LinuxQuestions.org > Linux - Networking > Modifying this iptables script for non router use. (https://www.linuxquestions.org/questions/linux-networking-3/modifying-this-iptables-script-for-non-router-use-91714/)

slewis1972 09-11-2003 02:27 PM

Modifying this iptables script for non router use.
 
Ok - just got myself a wireless router.

Anyway I have now moved my Linux box behind the router.

The Linux box was being used as a firewall and web/ftp/email server, as it had 2 NICs in it, and is running Redhat9. NIC1 is the one I would like to plug into the router and has a static ip of 192.168.0.1

On the router - I have port forwarded port 80 for web, 21 for ftp, 25 for email to 192.168.0.1

The question is - it doesn't work. I can browse the web pages on the linux box via 192.168.0.1 BUT not via the outside as I use dyndns to point to my dynamic ip. I have tried it out with a windows pc and IIS - so I know the port forwarding on the router works.

Am I correct that it could be to do with my iptables - if so can someone advise me on what I need to modify in it.

Here it is:

#This is my Iptables script. Used as firewall, routing, and filtering
#it script replaces /etc/init.d/iptables in RedHat 7.2. I also
#recommend making sym-links in /etc/rc.d/rc3.d, rc4.d, rc5.d.
#Make sure it loads before your network loads, that way you're
#always covered!
#
#This script may be used by anyone for any reason in accordance to the
#GNU License stuff
#----------------------------------------------------------------------
# Sources |
#----------------------------------------
. /etc/init.d/functions
. /etc/sysconfig/network
#----------------------------------------------------------
#CODE||||||||||||||||||||||||||||||||||||||||||||||||||||||
#----------------------------------------------------------
#Check that network is up. |
#----------------------------------------
if [ "${NETWORKING}" = "no" ]
then
exit 0
fi

if [ ! -x /sbin/iptables ]; then
exit 0
fi

#----------------------------------------
#Case {start|stop|status|restart|reload} |
#----------------------------------------
case "$1" in
start)
echo -n "Starting Firewall/Router: "
#----------------------------------------
#Variable Definitions |
#----------------------------------------
EXTINT="eth0" # External network device
LOOP="lo" # Loopback device
INTINT="eth1" # Internal network device
INTRA="192.168.0.1/24" # Private Internal Network IP Range
#----------------------------------------
#Iptables Module Loading |

/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_mangle

#End Module Loading |
#----------------------------------------
#END CODE||||||||||||||||||||||||||||||||||||||||||||||||||
#----------------------------------------------------------
# RULES
#----------------------------------------
#Initializing Tables |
#----------------------------------------
iptables -F #Flushing Rules for INPUT, OUTPUT, FORWARD
iptables -F -t nat #Flushing Rules for PREROUTING, POSTROUTING
iptables -X #Flushing User Defined Tables
#----------------------------------------
#Setting Default Policy-> DROP |
#----------------------------------------
iptables -P INPUT DROP #Drop all undefined incoming packets
iptables -P OUTPUT DROP #Drop all undefined outgoing packets
iptables -P FORWARD DROP #Drop all undefined forwarded packets
#----------------------------------------
#----------------------------------------
#Unrestricting Loopback Device |
#----------------------------------------
iptables -A INPUT -i $LOOP -j ACCEPT
iptables -A OUTPUT -o $LOOP -j ACCEPT
#----------------------------------------
#Unrestrict Local Network |
#----------------------------------------
iptables -A INPUT -i $INTINT -s $INTRA -j ACCEPT
iptables -A OUTPUT -o $INTINT -d $INTRA -j ACCEPT
#----------------------------------------
#Routing Internal -> Out |
#----------------------------------------
iptables -A OUTPUT -o $EXTINT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $INTINT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------
#Routing Related External -> In |
#----------------------------------------
iptables -A INPUT -i $EXTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------
#Forwarding to/from Internal Network |
#----------------------------------------
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! $EXTINT -j ACCEPT
#----------------------------------------
#Masquerading Internal to External |
#----------------------------------------
iptables -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE
#----------------------------------------
#Allow DHCP Server, Port 67 |
#----------------------------------------
#iptables -A INPUT -p tcp -i $INTINT --dport 67 -j ACCEPT
#iptables -A INPUT -p udp -i $INTINT --dport 67 -j ACCEPT
#iptables -A OUTPUT -p tcp -o $INTINT --sport 67 -j ACCEPT
#iptables -A OUTPUT -p udp -o $INTINT --sport 67 -j ACCEPT
#----------------------------------------
#Allow FTP Server, Port 21
#----------------------------------------
iptables -A INPUT -i $EXTINT -p tcp -d 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------
#Allow SQLlog Server, Port 3306 |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 3306 -j ACCEPT

iptables -A INPUT -p tcp -i $INTINT --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTINT --sport 3306 -j ACCEPT

#----------------------------------------
#Allow HTTP Server, Port 80 |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i $EXTINT --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 80 -j ACCEPT
iptables -A OUTPUT -p udp -o $EXTINT --sport 80 -j ACCEPT
#----------------------------------------
#Allow Postfix Server, Port 25 |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 25 -j ACCEPT
iptables -A INPUT -p tcp -i $INTINT --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTINT --sport 25 -j ACCEPT

iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
#----------------------------------------
#Allow IMAP Server, Port 143/993 |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 143 -j ACCEPT
iptables -A INPUT -p tcp -i $INTINT --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTINT --sport 143 -j ACCEPT
#----------------------------------------
#----------------------------------------
#Allow Webmin Server, Port 10000 |
#----------------------------------------
iptables -A INPUT -p tcp -i $INTINT --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -i $INTINT --dport 10000 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTINT --sport 10000 -j ACCEPT
iptables -A OUTPUT -p udp -o $INTINT --sport 10000 -j ACCEPT
#----------------------------------------
#Allow SSH Server, Port 22 |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 22 -j ACCEPT
iptables -A INPUT -p udp -i $EXTINT --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp -o $EXTINT --sport 22 -j ACCEPT
#----------------------------------------
#SAMBA Connectivity |
#----------------------------------------
iptables -A INPUT -p tcp -s $INTRA --destination-port 139 -j ACCEPT
iptables -A INPUT -p udp -s $INTRA --destination-port 139 -j ACCEPT
#----------------------------------------
#Drop Spoofed packets with internal IP's |
#----------------------------------------
iptables -t nat -A PREROUTING -i $EXTINT -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $EXTINT -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $EXTINT -s 172.16.0.0/12 -j DROP
#----------------------------------------
#Uncomment for debugging or logging |
# Log is in /var/log/messages |
#----------------------------------------
#iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
#iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
#-----------------------------------------------------------
#################################################-----#END RULES
#CODE-------------------------------------------------------
#Activate IP-Forwarding |
#----------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward
#----------------------------------------
#Activate TCPsyncookies |
#----------------------------------------
echo "2" > /proc/sys/net/ipv4/tcp_syncookies
#----------------------------------------
#Activate lock file
touch /var/lock/subsys/iptables
#-----------------------------------------------------------
#STOP Module |||||||||||||||||||
#-----------------------------------------------------------
;;
stop)
echo -n "Shutting Firewall Down: "
#----------------------------------------
#Flush all coded chains |
#----------------------------------------
iptables -F
#----------------------------------------
#Delete all user defined chains |
#----------------------------------------
iptables -X
#----------------------------------------
#Set the firewall wide open |
#----------------------------------------
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#----------------------------------------
#Remove file lock |
#----------------------------------------
rm -f /var/lock/subsys/iptables
#-----------------------------------------------------------
#STATUS Module |||||||||||||||||||
#-----------------------------------------------------------
;;
status)
tables=`cat /proc/net/ip_tables_names 2>/dev/null`
for table in $tables; do
echo $"Table: $table"
iptables -t $table --list
done
#-----------------------------------------------------------
#RESTART Module |||||||||||||||||||
#-----------------------------------------------------------
;;
restart|reload)
$0 stop
$0 start
#-----------------------------------------------------------
#UNKNOWN Module |||||||||||||||||||
#-----------------------------------------------------------
;;
*)
echo "Try iptables {start|stop|status|restart|reload}"
exit 1
esac
echo "DONE"
exit 0



Thanks in advance,

Scott

david_ross 09-11-2003 03:49 PM

To start with - there isn't a great need for a software firewall behind a natted router since the router should provide the firewalling. Try to disable the software firewall and try again:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F -t nat
iptables -F

When you say it doesn't work - is that from both external and internal ip addresses? Does the dns entry resolve to the external or internal address?

slewis1972 09-12-2003 01:43 AM

It works internally, e.g. if I browse via 192.168.0.1 - but not via the dyndns option.

The dyndns does resolve as to test it I set up IIS on my xp box - and that mapped to it ok.

Scott

slewis1972 09-12-2003 01:56 AM

Also, just tried that script - no go - still doesn't work.

Everything works internally - as I just tested everything.

Dyndns is routing to the ip of my router - fine.

I know the mapping works as I tested it on my xp pc.

So - why won't the Linux box accept anything?

All I am trying to do initially is to map port 80 - once that is done I can do the rest.

Scott

david_ross 09-12-2003 12:47 PM

Check that your router is set to forward the port correctly.

slewis1972 09-12-2003 01:16 PM

Ok - been playing with the ICS.

Now - I have routed port 80, 25 and 21 for the web, email and ftp server to the ip I want as the Linux box - 192.168.0.1 - which was the NIC in the Linux box I was using internally (connected to my main pc).

So, I hook it all up to the router - the ip shows in the connected devices part of the router - but no hostname - but the mac address shows. I can browse the web pages etc if I use the internal ip - BUT I cannot get to it from outside - via the ip address of NTL.

So - I then plug the NIC that I was using for my cable modem in the Linux box into the router, and configured the DHCP server on the router, as this nic was getting its ip via DHCP as it did have a NTL cable modem hooked up to it.

Now - I can browse the web pages via my external ip BUT not the internal one - (it's been allocated 192.168.0.2). Under the router status - it shows its ip - it's been given a host name of HOST1, and its mac address.

So - it's routing ok

So - what's gone screwy.

I need to be able to access the Linux box by both its internal ip - as well as the routed ports externally.

Any ideas what's gone wrong?

Scott
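Both symptoms in this thread follow from the script in the first post: new port-80 connections are accepted only on $EXTINT (eth0), the only unconditional accept on $INTINT (eth1) is for $INTRA sources, and the anti-spoofing rules in nat PREROUTING drop 192.168.0.0/16 sources arriving on $EXTINT, so forwarded connections from public addresses on eth1 fall through to the DROP policy while LAN clients reaching eth0 are treated as spoofed. The rule set below is an added example (not the poster's script) for a host with one NIC behind a router that does the NAT and port forwarding, so it has no FORWARD or MASQUERADE rules and accepts the forwarded services on that NIC from any source. It assumes the NIC is eth1 and the LAN is 192.168.0.0/24; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the poster's script: iptables rules for a single-NIC host
# behind a NAT router that forwards ports 80, 21 and 25 to it.
# Assumptions: the NIC facing the router is eth1 and the LAN is 192.168.0.0/24.
IPT=${IPT:-/sbin/iptables}   # IPT=echo prints the rules instead of loading them

# host_rules IFACE LAN: load (or print) the rule set for the one interface.
host_rules() {
    ifc=$1
    lan=$2
    # Start clean, default to DROP inbound. The router does the NAT, so
    # nothing is forwarded or masqueraded on this host.
    $IPT -F
    $IPT -F -t nat
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, plus FTP data channels
    # (RELATED only covers FTP when the ip_conntrack_ftp helper is loaded).
    $IPT -A INPUT -i "$ifc" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP offers/acks, if the NIC takes its address from the router.
    $IPT -A INPUT -i "$ifc" -p udp --sport 67 --dport 68 -j ACCEPT
    # The LAN range is legitimate on this NIC; other private ranges are not.
    $IPT -A INPUT -i "$ifc" -s 10.0.0.0/8 -j DROP
    $IPT -A INPUT -i "$ifc" -s 172.16.0.0/12 -j DROP
    # LAN-only services: SSH, Samba, MySQL and Webmin stay reachable from the LAN only.
    for port in 22 139 3306 10000; do
        $IPT -A INPUT -i "$ifc" -s "$lan" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -i "$ifc" -s "$lan" -p udp --dport 139 -j ACCEPT
    # Services the router forwards from the Internet: forwarded packets keep
    # their public source address, so these must not be restricted to $lan.
    for port in 21 25 80; do
        $IPT -A INPUT -i "$ifc" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -p icmp -j ACCEPT
    # Log whatever is about to hit the DROP policy (lands in /var/log/messages).
    $IPT -A INPUT -j LOG --log-prefix "INPUT_DROP: "
}
case "$1" in
    start)
        /sbin/modprobe ip_conntrack_ftp 2>/dev/null
        echo 0 > /proc/sys/net/ipv4/ip_forward      # no longer a router
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        host_rules eth1 192.168.0.0/24
        ;;
esac
```

Run it as `sh firewall.sh start` to load the rules, or `IPT=echo sh firewall.sh start` to review them first.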

david_ross 09-21-2003 08:46 AM

Sorry for the late reply - I have been on holiday for a week.

When you tried the internal IP did you try the new internal IP - ie .2? If so then what error did you get - timed out or apache?
