LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Nother iptables issue (https://www.linuxquestions.org/questions/linux-security-4/nother-iptables-issue-252437/)

shadowvyce 11-08-2004 10:52 AM

Nother iptables issue
 
OK, I'm trying to set up my iptables but I'm coming across a few difficulties. The configuration I'm looking for is to allow everything under port 22, 80, 81, and 443 to come from my outside device (eth0) then back out my internal network (eth1) without the firewall box itself accepting any connections. I've included the below script to show you what I've been messing with. As you can tell I've been using LinWiz a little to assist me.

Any help would be GREATLY appreciated.

Thanks

Shadowvyce

Script

LAN_IP_NET='321.3.2.1/24'
LAN_NIC='eth1'
WAN_IP='123.1.2.3'
WAN_NIC='eth0'
# FORWARD_IP='321.3.2.3'

IPTABLES=/sbin/iptables

# Flush
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F OUTPUT
$IPTABLES -F INPUT; $IPTABLES -P INPUT DROP; $IPTABLES -Z INPUT
$IPTABLES -F FORWARD; $IPTABLES -P FORWARD DROP; $IPTABLES -Z FORWARD
$IPTABLES -F OUTPUT; $IPTABLES -P OUTPUT ACCEPT; $IPTABLES -Z OUTPUT
$IPTABLES -F

$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
$IPTABLES -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -X
$IPTABLES -N LINWIZ-INPUT;
$IPTABLES -N REJECT-PKT;
$IPTABLES -N SYN-FLOOD;

$IPTABLES -A INPUT -j LINWIZ-INPUT

$IPTABLES -A LINWIZ-INPUT -i lo -j ACCEPT

$IPTABLES -A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A LINWIZ-INPUT -d 127.0.0.0/8 -j DROP

$IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --syn -j SYN-FLOOD

$IPTABLES -A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# $IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# $IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --dport 80:81 -j ACCEPT
# $IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 22
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 80
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 81
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 443
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 22

$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 81 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 22,80 -j DNAT --to 321.3.2.3:80
# $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 321.3.2.3:80
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 22,80,81,443 -j DNAT --to 321.3.2.8:80
# $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 321.3.2.8:80

$IPTABLES -A LINWIZ-INPUT -j REJECT-PKT

$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SYN-FLOOD -j DROP

$IPTABLES -A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable

# $IPTABLES -L
# $IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -m multiport --dport 22,80,81,443 -m multiport -m state --state NEW -j ACCEPT

# $IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 321.3.2.3 -m multiport --dport 22,80,81,443 -m multiport --sport 1024:65535 -m state --state NEW -j ACCEPT

Capt_Caveman 11-08-2004 12:01 PM

$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 22,80 -j DNAT --to 321.3.2.3:80
With this rule you're taking traffic to ports 22 and 80 and then sending them to only port 80 of the internal address which will immediately lose your ssh traffic and send garbage to the webserver. Instead, just make a PREROUTING rule for each type of traffic you need like this:
Code:

$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 321.3.2.3:80
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 321.3.2.3:81
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 321.3.2.3:22
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 321.3.2.3:443

Note that you can probably use one rule with the multiport match and just remove the port number at the end of the rule, but I think it's easier to troubleshoot this way.

Also, the IP address you're using for the LAN IP isn't a valid address, so I hope you're just using that as an example, not as the real LAN address.
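Capt_Caveman's fix written out as a small script, as an added example rather than code from the thread: it keeps one multiport match per host but leaves the port off the DNAT target so each connection keeps its own port, pairs every DNAT with a FORWARD rule limited to new connections from eth0 to eth1 to that host (the FORWARD rules in the first post accept those ports from any interface to any address), and refuses addresses such as 321.3.2.1 whose octets exceed 255. The LAN addresses 192.168.1.3 and 192.168.1.8, the DRY_RUN switch and the validate_ipv4 and port_forward helpers are assumptions of this example; with DRY_RUN=1 (the default) it prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): per-host DNAT plus matching FORWARD
# rules, one multiport match per host, with the port left off the DNAT target
# so 22 stays 22 and 80 stays 80.  Interfaces and addresses are assumptions.
WAN_NIC=eth0
LAN_NIC=eth1
# DRY_RUN=1 (the default) prints the commands instead of running them
DRY_RUN=${DRY_RUN:-1}
if [ "$DRY_RUN" -eq 1 ]; then IPT="echo iptables"; else IPT=/sbin/iptables; fi

# validate_ipv4 ADDR[/PREFIX]: succeed only for a dotted quad whose octets are
# all 0..255 and whose optional prefix is 0..32 (321.3.2.1 is rejected).
validate_ipv4() {
    addr=${1%%/*}
    prefix=${1#"$addr"}
    case $prefix in
        '') ;;
        /*) prefix=${prefix#/}
            case $prefix in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# port_forward HOST PORT...: DNAT the listed TCP ports arriving on the WAN
# interface to HOST, and let FORWARD pass only those new connections, only
# from WAN to LAN, only to that host (FORWARD policy stays DROP).
port_forward() {
    host=$1; shift
    validate_ipv4 "$host" || { echo "port_forward: bad address $host" >&2; return 1; }
    [ $# -gt 0 ] || { echo "port_forward: no ports given" >&2; return 1; }
    ports=$(printf '%s,' "$@"); ports=${ports%,}
    $IPT -t nat -A PREROUTING -i "$WAN_NIC" -p tcp -m multiport --dports "$ports" \
        -j DNAT --to-destination "$host"
    $IPT -A FORWARD -i "$WAN_NIC" -o "$LAN_NIC" -d "$host" -p tcp -m multiport \
        --dports "$ports" -m state --state NEW -j ACCEPT
}

# Two internal hosts, as in the thread: one takes ssh, the other the web ports.
port_forward 192.168.1.3 22
port_forward 192.168.1.8 80 81 443
```

Run it with DRY_RUN=0 as root to apply the rules; the masquerade rule and the INPUT chain from the original script are unchanged and still needed.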

shadowvyce 11-08-2004 12:17 PM

Thanks Caveman for your help. Thanks also for the IP range mentioned, just trying to avoid posting my IP :). I went ahead and commented out the two lines mentioned and added the additional 4 but now I'm not getting a response from any port. Here's what I got from my iptables -L.

Chain INPUT (policy DROP)
target prot opt source destination
LINWIZ-INPUT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 321.3.2.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain LINWIZ-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- anywhere 127.0.0.0/8
SYN-FLOOD tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT-PKT all -- anywhere anywhere

Chain REJECT-PKT (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
REJECT udp -- anywhere anywhere udp reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere icmp echo-request reject-with icmp-host-unreachable

Chain SYN-FLOOD (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 1/sec burst 4
DROP all -- anywhere anywhere

Capt_Caveman 11-08-2004 01:12 PM

For some reason you're short a few forwarding rules. The iptables -L output shows rules allowing traffic from the LAN and ESTABLISHED connections, but there aren't any that forward traffic from outside into the LAN. Your firewall rules in the first post had them:
Code:

$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 81 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT

But those don't appear in the iptables -L output. Also, could you post iptables -t nat -vnL?

shadowvyce 11-08-2004 02:23 PM

Here ya go :)

Chain PREROUTING (policy ACCEPT 368 packets, 36432 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 65 packets, 2652 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 321.3.2.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1 packets, 92 bytes)
pkts bytes target prot opt in out source destination

Capt_Caveman 11-08-2004 03:34 PM

Looks like none of your PREROUTING DNAT rules are getting loaded either. Maybe an issue with the script itself (though the last rule in the script is loaded). Try entering each of the other rules manually and then verify that they have loaded properly. Post any error msgs.

shadowvyce 11-08-2004 04:26 PM

I didn't receive an error, and I have iptables 1.2.8 installed, which I think is the most current.

Capt_Caveman 11-08-2004 04:38 PM

When you manually enter the rules, do you see the prerouting and forwarding rules appear in the output of iptables -vnL ?

Just to clarify, when I say manually enter them, I mean enter them one by one in the command line like:
Code:

root@linux# iptables -t nat -F POSTROUTING
root@linux# iptables -t nat -F PREROUTING
root@linux# iptables -t nat -F OUTPUT
root@linux# iptables -F INPUT
root@linux# iptables -P INPUT DROP
root@linux# iptables -Z INPUT
root@linux# iptables -F FORWARD
....etc...etc...etc


shadowvyce 11-11-2004 11:34 AM

I manually went through each step but I was unable to resolve my issues.
Interestingly enough, I got frustrated and started editing the iptables directly.
From what I understand, what I did is NOT what is expected to be done to fix the issue, but I was able to get
it to work. I added my iptables for future reference in case anyone


# Generated by iptables-save v1.2.8 on Fri Nov 5 17:58:50 2004
*nat
:PREROUTING ACCEPT [1:229]
:POSTROUTING ACCEPT [3:320]
:OUTPUT ACCEPT [3:320]
-A PREROUTING -p tcp -d 123.1.2.3 --dport 22 -j DNAT --to-destination 321.3.2.1:22
-A PREROUTING -p tcp -d 123.1.2.3 --dport 80 -j DNAT --to-destination 321.3.2.1:80
-A PREROUTING -p tcp -d 123.1.2.4 --dport 80 -j DNAT --to-destination 321.3.2.2:80
-A PREROUTING -p tcp -d 123.1.2.4 --dport 81 -j DNAT --to-destination 321.3.2.2:81
-A PREROUTING -p tcp -d 123.1.2.4 --dport 443 -j DNAT --to-destination 321.3.2.2:443
-A PREROUTING -p tcp -d 123.1.2.5 --dport 22 -j DNAT --to-destination 321.3.2.3:22
-A PREROUTING -p tcp -d 123.1.2.5 --dport 6000 -j DNAT --to-destination 321.3.2.3:6000
-A POSTROUTING -s 321.3.2.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 5 17:58:50 2004
# Generated by iptables-save v1.2.8 on Fri Nov 5 17:58:50 2004
*filter
:INPUT DROP [19:1748]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [157:17828]
:LINWIZ-INPUT - [0:0]
:REJECT-PKT - [0:0]
:SYN-FLOOD - [0:0]
-A INPUT -j LINWIZ-INPUT
-A FORWARD -s 321.3.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 81 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A LINWIZ-INPUT -i lo -j ACCEPT
-A LINWIZ-INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A LINWIZ-INPUT -d 127.0.0.0/255.0.0.0 -j DROP
-A LINWIZ-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j SYN-FLOOD
-A LINWIZ-INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LINWIZ-INPUT -j REJECT-PKT
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT-PKT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
-A SYN-FLOOD -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A SYN-FLOOD -j DROP
COMMIT
# Completed on Fri Nov 5 17:58:50 2004



I would love to figure out the script for this that works, but that's what I got to do what I needed.

Thanks a lot for your help Caveman, I appreciate it.

Shadowvyce
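Capt_Caveman asked for the loaded rules to be verified, and the saved ruleset above is the natural place to do it. The audit script below is an added example, not code from the thread: given iptables-save output it lists every PREROUTING DNAT target whose destination port the FORWARD chain never accepts (with a DROP policy that traffic is rewritten and then discarded) and any FORWARD rule that appears twice. SAVED_RULES is constructed here to mirror the ruleset posted above, placeholder addresses included; run against it the script reports 321.3.2.3:6000, whose DNAT rule has no matching FORWARD ACCEPT, and the repeated --dport 22 rule. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for DNAT
# targets the FORWARD chain never accepts, and for duplicated FORWARD rules.
# SAVED_RULES is constructed to mirror the ruleset posted in the thread
# (placeholder addresses kept); on a live box use SAVED_RULES=$(iptables-save).
SAVED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -d 123.1.2.3 --dport 22 -j DNAT --to-destination 321.3.2.1:22
-A PREROUTING -p tcp -d 123.1.2.3 --dport 80 -j DNAT --to-destination 321.3.2.1:80
-A PREROUTING -p tcp -d 123.1.2.4 --dport 80 -j DNAT --to-destination 321.3.2.2:80
-A PREROUTING -p tcp -d 123.1.2.4 --dport 81 -j DNAT --to-destination 321.3.2.2:81
-A PREROUTING -p tcp -d 123.1.2.4 --dport 443 -j DNAT --to-destination 321.3.2.2:443
-A PREROUTING -p tcp -d 123.1.2.5 --dport 22 -j DNAT --to-destination 321.3.2.3:22
-A PREROUTING -p tcp -d 123.1.2.5 --dport 6000 -j DNAT --to-destination 321.3.2.3:6000
-A POSTROUTING -s 321.3.2.0/255.255.255.0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 321.3.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 81 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# unforwarded_dnat RULESET: print host:port for each PREROUTING DNAT target
# whose (post-translation) port has no ACCEPT in the FORWARD chain.  Handles
# --dport and multiport --dports on both sides, and a DNAT target with or
# without an explicit port (without one, the original --dport is kept).
unforwarded_dnat() {
    printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2); next }
    table == "nat" && /^-A PREROUTING / && /-j DNAT/ {
        dst = ""; plist = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--to-destination") dst = $(i + 1)
            if ($i == "--dport" || $i == "--dports") plist = $(i + 1)
        }
        if (split(dst, parts, ":") == 2) plist = parts[2]   # explicit target port wins
        k = split(plist, ps, ",")
        for (j = 1; j <= k; j++) { n++; target[n] = dst; tport[n] = ps[j] }
    }
    table == "filter" && /^-A FORWARD / && /-j ACCEPT$/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--dport" || $i == "--dports") {
                k = split($(i + 1), ps, ",")
                for (j = 1; j <= k; j++) fwd[ps[j]] = 1
            }
    }
    END { for (i = 1; i <= n; i++) if (!(tport[i] in fwd)) print target[i] }
    '
}

# duplicate_forward_rules RULESET: print FORWARD rules that appear more than once
duplicate_forward_rules() {
    printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2); next }
    table == "filter" && /^-A FORWARD / { print }
    ' | sort | uniq -d
}

echo "DNAT targets with no FORWARD accept:"
unforwarded_dnat "$SAVED_RULES"
echo "Duplicated FORWARD rules:"
duplicate_forward_rules "$SAVED_RULES"
```

The check only looks at destination ports, so a FORWARD rule scoped to a different interface or host still counts as covering the port; it is a quick sanity pass after loading a script, not a substitute for reading the rules.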

