Old 12-02-2008, 10:44 AM   #1
albertvd
Distribution: openSUSE / Fedora / Ubuntu
Fedora 9 Port forwarding


Hello,

I have an IP camera behind my firewall which I want to access from another network segment.

The firewall is configured as follows:
eth0: 192.168.1.1 (internal)
eth1: 192.168.0.254 (external)

The camera IP is 192.168.1.2.

My iptables configuration looks as follows:
Code:
# Generated by iptables-save v1.3.5 on Tue Dec  2 15:01:57 2008
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Dec  2 15:01:57 2008
# Generated by iptables-save v1.3.5 on Tue Dec  2 15:01:57 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 10002 -j DNAT --to-destination 192.168.1.2:10002 
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Completed on Tue Dec  2 15:01:57 2008
# Generated by iptables-save v1.3.5 on Tue Dec  2 15:01:57 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i eth0 -j input_int 
-A INPUT -i eth1 -j input_ext 
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options 
-A INPUT -j DROP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -i eth0 -j forward_int 
-A FORWARD -i eth1 -j forward_ext 
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options 
-A FORWARD -j DROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options 
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT 
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT 
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT 
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT 
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT 
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT 
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT 
-A forward_ext -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -d 192.168.1.2 -p tcp -m limit --limit 3/min -m tcp --dport 10002 -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-REVMASQ " --log-tcp-options --log-ip-options 
-A forward_ext -d 192.168.1.2 -p tcp -m tcp --dport 10002 -j ACCEPT 
-A forward_ext -s 192.168.1.2 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_ext -m pkttype --pkt-type multicast -j DROP 
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options 
-A forward_ext -j DROP 
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT 
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT 
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT 
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT 
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT 
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT 
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT 
-A forward_int -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -d 192.168.1.2 -p tcp -m limit --limit 3/min -m tcp --dport 10002 -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-REVMASQ " --log-tcp-options --log-ip-options 
-A forward_int -d 192.168.1.2 -p tcp -m tcp --dport 10002 -j ACCEPT 
-A forward_int -s 192.168.1.2 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A forward_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_int -m pkttype --pkt-type multicast -j DROP 
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options 
-A forward_int -j DROP 
-A input_ext -m pkttype --pkt-type broadcast -j DROP 
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT 
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 10000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 10000 -j ACCEPT 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 10001 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 10001 -j ACCEPT 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 10002 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 10002 -j ACCEPT 
-A input_ext -p udp -m udp --dport 22401 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func 
-A input_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_ext -m pkttype --pkt-type multicast -j DROP 
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options 
-A input_ext -j DROP 
-A input_int -j ACCEPT 
-A reject_func -p tcp -j REJECT --reject-with tcp-reset 
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable 
-A reject_func -j REJECT --reject-with icmp-proto-unreachable 
COMMIT
# Completed on Tue Dec  2 15:01:57 2008
When accessing 192.168.0.254:10002 the following entry is made in the log:
Code:
Dec  2 16:32:52 MANA kernel: SFW2-FWDint-ACC-REVMASQ IN=eth1 OUT=eth0 SRC=192.168.0.100 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37623 DF PROTO=TCP SPT=3640 DPT=10002 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
No connection is made to the camera, but when accessing the camera directly on 192.168.1.2:10002 it works fine.

I'm using Fedora 9.
Code:
# uname -a:
Linux server.site 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

# iptables ---version
iptables v1.4.0: Unknown arg `---version'
Try `iptables -h' or 'iptables --help' for more information.
Any assistance will be greatly appreciated.

Albert
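The script below is an added example, not code from the original post. It shows the minimum a DNAT port forward on this topology needs in order to carry traffic, and how to read the SFW2 log line above to tell which half of the path is working. It takes the interface names, addresses and port from the post; the only thing it adds beyond the posted rules is a `-d 192.168.0.254` match on the DNAT rule so that only packets addressed to the external IP are rewritten. It prints the iptables commands rather than applying them, so it runs without root, and the log line it parses is the one quoted above, embedded as test input.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post.
# Topology from the post: eth1 = 192.168.0.254 (external),
# eth0 = 192.168.1.1 (internal), camera 192.168.1.2:10002.
# The rules are printed, not applied, so no root is needed.
# The SFW2 log line below is the one quoted in the post, reused as input.

EXT_IF=eth1
INT_IF=eth0
EXT_IP=192.168.0.254
CAM_IP=192.168.1.2
CAM_PORT=10002

SAMPLE_LOG='Dec  2 16:32:52 MANA kernel: SFW2-FWDint-ACC-REVMASQ IN=eth1 OUT=eth0 SRC=192.168.0.100 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37623 DF PROTO=TCP SPT=3640 DPT=10002 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)'

# Print the rules for one TCP port forward.
# Arguments: ext_if int_if ext_ip cam_ip port
#  - nat/PREROUTING rewrites the destination before routing, so the
#    filter/FORWARD rule must match the post-DNAT address ($cam_ip),
#    exactly as the "-d 192.168.1.2" rules in the posted dump do.
#  - DNAT is limited to packets addressed to $ext_ip (the posted rule
#    matches any destination arriving on $ext_if).
#  - Replies from the camera are accepted only as ESTABLISHED,RELATED.
dnat_rules() {
    ext_if=$1
    int_if=$2
    ext_ip=$3
    cam_ip=$4
    port=$5
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $cam_ip:$port
iptables -A FORWARD -i $ext_if -o $int_if -d $cam_ip -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int_if -o $ext_if -s $cam_ip -p tcp --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Return 0 when IPv4 forwarding is on. Reads the given file (default: the
# live sysctl) so it can also be checked against a constructed file.
# With forwarding off a packet never reaches the FORWARD chain at all.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Pull one KEY=VALUE field out of a netfilter LOG line read from stdin.
log_field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Say whether a LOG line shows the packet after DNAT, leaving on the
# internal interface towards the camera ("dnat-ok"), or not ("no-dnat").
# A "dnat-ok" line with no connection means the SYN left the firewall,
# so the remaining suspect is the return path: the camera must route its
# reply to the client back through the firewall's internal address, or
# conntrack never un-DNATs it and the handshake stalls.
classify_fw_log() {
    line=$1
    dst=$(printf '%s\n' "$line" | log_field DST)
    out=$(printf '%s\n' "$line" | log_field OUT)
    if [ "$dst" = "$CAM_IP" ] && [ "$out" = "$INT_IF" ]; then
        echo dnat-ok
    else
        echo no-dnat
    fi
}

# Stand-alone run: print the rule set and the two checks.
dnat_rules "$EXT_IF" "$INT_IF" "$EXT_IP" "$CAM_IP" "$CAM_PORT"
if ip_forward_enabled; then
    echo "ip_forward: on"
else
    echo "ip_forward: off or unreadable (sysctl -w net.ipv4.ip_forward=1)"
fi
echo "log line: $(classify_fw_log "$SAMPLE_LOG")"
```

Two things worth checking against the post itself. First, the logged line carries IN=eth1 but the prefix SFW2-FWDint, while in the posted dump eth1 traffic is sent to forward_ext (prefix SFW2-FWDext); the dump also reads "iptables-save v1.3.5" although the installed binary reports v1.4.0, and it was taken at 15:01 while the log line is from 16:32. So the rules in force when the line was logged were not the ones shown; compare with a fresh `iptables-save` on the running box before reasoning about the saved file. Second, DST=192.168.1.2 and OUT=eth0 in that line show DNAT and routing had already happened, and with MASQUERADE only on eth1 the camera sees the client's real address 192.168.0.100, so it needs a route for that reply via 192.168.1.1.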
 
Old 12-02-2008, 10:52 AM   #2
albertvd
Original Poster
After a reboot it is working fine now. Don't know what was wrong.
 
  

