On 13/11/2016 at 16:05, deloptes wrote:
> These are the rules - a friend created this like 10y ago. I added a few rules
> to forward ports from outside to the intranet and to be able to handle VPN.
> You can ignore 192.168.60.1 on eth2 - not used.
IMO, this ruleset is totally insane.
However, after clearing out all irrelevant rules, I see nothing in what
is left which could block connections from 192.168.40.0/24 on eth1 to
anywhere through the firewall:
*nat
:PREROUTING ACCEPT [26000:2533530]
:POSTROUTING ACCEPT [87:4966]
:OUTPUT ACCEPT [28:2038]
-A POSTROUTING -s 192.168.40.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ifilter - [0:0]
:ofilter - [0:0]
-A INPUT -j ifilter
-A FORWARD -j ifilter
-A FORWARD -j ofilter
-A OUTPUT -j ofilter
-A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ifilter -i eth1 -m state --state NEW -j ACCEPT
What happens exactly when you try to connect? What is the command,
what is the reply? Did you make a packet capture on eth0?
Did you check the routing table on the firewall and on the targets? Do
they have a route to the whole 10.0.0.0/24 range?
> Another important piece of information perhaps is that the modem is configured to
> have a DMZ with 10.0.0.1.
I don't think this is relevant. The modem is not involved.
> Devices 10.0.0.6 and 10.0.0.7 which I want to connect to from 192.... do not
> have any firewalls - they are mobile phones.
> I would really appreciate your help - perhaps reviewing the rules and
> suggesting improvements as well.
This ruleset does not need improvements but a total rewrite.
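To make the reasoning in the reply above concrete, here is an added illustration (not part of the thread, not code from either poster) that walks a packet through the trimmed filter ruleset exactly as netfilter would: built-in chains fall through to their policy, user-defined chains return to the caller when no rule matches. It models only the matches the posted rules use (-i, -o, -s, -m state --state), ignores the nat table (SNAT does not change the FORWARD verdict), and assumes conntrack has already classified the packet as NEW or ESTABLISHED. The packet addresses 192.168.40.10 and the phone 10.0.0.6 from the thread are used as sample input.

```python
import ipaddress

# The filter table as it appears in the reply (iptables-restore format)
RULESET = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ifilter - [0:0]
:ofilter - [0:0]
-A INPUT -j ifilter
-A FORWARD -j ifilter
-A FORWARD -j ofilter
-A OUTPUT -j ofilter
-A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ifilter -i eth1 -m state --state NEW -j ACCEPT
COMMIT
"""

def parse_ruleset(text):
    """Return ({chain: policy or None}, {chain: [rule dicts]}) for one table."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # chain declaration
            name, policy, _counters = line[1:].split()
            policies[name] = None if policy == "-" else policy   # user chains have no policy
            chains[name] = []
        elif line.startswith("-A "):                  # append rule
            toks = line.split()
            rule = {"in": None, "out": None, "src": None, "states": None, "target": None}
            i = 2
            while i < len(toks):
                t = toks[i]
                if t == "-i": rule["in"] = toks[i + 1]
                elif t == "-o": rule["out"] = toks[i + 1]
                elif t == "-s": rule["src"] = ipaddress.ip_network(toks[i + 1])
                elif t == "-m": pass                  # match module name, options follow
                elif t == "--state": rule["states"] = set(toks[i + 1].split(","))
                elif t == "-j": rule["target"] = toks[i + 1]
                else: raise ValueError(f"unsupported option {t!r} in: {line}")
                i += 2
            chains[toks[1]].append(rule)
    return policies, chains

def matches(rule, pkt):
    """Every specified match in the rule must hold for the packet."""
    if rule["in"] and pkt["in"] != rule["in"]: return False
    if rule["out"] and pkt["out"] != rule["out"]: return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]: return False
    if rule["states"] and pkt["state"] not in rule["states"]: return False
    return True

def walk(chain, pkt, policies, chains, trace):
    """Evaluate a chain; return a terminal verdict, or None if the chain fell off its end."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append(f"{chain}: match -> {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        sub = walk(target, pkt, policies, chains, trace)   # jump to user chain
        if sub is not None:
            return sub                                     # verdict reached inside it
    policy = policies[chain]                               # None for user chains: return to caller
    if policy is not None:
        trace.append(f"{chain}: end of chain, policy {policy}")
    return policy

def verdict(base_chain, pkt, ruleset=RULESET):
    """Return (verdict, trace) for a packet entering the given built-in chain."""
    policies, chains = parse_ruleset(ruleset)
    trace = []
    return walk(base_chain, pkt, policies, chains, trace), trace

if __name__ == "__main__":
    # Constructed sample packets for the thread's scenario
    samples = {
        "LAN host opens connection to phone":   {"in": "eth1", "out": "eth0", "src": "192.168.40.10", "state": "NEW"},
        "phone replies on that connection":     {"in": "eth0", "out": "eth1", "src": "10.0.0.6", "state": "ESTABLISHED"},
        "phone opens unsolicited connection":   {"in": "eth0", "out": "eth1", "src": "10.0.0.6", "state": "NEW"},
    }
    for label, pkt in samples.items():
        v, trace = verdict("FORWARD", pkt)
        print(f"{label}: {v}\n  " + "\n  ".join(trace))
```

The first two traces end in ACCEPT (ifilter's second and first rule respectively), which is the reply's point: the filter table passes this traffic, so a failed connection has to be explained by routing, NAT or the far end rather than by these rules. The third trace falls through both user chains and hits the FORWARD DROP policy, the only path on which the posted rules block anything.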