LeRoy Cressy on Tue, 11 Mar 2003 07:19:07 -0500



Re: [PLUG] Iptables/Port Forwarding


In your original post you stated that apache was listening on port 8888. If this is so then apache needs to be configured on port 80. Also, I think your line

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

is not correct and you should specify the ports that get mangled as follows. This will add a layer of security with only certain ports allowed to get to the outside.

Before you can use nat you need to accept the packet as follows:

iptables -A block -m state --state NEW -p tcp -i eth0 --dport 80 -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Web Access Request "


iptables -A block -m state --state NEW -p tcp -i eth0 --dport 80 -j ACCEPT

Then you need to accept packets from eth1, which I am assuming is your LAN. For testing you can set up logging like:


# iptables -A block -m state --state NEW -i eth1 -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Accepted Packets from eth1 "

iptables -A block -m state --state NEW -i eth1 -j ACCEPT

As stated above I do not like masquerading so I use this:

# Set up the ip forwarding for the local network to get to the outside:
# (source restricted to the 192.168.1.0/24 LAN, one rule per allowed destination port)

iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 20 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 21 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 22 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 25 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 465 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 53 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 80 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 443 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 110 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 113 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 119 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 389 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 873 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 1024 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --dport 53 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --dport 1024 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 192.168.1.0/24 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 43 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 37 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 9412 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 11371 -j SNAT --to $RealIP


Finally, I've attached some experimental code I used when first setting up a firewall.



Naresh wrote:
LeRoy,

Its not working for some reason. I am pretty sure apache is running on
192.168.0.2 (I can get to it locally). BTW, I added your lines at
the end of my script (modified
eth0 -> eth1).

I did "links http://66.71.91.54:80" and I get not found. "links
192.168.0.2:80" works

Weird...

Naresh

On Mon, 10 Mar 2003, LeRoy Cressy wrote:


This is what I use:

iptables -t nat -A PREROUTING  -i eth0 -p tcp --dport 80  \
  -m limit --limit 1/hour  -j LOG --log-level info          \
  --log-prefix "Forward WWW Request "
iptables -t nat -A PREROUTING  -i eth0 -p tcp --dport 80  \
  -j DNAT --to 192.168.10.1

-i is the ethernet card connected to the Internet
-p tcp protocol
--dport 80 is the destination port.  Most web requests are sent on port
80 and unless you are using a closed private system that you do not want
the world to see then you should be using port 80 unless you mangle the
packet in the router and change the destination port of the incoming packet.

I hope this helps

Naresh wrote:

Group:

I have 2 computers, 1 of them the gateway has 2 NICs (eth0 && eth1), and
my other masqueraded client wants to be my webserver (port 80). I have my
simple masq rules set like this. The client can ping the outside world,
but when I do http://staticAddress:8888, I get an error.

----------------------------------------------------------------

IPTABLES=/sbin/iptables
EXTIF="eth1"
INTIF="eth0"
echo "1" > /proc/sys/net/ipv4/ip_forward

#CLEAR THE RULES
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#THE MAIN FORWARDING

$IPTABLES -t nat -A PREROUTING -p tcp -i eth1 -d 66.71.91.54 --dport 8888 -j DNAT --to 192.168.0.2:80

$IPTABLES -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT


Thanks, Naresh

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug











--
Rev. LeRoy D. Cressy   mailto:leroy@lrcressy.com   /\_/\
                       http://lrcressy.com        ( o.o )
                       Phone:  215-535-4037        > ^ <

gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)

Attachment: firewall-nat-experimental
Description: application/java-vm

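The rule set the thread is circling around, written out as one complete script. This is an added example, not code from LeRoy's attachment or from Naresh's script. It keeps Naresh's interface roles (EXTIF=eth1, INTIF=eth0) and addresses (66.71.91.54 forwarded to 192.168.0.2:80) as defaults; the LAN prefix 192.168.0.0/24, the egress port list and the variable names are assumptions. The point it makes that neither post states outright: Naresh's FORWARD rule matches `-i eth0`, but a connection to the public address enters the gateway on eth1 and is DNATed before routing, so the rule never matches and the FORWARD DROP policy discards it. The script matches the post-DNAT packet as it actually looks (in on EXTIF, destination already 192.168.0.2:80), and follows LeRoy's preference for SNAT to a fixed address over MASQUERADE, with egress limited to an explicit port list. DRY_RUN=1 (the default) prints the commands instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Two-NIC gateway: forward one public
# port to an internal web server, let the LAN out on listed ports only.
# Defaults follow the thread (EXTIF=eth1, INTIF=eth0, 66.71.91.54 -> 192.168.0.2:80);
# the LAN prefix and the egress port list are assumptions.
# DRY_RUN=1 (default) prints the iptables commands instead of applying them.

EXTIF="${EXTIF:-eth1}"                    # NIC facing the Internet
INTIF="${INTIF:-eth0}"                    # NIC facing the LAN
LAN="${LAN:-192.168.0.0/24}"              # LAN prefix (assumption)
PUBIP="${PUBIP:-66.71.91.54}"             # address on EXTIF
WEBHOST="${WEBHOST:-192.168.0.2}"         # internal web server
WEBPORT="${WEBPORT:-80}"                  # port Apache listens on internally
EXTPORT="${EXTPORT:-80}"                  # port exposed on PUBIP
EGRESS_TCP="${EGRESS_TCP:-22 25 80 443}"  # LAN -> Internet TCP ports (assumption)

if [ "${DRY_RUN:-1}" = "1" ]; then
    IPT="echo iptables"
else
    IPT="iptables"
fi

build_rules() {
    # Policies and a clean slate. FORWARD defaults to DROP, so every
    # forwarded flow below has to be allowed explicitly.
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD
    $IPT -t nat -F

    # Replies to flows already accepted, in both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> Internet: only from the LAN prefix, only in via the LAN NIC, and
    # only to the listed ports. Tying -s "$LAN" to -i "$INTIF" means a packet
    # with a spoofed 192.168.0.x source arriving on EXTIF is not forwarded.
    for p in $EGRESS_TCP; do
        $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp -s "$LAN" --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -p udp -s "$LAN" --dport 53 \
        -m state --state NEW -j ACCEPT

    # Internet -> web server. nat/PREROUTING rewrites the destination before
    # the routing decision, so when FORWARD sees the packet it came in on
    # EXTIF and is already addressed to WEBHOST:WEBPORT. The FORWARD rule has
    # to match exactly that; a rule written with -i "$INTIF" never matches
    # and the DROP policy silently discards the connection.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$PUBIP" --dport "$EXTPORT" \
        -j DNAT --to-destination "$WEBHOST:$WEBPORT"
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$WEBHOST" --dport "$WEBPORT" \
        -m state --state NEW -j ACCEPT

    # Rate-limited log of whatever falls through; the policy then drops it.
    $IPT -A FORWARD -m limit --limit 1/minute -j LOG --log-prefix "FWD DROP "

    # Source NAT for LAN traffic leaving on EXTIF: fixed public address rather
    # than MASQUERADE, and restricted to the LAN prefix.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j SNAT --to-source "$PUBIP"
}

# Enable routing between the NICs and install the rules (real run only).
apply_rules() {
    if [ "${DRY_RUN:-1}" != "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    build_rules
}

apply_rules
```

Run it as root with `DRY_RUN=0` to apply. One caveat on testing: the PREROUTING rule only matches packets arriving on EXTIF, so a client inside the LAN that connects to the public address (its packet enters on INTIF) will not be forwarded; test the DNAT from a host on the outside.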