LinuxQuestions.org
Old 05-22-2008, 07:02 PM   #1
Ronin_tekorei
Member
 
Registered: May 2006
Distribution: Fedora
Posts: 57

Rep: Reputation: 15
Nat server with iptables -P FORWARD set to DROP problem


Hello to all of you out there

I have modified my iptables rules to block everything and then set rules to open services.
Here goes my config.
Code:
#!/bin/bash

#WAN side values
WAN_IP="my_public_ip"
WAN_DEV="eth0"

#LAN side values
LAN_IP1="192.168.1.1"
LAN_IP2="192.168.2.1"
LAN_IP3="192.168.3.1"
LAN_NET1="192.168.1.0/24"
LAN_NET2="192.168.2.0/24"
LAN_NET3="192.168.3.0/24"
LAN_DEV="eth1"

#Old rules flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

##Packets forward
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "ip_forward done"

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo "Drop policies done"

##Accept conections related, established
iptables -A INPUT -i $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT

##Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

##Loopback free
iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -j ACCEPT
echo "loopback done"

##SSH from cdeonline.net
# (SSH is TCP only; the udp rule below never matches real SSH traffic)
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p udp --dport 22 -j ACCEPT

##ICMP traffic allowed from the LAN, and only ping from the WAN
iptables -A INPUT -i $LAN_DEV -p icmp --icmp-type any -j ACCEPT
# Note: this next rule accepts *all* input arriving on the LAN interface, not just
# ICMP, which makes the per-subnet INPUT rules further down redundant.
iptables -A INPUT -i $LAN_DEV -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -p icmp --icmp-type any -j ACCEPT

iptables -A INPUT -i $WAN_DEV -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o $WAN_DEV -p icmp --icmp-type 8 -j ACCEPT
echo "icmp done"

##Allow all traffic to the server from and to the internal network
iptables -A INPUT -i $LAN_DEV -s $LAN_NET1 -j ACCEPT
iptables -A INPUT -i $LAN_DEV -s $LAN_NET2 -j ACCEPT
iptables -A INPUT -i $LAN_DEV -s $LAN_NET3 -j ACCEPT

iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET1 -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET2 -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET3 -j ACCEPT
echo "Traffic to and from internal lan done"

##Now lets open some ports :)
# Note: nothing in this script permits DNS (udp/tcp 53) through FORWARD, so LAN
# hosts can only resolve names via this server itself (INPUT from the LAN is
# accepted above); lookups sent to an outside resolver are dropped by the policy.

##Free for test
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -s 192.168.1.250 -j ACCEPT
iptables -A FORWARD -i $WAN_DEV -o $LAN_DEV -d 192.168.1.250 -j ACCEPT
echo "Free"
# DNAT'd packets are routed to 192.168.1.250 and traverse FORWARD, never INPUT,
# so the INPUT rules below do nothing for the forwarded flows; they only open
# those ports on the server itself. The two FORWARD rules above for .250 are
# what actually let the DNAT'd traffic through.
iptables -A INPUT -p tcp --dport 55043 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 55043 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo "  free torrent done"
iptables -A INPUT -p tcp --dport 18603 -j ACCEPT
iptables -A INPUT -p udp --dport 48117 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 18603 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
iptables -t nat -A PREROUTING -p udp --dport 48117 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo "  free emule done"
# The -s restriction here is on INPUT only; the DNAT below has no -s, and the
# FORWARD rule for .250 accepts any source, so VNC on .250 is reachable from
# any WAN address, not just xxx.xxx.xxx.xxx.
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p tcp --dport 5900 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5900 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo "  free vnc done"
echo "  free test done"

##MSN
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 1863 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 1863 -j ACCEPT
##File Transfer
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 6891:6910 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 6891:6910 -j ACCEPT

##Yahoo Messenger
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5050 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 5050 -j ACCEPT

#AIM
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5190 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5190 -j ACCEPT
echo "MSN, Yahoo Messenger and AIM done"

##http
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 8008 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 8080 -j ACCEPT

##https
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 443 -j ACCEPT
echo "http and https done"

##ftp
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 20 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 21 -j ACCEPT
echo "ftp done"

##ssh
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 22 -j ACCEPT
echo "ssh done"

##smtp
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 25 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 465 -j ACCEPT
echo "smtp done"

##kerberos
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 88 -j ACCEPT
echo "kerberos done"

##pop2 and pop3
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 109 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 110 -j ACCEPT
echo "pop2 and pop3 done"

##imap4
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 143 -j ACCEPT
echo "imap4 done"
##P2P traffic drop
iptables -A FORWARD -m ipp2p --ipp2p -j LOG --log-prefix "p2p-traffic: "
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
echo "p2p done"

##PING
# Fixed: the original line was missing the "$" on LAN_DEV, so it matched an
# interface literally named "LAN_DEV" and never fired.
iptables -A FORWARD -i $LAN_DEV -p icmp --icmp-type any -j ACCEPT

##Transparent squid
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET3 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "squid done"

##Masquerade internal traffic going to the internet
iptables -t nat -A POSTROUTING -s $LAN_NET1 -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -s $LAN_NET2 -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -s $LAN_NET3 -j SNAT --to-source $WAN_IP
echo "SNAT done"
But the NAT does not work. I don't understand, what am I doing wrong? All the ports for browsing and messenger are open, but it only works if I set -P FORWARD to ACCEPT. Can anyone help me please?
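A way to stop guessing which rule is missing, added here as an example and not part of the original post: make a LOG rule the last rule in FORWARD so every packet about to fall through to the DROP policy is written to the kernel log, then summarise those lines by interface, protocol and destination port. The log lines in the block are constructed in the netfilter LOG format (interface names taken from the script, addresses from documentation ranges), not captured from the poster's box. One thing that is certain from the posted script is that no FORWARD rule permits port 53, so if the LAN clients resolve names through an outside server, DPT=53 is what this summary will show at the top.

```shell
#!/bin/bash
# Added example: triage what a DROP policy on FORWARD is discarding.
#
# Step 1 (run as root on the gateway; NOT executed by this script): append a
# LOG rule as the very last FORWARD rule, rate-limited so a flood cannot fill
# the log:
#   iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FWD-DROP: " --log-level 4
#
# Step 2: feed the resulting kernel log lines to summarize_drops.
# The lines below are CONSTRUCTED samples in the netfilter LOG format.
SAMPLE_LOG='
May 22 19:10:01 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=208.67.222.222 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
May 22 19:10:01 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.2.7 DST=208.67.220.220 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=51235 DPT=53 LEN=40
May 22 19:10:02 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40000 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
May 22 19:10:03 gw kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.250 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=33333 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
May 22 19:10:04 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.3.4 DST=198.51.100.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
'

# Read log lines on stdin; count dropped packets per (IN, OUT, PROTO, DPT)
# and print the busiest combination first. For ICMP there is no DPT, so the
# ICMP type is used in its place.
summarize_drops() {
    awk '
    /FWD-DROP:/ {
        in_if = ""; out_if = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")    in_if  = kv[2]
            if (kv[1] == "OUT")   out_if = kv[2]
            if (kv[1] == "PROTO") proto  = kv[2]
            if (kv[1] == "DPT")   dpt    = kv[2]
            if (kv[1] == "TYPE" && proto == "ICMP") dpt = "type" kv[2]
        }
        key = in_if " " out_if " " proto " " dpt
        n[key]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Stand-alone run: summarise the constructed sample.
# On a real gateway: grep 'FWD-DROP:' /var/log/messages | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

The first column is the drop count; a line like `2 eth1 eth0 UDP 53` reads as "two packets from the LAN side, headed out the WAN, UDP to port 53", which maps directly to the FORWARD rule that is absent. Inbound lines (`IN=eth0 OUT=eth1`) are usually just the policy doing its job and can be ignored.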
 
Old 05-22-2008, 07:22 PM   #2
SonJelfn
Member
 
Registered: Aug 2003
Location: Sendai, Japan
Distribution: Slackware, Slackware64, Debian
Posts: 63

Rep: Reputation: 16
Hello,

I don't see anything particularly wrong with your script. I'll give it a guess and ask you to replace this line

Code:
iptables -t nat -A POSTROUTING -s $LAN_NET1 -j SNAT --to-source $WAN_IP
with this

Code:
iptables -t nat -A POSTROUTING -s $LAN_NET1 -o $WAN_DEV -j SNAT --to-source $WAN_IP
For all your SNATting lines.

You could also make your FORWARD lines more lenient. Changing this:

Code:
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 22 -j ACCEPT
to just this:

Code:
iptables -A FORWARD -i $LAN_DEV -p tcp --dport 22 -j ACCEPT

See if that works for you.

Good luck

Last edited by SonJelfn; 05-22-2008 at 07:24 PM. Reason: other thoughts
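SonJelfn's two suggestions carried into a complete FORWARD/NAT rule set, as an added example that is neither the poster's script nor SonJelfn's literal text: the SNAT lines carry `-o $WAN_DEV`, the conntrack accept comes first without an `-i` qualifier so one rule covers replies in both directions, the per-service lines are grouped with `multiport`, and port 53 is permitted outbound, which the posted script never does. Whether that omission is the actual cause in this thread depends on where the LAN clients resolve names, which the thread does not say. `WAN_IP` is an assumed placeholder from a documentation range, the port lists are the ones the posted script opens, and `DRY_RUN=1` (the default) prints the commands instead of applying them so the set can be reviewed on a box without iptables or root.

```shell
#!/bin/bash
# Added example: a gateway rule set that keeps "-P FORWARD DROP" and still
# lets the LAN reach the services the thread's script opens. Not the poster's
# script; differences from it are commented. DRY_RUN=1 prints each command,
# DRY_RUN=0 executes it (needs root and iptables).

WAN_DEV="eth0"
LAN_DEV="eth1"
WAN_IP="198.51.100.10"                      # assumed placeholder public address
LAN_NETS="192.168.1.0/24 192.168.2.0/24 192.168.3.0/24"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_forward_and_nat() {
    ipt -P FORWARD DROP

    # Conntrack first. With no -i, this single rule admits the replies of
    # every flow accepted below, whichever side they come back from.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP

    for net in $LAN_NETS; do
        # DNS. The thread's script opens nothing on port 53 in FORWARD, so a
        # client that resolves through an outside server gets no answers.
        ipt -A FORWARD -i "$LAN_DEV" -o "$WAN_DEV" -s "$net" -p udp --dport 53 -j ACCEPT
        ipt -A FORWARD -i "$LAN_DEV" -o "$WAN_DEV" -s "$net" -p tcp --dport 53 -j ACCEPT

        # The TCP services the posted script opens one line at a time,
        # grouped with multiport (at most 15 ports per rule; a range counts 2).
        ipt -A FORWARD -i "$LAN_DEV" -o "$WAN_DEV" -s "$net" -p tcp \
            -m multiport --dports 20,21,22,25,80,88,109,110,143,443,465,8008,8080 -j ACCEPT
        # Instant messaging (MSN, Yahoo, AIM) and MSN file transfer.
        ipt -A FORWARD -i "$LAN_DEV" -o "$WAN_DEV" -s "$net" -p tcp \
            -m multiport --dports 1863,5050,5190,6891:6910 -j ACCEPT
        ipt -A FORWARD -i "$LAN_DEV" -o "$WAN_DEV" -s "$net" -p udp --dport 6891:6910 -j ACCEPT
        ipt -A FORWARD -i "$LAN_DEV" -o "$WAN_DEV" -s "$net" -p icmp --icmp-type 8 -j ACCEPT

        # SonJelfn's point: key the SNAT on the outgoing interface, so only
        # packets that really leave via the WAN get their source rewritten.
        # A rule keyed on -s alone would also rewrite anything this box ever
        # forwards back out the LAN side, e.g. between the three subnets.
        ipt -t nat -A POSTROUTING -s "$net" -o "$WAN_DEV" -j SNAT --to-source "$WAN_IP"
    done

    # Last rule: record what the DROP policy is about to discard, rate-limited.
    ipt -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FWD-DROP: "
}

build_forward_and_nat
```

Run it once with `DRY_RUN=1` and read the printed commands top to bottom: order matters in iptables, and the conntrack accept has to come before any per-service rule or return traffic for the first accepted connection will reach the LOG rule and the policy. The logging rule at the end is what makes a `-P FORWARD DROP` policy debuggable instead of silent.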
 
  

