Been banging my head against this one for a while now. The machine NATs just fine and does all of its normal stuff fine, but it won't do port forwarding; everything just times out:
Code:
echo 0 > /proc/sys/net/ipv4/ip_forward
LAN_IP_NET='192.168.0.0/24'
LAN_NIC='eth0'
WAN_IP='1.2.3.4'
WAN_NIC='eth1'
# The Next two sets flush this #@#!er clean.
iptables -Z
iptables -F
iptables -X
# Zero all chains, flush current buffers, and remove all nonstandard
# chains in the NAT table.
iptables -Z -t nat
iptables -F -t nat
iptables -X -t nat
echo "Setting default policies"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# enable Masquerade and forwarding
echo "Enabling basic NAT functions"
iptables -t nat -A POSTROUTING -o $WAN_NIC -j SNAT --to $WAN_IP
# iptables -t nat -A POSTROUTING -s $LAN_IP_NET -o $WAN_NIC -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP FESTIVAL
# Open ports on router for server/services
echo "Allowing specific services"
iptables -A INPUT -j ACCEPT -p tcp -i $LAN_NIC
iptables -A INPUT -j ACCEPT -p tcp -i lo
iptables -A INPUT -j ACCEPT -p tcp --dport 21 -i $WAN_NIC
iptables -A INPUT -j ACCEPT -p tcp --dport 22 -i $WAN_NIC
# stupid avoidance of SoBig wank!!!
iptables -A INPUT -j REJECT --reject-with tcp-reset -p tcp -s 66.98.40.126 --dport 25 -i $WAN_NIC
iptables -A INPUT -j ACCEPT -p tcp --dport 25 -i $WAN_NIC
iptables -A INPUT -j ACCEPT -p tcp --dport 53 -i $WAN_NIC
iptables -A INPUT -j ACCEPT -p tcp --dport 80 -i $WAN_NIC
iptables -A INPUT -j ACCEPT -p tcp --dport 110 -i $WAN_NIC
iptables -A INPUT -j ACCEPT -p tcp --dport 113 -i $WAN_NIC
iptables -A INPUT -j ACCEPT -p tcp --dport 143 -i $WAN_NIC
iptables -A INPUT -j ACCEPT -p tcp --dport 443 -i $WAN_NIC
# Epi's weird $#@!:
iptables -A INPUT -j ACCEPT -p tcp --dport 1234 -i $WAN_NIC
# Wilson's remote access to MySQL
iptables -A INPUT -p TCP -s 2.3.4.5 --dport 3306 -j ACCEPT -i $WAN_NIC
iptables -A INPUT -p TCP -s 4.5.6.0/24 --dport 3306 -j ACCEPT -i $WAN_NIC
# UDP JAM SESSION
iptables -A INPUT -j ACCEPT -p udp -i lo
iptables -A INPUT -j ACCEPT -p udp --dport 53
# ICMP AFTERPARTY
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT # echo-reply (pong)
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT # dest-unreachable
iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT # source-quench
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT # echo-request (ping)
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT # time-exceeded
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT # parameter-problem
iptables -A INPUT -p icmp --icmp-type 30 -j ACCEPT # traceroute
# STATE RELATED for router
echo "Enabling state-related filtering"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable forwarding
echo "Enabling forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
Then, the port forwarding script:
Code:
iptables -A INPUT -j ACCEPT -p tcp --dport 1111 -i eth1
/usr/sbin/iptables -A FORWARD -p tcp -i eth1 -o eth0 --dport 1111 -j ACCEPT
# /usr/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 1111 -j DNAT --to 192.168.0.5:22
iptables -t nat -A PREROUTING -p tcp --dport 1111 -i eth1 -j DNAT --to 192.168.0.5:22
Which spits out a nat table like this:
Code:
#~ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:1111 to:192.168.0.5:22
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:1.2.3.4
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And a normal iptables -L:
Code:
root@orwell:/home/fin/scripts# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
REJECT tcp -- jackass in the Dominican Republic anywhere tcp dpt:smtp reject-with tcp-reset
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:1234
ACCEPT tcp -- blady.bdasadad.elsewhere.net anywhere tcp dpt:3306
ACCEPT tcp -- blah.blah.somewhere/24 anywhere tcp dpt:3306
ACCEPT udp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp type 30
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:1111
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Aight, any suggestions accepted, but please don't just paste me your script; I wanna figure out
why this one isn't working as much as how to get it to work.
Cheers,
Finegan
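Added example (not Finegan's script, and not a reply from the thread): the port-forward rules rewritten so that the filter rule matches what the packet actually looks like when it reaches FORWARD. The relevant netfilter fact is that DNAT in nat/PREROUTING rewrites the destination address and port before the routing decision and before the FORWARD chain run, so by the time a packet that arrived for 1.2.3.4:1111 is evaluated in FORWARD its destination is already 192.168.0.5:22. A FORWARD rule on `--dport 1111` therefore never matches, and with the chain policy at DROP the SYN is silently discarded, which is exactly the "everything times out" symptom. The INPUT rule for 1111 is irrelevant for the same reason: a DNATed packet is routed to another host and never traverses INPUT. The interface names and addresses are taken from the post; the `IPT` variable (defaulting to `echo iptables` so the script can be dry-run without root) and the `port_forward`/`show_counters` helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script.
#
# Inbound packet path on the router for a connection to 1.2.3.4:1111 on eth1:
#   nat/PREROUTING    -> DNAT rewrites dst to 192.168.0.5:22
#   routing decision  -> dst is not local, so the packet goes to FORWARD, not INPUT
#   filter/FORWARD    -> sees dst 192.168.0.5, dport 22 (NOT 1111)
#   nat/POSTROUTING   -> SNAT applies only to outbound LAN->WAN traffic
#
# IPT defaults to "echo iptables" so this can be dry-run as a normal user
# (assumption for the example); run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"

WAN_NIC='eth1'
LAN_NIC='eth0'

# port_forward WAN_PORT LAN_HOST LAN_PORT
#   Emits the two rules a TCP port forward needs on a router whose FORWARD
#   policy is DROP.
port_forward() {
    wan_port="$1"; lan_host="$2"; lan_port="$3"

    # 1. nat/PREROUTING: rewrite the destination before routing.
    $IPT -t nat -A PREROUTING -i "$WAN_NIC" -p tcp --dport "$wan_port" \
        -j DNAT --to-destination "$lan_host:$lan_port"

    # 2. filter/FORWARD: match the post-DNAT tuple. A rule on --dport
    #    "$wan_port" here would never match. No INPUT rule is needed;
    #    forwarded packets never reach INPUT.
    $IPT -A FORWARD -i "$WAN_NIC" -o "$LAN_NIC" -p tcp \
        -d "$lan_host" --dport "$lan_port" \
        -m state --state NEW -j ACCEPT
}

# Replies from the LAN host come back through FORWARD and are matched by the
# existing ESTABLISHED,RELATED rule; conntrack reverses the DNAT on the way out.
port_forward 1111 192.168.0.5 22

# Diagnosis with the real binary: connect from outside and watch the counters.
# If the DNAT counter climbs while nothing in FORWARD does, the FORWARD rule
# is matching the pre-DNAT port instead of the post-DNAT one.
show_counters() {
    $IPT -t nat -L PREROUTING -n -v
    $IPT -L FORWARD -n -v
}
```

One caveat a practitioner will hit next: a LAN host connecting to 1.2.3.4:1111 from inside arrives on eth0, so the `-i eth1` PREROUTING rule does not match it and the forward only works from the WAN side; hairpin NAT needs a separate rule pair and is outside the scope of this post.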