From: David T-G <davidtg-netfilter@justpickone.org>
To: NetFilter Users' List <netfilter@lists.netfilter.org>
Subject: ready to cry over NATting!
Date: Tue, 20 May 2003 06:29:57 -0400
Message-ID: <20030520102957.GA98543@justpickone.org>
Hi, all --
I've found and read more HOWTOs and have tried my hand at some iptables
scripts, including the incredibly simple, but still am not getting
anywhere.
I started out with SuSEfirewall2 settings. As far as I can tell, I ended
up with a wide-open firewall that didn't NAT. Phooey. So I gave up on
that and tried iptables commands directly.
Lifting directly from the "Made Simple" HOWTO, I tried
modprobe ipt_MASQUERADE # If this fails, try continuing anyway
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to my.ip.add.ress
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -P INPUT DROP #only if the first two are successful
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
to no avail. Just doing the first 4 commands left me with a server that
wouldn't talk. Adding the INPUT chains in the next two commands let me
talk again but didn't change anything else. Adding
iptables -P INPUT ACCEPT
still changed nothing. Adding
iptables -A FORWARD -i eth1 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
(the former out of desperation and the latter figuring that incoming on
the LAN and outgoing on the WAN would be a Good Thing) also changed
nothing.
Somewhere in here I was at least able to see packets counting up when
checking
iptables -t nat -vL
as a client on the inside was pinging an outside address.
So I went to Rusty's NAT HOWTO and built up some commands from it:
# load module
modprobe ipt_MASQUERADE # If this fails, try continuing anyway
# flush everything
iptables -F; iptables -t nat -F; iptables -t mangle -F
# turn on NATting & forwarding
#iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 65.69.195.178
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# accept returning ext packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept anything originating inside ("not ext")
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
# allow ssh & telnet
iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 23 -j ACCEPT
# talk to web server
iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT
# talk to mysql server
iptables -A input --protocol tcp --dport 3306 -j ACCEPT
# drop everything else
## iptables -P INPUT DROP #only if the first two are successful
# reject anything bound for a MASQed client
## iptables -A FORWARD -i eth1 -o eth0 -j REJECT
# what do we have?
echo "---"
iptables -L
echo "---"
iptables -t nat -L
echo "---"
[I also tried the 'abbreviated version', going only as far as the "echo"
line, but that was a bust.] Running this script as
linux:/tmp # nohup ./script
gave me
+ modprobe ipt_MASQUERADE
+ iptables -F
+ iptables -t nat -F
+ iptables -t mangle -F
+ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
+ echo 1
+ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -m state --state NEW -i '!' eth1 -j ACCEPT
+ iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT
+ iptables -A INPUT --protocol tcp --dport 23 -j ACCEPT
+ iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
+ iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT
+ iptables -A input --protocol tcp --dport 3306 -j ACCEPT
iptables: No chain/target/match by that name
+ echo ---
---
+ iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain input_ext (0 references)
target prot opt source destination
Chain reject_func (0 references)
target prot opt source destination
+ echo ---
---
+ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
+ echo ---
---
[yes, I now see the typo on the mysql protocol line]. I figured I would
get a wide-open firewall -- which nonetheless also accepted ssh, telnet,
web, mysql -- which did NATting for me, but it didn't. As I look at the
-L output I realize that I don't see any rules for anything except INPUT
and POSTROUTING, so I probably need more pieces, no?
I'm trying to get a good foundation in the terms and ideas, but I confess
that I still don't really know what a table is or how a chain works.
I don't know what or how to debug because I'm still coming up to speed,
but it seems that I can't even find a working example that I can then
flesh out! I would think that
Goal 1: NAT from eth1 (LAN) to and through eth0 (WAN) for client
Goal 2: Allow various connections and confirm that they work
Goal 3: Disallow Bad Stuff from WAN
Goal 4: Disallow Bad Stuff from LAN
is a good step-by-step approach but I can't even get past #1 :-(
TIA again & HAND
:-D
--
David T-G * There is too much animal courage in
(play) davidtg@justpickone.org * society and not sufficient moral courage.
(work) davidtgwork@justpickone.org -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
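A minimal working version of Goal 1, added here as an example and not part of the original post or any reply. It assumes eth0 is the LAN side and eth1 the WAN side, as the posted MASQUERADE rule implies, and uses the modern "! -i" negation syntax instead of the 2003-era "-i !" form; the FORWARD rules are the piece the posted script lacks, since the -L output shows that chain with policy DROP and no rules.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal stateful NAT gateway
# laid out the way the posted rules imply (eth0 = LAN side, eth1 = WAN side).
# It supplies what the posted script lacks: rules in FORWARD. With FORWARD's
# policy at DROP and no rules in it (as the -L output shows) nothing is
# forwarded, so POSTROUTING MASQUERADE never gets a packet to rewrite.
LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
IPT=${IPT:-iptables}   # set IPT=echo for a dry run that only prints commands

apply_nat() {
    # Clean slate in every table, so leftover chains from an earlier
    # firewall script (input_ext, reject_func above) cannot interfere.
    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t mangle -F

    # Default deny for traffic to and through the box; it may talk out freely.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, replies to the firewall's own connections, and anything
    # new arriving from a non-WAN interface (modern "! -i" syntax).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state NEW ! -i "$WAN" -j ACCEPT

    # Goal 1 from the post: new connections LAN -> WAN, replies in either
    # direction; unsolicited WAN -> LAN traffic hits the DROP policy.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT

    # Rewrite the source of forwarded packets as they leave on the WAN side.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

enable_forwarding() {
    # Netfilter rules alone do not route; the kernel must forward too.
    if [ "$IPT" = echo ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Only act when invoked as "./nat.sh apply"; sourcing just defines functions.
if [ "${1:-}" = apply ]; then
    apply_nat
    enable_forwarding
fi
```

Run "IPT=echo ./nat.sh apply" first to review the exact rule set before applying it for real; the FORWARD chain should then list two rules instead of the empty one shown above.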