Debian User Forums

[rabbagast]

Hello folks.

I'm trying to build a firewall using Debian 10.1. I got several interfaces (many of them VLANS).

Now I'm trying to allow http access from internet to my internal web server. But I'm not able to do this.
This is the rules I have been trying to add using iptables:

iptables -A FORWARD -p tcp -d 192.168.2.22 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.2.22 --sport 80 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j DNAT --destination 192.168.2.22:80

And here it fails with:
iptables v1.8.2 (fn_tables): unknown option "DNAT"

I have searched internet to try to find a solution, but nothing came up. I got a lot of examples of how to do this, and all are using -j DNAT

What is wrong? Please help...

[p.H]

"--destination" is wrong. The correct option is "--to-destination" or "--to".

PS : the 2nd rule is the wrong way of allowing return packets. Consider using connection tracking instead.

[rabbagast]

Did not work. Same result.

[rabbagast]

"--destination" is wrong. The correct option is "--to-destination" or "--to".

PS : the 2nd rule is the wrong way of allowing return packets. Consider using connection tracking instead.

What do you mean by using connection tracking? I do not know iptables that much. Just started to work with it.

[rabbagast]

This is the latest version of my firewall script (fw.sh). Hope it can help solving my problem.

Code: Select all

#!/usr/bin/sh -v
PATH=/usr/sbin

# Define the physical interfaces:
INTERNET=enp4s5
VLAN=enp2s0
LOCAL=enp4s6

# Other definitions.
PUBLICIP=1.2.3.4

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables -X
iptables --delete-chain
iptables --table nat --delete-chain
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

iptables -t nat -A POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables -A FORWARD --in-interface $INTERNET -j ACCEPT

iptables -A FORWARD -i $INTERNET -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT

# Incoming HTTP traffic to web server.
iptables -A FORWARD -p tcp -d 192.168.2.22 --dport 80 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 80 -j DNAT -–to 192.168.2.22:80
# Here I get the message: iptables v1.8.2 (nt_tables): unknown option "DNAT"

iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT


[p.H]

It seems that one of the dashes in "-–to" is not a standard dash.

Connection tracking is this kind of stuff :

Code: Select all

iptables -A FORWARD -i $LOCAL -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

Note that iptables is being replaced with nftables, so if you are starting with it maybe you should learn to use nftables instead.

[rabbagast]

It seems that one of the dashes in "-–to" is not a standard dash.

Connection tracking is this kind of stuff :

Code: Select all

iptables -A FORWARD -i $LOCAL -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

Note that iptables is being replaced with nftables, so if you are starting with it maybe you should learn to use nftables instead.

You're right. vi did not show that until I searched for --to. TANKS!

But now I get: Bad argumnet '--dport'
Update: It was on different rule. It seems like a lot of -- did not contain a regular -

[p.H]

What editor did you use to write the script ?

[rabbagast]

What editor did you use to write the script ?

The first version was written using Notepad++ on a windows machine.
When I installed vim I got syntax coloring and every place where one of the - was 'of the wrong type', I could see it easily (gray color, should have been red).

So far the syntax of the firewall script is OK.

BUT - I'm not able to get traffic through the firewall. I turned on logging and it show that something is f**d up.
When trying to go from ip 192.168.3.2 to a website on internet, I see

SRC=192.168.3.2 DST=192.168.3.31

The destination IP is the broadcast IP for that net. I have chekced 'ip route' and it say it has default GW to the Cisco router connecting the firewall to Internet.

[p.H]

Please show the full packet trace.
What do these subnet and address belong to ?

[rabbagast]

Please show the full packet trace.
What do these subnet and address belong to ?

Do you mean traceroute or?
Traceroute from one host to a host on a different NIC say

Code: Select all

# from 192.168.3.3
$ traceroute 192.168.2.22
1    firewall (192.168.3.1) ....
2    firewall (192.168.3.1) ....


I'm able to reach all linux servers on the different NICs from the Firewall and visa versa. But no ssh traffic through the firewall.

Here is my /etc/network/interfaces file:

Code: Select all

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
# This is the interface to Internet
allow-hotplug enp4s5
iface enp4s5 inet static
  address 213.145.181.14
  netmask 255.255.255.252
  gateway 213.145.181.13

# DMZ-1
allow-hotplug enp4s6
iface enp4s6 inet static
  address 192.168.2.1
  netmask 255.255.255.0

auto enp2s0.104
iface enp2s0.104 inet static
  address 192.168.3.1
  netmask 255.255.255.224
  vlan-raw-device enp2s0

auto enp2s0.105
iface enp2s0.105 inet static
  address 192.168.3.33
  netmask 255.255.255.224
  vlan-raw-device enp2s0

auto enp2s0.106
iface enp2s0.106 inet static
  address 192.168.3.65
  netmask 255.255.255.224
  vlan-raw-device enp2s0

auto enp2s0.107
iface enp2s0.107 inet static
  address 192.168.3.97
  netmask 255.255.255.224
  vlan-raw-device enp2s0

auto enp2s0.108
iface enp2s0.108 inet static
  address 192.168.3.129
  netmask 255.255.255.224
  vlan-raw-device enp2s0

auto enp2s0.109
iface enp2s0.109 inet static
  address 192.168.4.1
  netmask 255.255.255.224
  vlan-raw-device enp2s0

# iface enp4s5 inet6 auto


[p.H]

Do you mean traceroute or?

No, I mean the full message which included "SRC=192.168.3.2 DST=192.168.3.31".

But no ssh traffic through the firewall.

Of course not. Your FORWARD rules do not allow packets in the NEW state (except from $INTERNET, which is just insane).

[rabbagast]

Do you mean traceroute or?

No, I mean the full message which included "SRC=192.168.3.2 DST=192.168.3.31".

But no ssh traffic through the firewall.

Of course not. Your FORWARD rules do not allow packets in the NEW state (except from $INTERNET, which is just insane).

I have removed the -m --state part of the FORWARD rules between the interfaces. That did not help.

Part of the kern.log file (note, I previously wrote I tried from 192.168.3.2 but the correct is 192.168.3.3):

Code: Select all

Sep 10 14:11:37 firewall kernel: [17315.727664] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40537 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728240] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40538 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728293] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40539 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728375] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40540 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728624] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40541 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728652] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40542 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728873] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40543 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728899] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40544 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729120] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40545 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729173] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40546 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729371] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40547 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729399] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40548 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729620] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40549 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729674] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40550 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729871] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40551 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729904] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40552 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.730122] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40553 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.730370] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40554 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.730619] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40555 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.730872] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40556 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.731125] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40557 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.731379] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40558 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.731626] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40559 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.731876] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40560 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.732124] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40561 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.732377] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=40562 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK PSH URGP=0


[p.H]

There is no LOG rule in your script, so how come there are iptables messages in the kernel log ?
I do not see DST=192.168.3.31 in these messages. Also they do not show forwarded traffic but packets sent to the firewall itself (DST=192.168.3.1), and are part of an established SSH connection (ACK), not connection requests (SYN).

Does the routing work properly at least if you remove all filtering and accept all packets ?

[rabbagast]

There is no LOG rule in your script, so how come there are iptables messages in the kernel log ?
I do not see DST=192.168.3.31 in these messages. Also they do not show forwarded traffic but packets sent to the firewall itself (DST=192.168.3.1), and are part of an established SSH connection (ACK), not connection requests (SYN).

Does the routing work properly at least if you remove all filtering and accept all packets ?

Because I have modified and tried things in the script. I also use -j LOGACCEPT, LOGREJECT or LOGDROP.

The good news now is that things seem to work better (and don't ask what I did because as a novice on iptables I'm not usre - I'm used to work with CheckPoint FireWalls)

I'm able to ssh between hosts and I have incoming HTTP traffic to my web server. Not sure about my mail server yet, but when I try to send email from one of my internal hosts to another, I do not see anything in the mailservers log.
I first tried a rule:

iptables -A INPUT -p tcp -d 192.168.4.10 --dport 25 -m state --state NEW -j LOGACCEPT

Later I tried

iptables -A INPUT -p tcp -s 192.168.2.22 -d 192.168.4.10 --dport 25 -m state --state NEW -j LOGACCEPT
iptables -A INPUT -p tcp -s 192.168.3,3 -d 192.168.4.10 --dport 25 -m state --state NEW -j LOGACCEPT

I guess I have to try other things...

Note: All my postings has been done from a laptop using a mobil phone as accesspoint. Most of the text has been copied by writing what's on the firewalls monitor. So please excuse me for any typos.