Nat Question

keyboard1973 · 05-24-2009, 01:28 PM

Hello,

I am running Linux version 2.6.18-92.1.22.el5xen (mockbuild@builder16.centos.org) (gcc version 4.1.2 20071124 (Red Hat 4.1.2-42)) with 2 network interface cards set up as a linux nat. My lan is working fine, all boxes can hit the internet, and each other fine. The only issue I am having is the nat box can't get out to the internet, I can ping google.com fine but I can't resolve anything. I have tried to load google with links which stops at making connection. I checked my resolv.conf it is the same as all the other boxes on my network which get out fine. This is leading me to believe I am missing a configuration in iptables.

Here is my iptables

# Generated by iptables-save v1.3.5 on Wed Jan 7 03:53:36 2009
*nat
:PREROUTING ACCEPT [41:3406]
:POSTROUTING ACCEPT [62:3180]
:OUTPUT ACCEPT [17:1020]
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 200 -j DNAT --to-destination 192.168.2.101:22
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.2.101:3389
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.101:80
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.2.151:8000
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.2.151:5900
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.2.101:5901
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.2.101:8080
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jan 7 03:53:36 2009
# Generated by iptables-save v1.3.5 on Wed Jan 7 03:53:36 2009
*filter
:INPUT ACCEPT [1455:126056]
:FORWARD ACCEPT [897:157706]
:OUTPUT ACCEPT [17:1020]
-A INPUT -i eth0 -p tcp -j DROP
#-A INPUT -p udp -m udp --dport 123 -j ACCEPT
##-A FORWARD --in-interface eth1 -j ACCEPT
##-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
##A FORWARD -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
##A FORWARD -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
##A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
##A FORWARD -d 192.168.2.151 -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
##A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
##-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
COMMIT

Any help and suggestions would be appreciated.

Thanks again

janhe · 05-24-2009, 01:44 PM

You drop all tcp connection that come through eth0.
You should at least allow related and established connections.
I used this command to make that happen on my box:

Code:

iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

I don't know how to configure the firewall on Red Hat, but you probably do ;-)

another remark: your firewall seems to let through everything except tcp. I would recommend dropping all traffic exept related connections and some services. Especially on the internet interface.

keyboard1973 · 05-24-2009, 02:46 PM

Hello,

That rule did the trick I have to read more about the input rules on the firewall. If I allow input for the services I would like which reflect the open ports, then add a rule to drop all others at the end iptables will only allow services on those ports correct? or am I looking at this wrong.

Thanks again.

janhe · 05-24-2009, 03:17 PM

Quote:

Originally Posted by keyboard1973

Hello,

That rule did the trick I have to read more about the input rules on the firewall. If I allow input for the services I would like which reflect the open ports, then add a rule to drop all others at the end iptables will only allow services on those ports correct? or am I looking at this wrong.

Thanks again.

The firewall rules are processed from top to bottom.
Each packet is compared to the rules. If it matches, it is sent to the target that belongs to that rule. Once they are sent to a DROP or to a ACCEPT target, they are dropped directly, and no more rules will be compared to them.

So basically you create accept rules for each port on wich you have a service running.
The last rule is to drop all packets.

That way only the packets for the ports that you have opened are allowed.

I think this is what you said, but I'm not sure.

keyboard1973 · 05-24-2009, 03:27 PM

Hello,

I set up my list of input rules in my fire wall and I put -A INPUT -j DROP at the very end of the config which dropped my ssh connection after I restarted iptables and could not ssh back in. I want to drop everything else except for what I specified with my input rules.

Thanks again

janhe · 05-24-2009, 04:25 PM

do you have a rule that looks like this one somewhere?

Code:

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

keyboard1973 · 05-24-2009, 04:28 PM

Hello,

Here are what I have for input rules so far.

:INPUT ACCEPT [5868:1133049]
:FORWARD ACCEPT [119558:154645241]
:OUTPUT ACCEPT [295:18153]
#-A INPUT -i eth0 -p tcp -j DROP
#-A INPUT -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT

Thank you

Keith

janhe · 05-25-2009, 01:49 AM

Try allowing related and established connections for all interfaces, not just eth0