LinuxQuestions.org > Linux - Newbie > Nat Question
https://www.linuxquestions.org/questions/linux-newbie-8/nat-question-728204/

keyboard1973 05-24-2009 01:28 PM

Nat Question
 
Hello,

I am running Linux version 2.6.18-92.1.22.el5xen (mockbuild@builder16.centos.org) (gcc version 4.1.2 20071124 (Red Hat 4.1.2-42)) with 2 network interface cards set up as a Linux NAT. My LAN is working fine; all boxes can hit the internet and each other fine. The only issue I am having is that the NAT box can't get out to the internet: I can ping google.com fine, but I can't resolve anything. I have tried to load Google with links, which stops at "making connection". I checked my resolv.conf; it is the same as on all the other boxes on my network, which get out fine. This is leading me to believe I am missing a configuration in iptables.

Here is my iptables configuration:

# Generated by iptables-save v1.3.5 on Wed Jan 7 03:53:36 2009
*nat
:PREROUTING ACCEPT [41:3406]
:POSTROUTING ACCEPT [62:3180]
:OUTPUT ACCEPT [17:1020]
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 200 -j DNAT --to-destination 192.168.2.101:22
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.2.101:3389
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.101:80
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.2.151:8000
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.2.151:5900
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.2.101:5901
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.2.101:8080
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jan 7 03:53:36 2009
# Generated by iptables-save v1.3.5 on Wed Jan 7 03:53:36 2009
*filter
:INPUT ACCEPT [1455:126056]
:FORWARD ACCEPT [897:157706]
:OUTPUT ACCEPT [17:1020]
-A INPUT -i eth0 -p tcp -j DROP
#-A INPUT -p udp -m udp --dport 123 -j ACCEPT
##-A FORWARD --in-interface eth1 -j ACCEPT
##-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
##A FORWARD -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
##A FORWARD -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
##A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
##A FORWARD -d 192.168.2.151 -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
##A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
##-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
COMMIT

Any help and suggestions would be appreciated.

Thanks again

janhe 05-24-2009 01:44 PM

You drop all TCP connections that come in through eth0.
You should at least allow related and established connections.
I used this command to make that happen on my box:
Code:

iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
I don't know how to configure the firewall on Red Hat, but you probably do ;-)

Another remark: your firewall seems to let through everything except TCP. I would recommend dropping all traffic except related connections and some services, especially on the internet interface.

keyboard1973 05-24-2009 02:46 PM

Fixed
 
Hello,

That rule did the trick. I have to read more about the input rules on the firewall. If I allow input for the services I would like, which reflect the open ports, then add a rule to drop all others at the end, iptables will only allow services on those ports, correct? Or am I looking at this wrong?

Thanks again.

janhe 05-24-2009 03:17 PM

Quote:

Originally Posted by keyboard1973 (Post 3551308)
Hello,

That rule did the trick. I have to read more about the input rules on the firewall. If I allow input for the services I would like, which reflect the open ports, then add a rule to drop all others at the end, iptables will only allow services on those ports, correct? Or am I looking at this wrong?

Thanks again.

The firewall rules are processed from top to bottom.
Each packet is compared to the rules. If it matches, it is sent to the target that belongs to that rule. Once they are sent to a DROP or to an ACCEPT target, they are dropped directly, and no more rules will be compared to them.

So basically you create accept rules for each port on which you have a service running.
The last rule is to drop all packets.

That way only the packets for the ports that you have opened are allowed.

I think this is what you said, but I'm not sure.

keyboard1973 05-24-2009 03:27 PM

Connection dropped
 
Hello,

I set up my list of input rules in my firewall and I put -A INPUT -j DROP at the very end of the config, which dropped my SSH connection after I restarted iptables, and I could not SSH back in. I want to drop everything else except for what I specified with my input rules.

Thanks again

janhe 05-24-2009 04:25 PM

Do you have a rule that looks like this one somewhere?
Code:

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

keyboard1973 05-24-2009 04:28 PM

Input Rules
 
Hello,

Here is what I have for input rules so far.

:INPUT ACCEPT [5868:1133049]
:FORWARD ACCEPT [119558:154645241]
:OUTPUT ACCEPT [295:18153]
#-A INPUT -i eth0 -p tcp -j DROP
#-A INPUT -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT

Thank you

Keith

janhe 05-25-2009 01:49 AM

Try allowing related and established connections for all interfaces, not just eth0.
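As an added example (not code from this thread), the following Python models janhe's description of top-to-bottom, first-match rule processing and shows why the poster's RELATED,ESTABLISHED rule limited to eth0 lets the first SSH packet in but drops the rest of the session once a final DROP is appended. It assumes the admin's SSH reaches the box on eth1, the LAN side, which the thread does not state; the rule text is the poster's, trimmed.

```python
import shlex
# Added example, not code from the thread: a toy model of iptables walking the
# INPUT chain top to bottom, the first matching rule's target deciding.
def parse_rule(line):
    tok, rule, i = shlex.split(line), {}, 0
    while i < len(tok):
        t = tok[i]
        if t == "-i":
            rule["iface"] = tok[i + 1]
        elif t == "-p":
            rule["proto"] = tok[i + 1]
        elif t == "--dport":
            rule["dport"] = int(tok[i + 1])
        elif t == "--state":
            rule["state"] = set(tok[i + 1].split(","))
        elif t == "-j":
            rule["target"] = tok[i + 1]
        else:               # -A INPUT, -m tcp, -m state: no match condition
            i += 1
            continue
        i += 2
    return rule

def matches(rule, pkt):
    for key in ("iface", "proto", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    return "state" not in rule or pkt["state"] in rule["state"]

def walk_chain(rules, pkt, policy="ACCEPT"):
    """First match wins; the bare '-A INPUT -j DROP' matches every packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# The poster's INPUT rules (trimmed) plus the trailing DROP that locked him out.
POSTED_RULES = [parse_rule(l) for l in """
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -j DROP
""".splitlines() if l.strip()]
# janhe's fix: the RELATED,ESTABLISHED rule without the '-i eth0' match.
FIXED_RULES = [{k: v for k, v in r.items() if k != "iface"} for r in POSTED_RULES]
def ssh_session_verdicts(rules, iface="eth1"):
    """Verdicts for an SSH SYN and for a later packet of that session. Assumes the
    admin's SSH arrives on the LAN side, eth1 (the thread does not say)."""
    syn = {"iface": iface, "proto": "tcp", "dport": 22, "state": "NEW"}
    return walk_chain(rules, syn), walk_chain(rules, dict(syn, state="ESTABLISHED"))
```

With the posted rules the SYN is accepted but the next packet of the same session hits the final DROP; once the interface match is removed from the state rule, the whole session is accepted on any interface.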
