Hi guys,
I'm currently using an old Celeron machine with a Linux base system (Ubuntu/Debian) installed, in which I have a USB 3G modem and an Atheros wireless card installed.
Along with this I have Squid installed on the machine and have iptables rules in place for transparent proxying.
This machine connects automatically to the 3G service and shares it via wireless, and uses Squid to cache and also block certain web content.
I am currently trying to port forward from the WAN to an IP on the LAN and so far it is not working at all.
Also, the syslog log of the rejected packets doesn't make sense.
This is the iptables script I have in place (and it works fine for everything else except port forwarding):
Code:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
# Delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
## Firewall logndrop & lognrej
iptables -N logndrop
iptables -A logndrop -j LOG --log-prefix "IN: "
iptables -A logndrop -j DROP
iptables -N lognrej
iptables -A lognrej -j LOG --log-prefix "IN: "
iptables -A lognrej -j REJECT
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Block all outgoing TCP and UDP ports
iptables -I FORWARD -o ppp0 -p tcp -j lognrej
iptables -I FORWARD -o ppp0 -p udp -j lognrej
# Allow established connections and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A FORWARD -i br0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block access to all ports except those allowed:
iptables -I FORWARD -o ppp0 -p tcp -m multiport --dports 22,23,24,443,1863 -j ACCEPT
iptables -I FORWARD -o ppp0 -p udp -m multiport --dports 53,123,5060,17020:17030 -j ACCEPT
# Allow outgoing connections from LAN
iptables -A FORWARD -i ppp0 -o br0 -j ACCEPT
# Masquerade
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## SSH (port 24) to laptop
iptables -t nat -A PREROUTING -p tcp -i ppp0 -d <WANIP> --dport 24 -j DNAT --to 192.168.3.4:24
iptables -A FORWARD -p tcp -i ppp0 -o br0 -d 192.168.3.4 --dport 24 -j ACCEPT
# Squid Transparent Cache
iptables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
# Dont forward from the outside to the inside
#ptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
## Disable ping request incoming on WAN
iptables -A INPUT -i ppp0 -p icmp -m state --state NEW -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -j logndrop
iptables -A INPUT -i ppp0 -p udp -j logndrop
echo 1 > /proc/sys/net/ipv4/ip_forward
When putting this in place and testing a connection (from another WAN connection to TCP port 24), it gives the following syslog output:
Jun 15 03:50:03 ares kernel: [807508.564585] IN: IN=br0 OUT=ppp0 PHYSIN=wlan0 SRC=192.168.3.4 DST=220.233.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=24 DPT=58186 WINDOW=5792 RES=0x00 ACK SYN URGP=0
---
I have been thinking of using iptables-restore instead of my above script, but for the most part it has been working fine.
Can someone please take a look and tell me what rules I need to add/change/delete to allow the port forwarding to work?
Also, if someone could give me any advice on some better rules to use (e.g. specifying default rules of DROP and then ACCEPTing what I need).
Thanks.
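As an added illustration (not part of the poster's script or of any reply in the thread), the following Python model walks the FORWARD chain in the order the script actually builds it: `-I` inserts at the head of the chain and `-A` appends at the tail, so the two `lognrej` rules from the "Block all outgoing TCP and UDP ports" section end up ahead of the `ESTABLISHED,RELATED` accept for br0 to ppp0. Fed a packet constructed from the logged line (IN=br0 OUT=ppp0 SPT=24 DPT=58186, i.e. the laptop's reply to the forwarded connection), it shows which rule that reply hits, and since the `lognrej` chain logs every hit with the same `IN: ` prefix, why the message reads as inbound. The `conntrack_first` ordering is my assumption of an alternative arrangement, not something from the page, and the matcher is simplified to the fields the script uses.

```python
"""Simulate how netfilter walks the FORWARD chain built by the script above.

Added illustration, not the poster's code. It models only the matches the
script uses (interfaces, protocol, destination port, conntrack state) and
first-match semantics. Rule order reproduces the script: -I puts a rule at
the head of the chain, -A appends to the tail.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[Set[int]] = None
    states: Optional[Set[str]] = None


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str
    dport: int
    state: str  # conntrack state: NEW, ESTABLISHED or RELATED


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every match it specifies agrees with the packet."""
    return ((rule.in_if is None or rule.in_if == pkt.in_if)
            and (rule.out_if is None or rule.out_if == pkt.out_if)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dports is None or pkt.dport in rule.dports)
            and (rule.states is None or pkt.state in rule.states))


class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.rules = []
        self.policy = policy  # verdict when no rule matches (iptables -P)

    def insert(self, rule: Rule) -> None:  # iptables -I CHAIN: head
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:  # iptables -A CHAIN: tail
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule wins; otherwise fall through to the policy."""
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.target
        return self.policy


def build_forward_chain(conntrack_first: bool = False) -> Chain:
    """Build FORWARD in the same order as the script issues its commands.

    conntrack_first=True is an assumed alternative ordering (not something
    the poster tried): the ESTABLISHED,RELATED accept is inserted at the head
    after the lognrej rules, so it is evaluated before them.
    """
    ch = Chain()
    ch.insert(Rule("lognrej", out_if="ppp0", proto="tcp"))
    ch.insert(Rule("lognrej", out_if="ppp0", proto="udp"))
    established = Rule("ACCEPT", in_if="br0", out_if="ppp0",
                       states={"ESTABLISHED", "RELATED"})
    if conntrack_first:
        ch.insert(established)
    else:
        ch.append(established)  # the script appends it, behind the lognrej rules
    ch.insert(Rule("ACCEPT", out_if="ppp0", proto="tcp",
                   dports={22, 23, 24, 443, 1863}))
    ch.insert(Rule("ACCEPT", out_if="ppp0", proto="udp",
                   dports={53, 123, 5060, *range(17020, 17031)}))
    ch.append(Rule("ACCEPT", in_if="ppp0", out_if="br0"))
    ch.append(Rule("ACCEPT", in_if="ppp0", out_if="br0", proto="tcp",
                   dports={24}))
    return ch


# Constructed packets. REPLY is built from the syslog line in the post: the
# laptop's SYN/ACK (SPT=24 -> DPT=58186) leaving via ppp0 after arriving on br0.
REPLY = Packet("br0", "ppp0", "tcp", 58186, "ESTABLISHED")
INBOUND_SYN = Packet("ppp0", "br0", "tcp", 24, "NEW")        # after DNAT
OUTBOUND_HTTPS = Packet("br0", "ppp0", "tcp", 443, "NEW")    # allowed port
OUTBOUND_BLOCKED = Packet("br0", "ppp0", "tcp", 6667, "NEW")  # not allowed


def verdicts(conntrack_first: bool = False) -> dict:
    ch = build_forward_chain(conntrack_first)
    return {name: ch.verdict(p) for name, p in [
        ("inbound_syn", INBOUND_SYN), ("reply", REPLY),
        ("outbound_https", OUTBOUND_HTTPS), ("outbound_blocked", OUTBOUND_BLOCKED)]}


if __name__ == "__main__":
    print("script order:        ", verdicts(False))
    print("conntrack accept first:", verdicts(True))
```

In the script's order the reply is handed to `lognrej` (logged with the `IN: ` prefix and rejected) before the `ESTABLISHED,RELATED` rule is ever reached, while new outbound connections to allowed ports and the DNATed inbound SYN are accepted either way. The `policy` argument of `Chain` is where a default-DROP design would go: with `-P FORWARD DROP`, only explicit ACCEPT rules let traffic through.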