Another iptables issue
OK, I'm trying to set up my iptables but I'm coming across a few difficulties. The configuration I'm looking for is to allow everything on ports 22, 80, 81, and 443 to come in from my outside device (eth0) and then back out to my internal network (eth1), without the firewall box itself accepting any connections. I've included the script below to show you what I've been messing with. As you can tell, I've been using LinWiz a little to assist me.
Any help would be GREATLY appreciated. Thanks, Shadowvyce
Script:
LAN_IP_NET='321.3.2.1/24'
LAN_NIC='eth1'
WAN_IP='123.1.2.3'
WAN_NIC='eth0'
# FORWARD_IP='321.3.2.3'
IPTABLES=/sbin/iptables

# Flush
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F OUTPUT
$IPTABLES -F INPUT; $IPTABLES -P INPUT DROP; $IPTABLES -Z INPUT
$IPTABLES -F FORWARD; $IPTABLES -P FORWARD DROP; $IPTABLES -Z FORWARD
$IPTABLES -F OUTPUT; $IPTABLES -P OUTPUT ACCEPT; $IPTABLES -Z OUTPUT
$IPTABLES -F

# Masquerade the LAN, let the LAN out, let replies back through
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
$IPTABLES -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# LinWiz input chains
$IPTABLES -X
$IPTABLES -N LINWIZ-INPUT; $IPTABLES -N REJECT-PKT; $IPTABLES -N SYN-FLOOD;
$IPTABLES -A INPUT -j LINWIZ-INPUT
$IPTABLES -A LINWIZ-INPUT -i lo -j ACCEPT
$IPTABLES -A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A LINWIZ-INPUT -d 127.0.0.0/8 -j DROP
$IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --syn -j SYN-FLOOD
$IPTABLES -A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# $IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# $IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --dport 80:81 -j ACCEPT
# $IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Forwarded ports
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 22
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 80
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 81
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 443
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 22
$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 81 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT

# Port forwards (DNAT) from eth0 into the LAN
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 22,80 -j DNAT --to 321.3.2.3:80
# $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 321.3.2.3:80
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 22,80,81,443 -j DNAT --to 321.3.2.8:80
# $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 321.3.2.8:80

$IPTABLES -A LINWIZ-INPUT -j REJECT-PKT
$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SYN-FLOOD -j DROP
$IPTABLES -A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable
# $IPTABLES -L
# $IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -m multiport --dport 22,80,81,443 -m multiport -m state --state NEW -j ACCEPT
# $IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 321.3.2.3 -m multiport --dport 22,80,81,443 -m multiport --sport 1024:65535 -m state --state NEW -j ACCEPT
|
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 22,80 -j DNAT --to 321.3.2.3:80
With this rule you're taking traffic to ports 22 and 80 and then sending it to only port 80 of the internal address, which will immediately lose your ssh traffic and send garbage to the webserver. Instead, just make a PREROUTING rule for each type of traffic you need, like this:
Code:
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 321.3.2.3:80
Also, the IP address you're using for the LAN IP isn't a valid address, so I hope you're just using that as an example, not as the real LAN address.
|
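The ruleset Caveman is describing, written out as an added example (this is not code from the thread or from LinWiz): one PREROUTING DNAT rule per forwarded port, and for each of them a FORWARD accept pinned to the same host, port and direction, with the firewall's own INPUT chain dropping everything. The interface names match the post; every address (203.0.113.10, 10.0.0.0/24, the 10.0.0.3 and 10.0.0.8 targets) is an assumed placeholder from the RFC 5737 and RFC 1918 ranges, not the poster's.

```shell
#!/bin/sh
# Added example, not code from the thread or from LinWiz: ports 22, 80, 81 and
# 443 arriving on eth0 are forwarded to hosts on eth1, one DNAT rule per port,
# and the firewall itself accepts no inbound connections.
# Assumed placeholders (not the poster's): 203.0.113.10, 10.0.0.0/24, 10.0.0.3, 10.0.0.8.

WAN_NIC=eth0
LAN_NIC=eth1
WAN_IP=203.0.113.10        # assumed public address on eth0
LAN_NET=10.0.0.0/24        # assumed LAN behind eth1

# DRY_RUN=1 prints each rule instead of loading it, so the whole set can be
# reviewed (or tested) without root and without touching the live tables.
DRY_RUN=${DRY_RUN:-0}
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "iptables $*"; else /sbin/iptables "$@"; fi
}

# forward_port WAN_PORT LAN_HOST [LAN_PORT]   (LAN_PORT defaults to WAN_PORT)
# One port per call: a multiport DNAT with a single --to port rewrites every
# listed port to that one port, which is what lost the ssh traffic above.
forward_port() {
    wan_port=$1; lan_host=$2; lan_port=${3:-$1}
    case $wan_port in
        *,*|*:*) echo "forward_port: one port per rule, got '$wan_port'" >&2; return 1 ;;
    esac
    run -t nat -A PREROUTING -i "$WAN_NIC" -d "$WAN_IP" -p tcp --dport "$wan_port" \
        -j DNAT --to-destination "$lan_host:$lan_port"
    # Forward only NEW connections that arrived on eth0 for exactly this
    # host:port; replies in both directions are matched by the state rule in
    # base_rules, so nothing wider than this is needed in FORWARD.
    run -A FORWARD -i "$WAN_NIC" -o "$LAN_NIC" -p tcp -d "$lan_host" --dport "$lan_port" \
        -m state --state NEW -j ACCEPT
}

base_rules() {
    # With forwarding off the kernel forwards nothing, whatever FORWARD says.
    [ "$DRY_RUN" = 1 ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
    run -F; run -t nat -F; run -X
    # The firewall box accepts no inbound connections of its own: only loopback
    # and replies to traffic it started get past INPUT.
    run -P INPUT DROP; run -P FORWARD DROP; run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may start connections outward; they are masqueraded on eth0.
    run -A FORWARD -i "$LAN_NIC" -o "$WAN_NIC" -s "$LAN_NET" -j ACCEPT
    run -t nat -A POSTROUTING -o "$WAN_NIC" -s "$LAN_NET" -j MASQUERADE
}

all_rules() {
    base_rules
    forward_port 22  10.0.0.3      # assumed ssh host
    forward_port 80  10.0.0.8      # assumed web server: ports 80, 81 and 443
    forward_port 81  10.0.0.8
    forward_port 443 10.0.0.8
}

# Usage:  sh fw.sh preview   (print the rules, no root needed)
#         sh fw.sh apply     (load them; run as root)
case ${1:-} in
    preview) DRY_RUN=1; all_rules ;;
    apply)   DRY_RUN=0; all_rules ;;
esac
```

After `apply`, `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` should list one DNAT and one ACCEPT per port, and their packet counters should move when a connection comes in from outside; a rule that is missing from that output was never loaded, however the script looks.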
Thanks, Caveman, for your help. Thanks also for the IP range mentioned, just trying to avoid posting my IP :). I went ahead and commented out the two lines mentioned and added the additional 4, but now I'm not getting a response from any port. Here's what I got from my iptables -L.
Chain INPUT (policy DROP)
target     prot opt source               destination
LINWIZ-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  321.3.2.0/24         anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LINWIZ-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  127.0.0.0/8          anywhere
DROP       all  --  anywhere             127.0.0.0/8
SYN-FLOOD  tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT-PKT  all  --  anywhere             anywhere

Chain REJECT-PKT (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            udp reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            icmp echo-request reject-with icmp-host-unreachable

Chain SYN-FLOOD (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            limit: avg 1/sec burst 4
DROP       all  --  anywhere             anywhere
|
For some reason you're short a few forwarding rules. The iptables -L output shows rules allowing traffic from the LAN and ESTABLISHED connections, but there aren't any that forward traffic from outside into the LAN. Your firewall rules in the first post had them:
Code:
$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT |
Here ya go :)
Chain PREROUTING (policy ACCEPT 368 packets, 36432 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 65 packets, 2652 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       321.3.2.0/24         0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1 packets, 92 bytes)
 pkts bytes target     prot opt in     out     source               destination
|
Looks like none of your PREROUTING DNAT rules are getting loaded either. Maybe an issue with the script itself (though the last rule in the script is loaded). Try entering each of the other rules manually and then verify that they have loaded properly. Post any error messages.
|
I didn't receive an error, and I have iptables 1.2.8 installed, which I think is the most current.
|
When you manually enter the rules, do you see the prerouting and forwarding rules appear in the output of iptables -vnL ?
Just to clarify, when I say manually enter them, I mean enter them one by one on the command line, like:
Code:
root@linux# iptables -t nat -F POSTROUTING |
I manually went through each step but I was unable to resolve my issues.
Interestingly enough, I got frustrated and started editing the iptables directly. From what I understand, what I did is NOT what is expected to be done to fix the issue, but I was able to get it to work. I've added my iptables below for future reference in case anyone
Code:
# Generated by iptables-save v1.2.8 on Fri Nov 5 17:58:50 2004
*nat
:PREROUTING ACCEPT [1:229]
:POSTROUTING ACCEPT [3:320]
:OUTPUT ACCEPT [3:320]
-A PREROUTING -p tcp -d 123.1.2.3 --dport 22 -j DNAT --to-destination 321.3.2.1:22
-A PREROUTING -p tcp -d 123.1.2.3 --dport 80 -j DNAT --to-destination 321.3.2.1:80
-A PREROUTING -p tcp -d 123.1.2.4 --dport 80 -j DNAT --to-destination 321.3.2.2:80
-A PREROUTING -p tcp -d 123.1.2.4 --dport 81 -j DNAT --to-destination 321.3.2.2:81
-A PREROUTING -p tcp -d 123.1.2.4 --dport 443 -j DNAT --to-destination 321.3.2.2:443
-A PREROUTING -p tcp -d 123.1.2.5 --dport 22 -j DNAT --to-destination 321.3.2.3:22
-A PREROUTING -p tcp -d 123.1.2.5 --dport 6000 -j DNAT --to-destination 321.3.2.3:6000
-A POSTROUTING -s 321.3.2.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 5 17:58:50 2004
# Generated by iptables-save v1.2.8 on Fri Nov 5 17:58:50 2004
*filter
:INPUT DROP [19:1748]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [157:17828]
:LINWIZ-INPUT - [0:0]
:REJECT-PKT - [0:0]
:SYN-FLOOD - [0:0]
-A INPUT -j LINWIZ-INPUT
-A FORWARD -s 321.3.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 81 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A LINWIZ-INPUT -i lo -j ACCEPT
-A LINWIZ-INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A LINWIZ-INPUT -d 127.0.0.0/255.0.0.0 -j DROP
-A LINWIZ-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j SYN-FLOOD
-A LINWIZ-INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LINWIZ-INPUT -j REJECT-PKT
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT-PKT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
-A SYN-FLOOD -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A SYN-FLOOD -j DROP
COMMIT
# Completed on Fri Nov 5 17:58:50 2004
I would love to figure out the script for this that works, but that's what I had to do to get what I needed. Thanks a lot for your help, Caveman, I appreciate it. Shadowvyce
|
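One check worth running against a ruleset like the working one above, added here as an example that is not part of the thread: take the iptables-save dump and confirm that every PREROUTING DNAT target has a FORWARD accept pinned to that host and port. Two things from this thread show up as findings: a multiport DNAT that collapses several ports onto one (the rule Caveman flagged in the first post) and FORWARD accepts that match `--dport` only, with no `-d`, `-i` or `-o`, which is how the final ruleset's forwarding rules are written: they forward port 22, 80, 81 and 443 to any host in any direction, not just to the DNAT targets. SAMPLE_DUMP is constructed for the example with placeholder addresses (203.0.113.x, 10.0.0.x); it follows the shape of the working dump, not its real contents.

```shell
#!/bin/sh
# Added example, not part of the thread: audit an iptables-save dump so that
# every PREROUTING DNAT target has a FORWARD accept pinned to that host and
# port. SAMPLE_DUMP is constructed for this example with placeholder addresses.

SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.3:22
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.8:80
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.8:443
-A PREROUTING -d 203.0.113.11/32 -i eth0 -p tcp -m multiport --dports 22,81 -j DNAT --to-destination 10.0.0.9:81
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.3/32 -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# audit_dump: reads iptables-save text on stdin, prints one verdict per DNAT
# target (ok / broad / missing / collapsed) and exits with the number of
# targets that are not ok.
audit_dump() {
    awk '
    /^-A PREROUTING/ && /-j DNAT/ {
        dport = ""; to = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            if ($i == "--to-destination" || $i == "--to") to = $(i + 1)
        }
        if (to !~ /:/) to = to ":" dport     # no port in --to: original port is kept
        tgt[++nt] = to
        if (dport ~ /,/) multi[nt] = dport   # several ports rewritten to one port
    }
    /^-A FORWARD/ && /-j ACCEPT/ {
        host = "*"; port = ""                # "*" = rule has no -d, matches any host
        for (i = 1; i <= NF; i++) {
            if ($i == "-d") { host = $(i + 1); sub(/\/32$/, "", host) }
            if ($i == "--dport") port = $(i + 1)
        }
        if (port != "") fwd[host ":" port] = 1
    }
    END {
        for (n = 1; n <= nt; n++) {
            split(tgt[n], hp, ":")
            if (n in multi) {
                print "collapsed " tgt[n] " (ports " multi[n] " all rewritten to one port)"; bad++
            } else if ((hp[1] ":" hp[2]) in fwd) {
                print "ok " tgt[n]
            } else if (("*:" hp[2]) in fwd) {
                print "broad " tgt[n] " (FORWARD accepts --dport " hp[2] " to any host)"; bad++
            } else {
                print "missing " tgt[n]; bad++
            }
        }
        exit bad + 0
    }'
}

# Against the running firewall (needs root):  iptables-save | audit_dump
audit_sample() { printf '%s\n' "$SAMPLE_DUMP" | audit_dump; }
```

On the constructed dump the audit reports one target of each kind (ok, broad, missing, collapsed) and exits 3. A "broad" finding is fixed by adding `-i eth0 -o eth1 -d <host>` and `-m state --state NEW` to the FORWARD rule; a "collapsed" one by splitting the multiport DNAT into one rule per port, as Caveman advised.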