LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 06-25-2003, 03:27 AM   #31
hampel
Member
 
Registered: Jun 2003
Posts: 62

Rep: Reputation: 15

with

iptables --check <rule>
 
Old 06-25-2003, 03:33 AM   #32
hampel
Member
 
Registered: Jun 2003
Posts: 62

Rep: Reputation: 15
Now it's a windows problem

But don't forget to set the gateway in windows.
 
Old 06-26-2003, 09:08 AM   #33
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Rep: Reputation: 30
When I do: iptables --check
I get: iptables v1.2.7a: Unknown arg '--check'


Also could you provide me with the necessary iptables commands to forward port 3128 from firewall to internal client?

Please help
 
Old 07-01-2003, 12:24 PM   #34
robiewp
LQ Newbie
 
Registered: Feb 2003
Distribution: Redhat 8.0, Slackware
Posts: 25

Original Poster
Rep: Reputation: 15
still nothing

Fresh Red Hat 9 install off of 3 fresh, verified disks. Still nothing works. I can lynx into the web server on the W2K3 machine, so in addition to knowing it's on the network, I know I should be able to get to its web server (running on port 80).

any thoughts!?
 
Old 07-01-2003, 12:30 PM   #35
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Have you made sure you have enabled ip forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

What rules have you added to your iptables now?
 
Old 07-01-2003, 01:17 PM   #36
robiewp
LQ Newbie
 
Registered: Feb 2003
Distribution: Redhat 8.0, Slackware
Posts: 25

Original Poster
Rep: Reputation: 15
I haven't added anything. Just changed the order. I set the first one you listed to 1, but not the second.

"dynaddr"? huh? I haven't messed with this.

FYI I'm now running a static IP.
 
Old 09-15-2003, 07:26 PM   #37
frisket
LQ Newbie
 
Registered: Sep 2003
Location: Ireland
Distribution: RH9
Posts: 16

Rep: Reputation: 2
adding services

Quote:
Originally posted by robiewp
sorry, I hadn't realized I clipped it.

#!/bin/sh
#
# Set an absolute path to IPTABLES and define the interface
Thanks very much for posting that script. With a couple of small
mods it solved my initial problem (lokkit was producing a firewall
that wouldn't let anything on my home network out of the gateway).

Now it's working for people to use browsers and pop mailers, with
the dialup connection being brought up on demand-dial with pppd.

The remaining problems are:

a) what do I need to add to allow specific ports to be opened, eg
I need to allow any computer on the local (trusted) eth0 to be
able to send the server NTP(123) LPD(515) X11(6000) and
IRC(194/6667) packets. Right now these don't seem to get through.
My problem is working out how to phrase the iptables command.

b) something, somewhere, in your script is defeating pppd timeout.
I have it set to die after 900 secs inactivity (my telco's charge
period), but it's staying up. Is there anything in there which
might account for it?

///Peter
 
Old 09-15-2003, 07:56 PM   #38
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Rep: Reputation: 30
Post a copy of your script first so we can see if there's any reason why it's not getting through.
 
Old 09-20-2003, 07:40 PM   #39
frisket
LQ Newbie
 
Registered: Sep 2003
Location: Ireland
Distribution: RH9
Posts: 16

Rep: Reputation: 2
repost of the firewall script with request for help

Quote:
Originally posted by pembo13
Post a copy of your script first so we can see if there's any reason why it's not getting through.
It's the same as originally posted, with the OUTSIDE set to ppp0
and INSIDE set to eth0, but here it is again.

My only problem is I cannot understand either the syntax or the
iptables man page, so I can't work out how to open up additional
ports. If there was a more sensible syntax, like

allow incoming tcp 515 eth0

it might make it easier to set up.

#!/bin/sh
# From http://www.linuxquestions.org/questi...103#post482103
# Set an absolute path to IPTABLES and define the interface
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since
# you'll save the running config with 'iptables-save' for RedHat to reinstate
# at the next boot, IP forwarding must be enabled by something other than this
# script for production use. That's best done by editing /etc/sysctl.conf and
# setting 'net.ipv4.ip_forward = 1'.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# iptables-save >/etc/sysconfig/iptables
#
# When /etc/init.d/iptables executes it will see the file and restore the rules.
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#

# echo 1 > /proc/sys/net/ipv4/ip_forward

IPTABLES="/sbin/iptables"
OUTSIDE=ppp0
INSIDE=eth0
LOOPBACK=lo

#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DOS scenario.
#
# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP

# Use MASQUERADE for the NPAT if you have a dynamic IP. Otherwise comment out
# the following line and use the Source NAT below.
#
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT for the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 192.168.0.2 (the author's local machine,
# not the gateway). The second forwards SSH to 192.168.0.2.
# The third forwards a block of tcp and udp ports (2300-2400) to 192.168.0.2.
#
# Remember that if you intend to forward something you'll also have to add a
# rule in the FORWARD chain to permit the forwarded traffic: a DNAT'd packet is
# routed on to the inside host, so it passes through FORWARD, never INPUT.
# With the FORWARD policy set to ACCEPT above that happens automatically, but
# a default-deny FORWARD chain needs an explicit rule.
#
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 192.168.0.2
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break. The line after it is enabled
# here; keep it only if the inside machines are trustworthy and there are
# services on the firewall, like DNS, web, DHCP etc., that they need to access.
# And remember to change the IP to be that of the INSIDE interface of the firewall.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d 192.168.42.1 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Silently drop any SMB traffic. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux, so block that windows trash.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# The next line allows SSH connections from the Internet to the firewall
# itself. Comment it out if you don't need that.
#
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of permitting the forwarded traffic for the port forwarding examples
# above. These go in the FORWARD chain, not INPUT, because INPUT never sees a
# DNAT'd packet.
#
#$IPTABLES -A FORWARD -i $OUTSIDE -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A FORWARD -i $OUTSIDE -d 192.168.0.2 -p tcp --dport 2300:2400 -j ACCEPT
#$IPTABLES -A FORWARD -i $OUTSIDE -d 192.168.0.2 -p udp --dport 2300:2400 -j ACCEPT
#
# my own additions based on comments from linuxquestions.org
# (the DNAT for HTTP and its matching permit rule in the FORWARD chain)
#
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.2
#$IPTABLES -A FORWARD -i $OUTSIDE -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPTABLES -A INPUT -j firewalled

[eof]
 
Old 09-21-2003, 05:35 AM   #40
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
I can see several large mistakes there...

1st. It looks like you still have the iptables and ipchains services starting at boot... The Lokkit rules came from that service file. Can't do both if you have a script, only one or the other...
do chkconfig --del iptables and chkconfig --del ipchains,
OR
make sure your script never starts but do service iptables save once the rules are loaded, to make sure iptables reads your rules from /etc/sysconfig/iptables when it boots
In either case make sure ipchains is deleted.

2nd. INPUT chain only controls packets which stop on the RH box. FORWARD chain controls what is passed to/from the LAN behind the box, so your last post didn't show any of the FORWARD rules david_ross mentioned a long time ago.

3rd. You MUST do either "echo 1 > /proc/sys/net/ipv4/ip_forward" OR add the comment to /etc/sysctl.conf OR both. It is commented out in your script... (I hope it is an oversight)

4th. The rules for tcp flags and icmp types need to be duplicated for the FORWARD chain to protect the LAN machines.

5th. Please post the rules once they are loaded. This is the crunch information and will say what is required. do iptables-save and they will be printed on the screen, do iptables-save > filename and they will be written to that file.

A last comment, there is a good tutorial for iptables at http://www.linuxquestions.org/questi...n=jump&bmid=10
I recommend you read this to explain how the rule sets work together and you can use the example scripts at the end to base your work on.

Last edited by peter_robb; 09-21-2003 at 05:39 AM.
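The FORWARD-chain half that the script above is missing, as an added example (it is not the thread's script and not peter_robb's code): FORWARD set to default deny, the same TCP-flag and ICMP checks applied to forwarded traffic, LAN-to-Internet connections permitted, and a port forward written as the DNAT plus its matching FORWARD accept (which also covers the port 3128 question from earlier in the thread). It assumes the `tcpflags` and `firewalled` chains created by the script above already exist, and the addresses 192.168.42.0/24 (the LAN behind the script's 192.168.42.1) and 192.168.0.2 (the forwarding target from the script's comments) are assumptions to adjust. The commands are printed rather than executed unless APPLY=1 is set, so the rule set can be reviewed before it touches a live gateway.

```shell
#!/bin/sh
# Added example, not code from the thread: FORWARD-chain rules to go with the
# script above. Dry run (prints commands) unless APPLY=1.
# Assumed: OUTSIDE=ppp0, INSIDE=eth0, LAN=192.168.42.0/24, and that the
# "tcpflags" and "firewalled" chains from the script above already exist.
OUTSIDE=${OUTSIDE:-ppp0}
INSIDE=${INSIDE:-eth0}
LAN=${LAN:-192.168.42.0/24}
IPT=${IPTABLES:-/sbin/iptables}

# rule ARGS...: run one iptables command, or print it in dry-run mode.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# ip_forward_enabled [FILE]: true when the kernel will route between
# interfaces. FILE defaults to the sysctl's /proc entry; passing a path
# lets the check be exercised against an ordinary file.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# sanity_chain CHAIN: the TCP-flag and ICMP checks the script puts in INPUT,
# applied to CHAIN. Calling it for FORWARD protects the LAN hosts too.
sanity_chain() {
    rule -A "$1" -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
    rule -A "$1" -p tcp --tcp-flags ALL ALL -j tcpflags
    rule -A "$1" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
    rule -A "$1" -p tcp --tcp-flags ALL NONE -j tcpflags
    rule -A "$1" -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
    rule -A "$1" -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
    rule -A "$1" -p icmp --icmp-type 0 -j ACCEPT
    rule -A "$1" -p icmp --icmp-type 3 -j ACCEPT
    rule -A "$1" -p icmp --icmp-type 11 -j ACCEPT
    rule -A "$1" -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
    rule -A "$1" -p icmp -j firewalled
}

# forward_rules: default-deny FORWARD, then let replies through and let the
# LAN (only its own address range, so nothing spoofed on eth0 gets out)
# start new connections towards the Internet. The log-and-drop catch-all is
# appended last by main so that port forwards can be added in between.
forward_rules() {
    rule -P FORWARD DROP
    sanity_chain FORWARD
    rule -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$LAN" -m state --state NEW -j ACCEPT
}

# port_forward PROTO PORT HOST: DNAT PORT on the outside interface to HOST and
# permit it in FORWARD. A DNAT'd packet is routed, so it traverses FORWARD
# and never INPUT; an INPUT accept rule does nothing for it.
port_forward() {
    rule -t nat -A PREROUTING -i "$OUTSIDE" -p "$1" --dport "$2" -j DNAT --to "$3"
    rule -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -p "$1" -d "$3" --dport "$2" -m state --state NEW -j ACCEPT
}

main() {
    if ! ip_forward_enabled; then
        echo "warning: net.ipv4.ip_forward is not 1; forwarding will not work" >&2
    fi
    forward_rules
    port_forward tcp 3128 192.168.0.2   # port asked about earlier; host assumed
    port_forward tcp 80 192.168.0.2     # the script's own HTTP example
    rule -A FORWARD -j firewalled       # log and drop everything else
}
main
```

Run it once without APPLY to read the generated rules, then `APPLY=1 sh forward.sh` as root after the thread's script has created the `tcpflags` and `firewalled` chains. The `-s "$LAN"` match on the outbound rule is the anti-spoofing check: a packet arriving on eth0 with a source address outside the LAN range is logged and dropped by the catch-all instead of being masqueraded onto the Internet.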
 
Old 09-21-2003, 04:38 PM   #41
frisket
LQ Newbie
 
Registered: Sep 2003
Location: Ireland
Distribution: RH9
Posts: 16

Rep: Reputation: 2
Quote:
Originally posted by peter_robb
I can see several large mistakes there...
All I've changed is the defs of INSIDE and OUTSIDE, so any mistakes are carried over from the original poster's version...I just copied it.

Quote:
1st. It looks like you still have the iptables and ipchains services starting at boot...
What is the evidence for this? I'm running this on RH9.
This script is run from rc.local. ipchains is not installed.

Quote:
The Lokkit rules came from that service file.
Er, what Lokkit rules? I don't have any Lokkit rules that I'm
aware of.

Quote:
2nd. INPUT chain only controls packets which stop on the RH box. FORWARD chain controls what is passed to/from the LAN behind the box, so your last post didn't show any of the FORWARD rules david_ross mentioned a long time ago.
Probably because I wasn't reading this forum at the time.

Quote:
3rd. You MUST do either "echo 1 > /proc/sys/net/ipv4/ip_forward" OR add the comment to /etc/sysctl.conf OR both. It is commented out in your script... (I hope it is an oversight)
No, deliberate. It's done in the preceding line in rc.local

Quote:
4th. The rules for tcp flags and icmp types need to be duplicated for the FORWARD chain to protect the LAN machines.
As I explained, I don't grok the iptables commands yet.
I have no idea how to do this.

Quote:
5th. Please post the rules once they are loaded. This is the crunch information and will say what is required.
How can it possibly guess what I want to do? The rules are:

# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Table: filter
Chain INPUT (policy DROP)
target prot opt source destination
tcpflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
tcpflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
tcpflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
tcpflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
tcpflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
tcpflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
firewalled icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere salem.silmaril.ie
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
silent udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
firewalled all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain firewalled (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 15/min burst 5 LOG level warning prefix `Firewalled:'
DROP all -- anywhere anywhere

Chain silent (1 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain tcpflags (6 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 15/min burst 5 LOG level warning prefix `TCPflags:'
DROP all -- anywhere anywhere

Quote:
A last comment, there is a good tutorial for iptables at http://www.linuxquestions.org/questi...n=jump&bmid=10
I recommend you read this to explain how the rule sets work together and you can use the example scripts at the end to base your work on.
Excellent, many thanks. But it would be useful to have a worked example to learn with. What is the syntax of the iptables
command which will allow bidirectional tcp traffic on port 515?
 
Old 09-22-2003, 04:31 AM   #42
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
My mistake, they were references to robiewp.
He posted a listing with Lokkit chain names, which shows he is using the /etc/init.d/iptables boot script (called by service iptables start), hence my comments about choosing either the init.d startup OR his script, not BOTH.

And yes, you have inherited the other mistakes...

To print a listing, do iptables-save rather than iptables -L
It gives much more information ...

And as far as port 515 is concerned, where do you want the traffic to go? just to the firewall or to the LAN behind?
The rules are quite different...

Last edited by peter_robb; 10-21-2003 at 08:56 AM.
 
Old 09-22-2003, 05:42 PM   #43
frisket
LQ Newbie
 
Registered: Sep 2003
Location: Ireland
Distribution: RH9
Posts: 16

Rep: Reputation: 2
Quote:
Originally posted by peter_robb
My mistake, they were references to robiewp.
He posted a listing with Lokkit chain names, which shows he is using the /etc/init.d/iptables boot script (called by service iptables start), hence my comments about choosing either the init.d startup OR his script, not BOTH.

And yes, you have inherited the other mistakes...
Cool, thanks, I'll fix them.

Quote:
And as far as port 515 is concerned, where do you want the traffic to go? just to the firewall or to the LAN behind?
The rules are quite different...
Sorry, I didn't explain it properly. In the case of lpd, I just want to
allow all machines on the [trusted] eth0 LAN to send jobs to the
printer which is physically attached to the gateway machine where the firewall is. No requirement to go outside the LAN.

In the cases of half a dozen other ports/protocols, some I need
to be able to take in from the outside, some I need to be able to
initiate from the inside, and some just need to go to the firewall
machine and no further. I've read half a dozen docs on iptables
syntax but they all seem to deal with borderline cases and special
parameters rather than with bog-standard everyday needs like
ssh, lpd, pop3, etc.

P
 
Old 10-21-2003, 09:08 AM   #44
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Sorry for the extended break...

Usually, the LAN segment doesn't need to have rules allowing services. If it does, that's a really tight Policy...
Try...
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 515 -j REDIRECT
iptables -I INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 515 -j ACCEPT

Anything coming to port 515 from the LAN will be redirected to 127.0.0.1.
Anything related or connected from the LAN will be allowed to stay connected. This allows the lpd service to generate DNS queries etc. before connecting the stream.
Anything coming into the firewall itself on port 515 from the LAN will be accepted.
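The cases frisket listed two posts up (services on the gateway reached from the trusted LAN, and services the Internet may reach on the gateway) as an added example; this is not peter_robb's rule set and not code from the thread. It opens the INPUT chain for the ports named in the thread (NTP 123/udp, LPD 515/tcp, X11 6000/tcp, IRC 194 and 6667/tcp) on eth0 and SSH 22/tcp on ppp0, and relies on the script's RELATED,ESTABLISHED rule and OUTPUT ACCEPT policy for the return packets, which is what makes one rule per port "bidirectional". Connections the LAN initiates towards the Internet never touch INPUT; they are routed through the FORWARD chain and are not covered here. Note that the script's own `-A INPUT -i $INSIDE -d 192.168.42.1 -j ACCEPT` already admits everything from the LAN addressed to that IP, so the per-port rules only matter once that blanket rule is removed. The interface names and the placement of the `firewalled` catch-all as the last INPUT rule are assumptions from the script above; commands are printed rather than executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread: open services on the gateway
# itself in the INPUT chain. Dry run (prints commands) unless APPLY=1.
# Assumed: INSIDE=eth0 (trusted LAN), OUTSIDE=ppp0, and that the script from
# the thread is loaded (INPUT policy DROP, RELATED,ESTABLISHED accepted,
# "-A INPUT -j firewalled" as the last rule).
INSIDE=${INSIDE:-eth0}
OUTSIDE=${OUTSIDE:-ppp0}
IPT=${IPTABLES:-/sbin/iptables}

# rule ARGS...: run one iptables command, or print it in dry-run mode.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# valid_port N: true for an integer in 1..65535. Anything else is refused
# before it can reach an iptables command line.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_in IFACE PROTO PORT: accept new connections to PORT on the firewall
# arriving on IFACE. Replies leave through OUTPUT (policy ACCEPT) and later
# packets match the RELATED,ESTABLISHED rule, so this single rule is all
# that "bidirectional tcp traffic on port 515" needs.
allow_in() {
    case $2 in
        tcp|udp) ;;
        *) echo "allow_in: protocol must be tcp or udp, got '$2'" >&2; return 1 ;;
    esac
    if ! valid_port "$3"; then
        echo "allow_in: bad port '$3'" >&2; return 1
    fi
    rule -A INPUT -i "$1" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

# lan_services: the ports named in the thread, reachable only from eth0.
# X11 in particular must never be opened on the outside interface.
lan_services() {
    allow_in "$INSIDE" udp 123    # NTP
    allow_in "$INSIDE" tcp 515    # LPD, printer attached to the gateway
    allow_in "$INSIDE" tcp 6000   # X11
    allow_in "$INSIDE" tcp 194    # IRC, both ports the post mentions
    allow_in "$INSIDE" tcp 6667
}

# wan_services: what the Internet may reach on the firewall. Keep it short.
wan_services() {
    allow_in "$OUTSIDE" tcp 22    # SSH, which the script already allows
}

main() {
    # Append after the existing rules, then put the log-and-drop catch-all
    # back so it stays last. (-D fails harmlessly if the rule is absent.)
    rule -D INPUT -j firewalled
    lan_services
    wan_services
    rule -A INPUT -j firewalled
}
main
```

Binding each rule to an interface rather than to "anywhere" is the point: the same port opened with `-i eth0` and with `-i ppp0` are two different decisions, and the listing posted above (`ACCEPT tcp -- anywhere anywhere tcp dpt:ssh`) shows how an interface-less rule reads once loaded.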
 
  

