linux + iptables + port forwarding
I'm currently using an old Celeron machine with a Linux base system (Ubuntu/Debian) installed that I have a USB 3G modem and an Atheros wireless card installed in.
Along with this I have Squid installed on the machine and have iptables rules in place for transparent proxying.
This machine connects automatically to the 3G service and shares it via wireless, and uses Squid to cache and also block certain web content.
I am currently trying to port forward from the WAN to an IP on the LAN and so far it is not working at all.
Also, the syslog entries for the rejected packets don't make sense.
This is the iptables script I have in place (it works fine for everything else except port forwarding):
Jun 15 03:50:03 ares kernel: [807508.564585] IN: IN=br0 OUT=ppp0 PHYSIN=wlan0 SRC=192.168.3.4 DST=220.233.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=24 DPT=58186 WINDOW=5792 RES=0x00 ACK SYN URGP=0
I have been thinking of using iptables-restore instead of my above script, but for the most part it has been working fine.
Can someone please take a look and tell me what rules I need to add/change/delete to allow the port forwarding to work?
Also, if someone could give me any advice on some better rules to use (e.g. specifying default rules of DROP and then ACCEPTing what I need).
My question is about port forwarding.
Thanks for your input though.
I think you have a lot more rules in there than you really need and that something is causing a rule conflict. Please post the output of iptables -L to list the rules that are executing and in what order. With iptables, order is important. Consider starting with a clean slate. If your rules are saved and loaded at reboot, you can temporarily clear things with an iptables -F command.
Here is what I am currently using on one of my servers:
# Accept replies to connections the server itself started
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allowed services: ssh, http, and DNS over both tcp and udp
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Answer ICMP echo requests (ping) sent to the server's own address
-A INPUT -d 126.96.36.199/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Anything not accepted above is dropped
-A INPUT -j DROP
One thing to keep in mind is that most services will be off by default, and while it may be safer to strictly prohibit them, it may not be necessary. For example, by default the server won't respond to pings, but I enabled it with the second-to-last line.
I said that order is important because the last line in my script is to drop the traffic. This causes all traffic that has not been explicitly allowed ABOVE that rule to be dropped. In order to perform the port routing to an internal server you will need to do a couple of things:
1 - open the port if you specifically disabled ports, like I did above
2 - configure the forwarding in iptables. You have -t nat -A POSTROUTING -o ppp0 -j MASQUERADE. This is a generic way to blanket translate connections to internal IP addresses. It may be too generic for your purposes. Try something along the lines of:
iptables -t nat -I PREROUTING -d <wanip> -j DNAT --to <lanip>
iptables -t nat -I POSTROUTING -s <lanip> -j SNAT --to <wanip>
3 - enable IPv4 forwarding, which you did.
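Added example (not from either poster, and not the original poster's script, which is not on the page): the three steps above put together as one iptables-restore ruleset for the setup described in the question, a 3G link on ppp0 shared to a bridge br0, Squid as transparent proxy, default DROP policies, and one TCP port forwarded to a LAN host. The interface names come from the logged packet (IN=br0, OUT=ppp0); the LAN subnet 192.168.3.0/24, the target host 192.168.3.4 (the SRC in that log line), the forwarded port 22, the Squid port 3128, and the services opened on the LAN side (ssh, DNS, DHCP) are assumptions for this example. Two checks it builds in that a practitioner would want: the logged packet is a SYN/ACK from the LAN host heading back out ppp0, which reads as the reply half of a forwarded connection, and with a default DROP FORWARD chain that packet only passes if a RELATED,ESTABLISHED rule sits before any LOG/DROP rule; and the DNAT rule is bound to -i ppp0 while the Squid REDIRECT is bound to -i br0, so the proxy rule can never capture traffic arriving from the WAN.

```sh
#!/bin/sh
# Added example (not from the thread): generate and load a complete
# iptables-restore ruleset for a 3G-sharing box with a Squid transparent
# proxy and one forwarded TCP port. Every value below is an assumption.
WAN_IF=${WAN_IF:-ppp0}               # 3G modem link (OUT= in the logged packet)
LAN_IF=${LAN_IF:-br0}                # bridge carrying wlan0 (IN= in the logged packet)
LAN_NET=${LAN_NET:-192.168.3.0/24}   # assumed LAN subnet
FWD_HOST=${FWD_HOST:-192.168.3.4}    # assumed LAN host that receives the forward
FWD_PORT=${FWD_PORT:-22}             # assumed forwarded TCP port
SQUID_PORT=${SQUID_PORT:-3128}       # Squid's default listening port, assumed

# Print the ruleset in iptables-restore format. Order matters: the conntrack
# ACCEPT rules come before every LOG/DROP, the DNAT rule is bound to the WAN
# interface, and the Squid REDIRECT is bound to the LAN interface.
pf_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent proxy: only web traffic from LAN clients goes to the local Squid
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Port forward: connections arriving on the 3G link for $FWD_PORT land on the LAN host
-A PREROUTING -i $WAN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $FWD_HOST:$FWD_PORT
# LAN traffic leaving via 3G takes whatever address ppp0 currently has
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services offered to LAN clients only (assumed): ssh, DNS, DHCP, Squid
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
# Reply half of every forwarded connection in either direction, including the
# SYN/ACK the LAN host sends back toward a WAN client
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN out to the Internet
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# From the WAN only the DNATed port may reach the LAN; everything else is logged and dropped
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $FWD_HOST --dport $FWD_PORT -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Load the ruleset atomically (replaces the nat and filter tables, leaves
# mangle untouched) and enable forwarding. Needs root and the iptables tools.
pf_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "pf_apply: must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    pf_ruleset | iptables-restore
}

case "${1:-}" in
    apply) pf_apply ;;
    # iptables-restore --test parses the ruleset without loading it (also needs root)
    check) pf_ruleset | iptables-restore --test && echo "ruleset parses" ;;
    *)     pf_ruleset ;;
esac
```

Run it with no argument to see the generated ruleset, with check to have iptables-restore parse it without loading, and with apply to load it. To test a forward, watch for FWD-DROP entries in syslog: a dropped SYN/ACK from the LAN host means the RELATED,ESTABLISHED rule is missing or sits below a DROP, while a dropped inbound SYN from the WAN means the DNAT rule in the nat table is not matching.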