Old 06-07-2010, 11:06 PM   #1
packets
Member
 
Registered: Oct 2005
Posts: 285

Rep: Reputation: 30
iptables port forwarding


I've been Googling about iptables port forwarding, and even though there are results and I've applied them in my script, I can't make iptables forward requests to another machine, so I decided to ask for help.

eth0 is my Internet Interface (1.2.3.4 is the public ip)
eth1 is my Lan Interface
eth2 is my DMZ Interface

My Apache test server is 10.0.1.150

Below is my script:

Quote:
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -i eth2 -j ACCEPT
$iptables -A INPUT -i eth2 -j ACCEPT
$iptables -A OUTPUT -o eth2 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o eth0 -j SNAT --to-source 1.2.3.4
$iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth2 -j MASQUERADE
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 0:79 -j REJECT
$iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 81:65535 -j REJECT
$iptables -I FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
$iptables -A INPUT -p tcp -i eth0 --dport 3500 -j ACCEPT
$iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
$iptables -I FORWARD -i eth0 -p tcp -m state --state NEW -d 10.0.1.150 --dport 80 -j ACCEPT
$iptables -t nat -I PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.0.1.150:80
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
The relevant lines here, as far as I know, are:

Quote:
$iptables -I FORWARD -i eth0 -p tcp -m state --state NEW -d 10.0.1.150 --dport 80 -j ACCEPT
$iptables -t nat -I PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.0.1.150:80
I can telnet to port 80 of 10.0.1.150 on the server. I can even view the test page using links on the server.

Can anyone tell me what my mistake is here? I'm a Linux newbie with iptables.

Last edited by packets; 06-07-2010 at 11:17 PM.
 
Old 06-08-2010, 01:18 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Looks to me like it should work as it is. Maybe place a LOG rule at the end of the FORWARD chain so we can see if your test packet is getting filtered there (and if so, what the packet's headers look like)?
Code:
iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
With these types of issues, it's also a good idea to post the output of:
Code:
/sbin/route -n
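If the LOG rule does fire, the kernel writes one line per packet with IN=, OUT=, SRC=, DST=, PROTO= and DPT= fields. Here is an added example (not code from the post) that parses such lines and tallies the blocked paths; the log lines are constructed to match that format, using the prefix suggested above and documentation addresses for the clients.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines (not from the thread) in the
# format the kernel writes for an iptables LOG target.  The prefix is the one
# suggested above; client addresses are documentation ranges.  Note that a LOG
# rule in FORWARD runs after PREROUTING, so DST is already the DNATed address.
SAMPLE_LOG = """\
Jun  8 01:30:12 test kernel: FORWARD DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 01:30:13 test kernel: tcp connection: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.57 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=17 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 01:30:15 test kernel: FORWARD DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4243 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 01:30:20 test kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=198.51.100.200 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=9 PROTO=UDP SPT=5353 DPT=5353 LEN=28
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)(?=IN=)(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF or SYN have no '=' and are skipped

def parse_log(text):
    """One dict per netfilter LOG line: the rule prefix plus every KEY=value field."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = {"prefix": m.group("prefix").strip()}
            rec.update(FIELD_RE.findall(m.group("fields")))
            records.append(rec)
    return records

def with_prefix(records, prefix="FORWARD DROP:"):
    """Only the lines written by the catch-all LOG rule at the end of FORWARD."""
    return [r for r in records if r["prefix"] == prefix]

def blocked_paths(records):
    """Count (IN, OUT, PROTO, DST, DPT) so the blocked path stands out at a glance."""
    return Counter((r["IN"], r["OUT"], r["PROTO"], r["DST"], r.get("DPT", "-")) for r in records)

if __name__ == "__main__":
    for path, n in blocked_paths(with_prefix(parse_log(SAMPLE_LOG))).most_common():
        print(n, *path)
```

An empty tally means the test packet never reached the end of FORWARD: it was either accepted by an earlier rule or never entered the chain at all.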
 
Old 06-08-2010, 01:44 AM   #3
packets
Member
 
Registered: Oct 2005
Posts: 285

Original Poster
Rep: Reputation: 30
Quote:
place a LOG rule at the end of the FORWARD chain so we can see if your test packet is getting filtered there
I put $iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: " but I don't see any packets in syslog. All I can see is the "tcp connection:" lines, which come from the limit rule.

Quote:
With these types of issues, it's also a good idea to post the output of:
Quote:
[root@test ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.1.0.24      0.0.0.0         255.255.255.192 U     0      0        0 eth0
10.0.1.0        10.0.1.1        255.255.255.0   UG    0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth2
0.0.0.0         202.1.0.1       0.0.0.0         UG    0      0        0 eth0
202.1.0.24 is just a sample IP and 202.1.0.1 is just a sample gateway from the ISP.

10.0.1.1 is the gateway of 10.0.1.150
 
Old 06-08-2010, 01:48 AM   #4
packets
Member
 
Registered: Oct 2005
Posts: 285

Original Poster
Rep: Reputation: 30
I tried to install http and remove the lines related to port 80 on interface eth0, ran the script, and I can see Apache.

So probably the culprit is somewhere in the script, or it's a routing issue, but could it be a routing issue even though I can telnet to the service (http)? The server can connect to the private LAN server where Apache is installed.
 
Old 06-08-2010, 01:50 AM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
What interface is the Apache server on?
 
Old 06-08-2010, 02:04 AM   #6
packets
Member
 
Registered: Oct 2005
Posts: 285

Original Poster
Rep: Reputation: 30
Quote:
What interface is the Apache server on?
Apache was installed on a different server, not on the firewall itself. The Apache server was on the private LAN.

On the FW server, eth1 is the private LAN interface.
 
Old 06-08-2010, 10:34 AM   #7
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
Have you enabled ip forwarding?
Run this to check:
Code:
cat /proc/sys/net/ipv4/ip_forward
If the output is 0 then you need to run this:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward

If that is not the issue, please run the following commands and post the output to us:
Code:
ip route
ifconfig 
iptables-save
 
Old 06-08-2010, 07:42 PM   #8
packets
Member
 
Registered: Oct 2005
Posts: 285

Original Poster
Rep: Reputation: 30
Quote:
Have you enabled ip forwarding?
Yes. It was already at the top of the script; I just didn't include it.

Will post later the output of those requested commands.

Thanks!
 
Old 06-08-2010, 08:37 PM   #9
packets
Member
 
Registered: Oct 2005
Posts: 285

Original Poster
Rep: Reputation: 30
ip route NOTE:

Quote:
[root@test ~]# ip route
202.80.2.0/26 dev eth0 proto kernel scope link src 202.80.2.57
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.210
192.168.1.0/24 via 10.0.1.151 dev eth1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
169.254.0.0/16 dev eth2 scope link
10.0.0.0/8 dev eth2 proto kernel scope link src 10.4.0.100
default via 202.84.20.3 dev eth0
iptables-save

Quote:
[root@test ~]# iptables-save
# Generated by iptables-save v1.3.5 on Wed Jun 9 08:46:33 2010
*nat
:PREROUTING ACCEPT [26774:2237252]
:POSTROUTING ACCEPT [3584:431485]
:OUTPUT ACCEPT [3717:440300]
-A PREROUTING -s 192.168.1.200 -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -d 202.80.2.57 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.150:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j SNAT --to-source 202.80.2.57
-A POSTROUTING -s 10.0.1.0/255.255.255.0 -o eth2 -j MASQUERADE
COMMIT
# Completed on Wed Jun 9 08:46:33 2010
# Generated by iptables-save v1.3.5 on Wed Jun 9 08:46:33 2010
*filter
:INPUT DROP [17:1156]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1281:194076]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m limit --limit 1/sec -m tcp -j LOG --log-prefix "tcp connection: "
-A INPUT -i eth0 -p udp -m limit --limit 1/sec -m udp -j LOG --log-prefix "udp connection: "
-A INPUT -i eth0 -p tcp -m tcp -j DROP
-A INPUT -i eth0 -p udp -m udp -j DROP
-A FORWARD -d 10.0.1.150 -i eth0 -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m multiport --dports 81:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -p tcp -m multiport --dports 0:79 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
COMMIT
# Completed on Wed Jun 9 08:46:33 2010
ifconfig

Quote:
eth0      Link encap:Ethernet  HWaddr 00:1B:FC:56:51:88
          inet addr:202.80.2.57  Bcast:202.80.2.63  Mask:255.255.255.192
          inet6 addr: fe80::21b:fcff:fe56:5188/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3065022 errors:0 dropped:0 overruns:0 frame:100
          TX packets:1043939 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1561485718 (1.4 GiB)  TX bytes:181875508 (173.4 MiB)
          Interrupt:193 Base address:0x2c00

eth1      Link encap:Ethernet  HWaddr 00:0E:2E:54:FF:DE
          inet addr:10.0.1.210  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:2eff:fe54:ffde/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1299132 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1416915 errors:1 dropped:0 overruns:0 carrier:2
          collisions:181467 txqueuelen:1000
          RX bytes:207653966 (198.0 MiB)  TX bytes:1462420227 (1.3 GiB)
          Interrupt:201 Base address:0x4000

eth1:1    Link encap:Ethernet  HWaddr 00:0E:2E:54:FF:DE
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:201 Base address:0x4000

eth2      Link encap:Ethernet  HWaddr 00:0D:88:CA:DD:8B
          inet addr:10.4.0.100  Bcast:10.4.0.255  Mask:255.0.0.0
          inet6 addr: fe80::20d:88ff:feca:dd8b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88956 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11047 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7075999 (6.7 MiB)  TX bytes:959796 (937.3 KiB)
          Interrupt:185 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1270120 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1270120 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:224792304 (214.3 MiB)  TX bytes:224792304 (214.3 MiB)
 
Old 06-09-2010, 07:43 AM   #10
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
EDIT: I didn't look at your routing table very closely...

Run these commands and see how it goes.
Code:
ip route delete 192.168.1.0/24 via 10.0.1.151 dev eth1
ip route delete 10.0.0.0/8 dev eth2 proto kernel scope link src 10.4.0.100
Assuming that does not fix your problem, can you post the output of:
Code:
cat /proc/sys/net/ipv4/ip_forward

Last edited by SuperJediWombat!; 06-09-2010 at 09:42 AM.
 
Old 06-09-2010, 09:13 PM   #11
packets
Member
 
Registered: Oct 2005
Posts: 285

Original Poster
Rep: Reputation: 30
Does it make sense, if I know I can telnet to the DMZ server on the port I'm trying to forward, that I still need to think the problem might be on the network side? Even if I can traceroute successfully to the DMZ server?

Quote:
[root@test rc.d]# traceroute 10.0.1.150
traceroute to 10.0.1.150 (10.0.1.150), 30 hops max, 40 byte packets
 1  10.0.1.1 (10.0.1.1)      7.825 ms   7.788 ms   7.842 ms
 2  10.0.1.150 (10.0.1.150)  10.501 ms  10.578 ms  1.918 ms
BTW, here's the output:

Quote:
[root@test rc.d]# cat /proc/sys/net/ipv4/ip_forward
1
 
Old 06-10-2010, 04:35 AM   #12
packets
Member
 
Registered: Oct 2005
Posts: 285

Original Poster
Rep: Reputation: 30
Problem fixed!

It seems that when I added the following, I can now forward ports:

Quote:
iptables -I FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.4.0.236:80
Here is the complete script:

Quote:
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
/sbin/iptables -A FORWARD -i eth2 -j ACCEPT
/sbin/iptables -A INPUT -i eth2 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth2 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o eth0 -j SNAT --to-source 1.2.3.4
/sbin/iptables -I FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -I FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 0:79 -j REJECT
/sbin/iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 81:65535 -j REJECT
/sbin/iptables -I FORWARD -i eth1 -o eth2 -p tcp -m state --state NEW,ESTABLISHED,RELATED -s 10.0.1.156 -d 10.4.0.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 3500 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.4.0.236:80
/sbin/iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
/sbin/iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
/sbin/iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
Is this secure enough to use for servers?

Last edited by packets; 06-10-2010 at 04:36 AM.
 
Old 06-10-2010, 05:01 AM   #13
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
I would be happy to look at your firewall script and give you an idea of how secure it is, but please post it again from the output of this command:
Code:
iptables-save
 
Old 06-10-2010, 05:10 AM   #14
packets
Member
 
Registered: Oct 2005
Posts: 285

Original Poster
Rep: Reputation: 30
Here it is. Please let me know if there are any flaws or changes that need to be made. Thanks!

Quote:
[root@test rc.d]# iptables-save
# Generated by iptables-save v1.3.5 on Thu Jun 10 17:20:16 2010
*filter
:INPUT DROP [3:571]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [31:9007]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -j DROP
-A INPUT -i eth0 -p udp -m udp -j DROP
-A FORWARD -s 10.0.1.156 -d 10.4.0.0/255.255.255.0 -i eth1 -o eth2 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m multiport --dports 81:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -p tcp -m multiport --dports 0:79 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
COMMIT
# Completed on Thu Jun 10 17:20:16 2010
# Generated by iptables-save v1.3.5 on Thu Jun 10 17:20:16 2010
*nat
:PREROUTING ACCEPT [3739:351485]
:POSTROUTING ACCEPT [64:3840]
:OUTPUT ACCEPT [68:4056]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.4.0.236:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
# Completed on Thu Jun 10 17:20:16 2010
 
Old 06-10-2010, 10:45 AM   #15
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
You do not need this line; it is covered by the one above:
Code:
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
If you wanted to allow ping requests into the
This one should be deleted; port 80 is being routed, so it is covered by the FORWARD chain:
Code:
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
The 'multiport' module is only for non-sequential numbers (like 25,110,143). If you are doing a continuous range, it works with the standard '--dport' match. So replace those two rules with this one:
Code:
-A FORWARD -i eth1 -p tcp --dport 81:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -p tcp --dport 0:79 -j REJECT --reject-with icmp-port-unreachable
Hrmm... It will take me too long to do this line by line, so here is my suggestion. Test it to check that it works and ask if you have any questions:

Code:
#
# Generated by SuperJediWombat v1.3.3.7 on Thu Jun 10 22:40:16 2010
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 3500 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp -s 10.0.1.156 -d 10.4.0.0/24 -j ACCEPT
-A FORWARD -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD ! -i eth0 -p tcp -j REJECT --reject-with icmp-port-unreachable
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.4.0.236:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
Most of what I cut out was redundant, covered either by your default policy (drop, except for outbound) or by other rules.

You need to remember that packets that are being routed are covered by the FORWARD chain. INPUT and OUTPUT are only for packets that are addressed directly to or from the firewall itself. If you don't understand that you really need to ask for more clarification.
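To see which FORWARD rule decides the fate of the DNATed request, here is an added example (not code from the thread) that walks a packet through the two FORWARD chains on this page, the poster's working one from #14 and the suggested one from #15. It handles only the match options those rules use, and the client address is a constructed documentation address.

```python
import ipaddress
import shlex

# Added example (not the thread's code): a tiny FORWARD-chain evaluator that knows
# only the matches used on this page: -i/-o (with "!"), -p, -s, -d, --dport(s), --state.
KEYS = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst",
        "--dport": "dport", "--dports": "dport", "--state": "state", "-j": "target"}

def parse_rule(line):
    """Turn one iptables-save rule line into {field: (value, negated)}."""
    toks, rule, neg, i = shlex.split(line), {}, False, 0
    while i < len(toks):
        if toks[i] == "!":
            neg, i = True, i + 1
        elif toks[i] in KEYS:
            rule[KEYS[toks[i]]] = (toks[i + 1], neg)
            neg, i = False, i + 2
        else:  # -A chain, -m module, --reject-with type: skip option and its argument
            i += 2
    return rule

def matches(rule, pkt):
    tests = {"in": lambda v: pkt["in"] == v, "out": lambda v: pkt["out"] == v,
             "src": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
             "dst": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
             "dport": lambda v: int(v.split(":")[0]) <= pkt["dport"] <= int(v.split(":")[-1]),
             "proto": lambda v: pkt["proto"] == v, "state": lambda v: pkt["state"] in v.split(",")}
    for key, test in tests.items():
        if key in rule:
            value, negated = rule[key]
            if test(value) == negated:  # "!" inverts the match
                return False
    return True

def evaluate(chain, pkt, policy="DROP"):
    """Return (target, rule line) of the first matching rule, or (policy, "policy")."""
    for line in chain.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["target"][0], line
    return policy, "policy"

# FORWARD chains copied from the poster's working iptables-save (#14) and the suggested ruleset (#15).
OP_CHAIN = """
-A FORWARD -s 10.0.1.156 -d 10.4.0.0/255.255.255.0 -i eth1 -o eth2 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m multiport --dports 81:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -p tcp -m multiport --dports 0:79 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
"""
SUGGESTED_CHAIN = """
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp -s 10.0.1.156 -d 10.4.0.0/24 -j ACCEPT
-A FORWARD -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD ! -i eth0 -p tcp -j REJECT --reject-with icmp-port-unreachable
"""
# The DNATed request as FORWARD sees it: PREROUTING already rewrote the destination to the DMZ host and routing chose eth2 (client address constructed).
INBOUND_WEB = {"in": "eth0", "out": "eth2", "proto": "tcp", "src": "198.51.100.7",
               "dst": "10.4.0.236", "dport": 80, "state": "NEW"}
```

Against the poster's chain the request matches the -i eth0 -o eth2 rule; against the suggested chain no rule covers eth0-to-eth2 traffic, so it falls through to the DROP policy, which is exactly the kind of gap to catch with a check like this before loading a rewritten ruleset.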
 