LinuxQuestions.org
01-16-2004, 09:52 AM   #1
leandrok (LQ Newbie, Registered: Oct 2003, Posts: 1)
iptables - change port and forward to an internal server


Hi all,

I have one firewall Red Hat 9 Linux box with 2 NICs: eth0 connected to the internet and eth1 to the LAN (192.168.0.x).

The LAN can access the internet OK and the internet can access the FTP and web server on the firewall box by redirecting ports OK.

The problem is:
One database server is running on an internal server (192.168.0.2) using TCP port 1972. I am trying to redirect connections from the internet using port 8892 to this internal database server running on 192.168.0.2 and port 1972.

What is wrong in the script below?

PS: If I do not change the port (only redirect the address in the DNAT) it works.

Thanks.


### Script - firewall

# internet configuration
INET_IFACE="eth0"
#INET_IP="xxx.xxx.xxx.xxx"

# lan configuration
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
LAN_IFACE="eth1"
LAN_SERV1="192.168.0.2" # internal server

# localhost configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"

# clear
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# set policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# bad_tcp_packets chain
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
#iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
#--log-prefix "Firewall-New not syn: "
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

# tcp rules
iptables -N tcp_packets
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

# udp rules
iptables -N udp_packets
iptables -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

# icmp rules
iptables -N icmp_packets
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -m limit --limit 1/S -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# INPUT chain #########

# bad TCP packets we don't want
iptables -A INPUT -p tcp -j bad_tcp_packets

# rules for special networks not part of the Internet
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# special rule for DHCP requests from LAN, which are not caught properly otherwise
iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

# rules for incoming packets from the internet
iptables -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# log weird packets that don't match the above
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "Firewall-INPUT died: "


# FORWARD chain ######

# bad TCP packets we don't want
iptables -A FORWARD -p tcp -j bad_tcp_packets

# accept the packets we actually want to forward
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### used by DNAT -------------------
iptables -A FORWARD -i $INET_IFACE -p tcp --dport 1972 -j ACCEPT

# log weird packets that don't match the above.
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "Firewall-FORWARD died: "


# OUTPUT chain ######

# bad TCP packets we don't want
iptables -A OUTPUT -p tcp -j bad_tcp_packets

# special OUTPUT rules to decide which IP's to allow
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
#iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# log weird packets that don't match the above
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "Firewall-OUTPUT died: "


# nat table #######

# static internet ip
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

# or dhcp
#iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

# port redirect
iptables -t nat -A PREROUTING -p tcp --dport 8888 -j REDIRECT --to-ports 80
iptables -t nat -A PREROUTING -p tcp --dport 8889 -j REDIRECT --to-ports 21
iptables -t nat -A PREROUTING -p tcp --dport 8890 -j REDIRECT --to-ports 22

# DNAT -- ????????????
iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 8892 -j DNAT --to-destination $LAN_SERV1:1972

# save the rules
iptables-save > /etc/sysconfig/iptables
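To check what the FORWARD chain is actually matching in this setup, here is an added Python model of the packet path (nat PREROUTING, routing decision, filter FORWARD) built from the rules in the post; it is not code from the post, and the firewall's public address and the client address are constructed placeholders. It shows that FORWARD is evaluated against the already-translated header, so the accept rule has to name the post-DNAT port 1972 and not the public port 8892.

```python
from dataclasses import dataclass, replace

LAN_SERV1 = "192.168.0.2"           # internal database server, from the post
FIREWALL_PUBLIC = "203.0.113.10"    # constructed placeholder for the firewall's INET_IP


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int


def nat_prerouting(pkt: Packet) -> Packet:
    """Post's rule: -i eth0 -p tcp --dport 8892 -j DNAT --to-destination 192.168.0.2:1972.
    nat PREROUTING runs before the routing decision and before any filter chain."""
    if pkt.in_iface == "eth0" and pkt.proto == "tcp" and pkt.dport == 8892:
        return replace(pkt, dst=LAN_SERV1, dport=1972)
    return pkt


def routing_decision(pkt: Packet) -> str:
    """Local destination -> INPUT chain; anything else -> FORWARD chain."""
    return "INPUT" if pkt.dst == FIREWALL_PUBLIC else "FORWARD"


def filter_forward(pkt: Packet) -> str:
    """Post's FORWARD chain for a NEW connection (policy DROP); it sees the translated header."""
    if pkt.in_iface == "eth1":
        return "ACCEPT"
    if pkt.in_iface == "eth0" and pkt.proto == "tcp" and pkt.dport == 1972:
        return "ACCEPT"
    return "DROP"


def filter_forward_public_port(pkt: Packet) -> str:
    """Hypothetical variant that matches --dport 8892 instead: it never fires,
    because the DNAT has already rewritten the port by the time FORWARD runs."""
    if pkt.in_iface == "eth0" and pkt.proto == "tcp" and pkt.dport == 8892:
        return "ACCEPT"
    return "DROP"


def trace(pkt: Packet):
    """Return (packet as the filter table sees it, chain it lands in, FORWARD verdict or None)."""
    translated = nat_prerouting(pkt)
    chain = routing_decision(translated)
    verdict = filter_forward(translated) if chain == "FORWARD" else None
    return translated, chain, verdict


if __name__ == "__main__":
    syn = Packet("eth0", "tcp", "198.51.100.7", FIREWALL_PUBLIC, 8892)  # constructed client SYN
    print(trace(syn))
```

A tighter accept rule would also match `-d $LAN_SERV1`, so that only traffic the DNAT actually rewrote is forwarded rather than anything arriving on eth0 for port 1972.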