iptables port forwarding
I'm fairly new to iptables, they don't seem too complicated but I am new. I followed a sample setup in the RedHat Bible and then added the seventh line from a posted suggestion. I need to forward incoming requests on eth0 (X.X.X.X) to a web server. I also need to use this as a proxy but neither seems to work! I can ping the machine, I can ping out of it, and I can browse the web out of it. The file is printed below. Thanks for your help - again!
The issue is you don't have any nat or pre-routing statements. Here is a good site on linux FW design.
http://eressea.pikus.net/~pikus/plug...all/page0.html
Thanks for the link. I'm looking over it - I don't want to sound lazy in any way cause I know I need to read this, but I'm horrible at reading manuals. Can you point me to a more specific page? Or show me what to do? I'll keep reading....
Here is an example of a port-forwarding rule set:

$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 80 -j DNAT --to $DMZIP:80
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 80 -j ACCEPT

The first line will take care of your pre-routing NAT. The second line is what actually forwards the port. Here is a sample iptables script... this may be rather helpful. I'm sorry I can't be more specific, but FW design is different for everyone's needs. Iptables is much too broad a subject for us to walk you through. This example below should get you off to a good start though.

#!/bin/bash
####################################
#                                  #
#  --** Dub's Firewall Script **-- #
#                                  #
####################################

#Set Variables
IPT=/sbin/iptables
PUBIF="eth0"
PRIVIF="eth1"
DMZIF="eth2"
PUBIP=""
#Host addresses without a prefix length: DNAT --to needs a single address (the networks are in *NET below)
PRIVIP="192.168.100.100"
DMZIP="192.168.200.100"
PRIVNET="192.168.100.0/24"
DMZNET="192.168.200.0/24"
PUBNET=""
LOG_OPTIONS="-m limit --limit 5/minute --log-level 3 --log-prefix "
LOG_OPTIONS_MORE="-m limit --limit 20/minute --log-level 3 --log-prefix"
LOG_OPTIONS_LESS="-m limit --limit 1/minute --log-level 3 --log-prefix"
PLACE_WE_HATE="www.aol.com"

#Load Modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

#Clean Start
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F

#Define Policy
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

#Allow Loopback
$IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

#Allow Connections Between Firewall and Internal Network
$IPT -A OUTPUT -o $PRIVIF -j ACCEPT
$IPT -A INPUT -i $PRIVIF -j ACCEPT

#No Cross-Forwarding
$IPT -A FORWARD -i $PUBIF -o $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-X-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PUBIF -j DROP

#No Spoofed Source Addresses
$IPT -A INPUT -s "0.0.0.0" -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "0.0.0.0" -i $PUBIF -j DROP
$IPT -A INPUT -s "10.0.0.0/8" -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "10.0.0.0/8" -i $PUBIF -j DROP
$IPT -A INPUT -s "192.168.0.0/16" -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "192.168.0.0/16" -i $PUBIF -j DROP
$IPT -A INPUT -s "172.16.0.0/12" -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "172.16.0.0/12" -i $PUBIF -j DROP

#Port Scans
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG $LOG_OPTIONS "IPTABLES-PORT-SCAN: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
#NMAP FIN/URG/PSH
$IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG $LOG_OPTIONS "IPTABLES-SYN-FIN: "
$IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#SYN/FIN (no space inside the flag list, or iptables rejects the rule)
$IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG $LOG_OPTIONS_MORE "IPTABLES-FIN: "
$IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

echo INPUT
#################################################################
#                                                               #
#                            INPUT                              #
#                                                               #
#################################################################

#Accept DHCP Lease
$IPT -A INPUT -i $PUBIF -p udp --source-port 67 --dport 68 -j ACCEPT
#OUTPUT rules take -o (outgoing interface), not -i
$IPT -A OUTPUT -o $PUBIF -p udp --source-port 68 --dport 67 -j ACCEPT

#Silently Drop Broadcast and Multicast Traffic
$IPT -A INPUT -i $PUBIF -d 255.255.255.255 -j DROP
$IPT -A INPUT -i $PUBIF -d 224.0.0.0/4 -j DROP

#Drop All Invalid Incoming Packets
$IPT -A INPUT -m unclean -j LOG $LOG_OPTIONS "IPTABLES-UNCLEAN: "
$IPT -A INPUT -m unclean -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP

#Allow Outgoing Echo Request/Reply
$IPT -A OUTPUT -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type destination-unreachable -j ACCEPT

#Allow Outgoing Traceroute
$IPT -A OUTPUT -o $PUBIF -p udp -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type time-exceeded -j ACCEPT

#Specific Nasty Ports
#MS-Networking
$IPT -A INPUT -p tcp -i $PUBIF --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-MS-NETWORKING: "
$IPT -A INPUT -p udp -i $PUBIF --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-MS-NETWORKING: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 135:139 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 135:139 -j DROP
#NFS
$IPT -A INPUT -p tcp -i $PUBIF --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-NFS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-NFS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 2049 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 2049 -j DROP
#X-Windows
$IPT -A INPUT -p tcp -i $PUBIF --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-X-WINDOWS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-X-WINDOWS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 5999:6003 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 5999:6003 -j DROP
#X Font Server
$IPT -A INPUT -p tcp -i $PUBIF --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-XFS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-XFS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 7100 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 7100 -j DROP
#Back Orifice
$IPT -A INPUT -p tcp -i $PUBIF --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-BACK-ORIFACE: "
$IPT -A INPUT -p udp -i $PUBIF --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-BACK-ORIFACE: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 31337 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 31337 -j DROP
#Netbus
$IPT -A INPUT -p tcp -i $PUBIF --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-NETBUS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-NETBUS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 12345:12346 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 12345:12346 -j DROP
#Subseven
$IPT -A INPUT -p tcp -i $PUBIF --dport 27374 -j LOG $LOG_OPTIONS "IPTABLES-SUBSEVEN: "
$IPT -A INPUT -p udp -i $PUBIF --dport 27374 -j LOG $LOG_OPTIONS "IPTABLES-SUBSEVEN: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 27374 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 27374 -j DROP

echo FORWARDING
#################################################################
#                                                               #
#                          FORWARDING                           #
#                                                               #
#################################################################

#Drop All Invalid Incoming Packets
$IPT -A FORWARD -m unclean -j LOG $LOG_OPTIONS "IPTABLES-UNCLEAN-FORWARD: "
$IPT -A FORWARD -m unclean -j DROP
$IPT -A FORWARD -m state --state INVALID -j LOG $LOG_OPTIONS "IPTABLES-INVALID-FORWARD: "
$IPT -A FORWARD -m state --state INVALID -j DROP

#Block Outgoing Connections to Places We HATE
$IPT -A FORWARD -i $PRIVIF -d $PLACE_WE_HATE -j DROP

#Block Outgoing Connections by PORT (Last Resort Against DoS)
$IPT -A FORWARD -i $PRIVIF -p tcp --dport 135:139 -j DROP
$IPT -A FORWARD -i $PRIVIF -p udp --dport 135:139 -j DROP

#Allow Otherwise Unrestricted Outgoing Connections
$IPT -A FORWARD -i $PRIVIF -o $PUBIF -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $DMZIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
#Replies from DMZ servers back out to outside clients; the forwarded ports below do not work without this
$IPT -A FORWARD -i $DMZIF -o $PUBIF -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow DMZ Outgoing DNS lookups
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p udp --dport 53 -j ACCEPT

#NAT Postrouting SNAT
$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $PUBIF -s $DMZNET -j MASQUERADE

echo PORT FORWARDING
#################################################################
#                                                               #
#                        PORT FORWARDING                        #
#                                                               #
#################################################################

#Web
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 80 -j DNAT --to $DMZIP:80
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 80 -j ACCEPT
#FTP
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 21 -j DNAT --to $DMZIP:21
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 21 -j ACCEPT
#POP3
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 110 -j DNAT --to $DMZIP:110
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 110 -j ACCEPT
#SMTP
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 25 -j DNAT --to $DMZIP:25
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 25 -j ACCEPT
#SSH
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 22 -j DNAT --to $DMZIP:22
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 22 -j ACCEPT
#Waste
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 55555 -j DNAT --to $DMZIP:55555
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 55555 -j ACCEPT

#See No Evil, Forward No Evil
#MS Networking
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-MSNETWORKING: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-MSNETWORKING: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 135:139 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 135:139 -j DROP
#NFS
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NFS: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NFS: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
#X-Windows
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XWINDOWS: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XWINDOWS: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 5999:6003 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 5999:6003 -j DROP
#X Font Server
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XFONTSERVER: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XFONTSERVER: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 7100 -j DROP
#Back Orifice
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-BACKORIFACE: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-BACKORIFACE: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 31337 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 31337 -j DROP
#Netbus
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NETBUS: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NETBUS: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 12345:12346 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 12345:12346 -j DROP

#Set SSH, DNS, and FTP for minimum delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
#Set FTP Data and Web Traffic for Maximum Throughput
#$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
#$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput

#Deny ICMP Redirects
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-ICMP-REDIRECT: "
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j DROP

#Allow All Pings and all Outgoing Traceroutes
$IPT -A FORWARD -i $PRIVIF -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PRIVIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -p icmp --icmp-type destination-unreachable -j ACCEPT

#Do Not Allow Any Other Connections on the External Interface, Including Traceroute
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j LOG $LOG_OPTIONS "IPTABLES-CONN-PRIVIF-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j DROP
$IPT -A FORWARD -i $PUBIF -o $DMZIF -j LOG $LOG_OPTIONS "IPTABLES-CONN-DMZIF-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $DMZIF -j DROP

echo Firewall Script Complete
#################################################################
#                                                               #
#               All Infidels Have Been Denied!                  #
#                      Script Complete                          #
#                                                               #
#################################################################
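As an added example (not part of the reply above and not the firewall script's own code), the two-rule forward from that reply wrapped in a small POSIX shell script with a dry-run mode, together with the two pieces that are usually missing when a forward is "configured but does not work": a stateful return path for the DMZ host's replies and net.ipv4.ip_forward. The interface names, the DMZ address and the port are assumptions; DNAT refuses a CIDR prefix as its target, so the script checks for that before touching any rule.

```sh
#!/bin/sh
# Added example, not code from the thread: minimal public-to-DMZ port forward
# on a Linux FW/router, with a dry-run mode that prints the commands.
# PUBIF, DMZIF, DMZIP and the port are assumptions; set them for your host.
# Usage: DRY_RUN=1 sh forward.sh   (prints)   |   sh forward.sh as root (applies)

IPT="${IPT:-/sbin/iptables}"
PUBIF="${PUBIF:-eth0}"
DMZIF="${DMZIF:-eth2}"
DMZIP="${DMZIP:-192.168.200.100}"   # a single host address: DNAT cannot target a /24

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# DNAT --to-destination takes a host address (or a host range), never a CIDR
# prefix; refuse early instead of letting iptables fail half-way through.
is_host_addr() {
    case "$1" in
        */*|"") return 1 ;;
        *)      return 0 ;;
    esac
}

# Forward public TCP port $1 to port ${2:-$1} on the DMZ host.
forward_port() {
    pub_port="$1"; dmz_port="${2:-$1}"
    is_host_addr "$DMZIP" || { echo "DMZIP must be one host address, got '$DMZIP'" >&2; return 1; }
    # 1. nat/PREROUTING: rewrite the destination before the routing decision, so the
    #    kernel routes the packet toward the DMZ host instead of delivering it locally.
    run "$IPT" -t nat -A PREROUTING -i "$PUBIF" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$DMZIP:$dmz_port"
    # 2. filter/FORWARD: with a DROP policy the rewritten packet still needs an ACCEPT.
    #    FORWARD sees the post-DNAT address, so match on the DMZ host and DMZ port.
    run "$IPT" -A FORWARD -i "$PUBIF" -o "$DMZIF" -p tcp -d "$DMZIP" --dport "$dmz_port" \
        -j ACCEPT
}

# The easily forgotten half: a path for the DMZ host's replies back out, and
# IP forwarding itself. Without either, the DNAT rule is present but nothing answers.
enable_return_path() {
    run "$IPT" -A FORWARD -i "$DMZIF" -o "$PUBIF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
}

# Stand-alone demo: only in dry-run mode, so sourcing the file never changes rules.
if [ "${DRY_RUN:-0}" = 1 ]; then
    forward_port 80
    enable_return_path
fi
```

The FORWARD rule deliberately matches the DMZ address and port rather than the public ones, because filtering happens after nat/PREROUTING has already rewritten the destination; matching on the public address there is a common reason the DNAT line looks right but the packet is dropped by the FORWARD policy.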
Is the DMZ what I specify as to where my web server is?
"The issue is you don't have any nat or pre-routing statements."
Isn't that what "-A PREROUTING --dst X.X.X.X -p tcp -j DNAT --to-destination 192.168.1.12" is?
Right. In the above example, the DMZ is running web services and the PRIVNET is a secured network, inaccessible from the outside. Both are on different networks using the Linux box as a FW/router. Each network is on a different interface/NIC.
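The question just above (whether a single PREROUTING DNAT line is enough) is the kind of thing that is quicker to check than to argue about. As an added example that is not part of this thread, the following POSIX shell script reads iptables-save output and reports which of the three parts of a working forward are missing: the nat PREROUTING DNAT, the filter FORWARD ACCEPT toward the DMZ host, and the stateful return path from the DMZ interface back out. The embedded dump is constructed for the demo; the interface names, DMZ address and port are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: audit an iptables-save dump for the
# rules a DNAT port forward needs. Sample dump below is constructed; PUBIF,
# DMZIF, DMZIP and the port are assumptions.

PUBIF="${PUBIF:-eth0}"
DMZIF="${DMZIF:-eth2}"
DMZIP="${DMZIP:-192.168.200.100}"

# Constructed iptables-save output of a configuration that works.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.200.100:80
-A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -d 192.168.200.100/32 -i eth0 -o eth2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Print only the -A lines that belong to table $1 (nat, filter, mangle) from stdin.
table_rules() {
    awk -v tbl="*$1" '/^\*/ { cur = $0; next } cur == tbl && /^-A / { print }'
}

# Ruleset $1 has a PREROUTING DNAT for public TCP port $2 to $DMZIP:$2?
has_dnat() {
    printf '%s\n' "$1" | table_rules nat \
        | grep -- "^-A PREROUTING " | grep -F -- "--dport $2 " \
        | grep -qF -- "-j DNAT --to-destination $DMZIP:$2"
}

# Ruleset $1 lets the rewritten packet cross $PUBIF -> $DMZIF to $DMZIP port $2?
# (iptables-save prints the host as /32, so match on the address prefix only.)
has_forward_accept() {
    printf '%s\n' "$1" | table_rules filter \
        | grep -- "^-A FORWARD " | grep -F -- "-i $PUBIF " | grep -F -- "-o $DMZIF " \
        | grep -F -- "-d $DMZIP" | grep -F -- "--dport $2 " | grep -q -- "-j ACCEPT$"
}

# Ruleset $1 gives the DMZ host's replies a stateful path back out?
has_return_path() {
    printf '%s\n' "$1" | table_rules filter \
        | grep -- "^-A FORWARD " | grep -F -- "-i $DMZIF " | grep -F -- "-o $PUBIF " \
        | grep -- "--state [A-Z,]*ESTABLISHED" | grep -q -- "-j ACCEPT$"
}

# Report what is missing for port $2 in ruleset $1; returns 0 only when all parts exist.
audit_forward() {
    rc=0
    has_dnat "$1" "$2"           || { echo "missing: nat PREROUTING DNAT for port $2 -> $DMZIP:$2"; rc=1; }
    has_forward_accept "$1" "$2" || { echo "missing: filter FORWARD ACCEPT $PUBIF -> $DMZIF to $DMZIP:$2"; rc=1; }
    has_return_path "$1"         || { echo "missing: FORWARD RELATED,ESTABLISHED $DMZIF -> $PUBIF"; rc=1; }
    # Forwarding is a kernel switch, not a rule; the check is skipped where /proc is unreadable.
    if [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
        echo "note: net.ipv4.ip_forward is 0; nothing is forwarded until it is 1"
    fi
    return $rc
}

# Stand-alone demo on the constructed dump; on a live box use:
#   audit_forward "$(iptables-save)" 80
audit_forward "$SAMPLE_RULES" 80 && echo "port 80 forward: all parts present"
```

A rule written without -t nat lands in the filter table, where DNAT is not a valid target, and a PREROUTING rule on its own never touches the FORWARD chain; running the audit against the live dump shows which of the two is actually absent before any rule is rewritten.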