Hello,
 
I'm trying to set up port forwarding in IPTABLES and so far it's working great from the internet, but when I attempt from my internal LAN using the External IP address, it fails.
 
EXTIF="eth0"
INTIF="eth1"
EXTIP="xxx.xxx.xxx.xxx"
INTNET="192.168.1.0/24"
INTIP="192.168.1.1"
PORTFWIP="192.168.1.13"

 
From the internet, if I type in http://xxx.xxx.xxx.xxx:81 it works.
 
When use a computer on my LAN and type in http://192.168.1.13:81 it works.
 
However, when i type in from a computer on my LAN: http://xxx.xxx.xxx.xxx:81 it does not.
 
Any ideas? Thanks in advance.
 
Mike
 
 
 
###############################################################################
 
 
 
#
# rc.firewall-2.4-stronger
#
 
FWVER=0.74s-4
 
echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
 

IPTABLES=/sbin/iptables
 

LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
 

EXTIF="eth0"
INTIF="eth1"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"
 

# For users who wish to use STATIC IP addresses:
 
EXTIP="xxx.xxx.xxx.xxx"
echo "  External IP: $EXTIP"
echo "  ---"
 

# Assign the internal TCP/IP network and IP address
INTNET="192.168.1.0/24"
INTIP="192.168.1.1"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  ---"
 
 
 
 
 
UNIVERSE="0/0"
 

echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a
 
echo -en "    Loading kernel modules: "
 

#Load the main body of the IPTABLES module - "ip_tables"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
   $INSMOD ip_tables
fi
 

#Load the IPTABLES filtering module - "iptable_filter"
#
#  - Loaded automatically when filter policies are activated
 

#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is
#    enabled
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
   $INSMOD ip_conntrack
fi
 

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_conntrack_ftp, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
   $INSMOD ip_conntrack_ftp
fi
 

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "                             ip_conntrack_irc, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
   $INSMOD ip_conntrack_irc
fi
 

#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
   $INSMOD iptable_nat
fi
 

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
   $INSMOD ip_nat_ftp
fi
 
echo "  ---"
 
 
 
 
 
 
 

#Clearing any previous configuration
 
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP 
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP 
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
 
#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle
 
 
 
#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
 
 
 
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
 

# Delete all User-specified chains
$IPTABLES -X
 

# Reset all IPTABLES counters
$IPTABLES -Z
 

#Configuring specific CHAINS for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will goto ALL vtys.  This is a very big
#       pain.
#
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP
 
echo -e "\n   - Loading INPUT rulesets"
 
 
 
#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#
 
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
 

# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
 

# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
 

# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet,
#  enable this next line
#
#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
 

# remote interface, any source, going to permanent PPP address is valid
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
 

# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT
 

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
 

## FTP
# Allow ftp inbound:
 
$IPTABLES -A INPUT  -i $EXTIF -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 
#
# Now for the connection tracking part of ftp. This is discussed more completely in my section
# on connection tracking to be found here.
 

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
echo -e "      - Allowing EXTERNAL access to the WWW server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
 
 
 

# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
 
 
 
echo -e "   - Loading OUTPUT rulesets"
 
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#
 
# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
 

# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
 

# local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
 

# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
 

# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
 
 
 
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#         - Remove BOTH #s all the #s if you need this functionality.
#
$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
 -d 255.255.255.255 --dport 68 -j ACCEPT
 
 
 
# Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -s ! $EXTIP -d $UNIVERSE -j drop-and-log-it
 
 
 

echo -e "   - Loading FORWARD rulesets"
 
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
 
echo "Enabling PORTFW Redirection on the external LAN.."
 
# This will forward ALL port 81 traffic from the external IP address
# to port 81 on the 192.168.1.13 machine
#
# Be SURE that when you add these new rules to your rc.firewall, you
# add them before a direct or implemented drop or reject
 
PORTFWIP="192.168.1.13"
 
# Allow forwarding of new and existing port 81 connections
#
 
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 81 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
# Enable PORTFW of this port 81 traffic
#
 
$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 81 -j DNAT --to $PORTFWIP:81
 
echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
 
# Catch all rule, all other forwarding is denied and logged.
#
$IPTABLES -A FORWARD -j drop-and-log-it
 

echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
 

#######################################################################
echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
 
 
 
 
 
 
 

Reply via email to