grummelbart n00b
Posted: Sun Aug 01, 2004 6:37 pm Post subject: iptables forwarding, please help!
hi ppl,
I have a problem with setting up a firewall.
I don't know where the problem is, because it's a simple forwarding rule (I'm testing it with netcat).
I tried different things like "-P ACCEPT" for everything, adding POSTROUTING etc., but it still doesn't work.
Here is the code:
------------------------------------------------------------
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/tcp_ecn
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
printf " \e[1;32m*\e[0m Flushing all rules\n"
iptables -F
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
printf " \e[0;32m*\e[0m Dropping all packets...\n"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
printf " \e[0;32m*\e[0m Setting ICMP rulez\n"
iptables -A INPUT -p icmp -j ACCEPT #allow ping answers
iptables -A OUTPUT -p icmp -j ACCEPT #allow ping requests
printf " \e[0;32m*\e[0m Opening ports for services...\n"
#SSH
printf " \e[0;37m*\e[0m SSH\n"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
printf " \e[0;32m*\e[0m Activating forwarding...\n"
printf " \e[0;37m*\e[0m Port 6969 -> 192.168.1.2\n"
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6969 -j DNAT --to-destination 192.168.1.2
iptables -A FORWARD -d 192.168.1.2 -p tcp --dport 6969 -j LOG --log-prefix "lalalala: "
iptables -A FORWARD -d 192.168.1.2 -p tcp --dport 6969 -j ACCEPT
iptables -A FORWARD -d 192.168.1.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
------------------------------------------------------------
The logging of the established connections works:
Aug 1 20:31:31 plz-15 lalalala: IN=eth0 OUT=eth1 SRC=192.168.0.1 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=24150 DF PROTO=TCP SPT=36401 DPT=6969 WINDOW=0 RES=0x00 RST URGP=0
but it still doesn't reach the netcat daemon listening on 192.168.1.2.
Sorry for my bad English, hope you guys can help :)
r4d1x Apprentice
Posted: Mon Aug 02, 2004 5:03 am Post subject:
Try giving it a source address first, then your destination address. I would post part of my firewall, but I'm sitting at work and don't get off until tomorrow. I'll post it there. It looks to me like you need to specify a source and destination address rather than just a destination address.
jfave Tux's lil' helper
r4d1x Apprentice
Posted: Tue Aug 03, 2004 1:59 am Post subject:
Try something like this:
Code:
$iptables -A FORWARD -i eth0 -p tcp --dport 8131 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 1.1.1.1 --dport 8131 -j DNAT --to-destination 0.0.0.0:8131
replacing 1.1.1.1 with your external IP and 0.0.0.0 with your internal IP. This is what I use, and I haven't had any problems. There may be a cleaner way to do it, but hey, we're not all gurus, right?
legaultp n00b
Posted: Tue Aug 17, 2004 2:26 am Post subject: Cleaner Way... Yes
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8131 -j DNAT --to-destination 192.168.0.x:8131
Just replace the 192.168.0.x with the IP the port should go to,
and replace 8131 with the port you need.
I tested it because I needed it. I don't really have a static IP; that's why I modded it to fit my needs.
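Both replies boil down to the same DNAT rule. As an added example that is not any poster's script, here is a complete port forward that also supplies what the original script was missing: its FORWARD rules only matched packets going to 192.168.1.2, so replies coming back from 192.168.1.2 fell through to the FORWARD DROP policy. The interface, address and port are assumptions taken from the original post; set IPTABLES=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not a poster's script. Forward one TCP port from the
# external interface to an internal host, with FORWARD rules for both
# directions. Set IPTABLES=echo to print the rules instead of applying
# them (applying them needs root).
IPTABLES="${IPTABLES:-iptables}"

# forward_port EXT_IF INT_IP PORT
# Assumes the internal host's default route points back through this
# firewall, so conntrack un-DNATs the replies and no SNAT/MASQUERADE is
# needed for the forwarded connection itself.
forward_port() {
    ext_if=$1; int_ip=$2; port=$3

    # 1. Rewrite the destination before routing. Giving the port explicitly,
    #    as both replies in the thread do, keeps the target unambiguous.
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "${int_ip}:${port}"

    # 2. Let the first packet of a new connection through to the internal
    #    host. Matching on -i and -d limits the hole to this one service.
    $IPTABLES -A FORWARD -i "$ext_if" -d "$int_ip" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT

    # 3. Let tracked replies through in BOTH directions. The original script's
    #    ESTABLISHED rule matched only -d 192.168.1.2, so packets coming back
    #    from 192.168.1.2 hit the FORWARD DROP policy.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry run: return the three rules as text without touching the kernel.
render_rules() {
    (IPTABLES=echo; forward_port "$@")
}
```

Apply with `forward_port eth0 192.168.1.2 6969` after enabling ip_forward as the original script does; `render_rules eth0 192.168.1.2 6969` shows what would be run.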