LinuxQuestions.org > Linux - Networking > iptables port forwarding
https://www.linuxquestions.org/questions/linux-networking-3/iptables-port-forwarding-131721/

MadTurki 01-05-2004 11:04 AM

iptables port forwarding
 
I'm fairly new to iptables; they don't seem too complicated, but I am new. I followed a sample setup in the RedHat Bible and then added the seventh line from a posted suggestion. I need to forward incoming requests on eth0 (X.X.X.X) to a web server. I also need to use this as a proxy, but neither seems to work! I can ping the machine, I can ping out of it, and I can browse the web out of it. The file is printed below. Thanks for your help - again!

Quote:

# Generated by iptables-save v1.2.8 on Mon Jan 5 15:52:38 2004
*nat
:PREROUTING ACCEPT [36:3374]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:70]
-A POSTROUTING -o eth0 -j SNAT --to-source X.X.X.X
-A PREROUTING --dst X.X.X.X -p tcp -j DNAT --to-destination 192.168.1.12
COMMIT
# Completed on Mon Jan 5 15:52:38 2004
# Generated by iptables-save v1.2.8 on Mon Jan 5 15:52:38 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:okay - [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.1.4 -i lo -j ACCEPT
-A INPUT -s X.X.X.X -i lo -j ACCEPT
-A INPUT -d 192.168.1.255 -i eth1 -j ACCEPT
-A INPUT -d X.X.X.X -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 2401 -j okay
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
-A OUTPUT -s X.X.X.X -j ACCEPT
COMMIT
# Completed on Mon Jan 5 15:52:38 2004

dubman 01-05-2004 11:32 AM

The issue is you don't have any nat or pre-routing statements. Here is a good site on linux FW design.

http://eressea.pikus.net/~pikus/plug...all/page0.html

MadTurki 01-05-2004 11:42 AM

Thanks for the link. I'm looking over it - I don't want to sound lazy in any way, 'cause I know I need to read this, but I'm horrible at reading manuals. Can you point me to a more specific page? Or show me what to do? I'll keep reading....

dubman 01-05-2004 12:12 PM

here is an example of a port-forwarding rule set:


$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 80 -j DNAT --to $DMZIP:80
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 80 -j ACCEPT

The first line will take care of your pre-routing NAT. The second line is what actually forwards the port.

Here is a sample iptables script... this may be rather helpful. I'm sorry I can't be more specific, but FW design is different for everyone's needs. Iptables is much too broad a subject for us to walk you through. This example below should get you off to a good start, though.

#!/bin/bash

####################################
####################################
# #
# #
# --** Dub's Firewall Script **-- #
# #
# #
####################################
####################################

#Set Variables
IPT=/sbin/iptables
PUBIF="eth0"
PRIVIF="eth1"
DMZIF="eth2"
PUBIP=""                        # not needed: the public address comes from DHCP (see below)
PRIVIP="192.168.100.100"        # firewall's own address on the private LAN (not used below)
DMZIP="192.168.200.100"         # the DMZ host that receives the forwarded ports; a bare host
                                # address, because DNAT --to-destination will not take a /24
PRIVNET="192.168.100.0/24"
DMZNET="192.168.200.0/24"
PUBNET=""
LOG_OPTIONS="-m limit --limit 5/minute --log-level 3 --log-prefix"
LOG_OPTIONS_MORE="-m limit --limit 20/minute --log-level 3 --log-prefix"
LOG_OPTIONS_LESS="-m limit --limit 1/minute --log-level 3 --log-prefix"
PLACE_WE_HATE="www.aol.com"     # a hostname here is resolved once, when the rule is loaded

#Load Modules
#The ip_* names are the 2.4-era modules; newer kernels call them nf_*. Try both, ignore misses.
for mod in ip_conntrack ip_conntrack_ftp ip_nat_ftp nf_conntrack nf_conntrack_ftp nf_nat_ftp; do
    /sbin/modprobe $mod 2>/dev/null
done

#Turn On Routing Between the Interfaces
#Without this the kernel forwards nothing, whatever the FORWARD and DNAT rules say.
echo 1 > /proc/sys/net/ipv4/ip_forward

#Clean Start (flush every table and delete any user-defined chains)
$IPT -F
$IPT -X
$IPT -F -t nat
$IPT -X -t nat
$IPT -F -t mangle
$IPT -X -t mangle

#Define Policy
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

#Allow Loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

#Allow Replies to the Firewall's Own Outgoing Traffic
#INPUT is DROP by default, so without this the box's own DNS lookups (including the one
#that resolves $PLACE_WE_HATE further down) never get an answer back.
$IPT -A INPUT -i $PUBIF -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow Connections Between Firewall and Internal Network
$IPT -A OUTPUT -o $PRIVIF -j ACCEPT
$IPT -A INPUT -i $PRIVIF -j ACCEPT

#No Cross-Forwarding
$IPT -A FORWARD -i $PUBIF -o $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-X-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PUBIF -j DROP

#No Spoofed Source Addresses (private ranges never legitimately arrive on the public side)
$IPT -A INPUT -s 0.0.0.0 -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s 0.0.0.0 -i $PUBIF -j DROP
$IPT -A INPUT -s 10.0.0.0/8 -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s 10.0.0.0/8 -i $PUBIF -j DROP
$IPT -A INPUT -s 192.168.0.0/16 -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s 192.168.0.0/16 -i $PUBIF -j DROP
$IPT -A INPUT -s 172.16.0.0/12 -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s 172.16.0.0/12 -i $PUBIF -j DROP

#Port Scans (NULL scan: no TCP flags set)
#These live in the mangle table because it sees every packet; the nat table is only
#consulted for the first packet of a connection, so a DROP there misses everything else.
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG $LOG_OPTIONS "IPTABLES-PORT-SCAN: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

#SYN/RST (never legitimate together)
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG $LOG_OPTIONS "IPTABLES-SYN-RST: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

#SYN/FIN (never legitimate together; the flag lists must not contain spaces)
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG $LOG_OPTIONS_MORE "IPTABLES-SYN-FIN: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

echo INPUT

#################################################################
# #
# INPUT #
# #
#################################################################

#Accept DHCP Lease (OUTPUT has no input interface, so the outgoing half matches on -o)
$IPT -A INPUT -i $PUBIF -p udp --sport 67 --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $PUBIF -p udp --sport 68 --dport 67 -j ACCEPT

#Silently Drop Broadcast and Multicast Traffic
$IPT -A INPUT -i $PUBIF -d 255.255.255.255 -j DROP
$IPT -A INPUT -i $PUBIF -d 224.0.0.0/4 -j DROP

#Drop All Invalid Incoming Packets
#(conntrack's INVALID state; the old experimental "unclean" match is no longer shipped)
$IPT -A INPUT -m state --state INVALID -j LOG $LOG_OPTIONS "IPTABLES-INVALID: "
$IPT -A INPUT -m state --state INVALID -j DROP

#Allow Outgoing Echo Request/Reply
$IPT -A OUTPUT -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type destination-unreachable -j ACCEPT

#Allow Outgoing Traceroute (this also carries the firewall's own DNS queries)
$IPT -A OUTPUT -o $PUBIF -p udp -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type time-exceeded -j ACCEPT

#Specific Nasty Ports (the policy already drops these; the rules exist to log them)
#MS Networking
$IPT -A INPUT -p tcp -i $PUBIF --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-MS-NETWORKING: "
$IPT -A INPUT -p udp -i $PUBIF --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-MS-NETWORKING: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 135:139 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 135:139 -j DROP

#NFS
$IPT -A INPUT -p tcp -i $PUBIF --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-NFS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-NFS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 2049 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 2049 -j DROP

#X Windows
$IPT -A INPUT -p tcp -i $PUBIF --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-X-WINDOWS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-X-WINDOWS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 5999:6003 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 5999:6003 -j DROP

#X Font Server
$IPT -A INPUT -p tcp -i $PUBIF --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-XFS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-XFS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 7100 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 7100 -j DROP

#Back Orifice
$IPT -A INPUT -p tcp -i $PUBIF --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-BACK-ORIFICE: "
$IPT -A INPUT -p udp -i $PUBIF --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-BACK-ORIFICE: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 31337 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 31337 -j DROP

#NetBus
$IPT -A INPUT -p tcp -i $PUBIF --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-NETBUS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-NETBUS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 12345:12346 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 12345:12346 -j DROP

#SubSeven
$IPT -A INPUT -p tcp -i $PUBIF --dport 27374 -j LOG $LOG_OPTIONS "IPTABLES-SUBSEVEN: "
$IPT -A INPUT -p udp -i $PUBIF --dport 27374 -j LOG $LOG_OPTIONS "IPTABLES-SUBSEVEN: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 27374 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 27374 -j DROP

echo FORWARDING

#################################################################
# #
# FORWARDING #
# #
#################################################################

#Drop All Invalid Forwarded Packets
$IPT -A FORWARD -m state --state INVALID -j LOG $LOG_OPTIONS "IPTABLES-INVALID-FORWARD: "
$IPT -A FORWARD -m state --state INVALID -j DROP

#Block Outgoing Connections to Places We HATE
$IPT -A FORWARD -i $PRIVIF -d $PLACE_WE_HATE -j DROP

#Block Outgoing Connections by PORT (Last Resort Against DoS)
$IPT -A FORWARD -i $PRIVIF -p tcp --dport 135:139 -j DROP
$IPT -A FORWARD -i $PRIVIF -p udp --dport 135:139 -j DROP

#Allow Otherwise Unrestricted Outgoing Connections, and the Replies to Them
$IPT -A FORWARD -i $PRIVIF -o $PUBIF -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $DMZIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
#Replies from the DMZ host to connections that came in through the port forwards below.
#Without this the DNATed SYN gets in, but the SYN/ACK from $DMZIP dies on the DROP policy.
$IPT -A FORWARD -i $DMZIF -o $PUBIF -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow DMZ Outgoing DNS Lookups
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p udp --dport 53 -j ACCEPT

#NAT Postrouting (masquerade because the public address is dynamic)
$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $PUBIF -s $DMZNET -j MASQUERADE

echo PORT FORWARDING
#################################################################
# #
# PORT FORWARDING #
# #
#################################################################
#Each forward needs two rules: the DNAT rewrites the destination before routing, and the
#FORWARD rule lets the rewritten packet through the DROP policy.

#Web
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 80 -j DNAT --to-destination $DMZIP:80
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 80 -j ACCEPT

#FTP
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 21 -j DNAT --to-destination $DMZIP:21
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 21 -j ACCEPT

#Mail
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 110 -j DNAT --to-destination $DMZIP:110
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 110 -j ACCEPT
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 25 -j DNAT --to-destination $DMZIP:25
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 25 -j ACCEPT

#SSH
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 22 -j DNAT --to-destination $DMZIP:22
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 22 -j ACCEPT

#Waste
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 55555 -j DNAT --to-destination $DMZIP:55555
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 55555 -j ACCEPT

#See No Evil, Forward No Evil
#MS Networking
$IPT -A FORWARD -p tcp --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-MSNETWORKING: "
$IPT -A FORWARD -p udp --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-MSNETWORKING: "
$IPT -A FORWARD -p tcp --dport 135:139 -j DROP
$IPT -A FORWARD -p udp --dport 135:139 -j DROP
#NFS
$IPT -A FORWARD -p tcp --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NFS: "
$IPT -A FORWARD -p udp --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NFS: "
$IPT -A FORWARD -p tcp --dport 2049 -j DROP
$IPT -A FORWARD -p udp --dport 2049 -j DROP
#X Windows
$IPT -A FORWARD -p tcp --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XWINDOWS: "
$IPT -A FORWARD -p udp --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XWINDOWS: "
$IPT -A FORWARD -p tcp --dport 5999:6003 -j DROP
$IPT -A FORWARD -p udp --dport 5999:6003 -j DROP
#X Font Server
$IPT -A FORWARD -p tcp --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XFONTSERVER: "
$IPT -A FORWARD -p udp --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XFONTSERVER: "
$IPT -A FORWARD -p tcp --dport 7100 -j DROP
$IPT -A FORWARD -p udp --dport 7100 -j DROP
#Back Orifice
$IPT -A FORWARD -p tcp --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-BACKORIFICE: "
$IPT -A FORWARD -p udp --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-BACKORIFICE: "
$IPT -A FORWARD -p tcp --dport 31337 -j DROP
$IPT -A FORWARD -p udp --dport 31337 -j DROP
#NetBus
$IPT -A FORWARD -p tcp --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NETBUS: "
$IPT -A FORWARD -p udp --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NETBUS: "
$IPT -A FORWARD -p tcp --dport 12345:12346 -j DROP
$IPT -A FORWARD -p udp --dport 12345:12346 -j DROP

#Set SSH, DNS, and FTP Control Traffic for Minimum Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p udp --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 21 -j TOS --set-tos Minimize-Delay

#Set FTP Data and Web Traffic for Maximum Throughput
#$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
#$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput

#Deny ICMP Redirects
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-ICMP-REDIRECT: "
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j DROP

#Allow All Pings and All Outgoing Traceroutes
$IPT -A FORWARD -i $PRIVIF -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PRIVIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -p icmp --icmp-type destination-unreachable -j ACCEPT

#Do Not Allow Any Other Connections on the External Interface, Including Traceroute
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j LOG $LOG_OPTIONS "IPTABLES-CONN-PRIVIF-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j DROP
$IPT -A FORWARD -i $PUBIF -o $DMZIF -j LOG $LOG_OPTIONS "IPTABLES-CONN-DMZIF-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $DMZIF -j DROP

echo Firewall Script Complete
#################################################################
# #
# All Infidels Have Been Denied! #
# Script Complete #
# #
#################################################################
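
The two-line port forward in the post above puts a DNAT in nat PREROUTING and one ACCEPT in FORWARD, and the script runs FORWARD with a DROP policy. Whether that is enough is easiest to see by walking a packet through the chains in the order the kernel does. The Python below is an added example, not code from the thread or from the script: a deliberately small model of netfilter traversal that understands only the matches used in this thread (-i, -o, -p, -s, -d/--dst, --dport, -m state) and the ACCEPT, DROP, DNAT, SNAT/MASQUERADE targets plus jumps into user-defined chains (such as the empty okay chain in the first post). The sample rule set, the routing table and the addresses 203.0.113.10, 192.168.200.100 and 198.51.100.7 are constructed for the demo.

```python
import ipaddress
import shlex


def parse_save(text):
    """iptables-save text -> {table: {chain: (policy, [rule tokens])}}."""
    tables, table = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            table[line[1:].split()[0]] = (line.split()[1], [])
        elif line.startswith("-A "):
            tok = shlex.split(line)
            table[tok[1]][1].append(tok[2:])
    return tables


def _opts(tok):  # {option: value} for every "-x value" pair in one rule
    return {t: tok[i + 1] for i, t in enumerate(tok)
            if t.startswith("-") and i + 1 < len(tok) and not tok[i + 1].startswith("-")}


def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def _matches(opts, pkt):  # only the matches the thread's rules use; anything else is ignored
    checks = {"-i": lambda v: v == pkt["iif"], "-o": lambda v: v == pkt["oif"],
              "-p": lambda v: v == pkt["proto"], "--dport": lambda v: int(v) == pkt["dport"],
              "-s": lambda v: _in_net(pkt["src"], v), "-d": lambda v: _in_net(pkt["dst"], v),
              "--dst": lambda v: _in_net(pkt["dst"], v), "--state": lambda v: pkt["state"] in v.split(",")}
    return all(checks[k](v) for k, v in opts.items() if k in checks)


def _run_chain(table, chain, pkt):
    """Walk one chain top to bottom; return (verdict or None, possibly NATed packet)."""
    policy, rules = table[chain]
    for tok in rules:  # non-terminating targets such as LOG just fall through to the next rule
        opts = _opts(tok)
        if not _matches(opts, pkt):
            continue
        target = opts.get("-j")
        if target in ("ACCEPT", "DROP"):
            return target, pkt
        if target == "DNAT":  # NAT targets terminate the chain
            ip, _, port = opts["--to-destination"].partition(":")
            return "ACCEPT", {**pkt, "dst": ip, "dport": int(port or pkt["dport"])}
        if target in ("SNAT", "MASQUERADE"):
            return "ACCEPT", {**pkt, "src": opts.get("--to-source", f"<address of {pkt['oif']}>")}
        if target in table:  # user-defined chain, like the empty ":okay -" chain in the first post
            verdict, pkt = _run_chain(table, target, pkt)
            if verdict is not None:
                return verdict, pkt
    return (None if policy == "-" else policy), pkt


def trace(tables, pkt, route):
    """nat PREROUTING (first packet of a flow only) -> routing -> FORWARD -> nat POSTROUTING."""
    log = []
    if pkt["state"] == "NEW":
        v, pkt = _run_chain(tables["nat"], "PREROUTING", pkt)
        log.append(("nat/PREROUTING", v, pkt))
        if v == "DROP":
            return v, log
    pkt = {**pkt, "oif": route(pkt["dst"])}  # the routing decision sees the post-DNAT destination
    v, pkt = _run_chain(tables["filter"], "FORWARD", pkt)
    log.append(("filter/FORWARD", v, pkt))
    if v == "ACCEPT" and pkt["state"] == "NEW":
        v, pkt = _run_chain(tables["nat"], "POSTROUTING", pkt)
        log.append(("nat/POSTROUTING", v, pkt))
    return log[-1][1], log


# Constructed sample (iptables-save form): the two-line port forward from the post under a
# FORWARD DROP policy. Assumed addresses: 203.0.113.10 is the public side, 192.168.200.100 the
# DMZ web host behind eth2, 198.51.100.7 a client on the Internet.
RULES_TWO_LINE = """
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.200.100:80
-A POSTROUTING -o eth0 -s 192.168.200.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth2 -p tcp -d 192.168.200.100 --dport 80 -j ACCEPT
COMMIT
"""
# The same plus the return path: the DMZ host's replies are ESTABLISHED packets going eth2 -> eth0.
RETURN_RULE = "-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
RULES_WITH_RETURN = RULES_TWO_LINE.rstrip().rsplit("COMMIT", 1)[0] + RETURN_RULE + "COMMIT\n"

INBOUND_SYN = dict(iif="eth0", oif="", proto="tcp", src="198.51.100.7", dst="203.0.113.10", dport=80, state="NEW")
# The SYN/ACK crosses FORWARD with its real source; conntrack undoes the DNAT only after the filter table.
DMZ_REPLY = dict(iif="eth2", oif="", proto="tcp", src="192.168.200.100", dst="198.51.100.7", dport=52340, state="ESTABLISHED")


def demo_route(dst):  # assumed routing table: the DMZ net sits behind eth2, everything else leaves via eth0
    return "eth2" if _in_net(dst, "192.168.200.0/24") else "eth0"


def forward_works(text):
    """True only if both the inbound SYN and the DMZ host's reply get through FORWARD."""
    return all(trace(parse_save(text), p, demo_route)[0] == "ACCEPT" for p in (INBOUND_SYN, DMZ_REPLY))


if __name__ == "__main__":
    for name, text in (("two-line forward", RULES_TWO_LINE), ("with return path", RULES_WITH_RETURN)):
        print(f"{name}: inbound SYN / DMZ reply ->", [trace(parse_save(text), p, demo_route)[0] for p in (INBOUND_SYN, DMZ_REPLY)])
```

With the first rule set the inbound SYN is rewritten to 192.168.200.100:80, routed out eth2 and accepted by FORWARD, but the DMZ host's SYN/ACK enters on eth2, matches nothing and dies on the DROP policy; the eth2 to eth0 ESTABLISHED rule makes both directions pass. Real iptables-save output can be fed to parse_save as well (substitute the real address for the X.X.X.X placeholder first). Matches the model does not know, such as --tcp-flags, --icmp-type and the unclean match, are ignored, so it can only over-approximate what is accepted, and it takes net.ipv4.ip_forward=1 for granted, a setting the thread never mentions and without which no packet reaches FORWARD at all.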

MadTurki 01-05-2004 12:32 PM

Is the dmz what I specify as to where my web server is?

MadTurki 01-05-2004 01:02 PM

"The issue is you don't have any nat or pre-routing statements."

Isn't that what
"-A PREROUTING --dst X.X.X.X -p tcp -j DNAT --to-destination 192.168.1.12" is?

dubman 01-05-2004 01:03 PM

Right. In the above example, the DMZ is running web services and the PRIVNET is a secured network, inaccessible from the outside. Both are on different networks using the Linux box as a FW/router. Each network is on a different interface/NIC.

