Nat Question
Hello,
I am running Linux version 2.6.18-92.1.22.el5xen (mockbuild@builder16.centos.org) (gcc version 4.1.2 20071124 (Red Hat 4.1.2-42)) with 2 network interface cards set up as a Linux NAT. My LAN is working fine; all boxes can hit the internet, and each other, fine. The only issue I am having is that the NAT box can't get out to the internet: I can ping google.com fine, but I can't resolve anything. I have tried to load google with links, which stops at making connection. I checked my resolv.conf; it is the same as all the other boxes on my network, which get out fine. This is leading me to believe I am missing a configuration in iptables. Here is my iptables:
Code:
# Generated by iptables-save v1.3.5 on Wed Jan 7 03:53:36 2009
*nat
:PREROUTING ACCEPT [41:3406]
:POSTROUTING ACCEPT [62:3180]
:OUTPUT ACCEPT [17:1020]
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 200 -j DNAT --to-destination 192.168.2.101:22
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.2.101:3389
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.101:80
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.2.151:8000
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.2.151:5900
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.2.101:5901
-A PREROUTING -d 76.180.209.213 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.2.101:8080
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jan 7 03:53:36 2009
# Generated by iptables-save v1.3.5 on Wed Jan 7 03:53:36 2009
*filter
:INPUT ACCEPT [1455:126056]
:FORWARD ACCEPT [897:157706]
:OUTPUT ACCEPT [17:1020]
-A INPUT -i eth0 -p tcp -j DROP
#-A INPUT -p udp -m udp --dport 123 -j ACCEPT
##-A FORWARD --in-interface eth1 -j ACCEPT
##-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
##A FORWARD -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
##A FORWARD -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
##A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
##A FORWARD -d 192.168.2.151 -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
##A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#A FORWARD -d 192.168.2.101 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
##-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
COMMIT
Any help and suggestions would be appreciated. Thanks again |
You drop all TCP connections that come through eth0.
You should at least allow related and established connections. I used this command to make that happen on my box:
Code:
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Another remark: your firewall seems to let through everything except TCP. I would recommend dropping all traffic except related connections and some services, especially on the internet interface. |
Fixed
Hello,
That rule did the trick. I have to read more about the INPUT rules on the firewall. If I allow input for the services I would like, which reflect the open ports, then add a rule to drop all others at the end, iptables will only allow services on those ports, correct? Or am I looking at this wrong? Thanks again. |
Each packet is compared to the rules. If it matches, it is sent to the target that belongs to that rule. Once they are sent to a DROP or to an ACCEPT target, they are dropped directly, and no more rules will be compared to them. So basically you create ACCEPT rules for each port on which you have a service running. The last rule is to drop all packets. That way only the packets for the ports that you have opened are allowed. I think this is what you said, but I'm not sure. |
Connection dropped
Hello,
I set up my list of INPUT rules in my firewall and I put -A INPUT -j DROP at the very end of the config, which dropped my SSH connection after I restarted iptables, and I could not SSH back in. I want to drop everything else except for what I specified with my INPUT rules. Thanks again |
Do you have a rule that looks like this one somewhere?
Code:
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT |
Input Rules
Hello,
Here is what I have for input rules so far.
Code:
:INPUT ACCEPT [5868:1133049]
:FORWARD ACCEPT [119558:154645241]
:OUTPUT ACCEPT [295:18153]
#-A INPUT -i eth0 -p tcp -j DROP
#-A INPUT -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT
Thank you Keith |
Try allowing related and established connections for all interfaces, not just eth0.
|
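The first-match behaviour described in the thread (a packet walks the chain top to bottom and the first ACCEPT or DROP it hits is final) explains both problems discussed above: the lone "-A INPUT -i eth0 -p tcp -j DROP" in the first post, and the SSH lockout after "-A INPUT -j DROP" was appended to rules whose RELATED,ESTABLISHED ACCEPT only covered eth0. The following simulator is an added example written for this page; it is not code from any poster or from iptables itself. It parses only the subset of iptables-save syntax the thread's rules use (-i, -p, --dport, -m state --state, -j ACCEPT/DROP), models a single INPUT chain with its policy, and feeds it constructed packets that mirror the two situations: a reply from the internet to a connection the NAT box opened, and an SSH session arriving from the LAN side on eth1. Interface names and packet fields are assumptions chosen to match the thread.

```python
"""First-match simulator for an iptables INPUT chain (added example, not thread code)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    target: str                        # ACCEPT or DROP (-j)
    in_iface: Optional[str] = None     # -i
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    states: Optional[Set[str]] = None  # -m state --state A,B

    def matches(self, pkt: Dict) -> bool:
        """Every match given on the rule must hold; a match left unset is a wildcard."""
        return (
            (self.in_iface is None or pkt["in"] == self.in_iface)
            and (self.proto is None or pkt["proto"] == self.proto)
            and (self.dport is None or pkt.get("dport") == self.dport)
            and (self.states is None or pkt["state"] in self.states)
        )


def parse_rule(line: str) -> Rule:
    """Parse one '-A INPUT ...' line in the subset of iptables-save syntax used in the thread."""
    toks = shlex.split(line)
    target = None
    kw: Dict = {}
    i = 0
    while i < len(toks):
        t, arg = toks[i], toks[i + 1]   # every supported token takes exactly one argument
        if t in ("-A", "-m"):
            pass                        # chain name / match-extension loader: no effect here
        elif t == "-i":
            kw["in_iface"] = arg
        elif t == "-p":
            kw["proto"] = arg
        elif t == "--dport":
            kw["dport"] = int(arg)
        elif t == "--state":
            kw["states"] = set(arg.split(","))
        elif t == "-j":
            target = arg
        else:
            raise ValueError(f"unsupported match {t!r} in {line!r}")
        i += 2
    if target not in ("ACCEPT", "DROP"):
        raise ValueError(f"rule needs -j ACCEPT or -j DROP: {line!r}")
    return Rule(target=target, **kw)


def build_chain(text: str) -> List[Rule]:
    """Build a chain from iptables-save style text, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def evaluate(chain: List[Rule], pkt: Dict, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (verdict, index of the deciding rule), or (policy, None) if nothing matched."""
    for idx, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, idx
    return policy, None


# Situation 1: the first post's lone DROP, then the same DROP with the stateful ACCEPT before it.
ORIGINAL_CHAIN = build_chain("-A INPUT -i eth0 -p tcp -j DROP")
STATEFUL_FIRST_CHAIN = build_chain("""
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j DROP
""")

# Situation 2: Keith's rules (two of them, for brevity) plus the trailing DROP that locked him out,
# and the same chain with the stateful rule applied to every interface, as the last reply suggests.
LOCKOUT_CHAIN = build_chain("""
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
-A INPUT -j DROP
""")
FIXED_CHAIN = build_chain("""
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
-A INPUT -j DROP
""")

# Constructed packets (assumed interface names). Conntrack marks only the opening packet of a
# connection NEW; the reply to a connection the box opened, and everything after the handshake,
# is ESTABLISHED, so those packets never match a '--state NEW --dport 22' rule.
HTTP_REPLY_FROM_INTERNET = {"in": "eth0", "proto": "tcp", "dport": 40123, "state": "ESTABLISHED"}
SSH_SYN_FROM_LAN = {"in": "eth1", "proto": "tcp", "dport": 22, "state": "NEW"}
SSH_DATA_FROM_LAN = {"in": "eth1", "proto": "tcp", "dport": 22, "state": "ESTABLISHED"}

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_CHAIN), ("stateful-first", STATEFUL_FIRST_CHAIN)):
        print(f"{name:15} http reply -> {evaluate(chain, HTTP_REPLY_FROM_INTERNET)}")
    for name, chain in (("lockout", LOCKOUT_CHAIN), ("fixed", FIXED_CHAIN)):
        print(f"{name:15} ssh syn -> {evaluate(chain, SSH_SYN_FROM_LAN)}, "
              f"ssh data -> {evaluate(chain, SSH_DATA_FROM_LAN)}")
```

Running it shows the two verdicts that matter: in LOCKOUT_CHAIN the SSH SYN from eth1 is accepted by the port-22 rule, but every later packet of that session is ESTABLISHED, fails the eth0-only stateful rule, and falls through to the final DROP, which is exactly the lockout reported above; in FIXED_CHAIN the same packet is accepted by the first rule. Because the first match wins, the RELATED,ESTABLISHED ACCEPT has to sit above any DROP it is meant to override, which is why "-A" (append) only helps when the DROP is not already in the chain.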