Nat/dnat Hell!! Help Please...
Hi,
I've looked at and tried every single post on the forum and I can't get it working. What is wrong??? I have a small network and I need to access my WebServer (10.10.1.1) through my proxy/firewall (10.10.1.2). But when I hit my external IP address it doesn't get through. Please help me. Thanks. What do I need to do? This is my firewall file:
-----------------------------------------------------
#!/bin/sh
# description: nat
# chkconfig: 2345 99 00

case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.

# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc

# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Clean old iptables
iptables -F
iptables -X
iptables -Z

# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default forward policy to DROP
iptables -P FORWARD DROP

# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.1.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.10.1.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.10.1.1:21
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.10.1.1:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.10.1.1:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.1.1:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.10.1.1:8080

# Firewall Rules

# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP

# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT

# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT

# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT

# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT

# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT

# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT

# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT

# LOGGING:
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
# iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
# iptables -A INPUT -i eth0 -j DROP

touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
-----------------------------------------------------
You don't have any rules to FORWARD NEW connections from eth0 to eth1.
You only have a default DROP policy, so everything is getting munched. INPUT is only for packets for the firewall itself. FORWARD is for the local LAN. May I suggest this iptables tutorial
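The reply's point is about which chain a port-forwarded packet ends up in. The following is an added example (not code from the thread or either poster): a small Python model of the netfilter path a packet takes through a NAT box, nat/PREROUTING (DNAT) first, then the routing decision, then filter/INPUT if the rewritten destination is the firewall itself or filter/FORWARD if it is a LAN host. The rule sets are constructed to mirror the thread's layout (eth0 external, eth1 internal, web server 10.10.1.1, firewall 10.10.1.2); the firewall's public address 203.0.113.10 is an assumption. It shows that with only an ESTABLISHED,RELATED accept and a DROP policy in FORWARD, the DNAT'd SYN has nothing to match and is dropped, and that a narrow rule accepting NEW connections from eth0 to eth1 for the forwarded port fixes it without opening anything else.

```python
"""Toy model of the netfilter path for a port-forwarded packet.

Added example, not the poster's script. Addresses and rule sets are constructed:
eth0 = external, eth1 = LAN, web server 10.10.1.1, firewall 10.10.1.2 with an
assumed public address of 203.0.113.10.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

FIREWALL_ADDRS = {"203.0.113.10", "10.10.1.2"}  # addresses owned by the box itself
LAN_PREFIX = "10.10.1."
ESTABLISHED = frozenset({"ESTABLISHED", "RELATED"})
NEW = frozenset({"NEW"})


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int
    state: str  # conntrack's view: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a None field means 'any' (no match on that field)."""
    target: str  # ACCEPT, DROP or DNAT
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None
    to_dest: Optional[Tuple[str, int]] = None  # DNAT --to-destination ip:port

    def matches(self, pkt: Packet, out_iface: Optional[str]) -> bool:
        return (
            self.in_iface in (None, pkt.in_iface)
            and self.out_iface in (None, out_iface)
            and self.proto in (None, pkt.proto)
            and self.dst in (None, pkt.dst)
            and self.dport in (None, pkt.dport)
            and (self.states is None or pkt.state in self.states)
        )


def route(dst: str) -> str:
    """Routing decision made on the DNAT-rewritten destination."""
    if dst in FIREWALL_ADDRS:
        return "local"
    return "eth1" if dst.startswith(LAN_PREFIX) else "eth0"


def run_chain(rules, policy: str, pkt: Packet, out_iface=None) -> str:
    """First matching rule wins; the chain policy applies if nothing matches."""
    for r in rules:
        if r.matches(pkt, out_iface):
            return r.target
    return policy


def traverse(pkt, prerouting, forward, input_rules,
             forward_policy="DROP", input_policy="DROP"):
    """Return (chain that decided, verdict, packet as delivered)."""
    # 1. nat/PREROUTING: DNAT rewrites the destination before routing.
    for r in prerouting:
        if r.target == "DNAT" and r.matches(pkt, None):
            pkt = replace(pkt, dst=r.to_dest[0], dport=r.to_dest[1])
            break
    # 2. Routing decision: to the box itself -> INPUT, anywhere else -> FORWARD.
    out = route(pkt.dst)
    if out == "local":
        return "INPUT", run_chain(input_rules, input_policy, pkt), pkt
    return "FORWARD", run_chain(forward, forward_policy, pkt, out), pkt


# Constructed rule sets (the iptables equivalent is given in the comments).
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.10.1.1:80
PREROUTING = [Rule("DNAT", in_iface="eth0", proto="tcp", dport=80, to_dest=("10.10.1.1", 80))]

# What the reply describes: FORWARD only lets reply traffic through, policy DROP.
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT ; iptables -P FORWARD DROP
FORWARD_BROKEN = [Rule("ACCEPT", states=ESTABLISHED)]

# Least-privilege fix: accept NEW connections from eth0 only towards the forwarded service.
# iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.10.1.1 --dport 80 -m state --state NEW -j ACCEPT
FORWARD_FIXED = FORWARD_BROKEN + [
    Rule("ACCEPT", in_iface="eth0", out_iface="eth1", proto="tcp",
         dst="10.10.1.1", dport=80, states=NEW),
]

# INPUT governs traffic addressed to the firewall itself; here only SSH is open.
# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
INPUT_RULES = [Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=22)]


def external_hit(port: int, state: str = "NEW") -> Packet:
    """A packet from the internet arriving on eth0 for the firewall's public address."""
    return Packet("eth0", "tcp", "203.0.113.10", port, state)


if __name__ == "__main__":
    for label, fwd in (("broken", FORWARD_BROKEN), ("fixed", FORWARD_FIXED)):
        for port in (80, 22, 8080):
            chain, verdict, pkt = traverse(external_hit(port), PREROUTING, fwd, INPUT_RULES)
            print(f"{label:6} :{port:<5} -> {chain:7} {verdict:6} (delivered to {pkt.dst}:{pkt.dport})")
```

Run it as a script to see the table: port 80 is rewritten to 10.10.1.1:80, lands in FORWARD, and is dropped by policy under the broken set but accepted under the fixed one; port 22 is not DNAT'd, so it is routed locally and decided in INPUT; port 8080 has neither a DNAT nor an INPUT rule and falls to the INPUT policy. The fix rule deliberately matches interface pair, protocol, destination host, port and NEW state, so it opens exactly one path into the LAN.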