heeeeeelp! :( (packet forwarding)
I <JUST> realised my firewall was ridiculously insecure.... I'm forwarding connections to a certain port to an internal machine, on a per-host basis... HOWEVER, this port forwarding doesn't seem to match the host at all! Relevant setup:

$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 41265 -j DNAT --to 192.168.1.37
$IPTABLES -A INPUT -i $EXT_IF -s $ANY -j ext_in
$IPTABLES -A ext_in -p tcp --dport 41265 -m state --state NEW -j custom_rule
$IPTABLES -A custom_rule -s 135.113.9.64 -j ACCEPT
$IPTABLES -A custom_rule -j DROP

Can someone tell me what I've done wrong? Clients connect to <<myip>>:41265 and EVERYONE is forwarded to 192.168.1.37 ... ... ... Thanks in advance for your help :)
Quote:
$IPTABLES -t nat -A PREROUTING

The above part of the command selects the PREROUTING entry from the nat table.

-i $EXT_IF
using the interface defined by $EXT_IF

-p tcp --dport 41265
directed at the TCP port 41265

-j DNAT --to 192.168.1.37
take this connection and DNAT it to the IP specified.

You'll notice you haven't done any -s or -d flags (source and destination), so my question to you is, how did you expect it to NOT forward everyone to that port? Try something like:

$IPTABLES -t nat -A PREROUTING -p tcp --dport 41265 -s $ALLOWED_IP -i $EXT_IF -j DNAT --to $DESTINATION_IP:41265

and substitute as many entries as you think you'll need for $ALLOWED_IP
Quote:
I restrict by IP there... but if it doesn't go through that chain I guess I'll have to add all the IPs in there.....
Nope, the order is loosely:

Prerouting->Input->Forward->Output->PostRouting

Prerouting and Postrouting are ALWAYS used, the others are obviously optional depending on the connection.

J
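As an added example (not code from any poster in this thread), a small POSIX shell function that emits a per-source port-forward rule set: DNAT only for the listed sources, matching ACCEPT rules in FORWARD (the chain a DNATed packet bound for another host actually traverses, rather than INPUT), and a final DROP for anyone else reaching the forwarded service. It prints the commands by default; the interface name, addresses and port used in the test are assumptions taken from the thread's setup.

```shell
#!/bin/sh
# Added example: restrict a DNAT port forward to a set of allowed source addresses.
# Prints the iptables commands by default; set IPTABLES=/sbin/iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# gen_forward_rules EXT_IF DEST_IP PORT ALLOWED_IP...
gen_forward_rules() {
    ext_if=$1; dest=$2; port=$3; shift 3
    for src in "$@"; do
        # Only translate packets that come from an allowed source...
        $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p tcp -s "$src" --dport "$port" \
            -j DNAT --to-destination "$dest:$port"
        # ...and let that source through FORWARD, where DNATed traffic is filtered
        # (a packet rewritten to an internal host never reaches the INPUT chain).
        $IPTABLES -A FORWARD -i "$ext_if" -p tcp -s "$src" -d "$dest" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Belt and braces: any other new connection aimed at the forwarded service is
    # dropped in FORWARD, e.g. if a broader DNAT rule is added later by mistake.
    $IPTABLES -A FORWARD -i "$ext_if" -p tcp -d "$dest" --dport "$port" \
        -m state --state NEW -j DROP
}
```

Traffic from a non-listed source is not translated at all, so it ends up in INPUT; that chain's existing policy must still not accept the port.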