Firewall Wizards mailing list archives

RE: iptables problem forwarding


From: "Josh Welch" <jwelch () buffalowildwings com>
Date: Mon, 31 Mar 2003 17:23:20 -0600

I have built an iptables firewall that I am mostly happy with. The main
problem that still exists is that the firewall will not allow connections I do
want to permit.

1. I want to allow SSH.
2. I want to forward port 3389 to an internal machine.


<snip>



# set up the modules we need to support NAT and the protocols with
# unusual behaviour (FTP and IRC open secondary connections)
modprobe iptable_nat
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_irc ip_nat_irc

#make sure packet forwarding enabled by kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#flushing existing tables
iptables --flush
iptables -t nat --flush

#enable connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#allowing one service on this machine ssh
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

#enable loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# accept established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


#Allow inbound service
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.4 --destination-port 3389 -j ACCEPT

This confuses me right here. Is 192.168.0.4 the actual IP machines are
requesting? Or is there a public IP that you want forwarded to that address
if they are trying to hit 3389? I'm kind of guessing the second one by the
content of your message. If that is the case I think you would need to have
something like this:

iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d YOUR.PUBLIC.I.P --destination-port 3389 -j ACCEPT

And then something like this in your NAT section:

-A PREROUTING -i eth0 -p tcp -m tcp -d YOUR.PUBLIC.I.P --dport 3389 -j DNAT --to-destination 192.168.0.4:443

If I am making an incorrect assumption, you can feel free to tell me to blow
it out my arse :)

Josh

<snip>
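For readers following this thread, here is an added example of the DNAT and FORWARD rule pair for the port forward being discussed. It is not code from either poster; the interface names (eth0 public, eth1 internal), the internal host 192.168.0.4 and port 3389 are assumptions taken from the thread, and the script only prints the rules unless APPLY=1 is set, so it can be run on any host to see what would be applied. The point it demonstrates is netfilter ordering: DNAT happens in nat/PREROUTING before the routing decision, so the filter FORWARD chain sees the packet with the internal destination already in place, and the FORWARD rule should match that address and only NEW connections on the forwarded port.

```shell
#!/bin/sh
# Added example, not code from the thread: pair a PREROUTING DNAT with the
# FORWARD rule that admits the rewritten packets. Assumed names: eth0 is the
# public interface, eth1 the internal one, 192.168.0.4 the internal host.
# Rules are printed unless APPLY=1 is set, so the script is safe to run anywhere.

APPLY=${APPLY:-0}

# run_rule: apply an iptables rule, or print it when not in APPLY mode
run_rule() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# forward_port WAN_IF LAN_IF INTERNAL_HOST PORT
# DNAT runs in nat/PREROUTING, before the routing decision, so by the time the
# packet reaches the filter FORWARD chain its destination is already the
# internal address. The FORWARD rule therefore matches the internal host, not
# the public address the client connected to.
forward_port() {
    wan=$1; lan=$2; host=$3; port=$4
    # Rewrite the destination of TCP packets arriving on the public interface.
    run_rule -t nat -A PREROUTING -i "$wan" -p tcp --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    # Admit only the new connections the DNAT produced; replies ride on the
    # RELATED,ESTABLISHED rule already present in FORWARD.
    run_rule -A FORWARD -i "$wan" -o "$lan" -p tcp -d "$host" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Default invocation: the case from the thread (TCP 3389 to 192.168.0.4).
forward_port eth0 eth1 192.168.0.4 3389
```

Run it as-is to see the two rules it would install; set APPLY=1 (as root, on the firewall) to apply them. Restricting the FORWARD rule to the DNATed host and port, rather than accepting everything from eth0 to eth1, keeps the forward from becoming a general hole between the two networks.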

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

