LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 08-12-2005, 01:16 PM   #1
Alien#007
LQ Newbie
 
Registered: Apr 2004
Location: Slovenia
Distribution: Debian sid, Ubuntu 4.10
Posts: 27

Rep: Reputation: 15
iptables configuration help


I configured iptables with quicktables script which gave me next output:

#!/bin/sh
#
#
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"

if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi

$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth0 -j ACCEPT
$iptables -A INPUT -i eth0 -j ACCEPT
$iptables -A OUTPUT -o eth0 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o ppp0 -j MASQUERADE

$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

$iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

$iptables -I INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
$iptables -I INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i ppp0 -s 10.0.0.0/8 -j DROP
$iptables -I FORWARD -i ppp0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i ppp0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i ppp0 -s 127.0.0.0/8 -j DROP

$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i ppp0 -j ACCEPT

$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

#porti za amule
$iptables -A FORWARD -i ppp0 -p tcp --dport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to-destination 192.168.2.2:4662
$iptables -A FORWARD -i ppp0 -p udp --dport 4672 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4672 -j DNAT --to-destination 192.168.2.2:4672
#sestrina emule
$iptables -A FORWARD -i ppp0 -p tcp --dport 7000 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 7000 -j DNAT --to-destination 192.168.2.3:7000
$iptables -A FORWARD -i ppp0 -p udp --dport 7000 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 7000 -j DNAT --to-destination 192.168.2.3:7000
#porti za bittorrent
$iptables -A FORWARD -i ppp0 -p tcp --dport 6881:6950 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 6881:6950 -j DNAT --to-destination 192.168.2.2:6881:6950
#porti za web server
$iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.4:80

$iptables -A INPUT -i ppp0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i ppp0 -p udp --dport 0:65535 -j DROP

#tukaj so blokirani ip naslovi od useh sumljivih ljudi
iptables -I INPUT -s 193.77.19.93 -j DROP
iptables -I INPUT -s 64.240.232.95 -j DROP
I am using this machine as router/firewall.
Like you can see i forwarded port 80 on my web server which is behind NAT. Port forwarding is working for other users, bot not for me(i am behind NAT too). If i try to connect to http://my.external.address i get the massage that connection is refused, but if i connect to http://192.168.2.4 i can connect. Does anyone know how could i set my iptables script so it will allow machines behind NAT to connect to the web server trough external ip.
 
Old 08-12-2005, 01:32 PM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
For reasons deep within the intricacies of the TCP protocol, this is not possible without using your firewall as a proxy.

Basically, your computer opens the connection to your firewall, which forwards the packet to the webserver. The webserver then responds to the local IP of your desktop... but the desktop sees the incoming packet NOT coming from the firewall and resets the connection.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables configuration props666999 Linux - Security 3 08-28-2005 02:32 PM
IPTables Configuration shaileshjain Linux - Networking 2 04-07-2005 12:16 AM
iptables configuration tungaw2001 Linux - Networking 2 04-15-2004 03:01 PM
Iptables configuration Salihou Linux - Networking 2 09-24-2003 02:26 PM
iptables configuration know Linux - Networking 2 05-25-2003 04:55 PM


All times are GMT -5. The time now is 01:38 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration