LinuxQuestions.org
Help me! iptables (https://www.linuxquestions.org/questions/linux-newbie-8/help-me-iptables-598536/)

saman 11-10-2007 04:20 AM

Help me! iptables
 
Hi Everyone,

I am new to Linux and am currently trying to build a DNS server with a transparent proxy for my Wi-Fi broadcasting.
I installed Red Hat Enterprise 4 on my computer and did every configuration needed to build up a DNS server, such as hosts, host.conf, resolv.conf, named.conf, etc.

Infrastructure:

internet (ISP) <-> ADSL2+ modem router <-> mycompany.com (DNS Server) <-> Home Network & Wifi Broadcasting.

The server has two ethernet card,
eth0 : 192.168.0.5
eth1 : 192.168.1.5

DNS server : 192.168.1.5

# ping mycompany.com
PING mycomputer.mycompany.com (192.168.1.5) 56(84) bytes of data.
....etc.

The DNS is running fine, but my problem now is iptables.
DHCP is also running fine on both ends, eth0 and eth1.

==========================PROBLEM =================================

Here is the iptables file in
# /etc/init.d/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j REDIRECT -to-port 3128
COMMIT

When I run it:

# /etc/init.d/iptables restart
Flushing firewall rules: [OK]
Setting chains to policy ACCEPT: filter [OK]
Unloading iptables modules: [OK]
Applying iptables firewall rules: Bad argument 'nat'
Error occurred at line: 24
Try 'iptables-restore -h' or 'iptables-restore --help' for more information
[FAILED]

I have tried variants such as -iptable, nat and -t, and it simply gives me a headache.
I am really frustrated because I have been trying for some time with no solution.
Help from anyone who can solve this problem will be appreciated.

Best Regards,
Sam

Simon Bridge 11-10-2007 07:11 AM

Always start with a default drop policy... there's no point having all those explicit accepts if you are already accepting everything by default.

It's supposed to be one of:
Code:

iptables -A PREROUTING -t NAT
iptables -A PREROUTING --table NAT

Here's a tutorial on setting up a transparent proxy with iptables:
http://freshmeat.net/articles/view/1433/
... explains a fair bit - you seem to be doing it the hard way.

wanghao 11-11-2007 01:46 AM

Maybe the trouble lies at the end, at the 'to'.
I think you should use '--to' rather than '-to'.
Have a try; does it work?

saman 11-11-2007 09:31 PM

Thanks Simon Bridge,
I tried adding the code line as given:
-A PREROUTING -
and I got the error shown below:

Applying iptables firewall rules: iptables-restore v1.2.11: line 23 seems to have a -t table option.
Error occurred at line: 23

saman 11-11-2007 09:34 PM

Quote:

Originally Posted by wanghao (Post 2954937)
Maybe the trouble lies at the end, at the 'to'.
I think you should use '--to' rather than '-to'.
Have a try; does it work?


Hi wanghao, thanks for your tips.
Your suggestion also gave an error.
Where could the error be, or do I need to upgrade squid instead?

Simon Bridge 11-11-2007 10:44 PM

-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

should be:

--table NAT -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

or:

-t NAT -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

what did you do?

I'm not sure the line makes any sense though. Did you read the linux proxy tutorial?

wanghao 11-12-2007 01:28 AM

I'm sorry your problem is still there. Following your first post, the trouble appeared in the nat table,
so I tried on my host and it works well just like this:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
# the first time I followed yours it reported that "80 is a bad argument", so I modified it as you see.
Hope this may help you! Good luck!

saman 11-12-2007 02:56 AM

Quote:

Originally Posted by Simon Bridge (Post 2955816)
-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

should be:

--table NAT -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

or:

-t NAT -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

what did you do?

I'm not sure the line makes any sense though. Did you read the linux proxy tutorial?

OK, I put it in /etc/sysconfig/iptables as suggested and got errors;
both commands got the same error:
iptables-restore v1.2.11: line 25 seems to have a -t table option.

This is weird because every single article I have read suggests the same command, but I just can't use -t, -table, -iptables or nat in /etc/sysconfig/iptables.
I bought the textbook Fedora 7 and Red Hat Enterprise Linux Bible written by Christopher Negus and followed every step to set up or configure, but it did not help a lot... ended up with nothing accomplished!
http://www.amazon.com/Fedora-Red-Ent...374365-3944727

I even tried -t -nat -A PREROUTING -i eth1... etc. and also got the same error! :(

PS:
Squid is running fine.
http://freshmeat.net/articles/view/1433/

saman 11-12-2007 03:10 AM

Quote:

Originally Posted by wanghao (Post 2955907)
I'm sorry your problem is still there. Following your first post, the trouble appeared in the nat table,
so I tried on my host and it works well just like this:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
# the first time I followed yours it reported that "80 is a bad argument", so I modified it as you see.
Hope this may help you! Good luck!

I got the same error as in post #4.
Possibly I missed something, hence this error just won't go away?

Simon Bridge 11-12-2007 05:27 AM

OK, I'll check it myself:

$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
Bad argument `80'

Hmm... the following is error-free

~$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128

... it was a matter of getting the double-dashes in the right places.

What is it you expect that line to achieve btw?

What's with the amazon.com link?

saman 11-14-2007 04:59 AM

Quote:

Originally Posted by Simon Bridge (Post 2956046)
OK, I'll check it myself:

$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
Bad argument `80'

Hmm... the following is error-free

~$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128

... it was a matter of getting the double-dashes in the right places.

What is it you expect that line to achieve btw?

What's with the amazon.com link?

Sorry for the late reply..
/etc/sysconfig/iptables:
-t nat -A -PREROUTING -i -eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
I ran it and got the same error as posted in #4:
"iptables-restore v1.2.11: line 25 seems to have a -t table option."

What I am trying to do is route traffic from eth0 to eth1.
Here is the drawing:


Internet (ISP) <--(1)--> Prolink ADSL2+ modem /Router <--(2)--> Switch <--eth0-(3)--*--> mycomputer.com (server : DNS, DHCP, Squid, Radius (billing)) <--eth1-(4)--> SmartBridge airHaul Nexus 2.4 Ghz /home network (testing).

(1) DHCP from ISP
(2) Gateway (example 192.168.1.1, example IP: 192.168.1.2)
(3) 8-port switch hub
(4) Wifi 802.11a/b/g
* Clients (1) / home network for testing; browsing works fine

What I am trying to do is route traffic from eth1 to eth0 so that the SmartBridge/clients can browse the Internet.
At the moment the DNS server (mycomputer.com) still can't browse the Internet, although I have put a forwarder in named.conf.
I wonder why a connection from the switch to my computer can browse (by putting in the ISP DNS IP address) but mycomputer can't :(

amazon.com just refers to the book that I have been reading, nothing in particular.

If my explanation is not clear enough, please feel free to ask.

Simon Bridge 11-14-2007 08:46 AM

Quote:

What I am trying to do is to route traffic from eth0 to eth1.
You don't seem to be going about it the right way.
You should be using masquerading or bridging for this.
I posted a link from way back taking you to a tutorial. Is there a reason neither of these techniques works for you?

Quote:

"iptables-restore v1.2.11: line 25 seems to have a -t table option.
... run the command from CLI like I did and see what happens.

saman 11-14-2007 09:40 AM

Quote:

Originally Posted by Simon Bridge (Post 2958640)
You don't seem to be going about it the right way.
You should be using masquerading or bridging for this.
I posted a link from way back taking you to a tutorial. Is there a reason neither of these techniques works for you?


... run the command from CLI like I did and see what happens.

CLI?

I think MASQUERADING is not best for this because it's for an Internet connection where the IP address is assigned dynamically (ISP). If I'm not mistaken, MASQUERADING would be implemented if mycomputer.com (the server) got its IP address from the ISP.
Meanwhile mycomputer.com uses a static IP address (eth0: 192.168.1.5) and the Prolink ADSL2+ does the routing. Hence I decided on SNAT for this implementation.

Please correct me if I am wrong!

Simon Bridge 11-14-2007 09:46 PM

Quote:

Originally Posted by saman (Post 2958688)
CLI?

http://acronyms.thefreedictionary.com/CLI
Command Line Interface - your fav. shell will do.

Quote:

I think MASQUERADING is not best for this because it's for internet connection where IP address is assigned dynamically (ISP). If I'd not mistaken MASQUERADING for implemented if my mycomputer.com (Server) get IP Address from ISP.
Meanwhile mycomputer.com use static IP address (eth0: 192.168.1.5) and Prolink ADSL2+ does the routing. Hence I decided SNAT for this implementation.

please correct me if I am wrong!
Hmmm... I thought it was for when the ISP-assigned (external) IP was via DHCP. You still use NAT to get packets to the correct internal host.

The bridging method produces a transparent gateway, which can also be used to provide a proxy, content protection, etc. It's very powerful, scalable, and flexible. So it's become a popular method. Suggest you look into it.

Basic NAT + IP Forwarding usually goes like this:
Code:

# Allow IP Forwarding and use NAT for outgoing connections.
# (Only use for dual homed host acting as an internet gateway.)
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -o $WEBFACE -j SNAT --to $WEBIP

Now, you didn't make any DROP policies so the second line is moot. But I don't see you enabling IP-Forwarding, which would be a problem.

If I've understood your setup, the nic that looks at the internet is eth0 (so WEBFACE=eth0), and the IP of this nic is 192.168.1.5 (so WEBIP=192.168.1.5). The only place you can now get errors is in mixing up the IPs and nics (or if your kernel doesn't support this... unusual, but it happens with custom kernels). I'm not about to mirror your setup here, so you'll have to figure that out yourself. The command is correct.

I still think that your lack of DROP policies suggests some confusion about what you are trying to do - especially as you have explicit ACCEPT rules in there. They're moot - with ACCEPT policies on all chains, you need to be explicitly DROPping undesirable packets. Security is easier with DROP policies... then you set up rules to accept desirable packets.

What you are trying to do looks a lot like what I was doing a while ago... I've dug up my old firewall script for reference. I used to use this as a point of departure.

Code:

#! /bin/bash
######################################################################
# sdb firewall: Simon Bridge 2005                                    #
# Updated 2006, 2007                                                 #
# based on the mdh firewall of Jon "maddog" Hall & Paul G Seary 2003 #
# (CC) Creative Commons Attribution Share-alike                      #
# Leave this header in place with the CC notice.                     #
######################################################################

# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# remove existing rules (filter and nat tables), user chains and counters
iptables --flush
iptables -t nat --flush
iptables --delete-chain
iptables --zero

# Definitions
MYNET="192.168.2.0/24"
LANFACE="eth0"
WEBFACE="eth0"
WEBIP="192.168.0.0" # for a gateway
DNS01=""
DNS02=""
BCAST="192.168.255.255"
LOOPB="127.0.0.1/32"

ADDINP="iptables -A INPUT"
ADDOUT="iptables -A OUTPUT"
ADDFWD="iptables -A FORWARD"

### Kernel Parameters ###

# Uncomment to disable response to icmp ping requests.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance on every interface.
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  /bin/echo "0" > $interface
done

# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering on every interface.
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
  /bin/echo "1" > $interface
done

# Make sure that IP forwarding is turned off.
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

### Rules ###

# Set up a default DROP policy for the built-in chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### Explicit deny rules before the accept rules
# Prevent external packets from using loopback addr
$ADDINP  -i $WEBFACE -s $LOOPB -j DROP
#$ADDFWD -i $WEBFACE -s $LOOPB -j DROP
$ADDINP  -i $WEBFACE -d $LOOPB -j DROP
#$ADDFWD -i $WEBFACE -d $LOOPB -j DROP

### Explicit allow rules

# Allow traffic on the loopback interface.
$ADDINP  -i lo -j ACCEPT
$ADDOUT -o lo -j ACCEPT

# Allow SSH connections
$ADDINP -p tcp --dport 22 -j ACCEPT

# Allow only initiated traffic in
$ADDINP -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow access to Samba shares via the LAN (match on the LAN interface)
#$ADDINP -p udp -m udp -i $LANFACE --dport 137 -j ACCEPT
#$ADDINP -p udp -m udp -i $LANFACE --dport 138 -j ACCEPT
#$ADDINP -m state --state NEW -m tcp -p tcp -i $LANFACE --dport 139 -j ACCEPT
#$ADDINP -m state --state NEW -m tcp -p tcp -i $LANFACE --dport 445 -j ACCEPT

# Allow IP Forwarding and use NAT for outgoing connections.
# (Only use for dual homed host acting as an internet gateway.)
#/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
#iptables -P FORWARD ACCEPT
#iptables -A POSTROUTING -t nat -o $WEBFACE -j SNAT --to $WEBIP

# Allow network traffic through LAN
$ADDINP -i $LANFACE -s $MYNET -j ACCEPT

# Allow all traffic out
# Any other output rule should go /before/ this one
$ADDOUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Policy ACCEPT would work as well ... but I could add explicit rules
# here and comment out this line instead


saman 11-15-2007 10:23 AM

Quote:

Originally Posted by Simon Bridge (Post 2959289)
Command Line Interface - your fav. shell will do.

[...]

What you are trying to do looks a lot like what I was doing a while ago... I've dug up my old firewall script for reference. I used to use this as a point of departure.

[...]

OK, since you recommended it, I decided to implement a DROP policy.

Below is the file:
---------------------------iptables-config--------------------

# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modules.conf.
IPTABLES_MODULES="ip_nat_ftp"

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

--------------end of iptables-config-------------------

IP forwarding is also enabled:
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

-----------------------here the iptables-----------------------

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
#*nat

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

##User defined chain for ACCEPTED TCP packet
-N mars
-A mars -p TCP --syn -j ACCEPT
-A mars -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A mars -p TCP -j DROP

## INPUT Chain rules
-A INPUT -p ALL -i eth1 -s 192.168.0.10/24 -j ACCEPT
-A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.0.10 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.1.5 -j ACCEPT
-A INPUT -p ALL -i lo -d 192.168.0.10 -j ACCEPT

## rULES FOR INCOMING PACKET FROM THE INTERNET

# PACKET FOR ESTABLISHED CONNECTIONS
-A INPUT -p ALL -d 192.168.1.5 -m state --state ESTABLISHED,RELATED -j ACCEPT

## TCP Rules
-A INPUT -p TCP -i eth0 --destination-port 21 -j mars
-A INPUT -p TCP -i eth0 --destination-port 22 -j mars
-A INPUT -p TCP -i eth0 --destination-port 80 -j mars
-A INPUT -p TCP -i eth0 --destination-port 113 -j mars

## ICMP rules
-A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT

## FORWARD CHAIN RULES
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## OUTPUT CHAIN RULES
# ONLY OUTPUT PACKET WITH LOCAL ADDRESSES (NO SPOOFING)
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.0.10 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.1.5 -j ACCEPT

## POSTROUTING chain rules
-table nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5

COMMIT

---------------------end of iptables --------------------------

When I run it, I get the error:
Bad argument 'nat'
If I change 'nat' to -table NAT, I get the same error.

-t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
or
-t NAT -A ....etc
(iptables-restore v1.2.11: line 49 seems to have a -t table option [FAILED]

Where did I go wrong, and where can I improve to solve the problem?
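Editor's note on the error that runs through this whole thread. Both of saman's files (the first post and the last one) are in iptables-save format, which is what /etc/init.d/iptables feeds to iptables-restore, and that format does not take a table option on a rule line. Every "-t nat", "--table nat" and "-table nat" variant fails for the same reason: the table is chosen by a "*nat" header line, each table is terminated by its own COMMIT, and the chains used in that table are declared with ":CHAIN POLICY [0:0]" lines (or -N) before the rules. The options "-dport" and "-to" fail separately because iptables long options always take two dashes. The block below is an added example, not code from the thread or from Red Hat: it generates a complete /etc/sysconfig/iptables for the dual-homed host described here (default-DROP INPUT and FORWARD, a REDIRECT to the local Squid for transparent proxying, SNAT on the router-facing side) and includes a small lint in awk that catches exactly the mistakes iptables-restore rejected. The interface roles and addresses (eth0/192.168.1.5 toward the ADSL router, eth1 toward the Wi-Fi clients, Squid on 3128) are taken from the thread; the client prefix 192.168.0.0/24, the choice to leave OUTPUT at ACCEPT, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-save format file for
# the dual-homed host in the thread and lint it for the mistakes that made
# iptables-restore fail ("-t nat" on a rule line, single-dash long options,
# rules for chains the table never declared).
#
# Assumptions: eth0/192.168.1.5 faces the ADSL router (thread), eth1 faces the
# Wi-Fi clients (thread), Squid listens locally on 3128 (thread). The client
# prefix 192.168.0.0/24 and OUTPUT=ACCEPT are this example's choices.
WAN_IF=eth0
WAN_IP=192.168.1.5
LAN_IF=eth1
LAN_NET=192.168.0.0/24
PROXY_PORT=3128

# Print the ruleset. One "*table ... COMMIT" block per table; the nat rules
# live under "*nat" instead of carrying a -t option.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

# Lint a file (or stdin) in iptables-save format. Prints one diagnostic per
# problem and returns 1 if any were found, 0 for a clean file.
lint_ruleset() {
    awk '
    BEGIN { bad = 0; table = "" }
    function fail(msg) { printf("line %d: %s\n", NR, msg); bad = 1 }
    /^#/ || /^[[:space:]]*$/ { next }
    /^\*/ {
        if (table != "") fail("table " table " not closed with COMMIT before new table")
        table = substr($1, 2); split("", chains); next
    }
    /^COMMIT$/ {
        if (table == "") fail("COMMIT without an open table")
        table = ""; next
    }
    /^:/ {
        if (table == "") fail("chain declaration outside a table block")
        chains[substr($1, 2)] = 1; next
    }
    /^-/ {
        if (table == "") fail("rule outside a *table ... COMMIT block")
        for (i = 1; i <= NF; i++) {
            if ($i == "-t" || $i == "--table" || $i == "-table")
                fail("table must be selected with a *" $(i+1) " header, not " $i)
            else if ($i ~ /^-[A-Za-z][A-Za-z-]+$/)
                fail("single-dash long option " $i " (did you mean -" $i "?)")
            else if ($i == "-N")
                chains[$(i+1)] = 1
            else if (($i == "-A" || $i == "-I" || $i == "-D") && !($(i+1) in chains))
                fail("chain " $(i+1) " not declared with :" $(i+1) " in table " table)
        }
        next
    }
    { fail("unrecognised line: " $0) }
    END { if (table != "") fail("table " table " not closed with COMMIT"); exit bad }
    ' "$@"
}

# Constructed input: the rule from the thread's first post, wrapped in a
# minimal filter table, so the lint has the real failure to report.
broken_rule() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128' \
        'COMMIT'
}

# Stand-alone use: gen_ruleset > /etc/sysconfig/iptables, then lint it.
gen_ruleset | lint_ruleset && echo "generated ruleset is well-formed"
broken_rule | lint_ruleset
```

To apply it on the system in the thread, write the generated file to /etc/sysconfig/iptables and run "service iptables restart"; put "net.ipv4.ip_forward = 1" in /etc/sysctl.conf as well, since echoing into /proc does not survive a reboot. Newer iptables releases also accept "iptables-restore --test < file" to parse a file without loading it, which is a cheaper check than the lint above. Two things the ruleset assumes: Squid must be configured to accept intercepted traffic (the "transparent" http_port flag in Squid 2.6/3.0, "intercept" from 3.1 on), which is the "upgrade squid" question raised earlier in the thread; and SNAT with a fixed --to-source is right here only because eth0 has a static address, as saman says. If the router-facing address were handed out by DHCP, "-j MASQUERADE" would be the correct target instead.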

