LinuxQuestions.org, Linux - Networking forum
05-07-2004, 09:09 AM   #1
Avatar (Member; registered May 2001; Canada; Distribution: old ones)
iptables port forwarding removes net access?


Hi all

Here's a problem I've been wrestling with for a while now.

I have two firewall scripts using IPtables on kernel 2.4.18-8.

One firewall script does NOT use port forwarding. It is the version that I'm using right now, since it's a production environment with public terminals.

We have two external locations that I would like to be able to access a database on a webserver internal to our network. So I tried to set up port forwarding such that requests coming in to our IP address on port 5523 will be forwarded to this internal machine's port 80.

When I run a second script, identical to the first except for the port forwarding, the port forwarding works (i.e. requests to our ip:5523 reach the machine in question) but all Internet access is then disabled.

What's even weirder is that by adding and removing rules one by one, I've been able to get it so that the port forwarding AND the Internet work, but only for about an hour or so before the Internet goes down and I have to run the non-port-forwarding firewall script again.

Also: I am running squid proxy and squidGuard on the firewall machine. Don't know if this has anything to do with it.

Here are the forwarding rules from the working script:
Code:
echo -e " Loading FORWARD rulesets ..."

iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 136:139 -j DROP
... more like this ...

echo -e " Redirect all outbound http traffic to squid"
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
# allow existing and related connections IN
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow all connections OUT
iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT
# default
iptables -A FORWARD -j DROP
# masquerade
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
Here's the one with port forwarding.
Code:
echo -e " Loading FORWARD rulesets ..."

echo -e "Loading PORT FORWARDING"
iptables -A FORWARD -i eth0 -p tcp --dport 5523 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp --dport 5523 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 5523 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.1.121 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5523 -j DNAT --to 192.168.1.121:80
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5523 -j DNAT --to 192.168.1.121:80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5523 -j DNAT --to 192.168.1.121:80
iptables -t nat -I PREROUTING -p tcp -d 64.231.XXX.XXX --dport 5523 -j DNAT --to 192.168.1.121:80
## old - works without it
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 64.231.XXX.XXX
iptables -A FORWARD -j LOG --log-level warning --log-prefix "forwarded: "

iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 136:139 -j DROP
... more like this ...
the rest is the same.

Any ideas what's amiss here??
Thanks!
 
05-07-2004, 04:39 PM   #2
Mara (Moderator; registered Feb 2002; Grenoble; Distribution: Debian)
You can get your first script and add something like
# -p tcp is required before --dport. The FORWARD chain sees the packet after
# the nat PREROUTING rewrite, so it must match the rewritten port 80, not 5523.
iptables -A FORWARD -i ethX -p tcp -d 192.168.1.121 --dport 80 -j ACCEPT
iptables -A PREROUTING -t nat -i ethX -p tcp -d 64.231.XXX.XXX --dport 5523 -j DNAT --to 192.168.1.121:80
where ethX is your external interface (the one the packets to be forwarded will come from)
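The following is an added example, not the original poster's script and not Mara's: a complete, ordered rule set for the forward described in post #1 (external tcp/5523 to 192.168.1.121:80 on a ppp0/eth1 box), written so that the rules can be reviewed before they are applied. It assumes the two remote sites are 203.0.113.10 and 198.51.100.20 (documentation addresses chosen here, not from the thread) and restricts the forward to them; the squid REDIRECT rule from the thread is left out. Two points it makes concrete: the FORWARD rule matches the post-DNAT destination (host:80), since nat PREROUTING runs before the filter FORWARD chain, and the LOG rule is rate limited with `-m limit` rather than logging every forwarded packet, as the unlimited `-A FORWARD -j LOG` in the second script does. With DRY_RUN=1 (the default) it prints the iptables commands instead of running them, so it runs unprivileged.

```shell
#!/bin/sh
# Added example (not the thread's script): forward external tcp/5523 to an
# internal web server on port 80 while leaving LAN outbound access alone.
# Assumed (not from the thread): the two remote sites 203.0.113.10 and
# 198.51.100.20. Interface names and the web host follow the thread.
# DRY_RUN=1 prints the iptables commands instead of executing them.

EXT_IF=${EXT_IF:-ppp0}                   # ADSL link, the external interface
INT_IF=${INT_IF:-eth1}                   # LAN side
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_HOST=${WEB_HOST:-192.168.1.121}
WEB_PORT=${WEB_PORT:-80}
EXT_PORT=${EXT_PORT:-5523}
ALLOWED_SRC=${ALLOWED_SRC:-"203.0.113.10 198.51.100.20"}   # assumed remote sites
DRY_RUN=${DRY_RUN:-1}

# Run or print one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

load_rules() {
    ipt -F FORWARD
    ipt -t nat -F PREROUTING
    ipt -t nat -F POSTROUTING
    ipt -P FORWARD DROP

    # 1. Replies to anything already allowed, in either direction.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. Rewrite the destination only for packets arriving on the external
    #    interface; a DNAT bound to the LAN interface would rewrite LAN
    #    traffic to port 5523 as well.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$WEB_HOST:$WEB_PORT"

    # 3. FORWARD sees the packet after DNAT, so match the rewritten
    #    destination (host:80), not the public port, and only the two
    #    remote sites may open new connections to it.
    for src in $ALLOWED_SRC; do
        ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$src" -d "$WEB_HOST" \
            -p tcp --dport "$WEB_PORT" -m state --state NEW -j ACCEPT
    done

    # 4. LAN hosts may open anything outbound.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT

    # 5. Log what is about to be dropped, rate limited so syslog cannot be
    #    flooded by a scan, then drop.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    ipt -A FORWARD -j DROP

    # 6. Source NAT for the LAN behind the dynamic ADSL address.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# Checks a printed rule listing (stdin): the ACCEPT for the web host must
# precede the catch-all DROP, and no DNAT may be bound to the LAN interface.
# Prints "ok" on success, otherwise the first problem found.
check_rules() {
    listing=$(cat)
    accept=$(printf '%s\n' "$listing" | grep -n -- "-A FORWARD .* -d $WEB_HOST -p tcp --dport $WEB_PORT .* -j ACCEPT" | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$listing" | grep -n -- '-A FORWARD -j DROP$' | head -n 1 | cut -d: -f1)
    if [ -z "$accept" ]; then
        echo "no ACCEPT for $WEB_HOST:$WEB_PORT in FORWARD"; return 1
    fi
    if [ -z "$drop" ] || [ "$accept" -gt "$drop" ]; then
        echo "ACCEPT for $WEB_HOST:$WEB_PORT comes after the final DROP"; return 1
    fi
    if printf '%s\n' "$listing" | grep -q -- "-t nat -A PREROUTING -i $INT_IF .*-j DNAT"; then
        echo "DNAT bound to the internal interface $INT_IF"; return 1
    fi
    echo ok
}

# Usage: sh fwd-5523.sh            # print the rules and check their order
#        DRY_RUN=0 sh fwd-5523.sh  # apply them (as root)
if [ "$DRY_RUN" = 1 ]; then
    rules=$(load_rules)
    printf '%s\n' "$rules"
    printf '%s\n' "$rules" | check_rules
else
    load_rules
fi
```

LAN clients should reach the web server on 192.168.1.121:80 directly; this rule set does not add the extra SNAT that a hairpin (LAN client to the public address:5523) would need.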
 
05-21-2004, 12:56 PM   #3
Avatar (Member; registered May 2001; Canada; Distribution: old ones; original poster)
So: looking at my second code clip: You're saying to use only lines 2 and 6, and take everything else out?

The external interface is technically ppp0 (it's an ADSL connection). I'll try it...
 