LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-25-2005, 07:07 AM   #1
deadlydemon
LQ Newbie
 
Registered: Apr 2005
Posts: 2

Rep: Reputation: 0
IPTables port forwarding problem


Hello

I've made a firewall script for my network using bits from other scripts i found . I need to forward some ports (21,22,25,80,110) to my server, but when i use the command "iptables -A FORWARD -p tcp -i eth0 -d 192.168.2.2 --dport 80 -j ACCEPT" the port does not get forwarded.

can any one help me?

#!/bin/bash
#
#-------------------------------------------------------------------
# - Paths to files - |
#-------------------------------------------------------------------
FLUSH="/usr/local/bin/iptables-flush"
DEPMOD=/sbin/depmod
IPTABLES=/sbin/iptables
IPTABLES_SAVE="/sbin/iptables-save"
IPTABLES_RESTORE="/sbin/iptables-restore"
SYSCTL="/sbin/sysctl -w"

#-------------------------------------------------------------------
# - IP Address config - |
#-------------------------------------------------------------------
# Internet IP :-
INET_IP="`ifconfig eth0|grep "inet addr"|grep -v grep|cut -c21-100|cut -d ' ' -f1`"
#
# DMZ IP :-
DMZ_IP="192.168.2.1"
#
# LAN IP :-
LAN_IP="192.168.1.1"
# Loopback IP :-
LO_IP="127.0.0.1"

#-------------------------------------------------------------------
# - Net Interface config - |
#-------------------------------------------------------------------
# External Interface :-
INETIF="eth0"
#
# DMZ Interface :-
DMZIF="eth1"
#
# LAN Interface :-
LANIF="eth2"
# Loopback Interface :-
LOIF="lo"

#-------------------------------------------------------------------
# - Network Rage - |
#-------------------------------------------------------------------
# DMZ :-
DMZ_NET="192.168.2.0/24"
#
# LAN :-
LAN_NET="192.168.1.0/24"

#-------------------------------------------------------------------
# - Broadcast Info - |
#-------------------------------------------------------------------
# DMZ broadcast :-
DMZ_BCAST="192.168.2.255"
#
# LAN broadcast :-
LAN_BCAST="192.168.1.255"

#-------------------------------------------------------------------
# - Servers on DMZ - |
#-------------------------------------------------------------------
DMZ_SERVER1="192.168.2.2"

#-------------------------------------------------------------------
# - Module Config - |
#-------------------------------------------------------------------
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_irc
modprobe iptable_mangle
modprobe ipt_LOG
modprobe ipt_mac
modprobe ipt_state
modprobe ip_tables
modprobe iptable_filter
modprobe ipt_limit
modprobe ipt_MASQUERADE
modprobe ipt_REJECT

ENABLE=Y
#-------------------------------------------------------------------
#- DO NOT EDIT BEYOND THIS POINT UNLESS YOU KNOW WHAT YOUR DOING - |
#-------------------------------------------------------------------
#
if [ "$ENABLE" = "N" ]
then
echo "Please edit the firewall and change ENABLE to Y"
exit 1
fi

if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTABLES_SAVE > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTABLES_RESTORE < /etc/sysconfig/iptables
echo "done"
exit 0
fi

echo "Config Info :-"
echo "Internet Interface: $INETIF"
echo "Internet IP: $INET_IP"
echo " "
echo "DMZ Interface: $DMZIF"
echo "DMZ IP: $DMZ_IP"
echo " "
echo "LAN Interface: $LANIF"
echo "LAN IP: $LAN_IP"
echo " "

# Need to verify that all modules have all required dependencies
#
echo "Verifying that all kernel modules are ok"

$DEPMOD -a &> /var/log/firewall.log
if [ $? -eq 1 ] ; then
echo "kernel modules = FAILED"
exit 1
else
echo "kernel modules = OK"
fi

#---------
echo " "
echo "Starting firewall. Please wait...."
echo "|- Flushing current rules"
$FLUSH

if [ "$1" = "stop" ]
then
echo "|- Firewall completely flushed! Now running with no firewall."
exit 0
fi

#---------
#echo "|- Seting default policies for packets going through firewall"
#iptables -t nat -P PREROUTING ACCEPT
#iptables -t nat -P POSTROUTING ACCEPT
#iptables -P FORWARD ACCEPT

#---------
echo "|- Seting default policies for packets entering this box"

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.

echo "|- Creating custom rule chains ..."
# Create a chain to filter INVALID packets

$IPTABLES -N bad_packets

# Create another chain to filter bad tcp packets

$IPTABLES -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.

$IPTABLES -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPTABLES -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
$IPTABLES -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
$IPTABLES -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
$IPTABLES -N tcp_outbound

###############################################################################
#
# Populate User Chains
#

echo "|- Populating custom rule chains ..."

# bad_packets chain
#
# Drop INVALID packets immediately

$IPTABLES -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "Invalid packet: "

$IPTABLES -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPTABLES -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPTABLES -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet. If it doesn't, it is likely a
# port scan. This drops packets in state
# NEW that are not flagged as syn packets.

# Return to the calling chain if the bad packets originate
# from the local interface. This maintains the approach
# throughout this firewall of a largely trusted internal
# network.
$IPTABLES -A bad_tcp_packets -p tcp -i $LANIF -j RETURN
$IPTABLES -A bad_tcp_packets -p tcp -i $DMZIF -j RETURN

# However, I originally did apply this filter to the forward chain
# for packets originating from the internal network. While I have
# not conclusively determined its effect, it appears to have the
# interesting side effect of blocking some of the ad systems.
# Apparently some ad systems have the browser initiate a NEW
# connection that is not flagged as a syn packet to retrieve
# the ad image. If you wish to experiment further comment the
# rule above. If you try it, you may also wish to uncomment the
# rule below. It will keep those packets from being logged.
# There are a lot of them.
# $IPTABLES -A bad_tcp_packets -p tcp -i $LANIF ! --syn -m state \
# --state NEW -j DROP
# $IPTABLES -A bad_tcp_packets -p tcp -i $DMZIF ! --syn -m state \
# --state NEW -j DROP

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn: "
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# All good, so return
$IPTABLES -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule. Applied to INPUT on the external interface.
#
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.

# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPTABLES -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "ICMP Fragment: "
$IPTABLES -A icmp_packets --fragment -p ICMP -j DROP

# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
#
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
# --log-prefix "Ping detected: "
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# Time Exceeded
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPTABLES -A icmp_packets -p ICMP -j RETURN

# TCP & UDP

# udp_inbound chain
#
# This chain describes the inbound UDP packets it will accept.
# It's applied to INPUT on the external or Internet interface.
# Note that the stateful settings allow replies.
# These rules are for new requests.
# It drops netbios packets (windows) immediately without logging.

# Drop netbios calls
# Please note that these rules do not really change the way the firewall
# treats netbios connections. Connections from the localhost and
# internal interface (if one exists) are accepted by default.
# Responses from the Internet to requests initiated by or through
# the firewall are also accepted by default. To get here, the
# packets would have to be part of a new request received by the
# Internet interface. You would have to manually add rules to
# accept these. I added these rules because some network connections,
# such as those via cable modems, tend to be filled with noise from
# unprotected Windows machines. These rules drop those packets
# quickly and without logging them. This prevents them from traversing
# the whole chain and keeps the log from getting cluttered with
# chatter from Windows systems.
$IPTABLES -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPTABLES -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP


# Not matched, so return for logging
$IPTABLES -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT


# No match, so ACCEPT
$IPTABLES -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway. Use with care. It defaults to none.
# It's applied on INPUT from the external or Internet interface.


# Not matched, so return so it will be logged
$IPTABLES -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT


# No match, so ACCEPT
$IPTABLES -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

###############################################################################
#
# INPUT Chain
#

echo "|- Process INPUT chain ..."

# Allow all on localhost interface
$IPTABLES -A INPUT -p ALL -i $LOIF -j ACCEPT

# Drop bad packets
$IPTABLES -A INPUT -p ALL -j bad_packets

# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs. The multicast packets have the destination address
# 224.0.0.1. You can accept them. If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them The firewall will drop them here by default to avoid
# cluttering the log. The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default. To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPTABLES -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPTABLES -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

route add -net 239.0.0.0 netmask 255.0.0.0 $LANIF 2> /dev/null
iptables -A INPUT -i $LANIF -s $LAN_NET -d 239.255.255.250 -j ACCEPT
iptables -A INPUT -i $LANIF -p udp --dport 1900 -j ACCEPT
iptables -A INPUT -i $LANIF -p tcp --dport 2869 -j ACCEPT

# Rules for the private network (accessing gateway system itself)
$IPTABLES -A INPUT -p ALL -i $LANIF -s $LAN_NET -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LANIF -d $LAN_BCAST -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $DMZIF -s $DMZ_NET -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $DMZIF -d $DMZ_BCAST -j ACCEPT

# Inbound Internet Packet Rules

# Accept Established Connections
$IPTABLES -A INPUT -p ALL -i $INETIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# Route the rest to the appropriate user chain
$IPTABLES -A INPUT -p TCP -i $INETIF -j tcp_inbound
$IPTABLES -A INPUT -p UDP -i $INETIF -j udp_inbound
$IPTABLES -A INPUT -p ICMP -i $INETIF -j icmp_packets

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPTABLES -A INPUT -p ALL -d 255.255.255.255 -j DROP

# Kill malformed packets

# Block XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# SYN/RST
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN/FIN -- Scan(probably)
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# NMAP FIN Stealth
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j DROP

# ALL/ALL Scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# NMAP Null Scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop invalid packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Drop fragmented packets
$IPTABLES -A INPUT -f -j DROP

# Drop packets with bad tcp flags
$IPTABLES -A INPUT -p tcp --tcp-option 64 -j DROP
$IPTABLES -A INPUT -p tcp --tcp-option 128 -j DROP

# Block ident (auth) requests
$IPTABLES -I INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset

# Block NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# Log packets that still don't match
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "INPUT packet died: "

###############################################################################
#
# FORWARD Chain
#

echo "|- Process FORWARD chain ..."

# Used if forwarding for a private network

# Drop bad packets
$IPTABLES -A FORWARD -p ALL -j bad_packets

$IPTABLES -A FORWARD -p udp -i $INETIF -o $LANIF -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INETIF -o $LANIF -j ACCEPT

# Accept TCP packets we want to forward from internal sources
$IPTABLES -A FORWARD -p tcp -i $LANIF -j tcp_outbound
$IPTABLES -A FORWARD -p tcp -i $DMZIF -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPTABLES -A FORWARD -p udp -i $LANIF -j udp_outbound
$IPTABLES -A FORWARD -p udp -i $DMZIF -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPTABLES -A FORWARD -p ALL -i $LANIF -j ACCEPT
$IPTABLES -A FORWARD -p ALL -i $DMZIF -j ACCEPT

# Deal with responses from the internet
$IPTABLES -A FORWARD -i $INETIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# Anything coming from the Internet should have a real Internet address
$IPTABLES -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 169.254.0.0/16 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 224.0.0.0/4 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 240.0.0.0/5 -j DROP

# Anything coming from our internal network should have only our addresses!
$IPTABLES -A FORWARD -i eth2 -s ! $LAN_NET -j DROP

# Anything coming from our DMZ network should have only our addresses!
$IPTABLES -A FORWARD -i eth1 -s ! $DMZ_NET -j DROP

# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN

# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP

# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP

# Log packets that still don't match
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FORWARD packet died: "

###############################################################################
#
# OUTPUT Chain
#

echo "|- Process OUTPUT chain ..."

# Generally trust the firewall on output

# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LOIF -j ACCEPT

# To internal network
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LANIF -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DMZ_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $DMZIF -j ACCEPT

# To internet
$IPTABLES -A OUTPUT -p ALL -o $INETIF -j ACCEPT

# Log packets that still don't match
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "OUTPUT packet died: "

###############################################################################
#
# nat table
#
###############################################################################

# The nat table is where network address translation occurs if there
# is a private network. If the gateway is connected to the Internet
# with a static IP, snat is used. If the gateway has a dynamic address,
# masquerade must be used instead. There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.

echo "|- Load rules for nat table ..."

###############################################################################
#
# PREROUTING chain
#

echo "|- Transparently proxying all web-surfing through Squid Proxy"
SQUID="192.168.1.1:8080"
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to $SQUID

$IPTABLES -t nat -A PREROUTING -p TCP -i $INETIF -d $INET_IP --dport 80 \
-j DNAT --to-destination $DMZ_SERVER1

###############################################################################
#
# POSTROUTING chain
#

$IPTABLES -t nat -A POSTROUTING -o $INETIF \
-j SNAT --to-source $INET_IP

###############################################################################
#
# mangle table
#
###############################################################################

# The mangle table is used to alter packets. It can alter or mangle them in
# several ways. For the purposes of this generator, we only use its ability
# to alter the TTL in packets. However, it can be used to set netfilter
# mark values on specific packets. Those marks could then be used in another
# table like filter, to limit activities associated with a specific host, for
# instance. The TOS target can be used to set the Type of Service field in
# the IP header. Note that the TTL target might not be included in the
# distribution on your system. If it is not and you require it, you will
# have to add it. That may require that you build from source.

echo "|- Load rules for mangle table ..."

###############################################################################

# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Source NAT to get Internet traffic through
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $INET_IP

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
else
$SYSCTL net.ipv4.conf.all.proxy_arp="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
else
$SYSCTL net.ipv4.conf.all.accept_redirects="0"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi

echo "Firewall Activated"
 
Old 04-25-2005, 03:43 PM   #2
TheLinuxDuck
Member
 
Registered: Sep 2002
Location: Tulsa, OK
Distribution: Slack, baby!
Posts: 349

Rep: Reputation: 33
Re: IPTables port forwarding problem

Quote:
Originally posted by deadlydemon
I've made a firewall script for my network using bits from other scripts i found.
I need to forward some ports (21,22,25,80,110) to my server, but when i use the command
Code:
iptables -A FORWARD -p tcp -i eth0 -d 192.168.2.2 --dport 80 -j ACCEPT
the port does not get forwarded. can any one help me?
This firewall rule is saying:
Allow all TCP packets: -p tcp -j ACCEPT
coming from the eth0 NIC: -i eth0
that are going to the IP address 192.168.2.2: -d 192.168.2.2
on port 80: --dport 80

The only thing that this rules is doing is saying "yes, it's ok to let this packet through".
My impression is that you're thinking "if a packet comes from eth0 for port 80, forward
it to 192.168.2.2", which is not correct.

How many NICS are in this machine? If more than one, which is the internal, which is
the external, etc? Are you trying to accept an internal IP addy from a public IP?
 
Old 04-25-2005, 04:43 PM   #3
deadlydemon
LQ Newbie
 
Registered: Apr 2005
Posts: 2

Original Poster
Rep: Reputation: 0
i hav 3 NICs
eth0 is my internet interface
eth1 is DMZ interface (doesnt really act like a dmz yet)
eth2 is my local lan

I want to forward the ports to the server on the DMZ

I looked on google on more sites on how to forward ports and it says :

iptables -t nat -A PREROUTING -p tcp -d $INET_IP --dport 25 -j DNAT --to $DMZ_SERVER1:80

is this command correct?

thanks for your reply

EDIT:
no worried thanks again for your reply fixed it. USed these commands

$IPTABLES -A FORWARD -p tcp -i $INETIF --destination-port 80 --destination 192.168.2.2 -j ACCEPT

$IPTABLES -t nat -A PREROUTING -p tcp -i $INETIF --destination-port 80 -j DNAT --to-destination 192.168.2.2:80

Last edited by deadlydemon; 04-25-2005 at 05:35 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
IPCHAINS port forwarding and IPTABLES port forwarding ediestajr Linux - Networking 26 01-14-2007 07:35 PM
Iptables -- Port Forwarding slack_baby Linux - Networking 3 06-03-2004 02:29 PM
iptables + NAT + Port forwarding problem SirGertrude Linux - Networking 9 05-14-2004 04:02 AM
iptables and port forwarding jamesws Linux - Networking 0 02-10-2002 06:57 PM
IPTables Port Forwarding Problem delusi0n Linux - Networking 0 10-02-2001 01:34 AM


All times are GMT -5. The time now is 02:34 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration