Linux - Security | This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-05-2004, 04:49 PM | #1 | Member | Registered: Nov 2003 | Location: Toronto | Distribution: RedHat 9, Mandrake 10, OS X | Posts: 114
Simple Port Forwarding Firewall - not forwarding
I've only been using RedHat for about 6 months. I have read a lot about IP tables but I'm not confident that I can say "I know iptables". I've tried gShield, Firestarter, Guarddog... Other independently made scripts... And I can't get this to work. Stop traffic, yes! But what I want is to forward my incoming port 80 requests to another machine. I have a dual-homed system with static IPs running Redhat 9 or Fedora Core 1... Take your pick! I really need to get this up and I really appreciate any definite help. Again, I have no problem blocking services or allowing telnet to that machine or using it as a gateway. The only problem is using it to forward port requests. Thanks again for your help!
MadTurki
01-05-2004, 04:54 PM | #2 | Member | Registered: Sep 2003 | Location: Washington State | Distribution: SuSE 8.0, SuSE 9.0, Slack 9.1 | Posts: 90
I think the command you want is:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to <insert webserver ip here>
Hopefully that helps.
-Dewar
01-05-2004, 04:57 PM | #3 | Member | Registered: Nov 2003 | Location: Toronto | Distribution: RedHat 9, Mandrake 10, OS X | Posts: 114 | Original Poster
I tried that but had no luck... I'll post the iptables file I was using ->
Quote:
# Generated by iptables-save v1.2.8 on Mon Jan 5 15:52:38 2004
*nat
:PREROUTING ACCEPT [36:3374]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:70]
-A POSTROUTING -o eth0 -j SNAT --to-source X.X.X.X
-A PREROUTING --dst X.X.X.X -p tcp -j DNAT --to-destination 192.168.1.12
COMMIT
# Completed on Mon Jan 5 15:52:38 2004
# Generated by iptables-save v1.2.8 on Mon Jan 5 15:52:38 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:okay - [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.1.4 -i lo -j ACCEPT
-A INPUT -s X.X.X.X -i lo -j ACCEPT
-A INPUT -d 192.168.1.255 -i eth1 -j ACCEPT
-A INPUT -d X.X.X.X -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 2401 -j okay
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
-A OUTPUT -s X.X.X.X -j ACCEPT
COMMIT
# Completed on Mon Jan 5 15:52:38 2004
01-05-2004, 04:58 PM | #4 | Member | Registered: Nov 2003 | Location: Toronto | Distribution: RedHat 9, Mandrake 10, OS X | Posts: 114 | Original Poster
Okay so, that line you suggested wasn't in that one...  But I swear it was there! I'll try it again.. Please keep suggestions coming though!
01-05-2004, 10:55 PM | #5 | LQ Newbie | Registered: Nov 2003 | Posts: 13
Do you have ip_forward enabled?
Code:
cat /proc/sys/net/ipv4/ip_forward
If that is set to 0, then it is disabled and needs to be enabled.
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
01-06-2004, 11:39 AM | #6 | Member | Registered: Nov 2003 | Location: Toronto | Distribution: RedHat 9, Mandrake 10, OS X | Posts: 114 | Original Poster
I thought I'd done the echo 1 /proc/.../ip_forward thing, but I discovered that when I do a "service network restart" it resets that to a 0. And it didn't work without restarting it either. I replaced the 7th line with the one you suggested, Dewar, but still no luck. Could this be a network settings problem? Do I need to add a route somewhere maybe?
01-06-2004, 12:25 PM | #7 | Member | Registered: Sep 2003 | Location: Washington State | Distribution: SuSE 8.0, SuSE 9.0, Slack 9.1 | Posts: 90
Hmmm, it can't be your default gateway on the firewall, because you still have traffic going through, right....?
Oh, I know! I forgot to put something in the command I wrote. Try....
iptables -t nat -A PREROUTING -i <put external interface here> -p tcp --dport 80 -j DNAT --to <insert webserver ip here>
(example: iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.12)
And if that doesn't work, try changing the -A to a -I to add the rule at the start of the chain.
-Dewar
Edit: Another silly question.... Is apache turned on?
Second Edit: Also, maybe the default gateway on the webserver is wrong?
Last edited by Dewar; 01-06-2004 at 12:32 PM.
01-06-2004, 01:04 PM | #8 | Member | Registered: Nov 2003 | Location: Toronto | Distribution: RedHat 9, Mandrake 10, OS X | Posts: 114 | Original Poster
Still no... Not with -A or -I. I'm not running Apache on the firewall. It is running on 1.12 though, and I can access it with lynx to the local IP of the web server. My dg on the ext. nic is correct. On the internal nic I don't have one specified, but I have a route for 192.168.1.0 to the other (windows) gateway.
04-02-2006, 09:53 AM | #9 | LQ Newbie | Registered: Apr 2006 | Posts: 7
Did you ever get it working? Could you post how?
04-03-2006, 08:19 AM | #10 | LQ Newbie | Registered: Apr 2006 | Posts: 12
Check this out if it helps....
##################################################
iptables -F -t nat
Then fire this rule --
iptables -I PREROUTING -p tcp -d {IP-on-external-interface} --dport 80 -j DNAT --to {local-ip} -t nat
iptables -I FORWARD -j ACCEPT -t filter
04-07-2006, 08:06 AM | #11 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by redmap
Did you ever get it working? Could you post how?
i don't know if he got it working, but this is done like this (main commands are in bold, while the rest is provided for completeness):
Code:
# WAN_IFACE / LAN_IFACE: your Internet-side and LAN-side interface names (e.g. eth0 / eth1)
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -F -t nat
iptables -X -t nat
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 80 \
-j DNAT --to-destination 192.168.1.12
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE \
--dport 80 -d 192.168.1.12 -m state --state NEW -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
Last edited by win32sux; 04-07-2006 at 08:09 AM.
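The pieces the thread converges on (win32sux's recipe above, the -t nat that the earlier one-liners left out, and the ip_forward value that "service network restart" kept resetting) collected into one script that can be dry-run before it touches a live box. This is an added example, not code from any poster; it assumes eth0 is the Internet side, eth1 the LAN side and 192.168.1.12 the web server, as in the thread, and that sysctl.conf lives at the Red Hat default path.

```shell
#!/bin/sh
# Added example: a port-80 DNAT forward for a two-NIC Linux box, split into
# functions so the rules can be printed (IPT="echo iptables") before loading.
# Assumed values: eth0 = Internet side, eth1 = LAN side, 192.168.1.12 = web server.
WAN_IFACE=${WAN_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
WEB_IP=${WEB_IP:-192.168.1.12}
IPT=${IPT:-iptables}

# 1. Rewrite the destination of inbound port-80 packets. PREROUTING lives in
#    the nat table only, so -t nat is mandatory; without it iptables rejects
#    the rule instead of forwarding anything.
dnat_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP"
}

# 2. A DNATed packet is routed, not delivered locally, so the filter table's
#    FORWARD chain must accept it. With a DROP policy and no rule, the DNAT
#    rule is present but the web server never sees a SYN.
forward_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -p tcp -d "$WEB_IP" \
        --dport 80 -m state --state NEW -j ACCEPT
}

# 3. Routing between interfaces must be on. Writing to /proc does not survive
#    "service network restart"; the persistent setting is net.ipv4.ip_forward
#    in /etc/sysctl.conf, which Red Hat's network scripts re-apply.
ip_forward_enabled() {          # $1: path of the ip_forward proc file
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

persist_ip_forward() {          # $1: path of sysctl.conf
    grep -v '^net.ipv4.ip_forward' "$1" 2>/dev/null > "$1.tmp" || :
    printf 'net.ipv4.ip_forward = 1\n' >> "$1.tmp"
    mv "$1.tmp" "$1"
}

apply_forwarding() {
    dnat_rules
    forward_rules
    persist_ip_forward /etc/sysctl.conf
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only touch the live system when explicitly asked: ./fwd80.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_forwarding
fi
```

With IPT="echo iptables" in the environment the script prints the rules it would load instead of installing them. The web server's own default gateway still has to point at this box (Dewar's second edit), which no rule here can fix.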
04-09-2006, 01:05 AM | #12 | Member | Registered: Sep 2005 | Location: Bangladesh | Distribution: RH 7.2, 8, 9, Fedora | Posts: 217
Take a look at the script... it should serve you... change it as you need..
Code:
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#
###########################################################################
#
# 1. Configuration options.
#
###########################################################################
#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"
###########################################################################
#
# Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
###########################################################################
#
# Internet Configuration.
#
INET_IP="194.236.50.155"
INET_IFACE="eth0"
###########################################################################
#
# IPTables Configuration.
#
IPTABLES="/usr/sbin/iptables"
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
###########################################################################
#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IP's
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
# nondocumented commenting out of these rules
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
##########################
# INPUT chain
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
###############################
# OUTPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
04-09-2006, 04:11 AM | #13 | LQ Newbie | Registered: Apr 2006 | Posts: 6
Script
I built a file to port forward my machines (ie prtfwd), then chmod 775, and install it in my rc.local
(ie /usr/sbin/prtfwd). This way you can tinker with it and make changes without having to disturb the main rules and restart it all the time. It looks like this.
Code:
/usr/sbin/iptables -A FORWARD -i eth0 -p udp --dport 27950:27970 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp -d 0.0.0.0 --dport 27950:27970 -j DNAT --to-destination 192.168.0.2:27950-27970
/usr/sbin/iptables -A FORWARD -i eth0 -p tcp --dport 6890:6896 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d 0.0.0.0 --dport 6890:6896 -j DNAT --to-destination 192.168.0.2:6890-6896
/usr/sbin/iptables -A FORWARD -i eth0 -p tcp --dport 6699 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d 0.0.0.0 --dport 6699 -j DNAT --to-destination 192.168.0.2:6699
/usr/sbin/iptables -A FORWARD -i eth0 -p udp --dport 6257 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp -d 0.0.0.0 --dport 6257 -j DNAT --to-destination 192.168.0.2:6257
Of course the 0.0.0.0 is your outside ip. Notice the ports that look like 27650:27970, a range of ports or single. Works good for me. Great if you have a lan party and want to host several games on different ports or machines. Hope this helps
04-09-2006, 09:33 AM | #14 | Member | Registered: Sep 2005 | Location: Bangladesh | Distribution: RH 7.2, 8, 9, Fedora | Posts: 217
I also did the same thing... I modified the script and now I only execute the file, no restart. It depends on your need and practice... do some editing in the script. Use a service iptables save and then service iptables restart at the bottom of the script... that's what I used to do...
04-09-2006, 12:08 PM | #15 | LQ Newbie | Registered: Apr 2006 | Posts: 6
Script
Yeah, that's why I 775 it. So now I just /usr/sbin/prtfwd when I make a change. But it's a good idea to put it in the rc.local; that way if you reboot it's there.