
Re: my iptables script



Tarragon,

a pair of these rules:
(eth0: external)
iptables -A FORWARD -m state --state NEW -p tcp -i eth0 -d 192.168.0.2
--dport 2401
iptables -t nat -A POSTROUTING -i eth0 -p tcp --dport 2401 -j DNAT
--to-destination 192.168.0.1:2401

still does not show port 2401 open with an nmap localhost on the
gateway. I hope I understood your changes correctly. Logically this
should work.

Jule

On Wed, 2003-09-03 at 21:32, Tarragon Allen wrote:
> On Thursday 04 September 2003 11:15, Jule Slootbeek wrote:
> > Hi,
> > Thank you for your feedback, I took your advice I think..:) and this is
> > what I came up with
> >
> >  echo "Setting firewall rules..."
> >     #ipforwarding and masquerading
> >     iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j
> > MASQUERADE
> >     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >     iptables -A INPUT -i lo -j ACCEPT
> >     iptables -A OUTPUT -m state --state NEW -j ACCEPT
> >     iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >     iptables -A FORWARD -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
> >     # allows for forwarding
> >     iptables -A FORWARD -m state --state NEW -p tcp -s 140.232.x.x
> > --dport 2401 -j ACCEPT
> >     iptables -A FORWARD -m state --state NEW -p tcp -s 140.232.x.x
> > --dport 22 -j ACCEPT
> >     iptables -A FORWARD -m state --state NEW -p tcp -s 140.232.x.x
> > --dport 80 -j ACCEPT
> >
> > #redirecting ports
> >     iptables -t nat -A PREROUTING -d 140.232.x.x1 -p tcp --dport 2401 -j
> > DNAT --to-destination 192.168.0.2:2401
> >     iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 80 -j
> > DNAT --to-destination 192.168.0.2:80
> >     iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 22 -j
> > DNAT --to-destination 192.168.0.3:22
> > ;;
> >
> > but now when I run the firewall, ports 2401 and 80 are not open, (nmap
> > localhost) and nmap 140.232.x.x times out. I'm not sure what's wrong.
> > TIA,
> >
> > Jule
> 
> First things first, I have to ask the obvious: have you enabled forwarding?
> 
> sysctl -w net/ipv4/ip_forward=1
> 
> Secondly, you are defining a source address of 140.232.x.x in your FORWARD 
> rules, that should be destination address, not source address. Also, you may 
> need to use the internal end-point rather than the external address in those 
> FORWARD rules, ie: 192.168.0.2 instead of 140.232.x.x. I'd also use '-i eth0' 
> for those FORWARD rules (or whatever your external interface is, ppp0 or 
> whatever).
> 
> Hope this helps.
> 
> t
> -- 
> GPG: http://n12turbo.com/tarragon/public.key
> 
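The rule pairing Tarragon describes, written out as an added example (not code from either poster): the DNAT goes in PREROUTING on the external interface, and the matching FORWARD rule matches the internal endpoint as destination, because FORWARD sees the packet after DNAT. The helper names forward_port and setup, the RUN dry-run variable and the placeholder public address 140.232.0.1 are this example's assumptions (the thread masks the real address as 140.232.x.x).

```shell
#!/bin/sh
# Set RUN=echo to print the commands instead of applying them.
RUN="${RUN:-}"
EXT_IF="${EXT_IF:-eth0}"           # external interface, as in the thread
EXT_IP="${EXT_IP:-140.232.0.1}"    # constructed placeholder for the public address

# forward_port <proto> <public port> <internal host> <internal port>
forward_port() {
    proto=$1; pub_port=$2; int_host=$3; int_port=$4
    # 1. Rewrite the destination before routing. Only packets arriving on
    #    EXT_IF traverse PREROUTING; locally generated traffic (e.g. "nmap
    #    localhost" on the gateway) never does, so it is not redirected.
    $RUN iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p "$proto" \
        --dport "$pub_port" -j DNAT --to-destination "$int_host:$int_port"
    # 2. FORWARD is consulted after DNAT, so match the internal address as the
    #    destination (not the source) and the interface the packet came in on.
    $RUN iptables -A FORWARD -i "$EXT_IF" -d "$int_host" -p "$proto" \
        --dport "$int_port" -m state --state NEW -j ACCEPT
}

setup() {
    # Nothing is forwarded at all until the kernel is allowed to route.
    $RUN sysctl -w net.ipv4.ip_forward=1
    # Replies and related traffic for already-accepted connections.
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward_port tcp 2401 192.168.0.2 2401   # CVS pserver, as in the thread
    forward_port tcp 80   192.168.0.2 80
    forward_port tcp 22   192.168.0.3 22
}
```

Because of point 1, verify the forwarding from a host on the outside rather than with nmap against localhost on the gateway.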