LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
05-24-2009, 02:28 PM #1
keyboard1973
Nat Question


Hello,

I am running Linux version 2.6.18-92.1.22.el5xen (mockbuild@builder16.centos.org) (gcc version 4.1.2 20071124 (Red Hat 4.1.2-42)) with 2 network interface cards set up as a linux nat. My lan is working fine, all boxes can hit the internet, and each other fine. The only issue I am having is the nat box can't get out to the internet, I can ping google.com fine but I can't resolve anything. I have tried to load google with links which stops at making connection. I checked my resolv.conf it is the same as all the other boxes on my network which get out fine. This is leading me to believe I am missing a configuration in iptables.

Here is my iptables

# Generated by iptables-save v1.3.5 on Wed Jan 7 03:53:36 2009
*nat
:PREROUTING ACCEPT [41:3406]
:POSTROUTING ACCEPT [62:3180]
:OUTPUT ACCEPT [17:1020]
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 200 -j DNAT --to-destination 192.168.2.101:22
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.2.101:3389
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.101:80
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.2.151:8000
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.2.151:5900
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.2.101:5901
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.2.101:8080
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jan 7 03:53:36 2009
# Generated by iptables-save v1.3.5 on Wed Jan 7 03:53:36 2009
*filter
:INPUT ACCEPT [1455:126056]
:FORWARD ACCEPT [897:157706]
:OUTPUT ACCEPT [17:1020]
-A INPUT -i eth0 -p tcp -j DROP
#-A INPUT -p udp -m udp --dport 123 -j ACCEPT
##-A FORWARD --in-interface eth1 -j ACCEPT
##-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
##A FORWARD -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
##A FORWARD -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
##A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
##A FORWARD -d 192.168.2.151 -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
##A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
##-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
COMMIT



Any help and suggestions would be appreciated.

Thanks again
 
05-24-2009, 02:44 PM #2
janhe
You drop all tcp connections that come through eth0.
You should at least allow related and established connections.
I used this command to make that happen on my box:
Code:
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
I don't know how to configure the firewall on Red Hat, but you probably do ;-)

Another remark: your firewall seems to let through everything except tcp. I would recommend dropping all traffic except related connections and some services, especially on the internet interface.
 
05-24-2009, 03:46 PM #3
keyboard1973 (Original Poster)
Fixed

Hello,

That rule did the trick. I have to read more about the input rules on the firewall. If I allow input for the services I would like, which reflect the open ports, then add a rule to drop all others at the end, iptables will only allow services on those ports, correct? Or am I looking at this wrong?

Thanks again.
 
05-24-2009, 04:17 PM #4
janhe
Quote: Originally Posted by keyboard1973
Hello,

That rule did the trick. I have to read more about the input rules on the firewall. If I allow input for the services I would like, which reflect the open ports, then add a rule to drop all others at the end, iptables will only allow services on those ports, correct? Or am I looking at this wrong?

Thanks again.
The firewall rules are processed from top to bottom.
Each packet is compared to the rules. If it matches, it is sent to the target that belongs to that rule. Once they are sent to a DROP or to an ACCEPT target, they are dropped or accepted directly, and no more rules will be compared to them.

So basically you create accept rules for each port on which you have a service running.
The last rule is to drop all packets.

That way only the packets for the ports that you have opened are allowed.

I think this is what you said, but I'm not sure.
 
05-24-2009, 04:27 PM #5
keyboard1973 (Original Poster)
Connection dropped

Hello,

I set up my list of input rules in my firewall and I put -A INPUT -j DROP at the very end of the config, which dropped my ssh connection after I restarted iptables, and I could not ssh back in. I want to drop everything else except for what I specified with my input rules.

Thanks again
 
05-24-2009, 05:25 PM #6
janhe
Do you have a rule that looks like this one somewhere?
Code:
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 
05-24-2009, 05:28 PM #7
keyboard1973 (Original Poster)
Input Rules

Hello,

Here are what I have for input rules so far.

:INPUT ACCEPT [5868:1133049]
:FORWARD ACCEPT [119558:154645241]
:OUTPUT ACCEPT [295:18153]
#-A INPUT -i eth0 -p tcp -j DROP
#-A INPUT -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT


Thank you

Keith
 
05-25-2009, 02:49 AM #8
janhe
Try allowing related and established connections for all interfaces, not just eth0.
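The top-to-bottom, first-match behaviour janhe describes in post #4 is what locks the OP out in post #5, and post #8 is the fix. As an added example (not code from this thread), the following Python simulator parses the INPUT rules exactly as they are quoted in post #7, appends the trailing drop from post #5, and walks a few constructed packets through the original chain, the post #7 chain, and the chain with post #8's change applied. The loopback accept rule and the sample packets are assumptions of this example, not something the thread contains.

```python
# Added example: a first-match simulator for the INPUT chains discussed in this thread.
# It reproduces the ssh lockout offline; it does not touch the real netfilter tables.
from dataclasses import dataclass, field
from typing import Optional, List, Set, Tuple


@dataclass
class Packet:
    iface: str            # interface the packet arrives on: "eth0" (internet), "eth1" (LAN), "lo"
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port (None for icmp)
    state: str            # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Set[str] = field(default_factory=set)

    def matches(self, pkt: Packet) -> bool:
        # Every criterion present on the rule must match; absent criteria match anything.
        return ((self.iface is None or pkt.iface == self.iface)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (not self.states or pkt.state in self.states))


def parse_rule(line: str) -> Rule:
    """Parse one '-A INPUT ...' line in iptables-save syntax (the subset used in this thread)."""
    toks = line.split()
    rule = Rule(target="")
    i = 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-i":
            rule.iface = arg
        elif opt == "-p":
            rule.proto = arg
        elif opt == "--dport":
            rule.dport = int(arg)
        elif opt == "--state":
            rule.states = set(arg.split(","))
        elif opt == "-j":
            rule.target = arg
        elif opt not in ("-A", "-m"):   # "-A INPUT" and "-m state"/"-m tcp" carry no criteria
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    if not rule.target:
        raise ValueError(f"rule without target: {line!r}")
    return rule


def parse_chain(text: str) -> Tuple[List[Rule], str]:
    """Return (rules, policy) for the INPUT chain of an iptables-save dump; comments are ignored."""
    rules, policy = [], "ACCEPT"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(line))
    return rules, policy


def verdict(text: str, pkt: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule decides, otherwise the chain policy."""
    rules, policy = parse_chain(text)
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# The OP's first filter chain (post #1): every TCP packet arriving on eth0 is dropped,
# including the replies to connections the NAT box itself opened.
ORIGINAL = """
:INPUT ACCEPT [1455:126056]
-A INPUT -i eth0 -p tcp -j DROP
"""

# Post #7's rules plus the trailing "-A INPUT -j DROP" from post #5 (the combination is constructed).
POST7_WITH_DROP = """
:INPUT ACCEPT [5868:1133049]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT
-A INPUT -j DROP
"""

# Post #8's fix: the RELATED,ESTABLISHED rule without "-i eth0". The loopback accept rule is
# an assumption of this example (common practice, not something the thread mentions).
FIXED = POST7_WITH_DROP.replace("-A INPUT -i eth0 -m state", "-A INPUT -m state").replace(
    "-A INPUT -j DROP", "-A INPUT -i lo -j ACCEPT\n-A INPUT -j DROP")

# Constructed packets: a reply to an outbound web connection, the SYN and a later data
# segment of an ssh session from the LAN, and an unsolicited connection attempt from the internet.
WEB_REPLY = Packet("eth0", "tcp", 40000, "ESTABLISHED")
LAN_SSH_SYN = Packet("eth1", "tcp", 22, "NEW")
LAN_SSH_DATA = Packet("eth1", "tcp", 22, "ESTABLISHED")
WAN_PROBE = Packet("eth0", "tcp", 23, "NEW")

if __name__ == "__main__":
    for name, text in [("original", ORIGINAL), ("post #7 + DROP", POST7_WITH_DROP), ("fixed", FIXED)]:
        print(name, [verdict(text, p) for p in (WEB_REPLY, LAN_SSH_SYN, LAN_SSH_DATA, WAN_PROBE)])
```

Running it shows the lockout: with the post #7 chain the ssh SYN from the LAN is accepted by the `--dport 22` rule, but the next segment of that same session is ESTABLISHED, so it matches none of the NEW rules, the state rule ignores it because of `-i eth0`, and the trailing `-A INPUT -j DROP` discards it. Removing `-i eth0` from the state rule, as post #8 suggests, accepts it, while the unsolicited connection from eth0 still ends at the drop.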
 