LinuxQuestions.org

Source thread: https://www.linuxquestions.org/questions/linux-server-73/nat-server-with-iptables-p-forward-set-to-drop-problem-644155/

Ronin_tekorei 05-22-2008 07:02 PM

Nat server with iptables -P FORWARD set to DROP problem
 
Hello to all of you out there :D

I have modified my iptables rules to block everything and then added rules to open services.
Here goes my config.
Code:

#!/bin/bash

#WAN side values
WAN_IP="my_public_ip"
WAN_DEV="eth0"

#LAN side values
LAN_IP1="192.168.1.1"
LAN_IP2="192.168.2.1"
LAN_IP3="192.168.3.1"
LAN_NET1="192.168.1.0/24"
LAN_NET2="192.168.2.0/24"
LAN_NET3="192.168.3.0/24"
LAN_DEV="eth1"

#Old rules flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

##Packets forward
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "ip_forward done"

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo "Drop politics done"

##Accept conections related, established
iptables -A INPUT -i $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT

##Drop Invalid packages
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

##Loopback free
iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -j ACCEPT
echo "loopback done"

##SSH from cdeonline.net
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p udp --dport 22 -j ACCEPT

##ICMP traffic allow for LAN, and only ping for WAN
iptables -A INPUT -i $LAN_DEV -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i $LAN_DEV -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -p icmp --icmp-type any -j ACCEPT

iptables -A INPUT -i $WAN_DEV -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o $WAN_DEV -p icmp --icmp-type 8 -j ACCEPT
echo "icmp done"

##Allow all trafic to the server from and to internal network
iptables -A INPUT -i $LAN_DEV -s $LAN_NET1 -j ACCEPT
iptables -A INPUT -i $LAN_DEV -s $LAN_NET2 -j ACCEPT
iptables -A INPUT -i $LAN_DEV -s $LAN_NET3 -j ACCEPT

iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET1 -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET2 -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET3 -j ACCEPT
echo "Trafic to and from internal lan done"

##Now lets open some ports :)

##Free for test
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -s 192.168.1.250 -j ACCEPT
iptables -A FORWARD -i $WAN_DEV -o $LAN_DEV -d 192.168.1.250 -j ACCEPT
echo "Free"
iptables -A INPUT -p tcp --dport 55043 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 55043 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo "  free torrent done"
iptables -A INPUT -p tcp --dport 18603 -j ACCEPT
iptables -A INPUT -p udp --dport 48117 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 18603 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
iptables -t nat -A PREROUTING -p udp --dport 48117 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo "  free emule done"
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p tcp --dport 5900 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5900 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo "  free vnc done"
echo "  free test done"

##MSN
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 1863 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 1863 -j ACCEPT
##File Transfer
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 6891:6910 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 6891:6910 -j ACCEPT

##Yahoo Messenger
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5050 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 5050 -j ACCEPT

#AIM
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5190 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5190 -j ACCEPT
echo "MSN, Yahoo Messenger and AIM done"

##http
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 8008 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 8080 -j ACCEPT

##https
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 443 -j ACCEPT
echo "http and https done"

##ftp
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 20 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 21 -j ACCEPT
echo "ftp done"

##ssh
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 22 -j ACCEPT
echo "ssh done"

##smtp
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 25 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 465 -j ACCEPT
echo "smtp done"

##kerberos
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 88 -j ACCEPT
echo "kerberos done"

##pop2 y pop3
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 109 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 110 -j ACCEPT
echo "pop2 and pop3 done"

##imap4
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 143 -j ACCEPT
echo "imap4 done"
##P2P trafic drop
iptables -A FORWARD -m ipp2p --ipp2p -j LOG --log-prefix "p2p-traffic: "
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
echo "p2p done"

##PING
# "$" added before LAN_DEV: without it iptables matches a literal interface named "LAN_DEV", so the rule never fires
iptables -A FORWARD -i $LAN_DEV -p icmp --icmp-type any -j ACCEPT

##Transparent squid
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET3 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "squid done"

##Masquerade of internal trafic going to internet
iptables -t nat -A POSTROUTING -s $LAN_NET1 -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -s $LAN_NET2 -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -s $LAN_NET3 -j SNAT --to-source $WAN_IP
echo "SNAT done"

But the NAT does not work, and I don't understand why. What am I doing wrong? All the ports for browsing and messenger are open, but it only works if I set -P FORWARD to ACCEPT. Can anyone help me please?

SonJelfn 05-22-2008 07:22 PM

Hello,

I don't see anything particularly wrong with your script. I'll give it a guess and ask you to replace this line

Code:

iptables -t nat -A POSTROUTING -s $LAN_NET1 -j SNAT --to-source $WAN_IP
with this

Code:

iptables -t nat -A POSTROUTING -s $LAN_NET1 -o $WAN_DEV -j SNAT --to-source $WAN_IP
For all your SNATting lines.

You could also make your FORWARD lines more lenient. Changing this:

Code:

iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 22 -j ACCEPT
for just this:

Code:

iptables -A FORWARD -i $LAN_DEV -p tcp --dport 22 -j ACCEPT

See if that works for you.

Good luck
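Editor's added example (not code from either poster): a small first-match simulator for iptables chains, written in Python so it runs offline without a kernel. It models a cut-down version of the FORWARD chain from the first post under the same `-P FORWARD DROP` policy and shows the property the thread turns on: with a DROP policy, every forwarded flow needs an explicit ACCEPT, and the posted chain has rules for HTTP, mail and IM but none for DNS (port 53). A LAN client that resolves names through an external resolver therefore has its queries fall through to the policy, which matches the symptom that everything works only once the policy is ACCEPT (a resolver running on the gateway itself would still be reachable, since `INPUT -i $LAN_DEV` is accepted). The same simulator also checks the reply's suggestion of adding `-o $WAN_DEV` to the SNAT rules: without it, traffic from one LAN subnet to another that leaves through eth1 is rewritten to the public address as well. Interface names are the thread's; the addresses 203.0.113.10, 198.51.100.x and 192.168.x.20 are constructed documentation-range values, and the per-port rule list is a subset of the original script.

```python
# Added example: first-match simulator for iptables filter/nat chains.
# Not from the thread; the rule set below is a subset of the posted script.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

WAN_DEV, LAN_DEV = "eth0", "eth1"
WAN_IP = "203.0.113.10"  # constructed placeholder, not the poster's real address


@dataclass(frozen=True)
class Packet:
    in_dev: str
    out_dev: str
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    state: str = "NEW"         # conntrack state as "-m state" sees it


@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT, DROP, SNAT, ...
    in_dev: Optional[str] = None             # -i
    out_dev: Optional[str] = None            # -o
    proto: Optional[str] = None              # -p
    src: Optional[str] = None                # -s host or CIDR
    dst: Optional[str] = None                # -d host or CIDR
    dport: Optional[Tuple[int, int]] = None  # --dport lo:hi
    states: Optional[FrozenSet[str]] = None  # -m state --state

    def matches(self, p: Packet) -> bool:
        """Every specified match must hold; unspecified matches are wildcards."""
        if self.in_dev is not None and p.in_dev != self.in_dev:
            return False
        if self.out_dev is not None and p.out_dev != self.out_dev:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and (p.dport is None or not self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def verdict(chain: List[Rule], policy: str, p: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule decides, else the policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


def port(n: int) -> Tuple[int, int]:
    return (n, n)


# FORWARD chain from the first post (state rules, the "free" host, then per-port
# ACCEPTs for IM, web, ftp, ssh, mail). Note: no rule for DNS (53) anywhere.
FORWARD: List[Rule] = [
    Rule("ACCEPT", in_dev=WAN_DEV, states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", in_dev=LAN_DEV, states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("DROP", states=frozenset({"INVALID"})),
    Rule("ACCEPT", in_dev=LAN_DEV, out_dev=WAN_DEV, src="192.168.1.250"),
    Rule("ACCEPT", in_dev=WAN_DEV, out_dev=LAN_DEV, dst="192.168.1.250"),
] + [
    Rule("ACCEPT", in_dev=LAN_DEV, out_dev=WAN_DEV, proto="tcp", dport=port(d))
    for d in (1863, 5050, 5190, 80, 8008, 8080, 443, 20, 21, 22, 25, 465, 88, 109, 110, 143)
]


def forward(p: Packet) -> str:
    """Verdict of the posted FORWARD chain with its DROP policy."""
    return verdict(FORWARD, "DROP", p)


# POSTROUTING SNAT rule for LAN_NET1 as posted (no -o) and as the reply suggests (-o $WAN_DEV).
SNAT_NO_ODEV: List[Rule] = [Rule("SNAT", src="192.168.1.0/24")]
SNAT_WITH_ODEV: List[Rule] = [Rule("SNAT", src="192.168.1.0/24", out_dev=WAN_DEV)]


def snat_applied(chain: List[Rule], p: Packet) -> bool:
    """True when the nat chain would rewrite this packet's source to WAN_IP."""
    return verdict(chain, "ACCEPT", p) == "SNAT"


if __name__ == "__main__":
    web = Packet(LAN_DEV, WAN_DEV, "tcp", "192.168.1.20", "198.51.100.5", 80)
    dns = Packet(LAN_DEV, WAN_DEV, "udp", "192.168.1.20", "198.51.100.53", 53)
    lan2lan = Packet(LAN_DEV, LAN_DEV, "tcp", "192.168.1.20", "192.168.2.20", 445)
    print("HTTP from LAN client:", forward(web))          # ACCEPT
    print("DNS from LAN client: ", forward(dns))          # DROP (falls to policy)
    print("SNAT on LAN->LAN, no -o:  ", snat_applied(SNAT_NO_ODEV, lan2lan))    # True
    print("SNAT on LAN->LAN, with -o:", snat_applied(SNAT_WITH_ODEV, lan2lan))  # False
```

The check to carry over to a real box is the same one the simulator performs: list every flow the LAN needs (DNS, NTP and the like, not just the application ports) and confirm each has a matching ACCEPT in FORWARD before relying on a DROP policy; `iptables -L FORWARD -v -n` shows which rules are actually matching packets, and a rising policy-drop counter with no matching rule is the tell-tale of a missing entry.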

