03-10-2003, 04:41 PM   #1
a3d
LQ Newbie
Registered: Mar 2003
Posts: 1

Nat/dnat Hell!! Help Please...


Hi,

I've looked at and tried every single post on the forum and I can't get it working. What is wrong???

I have a small network and I need to access my WebServer (10.10.1.1) through my proxy/firewall (10.10.1.2). But when I hit my external IP address it doesn't get through.

Please help me.

Thanks.

What do I need to do? This is my firewall file:

-----------------------------------------------------

#!/bin/sh
# description: nat
# chkconfig: 2345 99 00

case "$1" in
'start')
# Do iptables based masquerading and firewalling.

# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc

# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


# Clean old iptables
iptables -F
iptables -X
iptables -Z

# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Default forward policy to DROP
iptables -P FORWARD DROP

# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.1.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.10.1.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.10.1.1:21
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.10.1.1:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.10.1.1:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.1.1:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.10.1.1:8080

# Firewall Rules

# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP

# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT

# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT

# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT

# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT

# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT

# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT

# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT

# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT

# LOGGING:

# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP

# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP

# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP

# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP

# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP

# Anything else not allowed, log & drop
# iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
# iptables -A INPUT -i eth0 -j DROP


touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0


-----------------------------------------------------
03-10-2003, 05:54 PM   #2
peter_robb
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

You don't have any rules to FORWARD NEW connections from eth0 to eth1.
You only have a default DROP policy, so everything is getting munched.

INPUT is only for packets for the firewall itself.
FORWARD is for the local LAN.

May I suggest this iptables tutorial

Last edited by peter_robb; 03-10-2003 at 05:57 PM.
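As an added illustration of the point made in the reply above (this is example code written for this page, not code from either post): a small Python model of the path an inbound packet takes through netfilter, fed two constructed rulesets. BROKEN has the shape the reply describes: a DNAT for port 80, INPUT open on 80, but FORWARD holding only a stateful rule in front of a DROP policy. FIXED adds one FORWARD rule that admits NEW connections from eth0 to the web server on eth1. The external address 203.0.113.10, the firewall's LAN address 10.10.1.2 and the routing table are assumptions of the example; the evaluator understands only the iptables options used in this thread.

```python
"""Toy first-match evaluator for the iptables subset used in this thread.  Constructed
for this page; not the poster's script and not a full iptables.  Path modelled:
nat/PREROUTING may rewrite the destination, the kernel routes, then a packet for the
firewall itself walks INPUT and a packet for another host walks FORWARD.
Not modelled: --syn, -f, limit, -s/--sport, -I, user-defined chains."""
import ipaddress
import shlex

def parse_rule(toks):
    """Tokens of one `iptables ...` line -> (table, chain, rule dict, policy tuple).
    chain is None for lines that add no rule (-P, -F, -X, -Z, -N)."""
    table, chain, rule, policy, i = "filter", None, {}, None, 1
    while i < len(toks):
        t, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if t == "-t": table = arg
        elif t == "-A": chain = arg
        elif t == "-P": policy = (arg, toks[i + 2]); i += 1
        elif t == "-i": rule["in_iface"] = arg
        elif t == "-o": rule["out_iface"] = arg
        elif t == "-p": rule["proto"] = arg
        elif t == "-d":  # 0/0 means any address, i.e. no constraint
            rule["dst"] = None if arg in ("0/0", "0.0.0.0/0") else ipaddress.ip_network(arg, strict=False)
        elif t == "--dport": rule["dport"] = int(arg)
        elif t == "--state": rule["states"] = set(arg.split(","))
        elif t == "-j": rule["target"] = arg
        elif t == "--to-destination": rule["to_dest"] = arg
        else:
            i += 1  # option we do not model (-m, -s, --sport, -F, -X, ...)
            continue
        i += 2
    return table, chain, rule, policy

def matches(rule, pkt):
    """Every criterion the rule specifies must match; unspecified ones match anything."""
    return (all(rule.get(k) in (None, pkt[k]) for k in ("in_iface", "out_iface", "proto", "dport"))
            and (rule.get("dst") is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"])
            and (rule.get("states") is None or pkt["state"] in rule["states"]))

class Firewall:
    def __init__(self, script, local_addrs, routes):
        self.chains = {}  # (table, chain) -> [rule] in insertion order
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT"}
        self.local_addrs = set(local_addrs)
        self.routes = sorted(((ipaddress.ip_network(n), i) for n, i in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)  # longest prefix first
        for line in script.splitlines():  # only `iptables ...` lines matter here
            if line.strip().startswith("iptables"):
                table, chain, rule, policy = parse_rule(shlex.split(line))
                if policy:
                    self.policy[policy[0]] = policy[1]
                if chain is not None:
                    self.chains.setdefault((table, chain), []).append(rule)

    def run_chain(self, table, chain, pkt):
        """First match wins.  Returns a verdict, or None if the chain fell through."""
        for rule in self.chains.get((table, chain), []):
            if not matches(rule, pkt):
                continue
            if rule.get("target") in ("ACCEPT", "DROP", "REJECT"):
                return rule["target"]
            if rule.get("target") == "DNAT":  # rewrite the destination; nat rules terminate
                host, _, port = rule["to_dest"].partition(":")
                pkt["dst"], pkt["dport"] = host, (int(port) if port else pkt["dport"])
                return "DNAT"
            # LOG and other non-terminating targets: keep walking the chain
        return None

    def trace(self, pkt):
        """One inbound packet: nat/PREROUTING -> routing decision -> INPUT or FORWARD."""
        original = f"{pkt['dst']}:{pkt['dport']}"
        self.run_chain("nat", "PREROUTING", pkt)
        if pkt["dst"] in self.local_addrs:
            path = "INPUT"  # addressed to the firewall itself
        else:
            path = "FORWARD"  # routed on to another host, e.g. the LAN web server
            addr = ipaddress.ip_address(pkt["dst"])
            pkt["out_iface"] = next((i for net, i in self.routes if addr in net), None)
        verdict = self.run_chain("filter", path, pkt) or self.policy[path]
        return {"original": original, "rewritten": f"{pkt['dst']}:{pkt['dport']}",
                "path": path, "verdict": verdict}

# Constructed rulesets with the shape the reply describes: DNAT for port 80, INPUT open
# on 80 and 2222, FORWARD holding only a stateful rule in front of a DROP policy.
BROKEN = """
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.1.1:80
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
"""
# The fix: one FORWARD rule admitting NEW connections from eth0 to the DNAT target on eth1.
FIXED = BROKEN + """
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.10.1.1 --dport 80 -m state --state NEW -j ACCEPT
"""

def trace_request(script, dport):
    """A NEW TCP connection from the Internet to the firewall's external address on dport.
    Assumed topology: eth0 external (203.0.113.10, a documentation address), eth1 on the
    10.10.1.0/24 LAN; 10.10.1.2 is the firewall itself, 10.10.1.1 the web server."""
    fw = Firewall(script, local_addrs={"203.0.113.10", "10.10.1.2"},
                  routes={"10.10.1.0/24": "eth1", "0.0.0.0/0": "eth0"})
    return fw.trace({"in_iface": "eth0", "proto": "tcp", "dst": "203.0.113.10",
                     "dport": dport, "state": "NEW", "out_iface": None})
```

`trace_request(BROKEN, 80)` shows the web request being rewritten to 10.10.1.1:80 by PREROUTING and then dropped by the FORWARD policy, while the INPUT rule for port 80 is never consulted because the packet is no longer addressed to the firewall. `trace_request(FIXED, 80)` is accepted by the added FORWARD rule, and `trace_request(BROKEN, 2222)`, for which no DNAT exists, stays on the INPUT path and is accepted there, which is the INPUT/FORWARD distinction the reply draws.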