Old 12-08-2007, 01:38 AM   #1
jgtg32a
Member
 
Registered: Feb 2005
Posts: 53

Rep: Reputation: 15
IPtables Forward to Lan, and other Q


I may have figured out what my big problem is, but I still want to ask.

Not gonna lie, I didn't write this; I got it from here http://iptables-tutorial.frozentux.n...-tutorial.html. It was the DHCP example, but DHCP made me cry so I just used a static IP.

I got most everything working; I'm having one big problem and a few questions.
                       FIREWALL             Server
##########          ######   ######         ######
#Internet#<-------->#Eth1#<->#Eth0#<------->#Eth0#
##########          ######   ######         ######

This is my basic setup. Currently most everything works, except that anything from the internet doesn't have access to the server. I run Wireshark on all interfaces (2 on the FW and 1 on the server) and watch traffic; connections from the server can go to the web and traffic comes back, happy day. I don't have a web server up on the server, just SSH, not really important though. I can SSH into the server from the server itself, and from the firewall only if I use the server's IP; if I try to SSH into the server from the internet it doesn't work. (It doesn't matter whether, when I say internet, I mean I use the IP of eth1 on the FW or the server does it.)

That's my real problem: Wireshark shows no traffic when I try it from the internet. There are a few other questions inside the code itself. I think I may have figured it out, but I've been doing this all day and I'm going to bed.

-Thank you so much for any help you can provide.


Code:
#!/bin/sh
WAN="eth1" # To internet, DHCP assigned by ISP

# NOTE: LAN_IP is the network address here; the tutorial this came from uses
# LAN_IP for the firewall's own address on the LAN interface (see OUTPUT below).
LAN_IP="192.168.8.0"
LAN_IP_RANGE="192.168.8.0/24" # was /254, which is not a valid prefix length
LAN="eth0" # to my "server", static IP of 192...103 (space before # was missing)

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/sbin/iptables"

echo "1" > /proc/sys/net/ipv4/ip_forward # enable routing between interfaces

# default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


# User chains
#$IPTABLES -N bad_tcp_packets # still trying to fully understand this chain
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets


#$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
# I don't understand this rule; from what I can tell it rejects all TCP packets
# (it only matches packets with both SYN and ACK set that belong to no known
# connection, i.e. a stray SYN/ACK, and answers those with a TCP RST)

#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A allowed -p TCP --syn -j ACCEPT # allow TCP with SYN set
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT # allow current connections
$IPTABLES -A allowed -p TCP -j DROP # drop everything else

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # TCP connections on these ports

# accepts any UDP with source port 53, not only DNS replies; replies to the
# firewall's own queries are already matched by the ESTABLISHED,RELATED rule on INPUT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT  # echo request
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # time exceeded


# SYN flood defence found on the net and added first; seems like the best place to check for SYN flood is up front
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --set
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP


#$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ALL -i $LAN -s $LAN_IP_RANGE -j ACCEPT # anything from the LAN is accepted
$IPTABLES -A INPUT -i $WAN -s $LAN_IP_RANGE -j DROP # ingress filtering: LAN addresses must not arrive on the WAN side
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT # local loopback is trusted

$IPTABLES -A INPUT -p ALL -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT # if already allowed, keep it coming

$IPTABLES -A INPUT -p TCP -i $WAN -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $WAN -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $WAN -j icmp_packets


#$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

$IPTABLES -A FORWARD -i $LAN -j ACCEPT # anything from the LAN is accepted
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # current connections are go
# I think my problem is around here: there isn't a rule that will allow forwarding of connections to my LAN.
# I would assume that I need one.

#$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT # matches only packets sourced from 192.168.8.0, not from the firewall's LAN address
$IPTABLES -A OUTPUT -p ALL -o $WAN -j ACCEPT


$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE

Last edited by jgtg32a; 12-08-2007 at 01:40 AM.
 
Old 12-08-2007, 02:58 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Here is a link to a post on this site from a moderator:
http://www.linuxquestions.org/questi...037#post147037

You might want to go to that link if it is still there. You don't have a forwarding rule for port 22. You need to forward ingress port 22 traffic to the IP address of your server on the LAN. That is your server's IP address, and not just the network address $LAN.

---

Update, the link to the netfilter doc in that post won't work, but if you go to the directory, you can find a number of similar docs:
http://www.netfilter.org/documentation/

Last edited by jschiwal; 12-08-2007 at 03:01 AM.
 
Old 12-08-2007, 02:57 PM   #3
jgtg32a
Member
 
Registered: Feb 2005
Posts: 53

Original Poster
Rep: Reputation: 15
Code:
$IPTABLES -A PREROUTING -t nat -p TCP -d 66.253.186.83 --dport 22 -j DNAT --to 192.168.8.103
$IPTABLES -A FORWARD -p TCP -s 0/0 --dport 22 -j allowed
I found these two on the forums, but neither of them works.
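Added example, not from the thread: the port-forward rules that the script in post #1 is missing and that post #3 tries to add, written as a function that prints them for review (or pipes them to sh when run as root with `apply`). It assumes the thread's values (WAN eth1, LAN eth0, public IP 66.253.186.83, server 192.168.8.103, port 22) and a FORWARD policy of DROP; the third rule covers a LAN host connecting to the public IP, and a test run from the firewall itself never passes through PREROUTING, so it cannot exercise the DNAT rule at all.

```shell
#!/bin/sh
# Added example (not the thread's own script). Values below are assumed from
# the thread; the public IP is DHCP-assigned, so re-run this if it changes.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print the iptables commands for one TCP port forward.
# usage: forward_rules WAN_IP LAN_HOST PORT WAN_IF LAN_IF LAN_NET
forward_rules() {
    wan_ip=$1; host=$2; port=$3; wan=$4; lan=$5; lan_net=$6
    # 1. DNAT in PREROUTING: rewrite the destination before the routing
    #    decision, so the packet is routed to the LAN host instead of being
    #    handled by the firewall's own INPUT chain.
    echo "$IPTABLES -t nat -A PREROUTING -p tcp -d $wan_ip --dport $port -j DNAT --to-destination $host:$port"
    # 2. FORWARD: policy is DROP, so the DNATed packet must be accepted
    #    explicitly. Match the post-DNAT destination and restrict new
    #    connections to those entering on the WAN side and leaving on the LAN.
    echo "$IPTABLES -A FORWARD -i $wan -o $lan -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT"
    # 3. Hairpin: a LAN client that connects to the public IP is DNATed by
    #    rule 1 too, but the server would answer it directly on the LAN and
    #    the handshake fails. Masquerade those packets so replies return via
    #    the firewall. (FORWARD -i eth0 -j ACCEPT from post #1 already allows
    #    the LAN-to-LAN forward itself.)
    echo "$IPTABLES -t nat -A POSTROUTING -o $lan -s $lan_net -p tcp -d $host --dport $port -j MASQUERADE"
}

# Number of rules one forward needs (used by the checks below).
rule_count() { forward_rules "$@" | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then
    forward_rules 66.253.186.83 192.168.8.103 22 eth1 eth0 192.168.8.0/24 | sh
else
    forward_rules 66.253.186.83 192.168.8.103 22 eth1 eth0 192.168.8.0/24
fi
```

Verify afterwards with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` from a client outside the LAN; packet counters that stay at zero on the DNAT rule mean the traffic never reached eth1.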