LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 12-13-2007, 03:29 AM   #1
sunlinux
Member
 
Registered: Feb 2006
Distribution: RHCL 5
Posts: 224

Rep: Reputation: 30
host exposing to internet using NAT


Hi, I have configured my ADSL modem in Linux as ppp0, and I am using NAT in Linux to connect the LAN to the internet. OK, fine.

Now I want a LAN server, 192.168.2.3:80 (HTTP), to be exposed to the internet directly. Please guide me on how I can do it.

I am pasting my NAT configuration:
Code:
INTIF="eth0"
EXTIF="ppp0"
# Current address of the PPP link, cut out of the "inet addr:" field of ifconfig
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo " Enabling Kernel IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Flushing ip router through: $EXTIF"
echo " External interface IP address is: $EXTIP"

echo " Loading Kernel server rules..."

# Clearing any existing rules and setting default policy
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F
# Only replies to existing connections are let back into the LAN; everything
# else that reaches FORWARD hits the catch-all DROP below, so any rule that
# should accept new connections has to be placed before that DROP
/sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
# Hide LAN addresses behind the address of the PPP link
/sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
 
Old 12-13-2007, 07:02 AM   #2
testing
LQ Newbie
 
Registered: Nov 2007
Posts: 8

Rep: Reputation: 2
Put this in your NAT file:
Code:
# Rewrite the destination of new (SYN) TCP/80 connections so they are routed to the LAN web server;
# the FORWARD chain still has to accept the rewritten packets
/sbin/iptables -t nat -A PREROUTING -p tcp --syn --dport 80 -j DNAT --to-destination 192.168.2.3
 
Old 12-13-2007, 11:58 PM   #3
sunlinux
Member
 
Registered: Feb 2006
Distribution: RHCL 5
Posts: 224

Original Poster
Rep: Reputation: 30
Sorry, the above code didn't help me out. On checking open ports it shows: the port is showing but filtered.

PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
29/tcp filtered msg-icp
67/tcp filtered dhcps
80/tcp open http

Last edited by sunlinux; 12-14-2007 at 12:52 AM.
 
Old 12-14-2007, 02:37 AM   #4
sunlinux
Member
 
Registered: Feb 2006
Distribution: RHCL 5
Posts: 224

Original Poster
Rep: Reputation: 30
Please help me, guys.
 
Old 12-14-2007, 03:54 AM   #5
SiegeX
Member
 
Registered: Jul 2004
Location: Silicon Valley, CA
Distribution: Slackware
Posts: 171

Rep: Reputation: 38
Make sure that you set the "INTRANGE" variable to the correct network for your LAN; I just guessed based upon your web server IP. Also, I allowed SSH and FTP into your firewall; I wanted you to see how to do multiple ports on one rule. Go ahead and remove (or add to) those ports if you want. Oh yeah, I simplified the command to get your EXTIP; you can do the whole thing with awk.

Code:
#!/bin/bash

# Setup Program Variables
IPTABLES=$(which iptables)
MODPROBE=$(which modprobe)

# Setup Interface & Network Variables
INTIF="eth0"
INTRANGE="192.168.2.0/24"
EXTIF="ppp0"

# Setup IP Variables
WEBSERVER="192.168.2.3"
# Match "inet addr" rather than "inet" so an "inet6 addr" line on the same interface is not picked up too
EXTIP=$(ifconfig $EXTIF | awk '/inet addr/{split($2,arr,":");print arr[2]}')

echo "Loading required stateful/NAT kernel modules..."
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE ip_nat_irc
$MODPROBE ip_conntrack_irc

echo " Enabling Kernel IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Flushing ip router through: $EXTIF"
echo " External interface IP address is: $EXTIP"

echo " Loading IPTables rules..."

# Clearing any existing rules and setting default policy 
for table in filter nat mangle raw; do
      $IPTABLES -t $table --flush
      $IPTABLES -t $table --delete-chain
done

$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT

# Masquerade outgoing LAN traffic
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTRANGE -j MASQUERADE

# Port Forward HTTP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -m state --state NEW -j DNAT --to-destination $WEBSERVER
$IPTABLES -A FORWARD -o $INTIF -d $WEBSERVER -p tcp --dport 80 -j ACCEPT

# Allow SSH and FTP traffic to this box
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state NEW -m multiport --dports 21,22 -j ACCEPT

# Allow all traffic from localhost
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow forwarding of all LAN traffic
$IPTABLES -A FORWARD -i $INTIF -s $INTRANGE -j ACCEPT

# Allow ESTABLISHED,RELATED Traffic
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Last edited by SiegeX; 12-14-2007 at 04:00 AM.
 
Old 12-14-2007, 05:11 AM   #6
sunlinux
Member
 
Registered: Feb 2006
Distribution: RHCL 5
Posts: 224

Original Poster
Rep: Reputation: 30
Great, SiegeX,

But I would request you to give me the scripts/lines so that I can edit them into my NAT file as already pasted above.

If I run your script, it will flush my preconfigured script, in which I customized access to LAN and WAN hosts.

Please.
 
Old 12-14-2007, 03:18 PM   #7
SiegeX
Member
 
Registered: Jul 2004
Location: Silicon Valley, CA
Distribution: Slackware
Posts: 171

Rep: Reputation: 38
Your provided script had no such "customized access" rules, therefore I did not provide them. My script is not written in stone; go ahead and add any extra rules you feel necessary.
 
Old 12-15-2007, 04:08 AM   #8
sunlinux
Member
 
Registered: Feb 2006
Distribution: RHCL 5
Posts: 224

Original Poster
Rep: Reputation: 30
Below is my customized NAT script. Please tell me where I put your code to expose a LAN host, 192.168.2.3:80, to the internet.

Code:
INTIF="eth0"
EXTIF="ppp0"
# Current address of the PPP link, cut out of the "inet addr:" field of ifconfig
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo " Enabling Kernel IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Flushing ip router through: $EXTIF"
echo " External interface IP address is: $EXTIP"

echo " Loading Kernel server rules..."

# Clearing any existing rules and setting default policy
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F
# Replies to existing connections are let back into the LAN
/sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP 995 (POP3S), TCP 465 (SMTPS) and UDP 53 (DNS) are forwarded for any host;
# -I inserts these at the top of the chain, ahead of the rule above
/sbin/iptables -I FORWARD -m tcp -p tcp --dport 995 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp --dport 465 -j ACCEPT
/sbin/iptables -I FORWARD -m udp -p udp --dport 53 -j ACCEPT

# Destination range that no host may reach over TCP
/sbin/iptables -I FORWARD -m iprange --dst-range 209.85.201.189-209.85.201.190 -p tcp -j REJECT
# Per-host allow list by source MAC address. Several entries below are malformed
# (a '-' in place of ':' or fewer than six octets); iptables rejects those lines,
# so the hosts they were meant to allow are not actually allowed
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:08:A1:68:CF:AF -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:13:CE:94:8A:B1 -j ACCEPT #
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:13:02:A4:6A:0C -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:0F:B0:88-5E:B5 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:133:FD:49:A2 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:0E:351:74:57 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:192:1C:16:71 -j ACCEPT #
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:0E:351:74:57 -j ACCEPT #
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:16:17D:99:21 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:1A:64:70:F2:12 -j ACCEPT
/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:13:02:32:76:52 -j ACCEPT
#/sbin/iptables -I FORWARD -m tcp -p tcp -d 0/0 -m mac --mac-source 00:19:21:6E:5E:FA -j ACCEPT
# Drop echo requests (ping) to this box from every host except 192.168.123.4
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -s ! 192.168.123.4 -j DROP
#/sbin/iptables -A INPUT -s 192.168.123.43 -j DROP

# One host may reach a specific destination range over HTTP and one destination over HTTPS
/sbin/iptables -A FORWARD -s 192.168.123.55 -m iprange --dst-range 220.226.204.70-220.226.204.115 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.123.55 -d 220.226.204.106 -p tcp --dport 443 -j ACCEPT

# Address ranges that may not connect to this box over TCP
#/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.10-192.168.123.11 -p tcp -j DROP
/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.51-192.168.123.52 -p tcp -j DROP
#/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.75-192.168.123.99 -p tcp -j DROP
/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.100-192.168.123.107 -p tcp -j DROP
#/sbin/iptables -I FORWARD -m iprange --src-range 192.168.123.100-192.168.123.107 -p tcp -d 0/0 -j ACCEPT
/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.162-192.168.123.250 -p tcp -j DROP
/sbin/iptables -A INPUT -m iprange --src-range 192.168.123.253-192.168.123.254 -p tcp -j DROP

# Everything not matched above is dropped; hide LAN addresses behind the PPP link
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Last edited by sunlinux; 12-15-2007 at 04:10 AM.
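The thread ends before anyone shows the merged script, so here is an added example (not code from sunlinux, testing or SiegeX) of where the two port-forward rules belong in the original script and why post #2's single DNAT rule was not enough. The `echo iptables` dry-run default and the `/sbin/iptables` path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. A DNAT port forward needs two rules:
# post #2 gave only the nat one, and the rewritten packet then enters FORWARD,
# where sunlinux's script accepts nothing but ESTABLISHED,RELATED before its
# catch-all "-A FORWARD -j DROP". IPTABLES defaults to "echo iptables" so the
# rule set can be reviewed without root; set IPTABLES=/sbin/iptables to apply it.
IPTABLES=${IPTABLES:-"echo iptables"}

INTIF="eth0"
EXTIF="ppp0"
WEBSERVER="192.168.2.3"   # LAN web server named in the thread
WEBPORT="80"

load_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    # nat/PREROUTING: rewrite the destination of new inbound TCP/80 connections.
    # Matching -i $EXTIF leaves LAN clients' own port-80 traffic untouched.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$WEBPORT" \
        -m state --state NEW -j DNAT --to-destination "$WEBSERVER"

    # filter/FORWARD: the DNATed SYN needs an explicit ACCEPT, limited to this
    # one host and port, and it must come BEFORE the catch-all DROP.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WEBSERVER" -p tcp \
        --dport "$WEBPORT" -m state --state NEW -j ACCEPT

    # Replies from the web server travel eth0 -> ppp0. The original rule only
    # accepted ESTABLISHED,RELATED for ppp0 -> eth0, so drop the interface
    # restriction or the SYN-ACK never leaves the LAN.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The remainder of the original script stays as it was.
    $IPTABLES -A FORWARD -j DROP
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Dry-run check on rule order: the ACCEPT for the web server has to be emitted
# before the catch-all DROP, otherwise the kernel never reaches it.
accept_before_drop() {
    load_rules | awk -v ws="$WEBSERVER" '
        index($0, "-A FORWARD") && index($0, "-d " ws) && /-j ACCEPT/ && !a { a = NR }
        /-A FORWARD -j DROP/ { d = NR }
        END { exit !(a && d && a < d) }'
}

load_rules
```

Appending the ACCEPT with `-A` after the existing `-A FORWARD -j DROP` line, which is what a copy-paste to the end of the script would do, fails the order check and never forwards anything.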
 
  

