Old 08-24-2006, 12:51 PM   #1
MercurioBlue
LQ Newbie
 
Registered: Aug 2006
Location: Marin County
Distribution: Fedora Core 3
Posts: 1
SSH Port Forwarding with IPTables & DNAT and port 80


Hi all,

I want to forward external SSH requests from a gateway server, to a content server that's inside a local network using DNAT. I'm using IPTABLES with PREROUTING but it doesn't seem to work the way I would expect it to (it blocks all SSH connections from the outside).

#!/bin/bash

/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_filter
echo "1" > /proc/sys/net/ipv4/ip_forward

# clear configuration

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F

# allow loopback connection
/sbin/iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# set up wi-line
/sbin/iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $ext_ip

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ext_ip --dport 26 -j DNAT --to 192.168.0.2:25

#forward port 22 to internal server
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.132 --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth0 -d 192.168.0.132 --dport 22 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ext_ip --dport 22 -j DNAT --to 192.168.0.132:22
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d $ext_ip --dport 22 -j DNAT --to 192.168.0.132:22


Also, on another machine (web server running Apache), I want to block all ports but 80. I tried typing this:
/sbin/iptables -P INPUT DROP

/sbin/iptables -A INPUT -s 0/0 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -i eth0 -p udp -m udp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -i eth1 -p udp -m udp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp -m udp --sport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p tcp -m tcp --sport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p udp -m udp --sport 80 -j ACCEPT

But when I start IPTables the webpage will not show up until I shut off IPTables.

Any help would be appreciated. Thanks!

Mike

Last edited by MercurioBlue; 08-24-2006 at 12:57 PM.
 
Old 08-24-2006, 07:12 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
Most servers resolve the incoming connections to get hostnames.
You don't have any rules in the FORWARD chain to allow dns.

With FORWARD rules, don't add extra checks unless they are necessary, e.g.,
don't specify both -i & -o interfaces. Also, -d ip numbers are unnecessary as the interface has only one ip address.

Also, with an ACCEPT policy for INPUT & OUTPUT, you don't need to write ACCEPT rules (unless you have a DROP following).

When you DNAT, the port number is retained unless you specify a different one, so --to-dest x.x.x.x:22 is unnecessary.
I suggest you have a good read of the BIG Iptables tutorial.

Last edited by peter_robb; 08-25-2006 at 03:48 AM.
 
Old 08-24-2006, 11:17 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
welcome to LQ!!!

Quote:
Originally Posted by MercurioBlue
I cleaned up your port-forwarding script... try it...

Make sure you replace $WAN_IP's x.x.x.x with your actual IP:
Code:
#!/bin/sh

IPT="/sbin/iptables"

WAN_IFACE="eth0"
WAN_IP="x.x.x.x"

LAN_IFACE="eth2"
LAN_NET="192.168.0.0/24"

# Disable forwarding while we set-up:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Set policies for the filter table:
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Set policies for the mangle table:
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

# Set policies for the nat table:
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

# Flush all rules:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

# Delete all user-built chains:
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 22 \
-j DNAT --to-destination 192.168.0.132

$IPT -t nat -A PREROUTING -p UDP -i $WAN_IFACE --dport 22 \
-j DNAT --to-destination 192.168.0.132

$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 26 \
-j DNAT --to-destination 192.168.0.2:25

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
-m state --state NEW -j ACCEPT

$IPT -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE -d 192.168.0.132 \
--dport 22 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p UDP -i $WAN_IFACE -o $LAN_IFACE -d 192.168.0.132 \
--dport 22 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE -d 192.168.0.2 \
--dport 25 -m state --state NEW -j ACCEPT

$IPT -t nat -A POSTROUTING -o $WAN_IFACE \
-j SNAT --to-source $WAN_IP

# Enable forwarding now that we are set-up:
echo "1" > /proc/sys/net/ipv4/ip_forward


As for the web server script, try like this:
Code:
#!/bin/sh

IPT="/sbin/iptables"
WAN_IFACE="eth0"
LAN_IFACE="eth1"

# Disable forwarding because this is not a router:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Set policies for the filter table:
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# Set policies for the mangle table:
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

# Set policies for the nat table:
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

# Flush all rules:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

# Delete all user-built chains:
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p UDP -i $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

# Uncomment this if you wanna be able to SSH from the LAN:
#$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 \
#-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# OUTPUT rules match on the outgoing interface (-o), not -i:
$IPT -A OUTPUT -o lo -j ACCEPT
I hope this helps... just my ... good luck...

BTW, you probably don't need those UDP rules...

Last edited by win32sux; 08-24-2006 at 11:27 PM.
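The gap between the original script and the cleaned-up one is that a DNAT rule only rewrites the destination; the packet still has to pass the FORWARD chain, and the original had no FORWARD rule for the port 26 -> 192.168.0.2:25 forward. As an added example (not code from the thread), this POSIX sh/awk check reads iptables-save style output (a constructed sample here; the SNAT address 203.0.113.10 is a placeholder) and reports every DNAT port-forward with no matching FORWARD ACCEPT for the translated host and port.

```shell
#!/bin/sh
# Constructed iptables-save style dump mirroring the thread's rules:
# the port 22 forward has its FORWARD rule, the port 26 -> :25 forward does not.
SAMPLE_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.132
-A PREROUTING -i eth0 -p tcp -m tcp --dport 26 -j DNAT --to-destination 192.168.0.2:25
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.132/32 -i eth0 -o eth2 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT'

# check_forwards DUMP: prints "<host> <port> ok" or "<host> <port> MISSING"
# for each PREROUTING DNAT rule. A DNAT without --to-destination port keeps
# the original --dport, exactly as peter_robb notes above.
check_forwards() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING / && /-j DNAT/ {
            dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            host = dest; port = dport
            if (dest ~ /:/) { split(dest, a, ":"); host = a[1]; port = a[2] }
            n++; fhost[n] = host; fport[n] = port
        }
        /^-A FORWARD / && /-j ACCEPT/ {
            d = ""; p = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") { d = $(i + 1); sub(/\/32$/, "", d) }
                if ($i == "--dport") p = $(i + 1)
            }
            if (d != "" && p != "") allowed[d ":" p] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                k = fhost[i] ":" fport[i]
                print fhost[i], fport[i], ((k in allowed) ? "ok" : "MISSING")
            }
        }'
}

check_forwards "$SAMPLE_RULES"
```

On a live gateway the same function can be fed `iptables-save` output; a MISSING line means the DNAT target will be dropped by a FORWARD DROP policy just as in the original script.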