Firewall Wizards mailing list archives
iptables problem forwarding
From: "Weazy" <opensource () hackerthreads com>
Date: Sun, 30 Mar 2003 11:38:31 -0500
Hello folks. I have built an iptables firewall that I am mostly happy with. The main problem that still exists is that the firewall will not allow connections I do want to permit.

1. I want to allow ssh.
2. I want to forward port 3389 to an internal machine.

I posted my iptables here hoping someone can see the mistake. I have commented each line so you know what I am trying to do. I have the INPUT policy set as DROP. I have tried setting that to ACCEPT with no change in results. Thank you in advance.

# setting up modules we need to support NAT and add protocols with unordinary behavior
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_irc
modprobe ip_nat_irc

# make sure packet forwarding is enabled by the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# flushing existing tables
iptables --flush
iptables -t nat --flush

# enable connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# allowing one service on this machine: ssh
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

# enable loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# accept established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow inbound service
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.4 --destination-port 3389 -j ACCEPT

# defend against port scans and DDoS attacks
# dealing with packets w/o SYN flags when they are new
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "new no-SYN: "
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ACK ACK -m state --state NEW -j LOG --log-prefix "New ACK: "

# enforcing TCP standards
iptables -A INPUT -p tcp --tcp-option \! 2 -j LOG --log-tcp-options --log-prefix "TCP standards not met: "
iptables -A INPUT -p tcp --tcp-option \! 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -j LOG -m limit --limit 500/hour --limit-burst 500 --log-prefix "MIRROR: "
iptables -A INPUT -p tcp -j MIRROR -m limit --limit 500/hour --limit-burst 500

# dropping packets on the internet side going to/from private-use multicast, also making sure we don't spoof
# others or allow internal spoofing
#iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
#iptables -A OUTPUT -o eth0 -s 192.168.0.0/24 -j DROP

# allowing all outbound traffic
iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT

# rewrite all connections coming from the private network to use the eth0 address and rewrite the response
# appropriately
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x

iptables -P INPUT DROP

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
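The port forward the poster is after, written out as an added example that is not part of the original post or its script. It assumes eth0 is the Internet side and eth1 the LAN, uses the constructed public address 203.0.113.10 in place of the post's x.x.x.x, and shows the nat/PREROUTING DNAT that has to accompany the FORWARD rule for a forward to work at all.

```shell
#!/bin/sh
# Added example, not the poster's script: the minimal rule set that forwards one
# TCP port from the Internet side to an internal host.  Assumptions: eth0 is the
# Internet interface, eth1 the LAN, and 203.0.113.10 is a constructed public
# address standing in for the post's x.x.x.x.  Set IPT=echo to print the rules
# instead of applying them (no root needed, no live firewall touched).

IPT="${IPT:-iptables}"

# Forward-path skeleton: track replies first, then let the LAN out.
base_forward_rules() {
    ext_if=$1; int_if=$2
    if [ "$IPT" = iptables ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -j ACCEPT
}

# The three rules an inbound port forward needs.
forward_tcp_port() {
    ext_if=$1; int_if=$2; public_ip=$3; int_host=$4; port=$5

    # 1. A packet addressed to the firewall's own IP is delivered locally
    #    (INPUT chain) and never enters FORWARD.  DNAT in nat/PREROUTING
    #    rewrites the destination before the routing decision, so the
    #    packet is routed towards the LAN instead.
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$public_ip" \
        --dport "$port" -j DNAT --to-destination "$int_host:$port"

    # 2. filter/FORWARD sees the rewritten destination, so match on the
    #    internal host, not the public address.  NEW only: replies are
    #    already accepted by the RELATED,ESTABLISHED rule above.
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$int_host" \
        --dport "$port" -m state --state NEW -j ACCEPT

    # 3. LAN-originated traffic leaves with the public source address.
    #    Replies to the DNATed connection are un-NATed by conntrack on
    #    their own; no extra rule is needed for them.
    $IPT -t nat -A POSTROUTING -o "$ext_if" -j SNAT --to-source "$public_ip"
}

# Print the rule set without applying it:  sh forward-3389.sh show
if [ "${1:-}" = show ]; then
    IPT=echo
    base_forward_rules eth0 eth1
    forward_tcp_port eth0 eth1 203.0.113.10 192.168.0.4 3389
fi
```

Run with `show` to review the generated rules; running without it applies them with the real iptables binary, which needs root.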