Hi all
Here's a problem I've been wrestling with for a while now.
I have two firewall scripts using iptables on kernel 2.4.18-8.
One firewall script does NOT use port forwarding. It is the version that I'm using right now, since it's a production environment with public terminals.
We have two external locations that I would like to be able to access a database on a web server internal to our network. So I tried to set up port forwarding such that requests coming in to our IP address on port 5523 will be forwarded to this internal machine's port 80.
When I run this script, identical to the first except for the port forwarding, the port forwarding works (i.e. requests to our IP:5523 reach the machine in question) but all Internet access is then disabled.
What's even weirder is that by adding and removing rules one by one, I've been able to get it so that the port forwarding AND the Internet work, but only for about an hour or so before the Internet goes down and I have to run the non-port-forwarding firewall script again.
Also: I am running squid proxy and squidGuard on the firewall machine. Don't know if this has anything to do with it.
Here are the forwarding rules from the working script:
Code:
echo -e " Loading FORWARD rulesets ..."
iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 136:139 -j DROP
... more like this ...
echo -e " Redirect all outbound http traffic to squid"
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
# allow existing and related connections IN
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow all connections OUT
iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT
# default
iptables -A FORWARD -j DROP
# masquerade
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
Here's the one with port forwarding.
Code:
echo -e " Loading FORWARD rulesets ..."
echo -e "Loading PORT FORWARDING"
iptables -A FORWARD -i eth0 -p tcp --dport 5523 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp --dport 5523 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 5523 -j ACCEPT
# -I (no rule number) inserts at the head of FORWARD, ahead of the rules appended above
iptables -I FORWARD -p tcp -d 192.168.1.121 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5523 -j DNAT --to 192.168.1.121:80
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5523 -j DNAT --to 192.168.1.121:80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5523 -j DNAT --to 192.168.1.121:80
# -I puts this rule at the head of nat PREROUTING
iptables -t nat -I PREROUTING -p tcp -d 64.231.XXX.XXX --dport 5523 -j DNAT --to 192.168.1.121:80
## old - works without it
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 64.231.XXX.XXX
# no match criteria: every forwarded packet that reaches this rule is logged (LOG does not terminate the chain)
iptables -A FORWARD -j LOG --log-level warning --log-prefix "forwarded: "
iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 136:139 -j DROP
... more like this ...
the rest is the same.
Any ideas what's amiss here?
Thanks!
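Before changing a production rule set like the one above, it helps to see the order the kernel will actually evaluate the rules in, which is not the order they appear in the script (-I inserts at the head; -A appends), and to see what the FORWARD chain sees after nat PREROUTING has already rewritten a DNAT'd packet's destination. The following offline simulator is an added example and not code from the original post or from iptables itself. It replays the port-forwarding script (with "the rest is the same" filled in from the first script and the elided "... more like this ..." lines left out), understands only the matches used on the page (-i, -o, -p, -d, --dport, -m state), treats LOG as non-terminating and consults the nat table only for NEW connections, as netfilter does. The sample packets are constructed; the public address is kept as the post redacted it.

```python
"""Minimal offline simulator for nat PREROUTING followed by filter FORWARD.
Added example; it is not the post's script and not an iptables component."""
import shlex

# Reconstructed from the post: the port-forwarding script plus "the rest is the same".
RULES = """
iptables -A FORWARD -i eth0 -p tcp --dport 5523 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp --dport 5523 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 5523 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.1.121 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5523 -j DNAT --to 192.168.1.121:80
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5523 -j DNAT --to 192.168.1.121:80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5523 -j DNAT --to 192.168.1.121:80
iptables -t nat -I PREROUTING -p tcp -d 64.231.XXX.XXX --dport 5523 -j DNAT --to 192.168.1.121:80
iptables -A FORWARD -j LOG --log-level warning --log-prefix "forwarded: "
iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 136:139 -j DROP
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
"""

# Options that take exactly one argument; anything else is skipped.
ONE_ARG = {"-t", "-A", "-I", "-i", "-o", "-p", "-d", "-s", "-m", "-j",
           "--dport", "--state", "--to", "--to-port", "--log-level", "--log-prefix"}


def parse_rule(line):
    """Turn one 'iptables ...' line into a dict of option -> value (None if not a rule)."""
    toks = shlex.split(line)
    if not toks or toks[0] != "iptables":
        return None
    rule = {"table": "filter", "op": None, "chain": None}
    i = 1
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if opt in ONE_ARG and i + 1 < len(toks) else None
        if opt in ("-A", "-I"):
            rule["op"], rule["chain"] = opt, arg
        elif opt == "-t":
            rule["table"] = arg
        elif opt in ONE_ARG:
            rule[opt.lstrip("-")] = arg      # e.g. "dport", "state", "to", "j"
        i += 2 if arg is not None else 1
    return rule


def build_chains(script):
    """Replay -A / -I in script order; -I without a rule number inserts at the head."""
    chains = {}
    for line in script.splitlines():
        rule = parse_rule(line)
        if rule and rule["chain"]:
            lst = chains.setdefault((rule["table"], rule["chain"]), [])
            lst.insert(0, rule) if rule["op"] == "-I" else lst.append(rule)
    return chains


def port_matches(spec, port):
    lo, _, hi = spec.partition(":")            # "135:139" or "80"
    return int(lo) <= port <= int(hi or lo)


def matches(rule, pkt):
    """A rule matches when every match criterion it carries agrees with the packet."""
    checks = {"i": lambda v: pkt["in"] == v, "o": lambda v: pkt["out"] == v,
              "p": lambda v: pkt["proto"] == v, "d": lambda v: pkt["dst"] == v,
              "dport": lambda v: port_matches(v, pkt["dport"]),
              "state": lambda v: pkt["state"] in v.split(",")}
    return all(fn(rule[k]) for k, fn in checks.items() if k in rule)


def walk(chain, pkt):
    """Traverse one chain; LOG continues, every other target on the page terminates.
    Returns (verdict, number of LOG hits). DNAT/REDIRECT rewrite pkt in place."""
    hits = 0
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule["j"] == "LOG":
            hits += 1
            continue
        if rule["j"] == "DNAT":
            ip, _, port = rule["to"].partition(":")
            pkt["dst"], pkt["dport"] = ip, int(port)
        elif rule["j"] == "REDIRECT":
            pkt["dport"] = int(rule["to-port"])
        return rule["j"], hits
    return "POLICY", hits


def trace(chains, pkt):
    """nat PREROUTING (NEW connections only), then filter FORWARD unless REDIRECT
    delivered the packet to the firewall itself (squid)."""
    pkt = dict(pkt)
    nat = walk(chains.get(("nat", "PREROUTING"), []), pkt)[0] if pkt["state"] == "NEW" else None
    if nat == "REDIRECT":
        return {"chain": "INPUT", "verdict": "LOCAL", "logged": False, "pkt": pkt}
    verdict, hits = walk(chains.get(("filter", "FORWARD"), []), pkt)
    return {"chain": "FORWARD", "verdict": verdict, "logged": hits > 0, "pkt": pkt}


def effective_forward_order(chains):
    """(target, dport) of each FORWARD rule in the order the kernel evaluates them."""
    return [(r["j"], r.get("dport", "*")) for r in chains[("filter", "FORWARD")]]


CHAINS = build_chains(RULES)
# Constructed sample packets: in/out interface, protocol, destination, port, conntrack state.
INBOUND_5523 = dict(in_="ppp0", out="eth1", proto="tcp", dst="64.231.XXX.XXX", dport=5523, state="NEW")
OUTBOUND_HTTPS = dict(in_="eth1", out="ppp0", proto="tcp", dst="203.0.113.10", dport=443, state="NEW")
RETURN_TRAFFIC = dict(in_="ppp0", out="eth1", proto="tcp", dst="192.168.1.50", dport=40000, state="ESTABLISHED")
OUTBOUND_HTTP = dict(in_="eth1", out="ppp0", proto="tcp", dst="203.0.113.10", dport=80, state="NEW")
for p in (INBOUND_5523, OUTBOUND_HTTPS, RETURN_TRAFFIC, OUTBOUND_HTTP):
    p["in"] = p.pop("in_")                     # "in" is a keyword, so build it this way

if __name__ == "__main__":
    print("effective FORWARD order:", effective_forward_order(CHAINS))
    for name, p in [("inbound 5523", INBOUND_5523), ("outbound https", OUTBOUND_HTTPS),
                    ("return traffic", RETURN_TRAFFIC), ("outbound http", OUTBOUND_HTTP)]:
        print(f"{name:15s} -> {trace(CHAINS, p)}")
```

Two things the trace makes visible. First, the forwarded connection is admitted by the inserted `-d 192.168.1.121 --dport 80` rule, which sits at the head of FORWARD; by the time the packet reaches FORWARD its port is already 80, so the three appended `--dport 5523` ACCEPT rules never see it. Second, because the unconditional LOG rule precedes the ESTABLISHED,RELATED ACCEPT, every other forwarded packet, including all return traffic for the terminals' own connections, generates a syslog line. Moving the LOG rule after the state rule, or restricting it with `-m limit`, keeps the log volume proportional to new connections rather than to total traffic.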