD -m state --state NEW -j OUTGOINGFW 
-A FORWARD -m state --state NEW -j ZONETRAFFIC 
-A FORWARD -j LOG_FORWARD 
-A INPUTFW -s 192.168.168.0/255.255.255.0 -p tcp -m tcp --dport 10000 -j ALLOW 
-A INPUTFW -i br0 -p tcp -m tcp --dport 80 -j ALLOW 
-A INPUTFW -i br2 -p tcp -m tcp --dport 80 -j ALLOW 
-A INPUTFW -i br1 -p tcp -m tcp --dport 80 -j ALLOW 
-A INPUTFW -i br0 -p tcp -m tcp --dport 10443 -j ALLOW 
-A INPUTFW -i br0 -p tcp -m tcp --dport 3001 -j ALLOW 
-A INPUTFW -i br2 -p tcp -m tcp --dport 3001 -j ALLOW 
-A INPUTFW -i br1 -p tcp -m tcp --dport 3001 -j ALLOW 
-A INPUTFW -i br0 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ALLOW 
-A INPUTFW -i br0 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ALLOW 
-A INPUTFW -i br2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ALLOW 
-A INPUTFW -i br2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ALLOW 
-A INPUTFW -i br1 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ALLOW 
-A INPUTFW -i br1 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ALLOW 
-A INPUTFW -i ipsec+ -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ALLOW 
-A INPUTFW -i ipsec+ -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ALLOW 
-A INPUTFW -i br0 -p tcp -m tcp --dport 53 -j ALLOW 
-A INPUTFW -i br0 -p udp -m udp --dport 53 -j ALLOW 
-A INPUTFW -i br2 -p tcp -m tcp --dport 53 -j ALLOW 
-A INPUTFW -i br2 -p udp -m udp --dport 53 -j ALLOW 
-A INPUTFW -i br1 -p tcp -m tcp --dport 53 -j ALLOW 
-A INPUTFW -i br1 -p udp -m udp --dport 53 -j ALLOW 
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 53 -j ALLOW 
-A INPUTFW -i ipsec+ -p udp -m udp --dport 53 -j ALLOW 
-A INPUTFW -i br0 -p tcp -m tcp --dport 22 -j ALLOW 
-A INPUTFW -i eth1 -p gre -j ALLOW 
-A INPUTFW -i eth1 -p esp -j ALLOW 
-A INPUTFW -i eth1 -p ah -j ALLOW 
-A INPUTFW -i eth1 -p udp -m udp --dport 500 -j ALLOW 
-A INPUTFW -i eth1 -p udp -m udp --dport 4500 -j ALLOW 
-A INPUTFW -i br2 -p gre -j ALLOW 
-A INPUTFW -i br2 -p esp -j ALLOW 
-A INPUTFW -i br2 -p ah -j ALLOW 
-A INPUTFW -i br2 -p udp -m udp --dport 500 -j ALLOW 
-A INPUTFW -i br2 -p udp -m udp --dport 4500 -j ALLOW 
-A INPUTFW -i br1 -p gre -j ALLOW 
-A INPUTFW -i br1 -p esp -j ALLOW 
-A INPUTFW -i br1 -p ah -j ALLOW 
-A INPUTFW -i br1 -p udp -m udp --dport 500 -j ALLOW 
-A INPUTFW -i br1 -p udp -m udp --dport 4500 -j ALLOW 
-A INPUTFW -i br0 -p udp -m udp --dport 5060 -j ALLOW 
-A INPUTFW -i br0 -p udp -m udp --dport 7070:7090 -j ALLOW 
-A INPUTFW -i eth1 -p udp -m udp --dport 5060 -j ALLOW 
-A INPUTFW -i eth1 -p udp -m udp --dport 7070:7090 -j ALLOW 
-A INPUTFW -i br0 -p udp -m udp --dport 123 -j ALLOW 
-A INPUTFW -i br0 -p tcp -m tcp --dport 123 -j ALLOW 
-A INPUTFW -i br2 -p udp -m udp --dport 123 -j ALLOW 
-A INPUTFW -i br2 -p tcp -m tcp --dport 123 -j ALLOW 
-A INPUTFW -i br1 -p udp -m udp --dport 123 -j ALLOW 
-A INPUTFW -i br1 -p tcp -m tcp --dport 123 -j ALLOW 
-A INPUTFW -i ipsec+ -p udp -m udp --dport 123 -j ALLOW 
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 123 -j ALLOW 
-A INPUTFW -i br0 -p tcp -m tcp --dport 8080 -j ALLOW 
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 8080 -j ALLOW 
-A INPUTFW -i br2 -p tcp -m tcp --dport 8080 -j ALLOW 
-A INPUTFW -i br1 -p tcp -m tcp --dport 8080 -j ALLOW 
-A INPUTFW_LOGDROP -j DROP 
-A INPUTTRAFFIC -i ipsec+ -j INPUTFW 
-A INPUTTRAFFIC -i ipsec+ -j INPUTFW_LOGDROP 
-A INPUTTRAFFIC -i tap+ -j INPUTFW 
-A INPUTTRAFFIC -i tap+ -j INPUTFW_LOGDROP 
-A INPUTTRAFFIC -m physdev  --physdev-in tap+ -j INPUTFW 
-A INPUTTRAFFIC -m physdev  --physdev-in tap+ -j INPUTFW_LOGDROP 
-A INPUTTRAFFIC -i br0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable 
-A INPUTTRAFFIC -i br0 -j INPUTFW 
-A INPUTTRAFFIC -i br0 -j INPUTFW_LOGDROP 
-A INPUTTRAFFIC -j INPUTFW 
-A NEWNOTSYN -i br0 -o br0 -j RETURN 
-A NEWNOTSYN -i tap+ -j RETURN 
-A NEWNOTSYN -o tap+ -j RETURN 
-A NEWNOTSYN -j NEWNOTSYN_LOGDROP 
-A NEWNOTSYN_LOGDROP -j DROP 
-A OUTGOINGFW -i br1 -o eth1 -j ALLOW 
-A OUTGOINGFW -i br2 -o eth1 -j ALLOW 
-A OUTGOINGFW -i br0 -o eth1 -j ALLOW 
-A OUTPUT -j ipac~i 
-A OUTPUT -j CUSTOMOUTPUT 
-A PORTFWACCESS -d 192.168.168.2 -p tcp -m tcp --dport 80 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.2 -p tcp -m tcp --dport 21 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.2 -p tcp -m tcp --dport 443 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.2 -p tcp -m tcp --dport 993 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.2 -p tcp -m tcp --dport 3389 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.2 -p tcp -m tcp --dport 1723 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.9 -p udp -m udp --dport 6277 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.9 -p udp -m udp --dport 24441 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.9 -p tcp -m tcp --dport 2703 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.9 -p tcp -m tcp --dport 4282 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.9 -p tcp -m tcp --dport 4280 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.10 -p udp -m udp --dport 10000:10100 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.2 -p tcp -m tcp --dport 465 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.10 -p udp -m udp --dport 4569 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.10 -p tcp -m tcp --dport 22 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.34 -p tcp -m tcp --dport 3389 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.9 -p tcp -m tcp --dport 25 -j ALLOW 
-A PORTFWACCESS -d 192.168.168.2 -p gre -j ALLOW 
-A VPNFW -j ALLOW 
-A VPNFW_LOGDROP -j DROP 
-A VPNTRAFFIC -o ipsec+ -j VPNFW 
-A VPNTRAFFIC -o ipsec+ -j VPNFW_LOGDROP 
-A VPNTRAFFIC -i ipsec+ -j VPNFW 
-A VPNTRAFFIC -i ipsec+ -j VPNFW_LOGDROP 
-A VPNTRAFFIC -o tap+ -j VPNFW 
-A VPNTRAFFIC -o tap+ -j VPNFW_LOGDROP 
-A VPNTRAFFIC -i tap+ -j VPNFW 
-A VPNTRAFFIC -i tap+ -j VPNFW_LOGDROP 
-A VPNTRAFFIC -m physdev  --physdev-out tap+ --physdev-is-bridged -j VPNFW 
-A VPNTRAFFIC -m physdev  --physdev-out tap+ --physdev-is-bridged -j VPNFW_LOGDROP 
-A VPNTRAFFIC -m physdev  --physdev-in tap+ -j VPNFW 
-A VPNTRAFFIC -m physdev  --physdev-in tap+ -j VPNFW_LOGDROP 
-A ZONEFW -i br0 -o br0 -j ALLOW 
-A ZONEFW -i br0 -o br2 -j ALLOW 
-A ZONEFW -i br0 -o br1 -j ALLOW 
-A ZONEFW -i br2 -o br2 -j ALLOW 
-A ZONEFW -i br1 -o br1 -j ALLOW 
-A ZONEFW_LOGDROP -j DROP 
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW 
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW_LOGDROP 
-A ipac~fi -i br0 
-A ipac~fi -i eth1 
-A ipac~fo -o br0 
-A ipac~fo -o eth1 
-A ipac~i -o br0 
-A ipac~i -o eth1 
-A ipac~o -i br0 
-A ipac~o -i eth1 
COMMIT
# Completed on Wed Apr 22 11:21:26 2009
# Generated by iptables-save v1.3.8 on Wed Apr 22 11:21:26 2009
*nat
:PREROUTING ACCEPT [4527:375551]
:POSTROUTING ACCEPT [38:3093]
:OUTPUT ACCEPT [248:18489]
:CONTENTFILTER - [0:0]
:CUSTOMPOSTROUTING - [0:0]
:CUSTOMPREROUTING - [0:0]
:DNSMASQ - [0:0]
:OPENVPNCLIENT - [0:0]
:PORTFW - [0:0]
:POSTPORTFW - [0:0]
:SIPROXDPORTFW - [0:0]
:SMTPSCAN - [0:0]
:SOURCENAT - [0:0]
:SQUID - [0:0]
-A PREROUTING -j CUSTOMPREROUTING 
-A PREROUTING -j SIPROXDPORTFW 
-A PREROUTING -j CONTENTFILTER 
-A PREROUTING -j SQUID 
-A PREROUTING -j DNSMASQ 
-A PREROUTING -j PORTFW 
-A POSTROUTING -j CUSTOMPOSTROUTING 
-A POSTROUTING -j OPENVPNCLIENT 
-A POSTROUTING -j SOURCENAT 
-A POSTROUTING -j POSTPORTFW 
-A OUTPUT -j PORTFW 
-A CUSTOMPREROUTING -p tcp -m tcp --dport 25 -j SMTPSCAN 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.168.2:80 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.168.2:21 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.168.2:443 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.168.2:993 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.168.2:3389 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.168.2:1723 
-A PORTFW -d 10.1.1.150 -p udp -m udp --dport 6277 -j DNAT --to-destination 192.168.168.9:6277 
-A PORTFW -d 10.1.1.150 -p udp -m udp --dport 24441 -j DNAT --to-destination 192.168.168.9:24441 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 2703 -j DNAT --to-destination 192.168.168.9:2703 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 4282 -j DNAT --to-destination 192.168.168.9:4282 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 4280 -j DNAT --to-destination 192.168.168.9:4280 
-A PORTFW -d 10.1.1.150 -p udp -m udp --dport 10000:10100 -j DNAT --to-destination 192.168.168.10:10000-10100 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.168.2:465 
-A PORTFW -d 10.1.1.150 -p udp -m udp --dport 4569 -j DNAT --to-destination 192.168.168.10:4569 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.168.10:22 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.168.34:3389 
-A PORTFW -d 10.1.1.150 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.168.9:25 
-A PORTFW -d 10.1.1.150 -p gre -j DNAT --to-destination 192.168.168.2 
-A SOURCENAT -o eth1 -j SNAT --to-source 10.1.1.150 
COMMIT
# Completed on Wed Apr 22 11:21:26 2009

Question by:vipnetworks
2 Comments
 

Accepted Solution by vipnetworks (earned 0 total points), ID: 24236203
I figured it out.

I needed an entry in the iptables FORWARD chain to allow traffic to be forwarded from 192.168.168.0/24 to 10.1.2.0/24.

With endian firewall, I added the following line into /etc/rc.d/rc.firewall:

iptables -A FORWARD -s 192.168.168.0/24 -d 10.1.2.0/24 -j ACCEPT
0
 
Expert Comment by eng-sabri (LVL 1), ID: 24792530
Try also to add:

echo "1" > /proc/sys/net/ipv4/ip_forward


0
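Editor's note, with an added example that is not code from either poster. The posted dump explains why the plain one-liner in the accepted solution was needed and where it is best placed. Both subnets sit on the green bridge br0, and the 10.1.2.0/24 router at 192.168.168.52 is itself a host on 192.168.168.0/24, so it delivers return traffic straight to the green host. The Endian box only ever sees the packets a green host sends through its default gateway, never the replies, so conntrack has no complete connection to match them against, the `-m state --state RELATED,ESTABLISHED -j ALLOW` rule in the dump never fires for them, and the zone rules (which already allow br0 to br0) never get a chance. That is why a SYN-only telnet probe "works" (the SYN goes through the firewall, the SYN-ACK comes back directly) while the rest of the RDP session is dropped, and why the fix has to be a stateless ACCEPT. Three refinements to the accepted one-liner: the rule goes into CUSTOMFORWARD, the empty hook chain the dump shows Endian calling near the top of FORWARD, which also puts it ahead of the `-p icmp -j ICMP_LOGDROP` rule that would otherwise still drop the echo replies to 10.1.2.0/24; it is pinned to `-i br0 -o br0`, so a packet arriving on the red interface eth1 with a forged 192.168.168.x source cannot ride it; and it is installed by flushing and refilling that chain, because the iptables 1.3.8 in the dump has no `iptables -C` to test for an existing rule. The `ip_forward` check covers the second comment (forwarding was already on, since both subnets reached the Internet). Interface and chain names are taken from the dump; the function names and the `apply` argument are mine. The cleaner network fix is to remove the asymmetry, for example a static route for 10.1.2.0/24 via 192.168.168.52 on the green hosts, after which inter-subnet traffic no longer crosses the firewall at all and the rules below are never matched.

```shell
#!/bin/sh
# Added example, not code from the original thread: install a stateless
# inter-subnet ACCEPT into Endian's CUSTOMFORWARD hook chain and check that
# IP forwarding is on.  Interface and chain names come from the posted dump;
# the function names and the dry-run arguments are this example's own.

GREEN_NET="192.168.168.0/24"   # green zone, from the question
ROUTED_NET="10.1.2.0/24"       # subnet behind the router at 192.168.168.52
GREEN_IF="br0"                 # green bridge interface, as seen in the dump
HOOK_CHAIN="CUSTOMFORWARD"     # empty user hook chain called early in FORWARD

# Rule specs (everything after "iptables -A CHAIN"), one per line.  They are
# deliberately stateless: the firewall sees only the half of each flow that a
# green host sends via its default gateway, so "-m state" can never match.
# Pinning both -i and -o to br0 keeps a packet that arrives on red (eth1) with
# a forged green source address from matching.  The second rule is the mirror
# image, so the result does not depend on which side the router hands the
# firewall; in the posted topology only the first one ever carries traffic.
forward_rule_specs() {
    printf '%s\n' \
        "-i $GREEN_IF -o $GREEN_IF -s $GREEN_NET -d $ROUTED_NET -j ACCEPT" \
        "-i $GREEN_IF -o $GREEN_IF -s $ROUTED_NET -d $GREEN_NET -j ACCEPT"
}

# Flush the hook chain and refill it, so rerunning never duplicates rules
# (iptables 1.3.8, the version in the dump, has no "iptables -C").
# $1 is the iptables command; pass "echo" for a dry run.
install_forward_rules() {
    ipt="${1:-iptables}"
    "$ipt" -F "$HOOK_CHAIN" || return 1
    forward_rule_specs | while read -r spec; do
        # shellcheck disable=SC2086  # splitting $spec into arguments is intended
        "$ipt" -A "$HOOK_CHAIN" $spec || exit 1
    done
}

# Returns 0 if net.ipv4.ip_forward is 1, the setting the second comment
# suggests.  $1 overrides the sysctl file (used by the self-test).
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Without arguments print what would be installed; "apply" installs for real.
main() {
    if ! ip_forward_enabled; then
        echo "warning: ip_forward is 0; run: echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
    fi
    if [ "${1:-}" = "apply" ]; then
        install_forward_rules iptables
    else
        install_forward_rules echo
    fi
}

main "$@"
```

Run it once without arguments to see the two `-A CUSTOMFORWARD ...` lines it would add, then `sh forward-routed-subnet.sh apply` on the Endian box as root. Because the chain is flushed first, the script owns CUSTOMFORWARD; if other local rules already live there, add them to `forward_rule_specs` rather than appending them by hand.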
