bl00dlust (n00b)
Joined: 26 Jan 2004 Posts: 22
Posted: Mon Mar 22, 2004 4:18 pm Post subject: iptables port forwarding
hi!
I've got a problem with forwarding a port. I have a freshly set up Linux gateway, and I use masquerading (see rules below). What did I miss? Everything I tried until now didn't work (it rejects connections). Could you also give me some advice about security with iptables, since I am very new to this?
Code:
#flush
$iptables --flush
$iptables --table nat --flush
$iptables --delete-chain
$iptables --table nat --delete-chain
#masq
$iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
$iptables --append FORWARD --in-interface eth1 -j ACCEPT
#port
$iptables --append INPUT -p tcp --dport 80 -j ACCEPT
$iptables --table nat --append PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to 192.168.2$
_________________
Silent Night, Bodom Night ...
db_404 (Guru)
Joined: 05 Dec 2002 Posts: 336
Posted: Mon Mar 22, 2004 5:03 pm Post subject: Re: iptables port forwarding
bl00dlust wrote:
hi!
Code:
$iptables --append INPUT -p tcp --dport 80 -j ACCEPT
$iptables --table nat --append PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to 192.168.2$
I'm assuming the '$' on the end of the last line is a typo (otherwise that might be the source of your problem).
I have (for forwarding to an internal machine):
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.25:2456
I had to add an additional rule to my FORWARD chain, as I have some fairly restrictive rules there (I only forward from known IPs, so I had to explicitly allow stuff inbound to .25:2456 from any IP).
As for additional steps you can take, it makes sense to tighten up both the inbound and outbound side (for example, only your mail server really _needs_ to be sending traffic on port 25). Also make sure that your firewall box doesn't have anything you don't want available exposed to the internet (nmap or the like can be good for that). Adding some logging would help give you some warning of attacks, and also help with debugging the firewall rules - I log (and drop) all packets that end up not being explicitly handled by a rule.
bl00dlust (n00b)
Joined: 26 Jan 2004 Posts: 22
Posted: Tue Mar 23, 2004 1:14 pm Post subject:
Actually, it wasn't a typo, just a line wrap from nano, because I did a copy+paste.
This problem is absolutely driving me nuts; I tried everything I found on the net and nothing is working! Let me show you my current rules. As for my setup, I have a PPPoE connection on ppp0, and the internal NIC is eth1. I nmapped the 192.168.22.254 box and port 80 is definitely open and listened on. What could be wrong? I'm just about to teach my box to fly if I don't find a solution ...
My rules:
Code:
#flush
$iptables --flush
$iptables --table nat --flush
$iptables --delete-chain
$iptables --table nat --delete-chain
#masq
$iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
$iptables --append FORWARD --in-interface eth1 -j ACCEPT
$iptables --table nat --append POSTROUTING -s 192.168.22.0/24 -j SNAT --to-source $extip
#port
$iptables -A FORWARD -i ppp0 -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to-destination 192.168.22.254:80
pleeeeease help me with this guys :cry:
_________________
Silent Night, Bodom Night ...
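As an added example (not code from any poster in this thread), here is a complete ruleset that ties together what db_404 describes in his reply (a DNAT rule in PREROUTING plus a matching accept in FORWARD, and a default-drop policy that logs whatever no rule handled) and applies it to the setup bl00dlust posted above (ppp0 outside, eth1 inside, web server at 192.168.22.254:80). Three things this script makes explicit that a half-working port forward usually lacks: DNAT only rewrites the destination, the packet still has to pass the FORWARD chain in the filter table; the kernel must have ip_forward enabled or nothing is routed between the interfaces at all; and MASQUERADE already rewrites the source address for traffic leaving the PPP link, so a separate SNAT --to-source rule for the same traffic is redundant. The `ipt`, `apply_ruleset`, `enable_forwarding` and `check_ruleset` helpers and the DRY_RUN switch are my own additions; with DRY_RUN=1 the script prints the rules instead of applying them, so it can be reviewed (or compared against `iptables -S` on a running gateway) without root.

```shell
#!/bin/sh
# Added example: port forwarding on a masquerading gateway.
# Interface names, LAN subnet and server address are assumptions taken
# from the thread; adjust them for a real gateway.
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.22.0/24}"
WEB_HOST="${WEB_HOST:-192.168.22.254}"
WEB_PORT="${WEB_PORT:-80}"

# With DRY_RUN=1 every rule is printed instead of applied (no root needed).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The kernel must route between interfaces; DNAT alone does nothing without this.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

apply_ruleset() {
    # Clean slate in both the filter and the nat table.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -t nat -X

    # Default deny: anything not explicitly accepted is logged and dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Gateway itself: loopback, administration from the LAN side, and replies
    # to connections the gateway opened. Nothing is opened towards the WAN.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may go out; return traffic in either direction is allowed by state.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Port forward, part 1: rewrite the destination in the nat table ...
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$WEB_PORT" \
        -j DNAT --to-destination "$WEB_HOST:$WEB_PORT"
    # ... part 2: let the rewritten packet through FORWARD. Without this rule
    # the FORWARD DROP policy above silently discards every forwarded connection.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_HOST" \
        --dport "$WEB_PORT" -m state --state NEW -j ACCEPT

    # Source NAT for LAN traffic leaving on the PPP link. MASQUERADE picks up
    # the (dynamic) link address itself, so no SNAT --to-source rule is needed.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Log what falls through before the policy drops it; rate-limited so a
    # scan cannot fill the disk.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Review check on a rendered ruleset: the DNAT target must be paired with a
# FORWARD accept and forwarding must be switched on. Returns 1 if anything
# is missing, which is the usual reason a port forward "rejects connections".
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q -- "--to-destination $WEB_HOST:$WEB_PORT" || return 1
    printf '%s\n' "$rules" | grep -q -- \
        "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_HOST --dport $WEB_PORT" || return 1
    printf '%s\n' "$rules" | grep -q "ip_forward" || return 1
    return 0
}

# Stand-alone use: DRY_RUN=1 sh forward.sh prints and checks the ruleset.
if [ "${DRY_RUN:-0}" = 1 ]; then
    rendered="$(enable_forwarding; apply_ruleset)"
    printf '%s\n' "$rendered"
    check_ruleset "$rendered" && echo "ruleset OK"
fi
```

One caveat the ruleset does not cover: the DNAT rule matches only packets arriving on ppp0, so a client on the LAN that connects to the gateway's external address will not be forwarded; test the port forward from outside the LAN (or add a separate hairpin NAT rule for the LAN side).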
aifex (n00b)
Joined: 11 Mar 2004 Posts: 6 Location: Sweden
Posted: Wed Mar 24, 2004 2:37 pm Post subject:
I'm no expert at iptables, but I tried this:
http://easyfwgen.morizot.net/gen/index.php
and it works fine for me. You might use it and then compare your script with this.
db_404 (Guru)
Joined: 05 Dec 2002 Posts: 336
Posted: Wed Mar 24, 2004 6:50 pm Post subject:
The above link is great - it does a good job of setting up a firewall; I'll have to borrow some of those ideas.
Also, I did notice that you have a line with -j SNAT in it; I'm not sure you need that if you are already doing MASQUERADE.