
0000249: Impossible create an external access for ORANGE - ALL access - MantisBT
MantisBT - Endian Firewall
View Issue Details
ID: 0000249
Project: Endian Firewall
Category: Other Services
View Status: public
Date Submitted: 2007-08-27 14:45
Last Update: 2007-12-31 19:15
Reporter: mauretto79
Assigned To: peter-endian
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.1.2
Fixed in Version: 2.2-beta2
Summary: 0000249: Impossible create an external access for ORANGE - ALL access
If I create a port forwarding for a port, e.g. 22, and create an external access only for one IP, the port forwarding works, but from all (RED) external IPs.
ifconfig
________

br0 Link encap:Ethernet HWaddr 00:13:49:25:6C:69
          inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:932218 errors:0 dropped:0 overruns:0 frame:0
          TX packets:847767 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:118500974 (113.0 MiB) TX bytes:800519041 (763.4 MiB)

br1 Link encap:Ethernet HWaddr 00:E0:4C:E7:36:54
          inet addr:192.168.77.1 Bcast:192.168.77.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:500000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:460534 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:135357965 (129.0 MiB) TX bytes:79148730 (75.4 MiB)

eth0 Link encap:Ethernet HWaddr 00:13:49:25:6C:69
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:932255 errors:0 dropped:0 overruns:0 frame:0
          TX packets:847556 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:132601158 (126.4 MiB) TX bytes:801093972 (763.9 MiB)
          Interrupt:16 Base address:0xc000

eth1 Link encap:Ethernet HWaddr 00:**:49:**:AF:46
          inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:843944 errors:0 dropped:0 overruns:0 frame:0
          TX packets:727383 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:753151837 (718.2 MiB) TX bytes:137166260 (130.8 MiB)
          Interrupt:17 Base address:0xc400

eth1:0 Link encap:Ethernet HWaddr 00:13:49:25:AF:46
          inet addr:192.168.0.209 Bcast:85.38.127.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          Interrupt:17 Base address:0xc400

eth1:1 Link encap:Ethernet HWaddr 00:13:49:25:AF:46
          inet addr:192.168.0.201 Bcast:85.38.127.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          Interrupt:17 Base address:0xc400

eth2 Link encap:Ethernet HWaddr 00:E0:4C:E7:36:54
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:500164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:460482 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:142666108 (136.0 MiB) TX bytes:79141857 (75.4 MiB)
          Interrupt:21 Base address:0x6000

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:3080 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:251128 (245.2 KiB) TX bytes:251128 (245.2 KiB)

tap1 Link encap:Ethernet HWaddr 00:FF:2A:7A:FE:9A
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:236545 errors:0 dropped:1 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b) TX bytes:16818098 (16.0 MiB)

===========================

iptables -L
____________

Chain ACCEPT_ALL (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW
GREEN_GREEN all -- anywhere anywhere
ORANGE_ORANGE all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 1/sec burst 5 icmp echo-request

Chain BADTCP (2 references)
target prot opt source destination
DROPBADTCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROPBADTCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROPBADTCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
DROPBADTCP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROPBADTCP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
NEWNOTSYN tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

Chain BLUEINPUT (1 references)
target prot opt source destination

Chain BLUE_BLUE (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain CUSTOMFORWARD (1 references)
target prot opt source destination

Chain CUSTOMINPUT (1 references)
target prot opt source destination

Chain CUSTOMOUTPUT (1 references)
target prot opt source destination

Chain DHCPBLUEINPUT (1 references)
target prot opt source destination

Chain DMZHOLES (1 references)
target prot opt source destination
ACCEPT tcp -- 192.168.77.209 192.168.0.51 tcp dpt:microsoft-ds
ACCEPT tcp -- 192.168.77.209 192.168.0.51 tcp dpt:netbios-ns
ACCEPT tcp -- 192.168.77.209 192.168.0.51 tcp dpt:netbios-dgm
ACCEPT tcp -- 192.168.77.209 192.168.0.51 tcp dpt:netbios-ssn
ACCEPT tcp -- 192.168.77.201 192.168.0.51 tcp dpt:microsoft-ds
ACCEPT tcp -- 192.168.77.201 192.168.0.51 tcp dpt:netbios-ns
ACCEPT tcp -- 192.168.77.201 192.168.0.51 tcp dpt:netbios-dgm
ACCEPT tcp -- 192.168.77.201 192.168.0.51 tcp dpt:netbios-ssn
ACCEPT tcp -- 192.168.77.209 192.168.0.51 tcp dpt:imap

Chain DROPBADTCP (5 references)
target prot opt source destination
LOG_BADTCP all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain GREEN_GREEN (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain INPUT (policy DROP)
target prot opt source destination
ipac~o all -- anywhere anywhere
PORTSCAN all -- anywhere anywhere
BADTCP all -- anywhere anywhere
           tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
CUSTOMINPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere limit: avg 1/sec burst 5 icmp echo-request
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT !icmp -- anywhere anywhere state NEW
BLUEINPUT !icmp -- anywhere anywhere state NEW
ORANGEINPUT !icmp -- anywhere anywhere state NEW
OPENVPN all -- anywhere anywhere state NEW
VPNINPUT all -- anywhere anywhere state NEW
OUTGOINGFW all -- anywhere anywhere state NEW
DHCPBLUEINPUT all -- anywhere anywhere
SIPROXD all -- anywhere anywhere state NEW
SMTPD all -- anywhere anywhere state NEW
IPSECRED all -- anywhere anywhere
IPSECBLUE all -- anywhere anywhere
REDINPUT all -- anywhere anywhere
XTACCESS all -- anywhere anywhere state NEW
LOG_INPUT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ipac~fi all -- anywhere anywhere
ipac~fo all -- anywhere anywhere
OPENVPNCLIENTDHCP all -- anywhere anywhere
OPENVPNDHCP all -- anywhere anywhere
PORTSCAN all -- anywhere anywhere
BADTCP all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
CUSTOMFORWARD all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
VPNTRAFFIC all -- anywhere anywhere state NEW
OUTGOINGFW all -- anywhere anywhere state NEW
ACCEPT_ALL all -- anywhere anywhere
DMZHOLES all -- anywhere anywhere state NEW
PORTFWACCESS all -- anywhere anywhere state NEW
LOG_FORWARD all -- anywhere anywhere

Chain IPSECBLUE (1 references)
target prot opt source destination

Chain IPSECRED (1 references)
target prot opt source destination

Chain LOG_BADTCP (1 references)
target prot opt source destination

Chain LOG_FORWARD (1 references)
target prot opt source destination

Chain LOG_INPUT (1 references)
target prot opt source destination

Chain LOG_NEWNOTSYN (1 references)
target prot opt source destination

Chain NEWNOTSYN (1 references)
target prot opt source destination
LOG_NEWNOTSYN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain OPENVPN (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:openvpn

Chain OPENVPNCLIENTDHCP (1 references)
target prot opt source destination

Chain OPENVPNDHCP (1 references)
target prot opt source destination
REJECT udp -- anywhere anywhere udp spt:bootps dpt:bootpc PHYSDEV match --physdev-in tap1 reject-with icmp-port-unreachable

Chain ORANGEINPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ORANGE_ORANGE (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTGOINGFW (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ipac~i all -- anywhere anywhere
CUSTOMOUTPUT all -- anywhere anywhere

Chain PORTFWACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- host100-93-static.34-85-b.business.telecomitalia.it 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- xs-217-220-156-56-static.mi2.albacom.net 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- 62-101-126-232.ip.fastwebnet.it 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- ip-184-39.sn1.eutelia.it 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- host87-25-static.28-87-b.business.telecomitalia.it 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- host193-101-static.38-85-b.business.telecomitalia.it 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- host185-254-static.88-82-b.business.telecomitalia.it 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- host153-202-static.42-88-b.business.telecomitalia.it 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- host192-101-static.38-85-b.business.telecomitalia.it 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- host194-101-static.38-85-b.business.telecomitalia.it 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- host2-161-static.42-88-b.business.telecomitalia.it 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- ip-184-39.sn1.eutelia.it 192.168.77.201 tcp dpt:ms-wbt-server
ACCEPT tcp -- 62-101-126-232.ip.fastwebnet.it 192.168.77.201 tcp dpt:ms-wbt-server
ACCEPT tcp -- host100-93-static.34-85-b.business.telecomitalia.it 192.168.77.201 tcp dpt:ms-wbt-server
ACCEPT tcp -- host87-25-static.28-87-b.business.telecomitalia.it 192.168.77.201 tcp dpt:ms-wbt-server
ACCEPT tcp -- host185-254-static.88-82-b.business.telecomitalia.it 192.168.77.201 tcp dpt:ms-wbt-server
ACCEPT tcp -- host153-202-static.42-88-b.business.telecomitalia.it 192.168.77.201 tcp dpt:ms-wbt-server
ACCEPT tcp -- xs-217-220-156-56-static.mi2.albacom.net 192.168.77.201 tcp dpt:ms-wbt-server
ACCEPT tcp -- host192-101-static.38-85-b.business.telecomitalia.it 192.168.77.201 tcp dpt:ms-wbt-server
ACCEPT tcp -- anywhere 192.168.77.209 tcp dpt:http
ACCEPT tcp -- anywhere 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.77.201 tcp dpt:ms-wbt-server
ACCEPT tcp -- anywhere 192.168.77.209 tcp dpt:http
ACCEPT tcp -- anywhere 192.168.77.209 tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere 192.168.77.209 tcp dpt:netbios-ns
ACCEPT tcp -- anywhere 192.168.77.209 tcp dpt:netbios-dgm
ACCEPT tcp -- anywhere 192.168.77.209 tcp dpt:microsoft-ds
ACCEPT tcp -- host164-29-static.30-87-b.business.telecomitalia.it 192.168.0.51 tcp dpt:http-alt
ACCEPT tcp -- 78-26.cline.it 192.168.0.51 tcp dpt:http-alt
ACCEPT tcp -- host164-29-static.30-87-b.business.telecomitalia.it 192.168.0.51 tcp dpt:ssh
ACCEPT tcp -- 78-26.cline.it 192.168.0.51 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.77.209 tcp dpt:websm
ACCEPT tcp -- host164-29-static.30-87-b.business.telecomitalia.it 192.168.77.209 tcp dpt:7071
ACCEPT tcp -- host164-29-static.30-87-b.business.telecomitalia.it 192.168.0.51 tcp dpt:http
ACCEPT tcp -- host164-29-static.30-87-b.business.telecomitalia.it webdefensor.site tcp dpt:redwood-broker

Chain PORTSCAN (2 references)
target prot opt source destination

Chain REDINPUT (1 references)
target prot opt source destination

Chain SIPROXD (1 references)
target prot opt source destination

Chain SMTPD (1 references)
target prot opt source destination

Chain VPNFW (12 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain VPNINPUT (1 references)
target prot opt source destination
VPN_IN all -- anywhere anywhere
VPN_IN all -- anywhere anywhere
VPN_IN all -- anywhere anywhere PHYSDEV match --physdev-in tap+

Chain VPNTRAFFIC (1 references)
target prot opt source destination
VPNFW all -- anywhere anywhere
DROP all -- anywhere anywhere
VPNFW all -- anywhere anywhere
DROP all -- anywhere anywhere
VPNFW all -- anywhere anywhere
DROP all -- anywhere anywhere
VPNFW all -- anywhere anywhere
DROP all -- anywhere anywhere
VPNFW all -- anywhere anywhere PHYSDEV match --physdev-out tap+
DROP all -- anywhere anywhere PHYSDEV match --physdev-out tap+
VPNFW all -- anywhere anywhere PHYSDEV match --physdev-in tap+
DROP all -- anywhere anywhere PHYSDEV match --physdev-in tap+
VPNFW all -- anywhere anywhere
DROP all -- anywhere anywhere
VPNFW all -- anywhere anywhere
DROP all -- anywhere anywhere
VPNFW all -- anywhere anywhere
DROP all -- anywhere anywhere
VPNFW all -- anywhere anywhere
DROP all -- anywhere anywhere
VPNFW all -- anywhere anywhere PHYSDEV match --physdev-out tap+
DROP all -- anywhere anywhere PHYSDEV match --physdev-out tap+
VPNFW all -- anywhere anywhere PHYSDEV match --physdev-in tap+
DROP all -- anywhere anywhere PHYSDEV match --physdev-in tap+

Chain VPN_IN (3 references)
target prot opt source destination
ACCEPT tcp -- host164-29-static.30-87-b.business.telecomitalia.it anywhere tcp dpt:10443
ACCEPT tcp -- 78-26.cline.it anywhere tcp dpt:10443

Chain XTACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- host164-29-static.30-87-b.business.telecomitalia.it host10-100-static.38-85-b.business.telecomitalia.it tcp dpt:10443
ACCEPT tcp -- 78-26.cline.it host10-100-static.38-85-b.business.telecomitalia.it tcp dpt:10443

Chain ipac~fi (1 references)
target prot opt source destination
           all -- anywhere anywhere
           all -- anywhere anywhere
           all -- anywhere anywhere

Chain ipac~fo (1 references)
target prot opt source destination
           all -- anywhere anywhere
           all -- anywhere anywhere
           all -- anywhere anywhere

Chain ipac~i (1 references)
target prot opt source destination
           all -- anywhere anywhere
           all -- anywhere anywhere
           all -- anywhere anywhere

Chain ipac~o (1 references)
target prot opt source destination
           all -- anywhere anywhere
           all -- anywhere anywhere
           all -- anywhere anywhere


Thanks.
Best Regards
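The PORTFWACCESS chain in the dump above lists source-restricted ACCEPT rules for 192.168.77.209 dpt:ssh next to an ACCEPT from anywhere for the same destination and port; since every matching rule is an ACCEPT, the restriction has no effect. The following script is an added example, not Endian Firewall's code nor the reporter's, that parses `iptables -L` chain output and flags exactly this pattern. The chain text it runs on is a constructed sample in the same format, with the host names shortened.

```python
"""Audit an `iptables -L` chain dump for port-forward ACCEPT rules whose
source restriction is made moot by another rule that accepts the same
protocol/destination/port from `anywhere`."""
from collections import defaultdict

# Constructed sample in the format of `iptables -L` output (a subset of the
# PORTFWACCESS chain from the report, host names shortened to example.net).
SAMPLE_CHAIN = """\
Chain PORTFWACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- host100-93.example.net 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- host87-25.example.net 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- host87-25.example.net 192.168.77.201 tcp dpt:ms-wbt-server
ACCEPT tcp -- anywhere 192.168.77.209 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.77.209 tcp dpt:http
ACCEPT tcp -- host164-29.example.net 192.168.0.51 tcp dpt:http-alt
"""


def parse_chain(text):
    """Parse one chain of `iptables -L` text into rule dicts.

    Returns (chain_name, rules). Each rule carries target, prot, source,
    destination and dport (None when the rule has no `dpt:` match)."""
    chain = None
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            chain = fields[1]
            continue
        if fields[0] == "target":  # column header line
            continue
        # `iptables -L` prints rules with an empty target (e.g. pure
        # accounting or limit rules) starting with whitespace; keep the
        # column positions aligned by inserting an empty target.
        if line[:1] == " ":
            fields = [""] + fields
        # Columns without -v: target prot opt source destination [matches...]
        target, prot, _opt, source, destination = fields[:5]
        dport = None
        for tok in fields[5:]:
            if tok.startswith("dpt:"):
                dport = tok[len("dpt:"):]
        rules.append({"target": target, "prot": prot, "source": source,
                      "destination": destination, "dport": dport})
    return chain, rules


def find_shadowed_restrictions(rules):
    """Group ACCEPT rules by (prot, destination, dport). A group that holds
    both source-restricted rules and an `anywhere` rule is reported: the
    restricted sources add nothing because the open rule already matches."""
    groups = defaultdict(list)
    for r in rules:
        if r["target"] == "ACCEPT":
            groups[(r["prot"], r["destination"], r["dport"])].append(r["source"])
    findings = []
    for (prot, destination, dport), sources in sorted(groups.items()):
        restricted = [s for s in sources if s != "anywhere"]
        if restricted and "anywhere" in sources:
            findings.append({"prot": prot, "destination": destination,
                             "dport": dport, "restricted_sources": restricted})
    return findings


def audit(text):
    """Return (chain_name, findings) for one chain dump."""
    chain, rules = parse_chain(text)
    return chain, find_shadowed_restrictions(rules)


if __name__ == "__main__":
    name, found = audit(SAMPLE_CHAIN)
    for f in found:
        print(f"{name}: {f['prot']}/{f['dport']} to {f['destination']} is open "
              f"to anywhere; restricting to {', '.join(f['restricted_sources'])} "
              "has no effect")
```

To run it against a live box, feed it the output of `iptables -L PORTFWACCESS` (without `-v`, since the extra counter columns would shift the field positions the parser relies on). The check is deliberately order-independent: with all rules in the group being ACCEPT, it does not matter whether the open rule comes before or after the restricted ones.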
No tags attached.
Issue History
2007-08-27 14:45  mauretto79  New Issue
2007-10-27 19:06  peter-endian  Status: new => resolved
2007-10-27 19:06  peter-endian  Fixed in Version: => 2.2
2007-10-27 19:06  peter-endian  Resolution: open => fixed
2007-10-27 19:06  peter-endian  Assigned To: => peter-endian
2007-10-27 19:06  peter-endian  Note Added: 0000559
2007-12-31 19:15  raphael-endian  Fixed in Version: 2.2-beta1 => 2.2-beta2
2007-12-31 19:15  raphael-endian  Status: resolved => closed

Notes
(0000559) peter-endian 2007-10-27 19:06
You can now select on which uplink/vpn endpoint the portfw should happen