yes, excuse me :) the rules in use now are these:
but my problem still exists :( sigh!
 
*nat
:PREROUTING ACCEPT [4071:405533]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [329:37900]
-A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 5800 -j DNAT --to-destination 10.0.0.2:5800
-A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.2:5900
-A POSTROUTING -j SNAT --to-source 10.0.0.5

 
----- Original Message -----
From: EtherMage
Sent: Thursday, February 21, 2002 5:36 PM
Subject: Re: iptables hard problem [help please]

> Hello,
> I have made a firewall with iptables; all works except the ftp site.
> If I try to connect to an ftp server on the Internet I receive a timeout error!!  Also programs like GETRIGHT do not work.
>
> *nat
> :PREROUTING ACCEPT [4071:405533]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [329:37900]
> -A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
> -A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 5800 -j DNAT --to-destination 10.0.0.2:5800
> -A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.2:5900
> -A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 40 -j DNAT --to-destination 10.0.0.2:40
> -A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
> -A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
> -A POSTROUTING -j SNAT --to-source 10.0.0.5
> -A POSTROUTING -j SNAT --to-source 10.0.0.254
Okay, you've got a lot here that's really odd, to say the least...I'm surprised this setup works at all.  For one, there are three identical rules here...at least remove two of them, extra ones don't do anything.  For another, you are SNATting _every_ _single_ _connection_ touching the firewall - this is really, really excessive and is probably causing problems.  You only want to SNAT _outgoing_ connections from the LAN, so use -s $INTERNAL_NETWORK and -o $EXTIP clauses in your rules - you'll need to put in real values if you use iptables-save, I guess.  You'll also have to decide which IP address you want to NAT the source to, since you can't do both - as things are, it stops after the first rule every time.

> *filter
> :INPUT ACCEPT [16194:3057582]
> :FORWARD ACCEPT [2296:908297]
> :OUTPUT ACCEPT [12362:2921702]
> :tcp_packets - [0:0]
> -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
> -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
Why this line?  You're accepting everything by this time anyway, so it doesn't do anything.  It would only be useful if you set a DROP policy for the chain.
 
-EtherMage
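As an added example (not from either poster), a small Python lint that flags in an iptables-save dump exactly the things EtherMage points out above: identical rules, SNAT with no -s/-o match, a second SNAT that can never be reached, and an ACCEPT rule that is a no-op under an ACCEPT policy. The sample dump is constructed from the quoted rules.

```python
from collections import Counter

# Constructed iptables-save sample, condensed from the ruleset quoted in the thread.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [4071:405533]
-A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A POSTROUTING -j SNAT --to-source 10.0.0.5
-A POSTROUTING -j SNAT --to-source 10.0.0.254
*filter
:INPUT ACCEPT [16194:3057582]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

def parse_dump(text):
    """Return {table: (policies, rules)}; each rule is (chain, tokens, jump_target)."""
    tables, table = {}, "?"
    for line in text.splitlines():
        if line.startswith("*"):                 # table header, e.g. *nat
            table = line[1:]
            continue
        policies, rules = tables.setdefault(table, ({}, []))
        if line.startswith(":"):                 # chain policy, e.g. :INPUT ACCEPT [..]
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):             # rule appended to a chain
            toks = line.split()
            rules.append((toks[1], toks[2:], toks[toks.index("-j") + 1] if "-j" in toks else None))
    return tables

def lint(text):
    out = []  # one human-readable finding per problem
    for table, (policies, rules) in parse_dump(text).items():
        # Identical rules: the extra copies can never match anything the first did not.
        for (chain, toks), n in Counter((c, tuple(t)) for c, t, _ in rules).items():
            if n > 1:
                out.append(f"{table}/{chain}: rule repeated {n} times: {' '.join(toks)}")
        snats = 0
        for i, (chain, toks, tgt) in enumerate(rules):
            if tgt == "SNAT" and not {"-s", "-o"} & set(toks):
                snats += 1  # with no -s/-o match every connection is rewritten; a 2nd one is dead
                out.append(f"{table}/{chain}: SNAT with no -s/-o match rewrites every connection"
                           + (" and is never reached" if snats > 1 else ""))
            # ACCEPT is a no-op when the policy is ACCEPT and no later rule in the chain could drop.
            later = [t for c, _, t in rules[i + 1:] if c == chain]
            if tgt == "ACCEPT" and policies.get(chain) == "ACCEPT" and all(t in (None, "ACCEPT") for t in later):
                out.append(f"{table}/{chain}: ACCEPT rule is redundant under ACCEPT policy")
    return out
```

Running `lint(SAMPLE_DUMP)` reports four findings; the same ESTABLISHED ACCEPT rule under an INPUT DROP policy, as EtherMage suggests, is not flagged.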
 
