geforce l33t
Joined: 29 Dec 2003 Posts: 654 Location: Canada
Posted: Tue Nov 20, 2007 3:11 am Post subject: iptables + dnat help |
Hi,
Okay, so I have a Linux server that I want to use as a firewall, with iptables. This server has 5 interfaces (2 onboard + 4 on an Intel quad-port; everything's working fine).
On the last interface (eth5), which I connect to the internet, I assign all my servers' IPs.
My servers are on a private network, behind the first card.
There is a script I built to automagically set up iptables (I removed the variables for security's sake).
Code:
```sh
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N SCANS
iptables -A SCANS -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A SCANS -p tcp --tcp-flags ALL ALL -j DROP
iptables -A SCANS -p tcp --tcp-flags ALL NONE -j DROP
iptables -A SCANS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -j SCANS
iptables -N KEEP_STATE
iptables -A KEEP_STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A KEEP_STATE -m state --state INVALID -j DROP
iptables -A INPUT -j KEEP_STATE
iptables -A OUTPUT -j KEEP_STATE
# ICMP (PING)
iptables -A INPUT -p icmp -j ACCEPT
# IGMP (multicast)
iptables -A INPUT -p igmp -j ACCEPT
# Services ports
iptables -A INPUT -p tcp -i $NIC_INTERNET --dport 2200 -j ACCEPT
iptables -A INPUT -p tcp -i $NIC_INTERNET --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i $NIC_INTERNET --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -i $NIC_INTERNET --dport 10000 -j ACCEPT
#########
# NAT
#########
# PC
# =======================================
# Masquerade 1
iptables -t nat -A POSTROUTING -s $RANGE_ADMIN -o $NIC_INTERNET -j MASQUERADE
# Masquerade 2
iptables -t nat -A POSTROUTING -s $RANGE_PUBLIC -o $NIC_INTERNET -j MASQUERADE
iptables -A FORWARD -i $NIC_ADMIN -j KEEP_STATE
iptables -A FORWARD -i $NIC_ADMIN -o $NIC_VIRTUEL -j ACCEPT
# SERVERS
# =============================
# ROOMALERT
iptables -A INPUT -p tcp -i eth5 -d $IP_EXT_ROOMALERT --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth5 -p tcp -d $IP_EXT_ROOMALERT --dport 80 -j DNAT --to-destination $IP_INT_ROOMALERT:80
# outgoing connections
iptables -A FORWARD -i $NIC_SERVICES -j KEEP_STATE
iptables -A FORWARD -i $NIC_SERVICES -o $NIC_VIRTUEL -j ACCEPT
# Log and drop all the other packets
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -Z
```
With the default policies, it works perfectly if I enter those commands:
Code:
```sh
iptables -A INPUT -p tcp -i eth5 -d $IP_EXT_ROOMALERT --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth5 -p tcp -d $IP_EXT_ROOMALERT --dport 80 -j DNAT --to-destination $IP_INT_ROOMALERT:80
```
However, using my script, it doesn't work, and I can see the packets in my logs.
Code:
```
Nov 19 12:01:45 firewallLinux kernel: [767569.195697] IN=eth5 OUT=eth4 SRC=199.202.104.233 DST=%The server's internal IP (192.168..)% LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=52928 DF PROTO=TCP SPT=31909 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
```
I really don't see the problem.
Thank you for any help !
--GeForce
http://tilde.club/~geforce/
Hu Administrator
Joined: 06 Mar 2007 Posts: 23082
Posted: Wed Nov 21, 2007 3:20 am Post subject: |
If you are trying to forward traffic for ROOMALERT to an internal host, you need to put the allow rule in FORWARD, not INPUT. INPUT is for packets destined for the local machine. FORWARD is for packets which are being routed by the local machine to another host.
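A worked version of the layout Hu describes, added here as an example and not part of the original thread. The log line in the first post already shows the mechanism: when the packet was logged its DST was the internal 192.168 address and it carried IN=eth5 OUT=eth4, so nat/PREROUTING had rewritten the destination before the routing decision and the kernel sent the packet through FORWARD, where the script has no accept rule for new connections arriving on the internet interface; it fell through to the LOG and DROP rules at the end. The INPUT rule for $IP_EXT_ROOMALERT can never match a DNAT'd packet, because after the rewrite the destination is not a local address. The script below is stand-alone: the interface names, the 203.0.113.10 and 192.168.10.20 addresses, and the DRY_RUN/run helpers are assumptions for illustration, and `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the poster's script.

```shell
#!/bin/sh
# Added example, not code from the original thread: publish one internal
# host through DNAT with the accept rule in FORWARD (where routed packets
# are filtered) instead of INPUT (which only sees packets addressed to the
# firewall itself). Interface names and addresses are constructed placeholders.
set -eu

NIC_INTERNET=${NIC_INTERNET:-eth5}
NIC_SERVICES=${NIC_SERVICES:-eth4}
IP_EXT_ROOMALERT=${IP_EXT_ROOMALERT:-203.0.113.10}   # assumed public IP (RFC 5737 range)
IP_INT_ROOMALERT=${IP_INT_ROOMALERT:-192.168.10.20}  # assumed internal IP
DRY_RUN=${DRY_RUN:-1}   # 1 = print the rules, 0 = load them with iptables (needs root)

# Either echo the rule or hand it to the real iptables binary.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dnat_roomalert() {
    # 1. nat/PREROUTING rewrites the destination *before* the routing
    #    decision, so the packet is routed to the LAN, not delivered locally.
    run -t nat -A PREROUTING -i "$NIC_INTERNET" -p tcp \
        -d "$IP_EXT_ROOMALERT" --dport 80 \
        -j DNAT --to-destination "$IP_INT_ROOMALERT:80"

    # 2. filter/FORWARD then sees the packet with the rewritten destination,
    #    so the match is on the internal address. Only the first packet of
    #    a connection is accepted here; the rest rides on conntrack state.
    run -A FORWARD -i "$NIC_INTERNET" -o "$NIC_SERVICES" -p tcp \
        -d "$IP_INT_ROOMALERT" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 3. Replies from the server and all later packets of the connection,
    #    in both directions, are accepted by state; conntrack reverses the
    #    DNAT on the replies by itself.
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Post-load check: the kernel must actually be routing (ip_forward=1) and
# the FORWARD rule for the internal address must be present; its packet
# counters in `iptables -L FORWARD -v -n` should grow with each new connection.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] &&
        iptables -L FORWARD -v -n | grep -q "$IP_INT_ROOMALERT"
}

dnat_roomalert
```

Run it as is to print the three rules; run it with DRY_RUN=0 as root to load them, then call check_forwarding. In the poster's script the reply direction is already covered by `iptables -A FORWARD -i $NIC_SERVICES -j KEEP_STATE`, so the one line missing there is the FORWARD accept for $IP_INT_ROOMALERT arriving on eth5, and the INPUT rule for $IP_EXT_ROOMALERT can be dropped. In a production rule set the ESTABLISHED,RELATED rule normally goes first in FORWARD so that established flows do not traverse the per-service rules.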
geforce l33t
Joined: 29 Dec 2003 Posts: 654 Location: Canada