
Strange MASQ problem



I have a strange problem that just popped up the other day. I have made
several changes recently on both the host exhibiting the problem and the
router box. I have backtracked and tried undoing all the changes one at a
time, but the problem persists. Here it is...

I MASQ all traffic from my internal network to the internet. ONE port on ONE
box is somehow getting through without being masq'd. I refer to port 5060 on
my Asterisk box. The IAX ports, any pings etc. from this box go out masq'd
fine, but SIP is going out with my internal IPs, so consequently they are
not arriving at their destinations.

Has anybody got a clearer view of this? Am I just too close to the problem
to see the obvious? Here is a dump from iptables-save. 192.168.9.12 is the
Asterisk box.

(Some lines related to other hosts were removed to make the list easier to
read)


Would appreciate a fresh look at this by anyone who could give me a clue.
More interested in the cause of the problem than a 'quick solution'.
Thanks.


# Generated by iptables-save v1.2.11 on Thu Jan 27 11:43:29 2006
*nat
:PREROUTING ACCEPT [79493:25195979]
:POSTROUTING ACCEPT [16542:1226592]
:OUTPUT ACCEPT [8276:651188]
:portfw_post - [0:0]
:portfw_pre - [0:0]
-A PREROUTING -j portfw_pre
-A POSTROUTING -o eth1 -j MASQUERADE
-A portfw_pre -d 209.107.230.125 -p udp -m udp --dport 6060 -j DNAT --to-destination 192.168.9.12:5060
-A portfw_pre -d 209.107.230.125 -p udp -m udp --dport 4569 -j DNAT --to-destination 192.168.9.12:4569
-A portfw_pre -d 209.107.230.125 -p udp -m udp --dport 4520 -j DNAT --to-destination 192.168.9.12:4520
-A portfw_pre -d 209.107.230.125 -p udp -m udp --dport 10000:10100 -j DNAT --to-destination 192.168.9.12
COMMIT
# Completed on Thu Jan 27 11:43:29 2006
# Generated by iptables-save v1.2.11 on Thu Jan 27 11:43:29 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [471741:221439496]
:advnet - [0:0]
:block - [0:0]
:dmzholes - [0:0]
:ipac~fi - [0:0]
:ipac~fo - [0:0]
:ipac~i - [0:0]
:ipac~o - [0:0]
:ipblock - [0:0]
:ipsec - [0:0]
:portfwf - [0:0]
:secin - [0:0]
:secout - [0:0]
:spoof - [0:0]
:xtaccess - [0:0]
-A INPUT -j ipac~o
-A INPUT -i ppp0 -j ipblock
-A INPUT -i ippp0 -j ipblock
-A INPUT -i eth1 -j ipblock
-A INPUT -i ppp0 -j advnet
-A INPUT -i ippp0 -j advnet
-A INPUT -i eth1 -j advnet
-A INPUT -j portfwf
-A INPUT -i ppp0 -j spoof
-A INPUT -i ippp0 -j spoof
-A INPUT -i eth1 -j spoof
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j secin
-A INPUT -j block
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j ipac~fi
-A FORWARD -j ipac~fo
-A FORWARD -i eth1 -j ipblock
-A FORWARD -j portfwf
-A FORWARD -j secout
-A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j portfwf
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ipac~i
-A ipac~fi -i eth0
-A ipac~fi -i eth1
-A ipac~fo -o eth0
-A ipac~fo -o eth1
-A ipac~i -o eth0
-A ipac~i -o eth1
-A ipac~o -i eth0
-A ipac~o -i eth1
-A portfwf -d 209.107.230.125 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A portfwf -d 192.168.9.12 -p udp -m udp --dport 6060 -j ACCEPT
-A portfwf -d 192.168.9.12 -i eth1 -o eth0 -p udp -m udp --dport 4569 -j ACCEPT
-A portfwf -d 192.168.9.12 -i eth1 -o eth0 -p udp -m udp --dport 4520 -j ACCEPT
-A portfwf -d 192.168.9.12 -i eth1 -o eth0 -p udp -m udp --dport 10000:10100 -j ACCEPT
-A portfwf -d 192.168.9.12 -i eth1 -o eth0 -p udp -m udp --dport 8000:8001 -j ACCEPT
-A portfwf -i eth0 -j ACCEPT
-A secin -i ipsec0 -j ACCEPT
-A secout -i ipsec0 -j ACCEPT
-A spoof -s 192.168.9.0/255.255.255.0 -j DROP
-A xtaccess -i eth1 -p tcp -m tcp --dport 113 -j ACCEPT
COMMIT
# Completed on Thu Jan 27 11:43:29 2006
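One check worth running on a packet capture before digging further into the NAT table (added here as an editor's example; it is not from the original post, and nothing on the page confirms this is the cause): SIP carries addresses inside its Via, From, Contact and SDP fields, and MASQUERADE only rewrites the IP header, so a remote peer can still see 192.168.9.12 in the payload even when the packet itself left masqueraded. The INVITE below is constructed to look like what an Asterisk box at 192.168.9.12 would send; it is not a capture from the poster's network.

```python
import re
import ipaddress

# Constructed sample INVITE (assumption: typical Asterisk output for a box
# whose own address is 192.168.9.12; not captured from the poster's setup).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:1234@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.9.12:5060;branch=z9hG4bK1a2b3c",
    "From: \"pbx\" <sip:pbx@192.168.9.12>;tag=as0c1d2e",
    "To: <sip:1234@sip.example.net>",
    "Contact: <sip:pbx@192.168.9.12:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=root 1234 1234 IN IP4 192.168.9.12",
    "s=session",
    "c=IN IP4 192.168.9.12",
    "m=audio 10000 RTP/AVP 0 8",
    "",
])

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def embedded_addresses(sip_message):
    """Map each SIP header / SDP field to the IPv4 literals it carries."""
    found = {}
    for line in sip_message.split("\r\n"):
        if not line:
            continue
        # SDP lines are "x=value"; SIP headers are "Name: value".
        if "=" in line[:2]:
            field = line[:1]
        elif ":" in line:
            field = line.split(":", 1)[0]
        else:
            field = "request-line"
        addrs = _IPV4.findall(line)
        if addrs:
            found.setdefault(field, []).extend(addrs)
    return found

def leaked_private_addresses(sip_message):
    """Fields carrying RFC 1918 addresses: these pass through header-only NAT untouched."""
    leaks = {}
    for field, addrs in embedded_addresses(sip_message).items():
        private = [a for a in addrs if ipaddress.ip_address(a).is_private]
        if private:
            leaks[field] = private
    return leaks

if __name__ == "__main__":
    for field, addrs in leaked_private_addresses(SAMPLE_INVITE).items():
        print(f"{field}: {', '.join(addrs)}")
```

Run it against the payload of a real outbound 5060 packet captured on eth1; if the IP header shows the public address but these fields still show 192.168.9.12, the problem is application-layer, not the POSTROUTING rule.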

