LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 03-03-2008, 08:23 AM   #1
mrlinux2000
Member
 
Registered: Feb 2008
Posts: 144

Rep: Reputation: 15
iptables


These are the commands that I want to apply so that external people can get access to my local HTTP port:


iptables -A PREROUTING -t nat -p tcp -d int-ip --dport 23 -j DNAT --to-destination 198.168.1.12:23
iptables -A PREROUTING -t nat -p tcp -d int-ip --dport 80 -j DNAT --to-destination 198.168.1.12:80


and it is OK.

But when I apply these commands before them:

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -F -t filter
iptables -F -t nat
iptables -F -t mangle

I cannot ping and have no access to the local HTTP or telnet, even if I specify
the external address:
iptables -A PREROUTING -t nat -p tcp -s allowed-ip -d int-ip --dport 23 -j DNAT --to-destination 198.168.1.12:23

Nothing, not even ping!

Any help?
 
Old 03-03-2008, 12:13 PM   #2
mtimbro
Member
 
Registered: Feb 2008
Location: Montreal, Canada
Distribution: RedHat 3/4, Ubuntu 7.10
Posts: 86

Rep: Reputation: 15

Quote:
Originally Posted by mrlinux2000
These are the commands that I want to apply so that external people can get access to my local HTTP port:


iptables -A PREROUTING -t nat -p tcp -d int-ip --dport 23 -j DNAT --to-destination 198.168.1.12:23
iptables -A PREROUTING -t nat -p tcp -d int-ip --dport 80 -j DNAT --to-destination 198.168.1.12:80


and it is OK.

But when I apply these commands before them:

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -F -t filter
iptables -F -t nat
iptables -F -t mangle

I cannot ping and have no access to the local HTTP or telnet, even if I specify
the external address:
iptables -A PREROUTING -t nat -p tcp -s allowed-ip -d int-ip --dport 23 -j DNAT --to-destination 198.168.1.12:23

Nothing, not even ping!

Any help?
The problem is you're dropping all packets regardless, as your default policy for the INPUT chain is DROP.

Under your PREROUTING rules you have to ACCEPT incoming packets for both your ports, i.e.:

iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 23 -i eth1 -j ACCEPT

Hope this helps.

Last edited by mtimbro; 03-03-2008 at 12:52 PM.
 
Old 03-03-2008, 02:56 PM   #3
archer
LQ Newbie
 
Registered: Mar 2008
Posts: 28

Rep: Reputation: 15
enable/disable access

Hi, I want to know how to disable/enable access to a site with iptables.
I have read many tutorials for iptables. Could someone tell me how to do it? (If it cannot be done, reply to me that it cannot be done.) And something more: if what I asked for can be done, how do we discover the IP of a site?

I am sorry if you became tired reading my post!
(Please try to answer quickly.)
Thank you very much!
 
Old 03-04-2008, 04:51 AM   #4
mrlinux2000
Member
 
Registered: Feb 2008
Posts: 144

Original Poster
Rep: Reputation: 15
Sorry, but this didn't work...
Thank you.
 
Old 03-04-2008, 05:17 AM   #5
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
@ archer :

To enable or disable access: yes, both can be done.
To discover the IP: turn on the iptables logging feature.

@ mrlinux :

Don't just do the -P FORWARD DROP without explicitly stating what can be forwarded --> that will stop all forwarding --> you will go nowhere.

HTH.
 
Old 03-04-2008, 07:38 AM   #6
archer
LQ Newbie
 
Registered: Mar 2008
Posts: 28

Rep: Reputation: 15
Because I am new to iptables, could you tell me:
1) How to enable the iptables logging feature?
2) How can I tell iptables not to have access to a site?

Sorry for the many questions!
Thank you for the quick answer!
archer
 
Old 03-04-2008, 08:52 AM   #7
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
Quote:
Originally Posted by archer
Because I am new to iptables, could you tell me:
1) How to enable the iptables logging feature?
iptables -A INPUT -i <input_interface> -p <protocol> -j LOG

Quote:
2) How can I tell iptables not to have access to a site?
Suppose you are the site:

iptables -A INPUT -i <input_interface> -p <protocol> -j ACCEPT -----> to allow access

iptables -A INPUT -i <input_interface> -p <protocol> -j DROP ----> to deny

Quote:
Sorry for the many questions!
Thank you for the quick answer!
archer
You are very welcome.
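The LOG target answers the "how do we discover the IP" part only if somebody actually reads what the kernel writes. The following is an added example, not code from the thread or from any poster: a POSIX shell function that summarises kernel log lines produced by a LOG rule carrying a `--log-prefix`, counting new-connection attempts per source address and destination port. The rule in the comment, the prefix FW-WAN-NEW and the interface eth1 are assumptions; the four log lines are constructed sample data using RFC 5737 documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example, not from the thread. A rule like the following (assumed
# prefix, assumed outside interface eth1) makes the kernel write one line per
# new TCP connection attempt arriving from outside, rate-limited so the log
# cannot be flooded:
#
#   iptables -I INPUT -i eth1 -p tcp --syn -m limit --limit 6/minute \
#       -j LOG --log-prefix "FW-WAN-NEW: " --log-level 4
#
# The lines land in the kernel log (dmesg, /var/log/messages, journalctl -k).
# Constructed sample lines in that format stand in for the log file here.
SAMPLE_LOG='Mar  5 07:31:01 gw kernel: FW-WAN-NEW: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 SYN URGP=0
Mar  5 07:31:03 gw kernel: FW-WAN-NEW: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=5840 SYN URGP=0
Mar  5 07:31:09 gw kernel: FW-WAN-NEW: IN=eth1 OUT= SRC=203.0.113.42 DST=198.51.100.10 LEN=60 TTL=48 ID=9 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 SYN URGP=0
Mar  5 07:31:10 gw kernel: unrelated message without the prefix SRC=10.0.0.1'

# top_sources LOGTEXT [PREFIX]
# Prints "count source dport", most frequent first. Only lines carrying the
# prefix are counted, so unrelated kernel messages are ignored.
top_sources() {
    prefix="${2:-FW-WAN-NEW:}"
    printf '%s\n' "$1" | awk -v pfx="$prefix" '
        index($0, pfx) == 0 { next }
        {
            src = ""; dpt = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# attempts_from LOGTEXT ADDRESS
# Total logged attempts from one address, across all ports; handy when
# deciding whether a source deserves its own DROP rule.
attempts_from() {
    top_sources "$1" | awk -v a="$2" '$2 == a { n += $1 } END { print n + 0 }'
}

top_sources "$SAMPLE_LOG"
```

Run it as `sh summarise.sh` to see the table for the sample; on a real box, replace `$SAMPLE_LOG` with `"$(dmesg)"` or the contents of the messages file. The prefix is what makes the parsing reliable: without one, every kernel message containing `SRC=` would be counted.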
 
Old 03-04-2008, 01:45 PM   #8
mrlinux2000
Member
 
Registered: Feb 2008
Posts: 144

Original Poster
Rep: Reputation: 15
Please, I created this thread to solve my problem; if you don't mind, you can create your own.
 
Old 03-04-2008, 01:47 PM   #9
mrlinux2000
Member
 
Registered: Feb 2008
Posts: 144

Original Poster
Rep: Reputation: 15
And I still do not have a solution.

If I apply iptables -P INPUT DROP


and after it
iptables -A PREROUTING -t nat -p tcp -d ext_adr --dport 23 -j DNAT --to-destination 10.10.5.2:23

nothing works, not even ping!!
 
Old 03-04-2008, 10:16 PM   #10
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi mrlinux :

you have to exclude your desired protocol on both INPUT and PREROUTING to get your redirection to function.

so you must allow first in PREROUTING - then in INPUT chain.

example :
iptables -t nat -I PREROUTING -i <outside> -p tcp --dport 23 -j DNAT --to <inside:23>
iptables -I INPUT -i <outside> -p tcp --dport 23 -m state --state NEW -j LOG
iptables -I INPUT -i <outside> -p tcp --dport 23 -m state --state NEW -j ACCEPT

HTH.
 
Old 03-05-2008, 03:19 AM   #11
mrlinux2000
Member
 
Registered: Feb 2008
Posts: 144

Original Poster
Rep: Reputation: 15
As always, after iptables -P INPUT DROP, I can't ping or do anything.
 
Old 03-05-2008, 04:43 AM   #12
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi

OK, let's see what you have in your iptables rules, shall we?
So we will not be guessing why.
 
Old 03-05-2008, 05:48 AM   #13
mrlinux2000
Member
 
Registered: Feb 2008
Posts: 144

Original Poster
Rep: Reputation: 15
ext_ip: net IP
192.168.1.11: IP of the eth0 card
192.168.1.2: PC that I want to access from the net


iptables -A PREROUTING -t nat -p tcp -d ext_ip --dport 23 -j DNAT --to-destination 192.168.1.2:23
iptables -A OUTPUT -t nat -p tcp -d ext_ip --dport 23 -j DNAT --to-destination 192.168.1.2:23
iptables -A POSTROUTING -t nat -p tcp -d 192.168.1.2 -j SNAT --to-source 192.168.1.11
iptables -I INPUT -i ext_ip -p tcp --dport 23 -m state --state NEW -j LOG
iptables -I INPUT -i ext_ip -p tcp --dport 23 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 10.10.5.208 --dport 23 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
It is working...
But everything is open and I see attacks on my eth1, so when I add:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
it does not work.
 
Old 03-05-2008, 07:31 AM   #14
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi mrlinux

Quote:
ext_ip: net IP
192.168.1.11: IP of the eth0 card
192.168.1.2: PC that I want to access from the net


iptables -A PREROUTING -t nat -p tcp -d ext_ip --dport 23 -j DNAT --to-destination 192.168.1.2:23
iptables -A OUTPUT -t nat -p tcp -d ext_ip --dport 23 -j DNAT --to-destination 192.168.1.2:23
iptables -A POSTROUTING -t nat -p tcp -d 192.168.1.2 -j SNAT --to-source 192.168.1.11
iptables -I INPUT -i ext_ip -p tcp --dport 23 -m state --state NEW -j LOG
iptables -I INPUT -i ext_ip -p tcp --dport 23 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 10.10.5.208 --dport 23 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
It is working...
But everything is open and I see attacks on my eth1, so when I add:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
it does not work.
Sorry, I got so tired today and am not too comfortable reading,
but your iptables rules seem not in order.

Actually it's simple: that is because you did not allow localhost 127.0.0.1/8 to communicate either.
Code:
iptables -I INPUT -i lo -s 127.0.0.1/8 -j ACCEPT # allow localhost
iptables -I INPUT -i LAN_IF -s LAN_IP -d LAN_IP -j ACCEPT # allow LAN
iptables -I INPUT -i WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT # allow established session from WAN
iptables -I INPUT -i WAN_IF -m state ! --state RELATED,ESTABLISHED -j DROP # drop new or invalid session from WAN

iptables -t nat -I PREROUTING -i WAN_IF -p tcp --dport 23 -j DNAT --to LAN_IP:23 # redirecting telnet to inside
iptables -t nat -I POSTROUTING -o WAN_IF -j MASQUERADE # basic masquerade

iptables -P INPUT DROP

And you don't need to DROP the FORWARD and OUTPUT chains unless you have already mastered iptables. No offense.

Try step by step, analyze how it works, then customize once you get familiar with it.

HTH.

Last edited by rossonieri#1; 03-05-2008 at 07:34 AM.
 
Old 03-05-2008, 08:14 AM   #15
mrlinux2000
Member
 
Registered: Feb 2008
Posts: 144

Original Poster
Rep: Reputation: 15
Thank you for helping, but it works now because there was no forwarding between the two cards:

"iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED"
Thank you.
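The thread ends with the piece that was missing: port-forwarded packets are DNATed in PREROUTING and then traverse the FORWARD chain, not INPUT, so a DROP policy on FORWARD blocks them until an explicit accept exists. The script below is an added example written for this page, not the poster's script or anything from the thread: a complete, ordered rule set for a two-card router that forwards TCP/23 and TCP/80 to one LAN host while keeping DROP policies on INPUT and FORWARD. Interface names (eth1 outside, eth0 inside), the LAN network and the server address are assumptions set at the top; with DRY_RUN=1, the default, it only prints the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumptions: WAN_IF faces the
# internet, LAN_IF faces the LAN, and $SERVER should be reachable from outside
# on TCP/23 and TCP/80. DRY_RUN=1 prints the commands instead of running them.
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER="${SERVER:-192.168.1.2}"
ALLOWED_SRC="${ALLOWED_SRC:-}"   # optional: only this address may reach telnet
DRY_RUN="${DRY_RUN:-1}"

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

build_rules() {
    # Start clean. Policies stay ACCEPT until the allow rules exist, so an
    # admin session over the network is not cut off halfway through.
    ipt -P INPUT ACCEPT; ipt -P FORWARD ACCEPT; ipt -P OUTPUT ACCEPT
    ipt -F; ipt -t nat -F; ipt -t mangle -F

    # INPUT: traffic to the router itself. Loopback first (the thread's
    # "cannot do anything" symptom), then replies to its own connections,
    # the LAN, and rate-limited ping from outside.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # FORWARD: port-forwarded traffic passes here, not INPUT. After the DNAT in
    # PREROUTING the destination is already $SERVER, so match on it. This is
    # the rule the thread was missing.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" --dport 80 -m state --state NEW -j ACCEPT
    if [ -n "$ALLOWED_SRC" ]; then
        # Telnet is cleartext; when a single remote address is enough, limit it.
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -s "$ALLOWED_SRC" -d "$SERVER" --dport 23 -m state --state NEW -j ACCEPT
    else
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" --dport 23 -m state --state NEW -j ACCEPT
    fi
    # Log what the policies are about to drop, rate-limited against flooding.
    ipt -A FORWARD -m limit --limit 6/minute -j LOG --log-prefix "FW-FWD-DROP: "
    ipt -A INPUT -i "$WAN_IF" -m limit --limit 6/minute -j LOG --log-prefix "FW-IN-DROP: "

    # NAT: rewrite the destination on the way in, hide the LAN on the way out.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$SERVER:80"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 23 -j DNAT --to-destination "$SERVER:23"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Only now close the doors. OUTPUT stays ACCEPT for the router's own traffic.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

enable_forwarding() {
    # Without this the kernel never forwards between the two cards at all.
    if [ "$DRY_RUN" = 1 ]; then echo "sysctl -w net.ipv4.ip_forward=1"; else sysctl -w net.ipv4.ip_forward=1; fi
}

enable_forwarding
build_rules
```

Review the printed commands with `sh firewall.sh`, then apply them with `DRY_RUN=0 sh firewall.sh` as root (set `ALLOWED_SRC=a.b.c.d` to restrict telnet to one remote address, as the first post tried with `-s allowed-ip`). The order matters twice: the loopback and ESTABLISHED rules must exist before the policies become DROP, and the FORWARD accept matches on the post-DNAT destination, which is why it names the LAN server rather than the public address.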
 