IpTables DNATing
Hello all,
So I've been trying to get a few iptables DNAT rules to work. No success. I have a firewall with 2 NICs. eth0 is the outside IP, eth1 is inside with a DHCP server running on it. I want all HTTP requests that go to the outside IP of the firewall to redirect to a machine that is inside my firewall (192.168.10.35), which is running Apache. I tried doing the following:

iptables -A INPUT -p TCP --dport 80 -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.10.35:80

but that made it so that all traffic that goes to port 80 from inside the firewall goes to 192.168.10.35:80. So going to Google goes to the box inside the firewall. I don't understand why. :scratch: Any help that anyone can provide would be most appreciated. Here is my firewall script:

################################################################################
#!/bin/sh

echo "0" > /proc/sys/net/ipv4/ip_forward

#-----------------------------------------------------------------
# Flushing the chains.
iptables -F
iptables -t nat -F
iptables -X
iptables -Z # zero all counters

#-----------------------------------------------------------------
# Policy for chains DROP everything
# Note: Turning this on, causes: "ping: sendto: operation not permitted" bug
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow local device traffic
iptables -A OUTPUT -p ALL -o lo -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -j DROP

#SSH Forward
iptables -A INPUT -p TCP --dport 22 -i eth0 -j REJECT
iptables -A INPUT -p TCP --dport 314 -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP --dport 314 -j DNAT --to 192.168.10.244:22

#HTTP Forward
iptables -A INPUT -p TCP --dport 80 -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.10.35:80

# NAT Stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Accept anything from the inside. (needed for DHCP)
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# Forward Packets (needed to ping outside networks)
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

# Some Logging
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# We would like to ask for names from our box
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# And, some attempt to get interactive sessions a bit more interactive under load:
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

# Keep state.
iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP

#-----------------------------------------------------------------
echo 7 > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
################################################################################

Thanks,
-LostAgain
Hello LostAgain,
# NAT Stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

You only want to do MASQUERADE on the internet side (eth0). Get rid of the eth1. This one took me a while to notice ;)

The DNAT to another host is going to pass through the FORWARD chain, not INPUT. Also, you seem to be using append (-A), but you should be doing an insert (-I). So:

iptables -A INPUT -p TCP --dport 80 -i eth0 -j ACCEPT

should be

iptables -I FORWARD -p TCP --dport 80 -i eth0 -j ACCEPT

Take a look at the output from iptables -L and remember that this is the order of execution. Once a packet is dropped, it can't be accepted later :)

Good Luck,
chris
try this rule pls,
iptables -t nat -A OUTPUT --proto tcp --dport 80 -j DNAT --to-destination 192.168.10.35:80
Nope,
still having problems. It just doesn't want to work. Is the order of my rules correct? Where should I be putting DNAT rules, before or after the MASQUERADE stuff?

-LostAgain
Post the output of "iptables -L -t nat" and "iptables -L"
Did you remove "iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE"? Order of rules is important inside the chain (FORWARD, OUTPUT, INPUT, etc.)
I did remove "iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE", but when I did that ssh wasn't being forwarded anymore. So I put it back in. Very confusing. The following is the output of iptables -L and iptables -L -t nat:

#################################################################
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:314
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID,NEW

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '
ACCEPT     all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:314 redir ports 22
DNAT       tcp  --  anywhere             anywhere             tcp dpt:314 to:192.168.10.244:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
#################################################################

And here is the script that made those rules:

#################################################################
#!/bin/sh

#-----------------------------------------------------------------
echo "0" > /proc/sys/net/ipv4/ip_forward

#-----------------------------------------------------------------
# Flushing the chains.
iptables -F
iptables -t nat -F
iptables -X
iptables -Z # zero all counters

#-----------------------------------------------------------------
# Policy for chains DROP everything
# Note: Turning this on, causes: "ping: sendto: operation not permitted" bug
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow local device traffic
iptables -A OUTPUT -p ALL -o lo -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -j DROP

#SSH Forward
iptables -A INPUT -p TCP --dport 22 -i eth0 -j REJECT
iptables -A INPUT -p TCP --dport 314 -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 314 -j REDIRECT --to-port 22
iptables -t nat -A PREROUTING -p TCP --dport 314 -j DNAT --to 192.168.10.244:22

#HTTP Forward
#iptables -I FORWARD -p TCP --dport 80 -i eth0 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.10.35:80
#iptables -t nat -A OUTPUT --proto tcp --dport 80 -j DNAT --to-destination 192.168.10.35:80

# NAT Stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Accept anything from the inside. (needed for DHCP)
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# Forward Packets (needed to ping outside networks)
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

# Some Logging
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# We would like to ask for names from our box
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# And, some attempt to get interactive sessions a bit more interactive under load:
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

# Keep state.
iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP

#-----------------------------------------------------------------
echo 7 > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#################################################################

-LostAgain
Remove the eth1 MASQUERADE. It's just plain wrong. Packets coming from the internet to the internal machines are made to look like they are coming from the gateway (local) machine.
The reason the REDIRECT (you are moving ssh from port 22 to 314 on the local machine) isn't working is that you are doing a DROP on eth0 INPUT ("iptables -A INPUT -p ALL -i eth0 -j DROP"). Since your ssh rule is "appended" after the DROP rule, it is never seen. The fix would be to leave off that rule and let it be caught by the chain's policy. Or you can use -I to insert the ssh/http rules instead of -A, which puts them at the bottom.

This is a decent map of how the packets traverse the tables/chains: http://iptables-tutorial.frozentux.n...VERSINGGENERAL and scroll down a little bit.

If you are still having problems, I can post back with a modified script, but that would take the fun out of it, eh? (and I might not get to it today)

Hope this helps,
chris
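The points made above (DNAT in nat/PREROUTING, ACCEPT in FORWARD rather than INPUT, no ACCEPT appended behind a DROP-all rule, MASQUERADE on the internet side only) put together in one minimal port-forward script. This is an added example, not a script from anyone in this thread; it reuses the thread's interfaces and inside hosts, and FW_IP is a placeholder address you would replace with the firewall's real outside IP.

```shell
#!/bin/sh
# Added example (not from this thread): minimal DNAT port-forward for a
# two-NIC firewall. eth0 = internet, eth1 = LAN, web server 192.168.10.35:80,
# ssh server 192.168.10.244:22 reached through outside port 314.
# FW_IP is a placeholder (TEST-NET-3). Set IPT=echo to dry-run and read the
# generated rules in order without touching the kernel.
IPT="${IPT:-iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
FW_IP="${FW_IP:-203.0.113.10}"
LAN_NET="192.168.10.0/24"

# forward_port OUTSIDE_PORT INSIDE_IP INSIDE_PORT
# A DNAT needs two rules: the translation in nat/PREROUTING, and an ACCEPT in
# FORWARD for the translated packet (a forwarded packet never visits INPUT).
# Both match only the internet interface and the firewall's own address, so a
# LAN client talking to some other host on that port is not caught.
forward_port() {
    $IPT -t nat -A PREROUTING -i "$INET_IFACE" -d "$FW_IP" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$2" -p tcp --dport "$3" \
        -m state --state NEW -j ACCEPT
}

fw_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    # OUTPUT stays ACCEPT: a DROP policy there is what produces the
    # "ping: sendto: operation not permitted" noted in the thread's script.
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IFACE" -j ACCEPT     # LAN may reach the firewall (DHCP, DNS)
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rules are matched top to bottom and the first match wins, so an ACCEPT
    # appended after a DROP-everything rule is never reached. No blanket DROP
    # is added here; the FORWARD policy handles whatever is not accepted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -s "$LAN_NET" -j DROP   # LAN source arriving from outside
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT

    forward_port 80  192.168.10.35  80
    forward_port 314 192.168.10.244 22

    # MASQUERADE on the internet side only. Masquerading on eth1 would rewrite
    # the source of every forwarded packet to the firewall's LAN address, so
    # the internal servers would see all connections as coming from the gateway.
    $IPT -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
}

# Run with "apply" to load the rules; with no argument only the functions are
# defined, so the file can be sourced for a dry run (IPT=echo fw_rules).
if [ "${1:-}" = apply ]; then
    fw_rules
fi
```

Testing the forward from a LAN host by the outside address will not work with these rules: the `-i eth0` match leaves that packet untranslated, and hairpin NAT also needs a POSTROUTING SNAT so the server's replies come back through the firewall instead of going straight to the client. Check what a test connection actually hit with `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v`; the packet counters on each rule tell you which one matched.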
No luck,
I removed the eth1 MASQUERADE thing, and removed "iptables -A INPUT -p ALL -i eth0 -j DROP". Now my rule looks like this:

iptables -I FORWARD -p TCP --dport 80 -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $FW_IP --dport 80 -i eth0 -j DNAT --to 192.168.10.35:80

Still not working. I would like to see your modified version of this script. I'm still new to iptables, and don't quite understand it all. In the meantime, I'll keep working at it...

-LostAgain
Ok,
here is my new firewall script. But I still can't get DNAT to function correctly. What am I doing wrong? Even my ssh forwarding doesn't work. I don't understand, I've done this before, almost exactly the same way, and it worked then. But now, *shrug*. Any ideas?

FireWall.sh Script

#############################################################################################################################
#!/bin/sh

# Rules not set, we should disable forwarding in the kernel.
echo "0" > /proc/sys/net/ipv4/ip_forward

# Flushing the chains.
iptables -F
iptables -t nat -F
iptables -X
iptables -Z # zero all counters

#-----------------------------------------------------------------
# Policy for chains DROP everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#-----------------------------------------------------------------
## Allow local device traffic
iptables -A OUTPUT -p ALL -o lo -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
iptables -A OUTPUT -p ALL -o eth1 -j ACCEPT

# Accept anything from the inside. (needed for DHCP)
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# Forward Packets (needed to ping outside networks)
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

#-----------------------------------------------------------------
# Ping and friends.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT -p icmp -j ACCEPT

#-----------------------------------------------------------------
# Good old masquerading. NAT Stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#
# Forwarding outside ports to an internal server.
# SSH:
iptables -A PREROUTING -t nat -p tcp -d ${FIREWALL_IP} --dport 314 -j DNAT --to 192.168.10.244:22
iptables -A FORWARD -p tcp -d 192.168.10.244 --dport 22 -o eth1 -j ACCEPT
# Web:
iptables -A PREROUTING -t nat -p tcp -d ${FIREWALL_IP} --dport 80 -j DNAT --to 192.168.10.35:80
iptables -A FORWARD -p tcp -d 192.168.10.35 --dport 80 -o eth1 -j ACCEPT

#-----------------------------------------------------------------
# Keep state.
iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP

#-----------------------------------------------------------------
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#-----------------------------------------------------------------
# And, some attempt to get interactive sessions a bit more interactive under load:
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

# Some Logging
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# We would like to ask for names from our box
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#-----------------------------------------------------------------
# This enables dynamic IP address following
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Enabling TCP SynCookies"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#############################################################################################################################

iptables -L and iptables -L -t nat Output:

#############################################################################################################################
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             192.168.10.244       tcp dpt:ssh
ACCEPT     tcp  --  anywhere             192.168.10.35        tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID,NEW
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '
ACCEPT     all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             XXX.XXX.XXX.XXX      tcp dpt:314 to:192.168.10.244:22
DNAT       tcp  --  anywhere             XXX.XXX.XXX.XXX      tcp dpt:http to:192.168.10.35:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
#############################################################################################################################

-LostAgain :confused:
All right,
Now I am getting annoyed. Here is my simple firewall script that I am using just to test if DNAT is even working... And still it does not. What am I doing wrong? From everything I have read, my script below should work. Yet it does not. Anyone know why?

#######################################################################################################
#!/bin/sh
# IPTables FireWall Setup

#Grabbing the configs.
. /etc/brunowall/functions.sh
. /etc/brunowall/config

###############################################################################
### Variables
###############################################################################
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IP="192.168.10.1"
LAN_NET="192.168.10.0/24"
LO_IFACE="lo"
LO_IP="127.0.0.1"
FW_IP="xxx.xxx.xxx.xxx"

###############################################################################
### Kernel Parameters
###############################################################################
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

###############################################################################
### Flush Chains and Set Policies
###############################################################################
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -X -t nat
iptables -X -t mangle
iptables -Z #Zero all counters

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

###############################################################################
### MINE
###############################################################################
## Allow local device traffic
iptables -A OUTPUT -p ALL -o lo -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
iptables -A OUTPUT -p ALL -o eth1 -j ACCEPT

# Accept anything from the inside. (needed for DHCP)
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# Forward Packets (needed to ping outside networks)
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

#-----------------------------------------------------------------
# Ping and friends.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT -p icmp -j ACCEPT

iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 80 -j DNAT --to-dest 192.168.10.35:80
iptables -t nat -A PREROUTING -j ACCEPT

iptables -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $INET_IFACE -s $LAN_NET -j DROP
iptables -A FORWARD -i $INET_IFACE -o $INET_IFACE -j DROP
iptables -A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT
iptables -A FORWARD -j DROP

iptables -t nat -A POSTROUTING -p ALL -o $INET_IFACE -j MASQUERADE
iptables -t nat -A POSTROUTING -j ACCEPT

#-----------------------------------------------------------------
# This enables dynamic IP address following
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Enabling TCP SynCookies"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "Firewall Init: Done"
#######################################################################################################

-LostAgain
Yes,
I did try the script you made for me. Unfortunately, it did not work. I used your exact script, but still had the same results. I was attempting to write a minimal firewall script to do one simple DNAT. But I guess I got it wrong. Hehe, that's what you get for playing with things you don't understand well. I will try your script again and see if that works. I probably goofed the last time I ran it.

As for the /etc/brunowall/functions and config stuff, you can ignore that. They don't do anything relevant to the firewall. Just configuration files and functions....

-LostAgain
No dice :scratch:
I tried the script you made for me word for word. Except that I changed

$IPT -A PREROUTING -p TCP -i $INET_IFACE --dport 314 -j DNAT --to-destination 192.168.10.244:22
$IPT -A PREROUTING -p TCP -i $INET_IFACE --dport 80 -j DNAT --to-destination 192.168.10.35:80

to

$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 314 -j DNAT --to-destination 192.168.10.244:22
$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 80 -j DNAT --to-destination 192.168.10.35:80

And still DNAT does not appear to work. This is very unusual since I've had it working before. I thought that my version of iptables was bad, so I upgraded, but still I am getting the same results. I don't understand. :mad:

-LostAgain