Linux IP routing: help

362 views

Skip to first unread message

José Sanabria

unread,

May 12, 2015, 8:25:41 PM5/12/15

to vg...@googlegroups.com

Hi!
I have two access to internet..

I have a LAN 192.168.0.0/24 but, the IP 192.168.0.2 only I need to out for the other conection.

Example:

192.168.0.0/24 <- ppp0
192.168.0.2/32 <- ppp1

How to make the changes? I don't understand all the options of IP..
Thanks in advance!

jigar soni

unread,

May 13, 2015, 12:56:19 AM5/13/15

to vg...@googlegroups.com

Hello,

Please explain in detail what is your requirement and what u want to do?
so that anyone can help

José Sanabria

unread,

May 13, 2015, 11:44:57 AM5/13/15

to vg...@googlegroups.com

Hi Jigar!

Well, I have a one LAN 192.168.0.0/24

And have two conection to Internet (ppp0 and ppp1)

All PCs get out to Internet over the conexion of ppp0

But, I need only one PC of the LAN 192.168.0.0/24 to get out over the ppp1

The PC have a fix IP 192.168.0.2/32

I can make the changes with IP command?

I test the iptables, without result.

I make the changes with the IP command:

# echo 202 voip >> /etc/iproute2/rt_tables

# ip rule add from 192.168.0.2/32 table fibra

# ip route add default dev ppp1 table fibra

# ip route flush cache

The IP 192.168.0.2/32 get out to the Internet over ppp1

But, connecting other PC with OPENVPN to access lan remotely, I can't ping or see the 192.168.0.2/32, but I can see all other IP. Only the 192.168.0.2/32 I can't access.

Only within the LAN I can ping..

You understand me?

Nilesh Jain

unread,

May 13, 2015, 11:45:06 AM5/13/15

to vg...@googlegroups.com

we cant get you what you want to know, please let us know your lan ip details and internet connection network/ip details.

--
Please read http://www.catb.org/~esr/faqs/smart-questions.html before posting.
You received this message because you are subscribed to the "Vibrant GNU/Linux User Group".
To stop receiving emails from this group, mail to VGLUG+un...@googlegroups.com
To post to this group, send email to VG...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/VGLUG

---
You received this message because you are subscribed to the Google Groups "VGLUG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vglug+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nilesh Jain

Nimit Gajjar

unread,

May 13, 2015, 12:51:16 PM5/13/15

to vglug

Hi ,

Can you go through below links might be that will surely will help you.

http://www.linuxhorizon.ro/iproute2.html

http://www.rjsystems.nl/en/2100-adv-routing.php

http://linux-ip.net/html/adv-multi-internet.html

I assure you will get your solutions in above URL.

Thanks

NImit GAjjar

--

Please read http://www.catb.org/~esr/faqs/smart-questions.html before posting.
You received this message because you are subscribed to the "Vibrant GNU/Linux User Group".
To stop receiving emails from this group, mail to VGLUG+un...@googlegroups.com
To post to this group, send email to VG...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/VGLUG

---
You received this message because you are subscribed to the Google Groups "VGLUG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vglug+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Regards
Nimit Gajjar

tell : +91 8734851688
e-mail : nimit....@gmail.com
Skype : nimit.gajjar

Bhushan

unread,

May 14, 2015, 6:09:05 AM5/14/15

to vg...@googlegroups.com

Hi José,

In this case, you can achieve this by MARKING and Classifying packets with TOS. You will need to add one iptables rule in PREROUTING chain and one rule using ip command to define route based on TOS value. Below are the commands for the same.

iptables -t mangle -I PREROUTING -s 192.168.0.2 -j TOS --set-tos 0x10
ip route add tos 0x10 dev ppp1

Let me know if you face any problem in above implementation.

Regards,
Bhushan Karia

Nilesh Jain

unread,

May 14, 2015, 11:10:58 AM5/14/15

to vg...@googlegroups.com

post me here your iptables -nL and iptables -t nat -vL and ifconfig

Thanks

Nilesh Jain

José Sanabria

unread,

May 18, 2015, 8:46:38 PM5/18/15

to vg...@googlegroups.com

Bhushan!

Your configuration is great! Work 100%

Very Thanks for your help!!!

José Sanabria

unread,

May 18, 2015, 8:46:38 PM5/18/15

to vg...@googlegroups.com

Nilesh!

Later of the configuration of Bhushan, the config look as:

# iptables -nL

Chain INPUT (policy DROP)

target prot opt source destination

AS0_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

AS0_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

AS0_IN_PRE all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x2000000/0x2000000

AS0_ACCEPT tcp -- 0.0.0.0/0 201.217.4X.17X state NEW tcp dpt:915

AS0_ACCEPT tcp -- 0.0.0.0/0 201.217.4X.17X state NEW tcp dpt:914

AS0_ACCEPT udp -- 0.0.0.0/0 201.217.4X.17X state NEW udp dpt:917

AS0_ACCEPT udp -- 0.0.0.0/0 201.217.4X.17X state NEW udp dpt:916

AS0_WEBACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

AS0_WEBACCEPT tcp -- 0.0.0.0/0 201.217.4X.17X state NEW tcp dpt:943

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

ACCEPT tcp -- 8.8.8.8 0.0.0.0/0 tcp dpt:53

ACCEPT udp -- 8.8.8.8 0.0.0.0/0 udp dpt:53

ACCEPT tcp -- 8.8.8.8 0.0.0.0/0 tcp spt:53

ACCEPT udp -- 8.8.8.8 0.0.0.0/0 udp spt:53

ACCEPT tcp -- 201.217.1.230 0.0.0.0/0 tcp dpt:53

ACCEPT udp -- 201.217.1.230 0.0.0.0/0 udp dpt:53

ACCEPT tcp -- 201.217.1.230 0.0.0.0/0 tcp spt:53

ACCEPT udp -- 201.217.1.230 0.0.0.0/0 udp spt:53

LOCALINPUT all -- 0.0.0.0/0 0.0.0.0/0

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

SYNFLOOD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02

INVALID tcp -- 0.0.0.0/0 0.0.0.0/0

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:143

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:465

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:587

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:993

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:995

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:1194

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:1891

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:7100

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8000

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8500

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8080

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8246

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8888

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:10000

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:31272

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:20

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:21

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:123

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:5060

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:7100

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:8000

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:8246

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:8500

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:1194

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:31272

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3

LOGDROPIN all -- 0.0.0.0/0 0.0.0.0/0

ACCEPT tcp -- 0.0.0.0/0 201.217.55.1X tcp dpt:25

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25

ACCEPT tcp -- 0.0.0.0/0 201.217.55.1X tcp dpt:110

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110

ACCEPT tcp -- 0.0.0.0/0 201.217.55.1X tcp dpt:143

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143

ACCEPT tcp -- 0.0.0.0/0 201.217.55.1X tcp dpt:443

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

ACCEPT tcp -- 0.0.0.0/0 201.217.55.1X tcp dpt:465

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5989

ACCEPT tcp -- 0.0.0.0/0 201.217.55.1X tcp dpt:993

ACCEPT tcp -- 0.0.0.0/0 201.217.55.1X tcp dpt:995

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995

ACCEPT tcp -- 0.0.0.0/0 201.217.55.1X tcp dpt:10000

ACCEPT tcp -- 0.0.0.0/0 201.217.4X.17X tcp dpt:8000

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000

Chain FORWARD (policy DROP)

target prot opt source destination

AS0_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

AS0_IN_PRE all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x2000000/0x2000000

AS0_OUT_S2C all -- 0.0.0.0/0 0.0.0.0/0

DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)

target prot opt source destination

AS0_OUT_LOCAL all -- 0.0.0.0/0 0.0.0.0/0

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

ACCEPT tcp -- 0.0.0.0/0 8.8.8.8 tcp dpt:53

ACCEPT udp -- 0.0.0.0/0 8.8.8.8 udp dpt:53

ACCEPT tcp -- 0.0.0.0/0 8.8.8.8 tcp spt:53

ACCEPT udp -- 0.0.0.0/0 8.8.8.8 udp spt:53

ACCEPT tcp -- 0.0.0.0/0 201.217.1.230 tcp dpt:53

ACCEPT udp -- 0.0.0.0/0 201.217.1.230 udp dpt:53

ACCEPT tcp -- 0.0.0.0/0 201.217.1.230 tcp spt:53

ACCEPT udp -- 0.0.0.0/0 201.217.1.230 udp spt:53

LOCALOUTPUT all -- 0.0.0.0/0 0.0.0.0/0

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 OWNER GID match 89

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 OWNER GID match 41

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 OWNER GID match 12

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 OWNER UID match 89

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 OWNER UID match 0

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 OWNER GID match 89

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 OWNER GID match 41

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 OWNER GID match 12

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 OWNER UID match 89

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 OWNER UID match 0

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

INVALID tcp -- 0.0.0.0/0 0.0.0.0/0

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:20

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:21

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:113

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:1194

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:5060

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:5900

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8246

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:20

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:21

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:113

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:123

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:5060

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:8246

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:1194

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpts:33434:33523

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3

DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ALLOWIN (1 references)

target prot opt source destination

Chain ALLOWOUT (1 references)

target prot opt source destination

Chain AS0_ACCEPT (7 references)

target prot opt source destination

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain AS0_DNS (2 references)

target prot opt source destination

ACCEPT all -- 0.0.0.0/0 8.8.8.8

ACCEPT all -- 0.0.0.0/0 201.217.1.230

DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain AS0_IN (3 references)

target prot opt source destination

ACCEPT all -- 0.0.0.0/0 10.215.11.1

ACCEPT all -- 0.0.0.0/0 192.168.0.0/24

DROP all -- 0.0.0.0 0.0.0.0/0

AS0_IN_POST all -- 0.0.0.0/0 0.0.0.0/0

Chain AS0_IN_POST (2 references)

target prot opt source destination

AS0_OUT all -- 0.0.0.0/0 0.0.0.0/0

DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain AS0_IN_PRE (2 references)

target prot opt source destination

AS0_DNS tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53

AS0_DNS udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53

AS0_IN all -- 0.0.0.0/0 192.168.0.0/16

AS0_IN all -- 0.0.0.0/0 172.16.0.0/12

AS0_IN all -- 0.0.0.0/0 10.0.0.0/8

DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain AS0_OUT (2 references)

target prot opt source destination

DROP all -- 0.0.0.0/0 0.0.0.0

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain AS0_OUT_LOCAL (1 references)

target prot opt source destination

DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain AS0_OUT_S2C (1 references)

target prot opt source destination

AS0_OUT all -- 0.0.0.0/0 0.0.0.0/0

Chain AS0_U_ESOJ_IN (0 references)

target prot opt source destination

ACCEPT all -- 0.0.0.0/0 192.168.0.0/24

AS0_IN_POST all -- 0.0.0.0/0 0.0.0.0/0

Chain AS0_U_ESOJ_OUT (0 references)

target prot opt source destination

ACCEPT all -- 192.168.0.0/24 0.0.0.0/0

ACCEPT all -- 10.215.11.0/24 0.0.0.0/0

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain AS0_WEBACCEPT (2 references)

target prot opt source destination

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain DENYIN (1 references)

target prot opt source destination

DROP all -- 50.117.114.82 0.0.0.0/0

DROP all -- 184.75.215.138 0.0.0.0/0

DROP all -- 69.30.209.188 0.0.0.0/0

DROP all -- 5.79.71.41 0.0.0.0/0

DROP all -- 5.79.71.39 0.0.0.0/0

DROP all -- 93.107.165.70 0.0.0.0/0

DROP all -- 213.136.70.62 0.0.0.0/0

DROP all -- 198.27.108.0/24 0.0.0.0/0

DROP all -- 198.100.150.99 0.0.0.0/0

DROP all -- 198.100.156.138 0.0.0.0/0

DROP all -- 201.217.6.126 0.0.0.0/0

DROP all -- 85.13.223.0/24 0.0.0.0/0

DROP all -- 192.99.147.120 0.0.0.0/0

DROP all -- 177.2.102.136 0.0.0.0/0

DROP all -- 94.245.121.253 0.0.0.0/0

DROP all -- 181.40.78.66 0.0.0.0/0

DROP all -- 190.104.130.19 0.0.0.0/0

DROP all -- 190.104.130.10 0.0.0.0/0

DROP all -- 69.25.27.0/24 0.0.0.0/0

DROP all -- 190.104.130.21 0.0.0.0/0

DROP all -- 190.104.130.13 0.0.0.0/0

DROP all -- 190.104.130.8 0.0.0.0/0

DROP all -- 162.220.112.0/24 0.0.0.0/0

DROP all -- 173.225.191.0/24 0.0.0.0/0

DROP all -- 201.217.236.53 0.0.0.0/0

DROP all -- 8.29.153.0/24 0.0.0.0/0

DROP all -- 192.168.1.101 0.0.0.0/0

DROP all -- 78.153.194.0/24 0.0.0.0/0

DROP all -- 192.168.0.126 0.0.0.0/0

DROP all -- 192.168.1.102 0.0.0.0/0

DROP all -- 192.168.0.126 0.0.0.0/0

DROP all -- 87.223.200.180 0.0.0.0/0

DROP all -- 69.36.160.0/24 0.0.0.0/0

DROP all -- 192.168.0.126 0.0.0.0/0

DROP all -- 192.168.0.116 0.0.0.0/0

DROP all -- 192.168.0.7 0.0.0.0/0

DROP all -- 200.40.216.234 0.0.0.0/0

DROP all -- 192.168.0.126 0.0.0.0/0

DROP all -- 99.166.126.34 0.0.0.0/0

DROP all -- 142.0.41.40 0.0.0.0/0

DROP all -- 192.168.0.102 0.0.0.0/0

DROP all -- 180.179.207.134 0.0.0.0/0

DROP all -- 81.44.140.67 0.0.0.0/0

DROP all -- 1.168.141.98 0.0.0.0/0

DROP all -- 187.246.234.80 0.0.0.0/0

DROP all -- 94.203.3.234 0.0.0.0/0

DROP all -- 5.70.108.82 0.0.0.0/0

DROP all -- 212.117.61.248 0.0.0.0/0

DROP all -- 32.208.156.153 0.0.0.0/0

DROP all -- 46.29.255.28 0.0.0.0/0

DROP all -- 222.186.21.0/24 0.0.0.0/0

DROP all -- 192.168.1.25 0.0.0.0/0

DROP all -- 82.103.94.62 0.0.0.0/0

DROP all -- 162.208.48.107 0.0.0.0/0

DROP all -- 200.3.251.237 0.0.0.0/0

DROP all -- 72.81.224.178 0.0.0.0/0

DROP all -- 192.168.1.2 0.0.0.0/0

DROP all -- 159.104.162.0/24 0.0.0.0/0

DROP all -- 61.183.128.6 0.0.0.0/0

DROP all -- 222.174.5.45 0.0.0.0/0

DROP all -- 216.107.152.228 0.0.0.0/0

DROP all -- 94.102.56.231 0.0.0.0/0

DROP all -- 162.195.125.39 0.0.0.0/0

DROP all -- 192.168.0.181 0.0.0.0/0

Chain DENYOUT (1 references)

target prot opt source destination

DROP all -- 0.0.0.0/0 50.117.114.82

DROP all -- 0.0.0.0/0 184.75.215.138

DROP all -- 0.0.0.0/0 69.30.209.188

DROP all -- 0.0.0.0/0 5.79.71.41

DROP all -- 0.0.0.0/0 5.79.71.39

DROP all -- 0.0.0.0/0 93.107.165.70

DROP all -- 0.0.0.0/0 213.136.70.62

DROP all -- 0.0.0.0/0 198.27.108.0/24

DROP all -- 0.0.0.0/0 198.100.150.99

DROP all -- 0.0.0.0/0 198.100.156.138

DROP all -- 0.0.0.0/0 201.217.6.126

DROP all -- 0.0.0.0/0 85.13.223.0/24

DROP all -- 0.0.0.0/0 192.99.147.120

DROP all -- 0.0.0.0/0 177.2.102.136

DROP all -- 0.0.0.0/0 94.245.121.253

DROP all -- 0.0.0.0/0 181.40.78.66

DROP all -- 0.0.0.0/0 190.104.130.19

DROP all -- 0.0.0.0/0 190.104.130.10

DROP all -- 0.0.0.0/0 69.25.27.0/24

DROP all -- 0.0.0.0/0 190.104.130.21

DROP all -- 0.0.0.0/0 190.104.130.13

DROP all -- 0.0.0.0/0 190.104.130.8

DROP all -- 0.0.0.0/0 162.220.112.0/24

DROP all -- 0.0.0.0/0 173.225.191.0/24

DROP all -- 0.0.0.0/0 201.217.236.53

DROP all -- 0.0.0.0/0 8.29.153.0/24

DROP all -- 0.0.0.0/0 192.168.1.101

DROP all -- 0.0.0.0/0 78.153.194.0/24

DROP all -- 0.0.0.0/0 192.168.0.126

DROP all -- 0.0.0.0/0 192.168.1.102

DROP all -- 0.0.0.0/0 192.168.0.126

DROP all -- 0.0.0.0/0 87.223.200.180

DROP all -- 0.0.0.0/0 69.36.160.0/24

DROP all -- 0.0.0.0/0 192.168.0.126

DROP all -- 0.0.0.0/0 192.168.0.116

DROP all -- 0.0.0.0/0 192.168.0.7

DROP all -- 0.0.0.0/0 200.40.216.234

DROP all -- 0.0.0.0/0 192.168.0.126

DROP all -- 0.0.0.0/0 99.166.126.34

DROP all -- 0.0.0.0/0 142.0.41.40

DROP all -- 0.0.0.0/0 192.168.0.102

DROP all -- 0.0.0.0/0 180.179.207.134

DROP all -- 0.0.0.0/0 81.44.140.67

DROP all -- 0.0.0.0/0 1.168.141.98

DROP all -- 0.0.0.0/0 187.246.234.80

DROP all -- 0.0.0.0/0 94.203.3.234

DROP all -- 0.0.0.0/0 5.70.108.82

DROP all -- 0.0.0.0/0 212.117.61.248

DROP all -- 0.0.0.0/0 32.208.156.153

DROP all -- 0.0.0.0/0 46.29.255.28

DROP all -- 0.0.0.0/0 222.186.21.0/24

DROP all -- 0.0.0.0/0 192.168.1.25

DROP all -- 0.0.0.0/0 82.103.94.62

DROP all -- 0.0.0.0/0 162.208.48.107

DROP all -- 0.0.0.0/0 200.3.251.237

DROP all -- 0.0.0.0/0 72.81.224.178

DROP all -- 0.0.0.0/0 192.168.1.2

DROP all -- 0.0.0.0/0 159.104.162.0/24

DROP all -- 0.0.0.0/0 61.183.128.6

DROP all -- 0.0.0.0/0 222.174.5.45

DROP all -- 0.0.0.0/0 216.107.152.228

DROP all -- 0.0.0.0/0 94.102.56.231

DROP all -- 0.0.0.0/0 162.195.125.39

DROP all -- 0.0.0.0/0 192.168.0.181

Chain INVALID (2 references)

target prot opt source destination

INVDROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00

INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F

INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03

INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06

INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05

INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01

INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08

INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20

INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW

Chain INVDROP (10 references)

target prot opt source destination

DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain LOCALINPUT (1 references)

target prot opt source destination

ALLOWIN all -- 0.0.0.0/0 0.0.0.0/0

DENYIN all -- 0.0.0.0/0 0.0.0.0/0

Chain LOCALOUTPUT (1 references)

target prot opt source destination

ALLOWOUT all -- 0.0.0.0/0 0.0.0.0/0

DENYOUT all -- 0.0.0.0/0 0.0.0.0/0

UDPFLOOD udp -- 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPIN (1 references)

target prot opt source destination

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:68

DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111

DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113

DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:113

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139

DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:500

DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513

DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:513

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:520

DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520

LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '

LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '

LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '

DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPOUT (0 references)

target prot opt source destination

LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '

LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '

LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '

DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain SYNFLOOD (1 references)

target prot opt source destination

RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 150

LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *SYNFLOOD Blocked* '

DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain UDPFLOOD (1 references)

target prot opt source destination

RETURN udp -- 0.0.0.0/0 0.0.0.0/0 OWNER UID match 25

RETURN udp -- 0.0.0.0/0 0.0.0.0/0 OWNER UID match 0

RETURN udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 500

LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDPFLOOD* '

DROP udp -- 0.0.0.0/0 0.0.0.0/0

iptables -t nat -vL

Chain PREROUTING (policy ACCEPT 373K packets, 26M bytes)

pkts bytes target prot opt in out source destination

4 240 AS0_NAT_PRE_REL_EST all -- any any anywhere anywhere state RELATED,ESTABLISHED

7 490 AS0_DPFWD_UDP udp -- any any anywhere smtp.domain-py.com udp dpt:openvpn state NEW

0 0 AS0_DPFWD_TCP tcp -- any any anywhere smtp.domain-py.com tcp dpt:openvpn state NEW

6209 273K DNAT tcp -- any any anywhere mail.domain-py.com tcp dpt:31272 to:192.168.0.4:31272

59 11548 DNAT udp -- any any anywhere mail.domain-py.com udp dpt:31272 to:192.168.0.4:31272

169 8372 DNAT tcp -- any any anywhere mx.domain-py.com tcp dpt:webcache to:192.168.0.4:8080

1114 58416 DNAT tcp -- any any anywhere mx.domain-py.com tcp dpt:ddi-tcp-1 to:192.168.0.4:80

9 436 DNAT tcp -- any any anywhere mx.domain-py.com tcp dpt:irdmi to:192.168.0.7:8080

9 480 DNAT tcp -- any any anywhere smtp.domain-py.com tcp dpt:fde to:192.168.0.41:3389

0 0 DNAT tcp -- any any anywhere smtp.domain-py.com tcp dpt:xfs to:192.168.0.5:80

Chain POSTROUTING (policy ACCEPT 41302 packets, 2834K bytes)

pkts bytes target prot opt in out source destination

4 240 AS0_NAT_POST_REL_EST all -- any any anywhere anywhere state RELATED,ESTABLISHED

29 5329 AS0_NAT_PRE all -- any any anywhere anywhere MARK match 0x2000000/0x2000000

139K 10M MASQUERADE all -- any any 192.168.0.0/24 anywhere

Chain OUTPUT (policy ACCEPT 35565 packets, 2745K bytes)

pkts bytes target prot opt in out source destination

Chain AS0_DPFWD_TCP (1 references)

pkts bytes target prot opt in out source destination

0 0 DNAT tcp -- any any anywhere anywhere to:201.217.4X.17X:914

0 0 ACCEPT all -- any any anywhere anywhere

Chain AS0_DPFWD_UDP (1 references)

pkts bytes target prot opt in out source destination

0 0 DNAT udp -- any any anywhere anywhere to:201.217.4X.17X:916

0 0 ACCEPT all -- any any anywhere anywhere

Chain AS0_NAT (2 references)

pkts bytes target prot opt in out source destination

24 5024 SNAT all -- any eth1 anywhere anywhere to:192.168.0.1

0 0 SNAT all -- any eth0 anywhere anywhere to:192.168.1.10

0 0 SNAT all -- any ppp1 anywhere anywhere to:190.23.18.51

5 305 SNAT all -- any ppp0 anywhere anywhere to:190.23.151.161

0 0 ACCEPT all -- any any anywhere anywhere

Chain AS0_NAT_POST_REL_EST (1 references)

pkts bytes target prot opt in out source destination

4 240 ACCEPT all -- any any anywhere anywhere

Chain AS0_NAT_PRE (1 references)

pkts bytes target prot opt in out source destination

24 5024 AS0_NAT_TEST all -- any any anywhere 192.168.0.0/16

0 0 AS0_NAT_TEST all -- any any anywhere 172.16.0.0/12

0 0 AS0_NAT_TEST all -- any any anywhere 10.0.0.0/8

5 305 AS0_NAT all -- any any anywhere anywhere

Chain AS0_NAT_PRE_REL_EST (1 references)

pkts bytes target prot opt in out source destination

4 240 ACCEPT all -- any any anywhere anywhere

Chain AS0_NAT_TEST (3 references)

pkts bytes target prot opt in out source destination

0 0 ACCEPT all -- any as0t+ anywhere anywhere

0 0 ACCEPT all -- any any anywhere 10.215.11.0/24

24 5024 AS0_NAT all -- any any anywhere anywhere

Some IP and Domains has been masked for security questions. Thanks for your understanding..

Bhushan

unread,

May 19, 2015, 1:00:07 PM5/19/15

to vg...@googlegroups.com

Hi José,

Thats good I am glad it helped. Apart from this looking at your configuration, there are many iptables rules. You can reduce it with ipset and few other modules like multiport in order to optimize packet traversal.

Regards,
Bhushan Karia

Reply all

Reply to author

Forward

0 new messages