IPTABLES - SNAT / blocking ports

by alex » Wed, 19 Dec 2001 22:29:33

Hello folks

I have been getting to grips with IPTABLES and have setup a simple ruleset
to provide SNAT (I have a static IP from my ISP) from my LAN (eth0) to the
Internet (ppp0) and to block all new conenctions from ppp0.

This works fine, but I have a problem. The Linux box thats doing the SNAT is
also a Samba server - I have restricted it in smb.conf to just listen on
eth0. What I want to do is to ensure that it is not forwarding out ports
135-139 to ppp0 from Windoze boxes on eth0 (ie from broadcasts). So far all
I have managed to do is to completely block access to Samba from eth0!

Can anyone suggest an IPTABLES rule here?

many thanks

alex

Top

1. iptables, SNAT/DNAT, port forwarding problems.

I'm having big problems getting port forwarding to work with my 2.4.0/iptables setup. I have outbound (SNAT) masquerading working just fine:

EXTERNAL_IP=xxx.xxx.xxx.xxx # external ip
LOCAL_NET=192.168.2.0/24 # internal ip
EXTERNAL_IF=eth1
LOCAL_IF=eth0

iptables -t nat -F
iptables -t nat -A POSTROUTING -o ${EXTERNAL_IF} -s ${LOCAL_NET} -j SNAT --to ${EXTERNAL_IP}

I have the following lines to log and forward all www traffic to my internal web server on 192.168.2.1:

iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -p tcp -d ${EXTERNAL_IP} --dport 80 -j LOG --log-prefix 'www-fwd:'
iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -p tcp -d ${EXTERNAL_IP} --dport 80 -j DNAT --to 192.168.2.1:80
iptables -A FORWARD -i ${EXTERNAL_IF} -p tcp --dport 80 -d 192.168.2.1 -o ${INTERNAL_IF} -j LOG --log-prefix 'forwarding:'

When I try to access the web server (at $EXTERNAL_IF) from the internet, I get the following four (sanitized) log entries:

Mar 18 18:07:50 <xxx> kernel: www-fwd:IN=eth1 OUT= MAC=<xxx> SRC=<xxx> DST=<${EXTERNAL_IF}> LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:50 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:53 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=730 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:59 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=731 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

Clearly, the first entry is the DNAT rule firing, and the other three seem to be failed attempts to send the packet on to my web server. My web server logs no page requests, and I've even tried a rule in the web server's INPUT chain to log all www traffic:

iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix 'www:'

Nothing gets logged on the web server. It seems that packets are correctly leaving the firewall, but not arriving at the web server. But short of getting a line analyzer on wire, I can't prove this.

Just to prove to myself that iptables on my web server wasn't somehow dropping the forwarded packets without telling me, I set up Apache on a Win2000 machine I have on my local net, and tried forwarding port 80 to that machine, and I still got not no responses.

Does anyone have any idea what's going on here? What am I missing?

(iptables 1.1.1-2 on both the firewall and the web server).

Thanks and regards,
WMB

2. HELP: My HD is to BIG!!

3. Odd iptables blocking on port 25

4. problem with grep

5. Determining what port are currently used/needed and then using iptables to block the rest?

6. what state is sbwait in top?

7. 'snat' snats everything! (almost)

8. LVM: howto mirror AND extend?

9. using iptables to block OUTBOUND port 25?

10. blocking ports by default (IPTABLES)