Ronin_tekorei |
05-22-2008 07:02 PM |
Nat server with iptables -P FORWARD set to DROP problem
Hello to all of you out there :D
I have modify mi iptables rules to block everything and later set the rules to open services.
Here goes my config.
Code:
#!/bin/bash
#WAN side values
WAN_IP="my_public_ip"
WAN_DEV="eth0"
#LAN side values
LAN_IP1="192.168.1.1"
LAN_IP2="192.168.2.1"
LAN_IP3="192.168.3.1"
LAN_NET1="192.168.1.0/24"
LAN_NET2="192.168.2.0/24"
LAN_NET3="192.168.3.0/24"
LAN_DEV="eth1"
#Old rules flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
##Packets forward
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "ip_forward done"
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo "Drop politics done"
##Accept conections related, established
iptables -A INPUT -i $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
##Drop Invalid packages
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
##Loopback free
iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -j ACCEPT
echo "loopback done"
##SSH from cdeonline.net
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p udp --dport 22 -j ACCEPT
##ICMP traffic allow for LAN, and only ping for WAN
iptables -A INPUT -i $LAN_DEV -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i $LAN_DEV -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i $WAN_DEV -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o $WAN_DEV -p icmp --icmp-type 8 -j ACCEPT
echo "icmp done"
##Allow all trafic to the server from and to internal network
iptables -A INPUT -i $LAN_DEV -s $LAN_NET1 -j ACCEPT
iptables -A INPUT -i $LAN_DEV -s $LAN_NET2 -j ACCEPT
iptables -A INPUT -i $LAN_DEV -s $LAN_NET3 -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET1 -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET2 -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET3 -j ACCEPT
echo "Trafic to and from internal lan done"
##Now lets open some ports :)
##Free for test
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -s 192.168.1.250 -j ACCEPT
iptables -A FORWARD -i $WAN_DEV -o $LAN_DEV -d 192.168.1.250 -j ACCEPT
echo "Free"
iptables -A INPUT -p tcp --dport 55043 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 55043 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo " free torrent done"
iptables -A INPUT -p tcp --dport 18603 -j ACCEPT
iptables -A INPUT -p udp --dport 48117 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 18603 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
iptables -t nat -A PREROUTING -p udp --dport 48117 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo " free emule done"
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p tcp --dport 5900 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5900 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo " free vnc done"
echo " free test done"
##MSN
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 1863 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 1863 -j ACCEPT
##File Transfer
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 6891:6910 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 6891:6910 -j ACCEPT
##Yahoo Messenger
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5050 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 5050 -j ACCEPT
#AIM
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5190 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5190 -j ACCEPT
echo "MSN, Yahoo Messenger and AIM done"
##http
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 8008 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 8080 -j ACCEPT
##https
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 443 -j ACCEPT
echo "http and https done"
##ftp
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 20 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 21 -j ACCEPT
echo "ftp done"
##ssh
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 22 -j ACCEPT
echo "ssh done"
##smtp
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 25 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 465 -j ACCEPT
echo "smtp done"
##kerberos
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 88 -j ACCEPT
echo "kerberos done"
##pop2 y pop3
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 109 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 110 -j ACCEPT
echo "pop2 and pop3 done"
##imap4
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 143 -j ACCEPT
echo "imap4 done"
##P2P trafic drop
iptables -A FORWARD -m ipp2p --ipp2p -j LOG --log-prefix "p2p-traffic: "
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
echo "p2p done"
##PING
iptables -A FORWARD -i LAN_DEV -p icmp --icmp-type any -j ACCEPT
##Transparent squid
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET3 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "squid done"
##Masquerade of internal trafic going to internet
iptables -t nat -A POSTROUTING -s $LAN_NET1 -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -s $LAN_NET2 -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -s $LAN_NET3 -j SNAT --to-source $WAN_IP
echo "SNAT done"
but the nat does not work, i don't understand, What am i doing wrong? all the port to navigate and messenger are open, but it only works if i put the -P FORWARD to ACCEPT. Can anyone help me please?
|