Nat/dnat Hell!! Help Please...
Hi,
I've look and tried every single post on the forum and I can't get it working. What is wrong???
I have a small network and I need to access my WebServer (10.10.1.1) through my proxy/firewall (10.10.1.2). But when I hit my external IP address it doesn't get through.
Please help me.
Thanks.
What do I need to do. This my firewall file:
-----------------------------------------------------
#!/bin/sh
# description: nat
# chkconfig: 2345 99 00
case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.
# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Clean old iptables
iptables -F
iptables -X
iptables -Z
# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default forward policy to DROP
iptables -P FORWARD DROP
# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.1.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.10.1.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.10.1.1:21
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.10.1.1:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.10.1.1:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.1.1:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.10.1.1:8080
# Firewall Rules
# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT
# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT
# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT
# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT
# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT
# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT
# LOGGING:
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
# iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
# iptables -A INPUT -i eth0 -j DROP
touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
-----------------------------------------------------
|