LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-29-2007, 02:50 AM   #1
utnalove
LQ Newbie
 
Registered: Jul 2007
Distribution: CentOS 7
Posts: 24

Rep: Reputation: 0
what's wrong with iptables or route


Hallo, messenger work, but my 2 browsers cannot browse.
I can ping web sites, but I cannot browse them.

Eth1 is my ISP
Eth2 is my windows client


Here is my Iptables
Code:
INPUT ACCEPT [179:50132] 
:FORWARD ACCEPT [37:1805] 
:OUTPUT ACCEPT [217:24615] 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
COMMIT 
# Completed on Sat Jul 28 20:23:21 2007 
# Generated by iptables-save v1.3.8 on Sat Jul 28 20:23:21 2007 
*nat 
:PREROUTING ACCEPT [10:521] 
:POSTROUTING ACCEPT [12:576] 
:OUTPUT ACCEPT [12:719] 
-A PREROUTING -i eth2 -p tcp -m tcp --dport 6662 -j DNAT --to-destination 192.168.100.20 
-A PREROUTING -i eth2 -p tcp -m tcp --dport 48741 -j DNAT --to-destination 192.168.100.20 
-A PREROUTING -i eth2 -p udp -m udp --dport 48741 -j DNAT --to-destination 192.168.100.20 
-A PREROUTING -i eth2 -p udp -m udp --dport 6672 -j DNAT --to-destination 192.168.100.20 
-A PREROUTING -i eth2 -p udp -m udp --dport 3830 -j DNAT --to-destination 192.168.100.20 
-A PREROUTING -i eth2 -p tcp -m tcp --dport 3830 -j DNAT --to-destination 192.168.100.20 
# I added this rule to try... but I remember that In my old firewall rules I didn't have this rule and it was working fine.
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.20 
-A PREROUTING -i eth2 -p tcp -m tcp --dport 1445 -j DNAT --to-destination 192.168.100.20:443 
-A PREROUTING -i eth2 -p tcp -m tcp --dport 1446 -j DNAT --to-destination 192.168.100.20:80 
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
This is the traffic when my windows client tries to surf... I can see traffic one way... it seems to be that the firewall is blocking it.
The ports 4252,4 ... always change... when I restarted the 2 computers, the ports on the first side where about 2100. I don't remember precisiously.
Code:
P 192.168.100.20.4252 > 217.146.182.26.80: tcp 0 
IP 192.168.100.20.4252 > 192.168.100.20.80: tcp 0 
IP 192.168.100.20.4252 > 217.146.182.26.80: tcp 0 
IP 192.168.100.20.4252 > 192.168.100.20.80: tcp 0 
IP 192.168.100.20.4254 > 62.73.178.61.80: tcp 0 
IP 192.168.100.20.4254 > 192.168.100.20.80: tcp 0 
IP 192.168.100.20.4254 > 62.73.178.61.80: tcp 0 
IP 192.168.100.20.4254 > 192.168.100.20.80: tcp 0 
IP 192.168.100.20.4252 > 217.146.182.26.80: tcp 0 
IP 192.168.100.20.4252 > 192.168.100.20.80: tcp 0 
IP 192.168.100.20.4254 > 62.73.178.61.80: tcp 0 
IP 192.168.100.20.4254 > 192.168.100.20.80: tcp 0

and this is the traffic of a messenger running
Code:
IP 217.17.41.85.8074 > 192.168.100.20.4134: tcp 75 
IP 192.168.100.20.4134 > 217.17.41.85.8074: tcp 0 
IP 217.17.41.85.8074 > 192.168.100.20.4134: tcp 26 
IP 192.168.100.20.4134 > 217.17.41.85.8074: tcp 8 
IP 217.17.41.85.8074 > 192.168.100.20.4134: tcp 0 
IP 217.17.41.85.8074 > 192.168.100.20.4134: tcp 26 
IP 192.168.100.20.4134 > 217.17.41.85.8074: tcp 0

this is my route table
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 
192.168.100.0   *               255.255.255.0   U     0      0        0 eth2 
62.121.112.0    *               255.255.252.0   U     0      0        0 eth1 
loopback        *               255.0.0.0       U     0      0        0 lo 
default         my publib IP    0.0.0.0         UG    0      0        0 eth1
for now I just want everything to work fine... then I will add rules to make it secure...please help me to find where I wrong... There is no drop... so I don't know why I cannot browse...

where did I do wrong?

Last edited by utnalove; 07-29-2007 at 03:04 AM.
 
Old 07-29-2007, 08:12 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by utnalove
Eth1 is my ISP
Eth2 is my windows client
Your firewall rules reference eth0, eth1, and eth2. Do you have 3 ethernet connections?
 
Old 07-29-2007, 09:15 AM   #3
utnalove
LQ Newbie
 
Registered: Jul 2007
Distribution: CentOS 7
Posts: 24

Original Poster
Rep: Reputation: 0
I have only 2 eth.
I changed this rules

Code:
-A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
to

Code:
-A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
and I have the same traffic on tcpdump.


Do you think I have to add something to the route table? Or the error is just in the firewall rules?
 
Old 07-29-2007, 09:31 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.20
So outgoing web traffic from the windows client is DNATed (the destination address is changed) to 192.168.100.20. Is that what you want to do? So for a web connection to yahoo, the packet would leave the windows client with yahoo.com as the destination address, the packet would come in eth2, and then get rewritten so that it is now addressed to 192.168.100.20, the packet is then sent to 192.168.100.20 !?!
 
Old 07-29-2007, 11:05 AM   #5
utnalove
LQ Newbie
 
Registered: Jul 2007
Distribution: CentOS 7
Posts: 24

Original Poster
Rep: Reputation: 0
This is my new firewall, this is working and logging, even my windows client works. But my emule still has low id...

In my old firewall I just had:
Code:
-A PREROUTING -i eth2 -p tcp -m tcp --dport 6662 -j DNAT --to-destination 192.168.100.20
-A PREROUTING -i eth2 -p udp -m udp --dport 6672 -j DNAT --to-destination 192.168.100.20
and it was working.....

in the new firewall I post here I still have low id... I tried to add this in the prerouting chain and still didn't work:
Code:
#$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 6662:6662 \
#     -j DNAT --to-destination 192.168.100.20

$IPT -t nat -A PREROUTING -p udp -i $LOCAL_IFACE --destination-port 6672:6672 \
     --destination $INET_ADDRESS -j DNAT --to-destination 192.168.100.20
then I tried to add this:

Code:
IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6662 -j ACCEPT
and this:
Code:
# Port Forwarding is enabled, so accept forwarded traffic
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 6662 \
     --destination 192.168.100.20 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 6672 \
     --destination 192.168.100.20 -j ACCEPT
but without result....


Code:
# Local Settings
#

# sysctl location.  If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.

SYSCTL="/sbin/sysctl -w"

# To echo the value directly to the /proc file instead
# SYSCTL=""

# IPTables Location - adjust if needed

IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="mypublicIP"

# Local Interface Information
LOCAL_IFACE="eth2"
LOCAL_IP="192.168.100.1"
LOCAL_NET="192.168.100.0/24"
LOCAL_BCAST="192.168.100.255"

# Localhost Interface

LO_IFACE="lo"
LO_IP="127.0.0.1"

# Local Settings
#

# sysctl location.  If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.

SYSCTL="/sbin/sysctl -w"

# To echo the value directly to the /proc file instead
# SYSCTL=""

# IPTables Location - adjust if needed

IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="mypublicIP"

# Local Interface Information
LOCAL_IFACE="eth2"
LOCAL_IP="192.168.100.1"
LOCAL_NET="192.168.100.0/24"
LOCAL_BCAST="192.168.100.255"

# Localhost Interface

LO_IFACE="lo"
LO_IP="127.0.0.1"

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# Required to enable IPv4 forwarding.
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
# Alternatively, it can be set in /etc/sysctl.conf
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="0"
fi


# This enables SYN flood protection.
# The SYN cookies activation allows your system to accept an unlimited
# number of TCP connections while still trying to give reasonable
# service during a denial of service attack.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi


# This enables source validation by reversed path according to RFC1812.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

# This kernel parameter instructs the kernel to ignore all ICMP
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

# This option can be used to accept or refuse source routed
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi


# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi


# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi


echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
        echo "Firewall completely flushed!  Now running with no firewall."
        exit 0
fi

# Set Policies

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Create a chain to filter INVALID packets

$IPT -N bad_packets

# Create another chain to filter bad tcp packets

$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.

$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound


# Drop packets received on the external interface
# claiming a source of the local network
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
    --log-prefix "fp=bad_packets:2 a=DROP "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP

# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "fp=bad_packets:1 a=DROP "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN


$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN



$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "fp=bad_tcp_packets:1 a=DROP "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "fp=bad_tcp_packets:2 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
    --log-prefix "fp=bad_tcp_packets:3 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "fp=bad_tcp_packets:4 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
    --log-prefix "fp=bad_tcp_packets:5 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "fp=bad_tcp_packets:6 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "fp=bad_tcp_packets:7 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN


# icmp_packets chain

$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "fp=icmp_packets:1 a=DROP "
$IPT -A icmp_packets --fragment -p ICMP -j DROP


# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN



$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule.  This is the minimum requirement to avoid
# long delays while connecting.  Also see the tcp_inbound rule.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule.  This is the minimum requirement to avoid
# long delays while connecting.  Also see the tcp_inbound rule.
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT


# Web Server

# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

# HTTPS (Secure Web Server)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT

# FTP Server (Control)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT

# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT


# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT

# Email Server (POP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Email Server (IMAP4)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT

# SSL Email Server (POP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT

# SSL Email Server (IMAP4)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT



# ICQ File Transfers & Other Advanced Features

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 5000:5100 -j ACCEPT


# MSN Messenger File Transfers

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6891:6900 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN


# tcp_outbound chain

# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

###############################################################################
#
# INPUT Chain
#
###############################################################################
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT

# Allow DHCP client request packets inbound from internal network
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
     -j ACCEPT


# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

###############################################################################
#
# FORWARD Chain
#


# Used if forwarding for a private network

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT


###############################################################################
#
# OUTPUT Chain
#
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.

$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT



###############################################################################
#
# POSTROUTING chain
#

$IPT -t nat -A POSTROUTING -o $INET_IFACE \
     -j SNAT --to-source $INET_ADDRESS
$IPT -t nat -A POSTROUTING -o $LOCAL_IFACE \
     -j SNAT --to-source $INET_ADDRESS


 if [ "$SYSCTL" = "" ]
 then
     echo "1" > /proc/sys/net/ipv4/ip_forward
     else
         $SYSCTL net.ipv4.ip_forward="1"
         fi
any suggestions??

Last edited by utnalove; 07-29-2007 at 11:10 AM.
 
Old 07-29-2007, 07:41 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
In my old firewall I just had:
Code:
-A PREROUTING -i eth2 -p tcp -m tcp --dport 6662 -j DNAT --to-destination 192.168.100.20 -A PREROUTING -i eth2 -p udp -m udp --dport 6672 -j DNAT --to-destination 192.168.100.20
and it was working.....
I'm not sure how, because based on what you've told us so far it shouldn't work. Maybe the interfaces were different or maybe you had another rule that was accepting that traffic.

This rule looks like it should work, but it looks like you've got it commented out? So remove the '#' signs.
Quote:
#$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 6662:6662 \
# -j DNAT --to-destination 192.168.100.20
This looks like the same problem as I pointed out earlier where the wrong interface is being used. Switch it to $INET_IFACE (You want incoming traffic from the internet to be forwarded to 192.168.100.20, not stuff coming *from* the LOCAL_IFACE)
Quote:
$IPT -t nat -A PREROUTING -p udp -i $LOCAL_IFACE --destination-port 6672:6672 \
--destination $INET_ADDRESS -j DNAT --to-destination 192.168.100.20
You'll need these rules to be included for it to work as well:
Quote:
# Port Forwarding is enabled, so accept forwarded traffic
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 6662 \
--destination 192.168.100.20 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 6672 \
--destination 192.168.100.20 -j ACCEPT
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables -L -v and route lag tgo Linux - Networking 4 07-24-2006 07:12 PM
ping on wrong interface despite route ocgltd Linux - Networking 1 09-26-2005 11:23 PM
Iptables Need It To Route To A Windows Machine For Remote Desktop sal_paradise42 Linux - General 2 11-11-2003 08:20 PM
Why does 12.170.16.134 route to the wrong box?? registering Linux - Networking 3 09-24-2003 10:04 AM
STATIC Route using IPTables Milkman00 Linux - Networking 3 03-06-2003 07:47 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:07 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration