From: David at roamware <david@roamware.co.uk>
To: netfilter@vger.kernel.org
Subject: Failing to get forwarding to work fully.
Date: Sun, 03 Feb 2008 16:53:59 +0000
Message-ID: <47A5F1A7.4030308@roamware.co.uk>

Hi,

I have tried to get this iptables script on my Centos 4.4 machine 
working, with some help, but still have not succeeded in forwarding port 
722 to a machine on the LAN attached to the machine running iptables 
attached to the internet. The logging of the FORWARD packets just before 
drop tells me they are being forwarded. I also made sure the LAN 
attached machine on eth0 does accept ssh -D 722 once I logged into the 
public facing machine via ssh. So I kinda assume it is the return packet 
that is the problem, but cannot see why. Ideas? 333.333.333.333 is 
substituted for the public IP addr, 111.111.111.111 and 222.222.222.222 are 
machines I want to be the only ones that can access. eth0 is the LAN NIC 
and eth1 is the public facing NIC.

# Generated by iptables-save v1.2.11 on Thu Dec 15 17:00:25 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -j LOG --log-level debug
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 111.111.111.111 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 222.222.222.222 -p tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-crypt -j ACCEPT
-A INPUT -p ipv6-auth -j ACCEPT
-A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -d 333.333.333.333 -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -d 333.333.333.333 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,22,443,80,8080 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j LOG --log-level debug
-A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m multiport --dports 22,3306 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 333.333.333.333 -d 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -j DROP
-A OUTPUT -s 333.333.333.333 -o eth1 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Thu Dec 15 17:00:25 2005
# Generated by iptables-save v1.2.11 on Thu Dec 15 17:00:25 2005
*nat
:PREROUTING ACCEPT [2:208]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 333.333.333.333 -p tcp -j LOG --log-level debug
-A PREROUTING -i eth1 -p tcp -d 333.333.333.333 --dport 3307 -j DNAT --to-destination 192.168.0.223:3306
-A PREROUTING -i eth1 -p tcp -d 333.333.333.333 --dport 722 -j DNAT --to-destination 192.168.0.223:22
-A POSTROUTING -o eth1 -j SNAT --to-source 333.333.333.333
COMMIT


David
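An added example, not part of David's post or of any reply in the thread: a small script that parses iptables-save output and, for every DNAT rule in nat PREROUTING, checks that the filter FORWARD chain has an ACCEPT for NEW connections to the translated address and port, and that ESTABLISHED replies have a FORWARD rule letting them back out of the public interface. The dump it runs on is constructed (203.0.113.10 is a TEST-NET placeholder for the public address; the second DNAT is there to be caught); it does not check routing or net.ipv4.ip_forward, which must be 1 for any forwarding to happen.

```python
"""Sanity-check DNAT port forwards in an iptables-save dump (added example)."""
import ipaddress
import shlex

# Constructed sample dump, modelled on a two-NIC gateway (eth1 public, eth0 LAN).
# 203.0.113.10 is a TEST-NET placeholder for the public address.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.0.0/24 -i eth1 -o eth0 -p tcp -m multiport --dports 22,3306 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -d 203.0.113.10 --dport 722 -j DNAT --to-destination 192.168.0.223:22
-A PREROUTING -i eth1 -p tcp -d 203.0.113.10 --dport 8443 -j DNAT --to-destination 192.168.0.50:443
-A POSTROUTING -o eth1 -j SNAT --to-source 203.0.113.10
COMMIT
"""

NO_NEW_ACCEPT = "no FORWARD ACCEPT for NEW connections to the DNAT target"
NO_REPLY_PATH = "no FORWARD rule lets ESTABLISHED replies leave via the public interface"


def parse_rule(tokens):
    """Turn the tokens of one '-A CHAIN ...' line into {option: value}."""
    rule = {"chain": tokens[1]}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            i += 1  # stray positional token (e.g. the second --tcp-flags value)
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        rule[tok.lstrip("-")] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return rule


def parse_dump(text):
    """Return {table_name: [rule, ...]} for every '*table' block in the dump."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = tables.setdefault(line[1:], [])
        elif line.startswith("-A ") and current is not None:
            current.append(parse_rule(shlex.split(line)))
    return tables


def forward_allows(rules, in_if, proto, dst_ip, dst_port):
    """True if a FORWARD ACCEPT rule matches a NEW packet with these attributes.
    The out-interface is decided by routing, so -o is deliberately not checked."""
    for r in rules:
        if r["chain"] != "FORWARD" or r.get("j") != "ACCEPT":
            continue
        if in_if and r.get("i", in_if) != in_if:
            continue
        if r.get("p", proto) != proto:
            continue
        if "d" in r and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r["d"], strict=False):
            continue
        ports = r.get("dport") or r.get("dports")
        if ports and str(dst_port) not in ports.split(","):
            continue
        state = r.get("state")
        if state and "NEW" not in state.split(","):
            continue
        return True
    return False


def reply_path_allowed(rules, public_if):
    """True if replies leaving via public_if can pass FORWARD: an unconditional
    ACCEPT or a stateful one that includes ESTABLISHED, with no proto/port/address match."""
    for r in rules:
        if r["chain"] != "FORWARD" or r.get("j") != "ACCEPT":
            continue
        if public_if and "o" in r and r["o"] != public_if:
            continue
        if any(k in r for k in ("p", "dport", "dports", "d", "s")):
            continue
        state = r.get("state")
        if state is None or "ESTABLISHED" in state.split(","):
            return True
    return False


def check_port_forwards(text):
    """Return (public_port, target, problem) tuples for forwards the filter table would break."""
    tables = parse_dump(text)
    filt = tables.get("filter", [])
    problems = []
    for r in tables.get("nat", []):
        if r["chain"] != "PREROUTING" or r.get("j") != "DNAT":
            continue
        target = r["to-destination"]
        ip, _, port = target.partition(":")
        # DNAT without an explicit :port keeps the original destination port
        if not forward_allows(filt, r.get("i"), r.get("p", "tcp"), ip, port or r.get("dport")):
            problems.append((r.get("dport"), target, NO_NEW_ACCEPT))
        if not reply_path_allowed(filt, r.get("i")):
            problems.append((r.get("dport"), target, NO_REPLY_PATH))
    return problems


if __name__ == "__main__":
    for port, target, problem in check_port_forwards(SAMPLE_DUMP) or [(None, None, "no problems found")]:
        print(f"dport {port} -> {target}: {problem}")
```

On the constructed dump the 722 forward passes (port 22 is in the multiport list and the NEW rule covers 192.168.0.0/24) while the 8443 forward is reported, because nothing in FORWARD accepts NEW connections to port 443. The parser is intentionally simple: it ignores `!` negation and port ranges, so treat it as a first check before reading the live counters with `iptables -vnL FORWARD` and `iptables -t nat -vnL PREROUTING`.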



Thread overview: 5+ messages
2008-02-03 16:53 David at roamware [this message]
2008-02-03 17:19 ` Failing to get forwarding to work fully Rob Sterenborg
2008-02-03 22:40   ` David at roamware
2008-02-04  6:29     ` Rob Sterenborg
  -- strict thread matches above, loose matches on Subject: below --
2008-02-03 16:52 David Wynter