Hello Fabrice,

I’ve attached the requested files. Looking at the iptables configuration, am I 
reading this correctly that PacketFence is having iptables attempt to route the 
traffic out of em1 (the management interface)? If so, that’s probably my 
problem. Each of the two inline networks has a corresponding outside half via a 
point-to-point link to our campus core (p2p2.1926 and p2p2.1927 in the ip route 
output) which is where they need to go, rather than to em1.

Thanks!
Ross

From: Fabrice Durand via PacketFence-users <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, January 15, 2019 at 11:27 AM
To: "[email protected]" <[email protected]>
Cc: Fabrice Durand <[email protected]>
Subject: Re: [PacketFence-users] Inline Routed Network - Traffic Dropped by IPtables


Hello Lindsay,

Can you send the file /usr/local/pf/var/conf/iptables.conf and the result of the command "ip route"?

Thanks

Regards

Fabrice


On 19-01-14 at 10:03, Lindsay, Ross M via PacketFence-users wrote:
Greetings, All!

We’re working on a pilot of PacketFence to replace a home-grown captive portal 
for two of the networks on our campus. Until we can migrate to VLAN 
enforcement, these two specific networks will be routed with PacketFence 
inline. There’s no NAT here – we’re using public address space. I believe we 
have everything configured properly, but traffic will not pass from a 
registered host on the inline network out to the internet. I’ve verified that 
the routing configuration (at the OS level, outside of PF) is correct – the 
devices behind PF can pass traffic just fine if I flush the iptables rules 
added by PF. I’ve also verified that the inline interface is not set to NAT in 
the web GUI. Is there anything else specific that I should check or that needs 
to be changed for this to work? We’re running 8.3.0 on CentOS 7 if that helps.

Thank you!
--Ross

Ross Lindsay | Systems/IT Architect Senior
Office of Information Technology - Network Engineering
Georgia Institute of Technology
Phone: (404) 385-7520 | Skype: [email protected]
Email: [email protected]

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

Attachment: /usr/local/pf/var/conf/iptables.conf

# This file is generated from a template at /usr/local/pf/conf/iptables.conf
# Any changes made to this file will be lost on restart

# iptables template
# This file is manipulated on PacketFence's startup before being given to iptables
*filter

### INPUT ###
:INPUT DROP [0:0]
# accept loopback stuff
-A INPUT --in-interface lo --jump ACCEPT
# accept anything related
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept Ping (easier troubleshooting)
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

:input-management-if - [0:0]
# SSH
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# HTTP and HTTPS for the portal
-A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
# Web Admin
-A input-management-if --protocol tcp --match tcp --dport 1443 --jump ACCEPT
# Webservices
-A input-management-if --protocol tcp --match tcp --dport 9090 --jump ACCEPT
# AAA
-A input-management-if --protocol tcp --match tcp --dport 7070 --jump ACCEPT
# Unified API
-A input-management-if --protocol tcp --match tcp --dport 9999 --jump ACCEPT
# httpd.portal modstatus
-A input-management-if --protocol tcp --match tcp --dport 1444 --jump ACCEPT
# httpd.collector
-A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT
# haproxy stats (uncomment if activating the haproxy dashboard) - 1025 for haproxy-portal, 1026 for haproxy-db
#-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT
#-A input-management-if --protocol tcp --match tcp --dport 1026 --jump ACCEPT
# Netdata
-A input-management-if --protocol tcp --match tcp --dport 19999 --jump ACCEPT

# RADIUS
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
# RADIUS (eduroam virtual-server)
# eduroam integration is not configured

# SNMP Traps
-A input-management-if --protocol udp --match udp --dport 162  --jump ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
-A input-management-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# OpenVAS Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
# Nessus Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
# PacketFence-PKI
# -A input-management-if --protocol tcp --match tcp --dport 9393 --jump ACCEPT
# -A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT

# Fingerbank collector (replication + API)
-A input-management-if --protocol udp --match udp --dport 1192 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 4723 --jump ACCEPT

# VRRP
-A input-management-if -d 224.0.0.0/8 -j ACCEPT
-A input-management-if -p vrrp -j ACCEPT
# Mysql
-A input-management-if --protocol tcp --match tcp --dport 3306 --jump ACCEPT

# Syslog
-A input-management-if --protocol udp --match udp --dport 514 --jump ACCEPT

:input-portal-if - [0:0]
-A input-portal-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-portal-if --protocol tcp --match tcp --dport 443 --jump ACCEPT

:input-radius-if - [0:0]
-A input-radius-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
# eduroam integration is not configured

:input-internal-vlan-if - [0:0]
# DNS
-A input-internal-vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# HTTP (parking portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT

:input-internal-isol_vlan-if - [0:0]
# DNS
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
# DHCP
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# HTTP (parking portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT

:input-internal-inline-if - [0:0]
# DNS
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53  --jump ACCEPT
# HTTP (captive-portal)
# prevent registered users from reaching it
# TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal
#-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --match mark --mark 0x1 --jump DROP
#-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
# allow everyone else behind inline interface (not registered, isolated, etc.)
-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 647 --jump ACCEPT

:input-highavailability-if - [0:0]
#SSH
-A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
#Galera cluster
-A input-highavailability-if --protocol tcp --match tcp --dport 4444 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4567 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4568 --jump ACCEPT
#PacketFence MariaDB Quorum server
-A input-highavailability-if --protocol tcp --match tcp --dport 7890 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 7891 --jump ACCEPT
# Corosync
-A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
-A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
#DRBD
-A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT
# Heartbeat
-A input-highavailability-if --protocol udp --match udp --dport 694 --jump ACCEPT
#PCS
-A input-highavailability-if --protocol tcp --match tcp --dport 2224 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 3121 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 21064 --jump ACCEPT

# These will redirect to the proper chains based on conf/pf.conf's configuration
-A INPUT --in-interface p2p2.652 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface p2p2.652 -p vrrp -j ACCEPT
# DHCP Sync
-A INPUT --in-interface p2p2.652 --protocol udp --match udp --dport 67 -j ACCEPT
-A INPUT --in-interface p2p2.652 -d 10.16.52.1 --jump input-internal-vlan-if
-A INPUT --in-interface p2p2.652 -d 255.255.255.255 --jump input-internal-vlan-if
-A INPUT --in-interface p2p2.653 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface p2p2.653 -p vrrp -j ACCEPT
# DHCP Sync
-A INPUT --in-interface p2p2.653 --protocol udp --match udp --dport 67 -j ACCEPT
-A INPUT --in-interface p2p2.653 -d 10.16.53.1 --jump input-internal-vlan-if
-A INPUT --in-interface p2p2.653 -d 255.255.255.255 --jump input-internal-vlan-if
-A INPUT --in-interface p2p2.654 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface p2p2.654 -p vrrp -j ACCEPT
# DHCP Sync
-A INPUT --in-interface p2p2.654 --protocol udp --match udp --dport 67 -j ACCEPT
-A INPUT --in-interface p2p2.654 --protocol udp --match udp --dport 53 --jump input-internal-inline-if
-A INPUT --in-interface p2p2.654 --protocol tcp --match tcp --dport 53 --jump input-internal-inline-if
-A INPUT --in-interface p2p2.654 -d 128.61.110.1 --jump input-internal-inline-if
-A INPUT --in-interface p2p2.654 -d 255.255.255.255 --jump input-internal-inline-if
-A INPUT --in-interface p2p2.654 -d 130.207.244.97 --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A INPUT --in-interface p2p2.655 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface p2p2.655 -p vrrp -j ACCEPT
# DHCP Sync
-A INPUT --in-interface p2p2.655 --protocol udp --match udp --dport 67 -j ACCEPT
-A INPUT --in-interface p2p2.655 --protocol udp --match udp --dport 53 --jump input-internal-inline-if
-A INPUT --in-interface p2p2.655 --protocol tcp --match tcp --dport 53 --jump input-internal-inline-if
-A INPUT --in-interface p2p2.655 -d 128.61.110.17 --jump input-internal-inline-if
-A INPUT --in-interface p2p2.655 -d 255.255.255.255 --jump input-internal-inline-if
-A INPUT --in-interface p2p2.655 -d 130.207.244.97 --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A INPUT --in-interface em1 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface em1 -p vrrp -j ACCEPT
-A INPUT --in-interface em1 --jump input-radius-if
-A INPUT --in-interface em1 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface em1 -p vrrp -j ACCEPT
-A INPUT --in-interface em1 --jump input-radius-if
-A INPUT --in-interface em1 --jump input-management-if

### FORWARD ###
:FORWARD DROP [0:0]
:forward-internal-vlan-if - [0:0]
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough dst,dst --jump ACCEPT
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough src,src --jump ACCEPT

:forward-internal-isolvlan-if - [0:0]
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough dst,dst --jump ACCEPT
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough src,src --jump ACCEPT

:forward-internal-inline-if - [0:0]
-A forward-internal-inline-if --match mark --mark 0x3 -m set --match-set pfsession_passthrough dst,dst --jump ACCEPT
-A forward-internal-inline-if --match mark --mark 0x2 -m set --match-set pfsession_isol_passthrough dst,dst --jump ACCEPT
-A forward-internal-inline-if --match mark --mark 0x1 --jump ACCEPT

-A FORWARD --in-interface p2p2.652 --jump forward-internal-vlan-if
-A FORWARD --out-interface p2p2.652 --jump forward-internal-vlan-if
-A FORWARD --in-interface p2p2.654 --jump forward-internal-inline-if
-A FORWARD --in-interface p2p2.655 --jump forward-internal-inline-if
-A FORWARD -d 128.61.110.0/28 --in-interface em1 --jump ACCEPT
-A FORWARD -d 128.61.110.16/28 --in-interface em1 --jump ACCEPT
-A FORWARD --in-interface em1 --match state --state ESTABLISHED,RELATED --jump ACCEPT

-A FORWARD -o GTAD-b -j ACCEPT
-A FORWARD -i GTAD-b -j ACCEPT

:OUTPUT ACCEPT [0:0]

COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
-A prerouting-int-inline-if --jump MARK --set-mark 0x3
-A prerouting-int-inline-if -m set --match-set pfsession_Unreg_128.61.110.0 src,src --jump MARK --set-mark 0x3
-A prerouting-int-inline-if -m set --match-set pfsession_Reg_128.61.110.0 src,src --jump MARK --set-mark 0x1
-A prerouting-int-inline-if -m set --match-set pfsession_Isol_128.61.110.0 src,src --jump MARK --set-mark 0x2
-A prerouting-int-inline-if -m set --match-set pfsession_Unreg_128.61.110.16 src,src --jump MARK --set-mark 0x3
-A prerouting-int-inline-if -m set --match-set pfsession_Reg_128.61.110.16 src,src --jump MARK --set-mark 0x1
-A prerouting-int-inline-if -m set --match-set pfsession_Isol_128.61.110.16 src,src --jump MARK --set-mark 0x2
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:postrouting-int-inline-if - [0:0]
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_128.61.110.0 src -j CLASSIFY --set-class 99:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_128.61.110.0 dst -j CLASSIFY --set-class 1:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_128.61.110.0 src -j CLASSIFY --set-class 99:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_128.61.110.0 dst -j CLASSIFY --set-class 1:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_128.61.110.0 src -j CLASSIFY --set-class 99:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_128.61.110.0 dst -j CLASSIFY --set-class 1:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID4_128.61.110.0 src -j CLASSIFY --set-class 99:4
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID4_128.61.110.0 dst -j CLASSIFY --set-class 1:4
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID5_128.61.110.0 src -j CLASSIFY --set-class 99:5
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID5_128.61.110.0 dst -j CLASSIFY --set-class 1:5
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID11_128.61.110.0 src -j CLASSIFY --set-class 99:11
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID11_128.61.110.0 dst -j CLASSIFY --set-class 1:11
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_128.61.110.16 src -j CLASSIFY --set-class 98:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_128.61.110.16 dst -j CLASSIFY --set-class 2:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_128.61.110.16 src -j CLASSIFY --set-class 98:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_128.61.110.16 dst -j CLASSIFY --set-class 2:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_128.61.110.16 src -j CLASSIFY --set-class 98:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_128.61.110.16 dst -j CLASSIFY --set-class 2:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID4_128.61.110.16 src -j CLASSIFY --set-class 98:4
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID4_128.61.110.16 dst -j CLASSIFY --set-class 2:4
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID5_128.61.110.16 src -j CLASSIFY --set-class 98:5
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID5_128.61.110.16 dst -j CLASSIFY --set-class 2:5
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID11_128.61.110.16 src -j CLASSIFY --set-class 98:11
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID11_128.61.110.16 dst -j CLASSIFY --set-class 2:11

# These will redirect to the proper chains based on conf/pf.conf's configuration
-A PREROUTING --in-interface p2p2.654 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface p2p2.654 --jump postrouting-int-inline-if
-A PREROUTING --in-interface p2p2.655 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface p2p2.655 --jump postrouting-int-inline-if
-A POSTROUTING --out-interface em1 --jump postrouting-int-inline-if
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
:postrouting-inline-routed - [0:0]
:postrouting-int-inline-if - [0:0]
:prerouting-int-vlan-if - [0:0]

-A prerouting-int-inline-if --protocol udp --destination-port 53 -s 128.61.110.0/255.255.255.240 --match mark --mark 0x3 --jump DNAT --to 128.61.110.1
-A prerouting-int-inline-if --protocol udp --destination-port 53 -s 128.61.110.0/255.255.255.240 --match mark --mark 0x2 --jump DNAT --to 128.61.110.1
-A prerouting-int-inline-if --protocol udp --destination-port 53 -s 128.61.110.16/255.255.255.240 --match mark --mark 0x3 --jump DNAT --to 128.61.110.17
-A prerouting-int-inline-if --protocol udp --destination-port 53 -s 128.61.110.16/255.255.255.240 --match mark --mark 0x2 --jump DNAT --to 128.61.110.17
-A prerouting-int-inline-if -m set --match-set pfsession_passthrough dst,dst --match mark --mark 0x3 --jump ACCEPT
-A prerouting-int-inline-if -m set --match-set pfsession_isol_passthrough dst,dst --match mark --mark 0x2 --jump ACCEPT
-A prerouting-int-inline-if --protocol tcp --destination-port 80 -s 128.61.110.0/255.255.255.240 --match mark --mark 0x2 --jump DNAT --to 128.61.110.1
-A prerouting-int-inline-if --protocol tcp --destination-port 80 -s 128.61.110.16/255.255.255.240 --match mark --mark 0x2 --jump DNAT --to 128.61.110.17
-A prerouting-int-inline-if --protocol tcp --destination-port 443 -s 128.61.110.0/255.255.255.240 --match mark --mark 0x2 --jump DNAT --to 128.61.110.1
-A prerouting-int-inline-if --protocol tcp --destination-port 443 -s 128.61.110.16/255.255.255.240 --match mark --mark 0x2 --jump DNAT --to 128.61.110.17
-A prerouting-int-vlan-if --protocol udp --destination-port 53 -s 10.16.52.0/255.255.255.0 --jump DNAT --to 10.16.52.1
-A prerouting-int-vlan-if --protocol tcp --destination-port 53 -s 10.16.52.0/255.255.255.0 --jump DNAT --to 10.16.52.1
-A prerouting-int-vlan-if --protocol udp --destination-port 53 -s 10.16.53.0/255.255.255.0 --jump DNAT --to 10.16.53.1
-A prerouting-int-vlan-if --protocol tcp --destination-port 53 -s 10.16.53.0/255.255.255.0 --jump DNAT --to 10.16.53.1
-A PREROUTING -p tcp --dport 80 -m set --match-set parking src -j REDIRECT --to-port 5252
-A PREROUTING -p tcp --dport 443 -m set --match-set parking src -j REDIRECT --to-port 5252

:OUTPUT ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's configuration
-A PREROUTING --in-interface p2p2.654 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface p2p2.654 --jump postrouting-int-inline-if
-A PREROUTING --in-interface p2p2.655 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface p2p2.655 --jump postrouting-int-inline-if
-A POSTROUTING -s 128.61.110.0/28 --out-interface em1 --match mark --mark 0x3 --jump postrouting-inline-routed
-A POSTROUTING -s 128.61.110.16/28 --out-interface em1 --match mark --mark 0x3 --jump postrouting-inline-routed
-A POSTROUTING --out-interface em1 --match mark --mark 0x3 --jump postrouting-int-inline-if
-A POSTROUTING -s 128.61.110.0/28 --out-interface em1 --match mark --mark 0x1 --jump postrouting-inline-routed
-A POSTROUTING -s 128.61.110.16/28 --out-interface em1 --match mark --mark 0x1 --jump postrouting-inline-routed
-A POSTROUTING --out-interface em1 --match mark --mark 0x1 --jump postrouting-int-inline-if
-A POSTROUTING -s 128.61.110.0/28 --out-interface em1 --match mark --mark 0x2 --jump postrouting-inline-routed
-A POSTROUTING -s 128.61.110.16/28 --out-interface em1 --match mark --mark 0x2 --jump postrouting-inline-routed
-A POSTROUTING --out-interface em1 --match mark --mark 0x2 --jump postrouting-int-inline-if
-A PREROUTING --in-interface p2p2.652 --jump prerouting-int-vlan-if
-A PREROUTING --in-interface p2p2.653 --jump prerouting-int-vlan-if

:POSTROUTING ACCEPT [0:0]

-A postrouting-int-inline-if --jump MASQUERADE

#
# Chain to enable routing instead of NAT
#
-A postrouting-inline-routed --jump ACCEPT

#
# NAT out (PAT actually)
#
# If you want to do your own thing regarding NAT like for example:
# - allowing through instead of doing NAT (make sure you have the proper return route)
# - traffic out on some interface other than management
# - overloading on multiple IP addresses
# Comment the next two lines and do it here on the POSTROUTING chain.
# Make sure to adjust the FORWARD rules also to allow traffic back-in.
-A POSTROUTING -s 10.16.53.0/24 -o em1 -j SNAT --to 130.207.244.97
-A POSTROUTING -s 10.16.52.0/24 -o em1 -j SNAT --to 130.207.244.97

#
# Routing for the hidden domain network
#
-A POSTROUTING -s 169.254.0.0/16 -o em1 -j SNAT --to-source 130.207.244.97

COMMIT

Attachment: output of "ip route"

default via 130.207.244.1 dev em1
10.16.52.0/24 dev p2p2.652 proto kernel scope link src 10.16.52.1
10.16.53.0/24 dev p2p2.653 proto kernel scope link src 10.16.53.1
128.61.110.0/28 dev p2p2.654 proto kernel scope link src 128.61.110.1
128.61.110.16/28 dev p2p2.655 proto kernel scope link src 128.61.110.17
130.207.244.0/24 dev em1 proto kernel scope link src 130.207.244.97
143.215.253.104/30 dev p2p1.1926 proto kernel scope link src 143.215.253.106
143.215.253.108/30 dev p2p1.1927 proto kernel scope link src 143.215.253.110
169.254.0.0/30 dev GTAD-b proto kernel scope link src 169.254.0.2
169.254.0.0/16 dev em1 scope link metric 1002
169.254.0.0/16 dev p2p1.1926 scope link metric 1010
169.254.0.0/16 dev p2p1.1927 scope link metric 1011
169.254.0.0/16 dev p2p2.652 scope link metric 1012
169.254.0.0/16 dev p2p2.653 scope link metric 1013
169.254.0.0/16 dev p2p2.654 scope link metric 1014
169.254.0.0/16 dev p2p2.655 scope link metric 1015
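An added example, not code from the thread or from PacketFence: a small Python checker that reads FORWARD rules in the iptables-save format above and reports, per inline subnet, on which inbound interfaces replies would be ACCEPTed, which makes the mismatch Ross suspects (return rules on em1 only) visible directly from the attached file. It assumes that p2p1.1926 and p2p1.1927 are the interfaces that really carry the two inline networks' upstream traffic, and the "adjusted" rule set is an assumed illustration of the template's own advice to adjust the FORWARD rules to allow traffic back in, not a rule set the thread supplies.

```python
# Added example (not from the thread or from PacketFence): does a PacketFence-style
# FORWARD chain ACCEPT replies that re-enter on the real upstream interface?
import ipaddress
import shlex

# Constructed sample: the FORWARD rules from the posted iptables.conf, unwrapped.
GENERATED_FORWARD = """
-A FORWARD --in-interface p2p2.654 --jump forward-internal-inline-if
-A FORWARD --in-interface p2p2.655 --jump forward-internal-inline-if
-A FORWARD -d 128.61.110.0/28 --in-interface em1 --jump ACCEPT
-A FORWARD -d 128.61.110.16/28 --in-interface em1 --jump ACCEPT
-A FORWARD --in-interface em1 --match state --state ESTABLISHED,RELATED --jump ACCEPT
"""

# Constructed: the same chain plus per-link return rules, an assumed illustration of
# the template's own advice to "adjust the FORWARD rules also to allow traffic back-in".
ADJUSTED_FORWARD = GENERATED_FORWARD + """
-A FORWARD -d 128.61.110.0/28 --in-interface p2p1.1926 --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A FORWARD -d 128.61.110.16/28 --in-interface p2p1.1927 --match state --state ESTABLISHED,RELATED --jump ACCEPT
"""

# Assumption (from Ross's description; the posted route table only shows /30 link
# routes for these): inline subnet -> interface that really carries its upstream.
EXPECTED_EGRESS = {"128.61.110.0/28": "p2p1.1926", "128.61.110.16/28": "p2p1.1927"}

ALIASES = {"-i": "--in-interface", "-o": "--out-interface", "-j": "--jump",
           "--destination": "-d", "--source": "-s"}


def parse_rule(line):
    """Turn one iptables-save style '-A CHAIN ...' line into {option: value}."""
    toks = shlex.split(line)
    if len(toks) < 3 or toks[0] != "-A":
        return None  # blank line, comment or chain declaration
    rule, i = {"chain": toks[1]}, 2
    while i < len(toks):
        key = ALIASES.get(toks[i], toks[i])
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            rule[key], i = toks[i + 1], i + 2  # option with a value
        else:
            rule[key], i = True, i + 1         # bare flag
    return rule


def accepts_return_traffic(rule, subnet, iface):
    """True if a FORWARD rule ACCEPTs a reply entering on `iface` bound for `subnet`,
    whether it matches by explicit destination, by conntrack state, or both."""
    if rule["chain"] != "FORWARD" or rule.get("--jump") != "ACCEPT":
        return False
    if rule.get("--in-interface") not in (None, iface) or "--out-interface" in rule:
        return False
    dst = rule.get("-d")
    if dst and not ipaddress.ip_network(subnet).subnet_of(ipaddress.ip_network(dst)):
        return False
    state = rule.get("--state")
    return state is None or "ESTABLISHED" in state.split(",")


def check_return_paths(rules_text, expected_egress):
    """Per inline subnet: the inbound interfaces on which FORWARD accepts replies,
    and whether the interface that really carries the upstream is among them."""
    rules = [r for r in map(parse_rule, rules_text.strip().splitlines()) if r]
    findings = {}
    for subnet, egress in expected_egress.items():
        accepted_on = {r.get("--in-interface", "any") for r in rules
                       if accepts_return_traffic(r, subnet, r.get("--in-interface", "any"))}
        findings[subnet] = {"egress": egress, "return_accepted_on": sorted(accepted_on),
                            "ok": egress in accepted_on or "any" in accepted_on}
    return findings


if __name__ == "__main__":
    for label, text in (("generated", GENERATED_FORWARD), ("adjusted", ADJUSTED_FORWARD)):
        for subnet, f in check_return_paths(text, EXPECTED_EGRESS).items():
            verdict = "OK" if f["ok"] else f"replies on {f['egress']} hit FORWARD DROP"
            print(f"{label}: {subnet} accepted on {f['return_accepted_on']} -> {verdict}")
```

With the generated chain both subnets report replies accepted on em1 only; the per-link rules in the adjusted set are what the chain needs before the SNAT/FORWARD comments in the template can be acted on for a non-management egress.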