Iptables & Port Forwarding
Piix4
06-26-2002, 04:13 PM
Ok guys, I have firewalling and NAT set up and it is working fine, but I am having difficulties in making port forwarding work correctly.
Here is an example of what my nat/firewall rules are like
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 42 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 42 -m state --state NEW,ESTABLISHED -j ACCEPT
#And so on for ports I want to enable
#later on
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j ACCEPT
#and
iptables -A INPUT -p tcp -s ! 10.0.0.0/24 -m state --state NEW -j LOG
iptables -A INPUT -p tcp -s ! 10.0.0.0/24 -m state --state NEW -j DROP
#Now there are two nics eth0 and eth1.
eth0 10.0.0.1 - actual network
eth1 192.168.0.1 - crossover cable to 192.168.0.2
So here I have two networks. What I need is for `telnet 192.168.0.1 25` to be forwarded to 10.0.0.2, but for some reason this is not forwarding the SMTP port the way it's supposed to. Can someone give me a pointer here?
#this is inserted before the masquerading, but doesn't work
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 10.0.0.2:25
iptables -A FORWARD -o all -p tcp --dport 25 -j ACCEPT
[typo] :D
[ 26 June 2002: Message edited by: Piix4 ]
Piix4
06-27-2002, 11:33 AM
It's ok, I think I might have sorted her out... careful with the cat.
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local setup commands in here:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Enabling Network Address Translation and Firewall rules resistance is futile!"
# flush both tables; flushing only filter leaves the nat rules below to be appended twice if this script is re-run
iptables -F
iptables -t nat -F
##nuke that syn flood
iptables -N syn-flood
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#nuke any tcp connection that is not a syn
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp ! --syn -m state --state NEW -j DROP
#samba: are you in the KBS domain? If not, get lost, you can't have netbios
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 139 -m state --state NEW -j DROP
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 139 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
#http
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#ftp
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#irc
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 194 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 194 -m state --state NEW,ESTABLISHED -j ACCEPT
#allow dns
iptables -A INPUT -s ! 10.0.0.0/24 -p udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#outgoing ssh
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#telnet out
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 23 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
#smtp
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 10.0.0.2:25
#iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -s ! 10.0.0.0/24 -p tcp --dport 25 -j DNAT --to 10.0.0.2:25
iptables -A FORWARD -s ! 10.0.0.0/24 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
#nameserver out
iptables -t filter -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 42 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 42 -m state --state NEW,ESTABLISHED -j ACCEPT
#masquerading
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -s ! 10.0.0.0/24 -d 10.0.0.0/24 -p icmp -j LOG
#icmp
iptables -A INPUT -s ! 10.0.0.0/24 -d 10.0.0.0/24 -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -s 10.0.0.0/24 -d ! 10.0.0.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
#drop *******s drop and swivel on it
iptables -A INPUT -p tcp -s ! 10.0.0.0/24 -m state --state NEW -j LOG
iptables -A INPUT -p tcp -s ! 10.0.0.0/24 -m state --state NEW -j DROP
iptables -A INPUT -p udp -s ! 10.0.0.0/24 -m state --state NEW -j LOG
iptables -A INPUT -p udp -s ! 10.0.0.0/24 -m state --state NEW -j DROP
#iptables -A INPUT -p icmp -s ! 10.0.0.0/24 -m state --state NEW -j LOG
#iptables -A INPUT -p icmp -s ! 10.0.0.0/24 -m state --state NEW -j DROP
#Start netbios services or Samba for confusion muhawhawhaw...
echo "Starting Samba"
/usr/sbin/smbd
/usr/sbin/nmbd
#set the baud of our serial port... for fun
setserial /dev/ttyS0 autoconfig spd_vhi
#echo "Starting M$ Mail Server replacement Bynari Mailserver"
#/usr/mail/bin/mailserver start
echo "Bringing up ADSL connection now fear the Penguin Baby !"
adsl-start
echo "Starting Squid Unix Proxy Server"
/usr/local/squid/bin/squid -s
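The script above (and the first post's attempt) puts the per-service rules for LAN-to-Internet traffic in INPUT, but traffic that is routed through the box traverses PREROUTING, FORWARD and POSTROUTING, never INPUT; INPUT only sees packets addressed to the firewall itself. Since the script never sets a chain policy, the kernel default of ACCEPT on FORWARD is what actually passes the forwarded SMTP connection and the masqueraded LAN traffic. The block below is an added example written for this thread, not Piix4's script, showing the same topology done with explicit policies, a single conntrack rule for reply traffic, a DNAT rule pinned to the ingress interface and local address, and a per-source SYN limit in place of the post's single shared `-m limit` bucket. It uses the `! -i eth0` negation form that current iptables accepts without a deprecation warning. Assumptions not stated in the thread: the ADSL interface is `ppp0`, iptables 1.4 or later with the `conntrack` and `hashlimit` matches, and the rate-limit thresholds; `DRY_RUN=1` (the default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not Piix4's script: a compact conntrack-based rule set for the
# topology in the thread (eth0 = 10.0.0.1/24 LAN, eth1 = 192.168.0.1 on the
# crossover link to 192.168.0.2, an ADSL link started by adsl-start). It forwards
# TCP/25 sent to 192.168.0.1 on eth1 to 10.0.0.2:25 and masquerades the LAN out
# of the ADSL interface. Assumptions not stated in the post: the ADSL interface
# is ppp0, iptables 1.4+ (conntrack and hashlimit matches), and the thresholds.
# DRY_RUN=1 (the default here) prints each command instead of running it, so the
# rule set can be reviewed, or tested, on a machine without root or iptables.

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-10.0.0.0/24}
XOVER_IF=${XOVER_IF:-eth1}
XOVER_IP=${XOVER_IP:-192.168.0.1}
WAN_IF=${WAN_IF:-ppp0}          # assumed name of the ADSL (PPPoE) interface
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run iptables "$@"; }

# Flush both tables (the post's "iptables -F" only touched filter, so re-running
# it appended duplicate nat rules), default-deny, and let conntrack accept reply
# traffic once instead of a per-service ESTABLISHED rule for every port.
base_policy() {
    run sysctl -w net.ipv4.ip_forward=1
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # the LAN side may use this host's own services (Samba and Squid in the post)
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Per-source SYN limiting. One "-m limit" bucket shared by every external address
# (as in the post) lets a single flooder push everyone else's SYNs over the limit;
# hashlimit keeps a bucket per source address instead.
syn_limit() {
    ipt -N syn-limit
    ipt -A syn-limit -m hashlimit --hashlimit-name syn --hashlimit-mode srcip \
        --hashlimit-upto 20/s --hashlimit-burst 40 -j RETURN
    ipt -A syn-limit -j DROP
    ipt -A INPUT ! -i "$LAN_IF" -p tcp --syn -j syn-limit
    ipt -A FORWARD ! -i "$LAN_IF" -p tcp --syn -j syn-limit
}

# forward_port IN_IF LOCAL_IP PROTO PORT TARGET[:TPORT]
# DNAT rewrites the destination in nat/PREROUTING; filter/FORWARD is evaluated
# after that, so its rule must match the translated destination. Both rules are
# pinned to the ingress interface and local address so the forward is not also
# reachable from the WAN side. Conntrack reverses the translation on the reply,
# provided the target routes back through this host (10.0.0.2 must reach
# 192.168.0.0/24 via 10.0.0.1).
forward_port() {
    fp_in=$1; fp_local=$2; fp_proto=$3; fp_port=$4; fp_target=$5
    fp_ip=${fp_target%%:*}
    fp_tport=${fp_target#*:}
    if [ "$fp_tport" = "$fp_target" ]; then fp_tport=$fp_port; fi
    ipt -t nat -A PREROUTING -i "$fp_in" -d "$fp_local" -p "$fp_proto" --dport "$fp_port" \
        -j DNAT --to-destination "$fp_ip:$fp_tport"
    ipt -A FORWARD -i "$fp_in" -o "$LAN_IF" -p "$fp_proto" -d "$fp_ip" --dport "$fp_tport" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# LAN to Internet: allow new flows out of the WAN interface and masquerade them.
# Matching on -o means LAN-to-LAN and LAN-to-crossover traffic is never rewritten,
# which the post needed an extra POSTROUTING ACCEPT rule for.
masquerade_lan() {
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Rate-limited logging of whatever falls through to the DROP policies.
log_tail() {
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
}

build_rules() {
    base_policy
    syn_limit
    forward_port "$XOVER_IF" "$XOVER_IP" tcp 25 10.0.0.2   # the thread's SMTP forward
    masquerade_lan
    log_tail
}

build_rules
```

Run it as-is to review the generated rules, then `DRY_RUN=0 sh fw.sh` as root to apply them. To check the forward from the crossover host, `telnet 192.168.0.1 25` on 192.168.0.2 should reach 10.0.0.2, and `conntrack -L -p tcp --dport 25` (or `/proc/net/ip_conntrack` on a 2.4 kernel) on the firewall should show the entry with its translated destination.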
mychl
06-27-2002, 11:36 PM
Well, and why do we need to be careful with the cat?
Piix4
06-28-2002, 04:38 AM
exactly