On Sun, Jun 02, 2002 at 09:58:14PM -0500, Matthew Hellman wrote:
>George,
>The general rule for ip/port forwarding to an internal machine is simple. You
>have one PREROUTING rule that changes the destination address/port. You
>then have one FORWARD rule that allows the packets to be forwarded (because
>you are, or should be, by default dropping everything in the FORWARD chain).
Yes, drop is my default policy for forward and input. Thanks for the succinct
explanation of how input and nat work together! I think I knew, but didn't
understand.

>
>> iptables -t nat -A PREROUTING -p tcp -s $EXT_host04 -j DNAT --to-destination $LAN_host04
>
>This is the major problem. If you're connecting from a host on the Internet
>the source address is not going to be your firewall. Change this line to:
>iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination $LAN_host04

How's this? ($EXT_host04 is just an alias, and there will be more)

iptables -t nat -A PREROUTING -p tcp -d $EXT_host04 -j DNAT --to-destination $LAN_host04

>
>I would consider tightening up your forward rules as well:
>

Done.

>Also, what is UDP port 22 for? Is your firewall running all the same
>services as $LAN_host04? You are allowing the same access to it.

Well, I don't know that openssh uses it, but since 22/udp is in /etc/services I
thought it might be implemented in some circumstance... All the boxes are
secured, so I'm not too worried about letting in ports now, just trying to
manage a smooth production migration (the $LAN_host04 functions will split to
other machines; I just want a sound firewall script now, before it gets long).

The firewall is actually running dns and smtp now too. Once I get all the
services packaged, portable and on $LAN_host04, I'm going to use an old box for
the firewall (with LEAF) and turn the firewall into a LAN server. The setup
should (hopefully) scale to additional Internet IPs and LAN computers well;
someday we may even set up a DMZ :)

This seems to be doing the job :-} I added another nat rule, does it look okay?
LANIF=eth0
EXTIF=eth1
TCP_OPEN="22,25,53,80"
UDP_OPEN="53"
LAN_host04=192.168.xx.xx
EXT_host04=xx.xx.xx.xx

# INPUT: traffic addressed to the firewall itself
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp -m multiport --dport $TCP_OPEN -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW -p udp -m multiport --dport $UDP_OPEN -j ACCEPT
iptables -A INPUT -i $LANIF -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT-DROP "
iptables -A INPUT -j REJECT

# nat PREROUTING: rewrite the public address to the LAN host
iptables -t nat -A PREROUTING -d $EXT_host04 -j DNAT --to-destination $LAN_host04

# FORWARD: only the listed ports reach the LAN host
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $LANIF -d $LAN_host04 -p tcp -m multiport --dport $TCP_OPEN -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $LANIF -d $LAN_host04 -p udp -m multiport --dport $UDP_OPEN -m state --state NEW -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FORWARD-DROP "

# nat POSTROUTING: replies from the LAN host leave with the public address
iptables -t nat -A POSTROUTING -s $LAN_host04 -j SNAT --to-source $EXT_host04
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

iptables -P OUTPUT ACCEPT

Thanks again,
// George

-- 
GEORGE GEORGALIS, System Admin/Architect   cell: 347-451-8229
Security Services, Web, Mail,              mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.           http://www.galis.org/george
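The "one PREROUTING rule plus one FORWARD rule per forwarded service" pattern from Matthew's reply, as an added example that is not George's script or anything from the thread. It builds the pair from the same variables the script uses, but narrows the DNAT to the protocol and port list as well as the public address, so the nat table never rewrites traffic the FORWARD chain is going to drop anyway. The interface names and the two addresses are constructed placeholders; the `IPTABLES` variable defaults to `echo iptables` so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the original mail. Emits a matched DNAT/FORWARD
# pair per service so every opening in the nat table has exactly one
# corresponding accept in the filter table.
# Interface names and addresses are constructed placeholders.

EXTIF=eth1
LANIF=eth0
EXT_host04=203.0.113.4      # constructed documentation address
LAN_host04=192.168.1.4      # constructed private address

# Dry run by default; set IPTABLES=iptables to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# forward_service PROTO PORTS
# One PREROUTING DNAT and one FORWARD ACCEPT, both limited to the public
# address, the protocol and the port list, and both tied to the external
# interface so LAN-side traffic to the public address is not touched.
forward_service() {
    proto=$1
    ports=$2
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -d "$EXT_host04" -p "$proto" \
        -m multiport --dport "$ports" -j DNAT --to-destination "$LAN_host04"
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$LANIF" -d "$LAN_host04" -p "$proto" \
        -m multiport --dport "$ports" -m state --state NEW -j ACCEPT
}

# lan_outbound
# Lets LAN hosts open new connections outward; with a DROP policy on FORWARD
# the POSTROUTING MASQUERADE rule sees no traffic without this.
lan_outbound() {
    $IPTABLES -A FORWARD -i "$LANIF" -o "$EXTIF" -m state --state NEW -j ACCEPT
}

# count_rules PROTO PORTS
# Number of rule lines forward_service emits in dry-run mode; should always
# be 2 (one DNAT, one FORWARD), which is the invariant the thread describes.
count_rules() {
    forward_service "$1" "$2" | grep -c '^iptables'
}

base_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

base_rules
forward_service tcp 22,25,53,80
forward_service udp 53
lan_outbound
$IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD-DROP "
$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
```

Run it as-is to review the generated rule set, then with `IPTABLES=iptables` once the output looks right. Note that George's script above has no FORWARD rule for connections the LAN side opens toward the Internet, so under its DROP policy the trailing MASQUERADE rule only matters for traffic that some other accept rule lets through; `lan_outbound` here is what supplies that accept.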
