LinuxQuestions.org

Linux - Networking: problems with iptables NAT (https://www.linuxquestions.org/questions/linux-networking-3/problems-with-iptables-nat-190337/)

figjam 06-06-2004 11:23 AM

problems with iptables NAT
 
I'm trying to get an iptables script working for my Linux box so that I can basically use it as a router. The setup is fairly weird for reasons beyond my control, so bear with me while I outline it (this is why I couldn't find any examples etc. to help me through it).

I've got an ADSL router which is set to do NAT itself, but it's one I cannot admin and have to go get somebody to change it every time I want a new port forwarded, and bridging it is out of the question, so I've just gotten them to forward every port through to my Linux box and I'm redistributing them from there. So essentially I'm routing data back out on the same interface it's coming in on (eth0, the only interface on the whole machine).

I can route ports to itself easily; for example I tested routing 3000 to 6667 and my IRC could find the IRCD. When I attempt to route to other IPs though I get errors. When I routed port 3100 on the Linux server back to 2000 on my Windows machine and listened with HyperTerminal and then telnetted to port 3100 on the Linux box, I received a connection in (my Windows firewall noticed it) and then HyperTerminal stopped listening and the connection failed. I also tried routing it out to a friend's machine who was hosting an IRCD and the IRCD reported "Can't allocate fd for socks on [@IP.REMOVED.WEIRDNUMBER]" and failed to connect.

Below is the whole script I am using to create my iptables. A few comments to help everyone trying to read:
My Windows machine: 192.168.1.99
My Linux box: 192.168.1.100
My internet IP is non-static so I have used 0.0.0.0/0 to represent all IPs.

This is pretty much the first time I've used iptables, and the below was put together from reading a few tutorials. Hopefully somebody can show me what I've done wrong.
Code:

#!/bin/sh

#EDITABLE CONSTANTS
VALID_ADMIN_IP=192.168.1.99
VNC_SERVER_MAX_COUNT=10
SELF=192.168.1.100
SELF_EXTERNAL=0.0.0.0/0
FIGJAM=192.168.1.99

#DO NOT EDIT THESE VARIABLES
VNC_START_PORT=5901
let "VNC_END_PORT=$VNC_START_PORT+$VNC_SERVER_MAX_COUNT-1"

#FUNCTIONS
route_port()
{
        source_port=$1
        dest_ip=$2
        dest_port=$3
        protocol=$4
        if [ -z "$protocol" ]; then
                protocol="tcp"
        fi

        iptables -A FORWARD -p $protocol --dport $dest_port -j ACCEPT
        iptables -t nat -A PREROUTING -p $protocol -d $SELF_EXTERNAL --dport $source_port -j DNAT --to $dest_ip:$dest_port
}

#Clear IP tables
iptables -F -t filter
iptables -F -t nat

#Set default security levels
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Create exceptions to rules
# --------------- PUBLIC ACCESS ---------------
# Apache and FTP and IRCD
iptables -A INPUT -p TCP --destination-port http -j ACCEPT
iptables -A INPUT -p TCP --destination-port ftp-data:ftp -j ACCEPT
iptables -A INPUT -p TCP --destination-port 6667 -j ACCEPT
# Allow pinging
iptables -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type echo-reply -j ACCEPT
# Allow DNS
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
#  --------------- ADMIN ONLY  ---------------
# SSH, VNC, SAMBA, SWAT
iptables -A INPUT -p TCP -s $VALID_ADMIN_IP --destination-port ssh -j ACCEPT
iptables -A INPUT -p TCP -s $VALID_ADMIN_IP --destination-port $VNC_START_PORT:$VNC_END_PORT -j ACCEPT
iptables -A INPUT -p TCP -s $VALID_ADMIN_IP --destination-port 135:139 -j ACCEPT
iptables -A INPUT -p TCP -s $VALID_ADMIN_IP --destination-port 901 -j ACCEPT


# ------------- ROUTE-O-LICIOUS --------------
# I think I need this, but I may just be stupid
iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -d 0/0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# Azureus
route_port 6881 $FIGJAM 6881 tcp
# Total Annihilation
route_port 2300:2400 $FIGJAM 2300:2400 tcp
route_port 2300:2400 $FIGJAM 2300:2400 udp
route_port 47624 $FIGJAM 47624 tcp
route_port 3000 66.216.103.243 6667 tcp
route_port 3100 $FIGJAM 2000 tcp

If you got to here, thanks for your time even if you can't help :)
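For the single-interface setup described above, the two things most likely to bite are the DNAT target syntax for port ranges (iptables matches write ranges as 2300:2400, but --to-destination wants 2300-2400) and the missing source rewrite for the hairpin case: the LAN target answers the original client via its own default gateway (the ADSL router), so the reply never passes back through the Linux box's connection tracking. The following is an added example, not figjam's script, that prints the rules for one forward so they can be reviewed without root; it assumes eth0 is the only interface, the box is 192.168.1.100, the conntrack match is available, and LAN hosts use the ADSL router as their gateway.

```shell
#!/bin/sh
# Added example (not the poster's script): PRINTS the iptables commands for
# forwarding a port or port range arriving on the single interface to a LAN
# host; pipe the output to sh to apply. Assumed: eth0 is the only interface,
# this box is 192.168.1.100, LAN hosts use the ADSL router as default gateway.

WAN_IF=eth0
SELF=192.168.1.100

# iptables matches write ranges as "lo:hi", but DNAT/SNAT --to-destination
# wants "lo-hi"; single ports are unchanged.
dnat_ports() {
    printf '%s\n' "$1" | tr ':' '-'
}

# Stateful baseline: replies of already-accepted forwards pass without
# needing a per-port rule.
base_rules() {
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# route_port_rules SRC_PORT DEST_IP DEST_PORT [PROTO]   (PROTO defaults to tcp)
route_port_rules() {
    src_port=$1; dest_ip=$2; dest_port=$3; proto=${4:-tcp}
    to_port=$(dnat_ports "$dest_port")
    # 1. Rewrite the destination before routing, for packets arriving on eth0 only.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $src_port" \
         "-j DNAT --to-destination $dest_ip:$to_port"
    # 2. Allow only the new forwarded flow (it enters and leaves on eth0 and is
    #    addressed to the target after DNAT), not any packet to that port.
    echo "iptables -A FORWARD -i $WAN_IF -o $WAN_IF -p $proto -d $dest_ip --dport $dest_port" \
         "-m conntrack --ctstate NEW -j ACCEPT"
    # 3. Hairpin fix: rewrite the source of DNATed packets to this box so the
    #    LAN host replies to us instead of straight to the ADSL router.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -p $proto -d $dest_ip --dport $dest_port" \
         "-m conntrack --ctstate DNAT -j SNAT --to-source $SELF"
}

# Demo: `sh thisfile.sh print | sh` would apply the post's forwards.
if [ "${1:-}" = "print" ]; then
    base_rules
    route_port_rules 6881 192.168.1.99 6881 tcp
    route_port_rules 2300:2400 192.168.1.99 2300:2400 udp
    route_port_rules 3100 192.168.1.99 2000
fi
```

The cost of the SNAT in step 3 is that the LAN host sees every forwarded connection as coming from 192.168.1.100, so its own logs and firewall can no longer tell external clients apart.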

andresurzagasti 06-14-2004 07:49 PM

adsl router
 
Hi!

Which ADSL router do you have?
Some routers' manuals say they support the mapping of high ports,
but in reality they do not. When they are configured with high ports they do not generate an error
message, and problems similar to the ones you describe happen.

A well-known router with this problem is the Amigo (Conexant) CA-61. This problem has been solved in part by
a firmware upgrade released by the manufacturer.

Regards,
