IPTABLES (linux 2.4) - Is the prerouting table the first to be checked?

From: Tony Kambourakis (akambour.spamfree@mbox.com.au)
Date: 05/02/02


From: "Tony Kambourakis" <akambour.spamfree@mbox.com.au>
Date: Thu, 2 May 2002 23:11:12 +1000

Hi all,

Firstly, some very useful information in this newsgroup. Thank you!

Environment: Redhat 7.2, iptables 1.2.4 on an old Pentium 133 (two NICs)
acting as a firewall/gateway for a small home network.

Having trouble with the line:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 10.1.1.17:80

where eth0 = external internet connection (cable) and 10.1.1.17 is the
internal web server.

I'm trying to port map 80 to an internal server.

"iptables -L --line-numbers -v -t nat -n" shows the following.....

Chain PREROUTING (policy ACCEPT 9448 packets, 1167K bytes)
num   pkts bytes target  prot opt in    out  source     destination
1        0     0 DNAT    tcp  --  eth0  *    0.0.0.0/0  0.0.0.0/   tcp dpt:80 to:10.1.1.17:80

When trying to hit port 80 from the internet, the "pkts" column does not
seem to increment. The "policy ACCEPT" counter does, though.

Would this rule not be the first that is checked before all other iptables
rules?
Is my assumption that the "pkts" column will increment when there is a match
correct?
Or could something more sinister be at play here? Perhaps another rule is
getting in the way.

If this is all gibberish and not enough information, I've provided the
script I'm trying to get working below.

Thanks.
Tony.

-------------------------
*Naturally, the real IP addresses have been changed to protect the innocent*
(-:
* This is quite a mixture of tutorials and other people's scripts in an effort
to try and grasp the concept of "iptables".
* It is a shemozzle of fragments

#!/bin/sh
#test
FWVER=0.63
echo -e "\n\nLINUX GATEWAY FIREWALL $FWVER.\n"

#Assign the path and name of the iptables program to a variable
IPTABLES=/sbin/iptables

#Assign the interfaces
EXTIF="eth0"
INTIF="eth1"
echo "External Interface: $EXTIF"
echo "Internal Interface: $INTIF"
EXTIP="198.54.210.20"
INTIP="10.1.1.1/24"
INTNET="10.1.1.0/24"
UNIVERSE="0.0.0.0/0"
PORTFWIP="10.1.1.17"

echo -en "loading modules.."
echo "Verifying that all kernel modules are ok"
/sbin/depmod -a

#to enable active FTP (non-PASV), uncomment the next line
#/sbin/insmod ip_nat_ftp

echo "Enabling IP FORWARDING.."
echo "1" > /proc/sys/net/ipv4/ip_forward

#to enable dynamic IP, uncomment the next line
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "Clearing existing rules and resetting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
#delete user defined chains
$IPTABLES -F
$IPTABLES -X
#zero IPTABLES counters
$IPTABLES -Z

#define "drop" user chain
echo "Creating user defined chain - drop"
$IPTABLES -N dropit
#$IPTABLES -A dropit -j LOG --log-level info --log-prefix LGFWALL
$IPTABLES -A dropit -j DROP

#load INPUT rulesets
echo "Loading INPUT rulesets..."
echo "- local loopback"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
echo "- local loopback local allow"
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
echo "- local loopback spoofing detection"
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j dropit
echo "- external ping allow"
#should switch this off later or at least add Ping of Death protection
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
echo "- external related traffic allow"
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "- catch all deny"
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j dropit

#load OUTPUT rulesets
echo "Loading OUTPUT rulesets..."
echo "- local loopback"
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
echo "- local loopback local allow (external ip)"
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
echo "- local loopback local allow (internal ip)"
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
echo "- outgoing to local network on remote interface block?"
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j dropit
echo "- catch all allow - normal traffic"
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
echo "- catch all deny"
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j dropit

#load FORWARD rulesets
echo "Loading FORWARD rulesets..."
echo "- PORTFW forwarding port 80 to 10.1.1.17"
$IPTABLES -A FORWARD -o $INTIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo "- allow all connections OUT, existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
echo "- catch all deny"
$IPTABLES -A FORWARD -j dropit

#enable DNAT (Destination NAT) port forwarding
#(nat PREROUTING is consulted before routing, and only for the first packet of each connection)
echo "Enabling DNAT port forwarding..."
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to-destination $PORTFWIP:80
#enable SNAT (Source NAT) masquerading on external interface
echo "Enabling SNAT..."
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
echo "Complete."
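A snapshot-comparison check for the counter question above. This is an added example, not part of the original post: it parses two constructed copies of the "iptables -t nat -L PREROUTING -v -n --line-numbers" output (the function names and sample counters are assumptions) and reports whether a test connection moved the numbered rule's "pkts" counter, only the chain policy counter, or neither.

```shell
#!/bin/sh
# Added example (not from the original post): compare two snapshots of
# "iptables -t nat -L PREROUTING -v -n --line-numbers" and say whether a test
# connection moved a numbered rule's pkts counter, only the chain policy
# counter, or neither. Both snapshots below are constructed to mirror the
# post's output; on a real box capture them with the iptables command itself
# (add -x so large counters are not abbreviated with K/M suffixes).

BEFORE='Chain PREROUTING (policy ACCEPT 9448 packets, 1167K bytes)
num   pkts bytes target  prot opt in    out  source     destination
1        0     0 DNAT    tcp  --  eth0  *    0.0.0.0/0  0.0.0.0/0  tcp dpt:80 to:10.1.1.17:80'

# After a test connection that never reached the rule: only the policy moved.
AFTER_MISS='Chain PREROUTING (policy ACCEPT 9451 packets, 1168K bytes)
num   pkts bytes target  prot opt in    out  source     destination
1        0     0 DNAT    tcp  --  eth0  *    0.0.0.0/0  0.0.0.0/0  tcp dpt:80 to:10.1.1.17:80'

# After a test connection that matched: the rule counter moved by one, because
# the nat table only sees the first packet of each connection.
AFTER_HIT='Chain PREROUTING (policy ACCEPT 9448 packets, 1167K bytes)
num   pkts bytes target  prot opt in    out  source     destination
1        1    60 DNAT    tcp  --  eth0  *    0.0.0.0/0  0.0.0.0/0  tcp dpt:80 to:10.1.1.17:80'

# policy_pkts SNAPSHOT: packet count from the "Chain ... (policy ACCEPT N packets" header
policy_pkts() {
    printf '%s\n' "$1" | awk '/^Chain / { sub(/^.*policy [A-Z]+ /, ""); print $1; exit }'
}

# rule_pkts SNAPSHOT RULENUM: pkts column of the numbered rule (empty if absent)
rule_pkts() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# verdict BEFORE AFTER RULENUM: "rule", "policy" or "none"
verdict() {
    r0=$(rule_pkts "$1" "$3"); r1=$(rule_pkts "$2" "$3")
    p0=$(policy_pkts "$1");    p1=$(policy_pkts "$2")
    if [ "${r1:-0}" -gt "${r0:-0}" ]; then echo rule
    elif [ "$p1" -gt "$p0" ]; then echo policy
    else echo none; fi
}

echo "miss: $(verdict "$BEFORE" "$AFTER_MISS" 1)"   # miss: policy
echo "hit:  $(verdict "$BEFORE" "$AFTER_HIT" 1)"    # hit:  rule
```

Take the first snapshot, open one fresh connection to port 80 from outside, then take the second; a "policy" verdict means the packet reached PREROUTING but did not match the rule's interface, protocol or port, while "none" means it never reached the box at all.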
