01-16-2004, 09:52 AM   #1
LQ Newbie
Registered: Oct 2003
Posts: 1

iptables - change port and forward to an internal server

Hi all,

I have one firewall Red Hat 9 Linux box with 2 NICs: eth0 connected to the internet and eth1 to the LAN (192.168.0.x).

The LAN can access the internet OK, and the internet can access the FTP and web server on the firewall box by redirecting ports OK.

The problem is:
One database server is running on an internal server ( using TCP port 1972. I am trying to redirect connections from the internet using port 8892 to this internal database server running on and port 1972.

What is wrong in the script below??

PS: If I do not change the port (only redirect the address in the DNAT) it works.


#!/bin/sh
### Script - firewall

# internet configuration (the post's values were lost; placeholders below)
INET_IFACE="eth0"          # from the post: eth0 faces the internet
INET_IP="PUBLIC_IP_HERE"   # placeholder: the firewall's public address

# lan configuration
LAN_IFACE="eth1"           # from the post: eth1 faces the 192.168.0.x LAN
LAN_IP="192.168.0.1"       # placeholder: the firewall's LAN address
LAN_SERV1="192.168.0.10"   # placeholder: internal database server

# localhost configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"
# clear
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# set policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# bad_tcp_packets chain
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
#iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
#--log-prefix "Firewall-New not syn: "
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

# tcp rules
iptables -N tcp_packets
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

# udp rules
iptables -N udp_packets
iptables -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

# icmp rules
iptables -N icmp_packets
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -m limit --limit 1/S -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# INPUT chain #########

# bad TCP packets we don't want
iptables -A INPUT -p tcp -j bad_tcp_packets

# rules for special networks not part of the Internet
iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# special rule for DHCP requests from LAN, which are not caught properly otherwise
iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

# rules for incoming packets from the internet
iptables -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# log weird packets that don't match the above
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "Firewall-INPUT died: "

# FORWARD chain ######

# bad TCP packets we don't want
iptables -A FORWARD -p tcp -j bad_tcp_packets

# accept the packets we actually want to forward
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### used by DNAT -------------------
iptables -A FORWARD -i $INET_IFACE -p tcp --dport 1972 -j ACCEPT

# log weird packets that don't match the above.
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "Firewall-FORWARD died: "

# OUTPUT chain ######

# bad TCP packets we don't want
iptables -A OUTPUT -p tcp -j bad_tcp_packets

# special OUTPUT rules to decide which IP's to allow
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
#iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# log weird packets that don't match the above
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "Firewall-OUTPUT died: "

# nat table #######

# static internet ip

# or dhcp
#iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

# port redirect
iptables -t nat -A PREROUTING -p tcp --dport 8888 -j REDIRECT --to-ports 80
iptables -t nat -A PREROUTING -p tcp --dport 8889 -j REDIRECT --to-ports 21
iptables -t nat -A PREROUTING -p tcp --dport 8890 -j REDIRECT --to-ports 22

# DNAT -- ????????????
iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 8892 -j DNAT --to-destination $LAN_SERV1:1972

# save the rules
iptables-save > /etc/sysconfig/iptables
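The FORWARD chain sees a packet only after PREROUTING has already applied the DNAT, so the FORWARD ACCEPT rule must match the internal port (1972 here), not the public one (8892), which is what the script above does. As an added example (not from the post), this Python check parses an iptables-save dump and confirms that every port-translating DNAT rule has a FORWARD ACCEPT rule that can admit the translated packet; the internal address 192.168.0.10 and the dumps are constructed placeholders.

```python
import re

# Constructed iptables-save excerpt in the shape of the post's rules; the
# internal server address 192.168.0.10 is a placeholder, not from the post.
GOOD = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8892 -j DNAT --to-destination 192.168.0.10:1972
COMMIT
*filter
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 1972 -j ACCEPT
COMMIT
"""
# Same dump with the classic mistake: FORWARD matching the public port.
BAD = GOOD.replace("--dport 1972 -j ACCEPT", "--dport 8892 -j ACCEPT")

DNAT_RE = re.compile(
    r"^-A PREROUTING .*--dport (\d+) .*-j DNAT --to-destination ([\d.]+):(\d+)", re.M)
FWD_RE = re.compile(r"^-A FORWARD (.*) -j ACCEPT$", re.M)


def parse_dnat(dump):
    """(public_port, internal_ip, internal_port) for each port-translating DNAT rule."""
    return [(int(pub), ip, int(port)) for pub, ip, port in DNAT_RE.findall(dump)]


def forward_accepts(dump, ip, port):
    """True if some FORWARD ACCEPT rule matches the first (NEW) tcp SYN to ip:port."""
    for opts in FWD_RE.findall(dump):
        if "--state" in opts and "NEW" not in opts:
            continue  # ESTABLISHED,RELATED only: cannot admit the first SYN
        proto = re.search(r"(?:^| )-p (\w+)", opts)
        if proto and proto.group(1) != "tcp":
            continue
        dst = re.search(r"-d ([\d.]+)", opts)
        if dst and dst.group(1) != ip:
            continue
        dport = re.search(r"--dport (\d+)", opts)
        if dport and int(dport.group(1)) != port:
            continue  # rule filters on the wrong (e.g. pre-DNAT public) port
        return True
    return False


def check(dump):
    """Map each public port to whether its translated destination is forwardable."""
    return {pub: forward_accepts(dump, ip, port) for pub, ip, port in parse_dnat(dump)}


if __name__ == "__main__":
    print(check(GOOD), check(BAD))  # {8892: True} {8892: False}
```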

