iptables - change port and forward to a internal server

leandrok · 01-16-2004, 09:52 AM

Hi all,

I have one firewall Red Hat 9 Linux Box with 2 nics: eth0 connected to internet and eth1 to lan (192.168.0.x).

The lan can access internet ok and the internet can access ftp and web server on the firewall box redirecting ports ok.

The problem is:
One database server is running on internal server (192.168.0.2) using tcp 1972 port. I am tring to redirect connections from the internet using port 8892 to this internal database server running on 192.168.0.2 and 1972 port.

What is wrong on the script bellow ??

ps: If I do not change the port (only redirect de addres on dnat) it works.

tahnks.

### Script - firewall

# internet configuration
INET_IFACE="eth0"
#INET_IP="xxx.xxx.xxx.xxx"

# lan configuration
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
LAN_IFACE="eth1"
LAN_SERV1="192.168.0.2" # internal server

# localhost configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"

# clear
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# set policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# bad_tcp_packets chain
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
#iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
#--log-prefix "Firewall-New not syn: "
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

# tcp rules
iptables -N tcp_packets
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

# udp rules
iptables -N udp_packets
iptables -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

# icmp rules
iptables -N icmp_packets
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -m limit --limit 1/S -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# INPUT chain #########

# bad TCP packets we don't want
iptables -A INPUT -p tcp -j bad_tcp_packets

# rules for special networks not part of the Internet
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# special rule for DHCP requests from LAN, which are not caught properly otherwise
iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

# rules for incoming packets from the internet
iptables -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# log weird packets that don't match the above
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "Firewall-INPUT died: "

# FORWARD chain ######

# bad TCP packets we don't want
iptables -A FORWARD -p tcp -j bad_tcp_packets

# accept the packets we actually want to forward
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### used by DNAT -------------------
iptables -A FORWARD -i $INET_IFACE -p tcp --dport 1972 -j ACCEPT

# log weird packets that don't match the above.
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "Firewall-FORWARD died: "

# OUTPUT chain ######

# bad TCP packets we don't want
iptables -A OUTPUT -p tcp -j bad_tcp_packets

# special OUTPUT rules to decide which IP's to allow
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
#iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# log weird packets that don't match the above
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "Firewall-OUTPUT died: "

# nat table #######

# static internet ip
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

# or dhcp
#iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

# port redirect
iptables -t nat -A PREROUTING -p tcp --dport 8888 -j REDIRECT --to-ports 80
iptables -t nat -A PREROUTING -p tcp --dport 8889 -j REDIRECT --to-ports 21
iptables -t nat -A PREROUTING -p tcp --dport 8890 -j REDIRECT --to-ports 22

# DNAT -- ????????????
iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 8892 -j DNAT --to-destination $LAN_SERV1:1972

# save the rules
iptables-save > /etc/sysconfig/iptables