xDSL.at

von **robspr** » Mo 03 Jan, 2005 12:06

Ich verwende einen Computer mit Linux (Suse 9.2) zur Einwahl und als Firewall für dahinterliegende Rechner. Der internetzugang ist ein xDSL@home Einzelplatz mit VOIP.

Wähle ich mich mit ppptp (scripts von Inode) ein und führe dann ein script mit iptables-commands aus ist alles ok. Wähle ich mich mit pppoe (config mit Suse-Yast) ein, ist direkt von der firewall aus auch alles ok, jedoch lassen sich einige Seiten von Rechnern dahinter nicht mehr ansprechen. Beim Zugriff der Seiten mittels proxy-server auf der firewall funktioniert es. Das script mit den firewall-regeln ist aber immer dasselbe.

Hat jemand eine Idee?

Mitprotokolliert der Zugriff auf www.psk.co.at:

pppoe (NAT von intern über firewall):

Code: Alles auswählen: Jan 3 11:18:28 firewall kernel: IN=eth1 OUT=dsl0 SRC=192.168.250.4 DST=194.107.107.112 LEN=47 TOS=0x00 PREC=0x00 TTL=127 ID=48475 DF PROTO=TCP SPT=1741 DPT=443 WINDOW=65535 RES=0x00 ACK PSH URGP=0 Jan 3 11:18:28 firewall kernel: IN=eth1 OUT=dsl0 SRC=192.168.250.4 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=48476 DF PROTO=TCP SPT=1741 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0 Jan 3 11:18:28 firewall kernel: IN=dsl0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=9373 PROTO=TCP SPT=443 DPT=1741 WINDOW=0 RES=0x00 RST URGP=0 Jan 3 11:18:30 firewall kernel: IN=eth1 OUT=dsl0 SRC=192.168.250.4 DST=194.107.107.112 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=48489 DF PROTO=TCP SPT=1747 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Jan 3 11:18:30 firewall kernel: IN=dsl0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=44 TOS=0x00 PREC=0x00 TTL=58 ID=59569 DF PROTO=TCP SPT=443 DPT=1747 WINDOW=8760 RES=0x00 ACK SYN URGP=0 Jan 3 11:18:30 firewall kernel: IN=eth1 OUT=dsl0 SRC=192.168.250.4 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=48490 DF PROTO=TCP SPT=1747 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0 Jan 3 11:18:30 firewall kernel: IN=eth1 OUT=dsl0 SRC=192.168.250.4 DST=194.107.107.112 LEN=106 TOS=0x00 PREC=0x00 TTL=127 ID=48491 DF PROTO=TCP SPT=1747 DPT=443 WINDOW=65535 RES=0x00 ACK PSH URGP=0 Jan 3 11:18:33 firewall kernel: IN=eth1 OUT=dsl0 SRC=192.168.250.4 DST=194.107.107.112 LEN=106 TOS=0x00 PREC=0x00 TTL=127 ID=48520 DF PROTO=TCP SPT=1747 DPT=443 WINDOW=65535 RES=0x00 ACK PSH URGP=0 Jan 3 11:18:33 firewall kernel: IN=dsl0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=44237 DF PROTO=TCP SPT=443 DPT=1747 WINDOW=8694 RES=0x00 ACK URGP=0

pppoe (via proxy auf der firewall):

Code: Alles auswählen: Jan 3 11:20:10 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26380 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=5808 RES=0x00 SYN URGP=0 Jan 3 11:20:10 firewall kernel: IN=dsl0 OUT= MAC= SRC=194.107.107.112 DST=81.223.97.105 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=26046 DF PROTO=TCP SPT=443 DPT=32826 WINDOW=8712 RES=0x00 ACK SYN URGP=0 Jan 3 11:20:10 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=26381 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=5808 RES=0x00 ACK URGP=0 Jan 3 11:20:10 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=106 TOS=0x00 PREC=0x00 TTL=64 ID=26382 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=5808 RES=0x00 ACK PSH URGP=0 Jan 3 11:20:10 firewall kernel: IN=dsl0 OUT= MAC= SRC=194.107.107.112 DST=81.223.97.105 LEN=1492 TOS=0x00 PREC=0x00 TTL=59 ID=48830 DF PROTO=TCP SPT=443 DPT=32826 WINDOW=8646 RES=0x00 ACK URGP=0 Jan 3 11:20:10 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=26383 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=8712 RES=0x00 ACK URGP=0 Jan 3 11:20:10 firewall kernel: IN=dsl0 OUT= MAC= SRC=194.107.107.112 DST=81.223.97.105 LEN=1492 TOS=0x00 PREC=0x00 TTL=59 ID=49086 DF PROTO=TCP SPT=443 DPT=32826 WINDOW=8646 RES=0x00 ACK URGP=0 Jan 3 11:20:10 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=26384 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=11616 RES=0x00 ACK URGP=0 Jan 3 11:20:10 firewall kernel: IN=dsl0 OUT= MAC= SRC=194.107.107.112 DST=81.223.97.105 LEN=199 TOS=0x00 PREC=0x00 TTL=59 ID=64958 DF PROTO=TCP SPT=443 DPT=32826 WINDOW=8646 RES=0x00 ACK PSH URGP=0 Jan 3 11:20:10 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=26385 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=14520 RES=0x00 ACK URGP=0 Jan 3 11:20:10 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=179 TOS=0x00 PREC=0x00 TTL=64 ID=26386 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=14520 RES=0x00 ACK PSH URGP=0 Jan 3 11:20:10 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=46 TOS=0x00 PREC=0x00 TTL=64 ID=26387 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=14520 RES=0x00 ACK PSH URGP=0 Jan 3 11:20:10 firewall kernel: IN=dsl0 OUT= MAC= SRC=194.107.107.112 DST=81.223.97.105 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=24255 DF PROTO=TCP SPT=443 DPT=32826 WINDOW=8501 RES=0x00 ACK URGP=0 Jan 3 11:20:10 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=26388 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=14520 RES=0x00 ACK PSH URGP=0 Jan 3 11:20:10 firewall kernel: IN=dsl0 OUT= MAC= SRC=194.107.107.112 DST=81.223.97.105 LEN=87 TOS=0x00 PREC=0x00 TTL=59 ID=17344 DF PROTO=TCP SPT=443 DPT=32826 WINDOW=8460 RES=0x00 ACK PSH URGP=0 Jan 3 11:20:10 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=621 TOS=0x00 PREC=0x00 TTL=64 ID=26389 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=14520 RES=0x00 ACK PSH URGP=0 Jan 3 11:20:11 firewall kernel: IN=dsl0 OUT= MAC= SRC=194.107.107.112 DST=81.223.97.105 LEN=885 TOS=0x00 PREC=0x00 TTL=59 ID=45504 DF PROTO=TCP SPT=443 DPT=32826 WINDOW=7879 RES=0x00 ACK PSH URGP=0 Jan 3 11:20:11 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=26390 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=17424 RES=0x00 ACK PSH URGP=0 Jan 3 11:20:11 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=26391 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=17424 RES=0x00 ACK FIN URGP=0 Jan 3 11:20:11 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=195.58.160.194 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=44070 DF PROTO=UDP SPT=32799 DPT=53 LEN=41 Jan 3 11:20:11 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=195.58.160.194 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=44074 DF PROTO=UDP SPT=32800 DPT=53 LEN=41 Jan 3 11:20:11 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=195.58.160.194 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=44077 DF PROTO=UDP SPT=32801 DPT=53 LEN=41 Jan 3 11:20:11 firewall kernel: IN=dsl0 OUT= MAC= SRC=194.107.107.112 DST=81.223.97.105 LEN=67 TOS=0x00 PREC=0x00 TTL=59 ID=64960 DF PROTO=TCP SPT=443 DPT=32826 WINDOW=7852 RES=0x00 ACK PSH URGP=0 Jan 3 11:20:11 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3726 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=0 RES=0x00 RST URGP=0 Jan 3 11:20:11 firewall kernel: IN=dsl0 OUT= MAC= SRC=194.107.107.112 DST=81.223.97.105 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=1473 DF PROTO=TCP SPT=443 DPT=32826 WINDOW=7852 RES=0x00 ACK FIN URGP=0 Jan 3 11:20:11 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3727 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=0 RES=0x00 RST URGP=0 Jan 3 11:20:11 firewall kernel: IN=dsl0 OUT= MAC= SRC=194.107.107.112 DST=81.223.97.105 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=6593 DF PROTO=TCP SPT=443 DPT=32826 WINDOW=7852 RES=0x00 ACK URGP=0 Jan 3 11:20:11 firewall kernel: IN= OUT=dsl0 SRC=81.223.97.105 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3728 DF PROTO=TCP SPT=32826 DPT=443 WINDOW=0 RES=0x00 RST URGP=0 Jan 3 11:20:11 firewall kernel: IN=dsl0 OUT= MAC= SRC=195.58.160.194 DST=81.223.97.105 LEN=162 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=UDP SPT=53 DPT=32799 LEN=142

ppptp:

Code: Alles auswählen: Jan 3 11:22:03 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=51240 DF PROTO=TCP SPT=1761 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Jan 3 11:22:03 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=44 TOS=0x00 PREC=0x00 TTL=58 ID=46652 DF PROTO=TCP SPT=443 DPT=1761 WINDOW=8760 RES=0x00 ACK SYN URGP=0 Jan 3 11:22:03 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51241 DF PROTO=TCP SPT=1761 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0 Jan 3 11:22:03 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=138 TOS=0x00 PREC=0x00 TTL=127 ID=51242 DF PROTO=TCP SPT=1761 DPT=443 WINDOW=65535 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:03 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=29246 DF PROTO=TCP SPT=443 DPT=1761 WINDOW=8662 RES=0x00 ACK URGP=0 Jan 3 11:22:03 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=166 TOS=0x00 PREC=0x00 TTL=58 ID=57409 DF PROTO=TCP SPT=443 DPT=1761 WINDOW=8662 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:03 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=46 TOS=0x00 PREC=0x00 TTL=127 ID=51247 DF PROTO=TCP SPT=1761 DPT=443 WINDOW=65409 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:04 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=49987 DF PROTO=TCP SPT=443 DPT=1761 WINDOW=8656 RES=0x00 ACK URGP=0 Jan 3 11:22:04 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=662 TOS=0x00 PREC=0x00 TTL=127 ID=51248 DF PROTO=TCP SPT=1761 DPT=443 WINDOW=65409 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:04 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=885 TOS=0x00 PREC=0x00 TTL=58 ID=59204 DF PROTO=TCP SPT=443 DPT=1761 WINDOW=8034 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:04 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=67 TOS=0x00 PREC=0x00 TTL=127 ID=51253 DF PROTO=TCP SPT=1761 DPT=443 WINDOW=64564 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:04 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=51254 DF PROTO=TCP SPT=1762 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Jan 3 11:22:04 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51255 DF PROTO=TCP SPT=1761 DPT=443 WINDOW=64564 RES=0x00 ACK FIN URGP=0 Jan 3 11:22:04 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=44 TOS=0x00 PREC=0x00 TTL=58 ID=23365 DF PROTO=TCP SPT=443 DPT=1762 WINDOW=8760 RES=0x00 ACK SYN URGP=0 Jan 3 11:22:04 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51256 DF PROTO=TCP SPT=1762 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0 Jan 3 11:22:04 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=138 TOS=0x00 PREC=0x00 TTL=127 ID=51257 DF PROTO=TCP SPT=1762 DPT=443 WINDOW=65535 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:04 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=24133 DF PROTO=TCP SPT=443 DPT=1761 WINDOW=8007 RES=0x00 ACK URGP=0 Jan 3 11:22:04 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=67 TOS=0x00 PREC=0x00 TTL=58 ID=32325 DF PROTO=TCP SPT=443 DPT=1761 WINDOW=8007 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:04 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51258 DF PROTO=TCP SPT=1761 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 Jan 3 11:22:04 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=32581 DF PROTO=TCP SPT=443 DPT=1761 WINDOW=8007 RES=0x00 ACK FIN URGP=0 Jan 3 11:22:04 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51259 PROTO=TCP SPT=1761 DPT=443 WINDOW=0 RES=0x00 RST URGP=0 Jan 3 11:22:04 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=46663 DF PROTO=TCP SPT=443 DPT=1762 WINDOW=8662 RES=0x00 ACK URGP=0 Jan 3 11:22:04 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=166 TOS=0x00 PREC=0x00 TTL=58 ID=32073 DF PROTO=TCP SPT=443 DPT=1762 WINDOW=8662 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:04 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=46 TOS=0x00 PREC=0x00 TTL=127 ID=51260 DF PROTO=TCP SPT=1762 DPT=443 WINDOW=65409 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:04 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=1612 DF PROTO=TCP SPT=443 DPT=1762 WINDOW=8656 RES=0x00 ACK URGP=0 Jan 3 11:22:04 firewall kernel: IN=eth1 OUT=ppp0 SRC=192.168.250.4 DST=194.107.107.112 LEN=810 TOS=0x00 PREC=0x00 TTL=127 ID=51265 DF PROTO=TCP SPT=1762 DPT=443 WINDOW=65409 RES=0x00 ACK PSH URGP=0 Jan 3 11:22:04 firewall kernel: IN=ppp0 OUT=eth1 SRC=194.107.107.112 DST=192.168.250.4 LEN=1500 TOS=0x00 PREC=0x00 TTL=58 ID=55884 DF PROTO=TCP SPT=443 DPT=1762 WINDOW=7886 RES=0x00 ACK URGP=0

von **robspr** » Mo 10 Jan, 2005 10:49

Da ich noch immer keine Lösung habe, hoffe ich mit folgender Frage weiterzukommen:

Kann jemand der eine (SuSe-)Linux-Firewall mit iptables und PPPoE, sowie NAT mittels "iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE" verwendet ein Log der Verbindung (am besten zu www.psk.co.at) posten, damit ich eventuell einen Unterschied erkennen kann?

von **dfx** » Mo 10 Jan, 2005 10:53

kann es sein, daß dein iptables script als nat-kriterium das ausgehende interface verwendet? beim pptp hast du nämlich als interface "ppp0", beim pppoe aber (komischerweise?) "dsl0".

von **robspr** » Mo 10 Jan, 2005 11:07

Ja, das tut es. Bei ppptp nehme ich ja das inode-script welches mir das interface ppp0 erzeugt, für pppoe nehme ich die yast-konfiguration die mir das interface dsl0 erzeugt.

Im script steht dann am Anfang:
EXTERNAL_INTERFACE=$(/sbin/ifconfig | /bin/grep Point-to-Point | /usr/bin/cut -c 0-4 | /bin/awk '{print $1}' )

somit ergibt sich:
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
bzw.
iptables -A POSTROUTING -t nat -o dsl0 -j MASQUERADE

je nachdem wie ich mich eingewählt habe.

von **dfx** » Mo 10 Jan, 2005 11:23

dann poste mal den output von

iptables -L -v -n
iptables -t nat -L -v -n
route -n
ifconfig -a

wenn du per pppoe drin bist.

von **robspr** » Mo 10 Jan, 2005 11:44

iptables -L -v -n

Code: Alles auswählen: Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2 114 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- eth1 * 192.168.250.0/24 0.0.0.0/0 1 28 ACCEPT all -- eth0 * 10.0.0.0/8 0.0.0.0/0 0 0 ACCEPT all -- ipsec0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- ppp1 * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * * 81.223.155.102 0.0.0.0/0 0 0 DROP tcp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 0 0 DROP tcp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6063 flags:0x16/0x02 0 0 DROP tcp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1080 flags:0x16/0x02 0 0 DROP udp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 0 0 DROP udp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 udp spts:32769:65535 dpts:33434:33523 827 78542 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 tcp flags:!0x16/0x02 26 3764 ACCEPT udp -- dsl0 * 0.0.0.0/0 81.223.155.102 udp spt:53 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp spt:80 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp spt:443 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp spt:1863 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:119 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:119 dpt:119 0 0 ACCEPT udp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED udp spt:119 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:110 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:143 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:993 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:25 dpts:1024:65535 1 48 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 tcp spts:1024:65535 dpt:22 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:22 dpts:1022:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:1022 dpts:1022:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:23 dpts:1024:65535 0 0 REJECT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 tcp spts:1024:65535 dpt:113 reject-with icmp-port-unreachable 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:113 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:43 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:79 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:21 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 tcp spt:20 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spts:1024:65535 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:554 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spts:7070:7071 dpts:1024:65535 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 81.223.155.102 state RELATED,ESTABLISHED tcp spt:1723 dpts:1024:65535 0 0 ACCEPT 47 -- dsl0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:1723 0 0 ACCEPT 47 -- dsl0 * 0.0.0.0/0 0.0.0.0/0 3 144 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:4661:4662 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4242 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:4800:4801 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8800 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6969 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:4762:4763 8 424 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:4804:4805 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8804 0 0 ACCEPT udp -- dsl0 * 0.0.0.0/0 81.223.155.102 udp spt:123 dpts:1024:65535 0 0 ACCEPT udp -- dsl0 * 0.0.0.0/0 81.223.155.102 udp spt:123 dpt:123 0 0 ACCEPT tcp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp spt:37 dpts:1024:65535 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT icmp -- dsl0 * 0.0.0.0/0 81.223.155.102 icmp type 0 0 0 ACCEPT icmp -- dsl0 * 0.0.0.0/0 81.223.155.102 icmp type 3 0 0 ACCEPT icmp -- dsl0 * 0.0.0.0/0 81.223.155.102 icmp type 4 0 0 ACCEPT icmp -- dsl0 * 0.0.0.0/0 81.223.155.102 icmp type 11 0 0 ACCEPT icmp -- dsl0 * 0.0.0.0/0 81.223.155.102 icmp type 12 6 288 DROP tcp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 0 0 DROP udp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 3 162 DROP udp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 0 0 DROP icmp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 icmp type 5 0 0 DROP icmp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 icmp type 13 0 0 DROP icmp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 icmp type 14 0 0 DROP icmp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 icmp type 15 0 0 DROP icmp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 icmp type 16 0 0 DROP icmp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 icmp type 17 0 0 DROP icmp -- dsl0 * 0.0.0.0/0 0.0.0.0/0 icmp type 18 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- ipsec0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- ppp1 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * ppp1 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- * * 192.168.250.0/24 0.0.0.0/0 udp spts:1024:65535 dpt:53 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.250.0/24 udp spt:53 dpts:1024:65535 0 0 ACCEPT udp -- * * 10.0.0.0/8 0.0.0.0/0 udp spts:1024:65535 dpt:53 0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.0/8 udp spt:53 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:53 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 tcp spt:53 dpts:1024:65535 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:53 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 tcp spt:53 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:80 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:80 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:80 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:80 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:443 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:443 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:443 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:443 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:1863 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:1863 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:1863 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:1863 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:119 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:119 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:119 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:119 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spt:119 dpt:119 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spt:119 dpt:119 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:119 dpt:119 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:119 dpt:119 0 0 ACCEPT udp -- * * 192.168.250.0/24 0.0.0.0/0 udp spts:1024:65535 dpt:119 0 0 ACCEPT udp -- * * 10.0.0.0/8 0.0.0.0/0 udp spts:1024:65535 dpt:119 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED udp spt:119 dpts:1024:65535 0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED udp spt:119 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:110 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:110 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:110 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:110 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:143 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:143 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:143 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:143 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:993 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:993 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:993 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:993 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:25 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:25 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:25 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:25 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1022:65535 dpt:22 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1022:65535 dpt:22 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:22 dpts:1022:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:22 dpts:1022:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1022:65535 dpt:1022 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1022:65535 dpt:1022 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:1022 dpts:1022:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:1022 dpts:1022:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:23 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:23 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:23 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:23 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:113 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:113 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:113 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:113 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:43 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:43 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:43 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:43 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:79 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:79 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:79 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:79 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpts:20:21 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpts:20:21 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spts:20:21 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spts:20:21 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spts:1024:65535 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spts:1024:65535 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:554 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:554 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:554 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:554 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpts:7070:7071 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpts:7070:7071 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spts:7070:7071 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spts:7070:7071 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:1723 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:1723 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:1723 dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8 state RELATED,ESTABLISHED tcp spt:1723 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 0 0 ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 0 0 ACCEPT 47 -- * * 0.0.0.0/0 192.168.250.0/24 0 0 ACCEPT 47 -- * * 0.0.0.0/0 10.0.0.0/8 0 0 ACCEPT udp -- * * 192.168.250.0/24 0.0.0.0/0 udp spts:32769:65535 dpts:33434:33523 0 0 ACCEPT udp -- * * 10.0.0.0/8 0.0.0.0/0 udp spts:32769:65535 dpts:33434:33523 0 0 ACCEPT udp -- * * 192.168.250.0/24 0.0.0.0/0 udp spts:33434:33523 dpts:32769:65535 0 0 ACCEPT udp -- * * 10.0.0.0/8 0.0.0.0/0 udp spts:33434:33523 dpts:32769:65535 0 0 ACCEPT udp -- * * 192.168.250.0/24 0.0.0.0/0 udp spts:1024:65535 dpt:123 0 0 ACCEPT udp -- * * 10.0.0.0/8 0.0.0.0/0 udp spts:1024:65535 dpt:123 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.250.0/24 udp spt:123 dpts:1024:65535 0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.0/8 udp spt:123 dpts:1024:65535 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.250.0/24 udp spt:123 dpt:123 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.250.0/24 udp spt:123 dpt:123 0 0 ACCEPT udp -- * * 192.168.250.0/24 0.0.0.0/0 udp spt:123 dpt:123 0 0 ACCEPT udp -- * * 10.0.0.0/8 0.0.0.0/0 udp spt:123 dpt:123 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.250.0/24 state RELATED,ESTABLISHED tcp spt:37 dpts:1024:65535 0 0 ACCEPT tcp -- * * 192.168.250.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:37 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 0 0 ACCEPT icmp -- * * 192.168.250.0/24 0.0.0.0/0 icmp type 8 0 0 ACCEPT icmp -- * * 10.0.0.0/8 0.0.0.0/0 icmp type 8 0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.250.0/24 icmp type 0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.0.0.0/8 icmp type 0 Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2 114 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * eth1 0.0.0.0/0 192.168.250.0/24 0 0 ACCEPT all -- * eth0 0.0.0.0/0 10.0.0.0/8 0 0 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * ppp1 0.0.0.0/0 0.0.0.0/0 0 0 REJECT tcp -- * dsl0 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * dsl0 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6063 flags:0x16/0x02 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * dsl0 0.0.0.0/0 0.0.0.0/0 tcp dpt:1080 flags:0x16/0x02 reject-with icmp-port-unreachable 26 1742 ACCEPT udp -- * dsl0 81.223.155.102 0.0.0.0/0 udp spts:1024:65535 dpt:53 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:53 5 476 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:80 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:443 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:1863 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:119 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spt:119 dpt:119 0 0 ACCEPT udp -- * dsl0 81.223.155.102 0.0.0.0/0 udp spts:1024:65535 dpt:119 43 3848 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:110 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:143 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:993 23 2737 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:25 555 79390 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spt:22 dpts:1024:65535 flags:!0x16/0x02 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1022:65535 dpt:22 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1022:65535 dpt:1022 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:23 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:113 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:43 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:79 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:21 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:20 flags:!0x16/0x02 3 120 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:554 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpts:7070:7071 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:1723 0 0 ACCEPT 47 -- * dsl0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * dsl0 0.0.0.0/0 0.0.0.0/0 tcp spt:1723 dpts:1024:65535 0 0 ACCEPT 47 -- * dsl0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- * dsl0 81.223.155.102 0.0.0.0/0 udp spts:32769:65535 dpts:33434:33523 0 0 ACCEPT udp -- * dsl0 81.223.155.102 0.0.0.0/0 udp spts:1024:65535 dpt:123 0 0 ACCEPT udp -- * dsl0 81.223.155.102 0.0.0.0/0 udp spt:123 dpt:123 0 0 ACCEPT tcp -- * dsl0 81.223.155.102 0.0.0.0/0 tcp spts:1024:65535 dpt:37 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT icmp -- * dsl0 81.223.155.102 0.0.0.0/0 icmp type 3 code 4 0 0 ACCEPT icmp -- * dsl0 81.223.155.102 0.0.0.0/0 icmp type 4 0 0 ACCEPT icmp -- * dsl0 81.223.155.102 0.0.0.0/0 icmp type 8 0 0 ACCEPT icmp -- * dsl0 81.223.155.102 0.0.0.0/0 icmp type 12 8 648 REJECT all -- * dsl0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

iptables -t nat -L -v -n

Code: Alles auswählen: Chain PREROUTING (policy ACCEPT 171K packets, 13M bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 934 packets, 54677 bytes) pkts bytes target prot opt in out source destination 19 1220 MASQUERADE all -- * dsl0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

route -n

Code: Alles auswählen: Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 62.99.171.167 0.0.0.0 255.255.255.255 UH 0 0 0 dsl0 10.0.0.138 10.29.0.1 255.255.255.254 UG 0 0 0 eth0 192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1 10.29.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 62.99.171.167 0.0.0.0 UG 0 0 0 dsl0

ifconfig -a

Code: Alles auswählen: dsl0 Link encap:Point-to-Point Protocol inet addr:81.223.155.102 P-t-P:62.99.171.167 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1 RX packets:1192 errors:0 dropped:0 overruns:0 frame:0 TX packets:995 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:112276 (109.6 Kb) TX bytes:111407 (108.7 Kb) eth0 Link encap:Ethernet HWaddr 00:00:21:14:5B:F9 inet addr:10.29.2.231 Bcast:10.29.255.255 Mask:255.255.0.0 inet6 addr: fe80::200:21ff:fe14:5bf9/64 Scope:Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:8296812 errors:0 dropped:1 overruns:0 frame:1 TX packets:9690201 errors:14 dropped:0 overruns:0 carrier:26 collisions:46038 txqueuelen:1000 RX bytes:3267506858 (3116.1 Mb) TX bytes:1101556306 (1050.5 Mb) Interrupt:10 Base address:0xe800 eth1 Link encap:Ethernet HWaddr 00:40:F4:73:C0:CF inet addr:192.168.250.201 Bcast:192.168.250.255 Mask:255.255.255.0 inet6 addr: fe80::240:f4ff:fe73:c0cf/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:94030812 errors:2156 dropped:48530 overruns:2041 frame:0 TX packets:109504100 errors:0 dropped:0 overruns:20 carrier:0 collisions:0 txqueuelen:1000 RX bytes:262905682 (250.7 Mb) TX bytes:1164340622 (1110.4 Mb) Interrupt:12 Base address:0xc000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:161571 errors:0 dropped:0 overruns:0 frame:0 TX packets:161571 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:15743361 (15.0 Mb) TX bytes:15743361 (15.0 Mb) sit0 Link encap:IPv6-in-IPv4 NOARP MTU:1480 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

von **dfx** » Mo 10 Jan, 2005 12:44

ok, nach genauerer analyse dürfte die ursache ein mtu-, genauer gesagt pmtu-problem sein. psk.co.at versucht offenbar, path mtu discovery durchzuführen, was zu sehen ist an solchen paketen:

Code: Alles auswählen: Frame 1 (1514 bytes on wire, 1514 bytes captured) ... Packet Length: 1514 bytes Capture Length: 1514 bytes ... Internet Protocol, Src Addr: 194.107.107.115 (194.107.107.115), Dst Addr: 192.168.34.170 (192.168.34.170) ... Total Length: 1500 Flags: 0x04 (Don't Fragment) ... Transmission Control Protocol, Src Port: 80 (80), Dst Port: 36131 (36131), Seq: 0, Ack: 0, Len: 1460 Source port: 80 (80) Destination port: 36131 (36131) ...

derartige pakete passen durch ein pppoe-interface nicht durch und können auch nicht fragmentiert werden, wodurch vom router ein fragmentation-needed zurückgeschickt wird. anscheinend ist die firewall von psk.co.at aber zu scharf eingestellt, wodurch diese pakete ignoriert werden und somit funktioniert die path mtu discovery nicht mehr und die seite kann nicht geladen werden.

abhilfe schafft "mss clamping". der pppoe client/daemon kann die mss (in tcp-paketen) auf einen maximalen wert beschränken, wodurch die gegenseite veranlaßt wird, keine größeren pakete zu schicken. beim rp-pppoe client ist dies zb die option "-m 1412", wie auch in der man page beschrieben steht. dann klappts auch mit dem nachbarn (der psk).

trotzdem gehört dem psk admin mal eins auf den deckel gegeben.

von **robspr** » Mo 10 Jan, 2005 12:52

ok, danke. ich probier das am abend aus (ich bin jetzt nicht zu hause).

von **robspr** » Mo 10 Jan, 2005 14:38

@dfx:

sollte folgendes auch funktionieren:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

von **dfx** » Mo 10 Jan, 2005 14:46

richtig, damit müßte es auch gehen

von **robspr** » Mo 10 Jan, 2005 19:44

@dfx

Danke, es geht jetzt. (Ich habe den zusätzlichen iptables-Befehl ins script eingetragen)

von **bignfan** » Mi 19 Jan, 2005 22:02

hab ich das richtig verstanden, dass man sich bei suse 9.2 auch ohne das inode-skript nur durch einstellen im yast einwählen kann?

falls ja, bitte erklär mir das genauer..
wie wählst dich dann ein wennst es eingestellt hast?

das inode-skript hat leider kein wiedereinwahl-feature

von **robspr** » Mi 19 Jan, 2005 22:18

Im yast "network devices", dort "dsl" und einfach einen neuen Eintrag erzeugen (mit Protokoll pppoe). Dazu deine Netzwerkkarte angeben und deine Einwahlparameter - das wars.

Automatische Wiedereinwahl funktioniert nicht unbedingt, also am besten einen cronjob der immer wieder schaut ob die Verbindung noch da ist und gegebenenfalls neu einwählt.

Einwahl mit: ifup, Abwahl mit ifdown

von **bignfan** » Mi 19 Jan, 2005 23:02

ah cool
bei älteren versionen ging das nicht..

muss ich gleich mal ausprobieren wenn ich zeit zum installieren habe...
und wie mach ich das mit dem cronjob? was muss ich da machen dass er die connection checkt?

von **robspr** » Mi 19 Jan, 2005 23:20

prüf z.B. alle 5 Minuten ob ping -c 1 -w 4 195.58.161.122 noch geht, wenn nicht mach einen disconnect und einen neuen connect.

du kannst aber auch prüfen mit: "ps aux | grep pppd | grep -v grep" ob der pppd daemon noch läuft.

oder schau mal auf: http://xDSL.at/phpbb2/viewtopic.php?t=1 ... ect+script

xDSL.at

Inode xDSL linux nat probleme mit pppoe

Inode xDSL linux nat probleme mit pppoe

Wer ist online?