Firewall Wizards mailing list archives

Re: iptables problem forwarding


From: Luca Berra <bluca () comedia it>
Date: Tue, 1 Apr 2003 08:23:43 +0200

On Sun, Mar 30, 2003 at 11:38:31AM -0500, Weazy wrote:
> hello folks.
> 
> i have built an iptables firewall that i am mostly happy with. the main
> problem that still exists is the firewall will not allow connections i do
> want to permit.
> 
> 1. i want to allow ssh
> 2. want to forward port 3389 to an internal machine.
> 
> i posted my iptables here hoping someone can see the mistake.
> i have commented each line so you know what i am trying to do. I have the
> input policy set as drop. i have tried setting that to accept with no change
> in results.
> 
> thank you in advance
the topology is not clear
what are the ip addresses of your interfaces? ok i can guess
eth0 is a private net and eth1 is an external ip (cable modem or
similar)
is 192.168.0.4 routed from outside? i guess not.
with forward do you mean doing port forwarding?

> #allowing one service on this machine ssh
> iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
udp 22 ?????

> #Allow inbound service
> iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.4 --destination-port 3389 -j ACCEPT
if you want to do port forwarding to internal machine use:
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.4

> iptables -A INPUT -p tcp -j LOG -m limit --limit 500/hour --limit-burst 500 --log-prefix "MIRROR: "
> iptables -A INPUT -p tcp -j MIRROR -m limit --limit 500/hour --limit-burst 500
why on earth might you be doing that?????

> iptables -t nat -F
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
ouch, i thought eth1 was the external interface

L.

--
Luca Berra -- bluca () comedia it
       Communication Media & Services S.r.l.
/"\
\ /     ASCII RIBBON CAMPAIGN
 X        AGAINST HTML MAIL
/ \
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
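The reply above points out three things: port forwarding needs a DNAT rule in nat/PREROUTING, the FORWARD rule has to match the packet after that rewrite (arriving on the external interface, leaving on the internal one), and source NAT belongs on the external interface, not eth0. The script below is an added example that pulls those corrections into one rule set; it is not code from the thread. It follows the reply's guess that eth1 is the external interface and eth0 the LAN, keeps 192.168.0.4 as the RDP host, and uses a constructed placeholder public address 203.0.113.10. By default it only prints the commands it would run; setting IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed layout (from the
# reply's guess): eth1 external, eth0 LAN, RDP host 192.168.0.4, and a
# constructed placeholder public address 203.0.113.10.
# With IPT left at its default the rules are only printed (dry run).
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth1}"
INT_IF="${INT_IF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
RDP_HOST="${RDP_HOST:-192.168.0.4}"

build_rules() {
    # Start from a clean table with default-deny on INPUT and FORWARD.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Replies to connections that were already accepted, plus loopback.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # SSH to the firewall itself from the LAN: TCP only, ssh has no UDP port.
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Port forwarding step 1: rewrite the destination in nat/PREROUTING
    # for traffic arriving on the external interface.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 3389 \
        -j DNAT --to-destination "$RDP_HOST"

    # Step 2: FORWARD sees the packet after DNAT, so it matches on the
    # internal address, entering on eth1 and leaving on eth0 (the original
    # rule had the interfaces the other way round).
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$RDP_HOST" --dport 3389 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Outbound LAN traffic: forward it and source-NAT it on the external
    # interface (the original SNAT rule was on eth0, the inside).
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"

    # Log what INPUT is about to drop, rate-limited, rather than reflecting it.
    $IPT -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT DROP: "
}

# The kernel must also be told to route between interfaces.
enable_forwarding() {
    ${SYSCTL:-echo sysctl} -w net.ipv4.ip_forward=1
}

build_rules
enable_forwarding
```

The conntrack ESTABLISHED,RELATED rules sit first in INPUT and FORWARD so that only the first packet of each connection has to pass the explicit rules; the DNAT rule is in PREROUTING because that chain is traversed before the routing decision, which is what lets the FORWARD chain then see the internal destination.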

