I have a feeling the problem is in the way I have stateful filtering enabled on Router2 but I'm too much of a n00b to figure it out.
Any ideas?
Ryan
Router1 configs:
----------------------------------------- fw-up -----------------------------------------
n1:~# cat fw-up
#!/bin/sh
## Clean up: flush and delete all rules and user chains, zero the counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

## Default policies: drop everything not explicitly accepted below
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

## NAT outbound packets leaving eth1 to the router's public address
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 216.29.167.226

## Stop stealth scans and bad flag combinations (local and forwarded traffic)
## null scan: no flags set at all
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
## SYN and FIN together
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## SYN and RST together
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## FIN and RST together
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
## FIN, PSH or URG without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

## Allow access to the router from the internal interface only.
## There is no OUTPUT rule for eth1 and no loopback rule, so with these
## policies the router itself cannot originate traffic on eth1 or to 127.0.0.1.
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

## Outbound: new connections from the LAN only to DNS, HTTP, IMAP, HTTPS and SSH,
## and only from unprivileged source ports
iptables -A FORWARD -i eth0 -o eth1 -p UDP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## Inbound: replies to those connections only; no NEW connections are accepted from eth1
iptables -A FORWARD -o eth0 -i eth1 -p UDP --dport 1024:65535 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 143 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

------------------------------------------------- fw-dn -------------------------------------------------
n1:~# cat fw-dn
#!/bin/sh
## Clean up: flush and delete all rules and user chains, zero the counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

## Default policies: accept everything (firewall "down", NAT only)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

## NAT outbound packets leaving eth1 to the router's public address
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 216.29.167.226

## Allow access to internal interface (redundant with the ACCEPT policies above)
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
------------------------------------------------
Router2 config:
------------------------------------------------- /etc/init.d/fw-up -------------------------------------------------
fw77:~# cat /etc/init.d/fw-up
#!/bin/sh
## Clean up: flush and delete all rules and user chains, zero the counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

## Default policies: drop everything not explicitly accepted below
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

## NAT outbound packets leaving eth1 to the router's public address
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 216.29.167.225

## Stop stealth scans and bad flag combinations (local and forwarded traffic)
## null scan: no flags set at all
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
## SYN and FIN together
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## SYN and RST together
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## FIN and RST together
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
## FIN, PSH or URG without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

## Stateful: accept replies and related traffic on every chain; the router
## itself may open any outbound connection (OUTPUT accepts NEW)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow all outbound forwarding from the LAN, regardless of port or conntrack state
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

## Allow access to the router from the internal interface (no loopback rule)
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

## Published services: DNAT each public address to its internal host, then
## accept the forwarded traffic. Note the FORWARD rules below match on port
## only (no -i, -o or -d), so they accept NEW connections to that port in
## either direction and to any destination host.

## HTTP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 80 -j DNAT --to 192.168.1.11:80
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 80 -j DNAT --to 192.168.1.10:80
iptables -A FORWARD -p TCP --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## HTTPS
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 443 -j DNAT --to 192.168.1.11:443
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 443 -j DNAT --to 192.168.1.10:443
iptables -A FORWARD -p TCP --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## SMTP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 25 -j DNAT --to 192.168.1.11:25
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 25 -j DNAT --to 192.168.1.10:25
iptables -A FORWARD -p TCP --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## IMAP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 143 -j DNAT --to 192.168.1.11:143
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 143 -j DNAT --to 192.168.1.10:143
iptables -A FORWARD -p TCP --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## IMAPS
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 993 -j DNAT --to 192.168.1.11:993
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 993 -j DNAT --to 192.168.1.10:993
iptables -A FORWARD -p TCP --dport 993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## DNS-TCP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 53 -j DNAT --to 192.168.1.11:53
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 53 -j DNAT --to 192.168.1.10:53
iptables -A FORWARD -p TCP --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## DNS-UDP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p UDP --dport 53 -j DNAT --to 192.168.1.11:53
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p UDP --dport 53 -j DNAT --to 192.168.1.10:53
iptables -A FORWARD -p UDP --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## SSH
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 22 -j DNAT --to 192.168.1.10:22
iptables -A FORWARD -p TCP --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## FTP (control channel only; RELATED data connections need the FTP
## conntrack/NAT helper modules, ip_conntrack_ftp and ip_nat_ftp, which this
## script does not load)
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 21 -j DNAT --to 192.168.1.10:21
iptables -A FORWARD -p TCP --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
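To see what the two FORWARD chains above actually accept, here is an added example (editor's code, not from Ryan's post) that transcribes both chains into a minimal first-match evaluator and runs the same test packets through each. It models only the match options the post uses (-i, -o, -p, --sport/--dport ranges and -m state); the --tcp-flags rules are left out because the test packets carry ordinary flags, and the conntrack state of each packet is assumed rather than computed. The packets are constructed for illustration.

```python
# Added example: first-match evaluator for the Router1 and Router2 FORWARD
# chains transcribed from the post. Assumptions: conntrack state is given,
# --tcp-flags rules are omitted (test packets are well-formed), policy is DROP.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    state: str          # conntrack classification: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None                 # -i
    out_if: Optional[str] = None                # -o
    proto: Optional[str] = None                 # -p
    sport: Optional[Tuple[int, int]] = None     # --sport a:b (inclusive)
    dport: Optional[Tuple[int, int]] = None     # --dport a:b (inclusive)
    states: Optional[FrozenSet[str]] = None     # -m state --state ...

    def matches(self, p: Packet) -> bool:
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.out_if is not None and p.out_if != self.out_if:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def verdict(chain: List[Rule], policy: str, p: Packet) -> Tuple[str, Optional[int]]:
    """Target and index of the first matching rule, or (policy, None) if none match."""
    for i, r in enumerate(chain):
        if r.matches(p):
            return r.target, i
    return policy, None


EST = frozenset({"ESTABLISHED", "RELATED"})
NEW = frozenset({"NEW", "ESTABLISHED", "RELATED"})
HIGH = (1024, 65535)

# Router1 FORWARD: outbound NEW only to the listed ports from unprivileged
# source ports; inbound only replies to those ports.
ROUTER1_FORWARD = (
    [Rule("ACCEPT", "eth0", "eth1", "udp", HIGH, (53, 53), NEW)]
    + [Rule("ACCEPT", "eth0", "eth1", "tcp", HIGH, (d, d), NEW) for d in (80, 143, 443, 22)]
    + [Rule("ACCEPT", "eth1", "eth0", "udp", (53, 53), HIGH, EST)]
    + [Rule("ACCEPT", "eth1", "eth0", "tcp", (d, d), HIGH, EST) for d in (80, 143, 443, 22)]
)

# Router2 FORWARD: generic reply rule, unconditional eth0->eth1 accept, then
# per-port accepts with no interface or destination restriction.
ROUTER2_FORWARD = (
    [Rule("ACCEPT", states=EST), Rule("ACCEPT", in_if="eth0", out_if="eth1")]
    + [Rule("ACCEPT", proto="tcp", dport=(d, d), states=NEW) for d in (80, 443, 25, 143, 993, 53, 22, 21)]
    + [Rule("ACCEPT", proto="udp", dport=(53, 53), states=NEW)]
)
POLICY = "DROP"   # iptables -P FORWARD DROP on both routers


def compare(p: Packet) -> Tuple[str, str]:
    """Verdict of the same packet on Router1 and on Router2."""
    return verdict(ROUTER1_FORWARD, POLICY, p)[0], verdict(ROUTER2_FORWARD, POLICY, p)[0]


if __name__ == "__main__":
    # Constructed test packets (interfaces as in the post: eth0 = LAN, eth1 = Internet)
    cases = {
        "inbound NEW SYN to 80 (DNAT'd web hit)":  Packet("eth1", "eth0", "tcp", 40000, 80, "NEW"),
        "inbound NEW SYN to 110 (not published)":  Packet("eth1", "eth0", "tcp", 40000, 110, "NEW"),
        "outbound NEW to 8080":                    Packet("eth0", "eth1", "tcp", 40000, 8080, "NEW"),
        "outbound INVALID (out-of-window) to 80":  Packet("eth0", "eth1", "tcp", 40000, 80, "INVALID"),
        "reply from 80 to an unprivileged port":   Packet("eth1", "eth0", "tcp", 80, 40000, "ESTABLISHED"),
        "reply from 80 to a low client port":      Packet("eth1", "eth0", "tcp", 80, 1023, "ESTABLISHED"),
    }
    for name, pkt in cases.items():
        r1, r2 = compare(pkt)
        print(f"{name:42s} Router1={r1:6s} Router2={r2}")
```

Running it shows the practical difference between the two styles: Router1 drops every NEW connection arriving on eth1 and anything outbound to an unlisted port or tagged INVALID, while Router2's `-i eth0 -o eth1 -j ACCEPT` rule passes all outbound traffic including INVALID packets, and its port-only rules accept NEW connections to the published ports on any interface. Whether that explains the problem in the post cannot be told from the configs alone, but the evaluator makes the behaviour of each rule order easy to check before touching the live router.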

