> Shaun Landau wrote:
>
> I have a simple network consisting of a Linux machine attached to the
> internet and acting as a firewall for a second machine with a web
> server. The firewall machine has two NICs, the first of which is
> connected to the internet (DHCP) and the second is connected to the
> LAN as 192.168.1.1. The web server machine on the LAN has a single NIC
> as 192.168.1.2.
>
> I am attempting to have port 80 internet traffic coming to the
> firewall machine routed to port 80 of 192.168.1.2, using DNAT. My
> firewall script is below (the DNAT rule is near the end of the
> script). It is not letting any port 80 traffic through at all from the
> internet. What's up with that?!
1. Are you sure your ISP is allowing incoming port 80 connections?

2. You ACCEPT the packets on your input chain first (meaning they go to
   the local box, and are routed per the routing table) and THEN you do
   DNAT. By the time you reach DNAT, all the port 80 bound packets have
   already been ACCEPTed by the INPUT chain. Put the DNAT rules first
   (remember the ASCII art flow chart? prerouting, then input).

--Yan

>
>
>
> #!/bin/sh
> #
>
> FWVER=0.70s
> echo -e "\nLoading rc.firewall - version $FWVER..\n"
>
> #Setting the EXTERNAL and INTERNAL interfaces for the network
> EXTIF="eth1"
> INTIF="eth0"
>
> # Determine the external IP automatically:
> EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
>
> # For STATIC IP addresses:
> # EXTIP="your.static.PPP.address"
>
> # Assign the internal TCP/IP network and IP address
> INTNET="192.168.1.0/24"
> INTIP="192.168.1.1/24"
>
> IPTABLES=/sbin/iptables
> LSMOD=/sbin/lsmod
> GREP=/bin/grep
> AWK=/bin/awk
>
> UNIVERSE="0.0.0.0/0"
>
> echo "Enabling forwarding ..."
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
>
> # If you get your IP address dynamically from SLIP, PPP, or DHCP,
> # enable the following option.  This enables dynamic-address hacking
> # which makes the life with Diald and similar programs much easier.
> echo "Enabling DynamicAddr ..."
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
>
> echo "Clearing any existing rules and setting default policy to DROP ..."
> $IPTABLES -P INPUT DROP
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -F -t nat
>
> # Flush the user chain.. if it exists
> if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
>   $IPTABLES -F drop-and-log-it
> fi
>
> # Delete all User-specified chains
> $IPTABLES -X
>
> # Reset all IPTABLES counters
> $IPTABLES -Z
>
> echo "Creating a DROP chain.."
> $IPTABLES -N drop-and-log-it
> $IPTABLES -A drop-and-log-it -j LOG --log-level info
> $IPTABLES -A drop-and-log-it -j DROP
>
>
> echo -e "Loading INPUT rulesets"
>
>
> # loopback interfaces are valid.
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
>
> # local interface, local machines, going anywhere is valid
> $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
>
> # remote interface, claiming to be local machines, IP spoofing, get lost
> $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
>
> # Allow any related traffic coming back to the MASQ server in
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
>   ESTABLISHED,RELATED -j ACCEPT
>
>
> ######### OPEN PORTS TO ALLOW ACCESS FROM THE INTERNET ############
> ########################################################################
>
> #echo -e "Allowing EXTERNAL access to the WWW server on port 80"
> #$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
>
> #echo -e "Allowing EXTERNAL access to the WWW server on port 83"
> #$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 83 -j ACCEPT
>
> #echo -e "Allowing EXTERNAL access to the POP server on port 110"
> #$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 110 -j ACCEPT
>
> #echo -e "Allowing EXTERNAL access to the SMTP server on port 25"
> #$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 25 -j ACCEPT
>
> ########################################################################
> ########################################################################
>
>
>
> # Catch all rule, all other incoming is denied and logged.
> $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
>
>
> echo -e "Loading OUTPUT rulesets"
>
> # loopback interface is valid.
> $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
>
> # local interfaces, any source going to local net is valid
> $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
>
> # local interface, any source going to local net is valid
> $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
>
> # outgoing to local net on remote interface, stuffed routing, deny
> $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
>
> # anything else outgoing on remote interface is valid
> $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
>
> # Catch all rule, all other outgoing is denied and logged.
> $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
>
>
> echo -e "Loading FORWARD rulesets"
>
> echo "FWD: Allow all connections OUT and only existing/related IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
>
> # Catch all rule, all other forwarding is denied and logged.
> $IPTABLES -A FORWARD -j drop-and-log-it
>
> echo "DNAT: Enabling DNAT for internal web server"
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.1.2:80
>
> echo "NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
>
> echo -e "\nrc.firewall-2.4 $FWVER done.\n"

--
Daddy, did all the hair that fell off your head stick to your arms?
    Akari, age 4
 5:45am  up 1 day, 15:28,  6 users
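Yan's reply points at the netfilter packet path (the ASCII-art flow chart: nat PREROUTING, then the routing decision, then filter INPUT or FORWARD). The following is an added example, not code from the thread or from either poster: a small Python model of that path loaded with the posted INPUT, FORWARD and nat PREROUTING rules, which traces a new inbound connection to port 80 and reports which chain and rule decide its fate. Everything beyond the script's own names is assumed for the model: a constructed documentation address 203.0.113.10 standing in for the DHCP-assigned EXTIP, a constructed source address 198.51.100.7, a routing table with 192.168.1.0/24 reached via eth0 and everything else via eth1, and matching limited to the flags the script actually uses (-i, -o, -p, --dport, -s, -d, -m state --state).

```python
import ipaddress

# Names from the posted script; EXTIP is a constructed documentation address
# standing in for the firewall's DHCP-assigned external IP.
EXTIF, INTIF, EXTIP, INTIP = "eth1", "eth0", "203.0.113.10", "192.168.1.1"
INTNET, WEBSERVER = "192.168.1.0/24", "192.168.1.2"


def matches(rule, pkt):
    """Match one rule against a packet; the keys mirror the iptables flags the script uses."""
    for key, want in rule.items():
        if key in ("-j", "--to"):          # target and DNAT destination are not match criteria
            continue
        have = pkt[key]
        if key in ("-s", "-d"):
            ok = ipaddress.ip_address(have) in ipaddress.ip_network(want)
        elif key == "--state":
            ok = have in want
        else:
            ok = have == want
        if not ok:
            return False
    return True


def route(dst):
    """Assumed routing table: the firewall's own addresses are local, INTNET via eth0, else eth1."""
    if dst in (EXTIP, INTIP):
        return "local"
    return INTIF if ipaddress.ip_address(dst) in ipaddress.ip_network(INTNET) else EXTIF


def walk(chains, policies, chain, pkt, trace):
    """First terminating match wins; a user chain RETURNs to its caller if nothing matched."""
    for i, rule in enumerate(chains.get(chain, [])):
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        if target == "LOG":                # non-terminating: log and keep walking the chain
            trace.append(f"{chain}#{i + 1} -> LOG")
            continue
        if target in ("ACCEPT", "DROP"):
            trace.append(f"{chain}#{i + 1} -> {target}")
            return target
        trace.append(f"{chain}#{i + 1} -> jump {target}")
        verdict = walk(chains, policies, target, pkt, trace)
        if verdict != "RETURN":
            return verdict
    verdict = policies.get(chain, "RETURN")
    trace.append(f"{chain} end of chain -> {verdict}")
    return verdict


def traverse(ruleset, pkt):
    """Inbound path: nat PREROUTING, then the routing decision, then filter INPUT or FORWARD."""
    chains, policies = ruleset
    pkt, trace = dict(pkt), []
    if pkt["--state"] == "NEW":            # the nat table sees only a connection's first packet
        for i, rule in enumerate(chains.get("nat:PREROUTING", [])):
            if rule["-j"] == "DNAT" and matches(rule, pkt):
                ip, port = rule["--to"].split(":")
                pkt.update({"-d": ip, "--dport": int(port)})
                trace.append(f"nat:PREROUTING#{i + 1} -> DNAT to {rule['--to']}")
                break
    hop = route(pkt["-d"])
    if hop == "local":
        trace.append("routing decision -> local delivery, filter INPUT")
        return walk(chains, policies, "INPUT", pkt, trace), trace
    pkt["-o"] = hop
    trace.append(f"routing decision -> forward via {hop}, filter FORWARD")
    return walk(chains, policies, "FORWARD", pkt, trace), trace


def posted_rules():
    """INPUT, FORWARD and nat PREROUTING as the posted rc.firewall loads them (OUTPUT omitted)."""
    est = ("ESTABLISHED", "RELATED")
    chains = {
        "drop-and-log-it": [{"-j": "LOG"}, {"-j": "DROP"}],
        "INPUT": [{"-i": "lo", "-j": "ACCEPT"},
                  {"-i": INTIF, "-s": INTNET, "-j": "ACCEPT"},
                  {"-i": EXTIF, "-s": INTNET, "-j": "drop-and-log-it"},
                  {"-i": EXTIF, "-d": EXTIP, "--state": est, "-j": "ACCEPT"},
                  {"-j": "drop-and-log-it"}],
        "FORWARD": [{"-i": EXTIF, "-o": INTIF, "--state": est, "-j": "ACCEPT"},
                    {"-i": INTIF, "-o": EXTIF, "-j": "ACCEPT"},
                    {"-j": "drop-and-log-it"}],
        "nat:PREROUTING": [{"-i": EXTIF, "-p": "tcp", "--dport": 80, "-j": "DNAT", "--to": f"{WEBSERVER}:80"}],
    }
    return chains, {"INPUT": "DROP", "FORWARD": "DROP"}


def with_forward_accept():
    """Posted rules plus a FORWARD accept for NEW connections to the DNAT'd web server,
    inserted ahead of the catch-all (assumed fix, not from the thread)."""
    chains, policies = posted_rules()
    chains["FORWARD"].insert(2, {"-i": EXTIF, "-o": INTIF, "-p": "tcp", "-d": WEBSERVER,
                                 "--dport": 80, "--state": ("NEW",), "-j": "ACCEPT"})
    return chains, policies


# Constructed sample: a new TCP SYN from an internet host to the firewall's external IP, port 80.
INBOUND_SYN = {"-i": EXTIF, "-o": None, "-p": "tcp", "-s": "198.51.100.7",
               "-d": EXTIP, "--dport": 80, "--state": "NEW"}

if __name__ == "__main__":
    for label, rules in (("posted script", posted_rules()), ("with FORWARD accept", with_forward_accept())):
        verdict, trace = traverse(rules, INBOUND_SYN)
        print(f"{label}: {verdict}\n    " + "\n    ".join(trace))
```

Run stand-alone it prints two traces. Under the posted rules the DNAT in nat PREROUTING rewrites the SYN to 192.168.1.2:80 before any filter chain runs, the routing decision sends it toward eth0, and it reaches FORWARD, where the only eth1-to-eth0 accept is for ESTABLISHED,RELATED, so the catch-all jump to drop-and-log-it logs and drops it. The second ruleset adds a NEW-state accept for the web server ahead of that catch-all and the same packet is accepted. The model evaluates chains in the order the kernel consults them, independent of the order in which a script appends rules, so it is also a quick way to check a ruleset against the flow chart before loading it on a live box.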