From: Madison Kelly <linux@alteeve.com>
To: netfilter@lists.netfilter.org
Subject: Into NAT'ed server okay, can't get out...
Date: Mon, 16 Feb 2004 19:44:07 -0500
Message-ID: <403163D7.7080902@alteeve.com>

Hi all,

   I have a test network here that I am trying to write a firewall 
script for with three NICs; eth0 = LAN, eth1 = NAT'ed servers and eth2 
= Internet (Fedora Core 1, iptables 1.2.9, 2.4.2149 kernel). I have the 
LAN clients behind the firewall connecting to the internet fine (LAN is 
on 192.168.1.0/24 being SNAT'ed behind the firewall's static public IP) 
and from the outside world I can connect via SSH (port 22) to the public 
servers which are DNAT/SNAT'ed behind the firewall with one IP apiece 
(they are on a separate local LAN subnet of 192.168.2.0/24) but for some 
reason I can't figure out I cannot get the server client to get out 
onto the Internet itself.

   I have tried inserting rules at the top of the FORWARD chain to say:
'/sbin/iptables -t filter -I FORWARD -i eth1 -o eth2 -j ACCEPT'
'/sbin/iptables -t filter -I FORWARD -i eth2 -o eth1 -j ACCEPT'

   Which should have allowed communication through (though no protection, 
I realize) but even that didn't work. I think I've got SNAT and DNAT 
set up right because I can SSH into a test server from the Internet (as I 
should) but I just can't get out on that same server.

   Here is the output (cleaned) from 'iptables-save'... Can anyone tell 
me where I have gaffed? Thanks!!

Madison

PS - The script I am using to create these rules is a -heavily- modified 
Monmotha firewall script.

  -= From 'iptables-save >iptables.out' =-
# Generated by iptables-save v1.2.9 on Mon Feb 16 16:45:08 2004
*mangle
:PREROUTING ACCEPT [66:3456]
:INPUT ACCEPT [66:3456]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:13144]
:POSTROUTING ACCEPT [66:13144]
COMMIT
# Completed on Mon Feb 16 16:45:08 2004
# Generated by iptables-save v1.2.9 on Mon Feb 16 16:45:08 2004
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 111.222.33.44 -j DNAT --to-destination 192.168.2.12
-A PREROUTING -d 111.222.33.45 -j DNAT --to-destination 192.168.2.11
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth2 -j SNAT --to-source 111.222.33.43
-A POSTROUTING -s 192.168.2.12 -j SNAT --to-source 111.222.33.44
-A POSTROUTING -s 192.168.2.11 -j SNAT --to-source 111.222.33.45
COMMIT
# Completed on Mon Feb 16 16:45:08 2004
# Generated by iptables-save v1.2.9 on Mon Feb 16 16:45:08 2004
*filter
:INPUT DROP [2:116]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [46:11032]
:INETIN - [0:0]
:INETOUT - [0:0]
:LDROP - [0:0]
:LREJECT - [0:0]
:LTREJECT - [0:0]
:PUBIN - [0:0]
:PUBOUT - [0:0]
:TCPACCEPT - [0:0]
:TREJECT - [0:0]
:UDPACCEPT - [0:0]
:ULDROP - [0:0]
:ULREJECT - [0:0]
:ULTREJECT - [0:0]
-A INPUT -p tcp -m mac --mac-source 00:11:22:33:44:55 -m tcp --dport 22 -j TCPACCEPT
-A INPUT -p tcp -m mac --mac-source 00:11:22:33:44:56 -m tcp --dport 22 -j TCPACCEPT
-A INPUT -p tcp -m mac --mac-source 00:11:22:33:44:57 -m tcp --dport 22 -j TCPACCEPT
-A INPUT -p udp -m mac --mac-source 00:11:22:33:44:55 -m udp --dport 22 -j UDPACCEPT
-A INPUT -p udp -m mac --mac-source 00:11:22:33:44:56 -m udp --dport 22 -j UDPACCEPT
-A INPUT -p udp -m mac --mac-source 00:11:22:33:44:57 -m udp --dport 22 -j UDPACCEPT
-A INPUT -i eth2 -j INETIN
-A INPUT -i eth1 -j INETIN
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j UDPACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j UDPACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -j INETIN
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j INETIN
-A FORWARD -i eth0 -o eth2 -j INETOUT
-A FORWARD -i eth1 -o eth0 -j PUBOUT
-A FORWARD -i eth0 -o eth1 -j PUBIN
-A FORWARD -i eth2 -o eth1 -j PUBIN
-A FORWARD -i eth1 -o eth2 -j PUBOUT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i ! eth2 -o ! eth2 -j ACCEPT
-A OUTPUT -o eth2 -j INETOUT
-A OUTPUT -o eth1 -j PUBOUT
-A INETIN -m state --state INVALID -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INETIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A INETIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INETIN -m state --state ESTABLISHED -j ACCEPT
-A INETIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A INETIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A INETIN -j TREJECT
-A INETOUT -j ACCEPT
-A LDROP -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Dropped " --log-level 6
-A LDROP -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Dropped " --log-level 6
-A LDROP -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Dropped " --log-level 6
-A LDROP -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Dropped "
-A LDROP -j DROP
-A LREJECT -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Rejected " --log-level 6
-A LREJECT -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Rejected " --log-level 6
-A LREJECT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Rejected " --log-level 6
-A LREJECT -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Rejected "
-A LREJECT -j REJECT --reject-with icmp-port-unreachable
-A LTREJECT -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Rejected " --log-level 6
-A LTREJECT -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Rejected " --log-level 6
-A LTREJECT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Rejected " --log-level 6
-A LTREJECT -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Rejected "
-A LTREJECT -j TREJECT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 25 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 110 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 443 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 22 -j UDPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 25 -j UDPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 53 -j UDPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 80 -j UDPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 110 -j UDPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 443 -j UDPACCEPT
-A PUBIN -d 192.168.2.11 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A PUBIN -d 192.168.2.11 -p tcp -m tcp --dport 25 -j TCPACCEPT
-A PUBIN -d 192.168.2.11 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A PUBIN -d 192.168.2.11 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A PUBIN -d 192.168.2.11 -p tcp -m tcp --dport 110 -j TCPACCEPT
-A PUBIN -d 192.168.2.11 -p udp -m udp --dport 22 -j UDPACCEPT
-A PUBIN -d 192.168.2.11 -p udp -m udp --dport 25 -j UDPACCEPT
-A PUBIN -d 192.168.2.11 -p udp -m udp --dport 53 -j UDPACCEPT
-A PUBIN -d 192.168.2.11 -p udp -m udp --dport 80 -j UDPACCEPT
-A PUBIN -d 192.168.2.11 -p udp -m udp --dport 110 -j UDPACCEPT
-A PUBIN -j TREJECT
-A PUBOUT -o eth1 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A PUBOUT -o eth1 -p udp -m udp --dport 53 -j UDPACCEPT
-A PUBOUT -s 192.168.2.12 -d 192.168.2.1 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A PUBOUT -s 192.168.2.12 -d 192.168.2.1 -p udp -m udp --dport 22 -j UDPACCEPT
-A PUBOUT -s 192.168.2.11 -o eth0 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A PUBOUT -s 192.168.2.11 -o eth0 -p udp -m udp --dport 22 -j UDPACCEPT
-A PUBOUT -o eth0 -j INETIN
-A PUBOUT -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/sec -j LOG --log-prefix "Possible SynFlood "
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TREJECT
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch in TCPACCEPT "
-A TCPACCEPT -j TREJECT
-A TREJECT -p tcp -j REJECT --reject-with tcp-reset
-A TREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A TREJECT -p icmp -j DROP
-A TREJECT -j REJECT --reject-with icmp-port-unreachable
-A UDPACCEPT -p udp -j ACCEPT
-A UDPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch on UDPACCEPT "
-A UDPACCEPT -j TREJECT
-A ULDROP -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_TCP"
-A ULDROP -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_UDP"
-A ULDROP -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_ICMP"
-A ULDROP -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_FRAG"
-A ULDROP -j DROP
-A ULREJECT -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_TCP"
-A ULREJECT -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_UDP"
-A ULREJECT -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_UDP"
-A ULREJECT -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_FRAG"
-A ULREJECT -j REJECT --reject-with icmp-port-unreachable
-A ULTREJECT -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_TCP"
-A ULTREJECT -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_UDP"
-A ULTREJECT -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_ICMP"
-A ULTREJECT -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_FRAG"
-A ULTREJECT -p tcp -j REJECT --reject-with tcp-reset
-A ULTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A ULTREJECT -p icmp -j DROP
-A ULTREJECT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Feb 16 16:45:08 2004
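As an added example (not part of the post or of the Monmotha script it is based on), a static check a reviewer can run over iptables-save output: for every FORWARD rule that dispatches into a user chain, it asks whether that chain can ever ACCEPT an ESTABLISHED reply or has an unconditional ACCEPT, since a per-direction chain without either decides only new flows. The embedded SAMPLE is a constructed excerpt of the filter table above; on it the check flags PUBIN, the chain the eth2 -> eth1 direction uses, which unlike INETIN carries no `--state ESTABLISHED` rule.

```python
import shlex

# Constructed excerpt of the posted filter table (a few chains only).
SAMPLE = """\
-A FORWARD -i eth2 -o eth0 -j INETIN
-A FORWARD -i eth2 -o eth1 -j PUBIN
-A FORWARD -i eth1 -o eth2 -j PUBOUT
-A INETIN -m state --state ESTABLISHED -j ACCEPT
-A INETIN -j TREJECT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A PUBIN -j TREJECT
-A PUBOUT -j ACCEPT
-A TREJECT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
"""
# -i/-o pick an interface, -j the target, -m only loads a module; every
# other option constrains the packet (protocol, port, state, rate...).
NONMATCH = {"-i", "-o", "-j", "-m"}

def parse_chains(text):
    """Map chain name -> list of token lists, one per -A rule."""
    chains = {}
    for line in text.splitlines():
        if line.startswith("-A "):
            toks = shlex.split(line)
            chains.setdefault(toks[1], []).append(toks[2:])
    return chains

def opt(toks, flag):
    return toks[toks.index(flag) + 1] if flag in toks else None

def admits_established(chains, chain, seen=frozenset()):
    """True if `chain` can ACCEPT an ESTABLISHED packet: an ACCEPT matched on
    that state, an unconditional ACCEPT, or an unconditional jump to such a chain."""
    if chain in seen:
        return False
    for toks in chains.get(chain, []):
        target = opt(toks, "-j")
        states = (opt(toks, "--state") or "").split(",")
        conds = [t for t in toks if t.startswith("-") and t not in NONMATCH]
        if target == "ACCEPT" and ("ESTABLISHED" in states or not conds):
            return True
        if target in chains and not conds and admits_established(chains, target, seen | {chain}):
            return True
    return False

def forward_gaps(text):
    """(in_if, out_if, chain) for FORWARD dispatches whose chain never admits replies."""
    chains = parse_chains(text)
    return [(opt(t, "-i"), opt(t, "-o"), opt(t, "-j")) for t in chains.get("FORWARD", [])
            if opt(t, "-j") in chains and not admits_established(chains, opt(t, "-j"))]
```

Feed it the real `iptables-save` text instead of SAMPLE to lint a live box; rules whose ACCEPT depends on other matches besides the state match are still counted, so treat a clean result as a starting point, not proof.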