Hello everyone, I managed to get IPTABLES on my Red Hat 9 machine to load, but something is wrong either with my environment or the IPTABLES script. I've set up a dual-NIC machine for testing purposes, and connected both cards to the same LAN. I simulate the external connection on one card, and the internal one on another:
eth0 IP = 192.168.1.23 /* Connected to "internal" network */
eth1 IP = 10.0.0.1 /* Connected to "external" network */

One Windows-based machine (A) runs Apache web server; it is located on the "internal" subnet with IP = 192.168.1.250. Another Windows-based machine (B) simulates an external client, with IP = 10.0.0.2. The external client B tries to connect to the web server A through the firewall host running IPTABLES. I configured the script to forward all packets arriving on eth1 with port 80 as destination to eth0 - but the client browser cannot connect to the server (http://10.0.0.1 just times out). Schematically, this can be shown as:

Client (10.0.0.2) -> RH9 host (10.0.0.1) -> RH9 host (192.168.1.23) -> Server (192.168.1.250)

I also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf, but to no avail. The following is the script of my (very simplistic) firewall. Perhaps someone knowledgeable in IPTABLES could have a look at it and point out my error.

TIA
Alex Molochnikov
Gestalt Corporation

#!/bin/sh
IPTABLES="/sbin/iptables"
INTERNET_IP=10.0.0.1       # Internet IP address (simulation)
OFFICE_IP=192.168.1.23     # Office IP address
INTERNET_CARD="eth1"       # External interface
OFFICE_CARD="eth0"         # Office interface
SOURCEPORTS="32769:65535"
DESTPORTS="33434:33523"
HTTP_SERVER="192.168.1.250"

echo "Starting all modules (ip_tables,ip_conntrack,ip_conntrack_ftp,ip_nat_ftp,iptable_nat)."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe iptable_nat

echo FLUSH all tables.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
$IPTABLES -X

echo Set the default policy to accept all INPUT,FORWARD, and OUTPUT.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

echo Accept all loopback connections.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

echo ACCEPT all outbound TCP connections
$IPTABLES -A OUTPUT -o $INTERNET_CARD -p tcp -m state --state ESTABLISHED,NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET_CARD -p tcp -m state --state ESTABLISHED -j ACCEPT

echo ACCEPT and establish new outbound traceroutes
$IPTABLES -A OUTPUT -o $INTERNET_CARD -p udp --sport $SOURCEPORTS --dport $DESTPORTS -m state --state NEW -j ACCEPT

echo ACCEPT all ICMP that are related to other connections and NEW ones
$IPTABLES -A OUTPUT -o $INTERNET_CARD -p icmp -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET_CARD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

echo ACCEPT inbound HTTP connections bound to port 80. Web Server.
$IPTABLES -A FORWARD -s $INTERNET_IP -d $OFFICE_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INTERNET_IP --dport 80 -j DNAT --to-destination $HTTP_SERVER:80
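As an added example (not part of the original post), a small Python model of the path a client SYN takes through the two HTTP rules above: the PREROUTING DNAT rewrites the destination before the FORWARD chain is consulted, and the DNAT is only reversed if the server's reply routes back through the firewall's eth0 address. The client address, the server subnet and the gateway values are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the post; CLIENT is the external Windows machine B (assumed).
INTERNET_IP, OFFICE_IP, HTTP_SERVER = "10.0.0.1", "192.168.1.23", "192.168.1.250"
CLIENT = "10.0.0.2"
FORWARD_POLICY = "ACCEPT"  # the script sets -P FORWARD ACCEPT

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def prerouting_dnat(pkt: Packet) -> Packet:
    """nat PREROUTING: -p tcp -d $INTERNET_IP --dport 80 -j DNAT --to-destination $HTTP_SERVER:80"""
    if pkt.proto == "tcp" and pkt.dst == INTERNET_IP and pkt.dport == 80:
        return replace(pkt, dst=HTTP_SERVER)
    return pkt

def forward_rule_matches(pkt: Packet) -> bool:
    """filter FORWARD: -s $INTERNET_IP -d $OFFICE_IP -p tcp --dport 80 -j ACCEPT"""
    return (pkt.proto == "tcp" and pkt.src == INTERNET_IP
            and pkt.dst == OFFICE_IP and pkt.dport == 80)

def trace_client_syn() -> dict:
    """What FORWARD sees for the client's first SYN to http://10.0.0.1: PREROUTING
    runs before the routing decision, so FORWARD sees the rewritten destination."""
    syn = Packet(CLIENT, INTERNET_IP, "tcp", 80)
    after_nat = prerouting_dnat(syn)
    matched = forward_rule_matches(after_nat)
    return {
        "forward_sees": (after_nat.src, after_nat.dst),
        "explicit_rule_matched": matched,
        "verdict": "ACCEPT" if matched else FORWARD_POLICY,
    }

def reply_next_hop(server_subnet, default_gateway):
    """Where the server sends its SYN-ACK (addressed to CLIENT, as DNAT kept the source):
    directly if CLIENT is on its subnet, else its default gateway; None = no route. Constructed model."""
    if ipaddress.ip_address(CLIENT) in ipaddress.ip_network(server_subnet):
        return CLIENT
    return default_gateway

def reply_is_undone_by_firewall(default_gateway) -> bool:
    """Only a reply that comes back through OFFICE_IP hits the conntrack entry
    that reverses the DNAT; any other path leaves the client waiting (timeout)."""
    return reply_next_hop("192.168.1.0/24", default_gateway) == OFFICE_IP
```

A change to /etc/sysctl.conf only takes effect after `sysctl -p` or a reboot; `cat /proc/sys/net/ipv4/ip_forward` shows the live value.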
