Help me! iptables
Hi Everyone,
I am new to Linux and recently trying to build a DNS server with a transparent proxy for my Wifi broadcasting. I'd installed Red Hat Enterprise 4 into my computer and run every configuration needed to build up a DNS server such as hosts, host.conf, resolv.conf, named.conf, etc.
Infrastructure: internet (ISP) <-> ADSL2+ modem router <-> mycompany.com (DNS server) <-> Home Network & Wifi Broadcasting.
The server has two ethernet cards:
eth0 : 192.168.0.5
eth1 : 192.168.1.5
DNS server : 192.168.1.5
]#ping mycompany.com
PING mycomputer.mycompany.com (192.168.1.5) 56 (84) bytes of data.
....etc.
The DNS is running fine but my problem now is the iptables. DHCP is also running fine on both ends, eth0 and eth1.
==========================PROBLEM =================================
Here is the iptables in /etc/init.d/iptables
Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -P udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j REDIRECT -to-port 3128
COMMIT
When I run it!
# /etc/init.d/iptables restart
Flush firewll rules : [OK]
Setting chains to policy ACCEPT: filter [OK]
Unloading iptables modules: [OK]
Applying iptables firewall rules: Bad argument 'nat'
Error Occurred at line: 24
Try 'iptables-restore -h' or 'iptables-restore --help' for more information [FAILED]
I had tried things such as (-iptable, nat, -t) and they simply give me a headache. I am really frustrated because I have been trying for some time but have found no solution. Anyone who can help me solve the problem will be appreciated.
Best Regards,
Sam |
Always start with a default drop policy... there's no point having all those explicit accepts if you are already accepting everything by default.
it's supposed to be one of: Code:
iptables -A PREROUTING -t NAT
http://freshmeat.net/articles/view/1433/ ... explains a fair bit - you seem to be doing it the hard way. |
Maybe the trouble lies at the end of the 'to'.
I think you should use '-to' or '--to'. Have a try, does it work? |
Thanks Simon Bridge,
I'd tried to add the code line as given, -A PREROUTING -, and I got the error as shown below:
Applying iptables firewall rules: iptables-restore v1.2.11: line 23 seems to have a -t table option.
Error occurred at line: 23 |
Hi wanghao, thanks for your tips. Your suggestion also got an error. Where could the error be, or do I need to upgrade squid instead? |
Quote:
-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
should be:
--table NAT -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
or:
-t NAT -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
What did you do? I'm not sure the line makes any sense though. Did you read the linux proxy tutorial? |
I'm sorry your problem is still there, and following your first post the trouble appeared in the nat table,
so I tried on my host and it works well just like this:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
# at the first time I followed yours and it reported that "80 is a bad argument", so I modified it as you see. Hope that this may help you! Good luck! |
Both commands got the same error:
iptables-restore v1.2.11: line 25 seems to have a -t table option.
This is weird because every single article that I had read suggests the same command, but I just can't use -t, -table, -iptables or nat in /etc/sysconfig/iptable. I bought a textbook, Fedora 7 and Red Hat Enterprise Linux Bible written by Christopher Negus, and followed every step to set up or configure, but it is not helping a lot... ended up with nothing accomplished! http://www.amazon.com/Fedora-Red-Ent...374365-3944727
I even tried -t -nat -A PREROUTING -i eth1 ... etc., and also got the same error! :(
PS: The squid is running fine. http://freshmeat.net/articles/view/1433/ |
Possibly I missed something, hence this error just won't go away? |
OK, I'll check it myself:
$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
Bad argument `80'
Hmm... the following is error-free
~$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
... it was a matter of getting the double-dashes in the right places. What is it you expect that line to achieve btw? What's with the amazon.com link? |
/etc/sysconfig/iptables
-t nat -A -PREROUTING -i -eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
I ran it and got the same error as posted in #4: "iptables-restore v1.2.11: line 25 seems to have a -t table option."
What I am trying to do is to route traffic from eth0 to eth1. Here is the drawing:
Internet (ISP) <--(1)--> Prolink ADSL2+ modem/Router <--(2)--> Switch <--eth0-(3)--*--> mycomputer.com (server: DNS, DHCP, Squid, Radius (billing)) <--eth1-(4)--> SmartBridge airHaul Nexus 2.4 GHz / home network (testing).
(1) DHCP from ISP
(2) Gateway (example 192.168.1.1, example IP: 192.168.1.2)
(3) 8-port switch hub
(4) Wifi 802.11a/b/g
* Clients (1) / home network for testing; browsing works fine.
** What I am trying to do is to route traffic from eth1 to eth0 so the SmartBridge/clients can browse the Internet. At the moment the DNS server (mycomputer.com) still can't browse the Internet, but I have put a forwarder in named.conf. I wonder why a connection from the switch to my computer can browse (putting in the ISP DNS IP address) but mycomputer can't :( amazon.com just refers to the book I had been reading, nothing particular. If I have not explained clearly enough, please feel free to ask. |
You should be using masquerading or bridging for this. I posted a link from way back taking you to a tutorial. Is there a reason neither of these techniques works for you? |
I think MASQUERADING is not best for this because it's for an internet connection where the IP address is assigned dynamically (ISP). If I'm not mistaken, MASQUERADING would be implemented if my mycomputer.com (server) got its IP address from the ISP. Meanwhile mycomputer.com uses a static IP address (eth0: 192.168.1.5) and the Prolink ADSL2+ does the routing. Hence I decided on SNAT for this implementation. Please correct me if I am wrong! |
Quote:
CLI?
http://acronyms.thefreedictionary.com/CLI Command Line Interface - your fav. shell will do.
The bridging method produces a transparent gateway, which can also be used to provide a proxy, content protection, etc. It's very powerful, scalable, and flexible. So it's become a popular method. Suggest you look into it.
Basic NAT + IP Forwarding usually goes like this:
Code:
# Allow IP Forwarding and use NAT for outgoing connections.
If I've understood your setup, the nic that looks at the internet is eth0 (so WEBFACE=eth0), and the IP of this nic is 192.168.1.5 (so WEBIP=192.168.1.5). The only place you can now get errors is in mixing up the IPs and nics (or if your kernel doesn't support this... unusual, but it happens with custom kernels). I'm not about to mirror your setup here, so you'll have to figure that out yourself. The command is correct.
I still think that your lack of DROP policies suggests some confusion about what you are trying to do - especially as you have explicit ACCEPT rules in there. They're moot - with ACCEPT policies on all chains, you need to be explicitly DROPping undesirable packets. Security is easier with DROP policies... then you set up rules to accept desirable packets.
What you are trying to do looks a lot like what I was doing a while ago... I've dug up my old firewall script for reference. I used to use this as a point of departure.
Code:
###################################################################### |
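The NAT + IP forwarding setup described in the post above, written out as an added example. This is not Simon Bridge's script (which did not survive in the thread) and not code from any of the posts. It follows the thread's interface roles (eth0 facing the modem/router with 192.168.1.5, eth1 facing the LAN) but the LAN address 192.168.0.5, the LAN network 192.168.0.0/24 and the squid port 3128 are assumptions. The output is in the format that /etc/sysconfig/iptables is loaded with (iptables-restore): the table is chosen by a `*nat` section header closed by its own COMMIT, there is no `-t` option inside the file, and long options carry two dashes. Every chain starts from a DROP policy and only the listed traffic is accepted.

```python
"""Generate /etc/sysconfig/iptables in iptables-save format.

Added example, not Simon Bridge's script. Interface roles follow the thread
(eth0 = internet-facing 192.168.1.5, eth1 = LAN); the LAN address, LAN
network and proxy port are assumptions.
"""


def build_ruleset(webface="eth0", webip="192.168.1.5", lanface="eth1",
                  lanip="192.168.0.5", lan_net="192.168.0.0/24",
                  proxy_port=3128, masquerade=False):
    """Return the text of a restore file with DROP policies and a nat table.

    iptables-restore reads one '*table' section at a time, each closed by
    COMMIT; the table is never chosen with -t inside the file, and every
    long option carries two dashes (--dport, --to-ports, --to-source).
    """
    if masquerade:  # dynamic WAN address: let the kernel pick the source
        snat = "-A POSTROUTING -o %s -j MASQUERADE" % webface
    else:           # static WAN address, as in this thread
        snat = "-A POSTROUTING -o %s -j SNAT --to-source %s" % (webface, webip)

    filter_table = [
        "*filter",
        # Default-deny on every chain; only listed traffic is accepted.
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # Services the box offers to the LAN: DNS, DHCP and the squid port
        # that REDIRECTed web traffic lands on.
        "-A INPUT -i %s -s %s -p udp --dport 53 -j ACCEPT" % (lanface, lan_net),
        "-A INPUT -i %s -s %s -p tcp --dport 53 -j ACCEPT" % (lanface, lan_net),
        # DHCP DISCOVER comes from 0.0.0.0, so no -s filter on this one.
        "-A INPUT -i %s -p udp --dport 67 -j ACCEPT" % lanface,
        "-A INPUT -i %s -s %s -p tcp --dport %d -j ACCEPT" % (lanface, lan_net, proxy_port),
        "-A INPUT -i %s -p icmp --icmp-type echo-request -j ACCEPT" % webface,
        # LAN -> internet may open connections; replies come back by state.
        "-A FORWARD -i %s -o %s -s %s -m state --state NEW -j ACCEPT" % (lanface, webface, lan_net),
        "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # Only packets carrying one of our own addresses may leave (no spoofing).
        "-A OUTPUT -o lo -j ACCEPT",
        "-A OUTPUT -s %s -j ACCEPT" % webip,
        "-A OUTPUT -s %s -j ACCEPT" % lanip,
        "COMMIT",
    ]
    nat_table = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        # Transparent proxy: LAN web traffic is diverted to squid on this host.
        "-A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %d"
        % (lanface, lan_net, proxy_port),
        snat,
        "COMMIT",
    ]
    return "\n".join(filter_table + nat_table) + "\n"


def sysctl_lines():
    """Kernel setting that pairs with the FORWARD rules (for /etc/sysctl.conf)."""
    return "net.ipv4.ip_forward = 1\n"


if __name__ == "__main__":
    print(build_ruleset(), end="")
```

Writing the output to /etc/sysconfig/iptables and running `service iptables restart` loads both tables in one go; `masquerade=True` swaps the SNAT rule for MASQUERADE for the dynamic-address case discussed earlier in the thread.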
Below here is the file:
---------------------------iptables-config--------------------
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modules.conf.
IPTABLES_MODULES="ip_nat_ftp"

# Unload modules on restart and stop
#   Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"
--------------end of iptables-config-------------------

IP forwarding is also enabled:
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

-----------------------here the iptables-----------------------
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
#*nat
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
## User defined chain for ACCEPTED TCP packet
-N mars
-A mars -p TCP --syn -j ACCEPT
-A mars -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A mars -p TCP -j DROP
## INPUT Chain rules
-A INPUT -p ALL -i eth1 -s 192.168.0.10/24 -j ACCEPT
-A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.0.10 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.1.5 -j ACCEPT
-A INPUT -p ALL -i lo -d 192.168.0.10 -j ACCEPT
## RULES FOR INCOMING PACKET FROM THE INTERNET
# PACKET FOR ESTABLISHED CONNECTIONS
-A INPUT -p ALL -d 192.168.1.5 -m state --state ESTABLISHED,RELATED -j ACCEPT
## TCP Rules
-A INPUT -p TCP -i eth0 --destination-port 21 -j mars
-A INPUT -p TCP -i eth0 --destination-port 22 -j mars
-A INPUT -p TCP -i eth0 --destination-port 80 -j mars
-A INPUT -p TCP -i eth0 --destination-port 113 -j mars
## UDP rules
-A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT
## FORWARD CHAIN RULES
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## OUTPUT CHAIN RULES
# ONLY OUTPUT PACKET WITH LOCAL ADDRESSES (NO SPOOFING)
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.0.10 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.1.5 -j ACCEPT
## POSTROUTING chain rules
-table nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
COMMIT
---------------------end of iptables --------------------------

When I run it, I got the error: Bad argument 'nat'
If I changed 'nat' to -table NAT, I got the same error.
-t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
or -t NAT -A .... etc.
(iptables-restore v1.2.11: line 49 seems to have a -t table option [FAILED]
Where did I go wrong, and is there somewhere I can improve to solve the problem? |
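A small checker for the restore-file mistakes that recur through this thread, as an added example that is not from any of the posts. It reads a file in the format of /etc/sysconfig/iptables and reports a `-t`, `-table` or `--table` option inside the file (the cause of the "seems to have a -t table option" message above), single-dash long options such as `-dport` or `-to` (the "Bad argument `80'" case), a short option left without its argument, PREROUTING/POSTROUTING rules placed under `*filter` instead of `*nat`, and a table section with no COMMIT. SAMPLE is a constructed fragment modelled on the first post's file, not a copy of it; GOOD is a constructed clean file for comparison.

```python
"""Check a file in iptables-save/iptables-restore format for the mistakes seen
in this thread. Added example, not from the original posts; SAMPLE and GOOD are
constructed fragments, not copies of anyone's file."""

# Long options that must start with two dashes.
LONG_OPTS = {"dport", "sport", "to", "to-source", "to-destination", "to-ports",
             "state", "syn", "icmp-type", "reject-with", "destination-port"}
# Short options that require a following argument.
ARG_OPTS = {"-A", "-I", "-D", "-N", "-P", "-i", "-o", "-s", "-d", "-p", "-j", "-m"}
NAT_CHAINS = {"PREROUTING", "POSTROUTING"}


def lint_restore(text):
    """Return a list of (line_number, message) tuples; an empty list means clean."""
    problems = []
    table = None  # table section currently open, or None
    n = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if table is not None:
                problems.append((n, "table *%s opened before *%s was COMMITted" % (line[1:], table)))
            table = line[1:]
            continue
        if line == "COMMIT":
            if table is None:
                problems.append((n, "COMMIT without an open *table section"))
            table = None
            continue
        if table is None:
            problems.append((n, "rule outside any *table section"))
        toks = line.split()
        for i, tok in enumerate(toks):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if tok in ("-t", "-table", "--table"):
                problems.append((n, "'%s' is a CLI option; a restore file selects the table "
                                    "with a *name header instead" % tok))
            elif tok.startswith("-") and not tok.startswith("--") and tok[1:] in LONG_OPTS:
                problems.append((n, "'%s' needs two dashes: '--%s'" % (tok, tok[1:])))
            elif tok in ARG_OPTS and (nxt is None or nxt.startswith("-")):
                problems.append((n, "option %s is missing its argument" % tok))
        # nat-only chains under *filter are the other way this thread's files were laid out wrongly
        for i in range(len(toks) - 1):
            if table == "filter" and toks[i] in ("-A", "-I") and toks[i + 1] in NAT_CHAINS:
                problems.append((n, "chain %s belongs in *nat, not *filter" % toks[i + 1]))
    if table is not None:
        problems.append((n, "table *%s has no COMMIT" % table))
    return problems


SAMPLE = """\
# constructed fragment in the style of the first post's /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
-t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
COMMIT
"""

GOOD = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
COMMIT
"""

if __name__ == "__main__":
    for lineno, msg in lint_restore(SAMPLE):
        print("line %d: %s" % (lineno, msg))
    print("GOOD problems:", lint_restore(GOOD))
```

Run against SAMPLE it points at line 6 (option without argument), line 8 (`-table`, `-dport`, `-to`, PREROUTING under *filter) and line 9 (`-t`, POSTROUTING under *filter), while GOOD passes clean; the same check can be pointed at a real /etc/sysconfig/iptables before running `service iptables restart`.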