IPTables port forwarding issues
- From: fubar2007@xxxxxxxxxxxxxx
- Date: 27 Mar 2007 02:14:19 -0700
Hi all,
Sorry, I know this is covered on the net in various places, but I
cannot seem to get what seems like straightforward stuff working, even
after trying various different solutions. Below is an unfinished firewall
script that is currently used in a test setup. I cannot, however, get
port 9023 to port forward from the firewall to an internal box's IP
address. When I used nmap it returns "filtered"? Any suggestions on what
I'm missing here? In the test setup this box is providing NATed
internet access.
I have marked the latest lines I have been attempting to use
with !!! in the comment line. Please help, this is driving me insane :(
Thanks in advance
(Trying to forward port 9023 from interface eth6 to an IP attached to
interface eth5.) Ethernet name conventions below: MAIN and WAN.
echo Flushing everything in the current setup
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
echo Setup default policies to handle unmatched traffic to drop all traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo Setup ethernet name conventions
export MAIN=eth5
export NET1=eth4
export NET2=eth0
export WAN=eth6
export LOOPBACK=lo
#export VPN=tap0
#export VPNBR=br0
export IPVPNMAIN=192.168.1.6
export IPVPNBRIDGE=192.168.1.7
export EXTERNALIP=xxx.yyy.zzz.ttt
echo Allowing incoming links from all network adapters to SSHD - Separate rules
iptables -A INPUT --protocol tcp --dport 10589 -i ${MAIN} -j ACCEPT
iptables -A INPUT --protocol tcp --dport 10589 -i ${NET1} -j ACCEPT
iptables -A INPUT --protocol tcp --dport 10589 -i ${NET2} -j ACCEPT
iptables -A INPUT --protocol tcp --dport 10589 -i ${WAN} -j ACCEPT
echo Open external port to be forwarded next, for OpenVPN SSH Remote Access
iptables -A INPUT --protocol tcp --dport 9023 -i ${WAN} -j ACCEPT
echo Allowing incoming links forwarded to VPN Machine for SSH Links
#iptables -t nat -A PREROUTUING --protocol tcp --dport 9023 -j DNAT --to ${IPVPNMAIN}:9023
echo Setup Logging and destruction of Spoofed Internal packets, not created from external networks
iptables -A INPUT -j LOG -i ${MAIN} \! -s 192.168.1.0/24
iptables -A INPUT -j LOG -i ${NET1} \! -s 192.168.11.0/24
iptables -A INPUT -j LOG -i ${NET2} \! -s 192.168.12.0/24
iptables -A INPUT -j DROP -i ${MAIN} \! -s 192.168.1.0/24
iptables -A INPUT -j DROP -i ${NET1} \! -s 192.168.11.0/24
iptables -A INPUT -j DROP -i ${NET2} \! -s 192.168.12.0/24
echo Block packets from network addresses outside of the source address range - IP Spoofing
iptables -A INPUT -j LOG \! -i ${MAIN} -s 192.168.1.0/24
iptables -A INPUT -j LOG \! -i ${NET1} -s 192.168.11.0/24
iptables -A INPUT -j LOG \! -i ${NET2} -s 192.168.12.0/24
iptables -A INPUT -j DROP \! -i ${MAIN} -s 192.168.1.0/24
iptables -A INPUT -j DROP \! -i ${NET1} -s 192.168.11.0/24
iptables -A INPUT -j DROP \! -i ${NET2} -s 192.168.12.0/24
echo Protect loopback systems from IP Spoofing
iptables -A INPUT -j DROP -i \! ${LOOPBACK} -s 127.0.0.0/255.0.0.0
echo Allowing previously initiated and accepted exchanges to bypass remaining rule checking
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i ${WAN} -p \! icmp -j ACCEPT
echo Allow all connections from the localhost
iptables -A INPUT -j ACCEPT -i ${LOOPBACK}
echo Allowing connections to Squid Proxy Server from dialer networks
iptables -A INPUT --protocol tcp --dport 3128 -i ${NET1} -j ACCEPT
iptables -A INPUT --protocol tcp --dport 3128 -i ${NET2} -j ACCEPT
echo Allowing DNS Forwarder and Caching hosted by this server to be accessed by everyone but not WAN
iptables -A INPUT -p UDP --dport 53 -i ${MAIN} -j ACCEPT
iptables -A INPUT -p UDP --dport 53 -i ${NET1} -j ACCEPT
iptables -A INPUT -p UDP --dport 53 -i ${NET2} -j ACCEPT
echo Allow all connections from the Network Servers
iptables -A INPUT -s 192.168.1.5 -j ACCEPT
iptables -A INPUT -s 192.168.11.5 -j ACCEPT
iptables -A INPUT -s 192.168.12.5 -j ACCEPT
### NOTE NOT REQUIRED ALL OUTGOING ALLOWED ### -> To be corrected later
# echo Allow DNS Resolution
# iptables -A OUTPUT -o ${WAN} -p udp --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o ${WAN} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
echo Lock down system services to the main network only
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ${MAIN} -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${MAIN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${MAIN} -j REJECT
echo Dropping any other outside generated connections
iptables -A INPUT -m state --state NEW -i ${WAN} -j DROP
#echo Enabling IP Masq to enable NAT style internet IP Redirection Access
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# !!! THESE ARE ATTEMPTED PORT FORWARDING RULES CURRENTLY NOT WORKING :(
iptables -A FORWARD -i ${WAN} -o ${MAIN} -p tcp --dport 9023 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d ${EXTERNALIP} --dport 9023 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${IPVPNMAIN}:9023
iptables -t nat -A POSTROUTING -d ${IPVPNMAIN} -s 192.168.1.0 -p tcp --dport 9023 -m state --state NEW,ESTABLISHED,RELATED -j SNAT --to ${IPVPNMAIN}
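For comparison, here is an added example (not from the original post) of a minimal DNAT port forward in the same style, with the flush and counter checks that show whether the rules are being matched; the interface names and 192.168.1.6 follow the post, and 203.0.113.10 is a placeholder for the external address.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal TCP port forward in
# the post's style, plus the checks that show whether it is being hit.
# Interfaces and addresses are placeholders: eth6 = WAN, eth5 = MAIN,
# 192.168.1.6 = the VPN host, 203.0.113.10 stands in for the external IP.
# IPT can be overridden (IPT=echo) to preview the rules without applying them.
IPT=${IPT:-iptables}

# Forward TCP port $5 arriving on $1 for address $3 to host $4 behind $2.
port_forward() {
    wan_if=$1; lan_if=$2; ext_ip=$3; int_ip=$4; port=$5
    # Routing between interfaces must be on, or DNATed packets never leave the box.
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] \
        || echo "warning: net.ipv4.ip_forward is not 1" >&2
    # Rewrite the destination before the routing decision. Only the first
    # packet of a connection is seen by the nat table, so no state match here.
    $IPT -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$ext_ip" --dport "$port" \
        -j DNAT --to-destination "$int_ip:$port"
    # After DNAT the packet is routed to the LAN, so it traverses FORWARD and
    # never INPUT: an INPUT ACCEPT for the port on the WAN side does nothing.
    # With a FORWARD policy of ACCEPT these two rules are no-ops, but they are
    # what keeps the forward working once the policy is tightened to DROP.
    $IPT -A FORWARD -i "$wan_if" -o "$lan_if" -p tcp -d "$int_ip" --dport "$port" \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Reaching the external IP from the LAN itself (hairpin) would also need an
    # SNAT in POSTROUTING to the firewall's own LAN address; SNAT to the target
    # host's address does not provide that.
}

# Flush everything. Note that a bare "iptables -F" only touches the filter
# table: the nat table keeps its rules unless flushed explicitly, so rerunning
# a script without this adds duplicate DNAT rules.
flush_all() {
    $IPT -F
    $IPT -t nat -F
}

# Show packet counters for the nat and filter rules; a DNAT rule whose
# counter stays at 0 while a client is connecting is not matching at all
# (wrong -d address, wrong interface), and then FORWARD is never reached.
show_forward() {
    $IPT -t nat -L PREROUTING -n -v --line-numbers
    $IPT -L FORWARD -n -v --line-numbers
}

# Usage: flush_all; port_forward eth6 eth5 203.0.113.10 192.168.1.6 9023; show_forward
# Preview without applying: IPT=echo port_forward eth6 eth5 203.0.113.10 192.168.1.6 9023
```

Run show_forward while nmap is probing the port: if the PREROUTING counter increments but the FORWARD one does not, the packet is being DNATed and then dropped on the way to the internal host, which is the difference a "filtered" result alone does not reveal.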