Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 06-14-2010, 01:05 PM   #1
Registered: Nov 2007
Location: Newcastle, Australia
Distribution: Ubuntu, Debian, Arch
Posts: 53

Rep: Reputation: 15
Angry linux + iptables + port forwarding

Hi guys,

I'm currently using an old celeron machine with linux base system (ubuntu/debian) installed that i have a USB 3G modem and atheros wireless card installed in.

Along with this i have squid installed on the machine and have iptables rules in place for transparent proxying.

This machine connects automatically to the 3G service and shares it via wireless and uses squid to cache and also blocked certain web content.

I am currently trying to port forward from the WAN to an IP on the LAN and so far, it is not working at all.

Also, the syslog log of the rejected packets doesn't make sense.

This is my iptables script i have in place (and works fine for everything else except port forwarding):

# Delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

## Firewall logndrop & lognrej
iptables -N logndrop
iptables -A logndrop -j LOG --log-prefix "IN: "
iptables -A logndrop -j DROP
iptables -N lognrej
iptables -A lognrej -j LOG --log-prefix "IN: "
iptables -A lognrej -j REJECT

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Block all outgoing TCP and UDP ports
iptables -I FORWARD -o ppp0 -p tcp -j lognrej
iptables -I FORWARD -o ppp0 -p udp -j lognrej

# Allow established connections and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A FORWARD -i br0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block access to all ports except those allowed:
iptables -I FORWARD -o ppp0 -p tcp -m multiport --dports 22,23,24,443,1863 -j ACCEPT
iptables -I FORWARD -o ppp0 -p udp -m multiport --dports 53,123,5060,17020:17030 -j ACCEPT
# Allow outgoing connections from LAN
iptables -A FORWARD -i ppp0 -o br0 -j ACCEPT

# Masquerade
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## SSH (port 24) to laptop
iptables -t nat -A PREROUTING -p tcp -i ppp0 -d <WANIP> --dport 24 -j DNAT --to
iptables -A FORWARD -p tcp -i ppp0 -o br0 -d --dport 24 -j ACCEPT

# Squid Transparent Cache
iptables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
# Dont forward from the outside to the inside
#ptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

## Disable ping request incoming on WAN
iptables -A INPUT -i ppp0 -p icmp -m state --state NEW -j DROP

iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -i ppp0 -p tcp -j logndrop
iptables -A INPUT -i ppp0 -p udp -j logndrop

echo 1 > /proc/sys/net/ipv4/ip_forward
When putting this in place and testing a connection (from another WAN connection to TCP port 24, it gives the following syslog output:

Jun 15 03:50:03 ares kernel: [807508.564585] IN: IN=br0 OUT=ppp0 PHYSIN=wlan0 SRC= DST=220.233.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=24 DPT=58186 WINDOW=5792 RES=0x00 ACK SYN URGP=0


I have been thinking of using iptables-restore instead of my above script, but for the most part is has been working fine.

Can someone please take a look and tell me what rules i need to add/change/delete to allow the port forwarding to work.

Also if someone could give me any advice on some better rules to use (eg. specifing default rules of DROP and then ACCEPT'ing what i need)

Old 06-14-2010, 08:08 PM   #2
Registered: May 2006
Location: Greece, Thessaloniki
Distribution: FEDORA
Posts: 37

Rep: Reputation: 16
try this...
Old 06-14-2010, 09:47 PM   #3
Registered: Nov 2007
Location: Newcastle, Australia
Distribution: Ubuntu, Debian, Arch
Posts: 53

Original Poster
Rep: Reputation: 15
Originally Posted by trelamenos View Post
try this...
I already have squid and transparent proxying (with applicable iptables rules) working fine.

My question is to port forwarding.

Thanks for your input though.
Old 06-16-2010, 05:18 AM   #4
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781
I think you have a lot more rules in there than you really need and that something is causing a rule conflict. Please post the output of iptables -L, to list the rules that are executing and in what order. With IPtables, order is important. Consider starting with a clean slate. If your rules are saved and loaded at reboot, you can temporarily clear things with an iptables -F command.

Here is what I am currently using on one of my servers:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

One thing to keep in mind is that most services will be off by default and while it may be safer to strictly prohibit them, it may not be necessary. For example, by default the server won't respond to pings, but I enabled it with the second to last line.

I said that order is important because the last line in my script is to drop the traffic. This causes all traffic that has not been explicitly allowed ABOVE that rule to be dropped. In order to perform the port routing to an internal server you will need to do a couple of things:

1 - open the port if you specifically disabled ports, like I did above
2 - configure the forwarding in iptables. You have -t nat -A POSTROUTING -o ppp0 -j MASQUERADE. This is a generic way to blanket translate connections to internal IP addresses. It may be too generic for your purposes. Try something along the lines of: iptables -t nat -I PREROUTING -d <wanip> -j DNAT --to <lanip>
iptables -t nat -I POSTROUTING -s <lanip> -j SNAT --to <wanip>
3 - enable ipv4forwarding, which you did.


firewall, forwarding, iptables, port, router

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables - port forwarding to blocked port? spangberg Linux - Networking 2 03-26-2010 04:48 AM
IPCHAINS port forwarding and IPTABLES port forwarding ediestajr Linux - Networking 26 01-14-2007 07:35 PM
iptables and port forwarding cs.cracker Linux - Networking 5 09-02-2006 01:03 PM
iptables port forwarding hawk4eye Linux - Security 2 02-07-2003 04:47 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:10 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration