Iptables w/port forwarding

claytonj25 · 12-19-2001, 01:29 PM

Hello everyone. I'm a extreme linux newbie. I've known of linux for years but never fooled with it. Here's my question/problem. I have a friend that is fairly knowledgeable with linux and I waited to setup a firewall using Red Hat 7.2. Well he went through the install and showed me things I understood things I didn't. He got the iptable script up and running. I'm on a DHCP cable modem so we used a DHCP script. So far so good my clients could get the net and so on. We setup port forwarding and it worked for 1 1/2 days now I can't seem to get it working again. Here's my script I hope someone cann help me out. I got this from Linuxhelp.net and made my IP adjustments.
Thanks...

#!/bin/sh

IPTABLES="/sbin/iptables"

#Time to clean house

#Clear out any existing firewall rules, and any chains that might have
#been created
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

#Setup our policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
#echo 1 > /proc/sys/net/ipv4/ip_forward

#Our actual rules

#Our NAT stuff

#Source NAT everything heading out the eth0 (external) interface to be the
#given IP. If you have a dynamic ip or a DHCP ip that changes
#semi-regularly, comment this and uncomment the second line
#
#Remember to change the ip address to your static ip
#
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#These are port-forwarding examples for several different cases.
#These map the specified ports to the specified ip address.
#
#This one maps port 80 to 192.168.1.40. Anything incoming over eth0 to
#the server will be redirected invisibly to port 80 on 192.168.1.40
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.40
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to 192.168.1.40
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 3379 -j DNAT --to 192.168.1.40
#
#These two redirect a block of ports, in both udp and tcp.
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to 192.168.1.1
#$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to 192.168.1.1

#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPTABLES -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPTABLES -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPTABLES -A badflags -j DROP

#And our silent logging chain
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

#Accept ourselves (loopback interface), 'cause we're all warm and friendly
$IPTABLES -A INPUT -i lo -j ACCEPT

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall

#Accept SSH connections from everywhere.
#Uncomment this if you're running SSH and want to be able to access it
#from the outside world.
#
#$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT

#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Uncomment to drop port 137 netbios packets silently. We don't like
#that netbios stuff, and it's #way too spammy with windows machines on
#the network.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent

#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
$IPTABLES -A INPUT -j dropwall

raz · 12-21-2001, 06:49 AM

ok try this:

delete the lines in your script that say:
ps. I assume the ip address of the internal system can be pinged from the firewall its self.

#This one maps port 80 to 192.168.1.40. Anything incoming over eth0 to
#the server will be redirected invisibly to port 80 on 192.168.1.40
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.40
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to 192.168.1.40
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 3379 -j DNAT --to 192.168.1.40
#

change to:

# ok to have -d 0/0 as long as you have eth0 as the card connected to the internet and not virtual ip addresses on the same card.
$IPTABLES -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 3379 -j ACCEPT
# forward bit
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.1.40:80
# only works with passive FTP not active.
iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth0 -j DNAT --to 192.168.1.40:21
iptables -t nat -A PREROUTING -p tcp --dport 3379 -i eth0 -j DNAT --to 192.168.1.40:3379

That's it.
/Raz

claytonj25 · 12-21-2001, 07:30 AM

Thanks Raz.

How secure is that script? I also need to open up a few ports for online gaming. Can you help with that? This is all so new to me and I'm learning more everyday.

Thanks!

raz · 12-21-2001, 09:14 AM

it's not secure.
Basically if your http or ftp service on the remote system has a security bug then it needs to be patched.

If you setup your script correctly then as long as you don't host the games, you should be able to connect to online game servers with stateful firewall inspection and NAT.

/Raz

claytonj25 · 12-21-2001, 09:23 AM

Do you know where I can get a sample strong script? I'd like to see one so I can try to figure this stuff out. Since I'm a

Thanks for your help on this.

raz · 12-21-2001, 10:32 AM

Ok here's a secure script I wrote for one of my test systems.
Please note I've only just started using iptables.

but it's secure as far as I can see, if anyone can spot something I've missed please tell me.

# internet
INET_IP="198.81.129.100"
INET_IFACE="eth0"
# internal
LAN_IP="192.168.0.2"
LAN_IFACE="eth1"
LAN_SUB=”192.168.0/24”
# DNS's
DNS1=”198.6.1.202”
DNS2=”198.6.2.203”
iptables -F
iptables -X
iptables -F -t nat
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max
/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ipt_owner
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
# MASQ for eth0 to outside
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $INET_IP
echo ”NAT enabled for internal network on eth0"
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -p igmp -j DROP
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 8080 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 8
echo ”Priority delay set for DNS"
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
# drop nasty flags:
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix “BAD FLAG !! L1"
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix “BAD FLAG !! L2"
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix “BAD FLAG !! L3"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix “BAD FLAG !! L4"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix “BAD FLAG !! L5"
# SYN flood stuff
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG --log-level info --log-prefix “SYN Flood stopped “
iptables -A syn-flood -j DROP
# Drop Private
iptables -A INPUT -i eth0 -p tcp --sport 1:1024 --dport 1:1024 -j LOG --log-level info --log-prefix “PRIVATE PORT L1”
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1:1024 -j LOG --log-level info --log-prefix “PRIVATE PORT L2”
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 6000 -j LOG --log-level info --log-prefix “PRIVATE X PORT “
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1:1024 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 1:1024 --dport 1:1024 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 1:1024 --dport 6000 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 6000 -j DROP
# SYN dropped
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-level info --log-prefix “SYN DROPPED “
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# spoofing protection
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix “FAKE CLASS C”
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix “FAKE CLASS A “
iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix “FAKE CLASS B “
iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix “FAKE CLASS C “
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix “FAKE CLASS A “
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix “FAKE CLASS B “
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 255.255.255.255 -j LOG --log-level info --log-prefix “FAKE CLASS E “
iptables -A INPUT -i eth0 -s 255.255.255.255 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-level info --log-prefix “FAKE LOCAL 127 “
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
iptables -A INPUT -i eth0 -s 248.0.0.0/5 -j DROP
iptables -A INPUT -i eth0 -f -j LOG --log-level info --log-prefix “PACKET FRAGMENTED “
iptables -A INPUT -i eth0 -f -j DROP
# full access to eth1 nic
iptables -A INPUT -p ALL -i eth1 -s $LAN_SUB -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_SUB -j ACCEPT
# The weakest link
iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Active FTP
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS1 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS2 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT
# ICMP
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type required-option-missing -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type ip-header-bad -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type source-route-failed -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
# Deny ICMP types inbound
iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type protocol-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type port-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type fragmentation-needed -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-unknown -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type communication-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-precedence-violation -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type precedence-cutoff -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type source-quench -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level info --log-prefix “PING REQUEST “
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-transit -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-request -j DROP

claytonj25 · 12-21-2001, 10:37 AM

One more question then I'll leave you alone for now. I'm on a DHCP cable modem how would I setup the script for that?

Thanks

I've got plenty to play with over the holidays.

pofoyz · 12-22-2001, 01:49 AM

thanks !

raz · 12-22-2001, 08:30 AM

ok last question, I'm off for a few days for Xmas.

Replace the line that says:

# internet
INET_IP="198.81.129.100"

with............

INET_IP="`/sbin/ifconfig eth0 2> /dev/null | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

That will get your DHCP ip address.

/Raz