On Tue, 2016-09-27 at 09:13 -0500, Lonnie Abelbeck wrote: ...
> > I'm trying to reach 192.168.60.6 (EXTIP) from 192.168.10/24 or
> > 192.168.50/24 on tcp port ssh and tcp port sip.
> > Excerpt from "arno-iptables-firewall status EXT_INPUT_CHAIN"
> >
> >     0     0 ACCEPT     udp  --  +      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
> >     0     0 ACCEPT     tcp  --  +      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060
>
> Are you really doing SIP over TCP on port 5060 ? Or do you want UDP ?

Surely - I'm doing UDP. I wanted to list that these two specific rules exist!
I wanted to allow three services to be available on 192.168.60.6 - SSH, SIP (TCP/UDP) and RTP.

> Also, you do not want to access AstLinux's SIP from 192.168.10/24 and
> 192.168.50/24 to 192.168.60.6 which adds 1 level of NAT, instead use
> 192.168.40.6 which is not NAT'ed.

I believe this is the root cause of my brain not getting it. Why can't I simply ping 192.168.60.6?
"___ Allow IPv4 ICMP (ping) on External (EXT) Interface" is enabled ...

> > > Without NAT_FOREIGN_NETWORK your 192.168.10.0/24 and 192.168.50.0/24
> > > networks could not ping www.google.com (upstream from eth0), does
> > > that work now ?
> >
> > ping google.com goes a different route - I'm afraid!
> > I want to do a simple ping 192.168.60.6 from 192.168.10/24 or
> > 192.168.50/24. I'm able to see them arriving on eth0 with tcpdump!
> > Do these packets need to pass EXT_INT_CHAIN?
>
> The EXT_INPUT_CHAIN is followed if the destination is 192.168.60.6
> which is on eth0.
> > Display INPUT chain:
> --
> iptables -nvL INPUT

iptables -nvL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1182K  226M ADAPTIVE_BAN_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1182K  226M BASE_INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1067  223K INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1067  223K HOST_BLOCK_SRC  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1067  223K SPOOF_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  269  155K VALID_CHK  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  269  155K EXT_INPUT_CHAIN  !icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 EXT_INPUT_CHAIN  icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW limit: avg 60/sec burst 100
    0     0 EXT_ICMP_FLOOD_CHAIN  icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
  798 67612 INT_INPUT_CHAIN  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 POST_INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "AIF:Dropped INPUT packet: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

> > Does EXTIF allow any "private" addresses? My assumption is as follows -
> > they'll be processed within iptables and won't be discarded.
>
> Yes, by default private addresses are allowed.

Thanks for your clarification!

Armin.
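Added example, not part of the thread: a small Python trace over the `iptables -nvL INPUT` listing quoted above, answering the "do these packets need to pass EXT_INPUT_CHAIN?" question by walking the rules in order for a packet arriving on a given interface. It treats the user-defined chains as jumps that return (their verdicts are not in this listing) and ignores the rate-limit matches, both assumptions of this example.

```python
# Added example: trace which chains the INPUT listing quoted above hands a
# packet to. User-defined chains are treated as jumps that return (their
# verdicts are not in this listing) and rate limits are ignored.
INPUT_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1182K  226M ADAPTIVE_BAN_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1182K  226M BASE_INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1067  223K INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1067  223K HOST_BLOCK_SRC  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1067  223K SPOOF_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  269  155K VALID_CHK  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  269  155K EXT_INPUT_CHAIN  !icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 EXT_INPUT_CHAIN  icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW limit: avg 60/sec burst 100
    0     0 EXT_ICMP_FLOOD_CHAIN  icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
  798 67612 INT_INPUT_CHAIN  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 POST_INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "AIF:Dropped INPUT packet: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end traversal

def parse_listing(text):
    """Turn `iptables -nvL` output into rule dicts; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 9)  # 9 fixed columns + optional match text
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue
        target, prot, in_if = parts[2], parts[3], parts[5]
        rules.append({"target": target, "prot": prot, "in": in_if,
                      "extra": parts[9] if len(parts) > 9 else ""})
    return rules

def trace(rules, in_if, proto, state="NEW"):
    """Return the targets a packet is handed to, in order, up to the first verdict."""
    visited = []
    for r in rules:
        if r["in"] not in ("*", in_if):
            continue
        negate = r["prot"].startswith("!")   # `!icmp` means "anything but icmp"
        want = r["prot"].lstrip("!")
        if want != "all" and (want == proto) == negate:
            continue
        if "state NEW" in r["extra"] and state != "NEW":
            continue
        visited.append(r["target"])
        if r["target"] in TERMINATING:
            break
    return visited
```

For a new ICMP or TCP packet on eth0 the trace passes through EXT_INPUT_CHAIN; the same packet on eth1 goes to INT_INPUT_CHAIN instead, and the trailing LOG/DROP pair is only reached if none of the jumped-to chains accepted it.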