Linux - Networking (LinuxQuestions.org)
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I have an old firewall script that I wrote a couple of years ago. I really don't remember how this works, but I can't seem to get port forwarding to function properly. If I remember correctly, this used to work. Anyway, here is the iptables command I'm using in the script:
ip=<internal ip of my email server>
I'm trying to telnet to the email server from an outside host, and it's not answering. I've got a tcpdump looking for all packets in which the dst port is 25 on both interfaces. I see the packets coming in on eth0 (external) but not eth1 (internal). What am I doing wrong?
I'm thinking that the problem is with my order of chains... I'm assuming that this will start on the INPUT chain...
Looking from top to bottom, the rules for the INPUT chain should send the packet to the spoofed chain first. This will simply check for a private source IP being sent from the outside. This will not catch the packets in question, so they will not be blocked.
After the spoofed chain, the packet should move on to my ext_input chain. This basically jumps to accept for any ports that should be accepted by the iptables machine itself.
If there are no matches after that, it appears the packet should hit the default policy for INPUT. The line I have listed in my original post (the rule to forward) is in a chain I created that will only be jumped to from FORWARD. How do I know if the packet is getting to the FORWARD chain (and thus jumping to my chain with the rule in my original post)?
I'm afraid I'm a bit rusty with all this stuff. I'm also curious how I can look at my logs to find out what is happening with the packets.
iptables -N LOG_DROP                 # user-defined chain: log the packet, then drop it
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
iptables -N LOG_ACCEPT               # user-defined chain: log the packet, then accept it
iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
iptables -A LOG_ACCEPT -j ACCEPT
These are the chains I use... you only have to use -j LOG_ACCEPT instead of -j ACCEPT so that the matching packets are logged.
Of course, you may have to define these chains in the table that interests you (nat).
Since iptables is used by the kernel, the logs go into /var/log/messages and /var/log/kernel.log.
Be careful: the logs are usually very verbose if you enable it for all packets (you'll have an entry per packet!).
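Reading those LOG lines by hand gets old fast, and the interesting fact for this thread is which chain a dropped packet was logged from. That is visible in the IN= and OUT= fields: a line with both set was logged from FORWARD (the packet had already been routed, so DNAT had happened), a line with OUT= empty was logged from INPUT (the packet was addressed to the firewall itself). The script below is an added example, not code from this thread; it summarises such log lines by interface pair, protocol and destination port. The log lines in it are constructed, and the addresses and interface names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise the entries written by a
# "-j LOG --log-prefix '[IPTABLES DROP] : '" rule. IN and OUT together tell
# you the chain: IN set and OUT set means FORWARD (the packet was already
# routed, i.e. DNAT had taken place); OUT empty means INPUT (the packet was
# addressed to the firewall itself).
# The log lines below are constructed; addresses and interface names are
# assumptions.

SAMPLE_LOG='Mar  3 10:15:01 fw kernel: [IPTABLES DROP] : IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=50123 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 fw kernel: [IPTABLES DROP] : IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4712 DF PROTO=TCP SPT=50123 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:09 fw kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=00:16:3e:5a:1b:2c:00:11:22:33:44:55:08:00 SRC=198.51.100.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:12 fw kernel: [IPTABLES ACCEPT] : IN=eth0 OUT= MAC=00:16:3e:5a:1b:2c:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4713 DF PROTO=TCP SPT=50200 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# summarize_drops [prefix]
# Reads syslog lines on stdin, keeps those carrying the prefix (default
# "[IPTABLES DROP]") and prints "<count> <IN> <OUT> <PROTO> <DPT>" for each
# distinct combination, most frequent first. An empty IN or OUT is shown as "-".
summarize_drops() {
    prefix="${1:-[IPTABLES DROP]}"
    grep -F -- "$prefix" | awk '
    {
        in_if = "-"; out_if = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")        # tokens look like KEY=VALUE
            if (n < 2) continue           # skip timestamp, prefix, flags like DF/SYN
            if (kv[1] == "IN" && kv[2] != "")  in_if = kv[2]
            if (kv[1] == "OUT" && kv[2] != "") out_if = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        count[in_if " " out_if " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# On a real box:      summarize_drops < /var/log/messages
# On the sample data: printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample the first line of output is `2 eth0 eth1 TCP 25`: two SMTP packets that were already DNATed and routed towards eth1, then dropped in FORWARD. That is exactly the symptom of a DNAT rule with no matching FORWARD accept. The `1 eth0 - TCP 23` line is an INPUT drop of something aimed at the firewall itself.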
I think I may have figured out the issue here. I have the rule listed in my first post in my in_forward chain. After that rule I placed another rule saying to jump to the log_drop. After rebuilding the chains and testing a connection, I saw dropped packets saying they were destined for the email server's IP. So, they had already been NAT'd by that first rule. I figured that after they were NAT'd, the packets were automatically accepted. Do I need to make the default policy in my FORWARD chain ACCEPT? Or should I create a rule to accept anything that has been NAT'd to a valid internal IP?
As you figured out, packets that are (de)NATed go into the FORWARD chain... so you have to add a specific rule for them (if you want your Linux box to be a firewall) or accept everything (if it just acts as a NAT router). The first is, to my mind, better, but it depends on whether security is important or not.
You should have a quick look at http://iptables-tutorial.frozentux.n...RSINGOFTABLES; there's a picture that explains quite well the way packets go from one chain to another.
I have a variable for each port forwarding target that holds a space-delimited list of values starting with the IP address of the target, followed by the ports to be forwarded. I just added the following rule at the end of this loop:
$ipt -A in_forward -d $ip -j ACCEPT
This should be secure because by this time it should have already been through the spoof chain. If it was spoofed, it would have already been dropped. If not, then it must have already been NAT'd.
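The whole thread boils down to one rule of packet traversal: a DNAT in the nat table's PREROUTING chain changes the destination before the routing decision, so the packet is routed towards the internal interface and passes through the filter table's FORWARD chain, never INPUT. With a DROP policy on FORWARD, the port forward therefore needs two rules, not one. The script below is an added example and not the thread's script; it emits both halves in iptables-restore format and includes a checker that reports DNAT targets with no FORWARD accept, which is the mistake discussed above. Interface names, the LAN subnet and the mail server address are assumed values. It goes a little beyond the thread's final rule: instead of accepting everything forwarded to the mail server, the FORWARD rule carries `-m conntrack --ctstate DNAT`, so it only accepts connections that actually went through the DNAT rule.

```shell
#!/bin/sh
# Added example, not the script from the thread: generate the two pieces a
# port forward needs (the DNAT in the nat table and the ACCEPT in the filter
# FORWARD chain) in iptables-restore(8) format, plus a checker that finds
# DNAT targets with no FORWARD ACCEPT. Interface names, the LAN subnet and
# the mail server address are assumed values.
# Prerequisite not expressed in the rules: forwarding must be enabled
# (sysctl -w net.ipv4.ip_forward=1), or DNATed packets never reach FORWARD.
EXT_IF=eth0
INT_IF=eth1
LAN_NET=192.168.1.0/24

# build_rules <internal-ip> "<port> [<port> ...]"   (prints the ruleset)
build_rules() {
    ip=$1; ports=$2
    # nat table: DNAT in PREROUTING rewrites the destination before the routing
    # decision, so the packet is routed out $INT_IF and traverses FORWARD, not INPUT.
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for p in $ports; do
        echo "-A PREROUTING -i $EXT_IF -p tcp --dport $p -j DNAT --to-destination $ip:$p"
    done
    echo "-A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE"
    echo 'COMMIT'
    # filter table: FORWARD policy is DROP, so without an explicit ACCEPT the
    # DNATed packet dies here. "--ctstate DNAT" limits the ACCEPT to
    # connections that really went through the DNAT rule above, which is
    # tighter than accepting everything addressed to $ip.
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':spoofed - [0:0]'
    echo ':LOG_DROP - [0:0]'
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "-A spoofed -i $EXT_IF -s $net -j DROP"      # private source from outside
    done
    echo '-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : "'
    echo '-A LOG_DROP -j DROP'
    echo '-A FORWARD -j spoofed'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        echo "-A FORWARD -i $EXT_IF -o $INT_IF -d $ip -p tcp --dport $p -m conntrack --ctstate DNAT -j ACCEPT"
    done
    echo "-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT"
    echo '-A FORWARD -j LOG_DROP'
    echo 'COMMIT'
}

# check_forward: read a ruleset (iptables-save format) on stdin and report every
# DNAT target that no FORWARD ACCEPT covers, either by ip:port or by a plain
# "-d ip" ACCEPT. Exit status is the number of uncovered targets (0 = all good).
check_forward() {
    awk '
    /^\*/ { table = substr($1, 2) }
    table == "nat" && /-j DNAT/ {
        for (i = 1; i < NF; i++) if ($i == "--to-destination") targets[$(i + 1)] = 1
    }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
        ip = ""; port = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-d") { ip = $(i + 1); sub(/\/32$/, "", ip) }
            if ($i == "--dport") port = $(i + 1)
        }
        if (ip != "" && port != "") accepted[ip ":" port] = 1
        else if (ip != "") anyport[ip] = 1
    }
    END {
        n = 0
        for (t in targets) {
            split(t, a, ":")
            if (!(t in accepted) && !(a[1] in anyport)) {
                print "no FORWARD ACCEPT for DNAT target " t
                n++
            }
        }
        exit n
    }'
}

# Usage:  build_rules 192.168.1.10 "25 587" | iptables-restore
#         iptables-save | check_forward
# Verify with counters: "iptables -t nat -L PREROUTING -v -n" shows DNAT hits and
# "iptables -L FORWARD -v -n" must show the ACCEPT counting as well.
```

Running `iptables-save | check_forward` against the original script would have printed the mail server's ip:port as uncovered, which is the whole diagnosis of this thread in one line. The per-rule counters from `iptables -L FORWARD -v -n` answer the earlier question of how to tell whether a packet reaches FORWARD without logging every packet.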