View Issue Details | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0000249 | Endian Firewall | Other Services | public | 2007-08-27 14:45 | 2007-12-31 19:15 | ||||
Reporter | mauretto79 | ||||||||
Assigned To | peter-endian | ||||||||
Priority | normal | Severity | major | Reproducibility | have not tried | ||||
Status | closed | Resolution | fixed | ||||||
Platform | OS | OS Version | |||||||
Product Version | 2.1.2 | ||||||||
Target Version | Fixed in Version | 2.2-beta2 | |||||||
Summary | 0000249: Impossible to create an external access for ORANGE - ALL access | ||||||||
Description | If I create a port forwarding for a port, e.g. 22, and create an external access only for one IP, the port forwarding works, but from all (RED) external IPs. | ||||||||
Additional Information | Output of ifconfig and iptables -L from the firewall. Thanks. Best Regards | ||||||||
Tags | No tags attached. | ||||||||
Attached Files | |||||||||
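As an added example (not part of the original report or of Endian Firewall), the following Python check reads the name-resolved output of iptables -L, as the reporter attached, and flags forwarded services in the PORTFWACCESS chain whose per-source ACCEPT rules sit beside an ACCEPT from "anywhere"; that is exactly the condition under which a restriction to one external IP has no effect. The chain name and the destination IP come from the report; the sample rule lines and hostnames are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `iptables -L` (names resolved, no -n),
# reduced to a few lines. Hostnames are placeholders, not from the report.
SAMPLE_IPTABLES_L = """\
Chain PORTFWACCESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  host-a.example.net   192.168.77.209       tcp dpt:ssh
ACCEPT     tcp  --  host-b.example.net   192.168.77.209       tcp dpt:ssh
ACCEPT     tcp  --  anywhere             192.168.77.209       tcp dpt:ssh
ACCEPT     tcp  --  anywhere             192.168.77.209       tcp dpt:http
ACCEPT     tcp  --  host-a.example.net   192.168.0.51         tcp dpt:http-alt
Chain PORTSCAN (2 references)
target     prot opt source               destination
"""

# One ACCEPT rule line: target, protocol, "--", source, destination, "... dpt:PORT".
RULE_RE = re.compile(
    r"^ACCEPT\s+(?P<proto>\S+)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+.*?dpt:(?P<port>\S+)"
)


def parse_chain(output, chain="PORTFWACCESS"):
    """Return the ACCEPT rules of one chain as (proto, src, dst, port) tuples."""
    rules, inside = [], False
    for line in output.splitlines():
        if line.startswith("Chain "):
            inside = line.split()[1] == chain   # enter/leave the chain of interest
            continue
        if inside:
            m = RULE_RE.match(line)
            if m:
                rules.append((m["proto"], m["src"], m["dst"], m["port"]))
    return rules


def find_shadowed_restrictions(rules):
    """Forwarded services that have source-restricted ACCEPTs *and* an ACCEPT
    from anywhere. Every rule is an ACCEPT, so the catch-all admits all sources
    regardless of order; the per-host rules are decorative."""
    by_service = defaultdict(set)
    for proto, src, dst, port in rules:
        by_service[(proto, dst, port)].add(src)
    return sorted(
        (dst, port, sorted(srcs - {"anywhere"}))
        for (proto, dst, port), srcs in by_service.items()
        if "anywhere" in srcs and len(srcs) > 1
    )
```

Run it against a saved iptables -L listing after each rule change; an empty result means every source-restricted forward is actually restricted.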
(0000559) peter-endian (administrator) 2007-10-27 19:06 |
You can now select on which uplink/vpn endpoint the portfw should happen |
Date Modified | Username | Field | Change |
2007-08-27 14:45 | mauretto79 | New Issue | |
2007-10-27 19:06 | peter-endian | Status | new => resolved |
2007-10-27 19:06 | peter-endian | Fixed in Version | => 2.2 |
2007-10-27 19:06 | peter-endian | Resolution | open => fixed |
2007-10-27 19:06 | peter-endian | Assigned To | => peter-endian |
2007-10-27 19:06 | peter-endian | Note Added: 0000559 | |
2007-12-31 19:15 | raphael-endian | Fixed in Version | 2.2-beta1 => 2.2-beta2 |
2007-12-31 19:15 | raphael-endian | Status | resolved => closed |