LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-29-2003, 04:00 AM   #1
kelper
Member
 
Registered: Jan 2003
Posts: 77

Rep: Reputation: 15
Question NAT can't redirect from firewall


I am running Mandrake 9.1 and iptables.
I have 3 network cards:
1st one is eth0 --- dial-up (PPPoE), connects to the internet
2nd one is eth0 --- 10.121.64.x (internal network)
3rd one is eth0 --- 192.168.x.x (DMZ)
I want to set up a PC in the DMZ as a web server (open port 80):
192.168.x.x:80 mapped to 202.169.x.x:80
I have set the rules below, but there is a problem: outsiders can't connect to this PC. Is it correct?

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Table: filter
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 10.121.64.0/23 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- 10.121.64.0/23 anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT icmp -- anywhere skhlmc
ACCEPT tcp -- anywhere skhlmc tcp dpt:ssh
ACCEPT udp -- anywhere skhlmc udp dpt:ssh
ACCEPT tcp -- anywhere skhlmc tcp dpt:http

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.121.64.0/23 anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere skhlmc
ACCEPT all -- anywhere skhlmc

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere skhlmc tcp dpt:http to:192.168.0.100:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- 192.168.0.100 anywhere tcp dpt:http to:203.169.x.x
MASQUERADE all -- 10.121.64.0/23 anywhere
MASQUERADE all -- 192.168.0.0/24 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Old 07-30-2003, 11:18 AM   #2
kelper
Member
 
Registered: Jan 2003
Posts: 77

Original Poster
Rep: Reputation: 15
The firewall script is shown below. Is it correct?
THX

#!/bin/sh
echo "Firewall Starting..."
echo 1 > /proc/sys/net/ipv4/ip_forward

modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

EXT_INTERFACE="eth0"
INT_INTERFACE="eth1"
DMZ_INTERFACE="eth2"
INT_ADDRESS="10.121.64.0/255.255.254.0"
DMZ_ADDRESS="192.168.0.0/255.255.255.0"
Real_EXT_IP="203.169.x.x"
ANY="0.0.0.0/0"
BROADCAST_DEST="255.255.255.255"

## Default Policy ####

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

## Clear previous settings
iptables -F
iptables -t nat -F
iptables -t mangle -F

###############
echo "INPUT Policy"
########## INPUT #######################################
iptables -A INPUT -i $EXT_INTERFACE -s $INT_ADDRESS -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_INTERFACE -s $INT_ADDRESS -d $ANY -j ACCEPT
iptables -A INPUT -i $DMZ_INTERFACE -s $DMZ_ADDRESS -d $ANY -j ACCEPT


########### ALLOW INCOMING PORT ###########################

iptables -A INPUT -p icmp -s $ANY -d $Real_EXT_IP -j ACCEPT
iptables -A INPUT -p tcp -s $ANY -d $Real_EXT_IP --dport 22 -j ACCEPT
iptables -A INPUT -p udp -s $ANY -d $Real_EXT_IP --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s $ANY -d $Real_EXT_IP --dport 80 -j ACCEPT

echo "FORWARD Policy"
############ FORWARD ######################################
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INT_INTERFACE -s $INT_ADDRESS -d $ANY -j ACCEPT
iptables -A FORWARD -i $DMZ_INTERFACE -s $DMZ_ADDRESS -d $ANY -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s $DMZ_ADDRESS -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s $INT_ADDRESS -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s $ANY -d $Real_EXT_IP -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s $ANY -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s $ANY -d 10.121.64.1 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -s $ANY -d $Real_EXT_IP --dport 80 -j DNAT --to 192.168.0.100:80
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.100 -d $ANY --dport 80 -j SNAT --to $Real_EXT_IP:80

######## REDIRECT #################
######## Transparent Proxy ###############
#iptables -t nat -A PREROUTING -i $INT_INTERFACE -p tcp -s $INT_ADDRESS -d ! 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i $DMZ_INTERFACE -p tcp -s $DMZ_ADDRESS -d ! 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 3128


######## Many-to-one NAT ##############

iptables -t nat -A POSTROUTING -j MASQUERADE -s $INT_ADDRESS -d $ANY -o ppp0
iptables -t nat -A POSTROUTING -j MASQUERADE -s $DMZ_ADDRESS -d $ANY -o ppp0
echo "Firewall Done."
 
Old 07-30-2003, 04:40 PM   #3
Half_Elf
LQ Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 46
Well,
everything looks good to me, but your notation is strange; maybe it creates bugs?
I mean that $ANY should be 0/0 instead of 0.0.0.0/0, and I doubt that iptables will take this: "Real_EXT_IP="203.169.x.x"

Also, this is very strange:
INT_ADDRESS="10.121.64.0/255.255.254.0"
DMZ_ADDRESS="192.168.0.0/255.255.255.0"

It should be this instead:
INT_ADDRESS="10.121.64.255/255.255.254.0"
DMZ_ADDRESS="192.168.0.255/255.255.255.0"


'Cept that, I can't see any mistakes. Try this and give me news.
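The part of this setup that the thread does not spell out is the order in which netfilter processes a port-forwarded packet: nat/PREROUTING rewrites the destination first, and filter/FORWARD then sees the packet with the DMZ address, not the public one, so a FORWARD rule matching -d $Real_EXT_IP never accepts the forwarded connection and the DROP policy applies. The following is an added example, not kelper's script or Half_Elf's suggestion; it assumes the PPPoE link is ppp0, the DMZ web server is 192.168.0.100 on eth2, and uses a placeholder public address. By default it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example for this thread (not the posted script). Assumptions: the PPPoE
# link is ppp0 (the script's EXT_INTERFACE="eth0" is the physical NIC, but the
# NATed traffic arrives on ppp0), the DMZ web server is 192.168.0.100 on eth2,
# and PUBLIC_IP is a placeholder for the real PPPoE address.
# With the default IPT the rules are printed instead of applied; run with
# IPT=iptables as root to append them after the policy/flush section.
IPT="${IPT:-echo iptables}"
EXT_IF="ppp0"
DMZ_IF="eth2"
WEB_SERVER="192.168.0.100"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder, not a real address

dmz_web_rules() {
    # 1. nat/PREROUTING runs before the routing decision: rewrite the
    #    destination so the kernel routes the packet towards the DMZ host.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUBLIC_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # 2. filter/FORWARD sees the packet AFTER DNAT, so it must match the DMZ
    #    address and the single port that is published. Matching on the public
    #    address here never hits, and the FORWARD DROP policy wins.
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m state --state NEW -j ACCEPT
    # 3. Replies are un-NATed by conntrack on the way back; no SNAT rule on the
    #    return path is needed, and one that forces source port 80 breaks the
    #    web server's own outbound HTTP connections.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

dmz_web_rules
```

Only port 80 towards the one DMZ host is opened from the outside; everything else from ppp0 still falls through to the DROP policy.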