I have used this tutorial (http://www.howtoforge.com/home-gatew...haring-centos5) to setup ip masquerading and dhcp server and i have looked at a few other tutorials to try and figure out how i can forward ports from eth0 to eth1 to ip address 192.168.0.254 , what i have tried so far is iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.254 and still doesnt work using http://www.utorrent.com/testport.php?port=80 any ideas?
Thanks

You need a rules in the forward chain allowing the forwarded traffic to pass through and your kernel should be configured for packet forwarding.

Thanks for the post back unfortuantly i didnt understand a word of it could you go into more depth please or point me some where that might help ?
Thanks again!

Hi there.
I made a iptables file and in that I put all the rules and stuff I need. What datopdog is talking about in the kernel passing through traffic is that in /etc/sysctl.conf (at least in Fedora) there is a line like this:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
If your line ends with a 0 you can't get any traffic through.
Hope this will be some help.

The internet connection sharing works fine now thanks to that tutorial but my problem is now my computers are completely unprotected because i dont how to do the firewall rules i have tried a few examples out there and they block traffic but then i cant forward any ports , any ideas ?
thanks

Hi there.
I'll post a script here. This is what I use. I name it something like rc.myscript.iptables and save it in /etc/rc.d

#!/bin/bash

####################
# Here we create names and connect it to interfaces and subnets
# then we don't have to change IP here and there, just all in one place
# Because of that we can use this as a template, only one place to change.

LAN1="eth1"
#LAN2="eth2"
#LAN3="eth3"
WAN="eth0"
VPN1="ipsec0"
LAN_SUB1="192.168.1.0/24"
#LAN_SUB2="192.168.2.0/24"
#LAN_SUB3="192.168.3.0/24"
VPN_SUB1="192.168.10.0/24"
WANIP1="xxx.xxx.xxx.xxx"
#WANIP2=

####################
# What is left:
# * Reject everything, not just tcp connections
# *

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_nat_irc

iptables -Z # Reset counters

iptables -t filter -F # clear filter table
iptables -t filter -X

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP

iptables -t nat -F # clear nat table
iptables -t nat -X

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

####################
# Packet spoofing protection
iptables -t filter -N EVILNETS
iptables -t filter -A EVILNETS -s 192.168.0.0/16 -j REJECT
iptables -t filter -A EVILNETS -s 10.0.0.0/8 -j REJECT
iptables -t filter -A EVILNETS -s 172.16.0.0/20 -j REJECT

# Kill "standard-evil" stuff
iptables -t filter -N STDEVILSTUFF
iptables -t filter -A STDEVILSTUFF -p igmp -j REJECT
iptables -t filter -A STDEVILSTUFF -p icmp --icmp-type 13 -j DROP

# Speed bumps
iptables -t filter -N SPEEDBUMPS

####################
# Apply the evilnetstuff and standard evil stuff to out interfaces
iptables -t filter -N OUT_INTERFACES
iptables -t filter -A OUT_INTERFACES -i $WAN -j EVILNETS # Spoofing protection
iptables -t filter -A OUT_INTERFACES -i $WAN -j STDEVILSTUFF # Kill evil crap

####################
# Not all Mac Adresses are allowed to travel through eth2
# This will allow us to limit traffic to specific MAC addresses
# The formatid needs to be xx:xx:xx:xx:xx:xx for this to work.
# Then you have to uncomment the lines

#iptables -t filter -N MAC_FILTER

#iptables -t filter -A MAC_FILTER -i $LAN2 --match mac --mac-source 00:00:00:00:00:00 -j ACCEPT

# OK HiJacker! HiJack This!
#iptables -t filter -A MAC_FILTER -i $LAN2 -j DROP


####################
# Forwards
# Here we say which traffic is allowed between interfaces
iptables -t filter -N FORWARDS

# LAN1
iptables -t filter -A FORWARDS -s $LAN_SUB1 -i $LAN1 -o $WAN -j ACCEPT
iptables -t filter -A FORWARDS -d $LAN_SUB1 -i $WAN -o $LAN1 -j ACCEPT
iptables -t filter -A OUTPUT -s $LAN_SUB1 -o $WAN -j ACCEPT

# LAN2
#iptables -t filter -A FORWARDS -s $LAN_SUB2 -i $LAN2 -o $WAN -j ACCEPT
#iptables -t filter -A FORWARDS -d $LAN_SUB2 -i $WAN -o $LAN2 -j ACCEPT
#iptables -t filter -A OUTPUT -s $LAN_SUB2 -o $WAN -j ACCEPT


####################
# Portforward
# Here is a portforward example
# For this to work you have to uncomment the lines

#iptables -t nat -N DNATS

#iptables -t nat -A DNATS -s xxx -d xxx -p tcp -m tcp --dport xx -j DNAT --to xxx

####################
# Protection for local machine applied.
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -j OUT_INTERFACES # Kill evil packets
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 161 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 3389 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 3390 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 1149 -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 500 -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 3390 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 9000 -j ACCEPT # radius-db
iptables -t filter -A INPUT -p tcp --syn -j REJECT # Reject incoming connections

####################
# DNAT, MASQ and FORWARDS
# Toflur virkjadar
iptables -t filter -A FORWARD -j SPEEDBUMPS
#iptables -t filter -A FORWARD -j MAC_FILTER
iptables -t filter -A FORWARD -j FORWARDS

#iptables -t nat -A PREROUTING -j DNATS # portforwards

iptables -t nat -A POSTROUTING -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_SUB1 -j SNAT --to $WANIP1
#iptables -t nat -A POSTROUTING -o $WAN -s $LAN_SUB2 -j SNAT --to $WANIP1
iptables -t nat -A POSTROUTING -o $WAN -j ACCEPT


####################

Then you have to edit /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/etc/rc.d/rc.myscript


And make a file under /etc/rc.d called rc.myscript
#!/bin/bash

# This file is used to run things that is hard to run from kernel or
# won't start at all

echo "Sleeping for 10 seconds to lets things settle."
echo "I can be disabled from /etc/rc.myscript, but do it only temporarly!"

sleep 10

INITTY=/dev/tty[1-8]
for tty in $INITTY ; do
setleds -D +num < $tty
done

echo "Did you see the flashing light on your keyboard? :-)"

# GRR. Damn DMA!
#hdparm -d 0 /dev/hdc

/etc/rc.d/rc.myscript.iptables


Then you restart iptables: service iptables restart
To check if it works you do service iptables status and if you see something about evilnets then everything is rocking. If not you might have to run it manually lik bash rc.myscript.iptables

I hope this will help you.

wow cant thank you enough!!! i ran service iptables status amd this is what it said
service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
2 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:21
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
16 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

does that look ok to you ? havnt tried forwarding yet but will try it now
once again thanks so much !

Hi there.
It looks to me like it's ipchains. I'm not good at ipchains. But, if you use what I posted I'm pretty sure it will work. What distro are you using? I'm using Fedora 6 and 7 and this works on Fedora, not sure if things are stored in different places in other distros.

yea i followed what you did to the word? has it not worked? i am using centos 5 btw, once again so thankfull for your help

Ok i did all that but didnt run bash rc.myscript.iptables,then i ran this everything went rong the forwarding stoped working. just to clarify i am using iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE, and echo 1 > /proc/sys/net/ipv4/ip_forward to get the forwarding working aswell as DHCP server for my other computers,, dont no if that makes any difference,Here are the files i created. did i miss anything stupidly simple ?

This is /etc/rc.d/rc.myscript.iptables
#!/bin/bash

####################
# Here we create names and connect it to interfaces and subnets
# then we don't have to change IP here and there, just all in one place
# Because of that we can use this as a template, only one place to change.

LAN1="eth1"
#LAN2="eth2"
#LAN3="eth3"
WAN="eth0"
VPN1="ipsec0"
LAN_SUB1="192.168.1.0/24"
#LAN_SUB2="192.168.2.0/24"
#LAN_SUB3="192.168.3.0/24"
VPN_SUB1="192.168.10.0/24"
WANIP1="mywanip"
#WANIP2=

####################
# What is left:
# * Reject everything, not just tcp connections
# *

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_nat_irc

iptables -Z # Reset counters

iptables -t filter -F # clear filter table
iptables -t filter -X

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP

iptables -t nat -F # clear nat table
iptables -t nat -X

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

####################
# Packet spoofing protection
iptables -t filter -N EVILNETS
iptables -t filter -A EVILNETS -s 192.168.0.0/16 -j REJECT
iptables -t filter -A EVILNETS -s 10.0.0.0/8 -j REJECT
iptables -t filter -A EVILNETS -s 172.16.0.0/20 -j REJECT

# Kill "standard-evil" stuff
iptables -t filter -N STDEVILSTUFF
iptables -t filter -A STDEVILSTUFF -p igmp -j REJECT
iptables -t filter -A STDEVILSTUFF -p icmp --icmp-type 13 -j DROP

# Speed bumps
iptables -t filter -N SPEEDBUMPS

####################
# Apply the evilnetstuff and standard evil stuff to out interfaces
iptables -t filter -N OUT_INTERFACES
iptables -t filter -A OUT_INTERFACES -i $WAN -j EVILNETS # Spoofing protection
iptables -t filter -A OUT_INTERFACES -i $WAN -j STDEVILSTUFF # Kill evil crap

####################
# Not all Mac Adresses are allowed to travel through eth2
# This will allow us to limit traffic to specific MAC addresses
# The formatid needs to be xx:xx:xx:xx:xx:xx for this to work.
# Then you have to uncomment the lines

#iptables -t filter -N MAC_FILTER

#iptables -t filter -A MAC_FILTER -i $LAN2 --match mac --mac-source 00:00:00:00:00:00 -j ACCEPT

# OK HiJacker! HiJack This!
#iptables -t filter -A MAC_FILTER -i $LAN2 -j DROP


####################
# Forwards
# Here we say which traffic is allowed between interfaces
iptables -t filter -N FORWARDS

# LAN1
iptables -t filter -A FORWARDS -s $LAN_SUB1 -i $LAN1 -o $WAN -j ACCEPT
iptables -t filter -A FORWARDS -d $LAN_SUB1 -i $WAN -o $LAN1 -j ACCEPT
iptables -t filter -A OUTPUT -s $LAN_SUB1 -o $WAN -j ACCEPT

# LAN2
#iptables -t filter -A FORWARDS -s $LAN_SUB2 -i $LAN2 -o $WAN -j ACCEPT
#iptables -t filter -A FORWARDS -d $LAN_SUB2 -i $WAN -o $LAN2 -j ACCEPT
#iptables -t filter -A OUTPUT -s $LAN_SUB2 -o $WAN -j ACCEPT


####################
# Portforward
# Here is a portforward example
# For this to work you have to uncomment the lines

#iptables -t nat -N DNATS

#iptables -t nat -A DNATS -s xxx -d xxx -p tcp -m tcp --dport xx -j DNAT --to xxx

####################
# Protection for local machine applied.
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -j OUT_INTERFACES # Kill evil packets
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 161 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 3389 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 3390 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 1149 -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 500 -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 3390 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 9000 -j ACCEPT # radius-db
iptables -t filter -A INPUT -p tcp --syn -j REJECT # Reject incoming connections

####################
# DNAT, MASQ and FORWARDS
# Toflur virkjadar
iptables -t filter -A FORWARD -j SPEEDBUMPS
#iptables -t filter -A FORWARD -j MAC_FILTER
iptables -t filter -A FORWARD -j FORWARDS

#iptables -t nat -A PREROUTING -j DNATS # portforwards

iptables -t nat -A POSTROUTING -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_SUB1 -j SNAT --to $WANIP1
#iptables -t nat -A POSTROUTING -o $WAN -s $LAN_SUB2 -j SNAT --to $WANIP1
iptables -t nat -A POSTROUTING -o $WAN -j ACCEPT

and then edited rc.local to say this

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/etc/rc.d/rc.myscript

Then made this file called rc.myscript
#!/bin/bash

# This file is used to run things that is hard to run from kernel or
# won't start at all

echo "Sleeping for 10 seconds to lets things settle."
echo "I can be disabled from /etc/rc.myscript, but do it only temporarly!"

sleep 10

INITTY=/dev/tty[1-8]
for tty in $INITTY ; do
setleds -D +num < $tty
done

echo "Did you see the flashing light on your keyboard? :-)"

# GRR. Damn DMA!
#hdparm -d 0 /dev/hdc

/etc/rc.d/rc.myscript.iptables

Hi there.
Few things I saw I should have comment out.
VPN1 and VPN_SUB1, I don't think you'll need that. I suppose that instead of WANIP1="mywanip" you use original IP?
Do you get any errors while trying to run the script? I may have forgot to mention that all files are under /etc/rc.d except rc.local is under /etc and /etc/rc.d.
How may network cards are in your firewall? For this to work you'll need (at least) 2 network cards, 1 for internet and 1 for your intranet (home network).
LAN1="eth1" - You will do it like that if your home network connects to interface eth1
WAN="eth0" - This will work if your internet connection is connected to interface eth0
LAN_SUB1="192.168.1.0/24" - Is this your subnet? If not you'll have to change it here.

This here is supposed to be in one line:
#iptables -t filter -A MAC_FILTER -i $LAN2 --match mac --mac-source 00:00:00:00:00:00 -j ACCEPT
If not you will get some errors.
If you use other interfaces or if your interface doesn't have the same name like here then you'll have to change the names here so it'll match your interface.

You talked about portforwarding.

# Portforward
# Here is a portforward example
# For this to work you have to uncomment the lines

iptables -t nat -N DNATS

iptables -t nat -A DNATS -d $WANIP1 -p tcp -m tcp --dport 89 -j DNAT --to 192.168.0.254

Then you have to uncomment this line:
#iptables -t nat -A PREROUTING -j DNATS # portforwards
so it will be like this:
iptables -t nat -A PREROUTING -j DNATS # portforwards

I hope this will help you.

when i run bash rc.myscript it comes up with this error?
rc.myscript: line 21: /etc/rc.d/rc.myscript.iptables: Permission denied so i just ran rc.myscript.iptables which ran fine checked for error messages in var/logs/messages
My other computer is connected and can ping the linux router box but cannot ping the outside world
any ideas?

UPDATE
Other computers can now connect to internet, acheived this by clear all the old rules within iptables tried using flush but didnt work, so used webmin , although port forwarding still isnt workingi uncommented these lines to make it work

iptables -t nat -N DNATS

iptables -t nat -A DNATS -d $WANIP1 -p tcp -m tcp --dport 89 -j DNAT --to 192.168.0.24

have looked at the NAT part of the firewall on webmin and there is only a few rules there and nothing to do with port 89