* Help with IPtables and NAT
@ 2006-07-21 23:19 James Marcinek
2006-07-21 23:32 ` Gary W. Smith
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: James Marcinek @ 2006-07-21 23:19 UTC (permalink / raw)
To: netfilter
Hello Everyone,
I've been running my Red Hat box as a router for my small network for
the past couple of years with no problems (if it works don't fix it). I
have another live IP address that I would like use. I would like any
traffic destined for this 'new' address to forward (DNAT) traffic to a
system in my intranet. I don't want to blindly allow all traffic, just
certain ones based off of rules. I have attempted to do this a couple of
time but without success. Below is my current topology (real IP's have
been substituted for 172.10.10.x addresses:
Internet
|
|
|
-------------------------
| 172.10.10.1 eth0 |
| |
| |
| 192.168.0.1 eth1 |
-------------------------
|
|
|
Intranet (private network)
Here's what I would like to have:
Internet
|
|
|
-------------------------
| 172.10.10.1 eth0 |
| 172.10.10.2 eth0:0 |
| |
| 192.168.0.1 eth1 |
-------------------------
|
|
|
Intranet (private network)
|
----------------------------------------->172.10.10.2 traffic to 192.168.0.2
I have bound the 2 IP addresses to the external NIC on my system (RHEL
4). I have attempted at modifying the script and have reverted to my
original to start over. Here's my current config:
# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# User-defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
# INPUT chain rules
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
# Rules for incoming packets from the Internet
# Packets for established connections
iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state
ESTABLISHED,RELATED -j ACCEPT
# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
# ICMP rules
# FORWARD chain rules
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
# POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
###################
This has been working fine for me. I've been modifying it and things
haven't been going well for me I have to say. Would I would like to do
is forward any traffic that is going to eth0:0 and send it to an
internal system. I don't want everything open on this system. This is my
latest concoction:
# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
# PREROUTING chain rules
# iptables -t nat -i PREROUTING 1 -d 172.10.10.2 -j LOG --loglevel debug
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 443 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 22 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 25 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 993 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
--to-dest 192.168.0.2
# User-defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
# INPUT chain rules
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.2 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
# Rules for incoming packets from the Internet
# Packets for established connections
iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state
ESTABLISHED,RELATED -j ACCEPT
# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
# ICMP rules
# FORWARD chain rules
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT
# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
# iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT
iptables -t nat -A OUTPUT -d 172.10.10.2 -p ALL -j DNAT --to-destination
192.168.0.2
# POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source
172.10.10.2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
I put all of the ports that I want allowed to go to the internal system
in the PREROUTING table. Is this the right way to do it? I would hope
that somebody can look at this and tell me what I'm doing wrong and what
I'm missing.
Thanks,
James
^ permalink raw reply [flat|nested] 9+ messages in thread* RE: Help with IPtables and NAT
2006-07-21 23:19 Help with IPtables and NAT James Marcinek
@ 2006-07-21 23:32 ` Gary W. Smith
2006-07-22 0:58 ` Pascal Hambourg
2006-07-22 8:23 ` Guillaume
2 siblings, 0 replies; 9+ messages in thread
From: Gary W. Smith @ 2006-07-21 23:32 UTC (permalink / raw)
To: James Marcinek, netfilter
You basically you are looking for DNAT on the inside for all hosts and
1:1 SNAT for the .2 address?
If that is the case then you will to change the *nat rules to something
like this:
Where 192.168.0.x are the external address and 10.1.0.x are the internal
addresses
-A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 10.1.0.1
-A PREROUTING -d 192.168.0.2 -j DNAT --to-destination 10.1.0.2
-A POSTROUTING -s 10.1.0.1 -o eth0 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 10.1.0.2 -o eth0 -j SNAT --to-source 192.168.0.2
# Some say the next two aren't required but odd things happen when I'm
# trying to access things from the internal subnet from the external
# IP. This seems to fix that.
-A POSTROUTING -s 10.1.0.1 -d 10.1.0.1 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 10.1.0.2 -d 10.1.0.2 -j SNAT --to-source 192.168.0.2
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.1
-A OUTPUT -d 192.168.0.1 -j DNAT --to-destination 10.1.0.1
-A OUTPUT -d 192.168.0.2 -j DNAT --to-destination 10.1.0.1
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of James Marcinek
> Sent: Friday, July 21, 2006 4:20 PM
> To: netfilter@lists.netfilter.org
> Subject: Help with IPtables and NAT
>
> Hello Everyone,
>
> I've been running my Red Hat box as a router for my small network for
> the past couple of years with no problems (if it works don't fix it).
I
> have another live IP address that I would like use. I would like any
> traffic destined for this 'new' address to forward (DNAT) traffic to a
> system in my intranet. I don't want to blindly allow all traffic, just
> certain ones based off of rules. I have attempted to do this a couple
of
> time but without success. Below is my current topology (real IP's have
> been substituted for 172.10.10.x addresses:
>
>
>
>
> Internet
>
> |
>
> |
>
> |
>
> -------------------------
>
> | 172.10.10.1 eth0 |
>
> | |
>
> | |
>
> | 192.168.0.1 eth1 |
>
> -------------------------
>
> |
>
> |
>
> |
>
> Intranet (private network)
>
>
> Here's what I would like to have:
>
>
> Internet
>
> |
>
> |
>
> |
>
> -------------------------
>
> | 172.10.10.1 eth0 |
>
> | 172.10.10.2 eth0:0 |
>
> | |
>
> | 192.168.0.1 eth1 |
>
> -------------------------
>
> |
>
> |
>
> |
>
> Intranet (private network)
>
> |
>
>
> ----------------------------------------->172.10.10.2 traffic to
> 192.168.0.2
>
> I have bound the 2 IP addresses to the external NIC on my system (RHEL
> 4). I have attempted at modifying the script and have reverted to my
> original to start over. Here's my current config:
>
> # First drop everything (lets you open what you want)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # User-defined chain for ACCEPTed TCP packets
> iptables -N okay
> iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
>
> # INPUT chain rules
> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
> iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
>
> # Rules for incoming packets from the Internet
>
> # Packets for established connections
> iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> # TCP rules
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
>
> # UDP rules
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j
ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j
ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j
ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j
ACCEPT
>
> # ICMP rules
>
> # FORWARD chain rules
> iptables -A FORWARD -i eth1 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> # OUTPUT chain rules
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
>
> # POSTROUTING
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
>
> ###################
>
> This has been working fine for me. I've been modifying it and things
> haven't been going well for me I have to say. Would I would like to do
> is forward any traffic that is going to eth0:0 and send it to an
> internal system. I don't want everything open on this system. This is
my
> latest concoction:
>
> # First drop everything (lets you open what you want)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -t nat -P PREROUTING DROP
> iptables -t nat -P POSTROUTING DROP
>
> # PREROUTING chain rules
> # iptables -t nat -i PREROUTING 1 -d 172.10.10.2 -j LOG --loglevel
debug
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 443 -j
DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 22 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 25 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j
DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 993 -j
DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
> --to-dest 192.168.0.2
>
> # User-defined chain for ACCEPTed TCP packets
> iptables -N okay
> iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
>
> # INPUT chain rules
> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.2 -j ACCEPT
> iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
>
> # Rules for incoming packets from the Internet
>
> # Packets for established connections
> iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> # TCP rules
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
>
> # UDP rules
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j
ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j
ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j
ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j
ACCEPT
>
> # ICMP rules
>
> # FORWARD chain rules
> iptables -A FORWARD -i eth1 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT
>
> # OUTPUT chain rules
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
> # iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT
> iptables -t nat -A OUTPUT -d 172.10.10.2 -p ALL -j DNAT
--to-destination
> 192.168.0.2
>
> # POSTROUTING
> iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source
> 172.10.10.2
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
>
> I put all of the ports that I want allowed to go to the internal
system
> in the PREROUTING table. Is this the right way to do it? I would hope
> that somebody can look at this and tell me what I'm doing wrong and
what
> I'm missing.
>
> Thanks,
>
> James
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help with IPtables and NAT
2006-07-21 23:19 Help with IPtables and NAT James Marcinek
2006-07-21 23:32 ` Gary W. Smith
@ 2006-07-22 0:58 ` Pascal Hambourg
2006-07-24 15:16 ` Martijn Lievaart
[not found] ` <42950.2001:888:19e1::53.1153754175.squirrel@dexter>
2006-07-22 8:23 ` Guillaume
2 siblings, 2 replies; 9+ messages in thread
From: Pascal Hambourg @ 2006-07-22 0:58 UTC (permalink / raw)
To: netfilter
Hello,
James Marcinek a écrit :
[...]
> This is my latest concoction:
>
> # First drop everything (lets you open what you want)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
So far so good.
> iptables -t nat -P PREROUTING DROP
> iptables -t nat -P POSTROUTING DROP
This is wrong, *very* wrong. The 'nat' table is not intended to do any
filtering, so you don't want to set the default policy of any nat chain
to DROP. Trust me. (Sometimes I wonder why the DROP default policy is
allowed in the nat chains.)
> # PREROUTING chain rules
> # iptables -t nat -i PREROUTING 1 -d 172.10.10.2 -j LOG --loglevel debug
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 443 -j DNAT
> --to-dest 192.168.0.2
[and so on]
Since you want to DNAT 172.10.10.2 to 192.168.0.2, I suggest you write a
single rule for all protocols and ports :
iptables -t nat -A PREROUTING -d 172.10.10.2 -j DNAT --to 192.168.0.2
Then you add rules in the filter FORWARD chain to do the filtering, just
like you did in the filter INPUT chain.
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
> --to-dest 192.168.0.2
Here you have twice the same rule. Shouldn't one be for TCP (DNS can use
either TCP our UDP) ?
> # User-defined chain for ACCEPTed TCP packets
> iptables -N okay
> iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
It does not really matter, but I don't fully understant the purpose of
this chain.
> # INPUT chain rules
> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.2 -j ACCEPT
You forgot the whole 127.0.0.0/8 subnet which can be used on the
loopback interface. Anyway, why don't you just allow all traffic on the
loopback interface ?
> iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
Useless : 192.168.0.255 belongs to 192.168.0.0/24.
> # Rules for incoming packets from the Internet
>
> # Packets for established connections
> iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
If all traffic on 172.10.10.2 is redirected to 192.168.0.2, this last
rule becomes useless.
> # TCP rules
[...]
> # UDP rules
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
[...]
As DNS can also use TCP, I'd expect a rule accepting TCP port 53.
> # ICMP rules
>
> # FORWARD chain rules
> iptables -A FORWARD -i eth1 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT
Ok, you don't want to accept all traffic redirected to 192.168.0.2. So
you have to add rules to accept some protocols/ports. E.g. :
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> # OUTPUT chain rules
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
Same remark as above about 127.0.0.0/8.
By the way, why do you need to filter the source address in OUTPUT ?
This could break things like the REJECT target if you used it.
> # iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT
> iptables -t nat -A OUTPUT -d 172.10.10.2 -p ALL -j DNAT --to-destination
> 192.168.0.2
>
> # POSTROUTING
> iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source
> 172.10.10.2
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: Help with IPtables and NAT
2006-07-22 0:58 ` Pascal Hambourg
@ 2006-07-24 15:16 ` Martijn Lievaart
[not found] ` <42950.2001:888:19e1::53.1153754175.squirrel@dexter>
1 sibling, 0 replies; 9+ messages in thread
From: Martijn Lievaart @ 2006-07-24 15:16 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
<citaat van="Pascal Hambourg">
> Hello,
>
> James Marcinek a écrit :
>
> You forgot the whole 127.0.0.0/8 subnet which can be used on the
> loopback interface. Anyway, why don't you just allow all traffic on the
> loopback interface ?
Even worse, loopback is used for communicating with any local address, not
just the one assigned to the lo interface. Don't restrict loopback unless
you know exactly what you're doing.
M4
^ permalink raw reply [flat|nested] 9+ messages in thread[parent not found: <42950.2001:888:19e1::53.1153754175.squirrel@dexter>]
* Re: Help with IPtables and NAT
[not found] ` <42950.2001:888:19e1::53.1153754175.squirrel@dexter>
@ 2006-07-28 10:31 ` Pascal Hambourg
0 siblings, 0 replies; 9+ messages in thread
From: Pascal Hambourg @ 2006-07-28 10:31 UTC (permalink / raw)
To: netfilter
Martijn Lievaart a écrit :
> <citaat van="Pascal Hambourg">
>>
>>You forgot the whole 127.0.0.0/8 subnet which can be used on the
>>loopback interface. Anyway, why don't you just allow all traffic on the
>>loopback interface ?
>
> Even worse, loopback is used for communicating with any local address, not
> just the one assigned to the lo interface.
Local addresses were already dealt with by the following rules :
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.2 -j ACCEPT
> Don't restrict loopback unless you know exactly what you're doing.
Sure. Much less pain.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help with IPtables and NAT
2006-07-21 23:19 Help with IPtables and NAT James Marcinek
2006-07-21 23:32 ` Gary W. Smith
2006-07-22 0:58 ` Pascal Hambourg
@ 2006-07-22 8:23 ` Guillaume
2006-07-22 10:29 ` Pascal Hambourg
2 siblings, 1 reply; 9+ messages in thread
From: Guillaume @ 2006-07-22 8:23 UTC (permalink / raw)
To: netfilter
James Marcinek a écrit :
> Hello Everyone,
>
> I've been running my Red Hat box as a router for my small network for
> the past couple of years with no problems (if it works don't fix it). I
> have another live IP address that I would like use. I would like any
> traffic destined for this 'new' address to forward (DNAT) traffic to a
> system in my intranet. I don't want to blindly allow all traffic, just
> certain ones based off of rules. I have attempted to do this a couple of
> time but without success. Below is my current topology (real IP's have
> been substituted for 172.10.10.x addresses:
>
>
>
>
> Internet
>
> |
>
> |
>
> |
>
> -------------------------
>
> | 172.10.10.1 eth0 |
>
> | |
>
> | |
>
> | 192.168.0.1 eth1 |
>
> -------------------------
>
> |
>
> |
>
> |
>
> Intranet (private network)
>
>
> Here's what I would like to have:
>
>
> Internet
>
> |
>
> |
>
> |
>
> -------------------------
>
> | 172.10.10.1 eth0 |
>
> | 172.10.10.2 eth0:0 |
>
> | |
>
> | 192.168.0.1 eth1 |
>
> -------------------------
>
> |
>
> |
>
> |
>
> Intranet (private network)
>
> |
>
>
> ----------------------------------------->172.10.10.2 traffic to
> 192.168.0.2
>
> I have bound the 2 IP addresses to the external NIC on my system (RHEL
> 4). I have attempted at modifying the script and have reverted to my
> original to start over. Here's my current config:
>
> # First drop everything (lets you open what you want)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # User-defined chain for ACCEPTed TCP packets
> iptables -N okay
> iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
>
> # INPUT chain rules
> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
> iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
>
> # Rules for incoming packets from the Internet
>
> # Packets for established connections
> iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> # TCP rules
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
>
> # UDP rules
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
>
> # ICMP rules
>
> # FORWARD chain rules
> iptables -A FORWARD -i eth1 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> # OUTPUT chain rules
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
>
> # POSTROUTING
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
>
> ###################
>
> This has been working fine for me. I've been modifying it and things
> haven't been going well for me I have to say. Would I would like to do
> is forward any traffic that is going to eth0:0 and send it to an
> internal system. I don't want everything open on this system. This is my
> latest concoction:
>
> # First drop everything (lets you open what you want)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -t nat -P PREROUTING DROP
> iptables -t nat -P POSTROUTING DROP
>
> # PREROUTING chain rules
> # iptables -t nat -i PREROUTING 1 -d 172.10.10.2 -j LOG --loglevel debug
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 443 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 22 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 25 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 993 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
> --to-dest 192.168.0.2
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
> --to-dest 192.168.0.2
>
> # User-defined chain for ACCEPTed TCP packets
> iptables -N okay
> iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
>
> # INPUT chain rules
> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 172.10.10.2 -j ACCEPT
> iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
>
> # Rules for incoming packets from the Internet
>
> # Packets for established connections
> iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> # TCP rules
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
>
> # UDP rules
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
>
> # ICMP rules
>
> # FORWARD chain rules
> iptables -A FORWARD -i eth1 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT
>
> # OUTPUT chain rules
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
> # iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT
> iptables -t nat -A OUTPUT -d 172.10.10.2 -p ALL -j DNAT --to-destination
> 192.168.0.2
>
> # POSTROUTING
> iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source
> 172.10.10.2
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
>
> I put all of the ports that I want allowed to go to the internal system
> in the PREROUTING table. Is this the right way to do it? I would hope
> that somebody can look at this and tell me what I'm doing wrong and what
> I'm missing.
>
> Thanks,
>
> James
>
>
>
Hi
I think you 2 problems in your rules:
- The chains in NAT table must not be set to drop. NO filtering in nat
table.
- You forgot to add the rules to autorise traffic coming from eth0:0
to your internal host. After a DNAT rule, you need to explicitely
autorise the corresponding traffic.
Ab i think, I've don't read any rule related to that.
For example, you set this rule:
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT
--to-dest 192.168.0.2
You must set this rule:
iptables -t filter -A FORWARD -i eth0:0 -p tcp -d 192.168.0.2 --dport 80
-j ACCEPT
And the same for all incoming traffics.
Regards
Guillaume
--
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help with IPtables and NAT
2006-07-22 8:23 ` Guillaume
@ 2006-07-22 10:29 ` Pascal Hambourg
2006-07-22 11:18 ` Guillaume
0 siblings, 1 reply; 9+ messages in thread
From: Pascal Hambourg @ 2006-07-22 10:29 UTC (permalink / raw)
To: netfilter
Guillaume a écrit :
>
> I think you 2 problems in your rules:
> - The chains in NAT table must not be set to drop. NO filtering in nat
> table.
> - You forgot to add the rules to autorise traffic coming from eth0:0 to
> your internal host. After a DNAT rule, you need to explicitely autorise
> the corresponding traffic.
> Ab i think, I've don't read any rule related to that.
>
> For example, you set this rule:
> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT
> --to-dest 192.168.0.2
> You must set this rule:
> iptables -t filter -A FORWARD -i eth0:0 -p tcp -d 192.168.0.2 --dport 80
> -j ACCEPT
> And the same for all incoming traffics.
This is correct except for one detail : the interface eth0:0 does not
exist. It is only an alias and is not used by either the routing nor
iptables. You muse use the real interface name, eth0.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help with IPtables and NAT
2006-07-22 10:29 ` Pascal Hambourg
@ 2006-07-22 11:18 ` Guillaume
2006-07-22 14:38 ` James Marcinek
0 siblings, 1 reply; 9+ messages in thread
From: Guillaume @ 2006-07-22 11:18 UTC (permalink / raw)
To: netfilter
Pascal Hambourg a écrit :
> Guillaume a écrit :
>>
>> I think you 2 problems in your rules:
>> - The chains in NAT table must not be set to drop. NO filtering in
>> nat table.
>> - You forgot to add the rules to autorise traffic coming from eth0:0
>> to your internal host. After a DNAT rule, you need to explicitely
>> autorise the corresponding traffic.
>> Ab i think, I've don't read any rule related to that.
>>
>> For example, you set this rule:
>> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT
>> --to-dest 192.168.0.2
>> You must set this rule:
>> iptables -t filter -A FORWARD -i eth0:0 -p tcp -d 192.168.0.2 --dport
>> 80 -j ACCEPT
>> And the same for all incoming traffics.
>
> This is correct except for one detail : the interface eth0:0 does not
> exist. It is only an alias and is not used by either the routing nor
> iptables. You muse use the real interface name, eth0.
>
hhhmmm
Ok :-)
I never use alias on interface... :-)
Thx for correcting me
Guillaume
--
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help with IPtables and NAT
2006-07-22 11:18 ` Guillaume
@ 2006-07-22 14:38 ` James Marcinek
0 siblings, 0 replies; 9+ messages in thread
From: James Marcinek @ 2006-07-22 14:38 UTC (permalink / raw)
To: netfilter, doug
Thanks for responding everyone. I am hopefully very close to
implementing these rules. Here is my proposed set of rules. I have a
couple of concerns but please feel free to leave input:
# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# PREROUTING chain rules
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 443 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 22 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 25 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 993 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
--to-dest 192.168.0.2
# User-defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
# INPUT chain rules
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.2 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
# Rules for incoming packets from the Internet
# Packets for established connections
iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state
ESTABLISHED,RELATED -j ACCEPT
# NOT SURE IF I NEED THIS AS IT'S AN INPUT???
# iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state
ESTABLISHED,RELATED -j ACCEPT
# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
# ICMP rules
# FORWARD chain rules
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# - FORWARDS to server
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 953-j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i etho -d 192.168.0.2 -p udp --dport 953-j ACCEPT
# iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT
# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
# NOT SURE IF THIS IS CORRECT OR NEEDED???
iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT
# POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source
172.10.10.2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
Guillaume wrote:
> Pascal Hambourg a écrit :
>> Guillaume a écrit :
>>>
>>> I think you 2 problems in your rules:
>>> - The chains in NAT table must not be set to drop. NO filtering in
>>> nat table.
>>> - You forgot to add the rules to autorise traffic coming from
>>> eth0:0 to your internal host. After a DNAT rule, you need to
>>> explicitely autorise the corresponding traffic.
>>> Ab i think, I've don't read any rule related to that.
>>>
>>> For example, you set this rule:
>>> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j
>>> DNAT --to-dest 192.168.0.2
>>> You must set this rule:
>>> iptables -t filter -A FORWARD -i eth0:0 -p tcp -d 192.168.0.2
>>> --dport 80 -j ACCEPT
>>> And the same for all incoming traffics.
>>
>> This is correct except for one detail : the interface eth0:0 does not
>> exist. It is only an alias and is not used by either the routing nor
>> iptables. You muse use the real interface name, eth0.
>>
>
> hhhmmm
> Ok :-)
>
> I never use alias on interface... :-)
>
> Thx for correcting me
>
> Guillaume
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2006-07-28 10:31 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-07-21 23:19 Help with IPtables and NAT James Marcinek
2006-07-21 23:32 ` Gary W. Smith
2006-07-22 0:58 ` Pascal Hambourg
2006-07-24 15:16 ` Martijn Lievaart
[not found] ` <42950.2001:888:19e1::53.1153754175.squirrel@dexter>
2006-07-28 10:31 ` Pascal Hambourg
2006-07-22 8:23 ` Guillaume
2006-07-22 10:29 ` Pascal Hambourg
2006-07-22 11:18 ` Guillaume
2006-07-22 14:38 ` James Marcinek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox