LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 06-06-2004, 12:23 PM   #1
figjam
LQ Newbie
 
Registered: May 2004
Posts: 2

Rep: Reputation: 0
problems with iptables NAT


I'm trying to get an iptables script working for my linux box so that I can basically use it as a router. The setup is fairly weird for reasons beyond my control, so bear with me while I outline it (This is why I couldn't find any examples etc to help me through it).

I've got an ADSL router which is set to do NAT itself, but it's one I cannot admin and have to go get somebody to change it every time I want a new port forwarded, and bridging it is out of the question, so I've just gotten them to forward every port through to my linux box and I'm redistributing them from there. So essentially I'm routing data back out on the same interface it's coming in on (eth0, the only interface on the whole machine).

I can route ports to itself easily, for example I tested routing 3000 to 6667 and my IRC could find the IRCD. When I attempt to route to other IPs though I get errors. When I routed port 3100 on the linux server back to 2000 on my windows machine and listened with hyperterminal and then telnetted to port 3100 on the linux box I received a connection in (my windows firewall noticed it) and then hyperterminal stopped listening and the connection failed. I also tried routing it out to a friend's machine who was hosting an IRCD and the IRCD reported "Can't allocate fd for socks on [@IP.REMOVED.WEIRDNUMBER]" and failed to connect.

Below is the whole script I am using to create my iptables. A few comments to help everyone trying to read:
My windows machine: 192.168.1.99
My linux box: 192.168.1.100
My internet IP is non-static so I have used 0.0.0.0/0 to represent all IPs.

This is pretty much the first time I've used iptables, and the below was put together from reading a few tutorials. Hopefully somebody can show me what I've done wrong.
Code:
#!/bin/sh

#EDITABLE CONSTANTS
VALID_ADMIN_IP=192.168.1.99
VNC_SERVER_MAX_COUNT=10
SELF=192.168.1.100
SELF_EXTERNAL=0.0.0.0/0
FIGJAM=192.168.1.99

#DO NOT EDIT THESE VARIABLES
VNC_START_PORT=5901
# POSIX arithmetic; "let" is a bash builtin and fails under a plain /bin/sh
VNC_END_PORT=$((VNC_START_PORT + VNC_SERVER_MAX_COUNT - 1))

#FUNCTIONS
# route_port INBOUND_PORT DEST_IP DEST_PORT [PROTOCOL]
# Redirects connections arriving on INBOUND_PORT to DEST_IP:DEST_PORT.
# Ports may be ranges in iptables syntax (2300:2400).
route_port()
{
	source_port=$1
	dest_ip=$2
	dest_port=$3
	protocol=$4
	if [ -z "$protocol" ]; then
		protocol="tcp"
	fi
	# DNAT writes a target port range with a dash, not a colon
	dnat_port=$(printf '%s' "$dest_port" | tr ':' '-')

	# let the forwarded packets through to the destination port
	iptables -A FORWARD -p $protocol --dport $dest_port -j ACCEPT
	# rewrite the destination of incoming packets before routing
	iptables -t nat -A PREROUTING -p $protocol -d $SELF_EXTERNAL --dport $source_port -j DNAT --to $dest_ip:$dnat_port
}

#Clear IP tables
iptables -F -t filter
iptables -F -t nat

#Set default security levels
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Create exceptions to rules
# --------------- PUBLIC ACCESS ---------------
# Apache and FTP and IRCD
iptables -A INPUT -p TCP --destination-port http -j ACCEPT
iptables -A INPUT -p TCP --destination-port ftp-data:ftp -j ACCEPT
iptables -A INPUT -p TCP --destination-port 6667 -j ACCEPT
# Allow pinging
iptables -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type echo-reply -j ACCEPT
# Allow DNS (replies from a resolver to an unprivileged local port)
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
#  --------------- ADMIN ONLY  ---------------
# SSH, VNC, SAMBA, SWAT
iptables -A INPUT -p TCP -s $VALID_ADMIN_IP --destination-port ssh -j ACCEPT
iptables -A INPUT -p TCP -s $VALID_ADMIN_IP --destination-port $VNC_START_PORT:$VNC_END_PORT -j ACCEPT
iptables -A INPUT -p TCP -s $VALID_ADMIN_IP --destination-port 135:139 -j ACCEPT
iptables -A INPUT -p TCP -s $VALID_ADMIN_IP --destination-port 901 -j ACCEPT


# ------------- ROUTE-O-LICIOUS --------------
# I think I need this, but I may just be stupid
# Masquerade everything forwarded from the LAN as this box's own address
iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -d 0/0 -j MASQUERADE
# Turn on IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Azureus
route_port 6881 $FIGJAM 6881 tcp
# Total Annihilation
route_port 2300:2400 $FIGJAM 2300:2400 tcp
route_port 2300:2400 $FIGJAM 2300:2400 udp
route_port 47624 $FIGJAM 47624 tcp
route_port 3000 66.216.103.243 6667 tcp
route_port 3100 $FIGJAM 2000 tcp

If you got to here, thanks for your time even if you can't help
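Added example, not from the thread and not the poster's script: a reworked version of the forwarding part of the ruleset above, using the addresses given in the post (router 192.168.1.100, Windows box 192.168.1.99, single interface eth0). The posted script sets the FORWARD policy to DROP and only accepts the first packet towards the destination port, so the target's replies (which carry that port as their source, not their destination) are dropped; that matches a connection being noticed and then failing. The version below adds the conntrack ESTABLISHED,RELATED rules, narrows the hairpin MASQUERADE to the forwarded flows, and adds an OUTPUT DNAT rule so a test made from the router itself also goes through the mapping (locally generated packets never pass PREROUTING). The `IPT` variable, the function names and the dry-run mechanism are my own assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): a stateful port-forwarding
# ruleset for the single-interface "router behind a router" setup above.
# Compared with the posted script it adds:
#   1. conntrack rules accepting ESTABLISHED,RELATED traffic in INPUT and
#      FORWARD, so replies from the DNAT target get back to the client;
#   2. a MASQUERADE limited to LAN-to-LAN forwarded flows (hairpin NAT), so
#      a LAN client sees the reply come from this box, not from the target;
#   3. a DNAT in the nat OUTPUT chain for connections made from this box.
# Addresses are the ones given in the thread; everything else is assumed.

LAN_IF=eth0                 # the machine's only interface
LAN_NET=192.168.1.0/24
ROUTER_IP=192.168.1.100     # this box; the ADSL router forwards everything here
FIGJAM=192.168.1.99         # the Windows machine

# Set IPT="echo iptables" to print the ruleset instead of applying it.
IPT=${IPT:-iptables}

# forward_port EXT_PORT DEST_IP DEST_PORT [PROTO]
# Ports may be ranges written iptables-style (2300:2400); DNAT wants the
# target range written with a dash, so it is converted here.
forward_port() {
    ext_port=$1; dest_ip=$2; dest_port=$3; proto=${4:-tcp}
    dnat_port=$(printf '%s' "$dest_port" | tr ':' '-')

    # Packets arriving on the wire are translated in PREROUTING ...
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" -d "$ROUTER_IP" \
        --dport "$ext_port" -j DNAT --to-destination "$dest_ip:$dnat_port"
    # ... but connections made from this box never pass PREROUTING, so a
    # telnet test run on the router itself needs the same rule in OUTPUT.
    $IPT -t nat -A OUTPUT -p "$proto" -d "$ROUTER_IP" \
        --dport "$ext_port" -j DNAT --to-destination "$dest_ip:$dnat_port"
    # Only NEW connections to the mapped service need an explicit ACCEPT;
    # replies match the ESTABLISHED,RELATED rule set in base_policy.
    $IPT -A FORWARD -p "$proto" -d "$dest_ip" --dport "$dest_port" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Hairpin: rewrite the source of LAN-to-LAN forwarded flows to this box,
    # otherwise the target answers the client directly and the client resets.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$dest_ip" -p "$proto" \
        --dport "$dest_port" -j MASQUERADE
}

base_policy() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # The stateful rules the posted script lacks.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

apply_ruleset() {
    base_policy
    # The LAN mappings from the post (the external IRCD one is left out).
    forward_port 6881 "$FIGJAM" 6881 tcp              # Azureus
    forward_port 2300:2400 "$FIGJAM" 2300:2400 tcp    # Total Annihilation
    forward_port 2300:2400 "$FIGJAM" 2300:2400 udp
    forward_port 47624 "$FIGJAM" 47624 tcp
    forward_port 3100 "$FIGJAM" 2000 tcp              # the hyperterminal test
}

# sh nat.sh apply                     applies the rules (as root); afterwards
#                                     echo 1 > /proc/sys/net/ipv4/ip_forward
# IPT="echo iptables" sh nat.sh apply prints the rules for review instead
case "${1:-}" in
    apply) apply_ruleset ;;
esac
```

Reviewing the printed ruleset before applying it is the point of the dry-run mode: with `IPT="echo iptables"` every rule is echoed in the order it would be inserted, so the ESTABLISHED,RELATED rule can be checked to sit ahead of the per-service ACCEPTs and the DNAT target ranges can be checked for the dash syntax. The rules still need the INPUT exceptions from the original script (HTTP, FTP, IRC, SSH and so on) added after base_policy.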
 
Old 06-14-2004, 08:49 PM   #2
andresurzagasti
Member
 
Registered: Sep 2002
Location: Reconquista
Distribution: RedHat, Fedora
Posts: 38

Rep: Reputation: 15
adsl router

Hi!

Which ADSL router do you have?
Some routers support the mapping of high ports according to the manual,
but in reality they do not do it. When they are configured with high ports they do not generate an error
message, and problems similar to the ones you describe occur.

A well-known router with this problem is the Amigo (Conexant) CA-61. This problem has been solved in part by
a firmware upgrade released by the manufacturer.

Regards,
 
  

