LinuxQuestions.org (/questions/) > Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
Thread: simple Iptables. Linux receives internet but can reroute to computer in router (http://www.linuxquestions.org/questions/linux-networking-3/simple-iptables-linux-receives-internet-but-can-reroute-to-computer-in-router-911162/)

edotom 10-31-2011 06:53 PM

simple Iptables. Linux receives internet but can reroute to computer in router
 
Hi,
I have the following scenario.
I have an ISP which provides me internet, which I receive on my Ubuntu 11 box on eth0. I share the internet to my router using eth1, which has 10.10.10.1 / 255.255.255.0 with gateway 0.0.0.0. So far so good. All computers in my LAN have internet. I have my svn working on my Linux box and all of my computers can reach it. The problem: my PCs are on 192.168.1.0 and I can't get HTTP 8080 redirected to one of them. It was working with Firestarter until I had to reinstall my former Ubuntu 10 as Ubuntu 11. I tried a lot of stuff with no luck.

Please take a peek at my iptables:

# Generated by iptables-save v1.4.10 on Mon Oct 31 18:41:48 2011
*nat
:PREROUTING ACCEPT [34:2544]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [4:197]
:POSTROUTING ACCEPT [3:132]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.5:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3690 -j DNAT --to-destination 10.10.10.1:3690
-A PREROUTING -i eth0 -p udp -m udp --dport 3690 -j DNAT --to-destination 10.10.10.1:3690
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 31 18:41:48 2011
# Generated by iptables-save v1.4.10 on Mon Oct 31 18:41:48 2011
*mangle
:PREROUTING ACCEPT [122:9281]
:INPUT ACCEPT [33:2279]
:FORWARD ACCEPT [85:6758]
:OUTPUT ACCEPT [29:2121]
:POSTROUTING ACCEPT [93:7115]
COMMIT
# Completed on Mon Oct 31 18:41:48 2011
# Generated by iptables-save v1.4.10 on Mon Oct 31 18:41:48 2011
*filter
:INPUT DROP [22:1716]
:FORWARD DROP [0:0]
:OUTPUT DROP [21:1764]
:INBOUND - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:OUTBOUND - [0:0]
-A INPUT -s 200.75.51.132/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 200.75.51.132/32 -p udp -j ACCEPT
-A INPUT -s 200.75.51.133/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 200.75.51.133/32 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i eth0 -j DROP
-A INPUT -d 190.24.226.47/32 -j DROP
-A INPUT -s 224.0.0.0/8 -j DROP
-A INPUT -d 224.0.0.0/8 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
-A INPUT -d 0.0.0.0/32 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -m limit --limit 10/min -j LSI
-A INPUT -i eth0 -j INBOUND
-A INPUT -d 10.10.10.1/32 -i eth1 -j INBOUND
-A INPUT -d 190.24.226.46/32 -i eth1 -j INBOUND
-A INPUT -d 10.10.10.255/32 -i eth1 -j INBOUND
-A INPUT -d 192.168.1.6/32 -i eth2 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -d 192.168.1.5/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -p icmp -m limit --limit 10/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 10.10.10.1/32 -i eth0 -p tcp -m tcp --dport 3690 -j ACCEPT
-A FORWARD -d 10.10.10.1/32 -i eth0 -p udp -m udp --dport 3690 -j ACCEPT
-A FORWARD -i eth1 -j OUTBOUND
-A FORWARD -d 10.10.10.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.10.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
-A OUTPUT -s 190.24.226.46/32 -d 200.75.51.132/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 190.24.226.46/32 -d 200.75.51.132/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 190.24.226.46/32 -d 200.75.51.133/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 190.24.226.46/32 -d 200.75.51.133/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 224.0.0.0/8 -j DROP
-A OUTPUT -d 224.0.0.0/8 -j DROP
-A OUTPUT -s 255.255.255.255/32 -j DROP
-A OUTPUT -d 0.0.0.0/32 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -o eth1 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -p udp -m udp --dport 22 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 3690 -j ACCEPT
-A INBOUND -p udp -m udp --dport 3690 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 80 -j ACCEPT
-A INBOUND -p udp -m udp --dport 80 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 5900 -j ACCEPT
-A INBOUND -p udp -m udp --dport 5900 -j ACCEPT
-A INBOUND -j LSI
-A LSI -j LOG_FILTER
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j REJECT --reject-with icmp-port-unreachable
-A OUTBOUND -p icmp -j ACCEPT
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -j ACCEPT
COMMIT
# Completed on Mon Oct 31 18:41:49 2011

I'm in despair.

regards

edotom

lqman 11-01-2011 12:48 AM

What is your eth0 IP address? Is it static or dynamic?
Where is your PC 192.168.1.5 positioned in the illustration below?

{internet from ISP}-----[eth0:?]{ubuntu}[eth1:10.10.10.1/24]-----{LAN}

ceyx 11-01-2011 01:16 AM

Line 5 ...

-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.5:80

should be

-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.5:8080

??
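A small audit script, added here as an example and not code from any of the posters, that reads an iptables-save dump and checks each DNAT rule against three things a practitioner would verify before changing ports: whether the translated destination is one of the box's own addresses (such packets go to INPUT, so FORWARD rules for them never match), whether a FORWARD ACCEPT exists for the post-DNAT address and port (the filter table sees the translated destination, so the DNAT target port and the FORWARD --dport must agree), and whether the destination sits on a directly attached subnet. The rule excerpt is taken from the dump posted above; the interface map (eth1 = 10.10.10.0/24) and the local address set (10.10.10.1) are assumptions drawn from the first post, and the 192.168.1.0/24 LAN is assumed to sit behind the second router.

```python
"""Audit DNAT port-forwards in an iptables-save dump (added example, not the
thread's own code).  For each DNAT rule it reports: LOCAL_DELIVERY when the
target is one of the router's own addresses, FORWARD_ACCEPT_OK or
NO_FORWARD_ACCEPT depending on whether filter/FORWARD accepts the post-DNAT
destination and port, and NOT_ATTACHED when the target is not on a directly
attached subnet (a route via the downstream router is then required)."""
import ipaddress
import shlex

# Constructed excerpt of the rules posted in the thread: the nat table plus
# the FORWARD ACCEPT rules that matter; other chains are left out.
POSTED_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.5:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3690 -j DNAT --to-destination 10.10.10.1:3690
-A PREROUTING -i eth0 -p udp -m udp --dport 3690 -j DNAT --to-destination 10.10.10.1:3690
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.168.1.5/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 10.10.10.1/32 -i eth0 -p tcp -m tcp --dport 3690 -j ACCEPT
-A FORWARD -d 10.10.10.1/32 -i eth0 -p udp -m udp --dport 3690 -j ACCEPT
COMMIT
"""

# Assumed topology from the first post: eth1 is 10.10.10.1/24 and the
# 192.168.1.0/24 LAN hangs off a second router behind eth1.
ATTACHED_SUBNETS = {"eth1": ipaddress.ip_network("10.10.10.0/24")}
LOCAL_ADDRESSES = {ipaddress.ip_address("10.10.10.1")}


def parse_save(text):
    """Return one {table, chain, opts} dict per '-A' line of an iptables-save dump.

    opts maps each option (e.g. '-d', '--dport', '-j') to its first value;
    repeated options such as '-m' keep the first occurrence, and the '!'
    negation token and extra positional values are skipped.
    """
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            opts, i = {}, 2
            while i < len(tokens):
                tok, nxt = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
                if tok.startswith("-") and nxt is not None and not nxt.startswith("-"):
                    opts.setdefault(tok, nxt)
                    i += 2
                else:
                    i += 1
            rules.append({"table": table, "chain": tokens[1], "opts": opts})
    return rules


def _dst_matches(rule_dst, ip):
    """True when a rule's -d (or absence of one) covers the given address."""
    return rule_dst is None or ip in ipaddress.ip_network(rule_dst, strict=False)


def audit_dnat(text, attached=ATTACHED_SUBNETS, local=LOCAL_ADDRESSES):
    """Map 'proto/original-dport' -> list of finding codes for every DNAT rule."""
    rules = parse_save(text)
    forwards = [r["opts"] for r in rules
                if r["table"] == "filter" and r["chain"] == "FORWARD"
                and r["opts"].get("-j") == "ACCEPT"]
    findings = {}
    for r in rules:
        o = r["opts"]
        if r["table"] != "nat" or o.get("-j") != "DNAT":
            continue
        proto = o.get("-p")
        target_ip, _, target_port = o["--to-destination"].partition(":")
        target_port = target_port or o.get("--dport")  # no port given: unchanged
        ip = ipaddress.ip_address(target_ip)
        codes = []
        if ip in local:
            codes.append("LOCAL_DELIVERY")  # goes to INPUT; FORWARD never sees it
        else:
            # The filter table matches on the post-DNAT destination and port.
            accepted = any(_dst_matches(f.get("-d"), ip)
                           and f.get("-p") in (None, proto)
                           and f.get("--dport") in (None, target_port)
                           for f in forwards)
            codes.append("FORWARD_ACCEPT_OK" if accepted else "NO_FORWARD_ACCEPT")
            if not any(ip in net for net in attached.values()):
                codes.append("NOT_ATTACHED")  # needs a route via the inner router
        findings[f"{proto}/{o.get('--dport')}"] = codes
    return findings


if __name__ == "__main__":
    for key, codes in audit_dnat(POSTED_RULES).items():
        print(key, " ".join(codes))
```

Run against the posted rules this reports tcp/8080 as FORWARD_ACCEPT_OK plus NOT_ATTACHED: the nat and filter rules for 192.168.1.5 already agree on port 80, but 192.168.1.5 is not on the 10.10.10.0/24 network attached to eth1, so the Ubuntu box needs a route for 192.168.1.0/24 via the inner router's 10.10.10.x address, and that router has to accept and forward the connection as well (otherwise forward to the router's own 10.10.10.x address and let it do the second hop). If the DNAT target is changed to 192.168.1.5:8080 as suggested above, the FORWARD rule with --dport 80 stops matching and the script reports NO_FORWARD_ACCEPT, so both rules must be changed together. The two 3690 rules come back as LOCAL_DELIVERY because 10.10.10.1 is the box's own address: those packets are delivered through INPUT and the INBOUND chain (which accepts 3690), and the two FORWARD rules for 10.10.10.1:3690 are never hit.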
