My scenario:
ClearOS 6.5
Gateway Mode
Multiwan
ETH0 LAN 192.168.0.51
ETH1 WAN Static IP
ETH2/PPPoE WAN DHCP (PPPoE)
Firewall enabled = no ping, no trace, no connection
If the firewall is disabled (service firewall stop) I can ping, trace, etc.
The weird thing is that I have a backup server with the same firewall configuration and it runs smoothly.
If I install it from scratch everything works, but when I restore a backup (which was running on the same server a week ago) I have no connection.
(sorry for my English)
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 80.82.78.170 anywhere
DROP all -- anywhere anywhere state INVALID
REJECT tcp -- anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -- loopback/8 anywhere
DROP all -- link-local/16 anywhere
DROP all -- loopback/8 anywhere
DROP all -- link-local/16 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp spt:bootps dpt:bootpc
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:xfer
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:6911
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:ftp-data
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:ftp
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:http
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:https
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:mysql
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:webcache
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpts:directplay:foliocorp
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:ssh
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:vnc-server
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:ndmp
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:81
ACCEPT gre -- anywhere 200-42-61-75.prima.net.ar
ACCEPT tcp -- anywhere 200-42-61-75.prima.net.ar tcp dpt:pptp
ACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:https STRING match "youtube" ALGO name bm TO 65535
DROP tcp -- anywhere anywhere tcp dpt:https STRING match "wistia" ALGO name bm TO 65535
ACCEPT tcp -- 192.168.0.182 anywhere tcp dpt:https STRING match "facebook" ALGO name bm TO 65535
ACCEPT tcp -- 192.168.0.181 anywhere tcp dpt:https STRING match "facebook" ALGO name bm TO 65535
DROP tcp -- anywhere anywhere tcp dpt:https STRING match "facebook" ALGO name bm TO 65535
DROP all -- 80.82.78.170 anywhere
ACCEPT udp -- anywhere cpuelles udp dpt:h323hostcall
ACCEPT tcp -- anywhere camaras tcp dpt:xfer
ACCEPT tcp -- anywhere camaras tcp dpt:6911
ACCEPT tcp -- anywhere sirius tcp dpt:webcache
ACCEPT tcp -- anywhere server.labdominguez.local tcp dpt:mysql
ACCEPT tcp -- anywhere sirius tcp dpt:vnc-server
ACCEPT tcp -- anywhere cpuelles tcp dpts:52362:52363
ACCEPT tcp -- anywhere presea.labdominguez.local tcp dpt:ms-wbt-server
DROP tcp -- 192.168.0.0/24 anywhere tcp dpt:macromedia-fcs
DROP all -- 192.168.0.0/24 178.33.52.36
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere 80.82.78.170
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp spt:bootpc dpt:bootps
ACCEPT icmp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp spt:bootpc dpt:bootps
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:xfer
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:6911
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:ftp-data
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:ftp
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:http
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:https
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:mysql
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:webcache
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spts:directplay:foliocorp
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:ssh
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:vnc-server
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:ndmp
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:81
ACCEPT gre -- 200-42-61-75.prima.net.ar anywhere
ACCEPT tcp -- 200-42-61-75.prima.net.ar anywhere tcp spt:pptp
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain drop-lan (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
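Added example, not part of the post above and not ClearOS code. The listing above was taken with plain `iptables -L`, which hides the in/out interface columns, so every `-i eth0 -j ACCEPT`-style rule prints as the opaque line `ACCEPT all -- anywhere anywhere`; `iptables -L -v -n` or `iptables-save` shows them. On a multi-WAN gateway with a PPPoE link, such rules are bound to interface names (eth0, eth1, ppp0) that may not all exist when a restored ruleset is loaded. The script below reads an `iptables-save` dump and a `/proc/net/dev` listing and reports rules bound to an interface the host does not currently have, plus the rules that `iptables -L` would render opaquely. The dump and interface list are constructed sample input modelled on the post; the interface names and the rules in them are assumptions, and nothing here claims to be the cause of the poster's problem.

```python
"""Audit an iptables-save dump for rules bound to absent interfaces.

Added example; not from the ClearOS post or from ClearOS itself.
"""
import shlex

# Constructed sample dump in iptables-save syntax, loosely modelled on the
# post's listing. Interface names (eth0, eth1, ppp0) are assumptions.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 80.82.78.170/32 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ppp0 -j ACCEPT
-A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
COMMIT
"""

# Constructed /proc/net/dev excerpt: ppp0 is deliberately absent (assumption:
# the PPPoE session is down, so the kernel has no such interface).
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                            |  Transmit
 face |bytes    packets errs drop fifo frame |bytes    packets errs drop
    lo:   12345      100    0    0    0     0    12345      100    0    0
  eth0:  999999     5000    0    0    0     0   888888     4000    0    0
  eth1:  555555     3000    0    0    0     0   444444     2000    0    0
  eth2:       0        0    0    0    0     0        0        0    0    0
"""

IFACE_FLAGS = ("-i", "--in-interface", "-o", "--out-interface")


def present_interfaces(proc_net_dev_text):
    """Return the set of interface names from /proc/net/dev style text."""
    names = set()
    for line in proc_net_dev_text.splitlines():
        if ":" in line:  # data rows look like "  eth0: <counters>"
            names.add(line.split(":", 1)[0].strip())
    return names


def parse_rules(dump):
    """Yield (chain, tokens) for every '-A <chain> ...' line in a dump."""
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            tokens = shlex.split(line)
            yield tokens[1], tokens[2:]


def interface_matches(tokens):
    """Return [(flag, ifname)] for each -i/-o match in a rule's tokens.

    A preceding '!' (negation) is its own token and is simply skipped.
    """
    found, i = [], 0
    while i < len(tokens):
        if tokens[i] in IFACE_FLAGS and i + 1 < len(tokens):
            found.append((tokens[i], tokens[i + 1]))
            i += 2
        else:
            i += 1
    return found


def missing_interface_rules(dump, present):
    """Return (chain, rule, ifname) for rules bound to an absent interface.

    A trailing '+' is the iptables wildcard, so 'eth+' is satisfied by eth0.
    """
    findings = []
    for chain, tokens in parse_rules(dump):
        for _flag, name in interface_matches(tokens):
            if name.endswith("+"):
                ok = any(p.startswith(name[:-1]) for p in present)
            else:
                ok = name in present
            if not ok:
                findings.append((chain, " ".join(tokens), name))
    return findings


def opaque_rules(dump):
    """Rules that carry only interface matches and a target.

    These are exactly the ones plain `iptables -L` prints as
    'ACCEPT all -- anywhere anywhere', hiding what they actually match.
    """
    result = []
    for chain, tokens in parse_rules(dump):
        rest, i = [], 0
        while i < len(tokens):
            if tokens[i] in IFACE_FLAGS + ("-j", "--jump"):
                i += 2
            elif tokens[i] == "!":
                i += 1
            else:
                rest.append(tokens[i])
                i += 1
        if not rest:
            result.append((chain, " ".join(tokens)))
    return result


if __name__ == "__main__":
    present = present_interfaces(SAMPLE_PROC_NET_DEV)
    print("present interfaces:", sorted(present))
    for chain, rule, name in missing_interface_rules(SAMPLE_DUMP, present):
        print(f"{chain}: bound to absent interface {name}: {rule}")
    for chain, rule in opaque_rules(SAMPLE_DUMP):
        print(f"{chain}: opaque under 'iptables -L': {rule}")
```

On a real host, feed it `iptables-save` output and the contents of `/proc/net/dev` instead of the constructed samples; the check is only as good as the interface list taken at the moment the ruleset is loaded, which on a PPPoE gateway can differ from the list a minute later.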