Linux Netfilter discussions
From: Guillaume <silencer@free-4ever.net>
To: netfilter@lists.netfilter.org
Subject: Re: Help with IPtables and NAT
Date: Sat, 22 Jul 2006 10:23:11 +0200
Message-ID: <44C1E06F.1080803@free-4ever.net>
In-Reply-To: <44C16109.20704@jemconsult.biz>

James Marcinek wrote:
> Hello Everyone,
> 
> I've been running my Red Hat box as a router for my small network for 
> the past couple of years with no problems (if it works, don't fix it). I 
> have another live IP address that I would like to use. I would like any 
> traffic destined for this 'new' address to be forwarded (DNAT) to a 
> system in my intranet. I don't want to blindly allow all traffic, just 
> certain ones based off of rules. I have attempted to do this a couple of 
> times but without success. Below is my current topology (real IPs have 
> been substituted for 172.10.10.x addresses):
> 
>                     Internet
>                        |
>                        |
>                        |
>           -------------------------
>           | 172.10.10.1 eth0      |
>           |                       |
>           |                       |
>           | 192.168.0.1 eth1      |
>           -------------------------
>                        |
>                        |
>                        |
>               Intranet (private network)
> 
> Here's what I would like to have:
> 
>                     Internet
>                        |
>                        |
>                        |
>           -------------------------
>           | 172.10.10.1 eth0      |
>           | 172.10.10.2 eth0:0    |
>           |                       |
>           | 192.168.0.1 eth1      |
>           -------------------------
>                        |
>                        |
>                        |
>               Intranet (private network)
>                        |
>                        |
> -----------------------------------------> 172.10.10.2 traffic to 192.168.0.2
> 
> I have bound the 2 IP addresses to the external NIC on my system (RHEL 
> 4). I have attempted to modify the script and have reverted to my 
> original to start over. Here's my current config:
> 
> # First drop everything (lets you open what you want)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> # User-defined chain for ACCEPTed TCP packets
> iptables -N okay
> iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
> 
> # INPUT chain rules
> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
> iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
> 
> # Rules for incoming packets from the Internet
> 
> # Packets for established connections
> iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # TCP rules
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
> 
> # UDP rules
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
> 
> # ICMP rules
> 
> # FORWARD chain rules
> iptables -A FORWARD -i eth1 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> 
> # OUTPUT chain rules
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
> 
> # POSTROUTING
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
> 
> ###################
> 
> This has been working fine for me. I've been modifying it and things 
> haven't been going well for me, I have to say. What I would like to do 
> is forward any traffic that is going to eth0:0 and send it to an 
> internal system. I don't want everything open on this system. This is my 
> latest concoction:
> 
> # First drop everything (lets you open what you want)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -t nat -P PREROUTING DROP
> iptables -t nat -P POSTROUTING DROP
> 
> # PREROUTING chain rules
> # iptables -t nat -i PREROUTING 1 -d 172.10.10.2 -j LOG --loglevel debug
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 443 -j DNAT --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 22 -j DNAT --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 25 -j DNAT --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 993 -j DNAT --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT --to-dest 192.168.0.2
> 
> # User-defined chain for ACCEPTed TCP packets
> iptables -N okay
> iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
> 
> # INPUT chain rules
> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.2 -j ACCEPT
> iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
> 
> # Rules for incoming packets from the Internet
> 
> # Packets for established connections
> iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # TCP rules
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
> 
> # UDP rules
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
> 
> # ICMP rules
> 
> # FORWARD chain rules
> iptables -A FORWARD -i eth1 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT
> 
> # OUTPUT chain rules
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
> # iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT
> iptables -t nat -A OUTPUT -d 172.10.10.2 -p ALL -j DNAT --to-destination 192.168.0.2
> 
> # POSTROUTING
> iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 172.10.10.2
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
> 
> I put all of the ports that I want allowed to go to the internal system 
> in the PREROUTING table. Is this the right way to do it? I would hope 
> that somebody can look at this and tell me what I'm doing wrong and what 
> I'm missing.
> 
> Thanks,
> 
> James
> 
> 
> 

Hi

I think you have 2 problems in your rules:
  - The chains in the NAT table must not be set to DROP. No filtering in the nat 
table.
  - You forgot to add the rules to authorise traffic coming from eth0:0 
to your internal host. After a DNAT rule, you need to explicitly 
authorise the corresponding traffic.
And I think I didn't read any rule related to that.

For example, you set this rule:
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT --to-dest 192.168.0.2
You must set this rule:
iptables -t filter -A FORWARD -i eth0:0 -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
And the same for all incoming traffic.

Regards
Guillaume


-- 
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
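An added example, not code from either poster, that turns the advice above into a script for the quoted topology: the nat chain policies stay at ACCEPT, and every DNAT rule gets a matching FORWARD accept for NEW connections, with the ESTABLISHED,RELATED rule carrying the rest of each flow. It assumes the addresses and ports from the quoted config, and matches on eth0 rather than eth0:0 because netfilter does not treat an IP alias as a separate interface; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example for the thread above, not the poster's script. Assumes the quoted
# topology: eth0 carries 172.10.10.1 and the alias 172.10.10.2 (eth0:0), eth1 is
# the LAN, and 192.168.0.2 is the DNAT target. Run with --apply to install.
IPT="${IPT:-iptables}"          # set IPT=echo to print rules instead of applying
PUBLIC_IP=172.10.10.2
INTERNAL_IP=192.168.0.2
WAN_IF=eth0                     # netfilter sees packets for eth0:0 on eth0
TCP_PORTS="21 22 25 80 443 953 993"
UDP_PORTS="53"

# One PREROUTING DNAT rule plus the FORWARD accept it needs. Only the NEW
# packet of a flow must be accepted here; the ESTABLISHED,RELATED rule in
# FORWARD carries the rest, and conntrack un-translates the replies.
dnat_service() {
    proto=$1
    port=$2
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p "$proto" \
        --dport "$port" -j DNAT --to-destination "$INTERNAL_IP"
    $IPT -A FORWARD -i "$WAN_IF" -d "$INTERNAL_IP" -p "$proto" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

apply_dnat_rules() {
    # nat chains only translate: keep their policy ACCEPT and filter in FORWARD.
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $TCP_PORTS; do dnat_service tcp "$p"; done
    for p in $UDP_PORTS; do dnat_service udp "$p"; done
    # Connections the internal host opens itself leave as the alias address
    # (keep this rule before any catch-all SNAT to 172.10.10.1).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$INTERNAL_IP" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# Dry-run helper: number of per-service FORWARD accepts the script installs.
count_forward_accepts() {
    ( IPT=echo; apply_dnat_rules ) | grep -c -- '-A FORWARD .* --state NEW -j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    apply_dnat_rules
fi
```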

