Linux Netfilter discussions
* Port forwarding problem
@ 2002-11-14  4:29 Tom Elsesser
  2002-11-24 20:40 ` Joel Newkirk
  0 siblings, 1 reply; 28+ messages in thread
From: Tom Elsesser @ 2002-11-14  4:29 UTC (permalink / raw)
  To: netfilter

Hi,
I have 2 linux servers on a 20 workstation network. There is an adsl
connection coming thru an EN5861 router which connects to one server
(yzerman) on eth1. Eth0 on this box goes to a 48 port switch. The
other linux box (ulysses) is going to be a webmail server, and has 1
nic going to the switch. I have the apache server on ulysses listening
on port 8000. The router can forward ports but only on its own subnet,
which is the same as eth1 on yzerman. I am trying to get port 8000 to
go thru yzerman to ulysses, but can't seem to get it right. Can
someone take a peek at my iptables config and tell me where I went
wrong?

Thanks in advance.

+++++++++++++++++
#!/bin/sh

# Turn on ipforwarding just in case
echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush old rulesets
/sbin/iptables -F
/sbin/iptables -F -t nat

# Default policies
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

# Masq out eth1 (to router)
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Allow packets to return
/sbin/iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow packets out
/sbin/iptables -A FORWARD -i eth0 -s 10.1.1.0/8 -j ACCEPT

# Forward squirrelmail http request to ulysses
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j DNAT --to 10.1.1.2

# Connect to port 8000 (squirrelmail) from outside
/sbin/iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 8000 -j ACCEPT

# Connect via ssh from outside
/sbin/iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 22 -j ACCEPT

# Log to syslog
# /sbin/iptables -A INPUT -j LOG


-- 
Tom



* Re: Port forwarding problem
  2002-11-14  4:29 Port " Tom Elsesser
@ 2002-11-24 20:40 ` Joel Newkirk
  0 siblings, 0 replies; 28+ messages in thread
From: Joel Newkirk @ 2002-11-24 20:40 UTC (permalink / raw)
  To: Tom Elsesser, netfilter

On Wednesday 13 November 2002 11:29 pm, Tom Elsesser wrote:
> Hi,
>  I have 2 linux servers on a 20 workstation network. There is an adsl
> connection coming thru an EN5861 router which connects to one server
> (yzerman) on eth1. Eth0 on this box goes to a 48 port switch. The
> other linux box (ulysses) is going to be a webmail server, and has 1
> nic going to the switch. I have the apache server on ulysses listening
> on port 8000. The router can forward ports but only on its own subnet,
> which is the same as eth1 on yzerman. I am trying to get port 8000 to
> go thru yzerman to ulysses, but can't seem to get it right. Can
> someone take a peek at my iptables config and tell me where I went
> wrong?

You need a few rules to allow this:  DNAT incoming port 8000 requests, accept 
those in FORWARD, accept returning in FORWARD.  (Once DNATted they are 
packets to be forwarded to another machine, not INPUT for the local firewall 
machine)

I've commented throughout the script below.  Is this your complete ruleset?


> Thanks in advance.
>
> +++++++++++++++++
> #!/bin/sh
>
> # Turn on ipforwarding just in case
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> # Flush old rulesets
> /sbin/iptables -F
> /sbin/iptables -F -t nat
>
> # Default policies
> /sbin/iptables -P INPUT ACCEPT
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -P FORWARD DROP

I'd STRONGLY suggest that for everyday use you set at least INPUT policy to 
DROP as well, and ACCEPT only traffic that legitimately should be granted 
access to the firewall machine.  Webmail traffic will (with proper 
configuration) all go through FORWARD, as will masqueraded LAN traffic.
Only connections to yzerman itself should ever be in INPUT, and only 
connections you explicitly want to allow to your firewall should ever be 
ACCEPTed in INPUT.

> # Masq out eth1 (to router)
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Fine here, but if your IP is static just SNAT, there's a lot less overhead if 
netfilter doesn't need to constantly double-check the firewall's IP.

> # Allow packets to return
> /sbin/iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # Allow packets out
> /sbin/iptables -A FORWARD -i eth0 -s 10.1.1.0/8 -j ACCEPT

If this is all the FORWARD rules you have, then you'll have problems.  You 
have a default DROP policy for FORWARD, which is good, but here you only 
allow EST/REL connections back from the internet (allows MASQ back through) 
and connections out from the LAN.  You need to also allow the DNATted 
connections through FORWARD, IE the INPUT --dport 8000 rule below should be 
in FORWARD, since that's where the DNATted packets are bound.  Your rule 
construction also doesn't allow connections from the LAN to forward to 
ulysses.  Is this the way you want it?  It's quite a bit more complicated to 
allow that, but can certainly be done.


> # Forward squirrelmail http request to ulysses
> /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j DNAT --to 10.1.1.2
>
> # Connect to port 8000 (squirrelmail) from outside
> /sbin/iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 8000 -j ACCEPT

As said above, port 8000 is FORWARD traffic for the firewall after DNATting, 
not INPUT.

> # Connect via ssh from outside
> /sbin/iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 22 -j ACCEPT

Is this intended to allow SSH from the internet to the firewall?  That's what 
it currently does.  With ACCEPT policy on INPUT this is redundant anyway, but 
you should really default DROP, then allow specific cases through.  Again, no 
provisions for SSH from the LAN - is that something you want?  Currently the 
ACCEPT policy would allow that anyway, so the net effect right now is that 
SSH connections from the internet to the firewall machine are counted 
separately, and all traffic into the firewall machine is accepted.  NOT a 
particularly secure arrangement...  (actually about as insecure as it could 
get, barring ACCEPT policy on FORWARD...)

> # Log to syslog
> # /sbin/iptables -A INPUT -j LOG


My suggestions would be:

Set default DROP policy for INPUT and FORWARD.  

Accept EST/REL in FORWARD without matching source/dest/in/out, or set up 
multiple state rules to allow both directions.  (only difference is multiple 
rules allow you to see traffic volume in each direction separately with 
iptables -L -v -n)  Personally I would have 4 EST/REL rules in FORWARD: one 
each for in and out from Ulysses, followed by one each for in and out from 
LAN in general.  This gives more detailed records without actually LOGging.

DNAT port 8000 to Ulysses, then ACCEPT in FORWARD. 

MASQ outbound connections to internet NOT from Ulysses.  (webmail replies will 
be reverse NATted automatically)

ACCEPT specific port connections in FORWARD coming from the LAN, IE allow 
TCP80, TCP/UDP53, etc.

Set a REJECT rule at the end of FORWARD for anything not allowed that came 
from the LAN, let not allowed from the internet just DROP silently.

Repeat for emphasis:  DROP INPUT to the firewall except for things that REALLY 
need to communicate directly to that machine.  If you want to be polite (to 
the LAN at least) you can REJECT instead of DROP, but from the outside world 
you really should DROP.

If the firewall machine itself has no reason to communicate directly with 
anything else (apart from forwarding) set a default REJECT policy on OUTPUT, 
and LOG anything reaching policy.  The only times this would matter is if 
someone is using the firewall box as a workstation, a server, or it has been 
compromised.

j
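The ruleset Joel describes, applied to Tom's topology, as an added example (not Tom's script and not Joel's code). It assumes eth1 faces the router and eth0 the 10.1.1.0/24 LAN, that ulysses is 10.1.1.2 serving webmail on TCP 8000, that the LAN needs HTTP, HTTPS and DNS out and SSH to yzerman, and it only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not Tom's script or Joel's own code: Tom's topology with
# Joel's suggestions applied. Assumptions: eth1 faces the EN5861 router,
# eth0 faces the LAN 10.1.1.0/24, ulysses is 10.1.1.2 and serves webmail
# on TCP 8000, the LAN is allowed HTTP/HTTPS and DNS out, and SSH to the
# firewall is wanted from the LAN only.
# Rules are only applied when APPLY=1 is set; otherwise they are printed
# for review, so the script can be read through on any machine.

EXTIF=eth1
INTIF=eth0
LAN=10.1.1.0/24
WEBMAIL=10.1.1.2
WEBMAIL_PORT=8000

if [ "${APPLY:-0}" = 1 ]; then
    IPTABLES=/sbin/iptables
else
    IPTABLES="echo /sbin/iptables"
fi

load_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    # Start from a clean slate
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -X

    # Default DROP on INPUT and FORWARD; tighten OUTPUT once you know what
    # the firewall box itself needs to reach.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # INPUT: only traffic for yzerman itself. Port 8000 is deliberately absent:
    # after DNAT those packets are FORWARD traffic and never reach INPUT.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i "$INTIF" -s "$LAN" -p tcp --dport 22 -j ACCEPT

    # NAT: rewrite the destination of inbound webmail requests before routing,
    # and hide outbound LAN traffic behind the router-facing address. Replies to
    # the DNATed connections are reverse-translated by conntrack on their own.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$WEBMAIL_PORT" \
        -j DNAT --to-destination "$WEBMAIL:$WEBMAIL_PORT"
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE

    # FORWARD: four EST/REL rules, as Joel suggests, so "iptables -L -v -n"
    # shows the volume per direction for ulysses and for the rest of the LAN.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WEBMAIL" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$WEBMAIL" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # New connections from the internet: only the DNATed webmail port, to ulysses
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WEBMAIL" -p tcp --dport "$WEBMAIL_PORT" \
        -m state --state NEW -j ACCEPT

    # New connections from the LAN: only the services listed here
    for port in 80 443 53; do
        $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -p udp --dport 53 -j ACCEPT

    # Be polite to the LAN, silent (but logged) towards the internet; anything
    # else falls through to the DROP policy.
    $IPTABLES -A FORWARD -i "$INTIF" -j REJECT
    $IPTABLES -A FORWARD -i "$EXTIF" -j LOG --log-level info --log-prefix "FWD-DROP: "
}

load_rules
```

Run it once without APPLY to read the generated commands, then with APPLY=1 as root on yzerman.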




* port forwarding problem
@ 2003-01-28  8:14 oarojo
  2003-01-29  1:21 ` Arnt Karlsen
  0 siblings, 1 reply; 28+ messages in thread
From: oarojo @ 2003-01-28  8:14 UTC (permalink / raw)
  To: netfilter

hello guys!!! Can someone help me on my problem regarding iptables???

This has been my problem for a month now. I'm running a Red Hat 7.3 firewall
server with two NICs: eth0 facing the internal network (192.168.0.x) and
eth1 facing the internet (external network). Now I wish to forward all
traffic on eth1, port 25, to my mail server (say, 192.168.0.2). I
did something like:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
iptables -A FORWARD -p tcp --dport 25 -d 192.168.0.2 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 25 -d x.x.x.x -j DNAT --to 192.168.0.2

Now when I test the SMTP connection by telnetting from another
server, say:

#telnet xxx.xxx.xxx.xxx 25

It just gets stuck there and doesn't continue...

using nmap on my firewall:

#nmap xxx.xxx.xxx.xxx -p 25

it says that port 25 is filtered...


Is there anything wrong with my iptables rules? I would really appreciate it if
you can send me your help... thanks!


Oliver





* Re: port forwarding problem
@ 2003-01-29  0:56 Ian McBeth
  0 siblings, 0 replies; 28+ messages in thread
From: Ian McBeth @ 2003-01-29  0:56 UTC (permalink / raw)
  To: netfilter

Hello.....

I think you must have the SNAT in there as well


-A PREROUTING -p tcp -m tcp -d (external IP) -i eth1 --dport 25 -j DNAT --to-destination 192.168.0.2:25
-A POSTROUTING -p tcp -m tcp -s 192.168.0.2 -o eth1 -j SNAT --to-source 62.194.25.2:25

# The FORWARD rule needs a target, otherwise it only counts packets
-A FORWARD -p tcp -m tcp -d 192.168.0.2 -i eth1 -o eth0 --dport 25 -j ACCEPT

let me know if this helps

Ian

On Tue, 2003-01-28 at 01:14, oarojo@intermediacorp.com wrote:
> hello guys!!! Can someone help me on my problem regarding iptables???
> 
> This has been my problem a month now.. I'm running a redhat 7.3 firewall
> server with two NICs; eth0 facing the internal network (192.168.0.x) and
> eth1 facing the internet (external network). Now I wish to forward all
> traffic on eth1, port 25 to another to my mail server (say, 192.168.0.2). I
> did something like:
> 
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> iptables -A FORWARD -p tcp --dport 25 -d 192.168.0.2 -j ACCEPT
> iptables -A PREROUTING -t nat -p tcp --dport 25 -d x.x.x.x -j DNAT --to 192.168.0.2
> 
> Now when i used to test SMTP connection thru telnetting from another
> server... say:
> 
> #telnet xxx.xxx.xxx.xxx 25
> 
> It just stucked in there doesn't continue...
> 
> using nmap on my firewall:
> 
> #nmap xxx.xxx.xxx.xxx -p 25
> 
> it says that port 25 is filtered...
> 
> 
> Is there anything wrong with my iptable rules? I would really appreciate if
> you can send me your help... thanks!
> 
> 
> Oliver
> 
> 
> 




* Re: port forwarding problem
  2003-01-28  8:14 oarojo
@ 2003-01-29  1:21 ` Arnt Karlsen
  0 siblings, 0 replies; 28+ messages in thread
From: Arnt Karlsen @ 2003-01-29  1:21 UTC (permalink / raw)
  To: netfilter

On Tue, 28 Jan 2003 16:14:09 +0800 (PHT), 
<oarojo@intermediacorp.com> wrote in message 
<24307.192.168.0.1.1043741649.squirrel@mail.intermediacorp.com>:

> hello guys!!! Can someone help me on my problem regarding iptables???
> 
> This has been my problem a month now.. I'm running a redhat 7.3
> firewall server with two NICs; eth0 facing the internal network
> (192.168.0.x) and eth1 facing the internet (external network). Now I
> wish to forward all traffic on eth1, port 25 to another to my mail
> server (say, 192.168.0.2). I did something like:
> 
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> iptables -A FORWARD -p tcp --dport 25 -d 192.168.0.2 -j ACCEPT
> iptables -A PREROUTING -t nat -p tcp --dport 25 -d x.x.x.x -j DNAT --to 192.168.0.2
> 
> Now when i used to test SMTP connection thru telnetting from another
> server... say:
> 
> #telnet xxx.xxx.xxx.xxx 25
> 
> It just stucked in there doesn't continue...
> 
> using nmap on my firewall:
> 
> #nmap xxx.xxx.xxx.xxx -p 25
> 
> it says that port 25 is filtered...
> 
> 
> Is there anything wrong with my iptable rules? I would really
> appreciate if you can send me your help... thanks!

..a stab in the dark: 'cat /proc/sys/net/ipv4/ip_forward' says?

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.





* Port forwarding problem...
@ 2003-02-11 18:21 Danila Octavian
  0 siblings, 0 replies; 28+ messages in thread
From: Danila Octavian @ 2003-02-11 18:21 UTC (permalink / raw)
  To: netfilter


Hello,

I want to ask you something regarding something that i am stuck in... :-)
I need to allow access to a Web server which runs on a machine inside my LAN.
my topology is  :

internet <------>(eth0)[web,smtp,pop3,ftp](eth1)<------>LAN(192.168.13.0/24)

i have only one "real" IP on eth0.
 
can you tell me how can i use something like :

http://www.myserver.xxx:33333 to redirect to .. let's say 192.168.13.147:80 ??

the main problem that i see here is that on port 33333 i have no services running.

Thanxx in advance,
Danila Octavian (pisic@service.agress.ro)



* Re: Port forwarding problem...
@ 2003-02-11 19:11 ` DarKRaveR
  2003-02-11 19:14 ` Rob Sterenborg
  1 sibling, 0 replies; 28+ messages in thread
From: DarKRaveR @ 2003-02-11 19:11 UTC (permalink / raw)
  To: Danila Octavian; +Cc: netfilter

Hello Danila,

Shouldn't be a problem, since netfilter takes care of it before the packet
hits anything else, as long as you put your rule in the prerouting
chain.
All you wanna do is add something like:

iptables -t nat -A PREROUTING -i eth0 -d realip -p tcp --dport 33333 -j DNAT --to-destination 192.168.13.147:80

This rewrites the destination address. If your IP is from a dialup
connection you might want to use MASQUERADE ...
And make sure you have connection tracking, so the answer packets get
rewritten properly.

I think that should do ....
Check out the FAQs there's some nice examples there ...

Tuesday, February 11, 2003, 7:21:30 PM, you wrote:

DO> Hello,

DO> I want to ask you something regarding something that i am stuck in... :-)
DO> I need to allow access to a Web server which runs on a machine inside my LAN.
DO> my topology is  :

DO> internet <------>(eth0)[web,smtp,pop3,ftp](eth1)<------>LAN(192.168.13.0/24)

DO> i have only one "real" IP on eth0.
 
DO> can you tell me how can i use something like :

DO> http://www.myserver.xxx:33333 to redirect to .. let's say 192.168.13.147:80 ??

DO> the main problem that i see here is that on port 33333 i have no services running.

DO> Thanxx in advance,
DO> Danila Octavian (pisic@service.agress.ro)



-- 
Best regards,
 DarKRaveR                            mailto:DarKRaveR@habitat-b.de




* RE: Port forwarding problem...
  2003-02-11 19:11 ` Port forwarding problem DarKRaveR
@ 2003-02-11 19:14 ` Rob Sterenborg
  1 sibling, 0 replies; 28+ messages in thread
From: Rob Sterenborg @ 2003-02-11 19:14 UTC (permalink / raw)
  To: netfilter

> internet 
> <------>(eth0)[web,smtp,pop3,ftp](eth1)<------>LAN(192.168.13.0/24)
> 
> i have only one "real" IP on eth0.
> 
> can you tell me how can i use something like :
> 
> http://www.myserver.xxx:33333 to redirect to .. let's say
> 192.168.13.147:80 ??
> 

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -d 192.168.13.147 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 33333 -j DNAT --to-destination 192.168.13.147:80

> the main problem that i see here is that on port 33333 i have no
> services running.

If port forwarding doesn't work, you don't see a service running on the
port.
OTOH if portforwarding works but the service isn't running, the port
isn't open on <inet_ip> either.


Gr,
Rob




* Port Forwarding Problem
@ 2003-02-25 18:06 Tom Smith
  2003-02-25 20:14 ` Willi Dyck
  2003-02-26  3:20 ` Arnt Karlsen
  0 siblings, 2 replies; 28+ messages in thread
From: Tom Smith @ 2003-02-25 18:06 UTC (permalink / raw)
  To: netfilter


RedHat 7.3 w/ Kernel 2.4.9-13
iptables version 1.2.5
rc.firewall-2.4-stronger version 0.77s

I am having a problem forwarding 216.161.174.4 port 8241 to 192.168.20.246 port 22.

I added the following rule to run DNAT:
$IPTABLES -t nat -A PREROUTING -p tcp -d 216.161.174.4 --dport 8241 -j DNAT --to-destination 192.168.20.246:22

What I saw when trying to connect to the port from a remote host was:
uccinet kernel: IN=eth1 OUT=eth0 SRC=64.158.129.226 DST=192.168.20.246 LEN=60 TOS=0x10 PREC=0x00 TTL=45 ID=63685 DF PROTO=TCP SPT=2030 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

I later learned that I also needed some FORWARD rules to make it work. 
The default script had most of them. I added:
$IPTABLES -A FORWARD -d 192.168.20.246 -p tcp --dport 22 -j ACCEPT

Now, I don't see anything in the logs AND I'm still NOT connecting to 
the internal host.

Attached are both the firewall script and the output from iptables -nL. 
The only lines added to the firewall script are 477-483 and 553-554.

Tom Smith
tom@openadventures.org


[-- Attachment #2: iptables --]
[-- Type: text/plain, Size: 2048 bytes --]

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0          
drop-and-log-it  all  --  192.168.20.0/24      0.0.0.0/0          
ACCEPT     icmp --  0.0.0.0/0            216.161.174.4      
ACCEPT     all  --  0.0.0.0/0            216.161.174.4      state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          multiport dports 21,23,25,53,80,110,199,1994,1998,1999 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          multiport dports 21,23,25,53,80,110,199,1994,1998,1999 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          multiport dports 22,47,143,443,993,1723 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          multiport dports 22,47,143,443,993,1723 
drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            192.168.20.246     tcp dpt:22 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     all  --  216.161.174.4        192.168.20.0/24    
ACCEPT     all  --  192.168.20.0/24      192.168.20.0/24    
drop-and-log-it  all  --  0.0.0.0/0            192.168.20.0/24    
ACCEPT     all  --  216.161.174.4        0.0.0.0/0          
drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0          

Chain drop-and-log-it (5 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable 

[-- Attachment #3: rc.firewall-2.4-stronger --]
[-- Type: text/plain, Size: 19046 bytes --]

#!/bin/sh
#
# rc.firewall-2.4-stronger
#
FWVER=0.77s

#          An example of a stronger IPTABLES firewall with IP Masquerade 
#          support for 2.4.x kernels.  
#
# Log:
#
#   0.78s - REJECT is not a legal policy yet; back to DROP
#   0.77s - Changed the default block behavior to REJECT not DROP
#   0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
#           where to put optional PORTFW commands
#   0.75s - Added clarification that PPPoE users need to use
#           "ppp0" instead of "eth0" for their external interface
#   0.74s - Changed the EXTIP command to work on NON-English distros
#   0.73s - Added comments in the output section that DHCPd is optional
#           and changed the default settings to disabled
#   0.72s - Changed the filter from the INTNET to the INTIP to be
#           stateful; moved the command VARs to the top and made the
#           rest of the script to use them
#   0.70s - Added a disabled examples for allowing internal DHCP  
#           and external WWW access to the server
#   0.63s - Added support for the IRC module
#   0.62s - Initial version based upon the basic 2.4.x rc.firewall


echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"


# The location of various iptables and other shell programs
#
#   If your Linux distribution came with a copy of iptables, most
#   likely it is located in /sbin.  If you manually compiled 
#   iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out 
# ** where your copy is and change the path below to reflect 
# ** your setup
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
#
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#  NOTE:  If this doesn't EXACTLY fit your configuration, you must 
#         change the EXTIF or INTIF variables above. For example: 
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0" 
#
EXTIF="eth1"
INTIF="eth0"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"

# Specify your Static IP address here or let the script take care of it 
# for you.
#
#   If you prefer to use STATIC addresses in your firewalls, un-# out the
#   static example below and # out the dynamic line.  If you don't care,
#   just leave this section alone.
#
#   If you have a DYNAMIC IP address, the ruleset already takes care of
#   this for you.  Please note that the different single and double quote 
#   characters and the script MATTER.
#
#
#   DHCP users:
#   -----------
#   If you get your TCP/IP address via DHCP, **you will need ** to enable the 
#   #ed out command below underneath the PPP section AND replace the word 
#   "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0, 
#   etc) on the lines for "ppp-ip" and "extip".  You should also note that the 
#   DHCP server can and will change IP addresses on you.  To deal with this, 
#   users should configure their DHCP client to re-run the rc.firewall ruleset 
#   every time the DHCP lease is renewed.
#
#     NOTE #1:  Some DHCP clients like the original "pump" (the newer
#               versions have been fixed) did NOT have the ability to run 
#               scripts after a lease-renew.  Because of this, you need to 
#               replace it with something like "dhcpcd" or "dhclient".
#
#     NOTE #2:  The syntax for "dhcpcd" has changed in recent versions.
#
#               Older versions used syntax like:
#                         dhcpcd -c /etc/rc.d/rc.firewall eth0
#
#               Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe
#
#     NOTE #3:  For Pump users, put the following line in /etc/pump.conf:
#
#                   script /etc/rc.d/rc.firewall
#
#   PPP users:
#   ----------
#   If you aren't already aware, the /etc/ppp/ip-up script is always run when 
#   a PPP connection comes up.  Because of this, we can make the ruleset go and 
#   get the new PPP IP address and update the strong firewall ruleset.
#
#   If the /etc/ppp/ip-up file already exists, you should edit it and add a line
#   containing "/etc/rc.d/rc.firewall" near the end of the file.
#
#   If you don't already have a /etc/ppp/ip-up script, you need to create the 
#   following link to run the /etc/rc.d/rc.firewall script.
#
#       ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
#   * You then want to enable the #ed out shell command below *
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
#  The following line will determine your external IP address.  This
#  line is somewhat complex and confusing but it will also work for
#  all NON-English Linux distributions:
#
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"


# For users who wish to use STATIC IP addresses:
#
#  # out the EXTIP line above and un-# out the EXTIP line below
#
#EXTIP="your.static.PPP.address"
echo "  External IP: $EXTIP"
echo "  ---"


# Assign the internal TCP/IP network and IP address
INTNET="192.168.20.0/24"
INTIP="192.168.20.1/24"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  ---"




# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo -en "    Loading kernel modules: "

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.  
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manual load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ 
#        modules are shown below but are commented out from loading.
# ===============================================================

#Load the main body of the IPTABLES module - "ip_tables"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
   $INSMOD ip_tables
fi


#Load the IPTABLES filtering module - "iptable_filter" 
#
#  - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific 
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is 
#    enabled 
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
   $INSMOD ip_conntrack
fi


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_conntrack_ftp, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
   $INSMOD ip_conntrack_ftp
fi


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "                             ip_conntrack_irc, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
   $INSMOD ip_conntrack_irc
fi


#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
# 
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
   $INSMOD iptable_nat
fi


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
   $INSMOD ip_nat_ftp
fi

echo "  ---"

# Just to be complete, here is a list of the remaining kernel modules 
# and their function.  Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped, 
#                     REJECTed, or LOGged.  This module automatically 
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be 
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns 
#                                  a configurable ICMP packet back to the 
#                                  sender.
# 
#    iptable_mangle - this target allows for packets to be manipulated
#                     for things like the TCPMSS option, etc.


#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, 
#   enable the following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "  Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "  ---"

#############################################################################
#
# Enable Stronger IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.1.x network with a 255.255.255.0 or a "24" bit subnet 
#            mask connecting to the Internet on external interface "eth0".  
#            This example will MASQ internal traffic out to the Internet 
#            but not allow non-initiated traffic into your internal network.
#
#            
#         ** Please change the above network numbers, subnet mask, and your 
#         *** Internet connection interface name to match your setup
#         

#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP
#
#    You CANNOT change this to REJECT as it isn't a valid policy setting.
#    If you want REJECT, you must explicitly REJECT at the end of a given 
#    INPUT, OUTPUT, or FORWARD chain
#
echo "  Clearing any existing rules and setting default policy to REJECT.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT 
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT 
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD 
$IPTABLES -F -t nat

#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle
#
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z


#Configuring specific CHAINS for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote 
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will goto ALL vtys.  This is a very big
#       pain.
#
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info 
$IPTABLES -A drop-and-log-it -j REJECT

echo -e "\n   - Loading INPUT rulesets"


#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are 
#        already flushed and set to a default policy of DROP. 
#

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT


# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it


# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet, 
#  enable this next line
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT


# remote interface, any source, going to permanent PPP address is valid
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT


# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT


# ----- Begin OPTIONAL INPUT Section -----
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
#$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
#$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
#    NOTE:  This is NOT needed for simply enabling PORTFW.  This is ONLY 
#           for users that plan on running Apache on the MASQ server itself
#
#echo -e "      - Allowing EXTERNAL access to the WWW server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
#
echo -e "      - Allowing EXTERNAL access to INSECURE services"
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,23,25,53,80,110,199,1994,1998,1999 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport --dport 21,23,25,53,80,110,199,1994,1998,1999 -j ACCEPT

echo -e "      - Allowing EXTERNAL access to SECURE services"
$IPTABLES -A INPUT -p tcp -m multiport --dport 22,47,143,443,993,1723 -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport --dport 22,47,143,443,993,1723 -j ACCEPT
#
# ----- End OPTIONAL INPUT Section -----



# Catch all rule, all other incoming is denied and logged. 
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "   - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 
#         already flushed and set to a default policy of DROP. 
#

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT


# local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT


# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it


# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT


# ----- Begin OPTIONAL OUTPUT Section -----
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#         - Remove BOTH #s if you need this functionality.
#
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
#
# ----- End OPTIONAL OUTPUT Section -----


# Catch all rule, all other outgoing is denied and logged. 
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "   - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#

# ----- Begin OPTIONAL FORWARD Section -----
#
$IPTABLES -A FORWARD -d 192.168.20.246 -p tcp --dport 22 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d 216.161.174.4 --dport 8241 -j DNAT --to-destination 192.168.20.246:22
#
# ----- End OPTIONAL FORWARD Section -----


echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged. 
#
$IPTABLES -A FORWARD -j drop-and-log-it


echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP


#######################################################################
echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"


^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: Port Forwarding Problem
  2003-02-25 18:06 Tom Smith
@ 2003-02-25 20:14 ` Willi Dyck
  2003-02-25 21:53   ` Tom Smith
  2003-02-26  3:20 ` Arnt Karlsen
  1 sibling, 1 reply; 28+ messages in thread
From: Willi Dyck @ 2003-02-25 20:14 UTC (permalink / raw)
  To: netfilter

On Tue, Feb 25, 2003 at 11:06:55AM -0700, Tom Smith wrote:
> Having problem forwarding 216.161.174.4 port 8241 to 192.168.20.246 port 22.
> 
> I added the following rule to run DNAT:
> $IPTABLES -t nat -A PREROUTING -p tcp -d 216.161.174.4 --dport 8241 -j 
> DNAT --to-destination 192.168.20.246:22

Good.

> What I saw when trying to connect to the port from a remote host was:
> uccinet kernel: IN=eth1 OUT=eth0 SRC=64.158.129.226 DST=192.168.20.246 
> LEN=60 TOS=0x10 PREC=0x00 TTL=45 ID=63685 DF PROTO=TCP SPT=2030 DPT=22 
> WINDOW=5840 RES=0x00 SYN URGP=0
> 
> I later learned that I also needed some FORWARD rules to make it work. 
> The default script had most of them. I added:
> $IPTABLES -A FORWARD -d 192.168.20.246 -p tcp --dport 22 -j ACCEPT

Better. Much better would be a second rule which allows the way back
from 192.168.20.246.

$IPTABLES -A FORWARD -s 192.168.20.246 -p tcp --sport 22 -j ACCEPT

What I see in your 'iptables -nL' output is that you allow everything
in the FORWARD chain which has a state ESTABLISHED and/or RELATED, thus
the second rule above isn't necessary. Does 192.168.20.246 have a routing
entry back to the inet? Also, what is the output of 'iptables -nvL
FORWARD'?

> Chain FORWARD (policy DROP)
> target     prot opt source               destination         
> ACCEPT     tcp  --  0.0.0.0/0            192.168.20.246     tcp dpt:22 
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
> drop-and-log-it  all  --  0.0.0.0/0            0.0.0.0/0          

Regards -- Willi

-- 


^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: Port Forwarding Problem
  2003-02-25 20:14 ` Willi Dyck
@ 2003-02-25 21:53   ` Tom Smith
  0 siblings, 0 replies; 28+ messages in thread
From: Tom Smith @ 2003-02-25 21:53 UTC (permalink / raw)
  To: netfilter, wdyck

Found the problem...the GATEWAY on 20.246 was set to a different router 
and not the firewall.

It started working after I changed it--thanks for your help!!!


^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: Port Forwarding Problem
  2003-02-25 18:06 Tom Smith
  2003-02-25 20:14 ` Willi Dyck
@ 2003-02-26  3:20 ` Arnt Karlsen
       [not found]   ` <3E5C3DEE.70104@openadventures.org>
  1 sibling, 1 reply; 28+ messages in thread
From: Arnt Karlsen @ 2003-02-26  3:20 UTC (permalink / raw)
  To: netfilter

On Tue, 25 Feb 2003 11:06:55 -0700, 
Tom Smith <tom@openadventures.org> wrote in message 
<3E5BB0BF.2070401@openadventures.org>:

> RedHat 7.3 w/ Kernel 2.4.9-13

..you want 2.4.18-24.7.x, _several_ errata fixes.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: Port Forwarding Problem
       [not found]   ` <3E5C3DEE.70104@openadventures.org>
@ 2003-02-26 14:07     ` Arnt Karlsen
  0 siblings, 0 replies; 28+ messages in thread
From: Arnt Karlsen @ 2003-02-26 14:07 UTC (permalink / raw)
  To: Tom Smith; +Cc: netfilter

On Tue, 25 Feb 2003 21:09:18 -0700, 
Tom Smith <tom@openadventures.org> top posted, er, top mailed in 
message <3E5C3DEE.70104@openadventures.org>:
> 
> Arnt Karlsen wrote:
> 
> >On Tue, 25 Feb 2003 11:06:55 -0700, 
> >Tom Smith <tom@openadventures.org> wrote in message 
> ><3E5BB0BF.2070401@openadventures.org>:
> >
> >>RedHat 7.3 w/ Kernel 2.4.9-13
> >
> >..you want 2.4.18-24.7.x, _several_ errata fixes.
> 
> Yeah, I'm planning for that. Problem is...I have to have PPTP support 
> and I simply haven't had the time to test the latest PoPToP-enabled 
> kernel (2.4.18-18).

..get the "kernelmod" tarball instead, install 2.4.18-24.7.x, 
reboot to that, and run kernelmod, to make your own. 
Find it over at the poptop sourceforge site.

..more people may need this, so I cc.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: Port Forwarding Problem
  2005-04-15 10:34 Julian Labuschagne
@ 2005-04-15  8:40 ` Samuel Díaz García
  2005-04-15 11:23   ` Julian Labuschagne
                     ` (2 more replies)
  0 siblings, 3 replies; 28+ messages in thread
From: Samuel Díaz García @ 2005-04-15  8:40 UTC (permalink / raw)
  To: Julian Labuschagne; +Cc: netfilter

Without having a look into your scripts, I think you need:

1) Allow INPUT into filter table to the port.
2) Allow FORWARD into filter table to the redirected connection.

Good luck.




Samuel Díaz García
Director Gerente
ArcosCom Wireless, S.L.L.

mailto:samueldg@arcoscom.com
http://www.arcoscom.com
móvil: 651 93 72 48
tlfn.: 956 70 13 15
fax:   956 70 34 83




^ permalink raw reply	[flat|nested] 28+ messages in thread

* Port Forwarding Problem
@ 2005-04-15 10:34 Julian Labuschagne
  2005-04-15  8:40 ` Samuel Díaz García
  0 siblings, 1 reply; 28+ messages in thread
From: Julian Labuschagne @ 2005-04-15 10:34 UTC (permalink / raw)
  To: netfilter

Hi everyone I'm a bit new to iptables so please bear with me on this one ;)

I wrote a small firewall that basically nats users through my gateway 
machine only allowing certain hosts on my network Web DNS and Mail access.

This section works fine.

But I also want to port forward any connections from outside to port 800 
to a host running inside my LAN.
I added a rule in the PREROUTING table to do this.

But it seems that no connection gets forwarded.

If I set my default policies to ACCEPT and add the PREROUTING rule it 
actually does the port forwarding correctly.

I attached a copy of the firewall I wrote with this message.

Please can someone have a look through it for me cause I'm sure I'm just 
missing something.

Kind Regards Julian.




^ permalink raw reply	[flat|nested] 28+ messages in thread

* Port Forwarding Problem
@ 2005-04-15 10:36 Julian Labuschagne
  0 siblings, 0 replies; 28+ messages in thread
From: Julian Labuschagne @ 2005-04-15 10:36 UTC (permalink / raw)
  To: netfilter

Hi everyone I'm a bit new to iptables so please bear with me on this one ;)

I wrote a small firewall that basically nats users through my gateway
machine only allowing certain hosts on my network Web DNS and Mail access.

This section works fine.

But I also want to port forward any connections from outside to port 800
to a host running inside my LAN.
I added a rule in the PREROUTING table to do this.

But it seems that no connection gets forwarded.

If I set my default policies to ACCEPT and add the PREROUTING rule it
actually does the port forwarding correctly.

I attached a copy of the firewall I wrote with this message.

Please can someone have a look through it for me cause I'm sure I'm just
missing something.

Kind Regards Julian.




[-- Attachment #2: custom.firewall --]
[-- Type: text/plain, Size: 2297 bytes --]

#!/bin/bash

# Set path to iptables binary
IPTABLES=/usr/sbin/iptables

#
# Loopback IP and Interface
#
LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# Internet IP and Interface
#
INET_IP=`/sbin/ifconfig ppp0 | grep "inet addr" | cut -d: -f2 | cut -d ' ' -f1`
INET_IFACE="ppp0"

#
# LAN Range, IP Address and Interface
#
LAN_IP="192.168.1.1"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth0"

# 
# Set default policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# Flush Chains
#
$IPTABLES -F
$IPTABLES -t nat -F

#
# Allow loopback interface
#
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT

# Output Chain
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p tcp --dport 110 -j ACCEPT

# Input Chain
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -m state --state established,related -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p udp -m state --state established,related -j ACCEPT

$IPTABLES -A INPUT -i $INET_IFACE -p tcp --dport 800 -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p udp --dport 800 -j ACCEPT

# Forward Chain
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -o $LAN_IFACE -j ACCEPT

#
# Allow ICMP
#
$IPTABLES -A OUTPUT -o $INET_IFACE -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p icmp -j ACCEPT

#
# Users allowed internet access
#
$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.143 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.143 -j ACCEPT

$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.5 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.5 -j ACCEPT

$IPTABLES -A INPUT -i $LAN_IFACE -s 192.168.1.8 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -d 192.168.1.8 -j ACCEPT


#
# Add port forwarding rule
#
$IPTABLES -A PREROUTING -t nat -p tcp -d $INET_IP --dport 800 -j DNAT --to 192.168.1.5:800
$IPTABLES -A PREROUTING -t nat -p udp -d $INET_IP --dport 800 -j DNAT --to 192.168.1.5:800

#
# Masquerade LAN users (Internet Sharing)
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: Port Forwarding Problem
  2005-04-15  8:40 ` Samuel Díaz García
@ 2005-04-15 11:23   ` Julian Labuschagne
  2005-04-15 14:32   ` Taylor, Grant
  2005-04-15 14:40   ` Jason Opperisano
  2 siblings, 0 replies; 28+ messages in thread
From: Julian Labuschagne @ 2005-04-15 11:23 UTC (permalink / raw)
  To: netfilter

Samuel Díaz García wrote:

> Without having a look into your scripts, I think you need:
> 1) Allow INPUT into filter table to the port.
> 2) Allow FORWARD into filter table to the redirected connection.
> Good luck.
>
Line 56: $IPTABLES -A INPUT -i $INET_IFACE -p tcp --dport 800 -j ACCEPT
Line 57: $IPTABLES -A INPUT -i $INET_IFACE -p udp --dport 800 -j ACCEPT
Line 58:
Line 59: # Forward Chain
Line 60: $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
Line 61: $IPTABLES -A FORWARD -o $LAN_IFACE -j ACCEPT

Line 85: $IPTABLES -A PREROUTING -t nat -p tcp -d $INET_IP --dport 800 -j DNAT --to 192.168.1.5:800
Line 86: $IPTABLES -A PREROUTING -t nat -p udp -d $INET_IP --dport 800 -j DNAT --to 192.168.1.5:800

These are a few lines from the attached firewall.
I think you may be referring to these lines of the firewall script.

On Lines 56,57 I allow connections to my gateway on port 800.
On Lines 60,61 I allow all connections in the forwarding chain.
And on Lines 85,86 are the port forwarding rules.

Kind Regards Julian.







^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: Port Forwarding Problem
  2005-04-15  8:40 ` Samuel Díaz García
  2005-04-15 11:23   ` Julian Labuschagne
@ 2005-04-15 14:32   ` Taylor, Grant
  2005-04-15 14:40   ` Jason Opperisano
  2 siblings, 0 replies; 28+ messages in thread
From: Taylor, Grant @ 2005-04-15 14:32 UTC (permalink / raw)
  To: Samuel Díaz García; +Cc: netfilter

I do not recall seeing the original post so I did not see your firewall rule set.  If you have your default policy for the FORWARD chain set to DROP you will need to explicitly allow the traffic that you are trying to port forward in your FORWARD table.  For example you will need something like this:

iptables -t filter -A FORWARD -i $INet -o $LAN -p tcp --dport 800 -d $IP_of_server_to_forward_to -j ACCEPT
iptables -t filter -A FORWARD -i $INet -o $LAN -p udp --dport 800 -d $IP_of_server_to_forward_to -j ACCEPT
iptables -t filter -A FORWARD -i $LAN -o $INet -p tcp --dport 800 -s $IP_of_server_to_forward_to -j ACCEPT
iptables -t filter -A FORWARD -i $LAN -o $INet -p udp --dport 800 -s $IP_of_server_to_forward_to -j ACCEPT

I added rules for both TCP and UDP as I did not know which protocol you are running.  If you don't need one or the other just take the pair (in and out) of rules out.



Grant. . . .




^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: Port Forwarding Problem
  2005-04-15  8:40 ` Samuel Díaz García
  2005-04-15 11:23   ` Julian Labuschagne
  2005-04-15 14:32   ` Taylor, Grant
@ 2005-04-15 14:40   ` Jason Opperisano
  2 siblings, 0 replies; 28+ messages in thread
From: Jason Opperisano @ 2005-04-15 14:40 UTC (permalink / raw)
  To: netfilter

On Fri, Apr 15, 2005 at 10:40:39AM +0200, Samuel Díaz García wrote:
> Without having a look into your scripts, I think you need:
> 
> 1) Allow INPUT into filter table to the port.
> 2) Allow FORWARD into filter table to the redirected connection.

that's not exactly sagely advice.  in a port-forwarding situation, all
you need is the nat PREROUTING DNAT rule and a filter FORWARD rule.
since the destination IP is translated "prerouting" the translated
packet will never traverse the filter INPUT chain.

three line guide to "port-forwarding:"

  iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 800 \
    -j DNAT --to-destination $INSIDE_HOST

  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  iptables -A FORWARD -i $EXT_IF -p tcp --syn \
    -d $INSIDE_HOST --dport 800 -j ACCEPT

-j

--
"Brian: She's a whiney little runt isn't she?
 Brian: What? I said runt."
        --Family Guy


^ permalink raw reply	[flat|nested] 28+ messages in thread
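The traversal order that Willi's reply (the way back needs the ESTABLISHED,RELATED rule or an explicit reverse rule) and Jason's three-line guide (DNAT runs before the routing decision, so the translated packet goes through FORWARD and never INPUT) both rely on, as an added toy model in Python. This is not code from the list or from netfilter; the addresses, interface names, port and the simplified conntrack are constructed assumptions that mirror Jason's $EXT_IF and $INSIDE_HOST placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Optional

# Constructed values standing in for Jason's $EXT_IF / $INSIDE_HOST placeholders.
EXT_IF, LAN_IF = "ppp0", "eth0"
EXT_IP, LAN_IP = "203.0.113.10", "192.168.1.1"      # addresses owned by the NAT box
INSIDE_HOST, PORT = "192.168.1.5", 800
CLIENT = "198.51.100.7"                              # remote client (constructed)


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool            # bare SYN, i.e. the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    """One filter rule. A None field matches anything, like an omitted iptables option."""
    in_if: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None
    states: Optional[frozenset] = None               # -m state --state ...
    target: str = "ACCEPT"

    def matches(self, p: Packet, state: str) -> bool:
        checks = ((self.in_if, p.in_if), (self.src, p.src), (self.sport, p.sport),
                  (self.dst, p.dst), (self.dport, p.dport), (self.syn, p.syn))
        return (all(want is None or want == got for want, got in checks)
                and (self.states is None or state in self.states))


class Box:
    """Minimal model of the hooks a packet crosses on a NAT box with DROP policies.

    Simplifications (assumptions of this model): conntrack is keyed on the
    post-DNAT 4-tuple, and the reverse translation of replies is not modelled.
    """

    def __init__(self, local_ips, dnat=None, forward=(), inp=()):
        self.local_ips = set(local_ips)
        self.dnat = dnat           # ((in_if, dport), (new_dst, new_dport)) or None
        self.forward, self.input = list(forward), list(inp)
        self.conntrack: set[tuple] = set()

    def _state(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def handle(self, p: Packet) -> tuple[str, str]:
        """Return (chain that decided, verdict) for one packet."""
        # 1. nat PREROUTING runs before the routing decision, so the
        #    destination is rewritten first.
        if self.dnat and self.dnat[0] == (p.in_if, p.dport) and p.dst in self.local_ips:
            p = replace(p, dst=self.dnat[1][0], dport=self.dnat[1][1])
        # 2. Routing decision: a destination owned by the box goes to INPUT,
        #    anything else to FORWARD. A DNATed packet therefore never sees INPUT.
        chain = "INPUT" if p.dst in self.local_ips else "FORWARD"
        rules = self.input if chain == "INPUT" else self.forward
        state = self._state(p)
        verdict = next((r.target for r in rules if r.matches(p, state)), "DROP")  # policy DROP
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return chain, verdict


def make_box(dnat=True, state_rule=True, reverse_rule=False) -> Box:
    """Jason's three-line guide, with switches to leave pieces out."""
    forward = []
    if state_rule:    # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        forward.append(Rule(states=frozenset({"ESTABLISHED", "RELATED"})))
    # iptables -A FORWARD -i $EXT_IF -p tcp --syn -d $INSIDE_HOST --dport 800 -j ACCEPT
    forward.append(Rule(in_if=EXT_IF, syn=True, dst=INSIDE_HOST, dport=PORT))
    if reverse_rule:  # Willi's explicit way-back rule: -s host --sport port -j ACCEPT
        forward.append(Rule(src=INSIDE_HOST, sport=PORT))
    nat = ((EXT_IF, PORT), (INSIDE_HOST, PORT)) if dnat else None
    return Box({EXT_IP, LAN_IP}, nat, forward)


def run_forwarded_connection(box: Box):
    """Client SYN from the Internet, then the server's SYN/ACK back from the LAN."""
    syn = Packet(EXT_IF, CLIENT, 2030, EXT_IP, PORT, syn=True)
    synack = Packet(LAN_IF, INSIDE_HOST, PORT, CLIENT, 2030, syn=False)
    return box.handle(syn), box.handle(synack)


if __name__ == "__main__":
    for label, kw in [("full guide", {}), ("no DNAT", {"dnat": False}),
                      ("no state rule", {"state_rule": False}),
                      ("no state rule + reverse rule", {"state_rule": False, "reverse_rule": True})]:
        print(f"{label:30s} (SYN, SYN/ACK) -> {run_forwarded_connection(make_box(**kw))}")
```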

* Port Forwarding Problem
@ 2005-07-18  5:17 George Esperanza
  0 siblings, 0 replies; 28+ messages in thread
From: George Esperanza @ 2005-07-18  5:17 UTC (permalink / raw)
  To: netfilter

Hello everyone!

I have just installed a Slackware Linux 10.1 as my
firewall and my Internet gateway and i have a Web
server inside my private Network.  I'm trying to test
if i can forward all incoming http request to my Web
server.  I've found  a simple script and modified it
to work for my IP settings, but its not working.  I've
been searching this for almost 2 days now and still
can't make it to work. 

I have Slackware 9.0 with iptables scripts (running at
home) that has forwarding rules which is working
perfectly.  I tried that script too in Slackware 10.1
but still not working.  

Please help... 

George

Here's my script:

#!/bin/sh

# iptables binary; every rule below refers to it as $IPT
IPT="/usr/sbin/iptables"
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# eth0 - internal network
# eth1 - external network (with static IP)
$IPT -A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport \
        --dport 80,443 -o eth1 -j ACCEPT
$IPT -A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport \
        --dport 80,443 -o eth1 -i eth0 -j ACCEPT

$IPT -A OUTPUT -o eth1 -j LOG
$IPT -A FORWARD -j LOG

$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to X.X.X.X
$IPT -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.X --dport 80 -j DNAT \
    --to 192.168.0.10:80




^ permalink raw reply	[flat|nested] 28+ messages in thread

* Port Forwarding Problem
@ 2008-04-24 19:17 Ivan Hernandez
  2008-04-25 19:49 ` Grant Taylor
  0 siblings, 1 reply; 28+ messages in thread
From: Ivan Hernandez @ 2008-04-24 19:17 UTC (permalink / raw)
  To: netfilter

I have a problem that seems difficult to resolve.

On a LAN, a set of computers in the range 192.168.1.x that already have 
192.168.1.1 assigned as default gw run an application that must connect 
to an internet server 234.56.78.9 on tcp port 4444, much like a 
telnet app.

The 192.168.1.1 gw does not serve internet in any way, so the 
192.168.1.x network is isolated except for 1 computer, which has 2 nics 
and is the computer running linux that I need to configure.

That machine has eth0 with 192.168.1.2 and an eth1 with an internet 
address 200.100.23.4.

Now, I can't touch routing on the clients, and clients can only see 
192.168.1.2. I used simpleproxy this way:
simpleproxy -L 4444 -R 234.56.78.9:4444
to solve the problem, but is there any chance to solve it with iptables???

As clients don't have 192.168.1.2 as router, it seems difficult to use 
DNAT because packets are sent to internet, but as 192.168.1.x -> 
234.56.78.9 so they never come back.

Ideally it should receive packets on eth0 like 192.168.1.x -> 
192.168.1.2:4444, and send them to eth1 as 200.100.23.4 -> 
234.56.78.9:4444 and manage the responses to send back the packets 
234.56.78.9:4444 -> 200.100.23.4 from eth1 to 192.168.1.2:4444 -> 
192.168.1.x on eth0

I hope I have found a way to explain the problem!!!
Thanks a lot

Ivan Hernandez
Kiu System Solutions


^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: Port Forwarding Problem
  2008-04-24 19:17 Port Forwarding Problem Ivan Hernandez
@ 2008-04-25 19:49 ` Grant Taylor
  0 siblings, 0 replies; 28+ messages in thread
From: Grant Taylor @ 2008-04-25 19:49 UTC (permalink / raw)
  To: Mail List - Netfilter

On 4/24/2008 2:17 PM, Ivan Hernandez wrote:
> On a LAN, a set of computers in the range 192.168.1.x that have already 
> been assigned a default gw of 192.168.1.1 run an application that must 
> connect to an internet server 234.56.78.9 on tcp port 4444, much like a 
> telnet app.
> 
> The 192.168.1.1 gw does not serve the internet in any way, so the 
> 192.168.1.x network is isolated except for 1 computer, which has 2 NICs 
> and is the computer running linux that I need to configure.

<snip>

Is there something preventing you from moving your Linux system to 
192.168.1.1, i.e. a device that is already there?

If there is a device at 192.168.1.1 what sort of control do you have 
over it?  Can you configure it to use 192.168.1.2 as its default gateway?

I would make your Linux system be the default gateway for the 
192.168.1.x network, either by being 192.168.1.1 or by having 
192.168.1.1 use 192.168.1.2 as its default gateway.

This way, your client systems can use 192.168.1.1 as the default gateway 
for the network, even if it is by way of 192.168.1.2.



Grant. . . .


* Port forwarding problem
@ 2010-10-16 12:53 Carlos Mtz-Troncoso
  2010-10-16 13:13 ` Pascal Hambourg
  0 siblings, 1 reply; 28+ messages in thread
From: Carlos Mtz-Troncoso @ 2010-10-16 12:53 UTC (permalink / raw)
  To: netfilter

Hi fellows.

Google, howtos and examples couldn't help me, now I am here. I am using 
a CentOS 5.5 with kernel 2.6.18-194.17.1.el5, iptables version 1.3.5.

My server has 2 network cards, eth0 is for Internet with a fixed IP 
address, and eth1, 10.1.1.1/16, is for the local network (10.1.0.0/16). In 
this server I have OpenVPN working well and it is used as the gateway.

My script worked well and the last change was to add a port forwarding: 
the traffic from the public IP, port 2020, is sent to an internal web 
server 10.1.1.7:80. The internal server has 10.1.1.1 (my Linux IPTables 
box) as its gateway.

My problem is that the port forwarding is not working, here is my script.


LOOP=127.0.0.1

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Flush every chain in the filter, mangle and nat tables and delete user chains
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

# Loopback addresses must never appear on the Internet interface
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP

# Private 172.16/12 sources arriving from the Internet
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP

# Keep NetBIOS and IKE/NAT-T traffic from leaving towards the Internet
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 500:4500 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

# Inserted (-I) at the head of FORWARD, each one in front of the previous
iptables -I FORWARD -o eth0 -p tcp -m multiport --dports 25,81,3389,12796,32976,10443,50,500,4500,2020,80 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -j DROP

iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Services offered by the box itself
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 222 -j ACCEPT
iptables -A INPUT -p tcp --dport 2020 -j ACCEPT

# OpenVPN
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --dport 5000 -j ACCEPT

# VPN tunnels <-> LAN / Internet, also inserted at the head of FORWARD
iptables -I FORWARD -i tun0 -o eth1 -j ACCEPT
iptables -I FORWARD -i eth1 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tap0 -o eth1 -j ACCEPT
iptables -I FORWARD -i eth1 -o tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -o eth0 -j ACCEPT
iptables -I FORWARD -i eth0 -o tap0 -j ACCEPT

iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Port forwarding: public port 2020 -> internal web server 10.1.1.7:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d x.x.x.130 --dport 2020 -j DNAT --to 10.1.1.7:80
iptables -t nat -A POSTROUTING -j SNAT -o eth0 --to-source x.x.x.130


Where is my error?

Thanks in advance.

Carlos


* Re: Port forwarding problem
  2010-10-16 12:53 Port forwarding problem Carlos Mtz-Troncoso
@ 2010-10-16 13:13 ` Pascal Hambourg
  2010-10-16 13:19   ` Carlos Mtz-Troncoso
  0 siblings, 1 reply; 28+ messages in thread
From: Pascal Hambourg @ 2010-10-16 13:13 UTC (permalink / raw)
  To: netfilter

Hello,

Carlos Mtz-Troncoso wrote:
> 
> My server has 2 network cards, eth0 is for Internet with a fixed IP 
> address, and eth1, 10.1.1.1/16, is for the local network (10.1.0.0/16). In 
> this server I have OpenVPN working well and it is used as the gateway.
> 
> My script worked well and the last change was to add a port forwarding: 
> the traffic from the public IP, port 2020, is sent to an internal web 
> server 10.1.1.7:80. The internal server has 10.1.1.1 (my Linux IPTables 
> box) as its gateway.
> 
> My problem is that the port forwarding is not working, here is my script.
[...]
> Where is my error?

IMO the rule in FORWARD accepting the port-forwarded packets is missing.


* Re: Port forwarding problem
  2010-10-16 13:13 ` Pascal Hambourg
@ 2010-10-16 13:19   ` Carlos Mtz-Troncoso
  2010-10-16 13:37     ` Pascal Hambourg
  0 siblings, 1 reply; 28+ messages in thread
From: Carlos Mtz-Troncoso @ 2010-10-16 13:19 UTC (permalink / raw)
  To: Pascal Hambourg; +Cc: netfilter

Thanks Pascal for your answer.

I had that rule but I deleted it, I just added it again

iptables -A FORWARD -p tcp -i eth0 -d 10.1.1.7 --dport 80 -j ACCEPT

but it doesn't work.



On 10/16/2010 08:13 AM, Pascal Hambourg wrote:
> Hello,
>
> Carlos Mtz-Troncoso wrote:
>>
>> My server has 2 network cards, eth0 is for Internet with a fixed IP
>> address, and eth1, 10.1.1.1/16, is for the local network (10.1.0.0/16). In
>> this server I have OpenVPN working well and it is used as the gateway.
>>
>> My script worked well and the last change was to add a port forwarding:
>> the traffic from the public IP, port 2020, is sent to an internal web
>> server 10.1.1.7:80. The internal server has 10.1.1.1 (my Linux IPTables
>> box) as its gateway.
>>
>> My problem is that the port forwarding is not working, here is my script.
> [...]
>> Where is my error?
>
> IMO the rule in FORWARD accepting the port-forwarded packets is missing.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: Port forwarding problem
  2010-10-16 13:19   ` Carlos Mtz-Troncoso
@ 2010-10-16 13:37     ` Pascal Hambourg
  2010-10-16 14:01       ` Carlos Mtz-Troncoso
  0 siblings, 1 reply; 28+ messages in thread
From: Pascal Hambourg @ 2010-10-16 13:37 UTC (permalink / raw)
  To: netfilter

Carlos Mtz-Troncoso wrote:
> Thanks Pascal for your answer.
> 
> I had that rule but I deleted it, I just added it again
> 
> iptables -A FORWARD -p tcp -i eth0 -d 10.1.1.7 --dport 80 -j ACCEPT
> 
> but it doesn't work.

Maybe because of the rule ordering? Your script weirdly mixes -I and -A
commands, and has a "-I FORWARD -j DROP" rule which inserts a plain
"DROP everything" at the very beginning of the chain. As a result, any
rule created before or appended after this one has no effect.


* Re: Port forwarding problem
  2010-10-16 13:37     ` Pascal Hambourg
@ 2010-10-16 14:01       ` Carlos Mtz-Troncoso
  2010-10-16 18:19         ` Pascal Hambourg
  0 siblings, 1 reply; 28+ messages in thread
From: Carlos Mtz-Troncoso @ 2010-10-16 14:01 UTC (permalink / raw)
  To: Pascal Hambourg; +Cc: netfilter

Pascal you are right!

I just changed some -I for -A and moved
iptables -A FORWARD -j DROP
to the end and it works!

It was a foolish error, I know that ACL order is crucial!

Thanks a lot for your help

On 10/16/2010 08:37 AM, Pascal Hambourg wrote:
> Carlos Mtz-Troncoso wrote:
>> Thanks Pascal for your answer.
>>
>> I had that rule but I deleted it, I just added it again
>>
>> iptables -A FORWARD -p tcp -i eth0 -d 10.1.1.7 --dport 80 -j ACCEPT
>>
>> but it doesn't work.
>
> Maybe because of the rule ordering? Your script weirdly mixes -I and -A
> commands, and has a "-I FORWARD -j DROP" rule which inserts a plain
> "DROP everything" at the very beginning of the chain. As a result, any
> rule created before or appended after this one has no effect.


* Re: Port forwarding problem
  2010-10-16 14:01       ` Carlos Mtz-Troncoso
@ 2010-10-16 18:19         ` Pascal Hambourg
  0 siblings, 0 replies; 28+ messages in thread
From: Pascal Hambourg @ 2010-10-16 18:19 UTC (permalink / raw)
  To: Carlos Mtz-Troncoso; +Cc: netfilter

Carlos Mtz-Troncoso wrote:
> 
> I just changed some -I for -A and moved
> iptables -A FORWARD -j DROP
> to the end and it works!

Why not set the default policy to DROP instead of that terminal rule?
This way you could append new rules more easily.

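Pascal's two points in this thread, that -I pushes a rule to the head of the chain so a "-I FORWARD -j DROP" shadows everything inserted earlier or appended later, and that a DROP policy is easier to live with than a terminal DROP rule, can be checked without a live box. The script below is an added example, not from the thread: a minimal model of one iptables chain (rules matched on input and output interface, protocol, destination port, destination address and conntrack state; first match wins, the policy applies otherwise) that replays the FORWARD commands from Carlos's script in their original order and then in the shape Pascal suggests. Source-address and source-port rules from the script are not modelled, and comma-list matching stands in for multiport and for --state lists.

```sh
#!/bin/sh
# Added example, not from the thread: a toy model of one iptables chain, used
# to replay the FORWARD commands of Carlos's script. -I puts a rule at the
# head of the chain, -A at the tail, the first matching rule decides, and the
# chain policy applies when nothing matches.
# Rule fields: in out proto dport dst state target ('-' matches anything,
# a comma list matches any of its members, like multiport or --state lists).
NL='
'
CHAIN=""        # rules in chain order, one per line
POLICY=ACCEPT   # chain default policy

ipt_P() { POLICY=$1; }                          # iptables -P FORWARD <policy>
ipt_I() { CHAIN="$*${CHAIN:+$NL$CHAIN}"; }      # iptables -I FORWARD <rule>
ipt_A() { CHAIN="${CHAIN:+$CHAIN$NL}$*"; }      # iptables -A FORWARD <rule>

# field_ok <rule field> <packet field>
field_ok() {
    [ "$1" = "-" ] && return 0
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# verdict <in> <out> <proto> <dport> <dst> <state>: prints ACCEPT or DROP
verdict() {
    while read -r r_in r_out r_proto r_dport r_dst r_state r_target; do
        [ -n "$r_target" ] || continue
        if field_ok "$r_in" "$1" && field_ok "$r_out" "$2" \
           && field_ok "$r_proto" "$3" && field_ok "$r_dport" "$4" \
           && field_ok "$r_dst" "$5" && field_ok "$r_state" "$6"; then
            echo "$r_target"
            return 0
        fi
    done <<EOF
$CHAIN
EOF
    echo "$POLICY"
}

# The FORWARD commands of the posted script, in script order (source-address
# and source-port rules left out; they do not affect the packet tested here).
build_original() {
    CHAIN=""; ipt_P ACCEPT
    ipt_I - eth0 tcp 25,81,3389,12796,32976,10443,50,500,4500,2020,80 - - ACCEPT
    ipt_I - - - - - ESTABLISHED,RELATED ACCEPT
    ipt_I - - - - - - DROP                  # the "-I FORWARD -j DROP" line
    ipt_I tun0 eth1 - - - - ACCEPT
    ipt_I eth1 tun0 - - - - ACCEPT
    ipt_I tun0 eth0 - - - - ACCEPT
    ipt_I eth0 tun0 - - - - ACCEPT
    ipt_I tap0 eth1 - - - - ACCEPT
    ipt_I eth1 tap0 - - - - ACCEPT
    ipt_I tap0 eth0 - - - - ACCEPT
    ipt_I eth0 tap0 - - - - ACCEPT
    ipt_A eth0 - - - - - ACCEPT
    ipt_A - eth0 - - - NEW ACCEPT
    ipt_A - - - - - ESTABLISHED,RELATED ACCEPT
    ipt_A eth0 - tcp 80 10.1.1.7 - ACCEPT   # the port-forward rule re-added later
}

# Pascal's suggestion: policy DROP, appends only, no terminal DROP rule.
build_fixed() {
    CHAIN=""; ipt_P DROP
    ipt_A - - - - - ESTABLISHED,RELATED ACCEPT
    ipt_A - eth0 tcp 25,81,3389,12796,32976,10443,50,500,4500,2020,80 - - ACCEPT
    ipt_A eth0 - tcp 80 10.1.1.7 - ACCEPT
}

# The DNATed packet as FORWARD sees it: in eth0, out eth1, to 10.1.1.7:80, NEW.
build_original
echo "original order:   $(verdict eth0 eth1 tcp 80 10.1.1.7 NEW)"   # DROP
build_fixed
echo "policy DROP + -A: $(verdict eth0 eth1 tcp 80 10.1.1.7 NEW)"   # ACCEPT
echo "unrelated packet: $(verdict eth0 eth1 tcp 22 10.1.1.7 NEW)"   # DROP
```

In the replayed original, the only rules ahead of the blanket DROP are the tun0/tap0 inserts made after it, which is why VPN traffic kept working while the port forward did not. With the policy carrying the deny, a new `-A` rule lands where it is evaluated, and `iptables -L FORWARD -n --line-numbers` on a real box shows the same ordering the model uses.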

end of thread, other threads:[~2010-10-16 18:19 UTC | newest]

Thread overview: 28+ messages
2008-04-24 19:17 Port Forwarding Problem Ivan Hernandez
2008-04-25 19:49 ` Grant Taylor
  -- strict thread matches above, loose matches on Subject: below --
2010-10-16 12:53 Port forwarding problem Carlos Mtz-Troncoso
2010-10-16 13:13 ` Pascal Hambourg
2010-10-16 13:19   ` Carlos Mtz-Troncoso
2010-10-16 13:37     ` Pascal Hambourg
2010-10-16 14:01       ` Carlos Mtz-Troncoso
2010-10-16 18:19         ` Pascal Hambourg
2005-07-18  5:17 Port Forwarding Problem George Esperanza
2005-04-15 10:36 Julian Labuschagne
2005-04-15 10:34 Julian Labuschagne
2005-04-15  8:40 ` Samuel Díaz García
2005-04-15 11:23   ` Julian Labuschagne
2005-04-15 14:32   ` Taylor, Grant
2005-04-15 14:40   ` Jason Opperisano
2003-02-25 18:06 Tom Smith
2003-02-25 20:14 ` Willi Dyck
2003-02-25 21:53   ` Tom Smith
2003-02-26  3:20 ` Arnt Karlsen
     [not found]   ` <3E5C3DEE.70104@openadventures.org>
2003-02-26 14:07     ` Arnt Karlsen
     [not found] <001601c2d1fa$669894e0$990da8c0@..153.service>
2003-02-11 19:11 ` Port forwarding problem DarKRaveR
2003-02-11 19:14 ` Rob Sterenborg
2003-02-11 18:21 Danila Octavian
2003-01-29  0:56 port " Ian McBeth
2003-01-28  8:14 oarojo
2003-01-29  1:21 ` Arnt Karlsen
2002-11-14  4:29 Port " Tom Elsesser
2002-11-24 20:40 ` Joel Newkirk
