Linux - Networking forum, LinuxQuestions.org
Hello,
I have a strange(?) port forwarding problem.
I need to automate backups from my 5 web servers. I can back up the servers from my office (since I do not have a dedicated PC(!) for that job), but at my home office I am stuck.
The configuration:
ADSL Router <--> eth1 Linux firewall eth0 <--> LAN
Now, the ADSL router is configured with 192.168.1.1 as the internal IP and the static IP I have from my provider.
The Linux firewall has 2 ethernet cards: eth1: 192.168.1.2 and eth0: 192.168.0.1.
I forward all incoming connections to AAA.AAA.AAA.AAA:22 to 192.168.1.2:22 from the router's NAT table, where AAA is the static IP of the ADSL router.
In the Linux firewall I have the following lines inside the iptables rules file:
Code:
EXTINT="eth1" # Internet connected interface
LOOPBACK_INTERFACE="lo" # local naming convention
LCINT="eth0" # LAN Connector
IPADDR="192.168.0.1"
LCLAN="192.168.0.0/16"
LOOPBACK="127.0.0.0/8" # reserved loopback address range
echo -n " -Reset iptables..."
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo "$rc_done"
#FULL NAT.
echo -n " -NAT..."
iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.0.0/16 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE
##SSH SERVER Forward!
# The DNAT target 192.168.0.1 is the firewall's own eth0 address, so after DNAT the packet is
# delivered locally through the INPUT chain; the FORWARD rule below never sees it.
iptables -t nat -A PREROUTING -i $EXTINT -p tcp --dport 22 -j DNAT --to 192.168.0.1:22
iptables -A FORWARD -i $EXTINT -o $LCINT -d 192.168.0.1 -p tcp --dport 22 -j ACCEPT
##SSH server end
echo "$rc_done"
Theoretically, I should be able to ssh to my firewall using ssh xxx.xxx.xxx.xxx -l username, but instead of the password prompt I get a "Connection timed out" message.
If I delete the port forward rule from the ADSL router's NAT table I get a "connection refused" reply. Thus the problem is not the router. The sshd is accepting connections from any host, the hosts.allow file is the default (any:any), so I suppose that the problem is in the iptables configuration. I would be very grateful if someone could help me...
Are you trying to ssh to the server from the local network or from outside? If from local, try to ssh to 192.168.1.2. With the current rules (you forward only connections from outside) it looks like the only way.
I try from the outside. From the local LAN I can ssh to the firewall (we are talking about a headless PC). I just didn't post the other rules about the local traffic.
A small note:
When I shut down the firewall (not the IP forwarding though), I can ssh to my firewall from the internet.
Then I tried to apply the rules one by one. No luck. It seems that I am missing something, but I do not know what.
I even added
iptables -A INPUT -i $EXTINT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp --dport 22 -j ACCEPT
but no luck either. Thus, I suppose that I have to rewrite the firewall. What I cannot understand is that when I apply the same rules (the DNAT) to the FTP ports it works fine(!!!). I know that it's not a daemon problem since I can connect to my server when the firewall is down.
Why do you need to do DNAT, if 192.168.0.1 is an interface on the same box?
Nevertheless, if this is how you want to do it, you need to accept ssh connections on eth0.
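The point raised in the reply above, that sshd on the firewall's own address is reached through the INPUT chain and not through DNAT and FORWARD, is the first thing to check, together with the return direction: with a default-DROP OUTPUT policy the firewall's own replies must be accepted as well. The following shell snippet is an added example, not the poster's script and not code from linux-firewall-tools; it assumes the thread's interface names (eth1 towards the internet, eth0 towards the LAN), uses conntrack state matching, and emits both variants (sshd on the firewall itself, and sshd on an internal host behind DNAT) with a dry-run helper so the rules can be inspected without root:

```shell
#!/bin/sh
# Added example, not the poster's firewall script. Assumes the thread's interface
# names (eth1 = internet, eth0 = LAN); IPTABLES may be overridden for a dry run.
IPTABLES="${IPTABLES:-iptables}"
EXTINT="${EXTINT:-eth1}"
LCINT="${LCINT:-eth0}"

# Variant 1: sshd runs on the firewall itself. The packet is delivered locally,
# so it traverses INPUT (not FORWARD) and no DNAT is involved. Because both the
# INPUT and OUTPUT policies are DROP, the server's replies need their own OUTPUT rule.
ssh_local_rules() {
    $IPTABLES -A INPUT  -i "$EXTINT" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTINT" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
}

# Variant 2: sshd runs on an internal host ($1). DNAT rewrites the destination in
# PREROUTING; the packet is then routed through FORWARD in both directions.
# No SNAT of the reply is needed: conntrack reverses the DNAT on the way back.
ssh_forward_rules() {
    target="$1"
    $IPTABLES -t nat -A PREROUTING -i "$EXTINT" -p tcp --dport 22 \
        -j DNAT --to-destination "$target:22"
    $IPTABLES -A FORWARD -i "$EXTINT" -o "$LCINT" -d "$target" -p tcp --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LCINT" -o "$EXTINT" -s "$target" -p tcp --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Dry run: print the rules instead of loading them (no root needed).
dry_run() {
    ( IPTABLES="echo iptables"; "$@" )
}

# Number of rules a variant emits; a quick check that both directions are present
# before loading for real (local service: 2 rules; forwarded service: NAT + 2).
rule_count() {
    dry_run "$@" | wc -l | tr -d ' '
}
```

Run `dry_run ssh_local_rules` to see the two rules for the local case, or `dry_run ssh_forward_rules 192.168.0.10` for a host behind the firewall; `rule_count` is the sanity check that the reply direction has not been forgotten.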
OK, but I warn you, it is a large file!
BTW the firewall is based on an old version of the ipchains firewall that was available at www.linux-firewall-tools.com
Code:
echo "Starting server firewall..."
EXTINT="eth1" # Internet connected interface
LOOPBACK_INTERFACE="lo" # local naming convention
LCINT="eth0" # LAN Connector
IPADDR="192.168.0.1" # NB: this is the eth0 (LAN) address; the external interface eth1 has 192.168.1.2
LCLAN="192.168.0.0/16"
ANYWHERE="any/0" # match any IP address
DNS_SERVER="any/0" # everyone must have at least one
NAMESERVER_1="AAA.AAA.AAA"
SMTP1="AAA.AAA.AAA.AAA"
SMTP2="AAA.AAA.AAA.AAA"
NEWS1="AAA.AAA.AAA.AAA"
NEWS2="BBB.BBB.BBB.BBB"
PROXY="192.168.0.1" #Proxy Server
echo " -DNS: $NAMESERVER_1, SMTP: $SMTP1, $SMTP2"
echo " -NEWS: $NEWS1, $NEWS2 "
echo "$rc_done"
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65534" # unprivileged port range
NFS_PORT="2049" # (TCP/UDP) NFS
SOCKS_PORT="1080" # (TCP) Socks
XWINDOW_PORTS="6000:6063" # (TCP) X windows
SSH_LOCAL_PORTS="1022:65535" # port range for local clients
SSH_REMOTE_PORTS="513:65535" # port range for remote clients
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
echo -n " -Reset iptables..."
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo "$rc_done"
modprobe ip_conntrack_proto_gre
modprobe ip_nat_pptp
modprobe ip_nat_proto_gre
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#FULL NAT.
echo -n " -NAT..."
iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.0.0/16 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE
echo "$rc_done"
##SSH SERVER Forward!
# Incoming SSH to the firewall itself (INPUT chain). With OUTPUT policy DROP, sshd's
# replies (source port 22 out of $EXTINT) also need an OUTPUT ACCEPT rule; this file
# defines none, so the catch-all REJECT at the end of the OUTPUT chain stops them.
iptables -A INPUT -i $EXTINT -p tcp --dport 22 -j ACCEPT
##END SSH server
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
echo -n " -Various protections..."
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# LOOPBACK
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
iptables -A INPUT -i $LCINT -s $LCLAN -j ACCEPT
iptables -A OUTPUT -o $LCINT -d $LCLAN -j ACCEPT
iptables -A FORWARD -s $LCLAN -d $LCLAN -j ACCEPT
echo "$rc_done"
# LOG is non-terminating, so it must come before the DROP/REJECT for the same match;
# a LOG rule placed after the DROP is never reached.
iptables -A INPUT -s $IPADDR -j LOG --log-prefix "FW: Fake In pack:"
iptables -A INPUT -s $IPADDR -j DROP
echo -n " -UDP NFS on external Interface..."
iptables -A INPUT -i $EXTINT -p udp --dport $NFS_PORT -j LOG --log-prefix "FW: In NFS:"
iptables -A INPUT -i $EXTINT -p udp --dport $NFS_PORT -j DROP
echo "$rc_done"
echo -n " -UDP LAN INCOMING TRACEROUTE..."
# traceroute usually uses -S 32769:65535 -D 33434:33523
iptables -A INPUT -i $EXTINT -p udp -s 192.168.0.0/16 --sport $TRACEROUTE_SRC_PORTS -d $IPADDR --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
iptables -A INPUT -i $EXTINT -p udp --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j DROP
iptables -A INPUT -i $EXTINT -p tcp ! --syn -d $IPADDR -j ACCEPT
echo "$rc_done"
echo -n " -DNS client (53)..."
iptables -A OUTPUT -o $EXTINT -p udp --sport $UNPRIVPORTS -d $DNS_SERVER --dport 53 -j ACCEPT
iptables -A INPUT -i $EXTINT -p udp -s $DNS_SERVER --sport 53 --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p tcp --sport $UNPRIVPORTS -d $DNS_SERVER --dport 53 -j ACCEPT
echo "$rc_done"
echo -n " -HTTP client (80)..."
iptables -A OUTPUT -o $EXTINT -p tcp --sport $UNPRIVPORTS --dport 80 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp ! --syn --sport 80 --dport $UNPRIVPORTS -j ACCEPT
echo "$rc_done"
echo -n " -HTTPS client..."
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $UNPRIVPORTS --destination-port 443 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp ! --syn --sport 443 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
echo "$rc_done"
echo -n " -SQUID Requests..."
iptables -A INPUT -i $EXTINT -p tcp ! --syn -s $PROXY --sport 3128 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $UNPRIVPORTS -d $PROXY --dport 3128 -j ACCEPT
echo "$rc_done"
echo -n " -SSH client (22)"
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $SSH_LOCAL_PORTS --dport 22 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp ! --syn --sport 22 -d $IPADDR --dport $SSH_LOCAL_PORTS -j ACCEPT
echo "$rc_done"
echo -n " -OUTGOING TRACEROUTE..."
# LOG first: after the ACCEPT the LOG rule would never be reached
iptables -A OUTPUT -o $EXTINT -p udp --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j LOG --log-prefix "FW: traceroute:"
iptables -A OUTPUT -o $EXTINT -p udp --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
echo "$rc_done"
echo -n " -NEWS client (119)"
iptables -A OUTPUT -o $EXTINT -p tcp --sport $UNPRIVPORTS -d $NEWS1 --dport 119 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp ! --syn -s $NEWS1 --sport 119 --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p tcp --sport $UNPRIVPORTS -d $NEWS2 --dport 119 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp ! --syn -s $NEWS2 --sport 119 --dport $UNPRIVPORTS -j ACCEPT
echo "$rc_done"
echo -n " -POP3, SMTP client (25, 110)"
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $UNPRIVPORTS -d $SMTP1 --dport 25 -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $UNPRIVPORTS -d $SMTP2 --dport 25 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp ! --syn -s $SMTP1 --sport 25 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp ! --syn -s $SMTP2 --sport 25 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $UNPRIVPORTS -d $SMTP1 --dport 110 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp ! --syn -s $SMTP1 --sport 110 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp ! --syn -s $SMTP2 --sport 110 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
#iptables -A INPUT -i $EXTINT -p tcp ! --syn -s $SMTP3 --sport 110 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
echo "$rc_done"
# NB: CLIENTIP, CLIENTPORT, EXCHANGEPORT, WEBPORT and SERVERPORT are not defined anywhere
# in this file as posted; with them empty, iptables refuses to load these rules.
iptables -A FORWARD -i $EXTINT -p tcp -d $CLIENTIP/32 --dport $CLIENTPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p udp -d $CLIENTIP/32 --dport $EXCHANGEPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p tcp -d $CLIENTIP/32 --dport $WEBPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p tcp -s $CLIENTIP/32 --dport $SERVERPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p tcp -s $CLIENTIP/32 --dport $CLIENTPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p udp -s $CLIENTIP/32 --dport $EXCHANGEPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p tcp -s $CLIENTIP/32 --dport $WEBPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "$rc_done"
echo -n " -echo-reply"
iptables -A INPUT -i $EXTINT -p icmp --icmp-type echo-reply -d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTINT -p icmp --icmp-type destination-unreachable -d $IPADDR -j ACCEPT
echo "$rc_done"
echo -n " -source-quench"
iptables -A INPUT -i $EXTINT -p icmp --icmp-type source-quench -d $IPADDR -j ACCEPT
echo "$rc_done"
echo -n " -time-exceeded"
iptables -A INPUT -i $EXTINT -p icmp --icmp-type time-exceeded -d $IPADDR -j ACCEPT
echo "$rc_done"
echo -n " -parameter-problem"
iptables -A INPUT -i $EXTINT -p icmp --icmp-type parameter-problem -d $IPADDR -j ACCEPT
echo "$rc_done"
echo -n " -echo-request, echo-reply"
#iptables -A INPUT -i $EXTINT -p icmp -s 192.168.0.0/16 --icmp-type echo-request -d $IPADDR -j ACCEPT
# LOG before REJECT, otherwise the LOG rules are never reached
iptables -A INPUT -i $EXTINT -p icmp --icmp-type echo-request -j LOG --log-prefix "FW: Input echo:"
iptables -A INPUT -i $EXTINT -p icmp --icmp-type echo-request -j REJECT
iptables -A OUTPUT -o $EXTINT -p icmp --icmp-type echo-request -j LOG --log-prefix "FW: Output echo:"
iptables -A OUTPUT -o $EXTINT -p icmp --icmp-type echo-request -j REJECT
#iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type echo-reply -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p icmp --icmp-type echo-reply -j LOG --log-prefix "FW: echo rpl:"
iptables -A OUTPUT -o $EXTINT -p icmp --icmp-type echo-reply -j REJECT
echo "$rc_done"
echo -n " -destination-unreachable"
iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type destination-unreachable -j ACCEPT
echo "$rc_done"
echo -n " -source-quench, echo-request"
iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type source-quench -j ACCEPT
#iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type echo-request -j ACCEPT
echo "$rc_done"
echo -n " -parameter-problem, time-exceeded"
iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type time-exceeded -d 192.168.0.0/16 -j ACCEPT
echo "$rc_done"
echo -n " -Enable logging for selected denied packets..."
# Each LOG rule precedes its DROP/REJECT; a LOG placed after a terminating rule is never reached.
iptables -A INPUT -i $EXTINT -p tcp -j LOG --log-prefix "FW: IN from ppp"
iptables -A INPUT -i $EXTINT -p tcp -j DROP
iptables -A INPUT -i $EXTINT -p udp --dport $PRIVPORTS -j LOG --log-prefix "FW: udp priv port"
iptables -A INPUT -i $EXTINT -p udp --dport $PRIVPORTS -j DROP
iptables -A INPUT -i $EXTINT -p udp --dport $UNPRIVPORTS -j LOG --log-prefix "FW: udp in unpriv"
iptables -A INPUT -i $EXTINT -p udp --dport $UNPRIVPORTS -j DROP
iptables -A INPUT -i $EXTINT -p icmp --icmp-type 5 -j LOG --log-prefix "FW: icmp type 5:"
iptables -A INPUT -i $EXTINT -p icmp --icmp-type 5 -j DROP
iptables -A INPUT -i $EXTINT -p icmp --icmp-type 13 -j LOG --log-prefix "FW: icmp-type 13:"
iptables -A INPUT -i $EXTINT -p icmp --icmp-type 13 -j DROP
# Remaining ICMP types 14..255; the loop variable has to be expanded as $i in each rule
for i in $(seq 14 255); do
iptables -A INPUT -i $EXTINT -p icmp --icmp-type $i -j LOG --log-prefix "FW: icmp type $i:"
iptables -A INPUT -i $EXTINT -p icmp --icmp-type $i -j DROP
done
iptables -A OUTPUT -o $EXTINT -j LOG --log-prefix "FW: output:"
iptables -A OUTPUT -o $EXTINT -j REJECT
echo "$rc_done"
echo "Finished..."