pjsmith
08-31-2001, 01:33 PM
Hi,
I'm writing my first Linux firewall using iptables and have a couple of problems I hope someone can help with. Firstly, I changed to IPTables from IPChains so that I could do away with the concept of having 2 dns setups, one for internal IPs and one for external clients. The idea was to port forward from the firewall to whichever server was needed. I have an internal network that needs access to the web (this part works).
Currently I have the following script (sorry for the length of this...).
iptables -F
iptables -X
iptables -Z
# Set any default policies
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Set up Masquerading
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SNAT --to X.X.X.201
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.5.0/24 -j SNAT --to X.X.X.201
iptables -t nat -A POSTROUTING -o eth1 -s 172.16.27.0/24 -j SNAT --to X.X.X.201
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept to pop3 port
iptables -A INPUT -p tcp -d 0/0 --dport 110 -j ACCEPT
# let the local loopback work
iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -s X.X.X.201 -j ACCEPT
# accept my subnets OK
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.5.0/24 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 172.16.33.0/24 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 128.0.1.0/24 -d 0/0 -j ACCEPT
# accept from local public interface
iptables -A INPUT -i eth1 -s X.X.X.201 -d 0/0 -j ACCEPT
# reject port 113
iptables -A INPUT -i eth1 -p tcp -s 0/0 --dport 113 -j REJECT
# accept ssh connections
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# Port forwarding
# forward www
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 80 -j DNAT --to 192.168.0.30:80
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.193 --dport 80 -j DNAT --to 192.168.0.9:80
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.194 --dport 80 -j DNAT --to 192.168.0.9:80
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 8100 -j DNAT --to 192.168.0.9:8100
iptables -t nat -A POSTROUTING -d 192.168.0.30 -s 192.168.0.1/24 -p tcp --dport 80 -j SNAT --to 192.168.0.1
# forward dns requests
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 53 -j DNAT --to 192.168.0.10:53
iptables -t nat -A PREROUTING -i eth1 -p udp -d X.X.X.201 --dport 53 -j DNAT --to 192.168.0.10:53
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.193 --dport 53 -j DNAT --to 192.168.0.13:53
iptables -t nat -A PREROUTING -i eth1 -p udp -d X.X.X.193 --dport 53 -j DNAT --to 192.168.0.13:53
# forward smtp requests
# forward internal requests to mail.microtech.co.gg
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 25 -s 192.168.0.0/24 -j DNAT --to 192.168.0.1:25
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 25 -s 172.16.33.0/24 -j DNAT --to 192.168.0.1:25
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 25 -s 172.27.33.0/24 -j DNAT --to 192.168.0.1:25
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 25 -s 128.0.1.0/24 -j DNAT --to 192.168.0.1:25
# and everything else to the virus checking smtp server
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 25 -j DNAT --to 192.168.0.59:25
# and for the backup mx mail2.microtech.co.gg
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.193 --dport 25 -s 192.168.0.0/24 -j DNAT --to 192.168.0.10:25
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.193 --dport 25 -s 172.16.33.0/24 -j DNAT --to 192.168.0.10:25
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.193 --dport 25 -s 172.27.33.0/24 -j DNAT --to 192.168.0.10:25
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.193 --dport 25 -s 128.0.1.0/24 -j DNAT --to 192.168.0.10:25
# and everything else to dmail
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.193 --dport 25 -j DNAT --to 192.168.0.1:25
# forward pop requests
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 110 -j DNAT --to 192.168.0.1:110
# forward ftp
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 21 -j DNAT --to 192.168.0.10:21
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 20 -j DNAT --to 192.168.0.10:20
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport ftp-data -j DNAT --to 192.168.0.10
# forward external web email links
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 3400 -j DNAT --to 172.16.33.17:80
iptables -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.201 --dport 3000 -j DNAT --to 172.16.33.16:80
# log anything else for debugging purposes
# anything that should be accepted should be above here.
iptables -A INPUT -j LOG --log-prefix "Dropped pckt"
#iptables -A INPUT -j DROP
Problem 1
I run a squid proxy on the firewall box. It can't get local port-redirected sites. The firewall box cannot reach them. I managed to get it working without the proxy (local->site) by SNAT'ing the packets.
Problem 2
The external web email links I am trying to forward go to a network that the firewall is not on. It is a separate network on the private side of the firewall that can be reached through a router. This doesn't seem to work at all. Is iptables able to forward to a network other than the one it's on?
Possible problem 3
I run a pop server and smtp server on the firewall machine itself. I had problems getting external clients to access this. I put the rule 'iptables -A INPUT -p tcp -d 0/0 --dport 110 -j ACCEPT' just to get it working but this is probably way too open. What is the better way? I expect this is related to problem 1.
This is my first foray with IPTables. There are no doubt many mistakes I made above, so please feel free to point them out to me! Sorry about the length of this, but I thought I'd try to solve all my problems at once.
Many thanks,
Paul
:)
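An added example (not the poster's script) showing one way to handle the three problems above: hairpin NAT for internal clients and for squid on the firewall itself (problem 1), a DNAT target that sits behind an internal router (problem 2), and a POP3/SMTP accept rule bound to the public interface (problem 3). It assumes eth1 is the public interface (X.X.X.201 kept as the post's placeholder), eth0 the internal one with the firewall at 192.168.0.1, and an internal router at 192.168.0.254 (a made-up address) leading to 172.16.33.0/24.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed layout: eth1 public with
# address PUB (X.X.X.201 kept as a placeholder), eth0 internal with the
# firewall at 192.168.0.1, web server 192.168.0.30, webmail host 172.16.33.17
# reached through an assumed internal router 192.168.0.254.
IPT=${IPT:-iptables}; IP=${IP:-ip}
PUB=X.X.X.201; INT_IP=192.168.0.1
WWW=192.168.0.30; WEBMAIL=172.16.33.17; INT_ROUTER=192.168.0.254

# Problem 3: accept new POP3/SMTP (and ssh) sessions only on the public
# interface and only over TCP, instead of "-d 0/0 --dport 110" on any interface.
local_services() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i eth1 -p tcp -m multiport --dports 22,25,110 \
         -m state --state NEW -j ACCEPT
}

# Problem 1: hairpin NAT. A LAN client, or squid on the firewall itself,
# connects to PUB:80; the packet is DNATed to the inside server and then
# SNATed to the firewall's inside address so the reply comes back through
# the firewall rather than straight to the client (which would reset it).
hairpin_nat() {
    $IPT -t nat -A PREROUTING -i eth0 -p tcp -d $PUB --dport 80 -j DNAT --to $WWW:80
    # locally generated packets (squid) never pass PREROUTING; use nat OUTPUT
    $IPT -t nat -A OUTPUT -p tcp -d $PUB --dport 80 -j DNAT --to $WWW:80
    $IPT -t nat -A POSTROUTING -o eth0 -p tcp -d $WWW --dport 80 -j SNAT --to $INT_IP
}

# Problem 2: DNAT may target any address the firewall can route to, so the
# firewall needs a route to 172.16.33.0/24 via the inside router; SNAT again
# keeps the webmail host's replies coming back through the firewall.
remote_subnet_forward() {
    $IP route replace 172.16.33.0/24 via $INT_ROUTER dev eth0
    $IPT -t nat -A PREROUTING -i eth1 -p tcp -d $PUB --dport 3400 -j DNAT --to $WEBMAIL:80
    $IPT -A FORWARD -i eth1 -o eth0 -p tcp -d $WEBMAIL --dport 80 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth0 -p tcp -d $WEBMAIL --dport 80 -j SNAT --to $INT_IP
}

# Without the "apply" argument the commands are only printed (dry run).
[ "${1:-}" = apply ] || { IPT=echo; IP=echo; }
local_services; hairpin_nat; remote_subnet_forward
```

Run it without arguments to review the generated rules; `sh script.sh apply` loads them (as root) once PUB holds the real public address.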