linux + iptables + port forwarding

morphix · 06-14-2010, 01:05 PM

Hi guys,

I'm currently using an old celeron machine with linux base system (ubuntu/debian) installed that i have a USB 3G modem and atheros wireless card installed in.

Along with this i have squid installed on the machine and have iptables rules in place for transparent proxying.

This machine connects automatically to the 3G service and shares it via wireless and uses squid to cache and also blocked certain web content.

I am currently trying to port forward from the WAN to an IP on the LAN and so far, it is not working at all.

Also, the syslog log of the rejected packets doesn't make sense.

This is my iptables script i have in place (and works fine for everything else except port forwarding):

Code:

#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin

# Delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

## Firewall logndrop & lognrej
iptables -N logndrop
iptables -A logndrop -j LOG --log-prefix "IN: "
iptables -A logndrop -j DROP
iptables -N lognrej
iptables -A lognrej -j LOG --log-prefix "IN: "
iptables -A lognrej -j REJECT

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Block all outgoing TCP and UDP ports
iptables -I FORWARD -o ppp0 -p tcp -j lognrej
iptables -I FORWARD -o ppp0 -p udp -j lognrej

# Allow established connections and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A FORWARD -i br0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block access to all ports except those allowed:
iptables -I FORWARD -o ppp0 -p tcp -m multiport --dports 22,23,24,443,1863 -j ACCEPT
iptables -I FORWARD -o ppp0 -p udp -m multiport --dports 53,123,5060,17020:17030 -j ACCEPT
# Allow outgoing connections from LAN
iptables -A FORWARD -i ppp0 -o br0 -j ACCEPT

# Masquerade
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## SSH (port 24) to laptop
iptables -t nat -A PREROUTING -p tcp -i ppp0 -d <WANIP> --dport 24 -j DNAT --to 192.168.3.4:24
iptables -A FORWARD -p tcp -i ppp0 -o br0 -d 192.168.3.4 --dport 24 -j ACCEPT

# Squid Transparent Cache
iptables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
# Dont forward from the outside to the inside
#ptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

## Disable ping request incoming on WAN
iptables -A INPUT -i ppp0 -p icmp -m state --state NEW -j DROP

iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -i ppp0 -p tcp -j logndrop
iptables -A INPUT -i ppp0 -p udp -j logndrop

echo 1 > /proc/sys/net/ipv4/ip_forward

When putting this in place and testing a connection (from another WAN connection to TCP port 24, it gives the following syslog output:

Jun 15 03:50:03 ares kernel: [807508.564585] IN: IN=br0 OUT=ppp0 PHYSIN=wlan0 SRC=192.168.3.4 DST=220.233.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=24 DPT=58186 WINDOW=5792 RES=0x00 ACK SYN URGP=0

---

I have been thinking of using iptables-restore instead of my above script, but for the most part is has been working fine.

Can someone please take a look and tell me what rules i need to add/change/delete to allow the port forwarding to work.

Also if someone could give me any advice on some better rules to use (eg. specifing default rules of DROP and then ACCEPT'ing what i need)

Thanks.

trelamenos · 06-14-2010, 08:08 PM

try this...

morphix · 06-14-2010, 09:47 PM

Quote:

Originally Posted by trelamenos

try this...

I already have squid and transparent proxying (with applicable iptables rules) working fine.

My question is to port forwarding.

Thanks for your input though.

Noway2 · 06-16-2010, 05:18 AM

I think you have a lot more rules in there than you really need and that something is causing a rule conflict. Please post the output of iptables -L, to list the rules that are executing and in what order. With IPtables, order is important. Consider starting with a clean slate. If your rules are saved and loaded at reboot, you can temporarily clear things with an iptables -F command.

Here is what I am currently using on one of my servers:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 96.10.215.210/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP

One thing to keep in mind is that most services will be off by default and while it may be safer to strictly prohibit them, it may not be necessary. For example, by default the server won't respond to pings, but I enabled it with the second to last line.

I said that order is important because the last line in my script is to drop the traffic. This causes all traffic that has not been explicitly allowed ABOVE that rule to be dropped. In order to perform the port routing to an internal server you will need to do a couple of things:

1 - open the port if you specifically disabled ports, like I did above
2 - configure the forwarding in iptables. You have -t nat -A POSTROUTING -o ppp0 -j MASQUERADE. This is a generic way to blanket translate connections to internal IP addresses. It may be too generic for your purposes. Try something along the lines of: iptables -t nat -I PREROUTING -d <wanip> -j DNAT --to <lanip>
iptables -t nat -I POSTROUTING -s <lanip> -j SNAT --to <wanip>
3 - enable ipv4forwarding, which you did.