Hello,
I'm trying to set up port forwarding in IPTABLES
and so far it's working great from the internet, but when I attempt from my
internal LAN using the External IP address, it fails.
EXTIF="eth0"
INTIF="eth1" EXTIP="xxx.xxx.xxx.xxx"
INTNET="192.168.1.0/24" INTIP="192.168.1.1" PORTFWIP="192.168.1.13" From the internet, if I type in http://xxx.xxx.xxx.xxx:81 it
works.
When use a computer on my LAN and type in http://192.168.1.13:81 it works.
However, when i type in from a computer on my LAN:
http://xxx.xxx.xxx.xxx:81 it does
not.
Any ideas? Thanks in advance.
Mike
###############################################################################
#
# rc.firewall-2.4-stronger # FWVER=0.74s-4
echo -e "\nLoading STRONGER rc.firewall - version
$FWVER..\n"
IPTABLES=/sbin/iptables LSMOD=/sbin/lsmod DEPMOD=/sbin/depmod INSMOD=/sbin/insmod GREP=/bin/grep AWK=/bin/awk SED=/bin/sed IFCONFIG=/sbin/ifconfig EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" echo " ---" # For users who wish to use STATIC IP addresses: EXTIP="xxx.xxx.xxx.xxx"
echo " External IP: $EXTIP" echo " ---" # Assign the internal TCP/IP network and IP address INTNET="192.168.1.0/24" INTIP="192.168.1.1" echo " Internal Network: $INTNET" echo " Internal IP: $INTIP" echo " ---" UNIVERSE="0/0"
echo " - Verifying that all kernel modules are ok" $DEPMOD -a echo -en " Loading kernel modules: "
#Load the main body of the IPTABLES module - "ip_tables" # - Loaded automatically when the "iptables" command is invoked # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_tables, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then $INSMOD ip_tables fi #Load the IPTABLES filtering module - "iptable_filter" # # - Loaded automatically when filter policies are activated #Load the stateful connection tracking framework - "ip_conntrack" # # The conntrack module in itself does nothing without other specific # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" # module # # - This module is loaded automatically when MASQ functionality is # enabled # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_conntrack, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then $INSMOD ip_conntrack fi #Load the FTP tracking mechanism for full FTP tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -e "ip_conntrack_ftp, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then $INSMOD ip_conntrack_ftp fi #Load the IRC tracking mechanism for full IRC tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en " ip_conntrack_irc, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then $INSMOD ip_conntrack_irc fi #Load the general IPTABLES NAT code - "iptable_nat" # - Loaded automatically when MASQ functionality is turned on # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "iptable_nat, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then $INSMOD iptable_nat fi #Loads the FTP NAT functionality into the core IPTABLES code # Required to support non-PASV FTP. # # Enabled by default -- insert a "#" on the next line to deactivate # echo -e "ip_nat_ftp" # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then $INSMOD ip_nat_ftp fi echo " ---"
#Clearing any previous configuration echo " Clearing any existing rules and setting default policy to
DROP.."
$IPTABLES -P INPUT DROP $IPTABLES -F INPUT $IPTABLES -P OUTPUT DROP $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -F -t nat #Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle #CRITICAL: Enable IP forwarding since it is disabled by default
since
# # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward # Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then $IPTABLES -F drop-and-log-it fi # Delete all User-specified chains $IPTABLES -X # Reset all IPTABLES counters $IPTABLES -Z #Configuring specific CHAINS for later use in the ruleset # # NOTE: Some users prefer to have their firewall silently # "DROP" packets while others prefer to use "REJECT" # to send ICMP error messages back to the remote # machine. The default is "REJECT" but feel free to # change this below. # # NOTE: Without the --log-level set to "info", every single # firewall hit will goto ALL vtys. This is a very big # pain. # echo " Creating a DROP chain.." $IPTABLES -N drop-and-log-it $IPTABLES -A drop-and-log-it -j LOG --log-level info $IPTABLES -A drop-and-log-it -j DROP echo -e "\n - Loading INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are # already flushed and set to a default policy of DROP. # # loopback interfaces are valid.
# $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # local interface, local machines, going anywhere is valid # $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT # remote interface, claiming to be local machines, IP spoofing, get lost # $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it # external interface, from any source, for ICMP traffic is valid # # If you would like your machine to "ping" from the Internet, # enable this next line # #$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT # remote interface, any source, going to permanent PPP address is valid # #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT # Allow any related traffic coming back to the MASQ server in # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \ ESTABLISHED,RELATED -j ACCEPT # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server # $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT ## FTP # Allow ftp inbound: $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state
NEW,ESTABLISHED -j ACCEPT
#
# Now for the connection tracking part of ftp. This is discussed more completely in my section # on connection tracking to be found here. # HTTPd - Enable the following lines if you run an EXTERNAL WWW server # echo -e " - Allowing EXTERNAL access to the WWW server" $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \ -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT # Catch all rule, all other incoming is denied and logged. # $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it echo -e " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are # already flushed and set to a default policy of DROP. # # loopback interface is valid.
# $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # local interfaces, any source going to local net is valid # $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT # local interface, any source going to local net is valid # $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT # outgoing to local net on remote interface, stuffed routing, deny # $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it # anything else outgoing on remote interface is valid # $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT # DHCPd - Enable the following lines if you run an INTERNAL DHCPd
server
# - Remove BOTH #s all the #s if you need this functionality. # $IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \ -d 255.255.255.255 --dport 68 -j ACCEPT $IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \ -d 255.255.255.255 --dport 68 -j ACCEPT # Catch all rule, all other outgoing is denied and logged.
# $IPTABLES -A OUTPUT -s ! $EXTIP -d $UNIVERSE -j drop-and-log-it echo -e " - Loading FORWARD rulesets" #######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ # echo "Enabling PORTFW Redirection on the external LAN.."
# This will forward ALL port 81 traffic from the external IP address
# to port 81 on the 192.168.1.13 machine # # Be SURE that when you add these new rules to your rc.firewall, you # add them before a direct or implemented drop or reject PORTFWIP="192.168.1.13"
# Allow forwarding of new and existing port 81 connections
# $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 81 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
# Enable PORTFW of this port 81 traffic
# $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 81 -j DNAT --to
$PORTFWIP:81
echo " - FWD: Allow all connections OUT and only
existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \ -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT # Catch all rule, all other forwarding is denied and logged.
# $IPTABLES -A FORWARD -j drop-and-log-it echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF" # #More liberal form #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE # #Stricter form $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP ####################################################################### echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n" |