LinuxQuestions.org


jgtg32a 12-08-2007 01:38 AM

IPtables Forward to Lan, and other Q
 
I may have figured out what my big problem is, but I still want to ask.

Not gonna lie, I didn't write this. I got it from here http://iptables-tutorial.frozentux.n...-tutorial.html; it was the DHCP example, but DHCP made me cry so I just used a static IP.

I got most everything working; I'm having one big problem and a few questions.
                       FIREWALL             Server
##########          ######   ######         ######
#Internet#<-------->#Eth1#<->#Eth0#<------->#Eth0#
##########          ######   ######         ######

This is my basic setup. Currently most everything works, except that anything from the internet doesn't have access to the server. I run Wireshark on all interfaces (2 on the FW and 1 on the server) and watch traffic; connections from the server can go to the web and traffic comes back, happy day. I don't have a web server up on the server, just SSH, not really important though. I can SSH into the server from the server itself, and from the firewall only if I use the server's IP; if I try to SSH into the server from the internet it doesn't work. (It doesn't matter that, when I say internet, I mean I use the IP of eth1 on the FW, or the server does it.)

That's my real problem: Wireshark shows no traffic when I try it from the internet. There are a few other questions inside the code itself. I think I may have figured it out, but I've been doing this all day and I'm going to bed.

-Thank you so much for any help you can provide.


Code:

#!/bin/sh
WAN="eth1" #To internet, DHCP assigned by ISP

LAN_IP="192.168.8.1" #the firewall's own eth0 address; placeholder value, the post only gave the network 192.168.8.0, which no packet ever carries as its source
LAN_IP_RANGE="192.168.8.0/24" #was /254, which is not a valid prefix length; /24 covers 192.168.8.0-255
LAN="eth0" #to my "server" static IP of 192...103 (the # needs a space before it, otherwise sh treats the rest of the line as part of the command)

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/sbin/iptables"

echo "1" > /proc/sys/net/ipv4/ip_forward #proc conf

#start from empty tables so re-running the script doesn't append duplicate rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F

#default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#User Tables
#$IPTABLES -N bad_tcp_packets #still trying to fully understand this table
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
#I don't understand this rule; from what I can tell it rejects all TCP packets
#(it matches only packets with both SYN and ACK set that conntrack still considers NEW, i.e. the
# second half of a handshake for a connection the firewall never saw start; a normal new
# connection arrives as a plain SYN and is not matched)

#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A allowed -p TCP --syn -j ACCEPT #allow TCP with SYN set
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT #allow current connections
$IPTABLES -A allowed -p TCP -j DROP #drop everything else?

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed #TCP connection on these ports

$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #DNS replies; note this accepts any unsolicited UDP with source port 53, real replies are already covered by the ESTABLISHED,RELATED rule in INPUT below

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT #echo request
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT #time exceeded

#syn flood defence found on net and added first, seems like the best place to check for Syn flood is up front
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --set
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP

#$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ALL -i $LAN -s $LAN_IP_RANGE -j ACCEPT #anything from the LAN is accepted
$IPTABLES -A INPUT -i $WAN -s $LAN_IP_RANGE -j DROP #Ingress filtering: our own LAN range must never arrive on the WAN side
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT #local loopback is trusted

$IPTABLES -A INPUT -p ALL -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT #if already allowed keep it coming

$IPTABLES -A INPUT -p TCP -i $WAN -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $WAN -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $WAN -j icmp_packets

#$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

$IPTABLES -A FORWARD -i $LAN -j ACCEPT #anything from lan is accepted
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #current connections are go
#I think my problem is around here: there isn't a rule that will allow for forwarding of connections to my lan
#I would assume that I need one

#$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $WAN -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE


jschiwal 12-08-2007 02:58 AM

Here is a link to a post on this site from a moderator:
http://www.linuxquestions.org/questi...037#post147037

You might want to go to that link if it is still there. You don't have a forwarding rule for port 22. You need to forward ingress port 22 traffic to the IP address of your server on the LAN. That is your server's IP address, and not just the network address $LAN.

---

Update: the link to the netfilter doc in that post won't work, but if you go to the directory, you can find a number of similar docs:
http://www.netfilter.org/documentation/

jgtg32a 12-08-2007 02:57 PM

Code:

$IPTABLES -A PREROUTING -t nat -p TCP -d 66.253.186.83 --dport 22 -j DNAT --to 192.168.8.103
$IPTABLES -A FORWARD -p TCP -s 0/0 --dport 22 -j allowed

I found these two on the forums but neither of them works.
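Putting jschiwal's advice into a complete pair of rules, as an added example that is not part of the thread: the DNAT rewrite plus a FORWARD accept pinned to the WAN interface, the server address and the NEW state, and, because the original post tests from the LAN against the eth1 address, the hairpin NAT that path needs. The addresses (eth1 66.253.186.83, server 192.168.8.103, LAN 192.168.8.0/24) are the ones posted in the thread; by default the script only prints the commands so they can be reviewed before applying.

```shell
#!/bin/sh
# Added example, not from the thread.  Generates the rules a DNAT port-forward
# needs for the thread's layout: WAN eth1 (public address as posted), LAN eth0 on
# 192.168.8.0/24, SSH server at 192.168.8.103.  Defaults to a dry run that prints
# the commands for review; run with IPTABLES=/sbin/iptables to apply them.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

WAN="eth1"
LAN="eth0"
LAN_NET="192.168.8.0/24"
WAN_IP="66.253.186.83"   # firewall's eth1 address, as posted in the thread
SERVER="192.168.8.103"   # the SSH host on the LAN, as posted in the thread

# A forward needs two rules: the nat/PREROUTING rewrite and a FORWARD accept.
# Pinning the accept to the WAN input interface, the LAN output interface, the
# one destination host and the NEW state opens exactly the hole the forward
# needs; return traffic is handled by the ESTABLISHED,RELATED rule in FORWARD.
port_forward() {
    proto="$1"; port="$2"; host="$3"
    $IPTABLES -t nat -A PREROUTING -i "$WAN" -p "$proto" -d "$WAN_IP" \
        --dport "$port" -j DNAT --to-destination "$host:$port"
    $IPTABLES -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$host" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

# The original post tests the forward from the LAN (even from the server itself)
# against the eth1 address.  That path needs hairpin NAT: the server would
# otherwise answer the LAN client directly from its private address and the
# client's TCP stack discards the reply.  Source-NATting the redirected flow to
# the firewall makes the server answer via the firewall, which un-NATs it.  The
# FORWARD step for this path is LAN-in/LAN-out, which the posted script already
# accepts with its "-i eth0 -j ACCEPT" rule.
hairpin() {
    proto="$1"; port="$2"; host="$3"
    $IPTABLES -t nat -A PREROUTING -i "$LAN" -p "$proto" -d "$WAN_IP" \
        --dport "$port" -j DNAT --to-destination "$host:$port"
    $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -d "$host" -p "$proto" \
        --dport "$port" -j MASQUERADE
}

port_forward tcp 22 "$SERVER"
hairpin tcp 22 "$SERVER"
```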

