LinuxQuestions.org

Linux - Networking: iptables - Opening a range of ports (https://www.linuxquestions.org/questions/linux-networking-3/iptables-opening-a-range-of-ports-351300/)

DeadTaco 08-08-2005 05:55 PM

iptables - Opening a range of ports
 
I've been reading post after post about iptables, and I have to admit that I'm still a little confused (newbie warning).

Here's the situation...
I have 15 win-x computers connected to a Mandrake 8.1 server. I am the new IT guy here, and I'm not too familiar with Linux firewalls.

I need everyone to be able to connect to the internet through port 400. Currently, we are blocked when trying to connect thru this port. I may also need ports 6660 thru 6670 to be opened up.

I tried using:
iptables -A INPUT -p tcp -i interface0_in --dport 400 -j ACCEPT

That didn't do anything.

Is there even a way to open the port for our entire office? This is a huge problem if it can't be done.

Also, I'm not sure if we're using NAT or not. I looked at the iptables -nL and it's all Greek to me.

The listing was rather large, but here's some of it:
Code:

Chain FORWARD (policy DROP)
target    prot opt source              destination       
network1_in  all  --  0.0.0.0/0            0.0.0.0/0         
network1_out  all  --  0.0.0.0/0            0.0.0.0/0         

Chain OUTPUT (policy DROP)
target    prot opt source              destination       
loopback_out  all  --  0.0.0.0/0            0.0.0.0/0         
interface0_out  all  --  0.0.0.0/0            0.0.0.0/0         
interface1_out  all  --  0.0.0.0/0            0.0.0.0/0         

Chain interface0_in (1 references)
target    prot opt source              destination       
syn_flood_interface0_in  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW
DROP      all  -f  0.0.0.0/0            0.0.0.0/0         
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
DROP      all  --  63.202.100.150      0.0.0.0/0         
DROP      all  --  0.0.0.0/8            0.0.0.0/0         
DROP      all  --  127.0.0.0/8          0.0.0.0/0         
DROP      all  --  10.0.0.0/8          0.0.0.0/0         
DROP      all  --  172.16.0.0/12        0.0.0.0/0         
DROP      all  --  224.0.0.0/3          0.0.0.0/0         
ACCEPT    udp  --  192.168.100.100      63.202.100.150    udp spt:53 dpts:1024:65535 state ESTABLISHED
ACCEPT    tcp  --  192.168.100.100      63.202.100.150    tcp spt:53 dpts:1024:65535 state ESTABLISHED
<snip> 

Chain interface0_out (1 references)
target    prot opt source              destination       
ACCEPT    udp  --  63.202.100.150      192.168.100.100    udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT    tcp  --  63.202.100.150      192.168.100.100    tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT    udp  --  63.202.100.150      192.168.100.100    udp spt:53 dpt:53 state NEW,ESTABLISHED
ACCEPT    udp  --  63.202.100.150      206.13.31.12      udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT    tcp  --  63.202.100.150      206.13.31.12      tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
<snip>

Chain interface1_in (1 references)
target    prot opt source              destination       
syn_flood_interface1_in  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW
DROP      all  -f  0.0.0.0/0            0.0.0.0/0         
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
DROP      all  --  192.168.100.100      0.0.0.0/0         
DROP      all  --  127.0.0.0/8          0.0.0.0/0         
DROP      all  --  10.0.0.0/8          0.0.0.0/0         
DROP      all  --  172.16.0.0/12        0.0.0.0/0         
DROP      all  --  224.0.0.0/3          0.0.0.0/0         
ACCEPT    udp  --  192.168.100.0/24    63.202.100.150    udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT    tcp  --  192.168.100.0/24    63.202.100.150    tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT    udp  --  192.168.100.0/24    63.202.100.150    udp spt:53 dpt:53 state NEW,ESTABLISHED
<snip>

Chain interface1_out (1 references)
target    prot opt source              destination       
ACCEPT    udp  --  63.202.100.150      192.168.100.0/24  udp spt:53 dpts:1024:65535 state ESTABLISHED
ACCEPT    tcp  --  63.202.100.150      192.168.100.0/24  tcp spt:53 dpts:1024:65535 state ESTABLISHED
<snip>

Chain loopback_in (1 references)
target    prot opt source              destination       
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0         

Chain loopback_out (1 references)
target    prot opt source              destination       
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0         

Chain network1_in (1 references)
target    prot opt source              destination       
syn_flood_network1_in  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW
DROP      all  -f  0.0.0.0/0            0.0.0.0/0         
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
DROP      all  --  127.0.0.0/8          0.0.0.0/0         
DROP      all  --  10.0.0.0/8          0.0.0.0/0         
DROP      all  --  172.16.0.0/12        0.0.0.0/0         
DROP      all  --  224.0.0.0/3          0.0.0.0/0         
ACCEPT    udp  --  192.168.100.100      192.168.100.0/24  udp spt:53 dpts:1024:65535 state ESTABLISHED
ACCEPT    tcp  --  192.168.100.100      192.168.100.0/24  tcp spt:53 dpts:1024:65535 state ESTABLISHED
<snip>

Chain network1_out (1 references)
target    prot opt source              destination       
ACCEPT    udp  --  192.168.100.0/24    192.168.100.100    udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT    tcp  --  192.168.100.0/24    192.168.100.100    tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT    udp  --  192.168.100.0/24    206.13.31.12      udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
<snip>

Chain syn_flood_interface0_in (1 references)
target    prot opt source              destination       
RETURN    all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 1/sec burst 3
DROP      all  --  0.0.0.0/0            0.0.0.0/0         

Chain syn_flood_interface1_in (1 references)
target    prot opt source              destination       
RETURN    all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 3/sec burst 5
DROP      all  --  0.0.0.0/0            0.0.0.0/0         

Chain syn_flood_network1_in (1 references)
target    prot opt source              destination       
RETURN    all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 5/sec burst 7
DROP      all  --  0.0.0.0/0            0.0.0.0/0

Sorry, I'm infected with newbetitis.

demian 08-09-2005 12:38 PM

Re: iptables - Opening a range of ports
 
You should edit your post to not display the public IP address of your firewall!

Quote:

Originally posted by DeadTaco
I have 15 win-x computers connected to a Mandrake 8.1 server. I am the new IT guy here, and I'm not too familiar with Linux firewalls.

That doesn't sound good. Security support for Mandrake 8.1 ceased a couple of years ago. You really need to upgrade to a distribution that has active security support. (Unless you're doing the upgrade yourself by closely monitoring all installed packages for vulnerabilities.)

Quote:

I need everyone to be able to connect to the internet through port 400. Currently, we are blocked when trying to connect thru this port. I may also need ports 6660 thru 6670 to be opened up.

Do you mean that people from outside of your network need to access every single computer on the inside on port 400 (or 6660-6670), or the other way around? The former is impossible if you use NAT: if you use port forwarding you will have to use a single (private) IP as the destination. You can't just stick an entire network in and expect netfilter to magically determine which IP to use. If, however, the connections are initiated inside your network, then you need to enable destination port 400 in the forward chain for outgoing connections (that would be the chain named network1_out in your case).

Quote:

I tried using:
iptables -A INPUT -p tcp -i interface0_in --dport 400 -j ACCEPT

This allows access to the machine that runs the firewall on port 400 (assuming you substitute an interface name for interface0_in). As it is, interface0_in looks like the name of a user-defined chain (judging from the bits you posted) and as such can only be used as the target in an iptables rule.

Quote:

Also, I'm not sure if we're using NAT or not. I looked at the iptables -nL and it's all Greek to me.

You are using NAT for what is called network1 in the iptables rules (192.168.100.0/24).

Quite frankly it looks like you will have a lot of work to do: You can't expect people to understand the firewall concept you have implemented without posting the whole script along with a description of your network topology. Then again this is very sensitive information about your network so at least edit out the public IP addresses should you decide to post this.

Bottom line is you will have to understand iptables inside out and know what every one of the lines in your script does exactly, or else you're in for a lot of trouble. Good starting points are Rusty Russell's guides and man iptables.
http://people.netfilter.org/rusty/unreliable-guides/

DeadTaco 08-09-2005 01:39 PM

Right on. Thanks for the help. I'll see what I can find out.

Just for note, I didn't use my own IP address. I replaced all of my real IP addresses with a quickly spoofed one (63.202.100.150). Luckily I'm not that newbish :)

If I can get just a single computer in my office to have access in/out on port 400, that may work. We have two people that need it, but even having one would be beneficial.

This person's internal IP addy is 192.168.100.48.

What's the easiest way to port forward to that address?

Thanks again for your help. I'm still going through the tons of iptables documents I've printed out, so it could take awhile.

demian 08-10-2005 03:11 PM

Quote:

Originally posted by DeadTaco
If I can get just a single computer in my office to have access in/out on port 400, that may work. We have two people that need it, but even having one would be beneficial.

So the connections are being initiated on the inside to a remote host on port 400? In that case you can, of course, open port 400 for the entire network. You need to allow port 400 in the forward chain:
Code:

iptables -A FORWARD -i $IFACE_INT -p tcp --dport 400 -j ACCEPT
And you need source nat in postrouting:
Code:

# POSTROUTING cannot match on the input interface (-i); match the outgoing
# interface (-o, $IFACE_EXT = your external interface) and the LAN source instead
iptables -t nat -A POSTROUTING -o $IFACE_EXT -s 192.168.100.0/24 -j SNAT --to $IP_EXT
Replace $IFACE_INT with the internal interface name (probably eth0 or eth1) and $IP_EXT with your external IP address.
The second rule probably already is in place (or otherwise none of the workstations would have access to the outside world). If you want to keep the structure of the existing firewall script you should put the first rule in the network1_out chain.

If what you want is people from the outside being able to contact your external IP and get redirected to 192.168.100.48 you need two rules:

Redirect $IP_EXT:400 to 192.168.100.48:400:
Code:

iptables -t nat -A PREROUTING -p tcp --dport 400 -i $IFACE_EXT -d $IP_EXT -j DNAT --to 192.168.100.48
Allow packets to flow through the firewall to 192.168.100.48:
Code:

iptables -A FORWARD -p tcp --dport 400 -d 192.168.100.48 -j ACCEPT
If you need udp port 400 accessible add two more rules with -p udp. Again, to follow the logic of the script this should go in the network1_out chain.

The above will work without any other rules in place. You will need to find the right place to add them to your iptables script. The order of the rules in a chain is vital. You didn't post your nat table (iptables -t nat -nvL) so I can't tell you if there are rules in there that might interfere with this one.
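The rule set demian describes, assembled as a dry-run script for DeadTaco's layout (an added example, not code from the thread or from the Mandrake firewall script). The interface names, the placeholder public address in $IP_EXT and the DRY_RUN helper are assumptions; the script also adds the ESTABLISHED,RELATED rule that return traffic needs under FORWARD's DROP policy and the low:high syntax for the 6660-6670 range asked about in the title, neither of which demian's rules show.

```shell
#!/bin/sh
# Added example for this thread: builds demian's FORWARD/SNAT/DNAT rules for
# DeadTaco's network as a dry run (prints the commands instead of applying them).
IFACE_INT="eth1"          # assumed: LAN side (network1, 192.168.100.0/24)
IFACE_EXT="eth0"          # assumed: internet side
IP_EXT="203.0.113.10"     # placeholder public address (RFC 5737 documentation range)
LAN="192.168.100.0/24"    # from the thread
HOST="192.168.100.48"     # the one workstation that must also be reachable from outside
DRY_RUN="${DRY_RUN:-1}"   # 1 = print rules, 0 = apply them (needs root and iptables)

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    # FORWARD's policy is DROP, so replies coming back to the LAN must be accepted
    # explicitly; an outbound ACCEPT alone still yields no working connection.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound from the whole LAN: port 400 and the 6660-6670 range (low:high).
    ipt -A FORWARD -i "$IFACE_INT" -s "$LAN" -p tcp --dport 400 -j ACCEPT
    ipt -A FORWARD -i "$IFACE_INT" -s "$LAN" -p tcp --dport 6660:6670 -j ACCEPT
    # Source NAT on the way out; POSTROUTING matches the outgoing interface (-o).
    ipt -t nat -A POSTROUTING -o "$IFACE_EXT" -s "$LAN" -j SNAT --to-source "$IP_EXT"
    # Inbound: rewrite $IP_EXT:400 to the workstation, then permit the forwarded
    # packet (DNAT alone does not get it past FORWARD's DROP policy).
    ipt -t nat -A PREROUTING -i "$IFACE_EXT" -d "$IP_EXT" -p tcp --dport 400 \
        -j DNAT --to-destination "$HOST"
    ipt -A FORWARD -i "$IFACE_EXT" -d "$HOST" -p tcp --dport 400 \
        -m state --state NEW -j ACCEPT
}

# Quick audit helper: how many generated rules mention a given --dport spec.
count_port_rules() {
    build_rules | grep -c -- "--dport $1 "
}

build_rules
```

Run with DRY_RUN=0 as root to apply; in the Mandrake script's structure the FORWARD rules belong in the network1_out chain, as demian notes.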
