Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: ACF on May 03, 2004, 04:27:11 PM
-
I have an SME 6.0 box with CLAM AV, Spamassassin EZMLM and Mambo 4.5.1.07 running. I seem to have a block on on particular range of IPO adresses I need to reach.
Behind my mitel if I try to reach 207.103.198.x
I get no website, no ping, tracert says destination not reachable.
From outside the Mitel, on my network I can reach the destination fine.
Everywhere else on the web seems to work fine and be accessible.
I have reviewed all the fragments in /etc/e-smith/templates/etc/rc.d/init.d/masq (and templates-custom)
I cannot find any specific reference to DENY any IP address of this range. Can anyone suggest where or what I might look for to debug this?
Thank you! :-o
-
Hi - list all the firewall rules with iptables -L or install the unfinished firewall contrib which also lists them. Post here if you cant find a rule blocking.
Regards
Brian K
-
Here are the firewall rules: Thanks for any advice
FILTER
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
InboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
InboundUDP udp -- anywhere anywhere
denylog udp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc
gre-in gre -- anywhere anywhere
denylog gre -- anywhere anywhere
denylog all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
ForwardedTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ForwardedUDP udp -- anywhere anywhere
denylog all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
OutboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_26922 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain ForwardedTCP_26922 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.6.18.2 tcp dpt:www
ACCEPT tcp -- anywhere 10.6.17.3 tcp dpt:smtp
ACCEPT tcp -- anywhere 10.6.17.3 tcp dpt:www
Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_26922 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain ForwardedUDP_26922 (1 references)
target prot opt source destination
Chain InboundICMP (1 references)
target prot opt source destination
InboundICMP_26922 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain InboundICMP_26922 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_26922 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain InboundTCP_26922 (1 references)
target prot opt source destination
denylog all -- anywhere !10.6.17.2
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
denylog tcp -- anywhere anywhere tcp dpt:imap2
denylog tcp -- anywhere anywhere tcp dpt:ldap
denylog tcp -- anywhere anywhere tcp dpt:pop3
denylog tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
denylog tcp -- anywhere anywhere tcp dpt:telnet
Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_26922 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain InboundUDP_26922 (1 references)
target prot opt source destination
denylog all -- anywhere !10.6.17.2
Chain OutboundICMP (1 references)
target prot opt source destination
OutboundICMP_26922 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain OutboundICMP_26922 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain PPPconn (2 references)
target prot opt source destination
PPPconn_1 all -- anywhere anywhere
Chain PPPconn_1 (1 references)
target prot opt source destination
Chain denylog (24 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain gre-in (1 references)
target prot opt source destination
denylog all -- anywhere !10.6.17.2
denylog all -- anywhere anywhere
Chain local_chk (2 references)
target prot opt source destination
local_chk_26922 all -- anywhere anywhere
Chain local_chk_26922 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 10.6.18.0/24 anywhere
Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
NAT
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PortForwarding all -- anywhere anywhere
SMTPProxy tcp -- anywhere anywhere tcp dpt:smtp
TransProxy tcp -- anywhere anywhere tcp dpt:www
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
PostroutingOutbound all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PortForwarding (1 references)
target prot opt source destination
PortForwarding_26922 all -- anywhere 10.6.17.2
Chain PortForwarding_26922 (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:3453 to:10.6.18.2:80
DNAT tcp -- anywhere anywhere tcp dpt:smtp to:10.6.17.3:25
DNAT tcp -- anywhere anywhere tcp dpt:234 to:10.6.17.3:80
Chain PostroutingOutbound (1 references)
target prot opt source destination
ACCEPT all -- 10.6.17.2 anywhere
MASQUERADE all -- anywhere anywhere
Chain SMTPProxy (1 references)
target prot opt source destination
ACCEPT all -- anywhere localhost
ACCEPT all -- anywhere www.mydomain.com
ACCEPT all -- anywhere 10.6.17.2
DNAT tcp -- anywhere anywhere to:10.6.18.1:25
Chain TransProxy (1 references)
target prot opt source destination
ACCEPT all -- anywhere localhost
ACCEPT all -- anywhere www.mydomain.com
ACCEPT all -- anywhere 10.6.17.2
DNAT tcp -- anywhere anywhere to:10.6.18.1:3128
MANGLE
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TOS tcp -- anywhere anywhere tcp dpt:ftp TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:ssh TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:telnet TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:smtp TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:www TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:pop3 TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:ftp-data TOS set Maximize-Throughput
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
-
Well nothing there seems to be the problem. With virtually the same rules I can ping 207.103.198.1
Did it used to work?
If so what have you installed since?
What is between the SME & internet?
You might like to turn on verbose logging of firewall temporarily and check the message log for clues
sbin/e-smith/db configuration setprop masq Logging all
/sbin/e-smith/signal-event remoteaccess-update
The message file will grow qiute quickly :(
Good luck
brian k