Gentoo Forums
iptables forwarding to dmz fails [SOLVED]
Forum: Networking & Security
gondolin (Apprentice; joined 09 Apr 2003; posts: 158)
Posted: Mon Dec 04, 2006 7:39 pm    Post subject: iptables forwarding to dmz fails [SOLVED]

I'm trying to forward HTTP traffic from the Internet (eth2) towards my DMZ server (eth0), but no luck.

Code:
## Incoming rules
# Allow only existing connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward port 8080 from Internet (eth2) to DMZ (eth0)
iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 8080 -j DNAT --to IP-DMZ-SERVER:8080

# Allow only NEW from the internal network (any interface except eth2)
#iptables -A INPUT -m state --state NEW ! -i eth1 -j LOG
iptables -A INPUT -m state --state NEW ! -i eth2 -j ACCEPT

# Allow only NEW on port 8080 from Internet (eth2) to DMZ (eth0)
# (note: DNAT'd packets traverse FORWARD, not INPUT; INPUT only sees packets addressed to the firewall itself)
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth2 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth0 -j ACCEPT


## Internal to External rules
# Enable masquerading (NAT) to allow LAN internet access
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

# Allow replies entering on eth2 to be forwarded back to the LAN/DMZ
# (ESTABLISHED,RELATED only; NEW forwarded connections rely on the FORWARD policy)
iptables -I FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT


# Deny outgoing traffic for following IP's


# Drop all the rest
iptables -P INPUT DROP


Anyone that can help?


Last edited by gondolin on Sun Dec 10, 2006 10:19 am; edited 1 time in total
erik258 (Advocate; joined 12 Apr 2005; posts: 2650; location: Twin Cities, Minnesota, USA)
Posted: Mon Dec 04, 2006 8:19 pm

What's going on? That is, what is the symptom? Which rules aren't working?
_________________
Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit!
gondolin (Apprentice; joined 09 Apr 2003; posts: 158)
Posted: Tue Dec 05, 2006 1:29 pm

I suppose those two, because I can't connect from the Internet to my DMZ machine:

Code:
iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 8080 -j DNAT --to IP-DMZ-SERVER:8080
# Allow only NEW on port 8080 from Internet (eth2) to DMZ (eth0)
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth2 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth0 -j ACCEPT
erik258 (Advocate; joined 12 Apr 2005; posts: 2650; location: Twin Cities, Minnesota, USA)
Posted: Tue Dec 05, 2006 6:23 pm

Have you tried from outside your network? What's your IP? Let me hit port 8080 from here.
erik258 (Advocate; joined 12 Apr 2005; posts: 2650; location: Twin Cities, Minnesota, USA)
Posted: Tue Dec 05, 2006 6:25 pm

Did you enable IP forwarding in the kernel?
gondolin (Apprentice; joined 09 Apr 2003; posts: 158)
Posted: Wed Dec 06, 2006 5:56 pm

Yes, I have tried it from work, and forwarding is enabled in the kernel; it works between the Internet and the LAN.

I'm used to Checkpoint at work, so iptables at home; it works for the LAN, but not forwarding to the DMZ :-(
pteppic (l33t; joined 28 Nov 2005; posts: 781)
Posted: Wed Dec 06, 2006 6:21 pm

What do you have in your FORWARD chain?
Try it (FORWARD) with these two too:
Code:
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth2 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i eth0 -j ACCEPT
gondolin (Apprentice; joined 09 Apr 2003; posts: 158)
Posted: Wed Dec 06, 2006 7:18 pm

Yes, I tried this already:

Code:
INT="eth2"
DMZ="eth0"
LAN="eth1"
DMZ_SRV="192.xxx.xxx.xxx"

# Flush all rules
iptables -F; iptables -t nat -F; iptables -t mangle -F

## Incoming rules
# Allow only existing connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward port 8080 from Internet to DMZ
iptables -A PREROUTING -t nat -i ${INT} -p tcp --dport 8080 -j DNAT --to ${DMZ_SRV}:8080

# Allow only NEW from the LAN & DMZ network (any interface except ${INT})
iptables -A INPUT -m state --state NEW ! -i ${INT} -j ACCEPT

# Allow only NEW on port 8080 from Internet to DMZ
# (note: DNAT'd packets traverse FORWARD, not INPUT; INPUT only sees packets addressed to the firewall itself)
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i ${INT} -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -i ${DMZ} -j ACCEPT

## Internal to External rules
# Enable masquerading (NAT) to allow LAN internet access
iptables -t nat -A POSTROUTING -o ${INT} -j MASQUERADE

# Allow replies entering on ${INT} to be forwarded back to the LAN/DMZ
# (ESTABLISHED,RELATED only; NEW forwarded connections rely on the FORWARD policy)
iptables -I FORWARD -i ${INT} -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop all the rest
iptables -P INPUT DROP
pteppic (l33t; joined 28 Nov 2005; posts: 781)
Posted: Wed Dec 06, 2006 8:11 pm

You misunderstand; I mean use the rules in your FORWARD chain:

Code:
iptables -A FORWARD -p tcp -m state --state NEW --dport 8080 -i ${INT} -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW --dport 8080 -i ${DMZ} -j ACCEPT
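As an added example (editor's code, not anything posted in this thread), here is a complete three-interface ruleset built the way pteppic describes: the port 8080 accept rules sit in FORWARD, because a packet that PREROUTING has DNAT'd to the DMZ server is routed through FORWARD and never reaches INPUT. The interface roles (INT=eth2, DMZ=eth0, LAN=eth1) and the DMZ address 172.16.0.2 come from the thread; the function names, the DROP policy on FORWARD (the counter output in this thread shows the poster's FORWARD policy was ACCEPT, which lets the DMZ open connections into the LAN), and the LAN/DMZ separation rules are assumptions of mine. The script only prints the ruleset unless run with `apply`, which enables ip_forward and loads it atomically with iptables-restore.

```shell
#!/bin/sh
# Added example: generate a three-interface ruleset in which DNAT'd port 8080
# traffic is accepted in FORWARD (DNAT'd packets do not traverse INPUT, so the
# INPUT rules for 8080 in the thread's script never saw them).
# Interface roles and the DMZ address follow the thread; function names, the
# DROP policy on FORWARD and the LAN/DMZ separation rules are assumptions.

# build_ruleset INT DMZ LAN DMZ_SRV PORT -> iptables-restore text on stdout
build_ruleset() {
    INT=$1; DMZ=$2; LAN=$3; DMZ_SRV=$4; PORT=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the destination of Internet-facing port $PORT to the DMZ server
-A PREROUTING -i $INT -p tcp --dport $PORT -j DNAT --to-destination $DMZ_SRV:$PORT
# Masquerade everything leaving on the Internet interface
-A POSTROUTING -o $INT -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Firewall itself: replies, loopback, and new connections from the LAN only
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -m conntrack --ctstate NEW -j ACCEPT
# Forwarded traffic: replies for any flow that was already accepted
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# After DNAT the packet is addressed to $DMZ_SRV and routed out $DMZ: accept it
# here, matching the post-DNAT destination so only the published service is reachable
-A FORWARD -i $INT -o $DMZ -d $DMZ_SRV -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
# LAN may open connections to the Internet and to the DMZ
-A FORWARD -i $LAN -o $INT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -m conntrack --ctstate NEW -j ACCEPT
# DMZ may reach the Internet; a compromised DMZ host must not open connections into the LAN
-A FORWARD -i $DMZ -o $LAN -j DROP
-A FORWARD -i $DMZ -o $INT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# apply_ruleset INT DMZ LAN DMZ_SRV PORT: turn on forwarding, then load atomically (root)
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_ruleset "$@" | iptables-restore
}

case "${1:-print}" in
    apply) apply_ruleset eth2 eth0 eth1 172.16.0.2 8080 ;;
    *)     build_ruleset eth2 eth0 eth1 172.16.0.2 8080 ;;
esac
```

Run it with no arguments to review the ruleset, then `./dmz-fw.sh apply` as root to load it. Afterwards `iptables -nvL FORWARD` should show the 8080 rule's packet counter climbing when a client outside the network connects; if the DNAT counter in `iptables -t nat -nvL PREROUTING` stays at zero, the packets are not arriving on eth2 at all and no FORWARD rule can fix that.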
erik258 (Advocate; joined 12 Apr 2005; posts: 2650; location: Twin Cities, Minnesota, USA)
Posted: Thu Dec 07, 2006 11:26 pm

Why not post the output of iptables -L -v and iptables -t nat -L -v, so that we all can see which chains are matching packets?
gondolin (Apprentice; joined 09 Apr 2003; posts: 158)
Posted: Fri Dec 08, 2006 4:58 pm

Here we go, and still no luck.
But I don't see any traffic!!
Code:
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   61  4570 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   36  2884 ACCEPT     all  --  !eth2  any     anywhere             anywhere            state NEW

Chain FORWARD (policy ACCEPT 43M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth2   eth0    anywhere             gondor              tcp dpt:http-alt
    0     0 ACCEPT     tcp  --  eth2   any     anywhere             anywhere            state NEW tcp dpt:http-alt
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            state NEW tcp dpt:http-alt

Chain OUTPUT (policy ACCEPT 1331K packets, 254M bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 960K packets, 79M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth2   any     anywhere             anywhere            tcp dpt:http-alt to:172.16.0.2:8080

Chain POSTROUTING (policy ACCEPT 192K packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth2    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 108K packets, 8443K bytes)
 pkts bytes target     prot opt in     out     source               destination


Last edited by gondolin on Fri Dec 08, 2006 8:05 pm; edited 1 time in total
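The counters above are the evidence erik258 asked for, and reading them is the whole diagnosis: a DNAT rule in nat/PREROUTING that has never matched means no packet for port 8080 arrived on eth2 while those counters were running, so nothing downstream (FORWARD rules, ip_forward, the DMZ host) can be the thing that is failing. The following is an added example of that check as a script, written by the editor and not part of the thread: it reads saved iptables -L -v and iptables -t nat -L -v output and says at which stage the forwarded traffic stopped. The embedded sample data is gondolin's output above, used here as constructed test input; the function names are assumptions.

```shell
#!/bin/sh
# Added example: find where DNAT'd traffic stops by reading rule packet counters
# from saved `iptables -L -v` / `iptables -t nat -L -v` output.
# The sample data is gondolin's output from this thread (constructed test input);
# the function names are assumptions, not part of any tool.

# rule_pkts OUTPUT CHAIN REGEX -> packet counter of the first rule in CHAIN whose
# line matches REGEX (empty if no rule matches). Counters are returned as printed,
# so "43M"-style values appear as-is; run iptables with -x for exact numbers.
rule_pkts() {
    printf '%s\n' "$1" | awk -v want="$2" -v pat="$3" '
        /^Chain / { chain = $2; next }                       # track the current chain
        chain == want && $1 ~ /^[0-9]+[KMG]?$/ && $0 ~ pat { print $1; exit }
    '
}

# diagnose FILTER_OUTPUT NAT_OUTPUT INT DMZ_SRV PORT -> one-line verdict
# (the port itself is not matched in the FORWARD rule because non-numeric
# output shows service names such as http-alt; use -n to match on the number)
diagnose() {
    filter=$1; nat=$2; int=$3; srv=$4; port=$5
    dnat=$(rule_pkts "$nat" PREROUTING "DNAT.*-- +$int +.*to:$srv:$port")
    fwd=$(rule_pkts "$filter" FORWARD "ACCEPT.*-- +$int +.*dpt:")
    if [ -z "$dnat" ]; then
        echo "NO_DNAT_RULE: no DNAT rule for $srv:$port on $int in nat/PREROUTING"
    elif [ "$dnat" = 0 ]; then
        echo "NO_INGRESS: the DNAT rule never matched, so port $port traffic is not arriving on $int (check upstream NAT/modem, public IP, the client side)"
    elif [ -z "$fwd" ] || [ "$fwd" = 0 ]; then
        echo "NO_FORWARD: DNAT matched but nothing in FORWARD accepted it (check FORWARD rules/policy and net.ipv4.ip_forward)"
    else
        echo "FORWARDED: packets left the firewall; look at the DMZ host (service listening, host firewall, default route back via the firewall)"
    fi
}

# Constructed sample: the filter and nat tables gondolin posted in this thread
FILTER_SAMPLE=$(cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   61  4570 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   36  2884 ACCEPT     all  --  !eth2  any     anywhere             anywhere            state NEW

Chain FORWARD (policy ACCEPT 43M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth2   eth0    anywhere             gondor              tcp dpt:http-alt
    0     0 ACCEPT     tcp  --  eth2   any     anywhere             anywhere            state NEW tcp dpt:http-alt
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            state NEW tcp dpt:http-alt

Chain OUTPUT (policy ACCEPT 1331K packets, 254M bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)
NAT_SAMPLE=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 960K packets, 79M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth2   any     anywhere             anywhere            tcp dpt:http-alt to:172.16.0.2:8080

Chain POSTROUTING (policy ACCEPT 192K packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth2    anywhere             anywhere
EOF
)

diagnose "$FILTER_SAMPLE" "$NAT_SAMPLE" eth2 172.16.0.2 8080
```

On a live box the same call is `diagnose "$(iptables -L -v)" "$(iptables -t nat -L -v)" eth2 172.16.0.2 8080`; zero the counters first with `iptables -Z` and `iptables -t nat -Z`, make one connection attempt from outside, then run it. The nat-side counter is the one to trust: the FORWARD counters in the thread's output are also zero, but that is a consequence of the missing ingress, not a separate fault.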
erik258 (Advocate; joined 12 Apr 2005; posts: 2650; location: Twin Cities, Minnesota, USA)
Posted: Fri Dec 08, 2006 6:19 pm

Code:
davey ~ # iptables -L -v
Chain INPUT (policy ACCEPT 2317K packets, 485M bytes)
 pkts bytes target     prot opt in     out     source               destination         
20460 7396K ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
   89 17986 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
 737K  402M ACCEPT     all  --  lo     any     anywhere             anywhere           
 128K   11M ACCEPT     all  --  ath0   any     anywhere             anywhere           
  26M 3633M ACCEPT     all  --  eth1   any     anywhere             anywhere           
    0     0 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
  388 35104 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
37195 1805K DROP       tcp  --  eth0   any     anywhere             anywhere            tcp dpts:0:1023
 630K  219M DROP       udp  --  eth0   any     anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy DROP 2828 packets, 174K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth1   eth1    anywhere             anywhere           
 140M   90G ACCEPT     all  --  any    any     192.168.0.0/16       anywhere           
    0     0 ACCEPT     all  --  eth1   any     192.168.0.0/16       anywhere           
    0     0 ACCEPT     all  --  ath0   any     192.168.0.0/16       anywhere           
 113M   97G ACCEPT     all  --  eth0   any     anywhere             192.168.0.0/16     
    0     0 ACCEPT     all  --  any    any     davey.spore.ath.cx   anywhere           

Chain OUTPUT (policy ACCEPT 29M packets, 4987M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  any    eth0    localhost            anywhere            tcp dpt:courier


and for nat...
Code:
davey ~ # iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 7137K packets, 940M bytes)
 pkts bytes target     prot opt in     out     source               destination         
36749 2203K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh to:192.168.1.99:22
 2720  152K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http to:192.168.1.99:80
    7   356 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:222 to:192.168.1.1:22
   17   844 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:223 to:192.168.1.100:22

Chain POSTROUTING (policy ACCEPT 206K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination         
2825K  226M MASQUERADE  all  --  any    eth0    anywhere             anywhere           

Chain OUTPUT (policy ACCEPT 157K packets, 9386K bytes)
 pkts bytes target     prot opt in     out     source               destination

gondolin (Apprentice; joined 09 Apr 2003; posts: 158)
Posted: Sun Dec 10, 2006 10:18 am

It's working. I have run my firewall script again and now I can log in. Thanks all for helping me.