LinuxQuestions.org
Old 09-11-2003, 03:27 PM   #1
slewis1972
Modifying this iptables script for non router use.


OK - just got myself a wireless router.

Anyway, I have now moved my Linux box behind the router.

The Linux box was being used as a firewall and web/ftp/email server, as it had 2 NICs in it, and is running Red Hat 9. NIC1 is the one I would like to plug into the router and it has a static IP of 192.168.0.1.

On the router I have port forwarded port 80 for web, 21 for ftp and 25 for email to 192.168.0.1.

The question is - it doesn't work. I can browse the web pages on the Linux box via 192.168.0.1 BUT not from the outside, where I use DynDNS to point to my dynamic IP. I have tried it out with a Windows PC and IIS - so I know the port forwarding on the router works.

Am I correct that it could be to do with my iptables? If so, can someone advise me on what I need to modify in it?

Here it is:

#This is my iptables script. Used as firewall, routing, and filtering.
#This script replaces /etc/init.d/iptables in RedHat 7.2. I also
#recommend making sym-links in /etc/rc.d/rc3.d, rc4.d, rc5.d.
#Make sure it loads before your network loads, that way you're
#always covered!
#
#This script may be used by anyone for any reason in accordance to the
#GNU License stuff
#----------------------------------------------------------------------
# Sources |
#----------------------------------------
. /etc/init.d/functions
. /etc/sysconfig/network
#----------------------------------------------------------
#CODE||||||||||||||||||||||||||||||||||||||||||||||||||||||
#----------------------------------------------------------
#Check that network is up. |
#----------------------------------------
if [ "${NETWORKING}" = "no" ]   # quoted: an unset NETWORKING would otherwise be a syntax error
then
exit 0
fi

if [ ! -x /sbin/iptables ]; then
exit 0
fi

#----------------------------------------
#Case {start|stop|status|restart|reload} |
#----------------------------------------
case "$1" in
start)
echo -n "Starting Firewall/Router: "
#----------------------------------------
#Variable Definitions |
#----------------------------------------
EXTINT="eth0" # External network device
LOOP="lo" # Loopback device
INTINT="eth1" # Internal network device
INTRA="192.168.0.0/24" # Private Internal Network IP Range (network address; this host is .1)
#----------------------------------------
#Iptables Module Loading |

/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp  # needed so FTP data connections match ESTABLISHED,RELATED below
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_mangle

#End Module Loading |
#----------------------------------------
#END CODE||||||||||||||||||||||||||||||||||||||||||||||||||
#----------------------------------------------------------
# RULES
#----------------------------------------
#Initializing Tables |
#----------------------------------------
iptables -F #Flushing rules for INPUT, OUTPUT, FORWARD (filter table)
iptables -F -t nat #Flushing rules for PREROUTING, POSTROUTING (nat table)
iptables -X #Deleting user-defined chains
#----------------------------------------
#Setting Default Policy-> DROP |
#----------------------------------------
iptables -P INPUT DROP #Drop all undefined incoming packets
iptables -P OUTPUT DROP #Drop all undefined outgoing packets
iptables -P FORWARD DROP #Drop all undefined forwarded packets
#----------------------------------------
#----------------------------------------
#Unrestricting Loopback Device |
#----------------------------------------
iptables -A INPUT -i $LOOP -j ACCEPT
iptables -A OUTPUT -o $LOOP -j ACCEPT
#----------------------------------------
#Unrestrict Local Network |
#----------------------------------------
iptables -A INPUT -i $INTINT -s $INTRA -j ACCEPT
iptables -A OUTPUT -o $INTINT -d $INTRA -j ACCEPT
#----------------------------------------
#Routing Internal -> Out |
#----------------------------------------
iptables -A OUTPUT -o $EXTINT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $INTINT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------
#Routing Related External -> In |
#----------------------------------------
iptables -A INPUT -i $EXTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------
#Forwarding to/from Internal Network |
#----------------------------------------
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW ! -i $EXTINT -j ACCEPT  #new connections may only originate inside
#----------------------------------------
#Masquerading Internal to External |
#----------------------------------------
iptables -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE
#----------------------------------------
#Allow DHCP Server, Port 67 |
#----------------------------------------
#iptables -A INPUT -p tcp -i $INTINT --dport 67 -j ACCEPT
#iptables -A INPUT -p udp -i $INTINT --dport 67 -j ACCEPT
#iptables -A OUTPUT -p tcp -o $INTINT --sport 67 -j ACCEPT
#iptables -A OUTPUT -p udp -o $INTINT --sport 67 -j ACCEPT
#----------------------------------------
#Allow FTP Server, Port 21 |
#(the high-port to high-port rule covers passive-mode data connections;
# they only match ESTABLISHED,RELATED when ip_conntrack_ftp is loaded)
#----------------------------------------
iptables -A INPUT -i $EXTINT -p tcp -d 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------
#Allow SQLlog Server, Port 3306 |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 3306 -j ACCEPT

iptables -A INPUT -p tcp -i $INTINT --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTINT --sport 3306 -j ACCEPT

#----------------------------------------
#Allow HTTP Server, Port 80 (TCP only; the old UDP 80 rules opened nothing useful) |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 80 -j ACCEPT
#----------------------------------------
#Allow Postfix Server, Port 25 |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 25 -j ACCEPT
iptables -A INPUT -p tcp -i $INTINT --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTINT --sport 25 -j ACCEPT

iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
#----------------------------------------
#Allow IMAP Server, Port 143/993 |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 143 -j ACCEPT
iptables -A INPUT -p tcp -i $INTINT --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTINT --sport 143 -j ACCEPT
#----------------------------------------
#----------------------------------------
#Allow Webmin Server, Port 10000 |
#----------------------------------------
iptables -A INPUT -p tcp -i $INTINT --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -i $INTINT --dport 10000 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTINT --sport 10000 -j ACCEPT
iptables -A OUTPUT -p udp -o $INTINT --sport 10000 -j ACCEPT
#----------------------------------------
#Allow SSH Server, Port 22 (TCP only; the old UDP 22 rules opened nothing useful) |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 22 -j ACCEPT
#----------------------------------------
#SAMBA Connectivity |
#----------------------------------------
iptables -A INPUT -p tcp -s $INTRA --destination-port 139 -j ACCEPT
iptables -A INPUT -p udp -s $INTRA --destination-port 139 -j ACCEPT
#----------------------------------------
#Drop Spoofed packets with internal IP's |
#(the nat table only sees the first packet of each connection, so
# filter-table INPUT/FORWARD rules are the usual place for these)
#----------------------------------------
iptables -t nat -A PREROUTING -i $EXTINT -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $EXTINT -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $EXTINT -s 172.16.0.0/12 -j DROP
#----------------------------------------
#Uncomment for debugging or logging |
# Log is in /var/log/messages |
#----------------------------------------
#iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
#iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
#-----------------------------------------------------------
#################################################-----#END RULES
#CODE-------------------------------------------------------
#Activate IP-Forwarding |
#----------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward
#----------------------------------------
#Activate TCPsyncookies |
#----------------------------------------
echo "1" > /proc/sys/net/ipv4/tcp_syncookies  #1 = on ("2" is not a documented value)
#----------------------------------------
#Activate lock file
touch /var/lock/subsys/iptables
#-----------------------------------------------------------
#STOP Module |||||||||||||||||||
#-----------------------------------------------------------
;;
stop)
echo -n "Shutting Firewall Down: "
#----------------------------------------
#Flush all coded chains |
#----------------------------------------
iptables -F
#----------------------------------------
#Delete all user defined chains |
#----------------------------------------
iptables -X
#----------------------------------------
#Set the firewall wide open |
#----------------------------------------
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#----------------------------------------
#Remove file lock |
#----------------------------------------
rm -f /var/lock/subsys/iptables
#-----------------------------------------------------------
#STATUS Module |||||||||||||||||||
#-----------------------------------------------------------
;;
status)
tables=`cat /proc/net/ip_tables_names 2>/dev/null`
for table in $tables; do
echo $"Table: $table"
iptables -t $table --list
done
#-----------------------------------------------------------
#RESTART Module |||||||||||||||||||
#-----------------------------------------------------------
;;
restart|reload)
$0 stop
$0 start
#-----------------------------------------------------------
#UNKNOWN Module |||||||||||||||||||
#-----------------------------------------------------------
;;
*)
echo "Try iptables {start|stop|status|restart|reload}"
exit 1
esac
echo "DONE"
exit 0



Thanks in advance,

Scott
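One way to adapt the script for life behind the NAT router, added here as an example and not taken from the thread or from the script above: drop the routing and MASQUERADE parts, and stop treating eth1 as a trusted inside interface. The detail that matters is that a connection the router forwards to 192.168.0.1 arrives on eth1 with the remote client's public address as its source, so a rule of the form "accept anything from 192.168.0.0/24 on eth1" does not match it, only ESTABLISHED,RELATED traffic survives on that interface, and the NEW SYN falls through to the DROP policy. The example assumes a single LAN NIC (eth1, 192.168.0.1/24), router forwards for TCP 21, 25 and 80, and LAN-only access to the rest; the interface name, network and port lists are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not the script from the post): a host-only iptables ruleset
# for a server behind a NAT router. Assumptions, not from the thread: one NIC
# on the LAN (eth1, 192.168.0.1/24); the router forwards TCP 21, 25 and 80.
#
# Router-forwarded packets reach eth1 carrying the Internet client's source
# address, so each forwarded service needs its own port rule with no source
# restriction. Everything else is limited to LAN source addresses.

LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PUBLIC_TCP="${PUBLIC_TCP:-21 25 80}"                  # ports the router forwards
LAN_ONLY_TCP="${LAN_ONLY_TCP:-22 139 143 3306 10000}" # LAN clients only
LAN_ONLY_UDP="${LAN_ONLY_UDP:-137 138 10000}"         # NetBIOS name/datagram, Webmin RPC
IPT="${IPT:-/sbin/iptables}"          # set IPT=echo to print the rules instead of loading them
MODPROBE="${MODPROBE:-/sbin/modprobe}"

fw_start() {
    # FTP data connections only show up as RELATED when the helper is loaded.
    "$MODPROBE" ip_conntrack_ftp 2>/dev/null || :

    "$IPT" -F
    "$IPT" -F -t nat
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP      # nothing is routed through this host any more
    "$IPT" -P OUTPUT ACCEPT

    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state INVALID -j DROP

    # Services the router forwards: any source, because the source address
    # is the Internet client, not the router and not the LAN.
    for p in $PUBLIC_TCP; do
        "$IPT" -A INPUT -i "$LAN_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Admin and file-sharing services: LAN sources only. Even if 22 or 3306
    # is forwarded on the router later, an Internet-sourced SYN still hits
    # the DROP policy here.
    for p in $LAN_ONLY_TCP; do
        "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $LAN_ONLY_UDP; do
        "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    return 0
}

fw_sysctl() {
    # ip_forward=0: the router does the NAT now. tcp_syncookies=1: on.
    # Skipped silently when not running as root (the files are not writable).
    for kv in ip_forward=0 tcp_syncookies=1; do
        f="/proc/sys/net/ipv4/${kv%=*}"
        [ -w "$f" ] && echo "${kv#*=}" 2>/dev/null > "$f"
    done
    return 0
}

fw_stop() {
    "$IPT" -F
    "$IPT" -F -t nat
    "$IPT" -X
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
}

# Usage: sh fw.sh start | stop      Dry run: IPT=echo sh fw.sh start
case "${1:-}" in
    start) fw_start && fw_sysctl ;;
    stop)  fw_stop ;;
esac
```

After loading it, check the chain with `iptables -L INPUT -n -v --line-numbers`: the per-port rules should be the only ACCEPTs on eth1, and the packet counter on the port 80 rule should move when the site is fetched through the DynDNS name from outside. With the old blanket accept on eth1 gone, any LAN service not in the lists is unreachable even from the LAN, which is the intended trade.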
 
Old 09-11-2003, 04:49 PM   #2
david_ross
To start with - there isn't a great need for a software firewall behind a natted router since the router should provide the firewalling. Try to disable the software firewall and try again:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F -t nat
iptables -F

When you say it doesn't work - is that from both external and internal ip addresses? Does the dns entry resolve to the external or internal address?
 
Old 09-12-2003, 02:43 AM   #3
slewis1972
It works internally, e.g. if I browse via 192.168.0.1 - but not via the DynDNS option.

The DynDNS does resolve, as to test it I set up IIS on my XP box - and that mapped to it OK.

Scott
 
Old 09-12-2003, 02:56 AM   #4
slewis1972
Also, just tried that script - no go - it still doesn't work.

Everything works internally - I have just tested everything.

DynDNS is routing to the IP of my router - fine.

I know the mapping works, as I tested it on my XP PC.

So - why won't the Linux box accept anything?

All I am trying to do initially is to map port 80 - once that is done I can do the rest.

Scott
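Before changing rules it is worth seeing what the box actually drops. This is an added example, not something from the thread: it switches on a rate-limited form of the "INPUT_DROP:" LOG rule that the script in the first post keeps commented out, then reduces the kernel log lines to interface, source, destination, protocol and port. The lines in SAMPLE_LOG are constructed for the example (203.0.113.7 is a documentation address standing in for an Internet client coming through the router's port forward); on the real box feed it `grep INPUT_DROP /var/log/messages` instead. A TCP/80 drop on eth1 with a source outside 192.168.0.0/24 is the signature of a forwarded connection that only a LAN-sourced rule would have accepted.

```shell
#!/bin/sh
# Added example, not from the thread: log what INPUT drops and summarise it.
IPT="${IPT:-/sbin/iptables}"   # set IPT=echo to print the rule instead of loading it

fw_enable_drop_logging() {
    # Appended last, so only packets no ACCEPT rule claimed reach it. The
    # limit stops a port scan from filling /var/log/messages.
    "$IPT" -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "INPUT_DROP: " --log-level info
}

# Reads kernel LOG lines on stdin; prints "IN SRC DST PROTO DPT" per drop
# (DPT is empty for ICMP, which has no port).
parse_drops() {
    awk '/INPUT_DROP:/ {
        iface = src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if      (kv[1] == "IN")    iface = kv[2]
            else if (kv[1] == "SRC")   src   = kv[2]
            else if (kv[1] == "DST")   dst   = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (iface != "") print iface, src, dst, proto, dpt
    }'
}

# Groups the parsed drops as "<count> PROTO/DPT from SRC on IN", busiest first.
summarize_drops() {
    parse_drops \
      | awk '{ svc = ($5 == "") ? $4 : $4 "/" $5; print svc " from " $2 " on " $1 }' \
      | sort | uniq -c | sort -rn
}

# Constructed sample of what /var/log/messages would show with the rule above.
# The first two lines are an Internet client (203.0.113.7) arriving on eth1
# through the router's forward for port 80; the source is NOT a LAN address.
SAMPLE_LOG='Sep 12 02:40:11 linuxbox kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:0c:29:12:34:56:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 02:40:14 linuxbox kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:0c:29:12:34:56:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 02:40:20 linuxbox kernel: INPUT_DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:aa:bb:cc:08:00 SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=17 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 12 02:40:25 linuxbox kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:0c:29:12:34:56:00:11:22:33:44:55:08:00 SRC=192.168.0.5 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=18 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1'

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Remove the LOG rule again once the picture is clear; a permanent unlimited LOG rule is a cheap way for a remote scanner to fill the disk.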
 
Old 09-12-2003, 01:47 PM   #5
david_ross
Check that your router is set to forward the port correctly.
 
Old 09-12-2003, 02:16 PM   #6
slewis1972
OK - been playing with the ICS.

Now - I have routed ports 80, 25 and 21 for the web, email and ftp server to the IP I want for the Linux box - 192.168.0.1 - which was the NIC in the Linux box I was using internally (connected to my main PC).

So, I hook it all up to the router - the IP shows in the connected devices part of the router - but no hostname - but the MAC address shows. I can browse the web pages etc. if I use the internal IP - BUT I cannot get to it from outside - via the IP address from NTL.

So - I then plugged the NIC that I was using for my cable modem in the Linux box into the router, and configured the DHCP server on the router, as this NIC was getting its IP via DHCP as it did have an NTL cable modem hooked up to it.

Now - I can browse the web pages via my external IP BUT not the internal one - (it's been allocated 192.168.0.2). Under the router status - it shows its IP - it's been given a hostname of HOST1, and its MAC address.

So - it's routing OK.

So - what's gone screwy?

I need to be able to access the Linux box by both its internal IP - as well as the routed ports externally.

Any ideas whats gone wrong?

Scott
 
Old 09-21-2003, 09:46 AM   #7
david_ross
Sorry for the late reply - I have been on holiday for a week.

When you tried the internal IP did you try the new internal IP - i.e. .2? If so then what error did you get - timed out or Apache?
 
  

