Problems with port forwarding and iptables

Post by Derek Copeli » Tue, 04 Feb 2003 23:36:28



I have been trying to configure a script with iptables on Red Hat 7.2.
I have a couple of scripts already that provide different levels of
firewalling and masquerading; however, I wanted to configure a script to
forward from the outside world to my web server.

I have tried several variations for other servers, including POP3, and none
are routed; they are answered by the server running the firewall.

I have played around with various configurations and stripped the script
down to bare minimum to try and eliminate possible issues but no luck.

Here is the script complete with commented out attempts, any help would be
appreciated.

Regards

Derek

#! /bin/bash
#adsl-start

# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_MASQUERADE
modprobe iptable_nat

# These lines are here in case rules are already in place and the script is
# ever rerun on the fly. We want to remove all rules and pre-existing user
# defined chains and zero the counters before we implement new rules.
# Without -t, iptables only touches the filter table, so the nat table is
# flushed separately; otherwise every rerun appends a second copy of the
# DNAT/MASQUERADE rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X

# Built-in chain policies. A default DROP policy is the safe choice: if the
# script is modified and re-run mid-session there is then only a small time
# period when packets are denied until the new rules are back in place, and
# no period, however small, when packets we don't want are allowed.
# For this stripped-down troubleshooting version the policies are ACCEPT, so
# the filter table cannot be what stops the forwarded packets.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

## ===========================================================
## Some definitions:
INTERFACE_INTERNAL="eth0"
INTERFACE_INTERNAL_IP="10.28.0.254/32"
INTERFACE_BOUND_EXTERNAL="eth1"
INTERFACE_BOUND_EXTERNAL_IP="10.28.1.254/32"
INTERFACE_EXTERNAL="ppp0"
NAMESERVER_1="61.9.208.14"
NAMESERVER_2="61.9.208.15"
BROADCAST="10.28.0.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
# Public address; defined but not referenced by any rule below.
EXTERED="203.51.216.138"

## ============================================================
## Kernel flags
# To dynamically change kernel parameters and variables on the fly you need
# CONFIG_SYSCTL defined in your kernel. I would advise the following:

# ICMP echo: 1 ignores all pings, 0 answers them. Left at 0 here, so the
# host answers pings.
/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests sent to broadcast addresses (1 = ignore).
# You don't want yourself becoming a Smurf amplifier. Commented out here.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to
# generate traffic pretending to be from inside your network, but which is
# routed back along the path from which it came, namely outside, so attackers
# can compromise your network. Source routing is rarely used for legitimate
# purposes.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your
# routing tables, possibly to a bad end.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Reverse path filtering (1 = on). This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the
# network interface they're arriving on. This has security advantages because
# it prevents so-called IP spoofing, however it can pose problems if you use
# asymmetric routing (packets from you to a host take a different path than
# packets from that host to you) or if you operate a non-routing host which
# has several IP addresses on different interfaces. (Note - If you turn on
# IP forwarding, you will also get this.) It is written as 0 (off) here.
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   /bin/echo "0" > ${interface}
done

# Dynamic address rewriting for dial-up links (1 = on). Set to 0 (off) here.
echo "0" > /proc/sys/net/ipv4/ip_dynaddr

# Log spoofed packets, source routed packets, redirect packets (1 = on).
# Set to 0 (off) here.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/log_martians

# Turn IP forwarding on. It is required on a multi-homed host that routes
# for the LAN (the DNAT below is useless without it) and should stay off on
# a single-homed host.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Note: With connection tracking, all fragments are reassembled before being
# passed to the packet-filtering code so there is no ip_always_defrag switch
# as there was in the 2.2 kernel.

## ============================================================
# RULES
## MASQ

iptables -A FORWARD -i $INTERFACE_EXTERNAL -o $INTERFACE_INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERFACE_INTERNAL -o $INTERFACE_EXTERNAL -j ACCEPT
iptables -t nat -A POSTROUTING -o $INTERFACE_EXTERNAL -j MASQUERADE

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## LAN
# Allow unlimited traffic from internal card.
iptables -A INPUT  -i $INTERFACE_INTERNAL -j ACCEPT
iptables -A OUTPUT -o $INTERFACE_INTERNAL -j ACCEPT

## Reroute external requests on port 80 to internal 10.28.0.4 port 80.
# Earlier attempts (one of them on port 10080) are left commented out below.

###iptables -t nat -A PREROUTING -p tcp --dport 80 -i INTERFACE_EXTERNAL  -j DNAT --to 10.28.0.4:80
# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 -p tcp --dport 80 -j SNAT --to 192.168.1.250
#iptables -t nat -A PREROUTING -i $INTERFACE_EXTERNAL -p tcp --dport 80 -j DNAT --to-destination 10.28.0.4:80
#iptables -t nat -A PREROUTING -i -d $INTERFACE_EXTERNAL -p TCP --dport 10080 -m state --state NEW,ESTABLISHED -j DNAT --to-destination 10.28.0.4:80

#iptables -I PREROUTING -t nat -p tcp -i  $INTERFACE_EXTERNAL -j DNAT --to 10.28.0.4:80/24
#iptables -A FORWARD -p tcp --dport http -d 10.28.0.4 -j ACCEPT
# Active rule: rewrite the destination of web requests arriving on the
# external interface. Because the FORWARD policy above is ACCEPT, the
# rewritten packets are forwarded without a further filter rule; with a DROP
# policy an explicit "-A FORWARD -p tcp -d 10.28.0.4 --dport 80 -j ACCEPT"
# would be needed as well.
iptables -t nat -A PREROUTING -i $INTERFACE_EXTERNAL -p tcp --dport 80 -j DNAT --to-destination 10.28.0.4:80
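Editor's added example, not part of Derek's script above or Kevin's in the related thread below: the minimal, complete rule set a DNAT port forward needs, written so the rules can be previewed without root before they are installed. The point both posts circle around is that DNAT happens in nat/PREROUTING before the routing decision: a packet that matches a DNAT rule is then routed and filtered in FORWARD against its rewritten destination (the internal server), while a packet that matches no DNAT rule (wrong interface, wrong port, or a LAN client hitting the public address) is delivered locally, goes through INPUT, and is answered by whatever listens on the firewall itself. Interface and address names (ppp0, eth0, 10.28.0.4, 10.28.0.0/24, 10.28.0.254) are taken from Derek's definitions; PUBLIC_IP, the function names and the show/apply arguments are this example's own, and the hairpin rules are an extension the original post does not contain.

```shell
#!/bin/bash
# Added example, not Derek's or Kevin's script: the minimal rule set a DNAT
# port forward needs on a Linux NAT box, plus a preview mode so the generated
# rules can be inspected before they are applied.
#
# Assumed topology (names taken from the definitions in the post above; the
# PUBLIC_IP placeholder and all function names are this example's own):
#   WAN_IF  ppp0         external link, possibly with a dynamic address
#   LAN_IF  eth0         10.28.0.254 on the 10.28.0.0/24 LAN
#   WEB_IP  10.28.0.4    internal web server, port 80
WAN_IF=${WAN_IF:-ppp0}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-10.28.0.0/24}
LAN_GW=${LAN_GW:-10.28.0.254}
WEB_IP=${WEB_IP:-10.28.0.4}
WEB_PORT=${WEB_PORT:-80}
PUBLIC_PORT=${PUBLIC_PORT:-80}
# Only needed for the hairpin rules; leave empty on a dynamic link.
PUBLIC_IP=${PUBLIC_IP:-}

# Command that installs a rule. IPT="echo iptables" prints instead of installing.
IPT=${IPT:-iptables}

# Print one iptables argument list per line. DNAT runs in nat/PREROUTING,
# before the routing decision, so anything that matches in FORWARD afterwards
# must match the rewritten destination (WEB_IP), not the public address.
portfwd_rules() {
    # 1. Rewrite the destination of connections arriving on the WAN side.
    printf '%s\n' "-t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT"
    # 2. Let the rewritten packets through FORWARD. Without this, a FORWARD
    #    policy of DROP eats the connection even though "iptables -t nat -L -v"
    #    shows the DNAT rule's counters increasing.
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_IP --dport $WEB_PORT -m state --state NEW -j ACCEPT"
    # 3. Replies of any established connection, in either direction. Conntrack
    #    undoes the NAT on the way back, so WAN clients need no SNAT.
    printf '%s\n' "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 4. Hairpin: a LAN client that connects to the public address arrives on
    #    LAN_IF, so rule 1 never matches; the packet goes to INPUT and any
    #    web server on the firewall itself answers it. DNAT it as well, and
    #    SNAT it to the gateway so the server's reply returns via the firewall
    #    (otherwise the server answers the client directly and the client
    #    drops a reply from an address it never talked to).
    if [ -n "$PUBLIC_IP" ]; then
        printf '%s\n' "-t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT"
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $LAN_IF -p tcp -d $WEB_IP --dport $WEB_PORT -m state --state NEW -j ACCEPT"
        printf '%s\n' "-t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_IP -p tcp --dport $WEB_PORT -j SNAT --to-source $LAN_GW"
    fi
}

# Install the rules (or print them when IPT is "echo iptables").
apply_rules() {
    if [ "$IPT" = iptables ]; then
        # DNAT'd packets are still routed; routing between interfaces needs this.
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    portfwd_rules | while IFS= read -r args; do
        # Unquoted $args on purpose: each line is one argument vector.
        # shellcheck disable=SC2086
        $IPT $args
    done
}

case "${1:-}" in
    show)  portfwd_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 show|apply (set IPT='echo iptables' to preview)" >&2 ;;
esac
```

Run `IPT='echo iptables' ./portfwd.sh apply` to see exactly what would be installed, then `sudo ./portfwd.sh apply` on the gateway. When a forward still fails, check the three places the packet can get lost in order: `cat /proc/sys/net/ipv4/ip_forward` must be 1; `iptables -t nat -L PREROUTING -v -n` shows whether the DNAT rule's packet counter moves at all (if not, the match is wrong, typically the interface, and the request ends up in INPUT on the firewall); `iptables -L FORWARD -v -n` together with `tcpdump -ni eth0 host 10.28.0.4 and port 80` shows whether the rewritten packets actually leave on the LAN side and whether the server answers. The `-m state` match is what the 2003-era scripts on this page use; on current kernels `-m conntrack --ctstate` is the preferred spelling with the same meaning.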


1. IPTables and a simple script to port forward port 80

Hey there,

Well, I stayed up later than I'd like to admit last night trying to get
port forwarding to work.  All I want the linux box to do is forward port
80 (web traffic of course...) from the external interface to a box on
the inside interface's LAN.

For troubleshooting, I've stripped out all of my SNAT config, set the
policies to ACCEPT for every chain, and used the following:

iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 10.0.0.11:80

where 1.2.3.4 is the outside address and 10.0.0.11 is the inside
address.

When I go to 1.2.3.4 with a web browser from another server on the
outside, and then do "ipchains -t nat -L -v" I can see that the packet
hit the rule, but the web browser times out.  From there, I have no idea
where the packet is getting lost.  At this point, I'm not trying to be
secure, I'm just trying to get the damn thing to work. ;-)  I can make
it secure later... (crawl before you walk, etc.)

Any help will be much appreciated, as I've already spent more time on
this than I would have liked to (doesn't it always seem that way?).  If
you have port 80 forwarding--or any port for that matter--working and
could send me your script, I'd appreciate that also.

Thanks,
Kevin

2. Mounting proc filesystem dup2: Bad file descriptor

3. iptables smtp port forwarding problem

4. Stuck CDrom drive

5. iptables port forwarding problem

6. DOS emulation and BIOS

7. Iptables port forwarding problem

8. tin2.0pl2 porting guide for linux

9. Problems iptable port forwarding

10. iptables port forwarding problem

11. iptables, SNAT/DNAT, port forwarding problems.

12. iptables dnat port forwarding problems

13. Redirect problem with iptables and port forwarding