* Iptables forwarding
@ 2002-06-26  7:41 Loc Huynh
  2002-06-26  8:07 ` Patrick Schaaf
  2002-06-26  9:35 ` Antony Stone
  0 siblings, 2 replies; 9+ messages in thread
From: Loc Huynh @ 2002-06-26  7:41 UTC (permalink / raw)
  To: netfilter


Hi all,
 
I finally had the iptables 1.2.6a installed and it's working great (on
Redhat 7.3)
However, I have a small problem.
I have the following setup for forwarding on port 80 to our IIS web server.
 
$IPTABLES -A FORWARD -i $INTERNALIF -p tcp --dport 80 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $INTERNALIP --dport 80 -j DNAT
--to-destination $HTTPFWDIP:80

The above worked fine if I have the "FORWARD" chain open to ACCEPT,
ie: $IPTABLES -P FORWARD ACCEPT

Of course, I don't want the default to be open to "ACCEPT"; is there any way to
avoid this, please?
 
Thanks in advance,
LH



* Re: Iptables forwarding
  2002-06-26  7:41 Iptables forwarding Loc Huynh
@ 2002-06-26  8:07 ` Patrick Schaaf
  2002-06-26  9:35 ` Antony Stone
  1 sibling, 0 replies; 9+ messages in thread
From: Patrick Schaaf @ 2002-06-26  8:07 UTC (permalink / raw)
  To: Loc Huynh; +Cc: netfilter

Hi,

> The above worked fine if I have the "FORWARD" to be open to ACCEPT
> ie: $IPTABLES -P FORWARD ACCEPT
> 
> Of course, I don't want the default is open to "ACCEPT", is there anyway to
> avoid this please ?

Without thinking about your exact setup, here is some general advice:
in a case like the one you have on your hands, when you see that
a chain default policy is necessary for something to work, you
can immediately guess that you are missing a necessary rule within
the chain itself. Now what can you do to find out what kind of
rule you need? Easy: use the LOG target at the end of the chain,
and you will see in your syslog (/var/log/messages, most likely)
the address information of the packets which fall off the end
of your chain.

hope this helps
  Patrick



* Re: Iptables forwarding
  2002-06-26  7:41 Iptables forwarding Loc Huynh
  2002-06-26  8:07 ` Patrick Schaaf
@ 2002-06-26  9:35 ` Antony Stone
  1 sibling, 0 replies; 9+ messages in thread
From: Antony Stone @ 2002-06-26  9:35 UTC (permalink / raw)
  To: netfilter

On Wednesday 26 June 2002 8:41 am, Loc Huynh wrote:

> Hi all,
>
> I finally had the iptables 1.2.6a installed and it's working great (on
> Redhat 7.3)
> However, I have a small problem.
> I have the following setup for forwarding on port 80 to our IIS web server.
>
> $IPTABLES -A FORWARD -i $INTERNALIF -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $INTERNALIP --dport 80 -j DNAT
> --to-destination $HTTPFWDIP:80
>
> The above worked fine if I have the "FORWARD" to be open to ACCEPT
> ie: $IPTABLES -P FORWARD ACCEPT
>
> Of course, I don't want the default is open to "ACCEPT", is there anyway to
> avoid this please ?

$IPTABLES -A FORWARD -i $EXTERNALIF -d $HTTPFWDIP -p tcp --dport 80 -j ACCEPT

ie: Allow packets from the external interface in to your web server.

 

Antony.



* RE: Iptables forwarding
@ 2002-06-27  3:48 Loc Huynh
  2002-06-27  5:16 ` Patrick Schaaf
  0 siblings, 1 reply; 9+ messages in thread
From: Loc Huynh @ 2002-06-27  3:48 UTC (permalink / raw)
  To: 'Patrick Schaaf'; +Cc: netfilter


Thanks Patrick, 
Unfortunately, there wasn't any message related to the forwarding.  It only
told me the firewall has been stopped and restarted successfully.
I have found out that I need to open ports 1025 -> 65535, then it works. I am
looking at the Microsoft website for more info. on IIS.  I will post if I
can find *GOOD* stuff.
Ta,
LH

-----Original Message-----
From: Patrick Schaaf [mailto:bof@bof.de]
Sent: Wednesday, 26 June 2002 6:07 PM
To: Loc Huynh
Cc: netfilter@lists.samba.org
Subject: Re: Iptables forwarding


Hi,

> The above worked fine if I have the "FORWARD" to be open to ACCEPT
> ie: $IPTABLES -P FORWARD ACCEPT
> 
> Of course, I don't want the default is open to "ACCEPT", is there anyway
> to avoid this please ?

Without thinking about your exact setup, here is a general advise:
in a case like the one you have on your hands, when you see that
a chain default policy is neccessary for something to work, you
can immediately guess that you are missing a neccessary rule within
the chain itself. Now what can you do to find out what kind of
rule you need? Easy: use the LOG target at the end of the chain,
and you will see in your syslog (/var/log/messages, most likely)
the address information of the packets which fall off the end
of your chain.

hope this helps
  Patrick



* Re: Iptables forwarding
  2002-06-27  3:48 Loc Huynh
@ 2002-06-27  5:16 ` Patrick Schaaf
  0 siblings, 0 replies; 9+ messages in thread
From: Patrick Schaaf @ 2002-06-27  5:16 UTC (permalink / raw)
  To: Loc Huynh; +Cc: netfilter

Hi,

> Unfortunately, there wasn't any message related to the forwarding.  it only
> told me the firewall has been stoped and restarted successfully.

Then the messages are either in a different file than the one I suggested
as likely, or they are not logged at all. As the LOG target is the prime
debugging tool for iptables, you definitely WANT to find out where it
logs to. You will have to configure your syslog daemon (/etc/syslogd.conf)
appropriately. Please, take some time to learn how to do that.

> I have found out that I need to open port 1025 -> 65535 then it works,

... and you have won nearly no security. Might as well not use iptables at all,
almost.

regards
  Patrick



* Re: Iptables forwarding
       [not found] <1C61B9073EBFBD40B45FA90B8265B2DD1BE8@MELXCHW01.oz.quest.com>
@ 2002-06-27  7:39 ` Antony Stone
  0 siblings, 0 replies; 9+ messages in thread
From: Antony Stone @ 2002-06-27  7:39 UTC (permalink / raw)
  To: netfilter

On Thursday 27 June 2002 4:53 am, Loc Huynh wrote:

> Hi Antony,
>
> I have tried this before, it didn't work with my script, I might be missing
> something !!!!!

Okay - in that case put a LOG rule into your FORWARD chain just before the 
end where packets get DROPped, put some packets through to demonstrate the 
problem, and then see what got logged.   This should help you identify what 
rule you need to pass the appropriate packets.

> I should say from the beginning that: on a live firewall, I have two NICs, and
> the testing for port forwarding has one NIC, I don't think it makes much
> difference, does it ?

It might do - it depends what addresses you've applied to the NIC.   If you're 
saying that you have an internal client and an internal webserver on the same 
network range, and you're trying to access the webserver from the client 
using the webserver's external address (which given your above description is 
a possibility, I can't really tell), then you need to read
http://www.iptables.org/documentation/HOWTO/NAT-HOWTO-10.html

If that's not the case, and the LOGging suggestion doesn't help, then post a 
clear description of your network configuration, and the smallest ruleset 
which demonstrates the problem, and we'll see what we can do.

 

Antony.

> -----Original Message-----
> From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk]
> Sent: Wednesday, 26 June 2002 7:36 PM
> To: netfilter@lists.samba.org
> Subject: Re: Iptables forwarding
>
> On Wednesday 26 June 2002 8:41 am, Loc Huynh wrote:
> > Hi all,
> >
> > I finally had the iptables 1.2.6a installed and it's working great (on
> > Redhat 7.3)
> > However, I have a small problem.
> > I have the following setup for forwarding on port 80 to our IIS web server.
>
> > $IPTABLES -A FORWARD -i $INTERNALIF -p tcp --dport 80 -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -d $INTERNALIP --dport 80 -j DNAT
> > --to-destination $HTTPFWDIP:80
> >
> > The above worked fine if I have the "FORWARD" to be open to ACCEPT
> > ie: $IPTABLES -P FORWARD ACCEPT
> >
> > Of course, I don't want the default is open to "ACCEPT", is there anyway
> > to avoid this please ?
>
> $IPTABLES -A FORWARD -i $EXTERNALIF -d $HTTPFWDIP -p tcp --dport 80 -j
> ACCEPT
>
> ie: Allow packets from the external interface in to your web server.
>
>
>
> Antony.
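A complete ruleset for the setup discussed in this thread, added here as an example; it is not code posted by Loc, Patrick or Antony. It puts Antony's rule into a FORWARD chain whose policy is DROP, replaces the 1025 -> 65535 hole Loc mentions with a connection-tracking rule that passes only reply traffic, ends the chain with the LOG rule Patrick and Antony recommend, and adds the SNAT rules from the NAT-HOWTO section Antony links for the case where client and web server sit on the same subnet. The interface names and addresses (eth0, eth1, 203.0.113.10, 192.168.1.0/24, 192.168.1.1, 192.168.1.20) and the function names are assumptions; on a single-NIC test box like Loc's, EXTERNALIF and INTERNALIF would name the same interface.

```shell
#!/bin/sh
# Added example, not code posted in the thread. Assumed names, all overridable
# from the environment: eth0 is the Internet-facing NIC, eth1 the LAN NIC,
# 203.0.113.10 the firewall's public address, 192.168.1.0/24 the LAN,
# 192.168.1.1 the firewall's LAN address and 192.168.1.20 the IIS box.
# Run as "APPLY=1 sh firewall.sh" to load the rules; without APPLY the script
# only prints the commands it would run.
IPTABLES="${IPTABLES:-iptables}"
EXTERNALIF="${EXTERNALIF:-eth0}"
INTERNALIF="${INTERNALIF:-eth1}"
EXTERNALIP="${EXTERNALIP:-203.0.113.10}"
INTERNALNET="${INTERNALNET:-192.168.1.0/24}"
INTERNALFWIP="${INTERNALFWIP:-192.168.1.1}"
HTTPFWDIP="${HTTPFWDIP:-192.168.1.20}"

# Each function takes an optional command prefix: "build_rules echo" is a dry
# run that prints the iptables commands, "build_rules" executes them.

# build_rules: default-DROP FORWARD chain plus the port-80 DNAT.
build_rules() {
    run="${1:-}"
    $run sysctl -w net.ipv4.ip_forward=1
    $run "$IPTABLES" -t nat -F
    $run "$IPTABLES" -F FORWARD
    # Default deny: nothing is forwarded unless a rule below accepts it.
    $run "$IPTABLES" -P FORWARD DROP

    # Rewrite the destination of port-80 connections aimed at the public address.
    # PREROUTING runs before the routing decision and before FORWARD, so the
    # FORWARD rules below must match the rewritten destination (the web server),
    # not the public address.
    $run "$IPTABLES" -t nat -A PREROUTING -i "$EXTERNALIF" -p tcp -d "$EXTERNALIP" \
        --dport 80 -j DNAT --to-destination "$HTTPFWDIP:80"

    # Reply packets of connections the firewall already tracks. The server's
    # replies have source port 80 and an ephemeral destination port; this rule
    # lets exactly those through, instead of opening 1025-65535 to everything.
    $run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections from outside: only to the web server, only port 80.
    $run "$IPTABLES" -A FORWARD -i "$EXTERNALIF" -o "$INTERNALIF" -d "$HTTPFWDIP" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # New connections from the LAN towards the Internet.
    $run "$IPTABLES" -A FORWARD -i "$INTERNALIF" -o "$EXTERNALIF" \
        -m state --state NEW -j ACCEPT
}

# build_hairpin_rules: a LAN client connecting to the public address (NAT-HOWTO
# section 10). Without the SNAT the server, being on the client's own subnet,
# would answer the client directly; the client would then see a reply from
# 192.168.1.20 instead of the address it connected to and reset the connection.
build_hairpin_rules() {
    run="${1:-}"
    $run "$IPTABLES" -t nat -A PREROUTING -i "$INTERNALIF" -p tcp -d "$EXTERNALIP" \
        --dport 80 -j DNAT --to-destination "$HTTPFWDIP:80"
    # Only LAN sources are rewritten, so the server still logs real Internet
    # client addresses for connections that came in through eth0.
    $run "$IPTABLES" -t nat -A POSTROUTING -o "$INTERNALIF" -s "$INTERNALNET" \
        -d "$HTTPFWDIP" -p tcp --dport 80 -j SNAT --to-source "$INTERNALFWIP"
    # The hairpinned packet enters and leaves on the LAN interface.
    $run "$IPTABLES" -A FORWARD -i "$INTERNALIF" -o "$INTERNALIF" -d "$HTTPFWDIP" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# build_log_rule: must be the last FORWARD rule. Anything reaching it is about
# to fall off the end of the chain and be dropped by the policy, which is
# exactly the traffic worth logging; the limit keeps a scan from flooding syslog.
build_log_rule() {
    run="${1:-}"
    $run "$IPTABLES" -A FORWARD -m limit --limit 5/minute \
        -j LOG --log-prefix "FWD-DROP: "
}

if [ "${APPLY:-0}" = "1" ]; then
    build_rules && build_hairpin_rules && build_log_rule
else
    build_rules echo
    build_hairpin_rules echo
    build_log_rule echo
fi
```

`sh firewall.sh` prints the rules for review, `APPLY=1 sh firewall.sh` loads them. The LOG target writes through the kernel log, so dropped packets show up in `dmesg` straight away and, with the usual syslog configuration, in /var/log/messages prefixed with FWD-DROP:; if they are in neither place, the syslog daemon's configuration for kernel messages is what to check.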



* Iptables forwarding
@ 2005-03-22 10:33 N Gal
  2005-03-22 10:47 ` Gavin Hamill
  0 siblings, 1 reply; 9+ messages in thread
From: N Gal @ 2005-03-22 10:33 UTC (permalink / raw)
  To: netfilter

Hallo,

I'm trying to set up a 'statistics box' that should simply IP forward 
everything from one ethernet card to the other (Transparent Firewall?) in 
the same subnet. The problem is that it will not do this. Any suggestions 
welcome...

Thanks,
Neil





* Re: Iptables forwarding
  2005-03-22 10:33 N Gal
@ 2005-03-22 10:47 ` Gavin Hamill
  2005-03-24 10:19   ` N Gal
  0 siblings, 1 reply; 9+ messages in thread
From: Gavin Hamill @ 2005-03-22 10:47 UTC (permalink / raw)
  To: netfilter

On Tuesday 22 March 2005 10:33, N Gal wrote:
> Hallo,
>
> I'm  trying to set up a 'statistics box' that should simply IP forward
> everything from one ethernet card to the other (Transparent Firewall?) in
> the same subnet. The problem is that it will not do this. Any suggestions
> welcome...

You want this : http://ebtables.sf.net

Short version - use a 2.6 kernel and when you configure Linux Bridging 
(interface br0 spanning eth0 and eth1, for example), you will be able to 
apply rules, or simply count the number of packets matching rules / 
interfaces...

If you use a 2.4 kernel, you will need to patch it (see URL above)

Cheers,
Gavin.




* Re: Iptables forwarding
  2005-03-22 10:47 ` Gavin Hamill
@ 2005-03-24 10:19   ` N Gal
  0 siblings, 0 replies; 9+ messages in thread
From: N Gal @ 2005-03-24 10:19 UTC (permalink / raw)
  To: gdh; +Cc: netfilter



>From: Gavin Hamill <gdh@acentral.co.uk>
>To: netfilter@lists.netfilter.org
>Subject: Re: Iptables forwarding
>Date: Tue, 22 Mar 2005 10:47:39 +0000
>
>On Tuesday 22 March 2005 10:33, N Gal wrote:
> > Hallo,
> >
> > I'm trying to set up a 'statistics box' that should simply IP forward
> > everything from one ethernet card to the other (Transparent Firewall?) in
> > the same subnet. The problem is that it will not do this. Any suggestions
> > welcome...
>
>You want this : http://ebtables.sf.net
>
>Short version - use a 2.6 kernel and when you configure Linux Bridging
>(interface br0 spanning eth0 and eth1, for example), you will be able to
>apply rules, or simply count the number of packets matching rules /
>interfaces...
>
>If you use a 2.4 kernel, you will need to patch it (see URL above)
>
>Cheers,
>Gavin.
>
>


Hi Gavin,

yes, I found the ebtables site after I sent the message and am using a 2.4 
kernel, so a patch will be necessary.

Do I need iptables as well as ebtables or is ebtables a 'drop-in' 
replacement?

Thanks for the help,

Neil
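The bridge setup Gavin describes, written out as an added example (not code from either poster or from the ebtables project). It builds a br0 bridge over the two NICs, counts frames with ebtables and, with bridge-nf switched on, counts the same traffic with iptables using the physdev match; the two tools work side by side, ebtables matching on Ethernet frames and iptables on IP packets, which also bears on Neil's question about one replacing the other. It assumes a 2.6 kernel that ships bridging, bridge-nf and the physdev match, bridge-utils for brctl, and that eth0 and eth1 are the statistics box's two NICs; the interface and function names are assumptions.

```shell
#!/bin/sh
# Added example, not code posted in the thread. Assumes a 2.6 kernel with
# bridging, bridge-nf and the physdev match, bridge-utils (brctl) and ebtables;
# eth0 and eth1 are the two NICs of the statistics box. Run as
# "APPLY=1 sh bridge.sh" (as root) to configure the box; without APPLY the
# script only prints the commands it would run.
BRIDGE="${BRIDGE:-br0}"
IF_A="${IF_A:-eth0}"
IF_B="${IF_B:-eth1}"

# Each function takes an optional command prefix: "build_bridge echo" prints
# the commands, "build_bridge" executes them.

# build_bridge: join the two NICs into one bridge. No IP address is put on
# br0 or the NICs, so the box has no presence on the subnet it sits in and
# simply passes every frame from one side to the other.
build_bridge() {
    run="${1:-}"
    $run brctl addbr "$BRIDGE"
    $run brctl addif "$BRIDGE" "$IF_A"
    $run brctl addif "$BRIDGE" "$IF_B"
    # One bridge with no redundant path: spanning tree would only delay
    # forwarding while the ports sit in the listening and learning states.
    $run brctl stp "$BRIDGE" off
    $run ip link set "$IF_A" up
    $run ip link set "$IF_B" up
    $run ip link set "$BRIDGE" up
}

# build_counters: frame counters with ebtables (layer 2) and packet counters
# with iptables (layer 3/4) on the same bridged traffic. Neither rule set
# decides a frame's fate: ebtables' CONTINUE target and iptables rules with
# no target at all only count, and both FORWARD chains keep their ACCEPT policy.
build_counters() {
    run="${1:-}"
    $run ebtables -F FORWARD
    $run ebtables -A FORWARD -i "$IF_A" -o "$IF_B" -j CONTINUE
    $run ebtables -A FORWARD -i "$IF_B" -o "$IF_A" -j CONTINUE
    $run ebtables -A FORWARD -p ARP -j CONTINUE

    # bridge-nf hands bridged IPv4 frames to iptables; with it off the iptables
    # FORWARD chain never sees them and the rules below stay at zero.
    $run sysctl -w net.bridge.bridge-nf-call-iptables=1
    $run iptables -F FORWARD
    $run iptables -A FORWARD -m physdev --physdev-in "$IF_A" --physdev-out "$IF_B" \
        -p tcp --dport 80
    $run iptables -A FORWARD -m physdev --physdev-in "$IF_B" --physdev-out "$IF_A" \
        -p tcp --sport 80
}

# show_counters: read the numbers back. --Lc adds packet and byte counters to
# ebtables -L; -v -x gives exact, unabbreviated counters from iptables.
show_counters() {
    ebtables -L FORWARD --Lc
    iptables -L FORWARD -v -n -x
}

if [ "${APPLY:-0}" = "1" ]; then
    build_bridge && build_counters && show_counters
else
    build_bridge echo
    build_counters echo
fi
```

Because the iptables rules carry no target, they never change what the bridge forwards; to turn the box from a counter into a transparent firewall, add `-j DROP` to a rule and give the iptables FORWARD chain a DROP policy, exactly as on a routing firewall.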




