LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-05-2004, 04:49 PM   #1
MadTurki
Member
 
Registered: Nov 2003
Location: Toronto
Distribution: RedHat 9, Mandrake 10, OS X
Posts: 114

Rep: Reputation: 15
Question Simple Port Forwarding Firewall - not forwarding


I've only been using RedHat for about 6 months. I have read a lot about IP tables but I'm not confident that I can say "I know iptables". I've tried gShield, Firestarter, Guarddog... Other independantly made scripts... And I cant get this to work. Stop traffic, yes! But what I want is to forward my incoming port 80 requests to another machine. I have a dual-homed system with static IPs running Redhat 9 or Fedora Core 1... Take your pic! I really need to get this up and I really appreciate any definite help. Again, I have no problem blocking services or allowing telnet to that machine or using it as a gateway. The only problem is using it to forward port requests. Thanks again for your help!

MadTurki
 
Old 01-05-2004, 04:54 PM   #2
Dewar
Member
 
Registered: Sep 2003
Location: Washington State
Distribution: SuSE 8.0, SuSE 9.0, Slack 9.1
Posts: 90

Rep: Reputation: 15
I think the command you want is:

iptables -A PREROUTING -p tcp --dport 80 -j DNAT --to <insert webserver ip here>

Hopefully that helps.

-Dewar
 
Old 01-05-2004, 04:57 PM   #3
MadTurki
Member
 
Registered: Nov 2003
Location: Toronto
Distribution: RedHat 9, Mandrake 10, OS X
Posts: 114

Original Poster
Rep: Reputation: 15
I tried that but had no luck... I'll post the iptables file I was using ->

Quote:
# Generated by iptables-save v1.2.8 on Mon Jan 5 15:52:38 2004
*nat
:PREROUTING ACCEPT [36:3374]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:70]
-A POSTROUTING -o eth0 -j SNAT --to-source X.X.X.X
-A PREROUTING --dst X.X.X.X -p tcp -j DNAT --to-destination 192.168.1.12
COMMIT
# Completed on Mon Jan 5 15:52:38 2004
# Generated by iptables-save v1.2.8 on Mon Jan 5 15:52:38 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
kay - [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.1.4 -i lo -j ACCEPT
-A INPUT -s X.X.X.X -i lo -j ACCEPT
-A INPUT -d 192.168.1.255 -i eth1 -j ACCEPT
-A INPUT -d X.X.X.X -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 2401 -j okay
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
-A OUTPUT -s X.X.X.X -j ACCEPT
COMMIT
# Completed on Mon Jan 5 15:52:38 2004
 
Old 01-05-2004, 04:58 PM   #4
MadTurki
Member
 
Registered: Nov 2003
Location: Toronto
Distribution: RedHat 9, Mandrake 10, OS X
Posts: 114

Original Poster
Rep: Reputation: 15
Okay so, that line you suggested wasn't in that one... But I swear it was there! I'll try it again.. Please keep suggestions coming though!
 
Old 01-05-2004, 10:55 PM   #5
borodimer
LQ Newbie
 
Registered: Nov 2003
Posts: 13

Rep: Reputation: 0
Do you have ip_forward enabled?
Code:
cat /proc/sys/net/ipv4/ip_forward
If that is set to 0, then it is disabled and needs to be enabled.
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
 
Old 01-06-2004, 11:39 AM   #6
MadTurki
Member
 
Registered: Nov 2003
Location: Toronto
Distribution: RedHat 9, Mandrake 10, OS X
Posts: 114

Original Poster
Rep: Reputation: 15
I thought I'd done the echo 1 /proc/.../ip_forward thing but I discovered that when I do a "service network restart" it resets that to a 0. And it didn't work without restarting it either. I replaced the 7th line with the one you suggested Dewar but still no luck. Could this be a network settings problem? Do I need to add a route somewhere maybe?
 
Old 01-06-2004, 12:25 PM   #7
Dewar
Member
 
Registered: Sep 2003
Location: Washington State
Distribution: SuSE 8.0, SuSE 9.0, Slack 9.1
Posts: 90

Rep: Reputation: 15
Hmmm, it can't be your default gateway on the firewall, because you still have traffic going through, right....?

Oh, I know! I forgot to put something in the command I wrote. Try....

iptables -A PREROUTING -i <put external interface here> -p tcp --dport 80 -j DNAT --to <insert webserver ip here>
(example: iptables -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.12)

And if that doesn't work, try changing the -A to a -I to add the rule at the start of the chain.

-Dewar

Edit: Another silly question.... Is apache turned on?
Second Edit: Also, maybe the default gateway on the webserver is wrong?

Last edited by Dewar; 01-06-2004 at 12:32 PM.
 
Old 01-06-2004, 01:04 PM   #8
MadTurki
Member
 
Registered: Nov 2003
Location: Toronto
Distribution: RedHat 9, Mandrake 10, OS X
Posts: 114

Original Poster
Rep: Reputation: 15
Still no... Not with -A or -I. I'm not running Apache on the firewall. It is running on 1.12 though and I can access it with lynx to the local IP of the web server. My dg on the ext. nic is correct. On the internal nic I dont have one specified but I have a route for 192.168.1.0 to the other (windows) gateway.
 
Old 04-02-2006, 09:53 AM   #9
redmap
LQ Newbie
 
Registered: Apr 2006
Posts: 7

Rep: Reputation: 0
Did you ever get it working? Could you post how?
 
Old 04-03-2006, 08:19 AM   #10
abhi.b
LQ Newbie
 
Registered: Apr 2006
Posts: 12

Rep: Reputation: 0
Check this out if it helps....

##################################################
iptables -F -t nat

Then fire this rule --

iptables -I PREROUTING -p tcp -d {IP-on-external-interface} --dport 80 -j DNAT --to {local-ip} -t nat

iptables -I FORWARD -j ACCEPT -t filter
 
Old 04-07-2006, 08:06 AM   #11
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by redmap
Did you ever get it working? Could you post how?
i don't know if he got it working, but this is done like this (main commands are in bold, while the rest is provided for completeness):
Code:
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

iptables -F -t nat
iptables -X -t nat

iptables -F FORWARD
iptables -P FORWARD DROP

iptables -A -t nat PREROUTING -p TCP -i $WAN_IFACE --dport 80 \
-j DNAT --to-destination 192.168.1.12

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE \
--dport 80 -d 192.168.1.12 -m state --state NEW -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward

Last edited by win32sux; 04-07-2006 at 08:09 AM.
 
Old 04-09-2006, 01:05 AM   #12
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 210

Rep: Reputation: 30
take a look at the script... it should serve u... change as your need..

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson &lt;blueflux@koffein.net&gt;
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#

###########################################################################
#
# 1. Configuration options.
#

###########################################################################
#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

###########################################################################
#
# Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################
#
# Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

###########################################################################
#
# IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc


###########################################################################
#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IP's
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# The allowed chain for TCP connections
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

# nondocumented commenting out of these rules
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

##########################
# INPUT chain
#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

###############################
# OUTPUT chain
#
#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
 
Old 04-09-2006, 04:11 AM   #13
jshonk
LQ Newbie
 
Registered: Apr 2006
Posts: 6

Rep: Reputation: 0
Script

I build a file to port my machines. (ie prtfwd) thin chmod 775, install it in my rc.local
(ie /usr/sbin/prtfwd) this way you can tinker with it and make changes without having to disturb the main rule and restart it all the time. It looks like this.

Code:
/usr/sbin/iptables -A FORWARD -i eth0 -p udp --dport 27950:27970 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp -d 0.0.0.0 --dport 27950:27970 -j DNAT --to-destination 192.168.0.2:27950-27970

/usr/sbin/iptables -A FORWARD -i eth0 -p tcp --dport 6890:6896 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d 0.0.0.0 --dport 6890:6896 -j DNAT --to-destination 192.168.0.2:6890-6896

/usr/sbin/iptables -A FORWARD -i eth0 -p tcp --dport 6699 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d 0.0.0.0 --dport 6699 -j DNAT --to-destination 192.168.0.2:6699

/usr/sbin/iptables -A FORWARD -i eth0 -p udp --dport 6257 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp -d 0.0.0.0 --dport 6257 -j DNAT --to-destination 192.168.0.2:6257
Of course the 0.0.0.0 is your out side ip, notice the ports that look like 27650:27970, a range of ports or single. Works good for me. Great if you have a lan party and want to host several games on different ports or machiens. Hope this helps
 
Old 04-09-2006, 09:33 AM   #14
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 210

Rep: Reputation: 30
I also did the same thing... i modified the script and now i only execute the file. no restart. it depends on your need and practice... do some editing in the script. use a service iptables save and then service iptables restart at the bottom of the script... that i used to do...
 
Old 04-09-2006, 12:08 PM   #15
jshonk
LQ Newbie
 
Registered: Apr 2006
Posts: 6

Rep: Reputation: 0
Script

Yea thats why I 775 it. So now I just /usr/sbin/prtfwd when I make a change. But its a good idea to put it in the rc.local that way if ya reboot it's there
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH port forwarding through a firewall linuxLuser Linux - Networking 1 07-14-2005 11:29 PM
Firewall + port forwarding question tomammon Linux - Security 4 09-27-2004 11:39 PM
Simple enough...iptables..port forwarding pembo13 Linux - Networking 4 07-19-2003 02:08 AM
How can I do simple port forwarding on RH9? yetalu Linux - Networking 4 07-14-2003 07:44 PM
firewall port forwarding manthram Linux - Networking 0 04-01-2002 07:08 PM


All times are GMT -5. The time now is 09:36 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration