* no connection
@ 2007-05-20  2:53 William Perry
From: William Perry @ 2007-05-20  2:53 UTC (permalink / raw)
  To: netfilter

I am using the following iptables script:
# eth0 is the Local network
# eth1 is the External network
 
*filter
:INPUT   DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT  DROP [0:0]
 
#allow traffic from the firewall to go out
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# allow local loopback connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
 
# Allow all connections to the local network
-A INPUT -i eth0 -s 123.123.123.0/24 -j ACCEPT
-A OUTPUT -o eth0 -d 123.123.123.0/24 -j ACCEPT
 
# drop INVALID connections
-A INPUT   -m state --state INVALID -j DROP
-A OUTPUT  -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
 
# allow all established and related
-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# allow connections to my ISP's DNS servers
-A OUTPUT   -d 206.13.31.12 -m state --state NEW -p udp --dport 53 -o eth1 -j ACCEPT
-A FORWARD  -d 206.13.31.12 -m state --state NEW -p udp --dport 53 -i eth0 -o eth1 -j ACCEPT
 
-A OUTPUT   -d 206.13.28.12 -m state --state NEW -p udp --dport 53 -o eth1 -j ACCEPT
-A FORWARD  -d 206.13.28.12 -m state --state NEW -p udp --dport 53 -i eth0 -o eth1 -j ACCEPT
 
# allow outgoing connections to web servers
-A OUTPUT  -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport http -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport http -o eth1 -i eth0 -j ACCEPT
 
-A OUTPUT  -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport https -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport https -o eth1 -i eth0 -j ACCEPT
 
# allow outgoing connections to ntp
-A OUTPUT  -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 123 -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 123 -o eth1 -i eth0 -j ACCEPT
 
# Log all other attempts to out-going connection
-A OUTPUT   -o eth1 -j LOG --log-level info --log-prefix "[ATTEMPTED] "
-A FORWARD  -o eth1 -j ACCEPT
 
-A FORWARD  -j LOG --log-level info --log-prefix "[FWD-] "
-A FORWARD  -o eth0 -j ACCEPT
 
COMMIT
 
*nat
-A POSTROUTING -o eth1 -j SNAT --to 71.133.232.116
 
#port forward port 80
-A PREROUTING -d 71.133.232.116 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.123.123.2:80
 
COMMIT
 
#----
I was expecting the firewall (external ip 71.133.232.116) to send the 
packets to the web server (123.123.123.2), but it appears that the 
packets are not going anywhere.

Test:
use a machine whose gateway is not 71.133.232.116 and execute:
wget http://71.133.232.116/

1. On the log file of the firewall, I see a log record indicating that 
the "[FWD-]" log was hit.
2. On the web server, I see no record in the access log file.
3. No response is received to the wget command.

Isn't the prerouting command enough to get the packets to go? What do I 
need to do to get iptables to actually send the packet?
-- 
William Perry
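Added example (not part of the post): a small Python model of the FORWARD chain from the script above, walked first-match the way the kernel does (LOG is non-terminating, ACCEPT/DROP end the walk, the DROP policy applies when nothing matches), fed the wget SYN as it looks after the PREROUTING DNAT. It returns ACCEPT after hitting the "[FWD-] " LOG rule, which agrees with observation 1 and shows that the filter FORWARD chain is not where this packet stops. Assumptions: the https, ntp and second DNS rules are left out (same shape as the lines kept), service names are resolved from a tiny table, and the packet dict is constructed.

```python
import shlex
from ipaddress import ip_address, ip_network

# FORWARD rules of the posted script, in order (https, ntp and the second DNS rule omitted).
FORWARD_RULES = """
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 206.13.31.12 -m state --state NEW -p udp --dport 53 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport http -o eth1 -i eth0 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -j LOG --log-level info --log-prefix "[FWD-] "
-A FORWARD -o eth0 -j ACCEPT
"""
OPTS = {"-i": "in", "-o": "out", "-d": "dst", "-p": "proto", "-j": "target",
        "--log-prefix": "prefix"}
PORTS = {"http": 80, "https": 443}            # service names used by the script

def parse_rule(line):
    rule, toks = {}, shlex.split(line)
    for opt, arg in zip(toks[::2], toks[1::2]):  # every option here takes one argument
        if opt in OPTS:
            rule[OPTS[opt]] = "0.0.0.0/0" if arg == "0/0" else arg
        elif opt == "--dport":
            rule["dport"] = int(PORTS.get(arg, arg))
        elif opt == "--state":
            rule["state"] = set(arg.split(","))
    return rule

def matches(rule, pkt):
    if any(k in rule and rule[k] != pkt[k] for k in ("in", "out", "proto", "dport")):
        return False
    if "dst" in rule and ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    return "state" not in rule or pkt["state"] in rule["state"]

def walk(pkt, policy="DROP"):
    """First-match walk: returns (verdict, LOG prefixes hit); LOG never terminates."""
    hits = []
    for rule in map(parse_rule, FORWARD_RULES.strip().splitlines()):
        if matches(rule, pkt):
            if rule["target"] != "LOG":
                return rule["target"], hits
            hits.append(rule["prefix"])
    return policy, hits

# Constructed packet: the wget SYN after the PREROUTING DNAT, routed out eth0.
DNAT_SYN = {"in": "eth1", "out": "eth0", "dst": "123.123.123.2",
            "proto": "tcp", "dport": 80, "state": "NEW"}
print(walk(DNAT_SYN))                         # ('ACCEPT', ['[FWD-] '])
```

Because the chain accepts, the remaining places to check are outside the filter table: whether the box forwards at all and whether 123.123.123.2 routes its replies back through the firewall.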


