[Users] problems with SNAT/MASQUERADE
Galia Lisovskaya
inbox at shaggy-cat.ru
Sun Dec 20 05:28:58 EST 2009
Hi all!
I have a stupid question :(
SNAT/MASQUERADE doesn't work for VEs. Please help me learn how to
make this configuration work.
On my one hardware node MASQUERADE for VEs works fine, but I want to make a
default configuration with PXE, Anaconda kickstart and puppet to push
configs to a number of nodes. I want to have a reproducible configuration
:)
But now I don't understand how MASQUERADE works on my node :( This
server does not have a reproducible configuration :( And I don't remember how I
configured this server in the past :(
I read this guide now, and in the past. And, in the past, as I
remember, it didn't work for me:
http://wiki.openvz.org/Using_NAT_for_VE_with_private_IPs
I don't remember how the problem was solved :(
Networking on the test openvz server works for containers:
[root at ovz-test2 ~]# vzlist | grep 407
407 14 running 10.0.5.47 test-dns.local
[root at ovz-test2 ~]#
ICMP from HN to VE:
[root at ovz-test2 ~]# ping -c 1 10.0.5.47
PING 10.0.5.47 (10.0.5.47) 56(84) bytes of data.
64 bytes from 10.0.5.47: icmp_seq=1 ttl=64 time=0.258 ms
--- 10.0.5.47 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.258/0.258/0.258/0.000 ms
[root at ovz-test2 ~]#
ICMP from VE to HN:
[root at test-dns ~]# ping -c 1 ovz-test2
PING ovz-test2.local (10.0.5.128) 56(84) bytes of data.
64 bytes from ovz-test2.local (10.0.5.128): icmp_seq=1 ttl=64 time=0.064 ms
--- ovz-test2.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.064/0.064/0.064/0.000 ms
[root at test-dns ~]#
And ICMP from the VE to another host on the LAN:
[root at test-dns ~]# ping -c 1 puppet
PING puppet.local (10.0.5.16) 56(84) bytes of data.
64 bytes from puppet.loc (10.0.5.16): icmp_seq=1 ttl=63 time=1.78 ms
--- puppet.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.780/1.780/1.780/0.000 ms
[root at test-dns ~]#
But NAT to other networks, for example to the internet, doesn't work:
[root at test-dns ~]# ping -c 1 google.com
PING google.com (74.125.77.147) 56(84) bytes of data.
From ovz-test2.local (10.0.5.128) icmp_seq=1 Destination Net Unreachable
--- google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
[root at test-dns ~]#
[root at test-dns ~]# wget google.com
--2009-12-20 13:11:19-- http://google.com/
Resolving google.com... 74.125.77.104, 74.125.77.99, 74.125.77.147
Connecting to google.com|74.125.77.104|:80... failed: Network is unreachable.
Connecting to google.com|74.125.77.99|:80... failed: Network is unreachable.
Connecting to google.com|74.125.77.147|:80... failed: Network is unreachable.
[root at test-dns ~]#
Configuration of the HN:
[root at ovz-test2 ~]# cat /etc/redhat-release
CentOS release 5.3 (Final)
[root at ovz-test2 ~]#
[root at ovz-test2 ~]# uname -a
Linux ovz-test2.local 2.6.18-128.2.1.el5.028stab064.4 #1 SMP Wed Jul 22 00:11:00 MSD 2009 i686 i686 i386 GNU/Linux
[root at ovz-test2 ~]#
[root at ovz-test2 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 54:52:00:3D:CB:40
inet addr:10.0.5.128 Bcast:10.0.5.255 Mask:255.255.255.0
inet6 addr: fe80::5652:ff:fe3d:cb40/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:112743 errors:0 dropped:0 overruns:0 frame:0
TX packets:119926 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21101421 (20.1 MiB) TX bytes:23473181 (22.3 MiB)
Interrupt:11 Base address:0x4000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:878 (878.0 b) TX bytes:878 (878.0 b)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:267 errors:0 dropped:0 overruns:0 frame:0
TX packets:368 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:28529 (27.8 KiB) TX bytes:29631 (28.9 KiB)
[root at ovz-test2 ~]#
[root at ovz-test2 ~]# rpm -qa | grep vz
vzctl-lib-3.0.23-1
vzrpm43-python-4.3.3-7_nonptl.6
vzrpm44-4.4.1-22.5
vzrpm43-4.3.3-7_nonptl.6
vzquota-3.0.12-1
vzpkg-2.7.0-18
ovzkernel-2.6.18-128.2.1.el5.028stab064.4
vzrpm44-python-4.4.1-22.5
vzctl-3.0.23-1
vzdump-1.1-2
vzyum-2.4.0-11
ha-ovz-tools-1.2-1
[root at ovz-test2 ~]#
[root at ovz-test2 ~]# sysctl -p
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
[root at ovz-test2 ~]#
[root at ovz-test2 ~]# cat /etc/sysconfig/vz
## Global parameters
VIRTUOZZO=yes
LOCKDIR=/vz/lock
DUMPDIR=/vz/dump
VE0CPUUNITS=1000
## Logging parameters
LOGGING=yes
LOGFILE=/var/log/vzctl.log
LOG_LEVEL=0
VERBOSE=0
## Disk quota parameters
DISK_QUOTA=yes
VZFASTBOOT=no
# Disable module loading. If set, vz initscript do not load any modules.
#MODULES_DISABLED=yes
# The name of the device whose IP address will be used as source IP for CT.
# By default automatically assigned.
VE_ROUTE_SRC_DEV="eth0"
# Controls which interfaces to send ARP requests and modify APR tables on.
NEIGHBOUR_DEVS=detect
## Template parameters
TEMPLATE=/vz/template
## Defaults for containers
VE_ROOT=/vz/root/$VEID
VE_PRIVATE=/vz/private/$VEID
CONFIGFILE="vps.basic"
DEF_OSTEMPLATE="fedora-core-4"
## Load vzwdog module
VZWDOG="no"
## IPv4 iptables kernel modules
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport
ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG
ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc
ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc
ipt_REDIRECT"
## Enable IPv6
IPV6="no"
## IPv6 ip6tables kernel modules
IP6TABLES="ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"
[root at ovz-test2 ~]# cat /proc/sys/net/ipv4/conf/eth0/forwarding
1
[root at ovz-test2 ~]# cat /proc/sys/net/ipv4/conf/venet0/forwarding
1
[root at ovz-test2 ~]#
I have tried very many different iptables configurations.
None of them work. I tried using the configuration from the old hardware
node; it doesn't work either :(
One of the non-working configurations:
[root at ovz-test2 ~]# iptables-save
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:17:25 2009
*raw
:PREROUTING ACCEPT [9708:1526221]
:OUTPUT ACCEPT [9198:1571058]
COMMIT
# Completed on Sun Dec 20 13:17:25 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:17:25 2009
*nat
:PREROUTING ACCEPT [73:4765]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [945:55800]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o venet0 -j MASQUERADE
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
# Completed on Sun Dec 20 13:17:25 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:17:25 2009
*mangle
:PREROUTING ACCEPT [11775:1810121]
:INPUT ACCEPT [11090:1747639]
:FORWARD ACCEPT [668:61270]
:OUTPUT ACCEPT [11071:1902912]
:POSTROUTING ACCEPT [11739:1964182]
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
-A PREROUTING -i venet0 -j MARK --set-mark 0x9
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
-A PREROUTING -i venet0 -j MARK --set-mark 0x9
COMMIT
# Completed on Sun Dec 20 13:17:25 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:17:25 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11071:1902912]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Dec 20 13:17:25 2009
[root at ovz-test2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root at ovz-test2 ~]#
=================
Iptables from the old hardware node (it has three network interfaces);
SNAT and other networks work for containers there:
[shaggycat at hn iptables-dumps]$ cat iptables_L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT tcp -- 10.0.9.25 anywhere multiport dports smtp
ACCEPT all -- 10.0.7.0/24 10.0.10.33
ACCEPT tcp -- 10.0.10.0/24 10.0.9.25 multiport dports smtp
ACCEPT tcp -- 10.0.5.2 anywhere multiport dports smtp
ACCEPT all -- anywhere 255.255.255.255
DROP tcp -- 10.0.9.0/24 anywhere multiport dports smtp
DROP tcp -- 10.0.7.0/24 anywhere multiport dports smtp
DROP tcp -- 10.0.5.0/24 anywhere multiport dports smtp
DROP tcp -- 10.0.10.0/24 anywhere multiport dports smtp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp any
DROP tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT all -- anywhere anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:959
ACCEPT udp -- anywhere anywhere state NEW udp dpt:4666
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:6419
ACCEPT udp -- anywhere anywhere state NEW udp dpt:6429
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:oms
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:rmopagt
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7422
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7480
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7622
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7680
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7922
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:quest-vista
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7918
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7912
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7222
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:itactionserver1
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7922
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:quest-vista
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7222
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:itactionserver1
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7580
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7522
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7880
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7822
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7821
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7843
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5212
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5218
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5228
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7780
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7722
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5142
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[shaggycat at hn iptables-dumps]$
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:26:58 2009
*raw
:PREROUTING ACCEPT [13342675:9357652753]
:OUTPUT ACCEPT [67843:7963321]
COMMIT
# Completed on Sun Dec 20 13:26:58 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:26:58 2009
*nat
:PREROUTING ACCEPT [380907:40676143]
:POSTROUTING ACCEPT [2034:119928]
:OUTPUT ACCEPT [929:57360]
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 10.0.10.3:4662
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 4666 -j DNAT --to-destination 10.0.10.3:4666
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6882 -j DNAT --to-destination 10.0.10.3:6882
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 1959 -j DNAT --to-destination 10.0.10.3:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.33:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 2959 -j DNAT --to-destination 10.0.10.5:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7422 -j DNAT --to-destination 10.0.7.4:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7480 -j DNAT --to-destination 10.0.7.4:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7880 -j DNAT --to-destination 10.0.7.8:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7821 -j DNAT --to-destination 10.0.7.8:21
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7680 -j DNAT --to-destination 10.0.7.6:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7622 -j DNAT --to-destination 10.0.7.6:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7922 -j DNAT --to-destination 10.0.7.9:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7912 -j DNAT --to-destination 10.0.7.11:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7918 -j DNAT --to-destination 10.0.7.11:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.9.25:110
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.9.25:143
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.9.25:25
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.2:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.9.29:53
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.9.22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7280 -j DNAT --to-destination 10.0.7.2:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7580 -j DNAT --to-destination 10.0.7.5:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7522 -j DNAT --to-destination 10.0.7.5:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5212 -j DNAT --to-destination 10.0.5.21:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 10.0.5.22:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5218 -j DNAT --to-destination 10.0.5.21:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5228 -j DNAT --to-destination 10.0.5.22:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7322 -j DNAT --to-destination 10.0.7.3:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7380 -j DNAT --to-destination 10.0.7.3:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7780 -j DNAT --to-destination 10.0.7.7:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7722 -j DNAT --to-destination 10.0.7.7:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5142 -j DNAT --to-destination 10.0.5.14:22
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
-A POSTROUTING -s 10.0.9.25 -p tcp -m tcp --dport 25 -j ACCEPT
-A POSTROUTING -s 10.0.5.2 -p tcp -m tcp --dport 25 -j ACCEPT
-A POSTROUTING -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A POSTROUTING -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A POSTROUTING -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A POSTROUTING -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
COMMIT
# Completed on Sun Dec 20 13:26:58 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:26:58 2009
*mangle
:PREROUTING ACCEPT [13342678:9357654449]
:INPUT ACCEPT [121922:31158972]
:FORWARD ACCEPT [13221657:9326618380]
:OUTPUT ACCEPT [67843:7963321]
:POSTROUTING ACCEPT [13289494:9334581397]
-A PREROUTING -i br0 -j MARK --set-mark 0x9
-A PREROUTING -i wlan0 -j MARK --set-mark 0x9
-A PREROUTING -i venet0 -j MARK --set-mark 0x9
COMMIT
# Completed on Sun Dec 20 13:26:58 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:26:58 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [67843:7963321]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
-A FORWARD -s 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
-A FORWARD -s 10.0.7.0/255.255.255.0 -d 10.0.10.33 -j ACCEPT
-A FORWARD -s 10.0.10.0/255.255.255.0 -d 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
-A FORWARD -s 10.0.5.2 -p tcp -m multiport --dports 25 -j ACCEPT
-A FORWARD -d 255.255.255.255 -j ACCEPT
-A FORWARD -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i br0 -j ACCEPT
-A RH-Firewall-1-INPUT -i ath0 -j ACCEPT
-A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 959 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4666 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6419 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 6429 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4662 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2959 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7422 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7480 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7622 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7680 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7918 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7912 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7580 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7522 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7880 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7822 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7821 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7843 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5212 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5218 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5228 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7780 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7722 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5142 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Dec 20 13:26:58 2009
--
Galina Lisovskaya
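Added example (not code from the post, from OpenVZ or from the wiki page linked above): a small audit script that reads an iptables-save dump and an `ip route` listing and reports the things worth checking before comparing rulesets rule by rule. Two facts from the post drive the checks: the failing node's POSTROUTING masquerades by fwmark with no output interface and also masquerades toward venet0, and its FORWARD chain jumps into RH-Firewall-1-INPUT, which accepts anything arriving on eth0 or venet0. The "Destination Net Unreachable" in the ping output is sent by the hardware node's own address, which is what the kernel does when it has no route for the destination, so the script also checks for a default route; the post does not show `ip route`, so the route listing below is a constructed assumption, as are the interface roles (eth0 external, venet0 internal). The sample ruleset is constructed to mirror the failing node's tables.

```python
"""Audit an iptables-save dump and an `ip route` listing for the NAT
mistakes a container host commonly carries.  Added example, not code from
the original post; the sample inputs are constructed."""
import shlex
from collections import Counter

# Constructed sample: the failing node's nat/mangle/filter tables, trimmed
# to the lines the checks below look at.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o venet0 -j MASQUERADE
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
-A PREROUTING -i venet0 -j MARK --set-mark 0x9
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
-A PREROUTING -i venet0 -j MARK --set-mark 0x9
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample `ip route` output with a LAN route but no default
# route: an assumption about the original host, which did not post this.
SAMPLE_ROUTES = "10.0.5.0/24 dev eth0  proto kernel  scope link  src 10.0.5.128\n"

# Targets that end a packet's walk; anything else is a user-defined chain.
TERMINAL = {None, "ACCEPT", "DROP", "REJECT", "RETURN", "MASQUERADE", "MARK"}


def parse_rules(dump):
    """Return {table: [(chain, [tokens...]), ...]} from iptables-save text."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A ") and table is not None:
            toks = shlex.split(line)
            tables[table].append((toks[1], toks[2:]))
    return tables


def opt(toks, flag):
    """Value following `flag` in a rule's tokens, or None when absent."""
    return toks[toks.index(flag) + 1] if flag in toks else None


def chains_reached_from(rules, start):
    """Names of every chain a packet can enter starting at `start`."""
    seen, todo = set(), [start]
    while todo:
        chain = todo.pop()
        if chain in seen:
            continue
        seen.add(chain)
        todo += [opt(t, "-j") for c, t in rules if c == chain and opt(t, "-j") not in TERMINAL]
    return seen


def audit(dump, routes, external="eth0", internal=("venet0",)):
    """Return [(severity, message)] findings for the dump and route listing."""
    findings = []
    tables = parse_rules(dump)
    # 1. Exact duplicates do not change matching, but they show the ruleset was
    #    appended to by hand rather than loaded from one reproducible source.
    for table, rules in tables.items():
        for (chain, toks), n in Counter((c, tuple(t)) for c, t in rules).items():
            if n > 1:
                findings.append(("info", f"{table}/{chain}: rule repeated {n}x: {' '.join(toks)}"))
    # 2. MASQUERADE scope: without -o (e.g. matched by fwmark only) it rewrites
    #    sources on every interface; toward the container interface it hides
    #    every client's real address from the containers' logs and ACLs.
    for chain, toks in dict.fromkeys((c, tuple(t)) for c, t in tables.get("nat", [])):
        if opt(toks, "-j") != "MASQUERADE":
            continue
        out = opt(toks, "-o")
        if out is None:
            findings.append(("warn", f"nat/{chain}: MASQUERADE without -o applies on every interface: {' '.join(toks)}"))
        elif out in internal:
            findings.append(("warn", f"nat/{chain}: MASQUERADE toward internal {out} hides client addresses from containers"))
        elif out == external and opt(toks, "-s") is None:
            findings.append(("info", f"nat/{chain}: MASQUERADE on {external} has no -s restriction"))
    # 3. FORWARD path: an interface-only ACCEPT reachable from FORWARD lets any
    #    host on that interface reach any container or transit through the node.
    filt = tables.get("filter", [])
    reached = chains_reached_from(filt, "FORWARD")
    for chain, toks in filt:
        if (chain in reached and len(toks) == 4 and toks[0] == "-i"
                and toks[1] != "lo" and toks[2:] == ["-j", "ACCEPT"]):
            findings.append(("warn", f"filter/{chain} (via FORWARD): accepts all transit traffic arriving on {toks[1]}"))
    # 4. Routing runs before POSTROUTING NAT: with no default route the node
    #    answers its clients with ICMP net-unreachable and no NAT rule is consulted.
    if not any(line.split()[:1] == ["default"] for line in routes.splitlines()):
        findings.append(("error", "no default route: off-LAN destinations fail before NAT is consulted"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_RULES, SAMPLE_ROUTES):
        print(f"[{severity}] {message}")
```

On a real node, feed it the output of `iptables-save` and `ip route show` instead of the constructed samples; the four checks are independent, so a clean ruleset with a default route produces no findings.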