Hello all,
I have a Debian Sarge box with 2 ethernet cards. eth0 is the internal card and has the static IP 192.168.0.91. eth1 is the external interface card and does not have an IP, as it is a bridged connection to the ADSL modem (PPPoE). ppp0 has a static IP set by the ISP (which is referred to as xxx.xxx.xxx.xxx). The box runs a web and email server (Apache, Exim and Dovecot).
I have written an iptables script that allows selected ports through on the external interface, and allows users to use the ADSL connection from the local network.
Recently, they asked me to install an APC masterswitch which has a web interface on standard port 80. They wanted to be able to use it from outside of the network, so I decided to redirect port 8080 to the switch at the gateway. The switch has the static IP address of 192.168.0.10.
Unfortunately, the redirection bit is the only thing I can't get working. I've read and re-read Rusty Russell's NAT howto and followed his example. I've switched the order of iptables commands around in the script and have tried turning off DROP and REJECT commands also as a troubleshooting measure (for these reasons, there might be a few superfluous commands).
Any help with this problem would be greatly appreciated. Also, please let me know if I've created any gaping security holes ;)
Here is the script:
#!/bin/bash
# Flush any existing rules and zero the traffic counters
iptables -F
iptables -Z
iptables -t nat -F
iptables -t nat -Z
# Allow forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# Disable smurf attack response
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Accept all input on local loopback
iptables -A INPUT -i lo -j ACCEPT
# Filter ADSL traffic - returning traffic is okay, new connections are checked for valid ports, all others are rejected
# If it's an established returning connection, let it through
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to 192.168.0.10:80
#iptables -A FORWARD -p tcp -i eth1 -d 192.168.0.10 --dport 80 -j ACCEPT
# Allow ICMP
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
# Allow SSH
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# Allow HTTP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
# Allow HTTPS
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
# Allow SMTP
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
# Allow POP3
iptables -A INPUT -i eth1 -p tcp --dport 110 -j ACCEPT
# Allow POP3-SSL
iptables -A INPUT -i eth1 -p tcp --dport 995 -j ACCEPT
# Allow Alternate HTTP for APC
iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
# Doesn't match any of the above, reject the packet
iptables -A INPUT -i eth1 -j REJECT
# Allow all staff traffic (defined by all INPUT on ETH0) through if it's a local address
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
# If it doesn't match the above subnet on the internal network, someone may be doing something nasty, so reject the packet
iptables -A INPUT -i eth0 -j REJECT
# This sets up Network Address Translation
# When the packet is ready to be resent, the IP headers are rewritten
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.91
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source xxx.xxx.xxx.xxx
-- Les
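The port-forward from the post, rewritten as an added example (this is not Les's script and not a reply from the list). It assumes what the post describes: with PPPoE, eth1 only carries PPPoE frames, and the decapsulated IP packets that iptables actually sees arrive on ppp0, so rules matched with "-i eth1" never fire; the LAN is eth0/192.168.0.0/24 and the APC switch is 192.168.0.10. The post's ip_forward setting and POSTROUTING SNAT rules are assumed to stay in place; IPT=echo turns the script into a dry run.

```shell
#!/bin/sh
# Added example, not the poster's script. External IP packets are assumed
# to appear on ppp0 (PPPoE), LAN on eth0, APC MasterSwitch at 192.168.0.10.
IPT="${IPT:-iptables}"     # set IPT=echo to print the rules instead
EXT_IF="ppp0"
LAN_IF="eth0"
LAN_NET="192.168.0.0/24"
APC_IP="192.168.0.10"

forward_apc() {
    # Rewrite public :8080 to the switch's :80 before the routing decision
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 8080 \
        -j DNAT --to-destination "$APC_IP:80"
    # DNATed packets are routed, so they traverse FORWARD, not INPUT
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$APC_IP" -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$APC_IP" -p tcp --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

filter_external() {
    # Default-deny forwarding; only LAN-originated flows and their replies pass
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Host-bound traffic from the Internet: the post's port list, matched on
    # ppp0 so the final REJECT applies. No 8080 here: after DNAT those
    # packets never reach INPUT.
    $IPT -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 22 80 443 25 110 995; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -i "$EXT_IF" -j REJECT
}

apply_rules() {
    $IPT -F; $IPT -t nat -F     # start clean, as the post's script does
    filter_external
    forward_apc
}

# "sh fw.sh print" shows the rules; "sh fw.sh apply" installs them
case "${1:-}" in
    print) IPT=echo; apply_rules ;;
    apply) apply_rules ;;
esac
```

To confirm the match is right, run `iptables -t nat -L PREROUTING -v -n` while connecting to xxx.xxx.xxx.xxx:8080 from outside; a pkts counter that stays at 0 on the DNAT rule means the packets are not arriving on the interface the rule names.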