2007/11/4, Raj Kiran Grandhi <[EMAIL PROTECTED]>:
> You did enable IP masquerading on your gateway machine, didn't you?
No, I did not.

> Also output of "iptables --list" on your gateway

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
eth3_in    0    --  anywhere             anywhere
eth1_in    0    --  anywhere             anywhere
eth2_in    0    --  anywhere             anywhere
Reject     0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere             LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth3_fwd   0    --  anywhere             anywhere
eth1_fwd   0    --  anywhere             anywhere
eth2_fwd   0    --  anywhere             anywhere
Reject     0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere             LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     0    --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
fw2stc     0    --  anywhere             anywhere             policy match dir out pol none
fw2loc     0    --  anywhere             anywhere             policy match dir out pol none
fw2dmz     0    --  anywhere             anywhere             policy match dir out pol none
Reject     0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere             LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject     0    --  anywhere             anywhere

Chain Drop (1 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere             tcp dpt:auth
dropBcast  0    --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
dropInvalid 0   --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
dropNotSyn tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp spt:domain

Chain Reject (4 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere             tcp dpt:auth
dropBcast  0    --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
dropInvalid 0   --  anywhere             anywhere
reject     udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds
reject     udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
dropNotSyn tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp spt:domain

Chain all2all (2 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
Reject     0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere             LOG level info prefix `Shorewall:all2all:REJECT:'
reject     0    --  anywhere             anywhere

Chain dmz2all (3 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere

Chain dmz2fw (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  debian-szerver       anywhere             multiport dports 9999,www
dmz2all    0    --  anywhere             anywhere

Chain dmz2loc (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  debian-szerver       debian-asztal        tcp dpt:9999
dmz2all    0    --  anywhere             anywhere

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       0    --  anywhere             anywhere             PKTTYPE = broadcast
DROP       0    --  anywhere             anywhere             PKTTYPE = multicast

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       0    --  anywhere             anywhere             state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (6 references)
target     prot opt source               destination

Chain eth1_fwd (1 references)
target     prot opt source               destination
dynamic    0    --  anywhere             anywhere             state INVALID,NEW
loc2stc    0    --  anywhere             anywhere             policy match dir out pol none
loc2dmz    0    --  anywhere             anywhere             policy match dir out pol none

Chain eth1_in (1 references)
target     prot opt source               destination
dynamic    0    --  anywhere             anywhere             state INVALID,NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
loc2fw     0    --  anywhere             anywhere             policy match dir in pol none

Chain eth2_fwd (1 references)
target     prot opt source               destination
dynamic    0    --  anywhere             anywhere             state INVALID,NEW
dmz2all    0    --  anywhere             anywhere             policy match dir out pol none
dmz2loc    0    --  anywhere             anywhere             policy match dir out pol none

Chain eth2_in (1 references)
target     prot opt source               destination
dynamic    0    --  anywhere             anywhere             state INVALID,NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
dmz2fw     0    --  anywhere             anywhere             policy match dir in pol none

Chain eth3_fwd (1 references)
target     prot opt source               destination
dynamic    0    --  anywhere             anywhere             state INVALID,NEW
stc2loc    0    --  anywhere             anywhere             policy match dir out pol none
stc2dmz    0    --  anywhere             anywhere             policy match dir out pol none

Chain eth3_in (1 references)
target     prot opt source               destination
dynamic    0    --  anywhere             anywhere             state INVALID,NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
stc2fw     0    --  anywhere             anywhere             policy match dir in pol none

Chain fw2dmz (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  anywhere             debian-szerver       tcp dpt:9999
all2all    0    --  anywhere             anywhere

Chain fw2loc (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
all2all    0    --  anywhere             anywhere

Chain fw2stc (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     0    --  anywhere             anywhere

Chain loc2all (3 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere

Chain loc2dmz (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             debian-szerver       tcp dpt:www
ACCEPT     tcp  --  anywhere             debian-szerver       tcp dpt:ipp
ACCEPT     tcp  --  anywhere             debian-szerver       tcp dpt:https
ACCEPT     tcp  --  anywhere             debian-szerver       tcp dpt:microsoft-ds
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  anywhere             debian-szerver       tcp dpt:ssh
ACCEPT     tcp  --  debian-asztal        debian-szerver       tcp dpt:9999
loc2all    0    --  anywhere             anywhere

Chain loc2fw (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  debian-asztal        anywhere             tcp dpt:ssh
loc2all    0    --  anywhere             anywhere

Chain loc2stc (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
loc2all    0    --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere             LOG level info prefix `Shorewall:logdrop:DROP:'
DROP       0    --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere             LOG level info prefix `Shorewall:logreject:REJECT:'
reject     0    --  anywhere             anywhere

Chain reject (11 references)
target     prot opt source               destination
DROP       0    --  255.255.255.255      anywhere
DROP       0    --  BASE-ADDRESS.MCAST.NET/4 anywhere
DROP       0    --  anywhere             anywhere             PKTTYPE = broadcast
DROP       0    --  anywhere             anywhere             PKTTYPE = multicast
DROP       0    --  255.255.255.255      anywhere
DROP       0    --  BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     0    --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (0 references)
target     prot opt source               destination
LOG        0    --  10.91.255.255        anywhere             LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       0    --  10.91.255.255        anywhere
LOG        0    --  192.168.1.255        anywhere             LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       0    --  192.168.1.255        anywhere
LOG        0    --  192.168.2.255        anywhere             LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       0    --  192.168.2.255        anywhere
LOG        0    --  255.255.255.255      anywhere             LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       0    --  255.255.255.255      anywhere
LOG        0    --  BASE-ADDRESS.MCAST.NET/4 anywhere         LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       0    --  BASE-ADDRESS.MCAST.NET/4 anywhere

Chain stc2all (3 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
Drop       0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere             LOG level info prefix `Shorewall:stc2all:DROP:'
DROP       0    --  anywhere             anywhere

Chain stc2dmz (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             debian-szerver       tcp dpt:www
stc2all    0    --  anywhere             anywhere

Chain stc2fw (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
DROP       udp  --  anywhere             anywhere             udp dpts:1026:1029
stc2all    0    --  anywhere             anywhere

Chain stc2loc (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
stc2all    0    --  anywhere             anywhere

> and "route" on your lan clients would help.

route on box-3
--------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0

route on box-2
--------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

--
Regards, Paul Csanyi
http://www.freewebs.com/csanyi-pal/index.htm
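The thread turns on one missing piece: the filter table above forwards traffic from the LAN zones, but with no masquerading (no MASQUERADE or SNAT rule in the nat table's POSTROUTING chain) the clients' private source addresses leave the gateway unchanged and replies never come back. The script below is an added example written for this page, not code from the thread or from Shorewall. It parses text in the `iptables -L` column layout shown in the message, then checks the three things a gateway needs for a LAN to reach the outside: forwarding enabled in the kernel, a usable FORWARD chain, and a source-rewriting rule in nat POSTROUTING. The filter and nat samples embedded in it are constructed (the filter excerpt is modelled on the dump above; on a real host the nat table comes from `iptables -t nat -L` and the forwarding flag from `/proc/sys/net/ipv4/ip_forward`, both assumptions about what the reader would feed in).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches the chain header of `iptables -L`: built-in chains carry a policy,
# user-defined chains carry a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    extra: str = ""          # match options after the destination column, if any


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None   # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)


def parse_iptables_list(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L` output (target prot opt source destination [extra]) into chains."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(name=m.group(1), policy=m.group(2))
            chains[current.name] = current
            continue
        if line.startswith("target ") or current is None:
            continue  # column header, or stray text before the first chain
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue  # not a rule line in this layout
        target, prot, _opt, src, dst = parts[:5]
        current.rules.append(Rule(target, prot, src, dst, parts[5] if len(parts) > 5 else ""))
    return chains


def masquerade_rules(nat_chains: Dict[str, Chain]) -> List[Rule]:
    """POSTROUTING rules that rewrite the source address (MASQUERADE or SNAT)."""
    post = nat_chains.get("POSTROUTING")
    if post is None:
        return []
    return [r for r in post.rules if r.target in ("MASQUERADE", "SNAT")]


def diagnose_gateway(filter_text: str, nat_text: str, ip_forward: int) -> List[str]:
    """Return human-readable findings; an empty list means the gateway looks able to NAT a LAN."""
    findings: List[str] = []
    filt = parse_iptables_list(filter_text)
    nat = parse_iptables_list(nat_text)
    if ip_forward != 1:
        findings.append("ip_forward is 0: the kernel will not route between interfaces")
    fwd = filt.get("FORWARD")
    if fwd is None:
        findings.append("no FORWARD chain found in the filter table")
    elif fwd.policy == "DROP" and not fwd.rules:
        findings.append("FORWARD policy is DROP and the chain is empty: nothing is forwarded")
    if not masquerade_rules(nat):
        findings.append("no MASQUERADE/SNAT rule in nat POSTROUTING: LAN source addresses are not rewritten")
    return findings


# Constructed filter excerpt in the same layout as the thread's dump.
FILTER_SAMPLE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
eth1_fwd   0    --  anywhere             anywhere
Reject     0    --  anywhere             anywhere
reject     0    --  anywhere             anywhere

Chain loc2stc (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
loc2all    0    --  anywhere             anywhere
"""

# Constructed nat tables: one with masquerading absent, one with it present.
NAT_WITHOUT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

NAT_WITH = """\
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  192.168.1.0/24       anywhere
MASQUERADE all  --  192.168.2.0/24       anywhere
"""

if __name__ == "__main__":
    for label, nat in (("without masquerade", NAT_WITHOUT), ("with masquerade", NAT_WITH)):
        print(label + ":", diagnose_gateway(FILTER_SAMPLE, nat, 1) or ["ok"])
```

Run against the constructed samples it reports only the missing POSTROUTING rule for the first nat table and nothing for the second, which mirrors the answer given in the thread; on a live gateway, feed it the real `iptables -L`, `iptables -t nat -L` and `/proc/sys/net/ipv4/ip_forward` contents instead of the samples.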