Hi Stu,
 
Used your script and only your script, and yet I still can't port forward. Could there be a problem with my routing tables or something else?
 
Also, could you explain how the packet actually traverses the policies and rules? I have documentation on this and I thought I understood it, but when configuring iptables it proves otherwise, or I just don't understand...
 
Thanks in advance
 
E
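The traversal order Eugene asks about, and a complete port-forwarding ruleset built in that order, as an added example that is not part of this thread and is not either poster's script. It keeps the thread's eth0 (external) / eth1 (internal) layout; every address is a made-up placeholder (RFC 5737 and RFC 1918 ranges) exposed as an overridable variable. The script only touches the kernel when run with `apply`; `dry-run` substitutes `echo` for `iptables` so the rules and their order can be read, and checked, without root. The two helper functions at the end exist only for that dry-run inspection.

```shell
#!/bin/sh
# Added example (not from the thread): a complete port-forwarding ruleset
# annotated with the netfilter hook each rule is consulted at. Addresses
# below are made-up placeholders; override them from the environment.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"                     # external interface, as in the thread
INTIF="${INTIF:-eth1}"                     # internal interface, as in the thread
EXTIP="${EXTIP:-203.0.113.10}"             # assumed public address (RFC 5737)
INTNET="${INTNET:-192.168.1.0/24}"         # assumed LAN (RFC 1918)
WEBSERVER="${WEBSERVER:-192.168.1.10}"     # assumed
MAILSERVER="${MAILSERVER:-192.168.1.20}"   # assumed

# A packet from the Internet to EXTIP:80 meets these hooks, in this order:
#   1. nat PREROUTING    first packet of a connection only; DNAT rewrites the
#                        destination to WEBSERVER:80
#   2. routing decision  the destination is now another host, so the packet is
#                        forwarded (requires ip_forward=1) instead of going to INPUT
#   3. filter FORWARD    every packet of the connection; the rule has to match the
#                        rewritten destination (WEBSERVER), not EXTIP
#   4. nat POSTROUTING   MASQUERADE is limited to packets leaving EXTIF, so the
#                        server still sees the real client address
# Replies are un-NATted by conntrack and need only an ESTABLISHED,RELATED rule
# in FORWARD, nothing in the nat table. Within one chain the first matching
# rule wins, so DROP rules go before the ACCEPTs they are meant to guard.

set_sysctl() {
    # In dry-run mode print the intended write instead of touching /proc
    if [ "$IPTABLES" = "echo" ]; then
        echo "echo $2 > /proc/sys/net/ipv4/$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

build_ruleset() {
    set_sysctl ip_forward 1            # without this, step 2 never forwards
    set_sysctl conf/all/rp_filter 1    # kernel-side reverse-path check

    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP            # unlisted traffic is refused, not accepted
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN source addresses must never arrive on the external interface;
    # these DROPs come before any ACCEPT in the same chains
    $IPTABLES -A INPUT   -i "$EXTIF" -s "$INTNET" -j DROP
    $IPTABLES -A FORWARD -i "$EXTIF" -s "$INTNET" -j DROP

    # Step 1: published services. Matching on -i EXTIF keeps these apart from a
    # transparent-proxy REDIRECT on INTIF, which would live in the same chain.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" --dport 80 \
        -j DNAT --to-destination "$WEBSERVER"
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" --dport 25 \
        -j DNAT --to-destination "$MAILSERVER"

    # Step 3: FORWARD sees the post-DNAT destination
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$WEBSERVER" --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$MAILSERVER" --dport 25 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # LAN to Internet, plus the return half of every allowed connection
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Step 4: rewrite the source of outbound LAN traffic only
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
}

# Dry-run helpers: count the emitted rules matching a pattern, and report the
# line position of the first match, to confirm DROPs precede the ACCEPTs.
count_rules()   { (IPTABLES=echo; build_ruleset) | grep -c -e "$1"; }
rule_position() { (IPTABLES=echo; build_ruleset) | grep -n -e "$1" | head -n 1 | cut -d: -f1; }

case "${1:-}" in
    apply)   build_ruleset ;;
    dry-run) IPTABLES=echo; build_ruleset ;;
    *)       : ;;   # no mode given: only define the functions above
esac
```

Run `sh firewall.sh dry-run` and read the output top to bottom; a rule that names EXTIP in FORWARD, or an anti-spoofing DROP that appears after an ACCEPT, is the kind of ordering mistake that makes "the rules look right but nothing gets forwarded".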
-----Original Message-----
From: Stewart Thompson [mailto:[EMAIL PROTECTED]]
Sent: 14 May 2002 08:23 PM
To: Eugene Joubert; [EMAIL PROTECTED]
Subject: RE: Iptables port forwarding

Eugene:

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport 80 -j DNAT --to $WEBSERVER

$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -m state --state NEW,ESTABLISHED,RELATED \
    -d $WEBSERVER --dport 80 -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport 25 -j DNAT --to $MAILSERVER

$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -m state --state NEW,ESTABLISHED,RELATED \
    -d $MAILSERVER --dport 25 -j ACCEPT

You have rules below that are going to conflict with port 25. You also need a rule to allow traffic outbound from the internal LAN as well.

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

Hope that helps.

Stu...........


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Eugene Joubert
Sent: May 14, 2002 1:34 AM
To: '[EMAIL PROTECTED]'
Subject: Iptables port forwarding

 

Hi,

I am still new to iptables and have a problem doing port forwarding from external to internal.
My scenario is as follows:

I want to port forward any traffic on ports 80 and 25 to their respective servers behind the firewall.

I used this:
PS: I have omitted my IP addresses for obvious reasons.
Hope you can help.

#!/bin/sh

#/usr/sbin/firewall.sh

###Loading Iptables###
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

###Flushing###
iptables -F
iptables -t nat -F
iptables -X
iptables -Z

###Default policies###
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

###Reverse-path filtering: drop packets whose source address is not routable back via the interface they arrived on###
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
###Keep masqueraded connections working when a dynamic external address changes###
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###Enable NAT/MASQUERADING and IPforwarding###
iptables -t nat -A POSTROUTING -s intip -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

###Disable response to ping### (working)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

###Transparent proxy###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128

###Disable ICMP redirect acceptance###
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

###Disable response to broadcasts###
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

###Don't accept source routed packets###
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

###Enable bad error message protection###
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

###Log spoofed packets, source routed packets, redirect packets###
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

###INPUT Policies###
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 79 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 79 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 23 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 23 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 22 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 22 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 21 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 21 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 20 -j DROP

###Block e-mail password sender###
iptables -A OUTPUT -p udp -o eth0 -s 0/0 --dport 25 -j DROP
iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 25 -j DROP

###Deny spoofed IPs (internal source addresses arriving on the external interface)###
iptables -A INPUT -i eth0 -s intip -j DROP

###Port Forwarding###
iptables -t nat -A PREROUTING -p tcp -d extip --dport 25 -j DNAT --to intip:port
iptables -A FORWARD -i eth0 -p tcp -d intip --dport 25 -j ACCEPT

###Allow all connections on the loopback device###
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
