LinuxQuestions.org
Old 11-10-2007, 05:20 AM   #1
saman (Member, Registered: Oct 2007, Posts: 49)
Help me! iptables


Hi Everyone,

I am new to Linux and recently trying to build a DNS server with a transparent proxy for my WiFi broadcasting.
I installed Red Hat Enterprise 4 on my computer and did every configuration needed to build up a DNS server, such as hosts, host.conf, resolv.conf, named.conf, etc.

Infrastructure:

internet (ISP) <-> ADSL2+ modem router <-> mycompany.com (DNS Server) <-> Home Network & Wifi Broadcasting.

The server has two ethernet cards:
eth0 : 192.168.0.5
eth1 : 192.168.1.5

DNS server : 192.168.1.5

]#ping mycompany.com
PING mycomputer.mycompany.com (192.168.1.5) 56 (84) bytes of data.
....etc.

The DNS is running fine, but my problem now is iptables.
DHCP is also running fine on both ends, eth0 and eth1.

==========================PROBLEM =================================

Here is the iptables file:
# /etc/init.d/iptables

* Firewall configuration written by system-config securitylevel
* Manual Customization of this file is not recommended.
*filter

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -P udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j REDIRECT -to-port 3128
COMMIT

When I run it:

# /etc/init.d/iptables restart
Flush firewll rules : [OK]
Setting chains to policy ACCEPT: filter [OK]
Unloading iptables modules: [OK]
Applying iptables firewall rules: Bad argument 'nat'
Error Occurred at line: 24
Try 'iptables-restore -h' or 'iptables-restore --help' for more information
[FAILED]

I have tried things like -iptable, nat and -t, and it simply gives me a headache.
I am really frustrated because I have been trying for some time with no solution.
Anyone who can help me solve the problem will be appreciated.

Best Regards,
Sam
 
Old 11-10-2007, 08:11 AM   #2
Simon Bridge (LQ Guru, Registered: Oct 2003, Location: Waiheke NZ, Distribution: Ubuntu, Posts: 9,211)
Always start with a default drop policy... there's no point having all those explicit accepts if you are already accepting everything by default.

It's supposed to be one of:
Code:
iptables -A PREROUTING -t NAT
iptables -A PREROUTING --table NAT
Here's a tutorial on setting up a transparent proxy with iptables:
http://freshmeat.net/articles/view/1433/
... it explains a fair bit - you seem to be doing it the hard way.

Last edited by Simon Bridge; 11-10-2007 at 08:13 AM.
 
Old 11-11-2007, 02:46 AM   #3
wanghao (Member, Registered: Mar 2007, Distribution: centos, Posts: 126)
Maybe the trouble lies at the end, in the '-to'.
I think you should use '--to' instead of '-to'.
Have a try, does it work?
 
Old 11-11-2007, 10:31 PM   #4
saman (Member, Original Poster, Registered: Oct 2007, Posts: 49)
Thanks Simon Bridge,
I tried adding the code line as given:
-A PREROUTING -
and I got the error shown below:

Applying iptables firewall rules: iptables-restore v1.2.11: line 23 seems to have a -t table option.
Error occurred at line: 23
 
Old 11-11-2007, 10:34 PM   #5
saman (Member, Original Poster, Registered: Oct 2007, Posts: 49)
Quote:
Originally Posted by wanghao View Post
Maybe the trouble lies at the end, in the '-to'.
I think you should use '--to' instead of '-to'.
Have a try, does it work?

Hi wanghao, thanks for your tips.
Your suggestion also got an error.
Where could the error be, or do I need to upgrade squid instead?
 
Old 11-11-2007, 11:44 PM   #6
Simon Bridge (LQ Guru, Registered: Oct 2003, Location: Waiheke NZ, Distribution: Ubuntu, Posts: 9,211)
-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

should be:

--table NAT -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

or:

-t NAT -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

What did you do?

I'm not sure the line makes any sense though. Did you read the linux proxy tutorial?
 
Old 11-12-2007, 02:28 AM   #7
wanghao (Member, Registered: Mar 2007, Distribution: centos, Posts: 126)
I'm sorry your problem is still there. Following your first post, the trouble appeared in the nat table,
so I tried on my host and it works well just like this:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
# the first time I followed yours it reported that "80 is a bad argument", so I modified it as you see.
Hope that this may help you! Good luck!
 
Old 11-12-2007, 03:56 AM   #8
saman (Member, Original Poster, Registered: Oct 2007, Posts: 49)
Quote:
Originally Posted by Simon Bridge View Post
-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

should be:

--table NAT -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

or:

-t NAT -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128

What did you do?

I'm not sure the line makes any sense though. Did you read the linux proxy tutorial?
OK, I put it in /etc/sysconfig/iptables as suggested and got errors;
both commands got the same error:
iptables-restore v1.2.11: line 25 seems to have a -t table option.

This is weird because every single article I have read suggests the same command, but I just can't use -t, -table, -iptables or nat in /etc/sysconfig/iptables.
I bought a textbook, Fedora 7 and Red Hat Enterprise Linux Bible, written by Christopher Negus, and followed every step to set up and configure, but it is not helping a lot.... ended up with nothing accomplished!
http://www.amazon.com/Fedora-Red-Ent...374365-3944727

I even tried -t -nat -A PREROUTING -i eth1....etc and also got the same error!

PS:
Squid is running fine.
http://freshmeat.net/articles/view/1433/
 
Old 11-12-2007, 04:10 AM   #9
saman (Member, Original Poster, Registered: Oct 2007, Posts: 49)
Quote:
Originally Posted by wanghao View Post
I'm sorry your problem is still there. Following your first post, the trouble appeared in the nat table,
so I tried on my host and it works well just like this:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
# the first time I followed yours it reported that "80 is a bad argument", so I modified it as you see.
Hope that this may help you! Good luck!
I got the same error as in post #4.
Possibly I missed something, hence this error just won't go away?
 
Old 11-12-2007, 06:27 AM   #10
Simon Bridge (LQ Guru, Registered: Oct 2003, Location: Waiheke NZ, Distribution: Ubuntu, Posts: 9,211)
OK, I'll check it myself:

$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
Bad argument `80'

Hmm... the following is error-free

~$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128

... it was a matter of getting the double-dashes in the right places.

What is it you expect that line to achieve btw?

What's with the amazon.com link?

Last edited by Simon Bridge; 11-12-2007 at 06:28 AM.
 
Old 11-14-2007, 05:59 AM   #11
saman (Member, Original Poster, Registered: Oct 2007, Posts: 49)
Quote:
Originally Posted by Simon Bridge View Post
OK, I'll check it myself:

$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.2:3128
Bad argument `80'

Hmm... the following is error-free

~$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128

... it was a matter of getting the double-dashes in the right places.

What is it you expect that line to achieve btw?

What's with the amazon.com link?
Sorry for the late reply..
/etc/sysconfig/iptables
-t nat -A -PREROUTING -i -eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
I ran it and got the same error as posted in #4:
"iptables-restore v1.2.11: line 25 seems to have a -t table option.

What I am trying to do is to route traffic from eth0 to eth1.
Here is the drawing:


Internet (ISP) <--(1)--> Prolink ADSL2+ modem /Router <--(2)--> Switch <--eth0-(3)--*--> mycomputer.com (server : DNS, DHCP, Squid, Radius (billing)) <--eth1-(4)--> SmartBridge airHaul Nexus 2.4 Ghz /home network (testing).

(1) DHCP from ISP
(2) Gateway (example 192.168.1.1 example IP:192.168.1.2)
(3) 8 port switch hub
(4) Wifi 802.11a/b/g
* (Clients (1) / home network for testing; browsing works fine)
**

What I am trying to do is to route traffic from eth1 to eth0 so that the SmartBridge/clients can browse the Internet.
At the moment the DNS server (mycomputer.com) still can't browse the internet, even though I have put a forwarder in named.conf.
I wonder why the connection from the switch to my computer can browse when I put in the ISP DNS IP address, but mycomputer can't.

amazon.com just refers to the book that I have been reading, nothing in particular.

If my explanation is not clear enough, please feel free to ask.
 
Old 11-14-2007, 09:46 AM   #12
Simon Bridge (LQ Guru, Registered: Oct 2003, Location: Waiheke NZ, Distribution: Ubuntu, Posts: 9,211)
Quote:
What I am trying to do is to route traffic from eth0 to eth1.
You don't seem to be going about it the right way.
You should be using masquerading or bridging for this.
I posted a link from way back taking you to a tutorial. Is there a reason neither of these techniques works for you?

Quote:
"iptables-restore v1.2.11: line 25 seems to have a -t table option.
... run the command from CLI like I did and see what happens.
 
Old 11-14-2007, 10:40 AM   #13
saman (Member, Original Poster, Registered: Oct 2007, Posts: 49)
Quote:
Originally Posted by Simon Bridge View Post
You don't seem to be going about it the right way.
You should be using masquerading or bridging for this.
I posted a link from way back taking you to a tutorial. Is there a reason neither of these techniques works for you?


... run the command from CLI like I did and see what happens.
CLI?

I think MASQUERADING is not best for this because it's for internet connections where the IP address is assigned dynamically (by the ISP). If I'm not mistaken, MASQUERADING would be used if mycomputer.com (Server) got its IP address from the ISP.
Meanwhile mycomputer.com uses a static IP address (eth0: 192.168.1.5) and the Prolink ADSL2+ does the routing. Hence I decided on SNAT for this implementation.

Please correct me if I am wrong!
 
Old 11-14-2007, 10:46 PM   #14
Simon Bridge (LQ Guru, Registered: Oct 2003, Location: Waiheke NZ, Distribution: Ubuntu, Posts: 9,211)
Quote:
Originally Posted by saman View Post
CLI?
http://acronyms.thefreedictionary.com/CLI
Command Line Interface - your fav. shell will do.

Quote:
I think MASQUERADING is not best for this because it's for internet connections where the IP address is assigned dynamically (by the ISP). If I'm not mistaken, MASQUERADING would be used if mycomputer.com (Server) got its IP address from the ISP.
Meanwhile mycomputer.com uses a static IP address (eth0: 192.168.1.5) and the Prolink ADSL2+ does the routing. Hence I decided on SNAT for this implementation.

Please correct me if I am wrong!
Hmmm... I thought it was for when the ISP-assigned (external) IP was via DHCP. You still use NAT to get packets to the correct internal host.

The bridging method produces a transparent gateway, which can also be used to provide a proxy, content protection, etc. It's very powerful, scalable, and flexible. So it's become a popular method. Suggest you look into it.

Basic NAT + IP Forwarding usually goes like this:
Code:
# Allow IP Forwarding and use NAT for outgoing connections.
# (Only use for dual homed host acting as an internet gateway.)
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -o $WEBFACE -j SNAT --to $WEBIP
Now, you didn't make any DROP policies so the second line is moot. But I don't see you enabling IP-Forwarding, which would be a problem.

If I've understood your setup, the nic that looks at the internet is eth0 (so WEBFACE=eth0), and the IP of this nic is 192.168.1.5 (so WEBIP=192.168.1.5). The only place you can now get errors is in mixing up the IPs and nics (or if your kernel doesn't support this... unusual, but it happens with custom kernels). I'm not about to mirror your setup here, so you'll have to figure that out yourself. The command is correct.

I still think that your lack of DROP policies suggests some confusion about what you are trying to do - especially as you have explicit ACCEPT rules in there. They're moot - with ACCEPT policies on all chains, you need to be explicitly DROPping undesirable packets. Security is easier with DROP policies... then you set up rules to accept desirable packets.

What you are trying to do looks a lot like what I was doing a while ago... I've dug up my old firewall script for reference. I used to use this as a point of departure.

Code:
#! /bin/bash
######################################################################
# sdb firewall: Simon Bridge 2005                                    #
# Updated 2006, 2007                                                 #
# based on the mdh firewall of Jon "maddog" Hall & Paul G Seary 2003 #
# (CC) Creative Commons Attribution Share-alike                      #
# Leave this header in place with the CC notice.                     #
######################################################################

# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# remove existing rules
iptables --flush
iptables -t nat --flush
iptables --delete-chain
iptables --zero

# Definitions
MYNET="192.168.2.0/24"
LANFACE="eth0"
WEBFACE="eth0"
WEBIP="192.168.0.0" # for a gateway
DNS01=""
DNS02=""
BCAST="192.168.255.255"
LOOPB="127.0.0.1/32"

ADDINP="iptables -A INPUT"
ADDOUT="iptables -A OUTPUT"
ADDFWD="iptables -A FORWARD"

### Kernel Parameters ###

# Uncomment to disable response to icmp ping requests.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance (write to each per-interface file).
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
   /bin/echo "0" > $interface
done

# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering (write to each per-interface file).
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   /bin/echo "1" > $interface
done

# Make sure that IP forwarding is turned off.
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

### Rules ###

# Set up a default DROP policy for the built-in chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### Explicit deny rules before the accept rules
# Prevent external packets from using loopback addr
$ADDINP   -i $WEBFACE -s $LOOPB -j DROP
#$ADDFWD -i $WEBFACE -s $LOOPB -j DROP
$ADDINP   -i $WEBFACE -d $LOOPB -j DROP
#$ADDFWD -i $WEBFACE -d $LOOPB -j DROP

### Explicit allow rules

# Allow traffic on the loopback interface.
$ADDINP  -i lo -j ACCEPT
$ADDOUT -o lo -j ACCEPT

# Allow SSH connections
$ADDINP -p tcp --dport 22 -j ACCEPT

# Allow only initiated traffic in
$ADDINP -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow access to Samba shares via the LAN
#$ADDINP -p udp -m udp -i $LANFACE --dport 137 -j ACCEPT
#$ADDINP -p udp -m udp -i $LANFACE --dport 138 -j ACCEPT
#$ADDINP -m state --state NEW -m tcp -p tcp -i $LANFACE --dport 139 -j ACCEPT
#$ADDINP -m state --state NEW -m tcp -p tcp -i $LANFACE --dport 445 -j ACCEPT

# Allow IP Forwarding and use NAT for outgoing connections.
# (Only use for dual homed host acting as an internet gateway.)
#/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
#iptables -P FORWARD ACCEPT
#iptables -t nat -A POSTROUTING -o $WEBFACE -j SNAT --to $WEBIP

# Allow network traffic through LAN
$ADDINP -i $LANFACE -s $MYNET -j ACCEPT

# Allow all traffic out
# Any other output rule should go /before/ this one
$ADDOUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Policy ACCEPT would work as well ... but I could add explicit rules
# here and comment out this line instead

Last edited by Simon Bridge; 11-14-2007 at 10:52 PM.
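Simon's point above is that an ACCEPT policy only matters if some rule on the path actually drops or rejects. The script below is an added example, not code from the thread or from either poster: it reads a saved ruleset (the iptables-save format that /etc/sysconfig/iptables uses) and reports, for each built-in filter chain, its policy and how many DROP/REJECT rules a packet can reach from it, following one level of user-defined chain. The sample ruleset is constructed, modelled on the OP's first file; it shows that INPUT and FORWARD do reach the REJECT at the end of RH-Firewall-1-INPUT, while OUTPUT has nothing behind its ACCEPT policy. It works on text only, so it needs neither root nor iptables.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved ruleset to see which
# built-in filter chains end in DROP/REJECT and which only fall through to
# their ACCEPT policy. Text only: no root, no iptables needed.

# Constructed sample modelled on the OP's first file (ACCEPT policies, all
# explicit rules in a user chain that ends with REJECT, nothing on OUTPUT).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# audit_policies: read restore-format text on stdin; print one line per
# built-in filter chain with its policy and the number of DROP/REJECT rules
# reachable from it (directly, or via one level of user-defined chain).
audit_policies() {
  awk '
    /^\*/ { table = $1; next }
    /^COMMIT/ { next }
    table != "*filter" { next }
    /^:/ { chain = substr($1, 2); policy[chain] = $2; next }
    $1 == "-A" {
      c = $2
      for (i = 3; i <= NF; i++) {
        if ($i != "-j" && $i != "--jump") continue
        t = $(i + 1)
        if (t == "DROP" || t == "REJECT") deny[c]++
        else if (t != "ACCEPT" && t != "RETURN" && t != "LOG") jumps[c] = jumps[c] " " t
      }
    }
    END {
      split("INPUT FORWARD OUTPUT", builtin, " ")
      for (k = 1; k <= 3; k++) {
        c = builtin[k]
        n = deny[c] + 0
        m = split(jumps[c], j, " ")
        for (x = 1; x <= m; x++) n += deny[j[x]] + 0
        line = c " policy=" policy[c] " deny_rules=" n
        if (policy[c] == "ACCEPT" && n == 0) line = line " (accepts everything)"
        print line
      }
    }
  '
}

# chain_summary: the audit line for one chain ($1) of the constructed sample.
chain_summary() {
  printf '%s\n' "$SAMPLE_RULES" | audit_policies | grep "^$1 "
}

printf '%s\n' "$SAMPLE_RULES" | audit_policies
```

On a real box, run `iptables-save | audit_policies` (or feed it /etc/sysconfig/iptables). A built-in chain reported as "accepts everything" is one where every explicit ACCEPT is redundant, which is the case Simon describes; once the policies are DROP, the same audit shows the explicit ACCEPT rules doing the real work.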
 
Old 11-15-2007, 11:23 AM   #15
saman (Member, Original Poster, Registered: Oct 2007, Posts: 49)
Quote:
Originally Posted by Simon Bridge View Post
(quoting saman: CLI?)
http://acronyms.thefreedictionary.com/CLI
Command Line Interface - your fav. shell will do.

Hmmm... I thought it was for when the ISP assigned (external) IP was via DHCP. You still use NAT to got packets to the correct internal host.

The bridging method produces a transparent gateway, which can also be used to provide a proxy, content protection, etc. It's very powerful, scaleable, and flexable. So it's become a popular method. Suggest you look into it.

Basic NAT + IP Forwarding usually goes like this:
Code:
# Allow IP Forwarding and use NAT for outgoing connections.
# (Only use for dual homed host acting as an internet gateway.)
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -o $WEBFACE -j SNAT --to $WEBIP
Now, you didn't make any DROP policies so the second line is moot. But I don't see you enabling IP-Forwarding, which would be a problem.

If I've understood your setup, the nic that looks at the internet is eth0 (so WEBFACE=eth0), and the IP of this nic is 192.168.1.5 (so WEBIP=192.168.1.5). The only place you can now get errors is in mixing up the IPs and nics (or if your kernel doesn't support this... unusual, but it happens with custom kernels). I'm not about to mirror your setup here, so you'll have to figure that out yourself. The command is correct.

I still think that your lack of DROP policies suggests some confusion about what you are trying to do - especially as you have explicit ACCEPT rules in there. They're moot - with ACCEPT policies on all chains, you need to be explicitly DROPping undesirable packets. Security is easier with DROP policies... then you set up rules to accept desirable packets.

What you are trying to do looks a lot like what I was doing a while ago... I've dug up my old firewall script for reference. I used to use this as a point of departure.

Code:
[firewall script from post #14, quoted verbatim, omitted here]
OK, since you recommended it, I decided to implement a DROP policy.

Below is the file:
---------------------------iptables-config--------------------

# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modules.conf.
IPTABLES_MODULES="ip_nat_ftp"

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

--------------end of iptables-config-------------------

IP forwarding is also enabled:
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

-----------------------here the iptables-----------------------

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
#*nat

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

##User defined chain for ACCEPTED TCP packet
-N mars
-A mars -p TCP --syn -j ACCEPT
-A mars -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A mars -p TCP -j DROP

## INPUT Chain rules
-A INPUT -p ALL -i eth1 -s 192.168.0.10/24 -j ACCEPT
-A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.0.10 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.1.5 -j ACCEPT
-A INPUT -p ALL -i lo -d 192.168.0.10 -j ACCEPT

## rULES FOR INCOMING PACKET FROM THE INTERNET

# PACKET FOR ESTABLISHED CONNECTIONS
-A INPUT -p ALL -d 192.168.1.5 -m state --state ESTABLISHED,RELATED -j ACCEPT

## TCP Rules
-A INPUT -p TCP -i eth0 --destination-port 21 -j mars
-A INPUT -p TCP -i eht0 --destination-port 22 -j mars
-A INPUT -p TCP -i eth0 --destination-port 80 -j mars
-A INPUT -p TCP -i eth0 --destination-port 113 -j mars

## UDP rules
-A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT

## FORWARD CHAIN RULES
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## OUTPUT CHAIN RULES
# ONLY OUTPUT PACKET WITH LOCAL ADDRESSES (NO SPOOFING)
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.0.10 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.1.5 -j ACCEPT

## POSTROUTING chain rules
-table nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5

COMMIT

---------------------end of iptables --------------------------

When I run it, I get the error:
Bad argument 'nat'
If I change 'nat' to -table NAT, I get the same error.

-t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
or
-t NAT -A ....etc
(iptables-restore v1.2.11: line 49 seems to have a -t table option [FAILED]

Where did I go wrong? Is there something I can improve to solve the problem?
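The thread stops here without resolving the two errors the OP keeps hitting, so as an added example (not code from the thread or from either poster) here is what they mean and a small lint that catches them before `service iptables restart`. /etc/sysconfig/iptables is read by iptables-restore, not by the iptables command: the table is selected by a `*nat` or `*filter` header line, each table block ends with its own `COMMIT`, and rule lines carry no table option at all, which is why any `-t`/`--table` on a rule line produces "seems to have a -t table option". The other error, "Bad argument 'nat'", comes from the single dash: `-table nat` is parsed as the short option `-t` with argument `able`, leaving `nat` as a stray argument, just as `-dport 80` left `80` stray in post #10. The script lints a constructed file modelled on the OP's and shows the same intent in valid restore syntax; the interfaces, addresses and port 3128 are the ones the thread uses, and the single-dash check is a heuristic (any `-xyz` token is flagged), so iptables-restore remains the final judge.

```shell
#!/bin/sh
# Added example, not from the thread: a small lint for iptables-restore files
# (the format of /etc/sysconfig/iptables), catching the mistakes made above.
# Works on text only, so it can run without root and without iptables installed.

# Constructed input modelled on the OP's file: a rule with single-dash long
# options and a "-table nat" selector sitting inside the *filter section.
BROKEN_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-table nat -A PREROUTING -i eth1 -p tcp -dport 80 -j REDIRECT -to-port 3128
COMMIT'

# The same intent in valid restore syntax: one "*table ... COMMIT" block per
# table, no -t on any rule line, two dashes on every long option. eth1 is the
# LAN/WiFi side and eth0 the uplink, as in the thread; squid is assumed to
# listen locally on 3128 (the OP's own REDIRECT line implies this).
FIXED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# lint_rules: read restore-format text on stdin, print one finding per line.
lint_rules() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                 # comments, blank lines
    /^\*/ { table = $1; next }                    # *filter, *nat, ...
    /^COMMIT/ { committed = 1; next }
    /^:/ { next }                                 # chain policy lines
    {
      if (table == "") print "line " NR ": rule appears before any *table header"
      for (i = 1; i <= NF; i++) {
        f = $i
        if (f == "-t" || f == "--table" || f == "-table")
          print "line " NR ": " f " " $(i + 1) " is not valid inside a restore file; put the rule under a *" $(i + 1) " section"
        else if (f ~ /^-[A-Za-z][A-Za-z-]+$/)
          print "line " NR ": single-dash long option " f " (iptables expects -" f ")"
        else if ((f == "-A" || f == "-I") && table == "*filter" && $(i + 1) ~ /^(PREROUTING|POSTROUTING)$/)
          print "line " NR ": chain " $(i + 1) " does not exist in the filter table"
      }
    }
    END { if (!committed) print "line " NR ": missing COMMIT" }
  '
}

# finding_count: number of lint findings for the text passed as $1.
finding_count() {
  printf '%s\n' "$1" | lint_rules | wc -l | tr -d ' '
}

printf 'Broken file:\n'
printf '%s\n' "$BROKEN_RULES" | lint_rules
printf 'Fixed file: %s finding(s)\n' "$(finding_count "$FIXED_RULES")"
```

To check a real file, run `lint_rules < /etc/sysconfig/iptables` before restarting the service; newer iptables releases also offer `iptables-restore --test`, which parses the file without committing it. The one-table-per-block layout is also why the OP's `-A PREROUTING` lines could never work under `*filter`: PREROUTING and POSTROUTING exist only in the nat (and mangle) tables, so they need their own `*nat` block.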
 
  

