Visit the LQ Articles and Editorials section
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


Search this Thread
Old 01-05-2006, 11:08 AM   #1
LQ Newbie
Registered: Dec 2005
Posts: 5

Rep: Reputation: 0
Problem with my iptables script please help

I am writing a script to translate my packets(DNAT works fine)the SNAT doesnt seem to be. Much help appreciated.

# This bash script configures the Asterisk iptables for Routing.
# and saves the results. ( turned off )

# Stop iptables (need clean restart)
# I like this however it releases port 22 connections - ka
# service iptables stop

# Devices


# Hosts

# Kernel flags

echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# # For Dynamic PPP: echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Flush all tables

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

# Set default policies

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
# iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

# Chain for bad tcp packets

iptables -N badTCP

# Stop sequence prediction attacks
iptables -A badTCP -p tcp --tcp-flags SYN,ACK SYN,ACK -m state \
--state NEW -j REJECT --reject-with tcp-reset

# Drop new packets that are not connection requests
iptables -A badTCP -p tcp ! --syn -m state --state NEW -j DROP

# Blocklist to deal with "special people"

# iptables -N blockList

# for ip in `<blocklist.txt`; do
# iptables -A blockList -i $netDev -s $ip -j DROP
# done

# Accept a tcp connection

iptables -N tcpConnect
# iptables -A tcpConnect -p tcp -j blockList
iptables -A tcpConnect -p tcp --syn -j ACCEPT

# Allowed TCP connections

iptables -N tcpAllow
iptables -A tcpAllow -p tcp -m tcp --dport 22 -j tcpConnect
iptables -A tcpAllow -p tcp -m tcp --sport 22 -j tcpConnect
iptables -A tcpAllow -p tcp -m tcp --dport 631 -j tcpConnect
iptables -A tcpAllow -p tcp -m tcp --sport 631 -j tcpConnect

iptables -A tcpAllow -p tcp --dport ssh -j tcpConnect
iptables -A tcpAllow -p tcp --dport http -j tcpConnect
iptables -A tcpAllow -p tcp --dport https -j tcpConnect
iptables -A tcpAllow -p tcp --dport smtp -j tcpConnect
iptables -A tcpAllow -p tcp --dport ftp -j tcpConnect
iptables -A tcpAllow -p tcp -j REJECT --reject-with tcp-reset

# iptables -A tcpAllow -p tcp --dport imap -j tcpConnect
# iptables -A tcpAllow -p tcp --dport imaps -j tcpConnect
# iptables -A tcpAllow -p tcp --dport pop3 -j tcpConnect
# iptables -A tcpAllow -p tcp --dport pop3s -j tcpConnect
# iptables -A tcpAllow -p tcp --dport telnet -j tcpConnect

# Allowed UDP packets

iptables -N udpAllow
# iptables -A udpAllow -p udp --dport domain -j ACCEPT
# Nothing right now.

# Allowed icmp packets

iptables -N icmpAllow
iptables -A icmpAllow -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmpAllow -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmpAllow -p icmp --icmp-type echo-reply -j ACCEPT

# Main firewall configuration

iptables -A INPUT -p tcp -j badTCP
iptables -A INPUT -i $lanDev -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i $netDev -p tcp -j tcpAllow
# iptables -A INPUT -i $netDev -p udp -j udpAllow
iptables -A INPUT -i $netDev -p icmp -j icmpAllow

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Network address translation

# SNAT is preferred over MASQUERADE if $netDev is constant

# iptables -t nat -A POSTROUTING -o $netDev \
# -j SNAT --to-source $thisServer

# Forwarding

# Packets that arrive on the server with destinations
# on other hosts do not pass through the INPUT chain.
# They go directly to FORWARD:

iptables -A FORWARD -p tcp -j badTCP
# iptables -A FORWARD -i $netDev -j ACCEPT
# iptables -A FORWARD -o $lanDev -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# The packets accepted by FORWARD are determined by the
# remoteLAN() function. See below.

{ target=$1

iptables -t nat -A POSTROUTING -o $lanDev -s $remlan -j SNAT --to-source $target
# does not work! iptables -t nat -A PREROUTING -i $netDev -s $remlan -j SNAT --to-source $target

# iptables -A FORWARD -o $netDev -s $target -j ACCEPT
# iptables -t nat -A PREROUTING -i $netDev -s $remlan -j SNAT --to-source $target
# ok iptables -A FORWARD -i $netDev -d $target -j ACCEPT

iptables -t nat -A PREROUTING -i $netDev -d $target -j DNAT --to-destination $remlan
# iptables -A FORWARD -i $netDev -d $remlan -j ACCEPT
# ok iptables -A FORWARD -i $netDev -s $remlan -j ACCEPT


# Remote LAN convertions for the VoIP Network (See abovefor NAT changes)
remoteLAN 172.x.x.211 10.x.x.211
# remoteLAN 172.x.x.212 10.x.x.212
# remoteLAN 172.x.x.213 10.x.x.213
# remoteLAN 172.x.x.214 10.x.x.214
# remoteLAN 172.x.x.215 10.x.x215

# Example of logging:

# Use the rule: -j LOG --log-prefix "A prefix:"
# iptables -A OUTPUT -j LOG --log-prefix "Output :"
# iptables -A INPUT -j LOG --log-prefix "Input :"
iptables -A FORWARD -i $netDev -j LOG --log-prefix "F I eth0:"
iptables -A FORWARD -o $netDev -j LOG --log-prefix "F O eth0:"
iptables -A FORWARD -i $lanDev -j LOG --log-prefix "F I eth1:"
iptables -A FORWARD -o $lanDev -j LOG --log-prefix "F O eth1:"

# Save the firewall settings

# service iptables save

# Clean up & follow through info for testing

service iptables status
# iptables -nvL
# iptables -nvL -t nat
iptables -nvL -t filter

Old 01-07-2006, 06:51 AM   #2
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Only thing i see is a missing ";" in the for/done loop. But that's commented out

Last edited by Notwerk; 01-07-2006 at 07:05 AM.
Old 01-14-2006, 05:50 PM   #3
Registered: Sep 2003
Location: Colorado
Posts: 85

Rep: Reputation: 15
It is hard to understand what you are trying to accomplish from your script with regards to NAT. Are you trying to do a 1:1 mapping? Post some more information on what you are trying to accomplish.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
problem loading iptables script on startup manicajk Linux - General 8 04-12-2009 11:37 AM
iptables problem script thuns Linux - Security 4 02-13-2005 07:35 AM
Iptables script problem carlosruiz Linux - Security 3 01-30-2005 09:09 PM
iptables problem in a very simple script max_sipos Linux - Security 2 08-10-2004 06:58 AM
iptables script problem valo Linux - Security 5 08-19-2003 10:16 AM

All times are GMT -5. The time now is 11:26 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration