Pascal Hambourg wrote:

> On 13/11/2016 at 16:05, deloptes wrote:
>>
>> These are the rules - a friend created this like 10y ago. I added a few
>> rules to forward ports from outside to the intranet and to be able to
>> handle VPN.
>> You can ignore 192.168.60.1 on eth2 - not used.
>
> IMO, this ruleset is totally insane.
>

Haha, yes, for me it is also hard to understand it all ... but as I said, in the past 10y it did good work.

> However, after clearing out all irrelevant rules, I see nothing in what
> is left which may block connections from 192.168.40.0/24 on eth1 to
> anywhere through the firewall :
>
> *nat
> :PREROUTING ACCEPT [26000:2533530]
> :POSTROUTING ACCEPT [87:4966]
> :OUTPUT ACCEPT [28:2038]
> -A POSTROUTING -s 192.168.40.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :ifilter - [0:0]
> :ofilter - [0:0]
> -A INPUT -j ifilter
> -A FORWARD -j ifilter
> -A FORWARD -j ofilter
> -A OUTPUT -j ofilter
> -A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A ifilter -i eth1 -m state --state NEW -j ACCEPT
>
> What happens exactly when you try to connect ? What is the command,
> what is the reply ? Did you make a packet capture on eth0 ?
>

I do ssh user@10...6 and nothing happens - the connection times out after ~1 min.

> Did you check the routing table on the firewall and the targets ? Do
> they have a route to all the 10.0.0.0/24 range ?
>

The one I posted is on the firewall - the firewall is the one I am trying to modify. I am not sure that I have a rule to all the 10.0.0.0/24 range, but even if I replace 10.0.0.1/32 with 10.0.0.0/24 it does not work.

>> Another important piece of information perhaps is that the modem is configured to
>> have a DMZ with 10.0.0.1.
>
> I don't think this is relevant. The modem is not involved.
>

The modem is a wireless modem, so the cable goes to the firewall 10..1 and via the wlan I have 10..6 etc. So IMO it is involved, but I do not have root on it - I have only the admin iface, and there I see the firewall is active and set up in normal mode (you have easy and hard - translated from the local language).

>> Devices 10.0.0.6 and 10.0.0.7 which I want to connect from 192.... do not
>> have any firewalls - they are mobile phones.
>>
>> I will really appreciate your help - perhaps reviewing the rules and
>> suggesting improvements as well.
>
> This ruleset does not need improvements but a total rewrite.

Yes, I was thinking the same, I'll put it on the TODO. I even tried once with fw builder - it couldn't even import properly, because import and export produced a non-working firewall. It is a bit complicated. However, I think the ruleset is not that bad, as testing from outside shows the network 192.168... is well protected.

thanks
regards
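As an added example (not code from either poster), a minimal evaluator for the FORWARD-relevant part of the simplified *filter dump Pascal quoted, which traces a constructed packet through the chains and reproduces his point that nothing in the filter table blocks a new connection from eth1. Only the match clauses present in that dump (-i, -o, -s, -m state --state) are implemented, and the packet tuples are constructed.

```python
from ipaddress import ip_address, ip_network

# FORWARD-relevant lines of the simplified dump quoted above (constructed copy).
RULESET = """\
:FORWARD DROP [0:0]
:ifilter - [0:0]
:ofilter - [0:0]
-A FORWARD -j ifilter
-A FORWARD -j ofilter
-A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ifilter -i eth1 -m state --state NEW -j ACCEPT
"""

def parse_filter(text):
    """Policies and rule lists for the *filter table of an iptables-save dump."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]   # "-" marks a user-defined chain
            policies[name], chains[name] = policy, []
        elif line.startswith("-A"):  # every option here takes one value, so pair them up
            tok = line.split()
            chains[tok[1]].append(dict(zip(tok[2::2], tok[3::2])))  # "-m" just rides along
    return policies, chains

def matches(rule, pkt):
    """True when every match clause in the rule applies to the packet."""
    return (rule.get("-i", pkt["in"]) == pkt["in"]
            and rule.get("-o", pkt["out"]) == pkt["out"]
            and ip_address(pkt["src"]) in ip_network(rule.get("-s", "0.0.0.0/0"))
            and pkt["state"] in rule.get("--state", pkt["state"]).split(","))

def verdict(policies, chains, chain, pkt):
    """Walk a chain; the first terminating target, else the chain policy, decides."""
    for rule in (r for r in chains[chain] if matches(r, pkt)):
        target = rule["-j"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = verdict(policies, chains, target, pkt)  # descend into user-defined chain (RETURN unused here)
        if sub:
            return sub
    return None if policies[chain] == "-" else policies[chain]  # None: caller keeps walking

# Constructed packets: the SSH attempt from the LAN, and an unsolicited one from the WLAN side.
LAN_TO_WLAN = {"in": "eth1", "out": "eth0", "src": "192.168.40.10", "state": "NEW"}
WLAN_TO_LAN = {"in": "eth0", "out": "eth1", "src": "10.0.0.6", "state": "NEW"}

def forward_verdict(pkt, ruleset=RULESET):
    policies, chains = parse_filter(ruleset)
    return verdict(policies, chains, "FORWARD", pkt)  # "ACCEPT" for LAN_TO_WLAN, "DROP" for WLAN_TO_LAN
```

Because the filter table accepts the packet, the time-out has to come from elsewhere: routing on the firewall or on the 10.0.0.x targets, or the return path through the modem's wireless segment, which is what a capture on eth0 would show.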