On Sun, Dec 09, 2001 at 06:52:49PM +0000, Américo Rocha wrote:
>
> Hi all,
>
> I'm trying to forward port ssh (22) to another computer
> on my intranet
>
> The network topology is simple: 192.168.0.12, is connected
> on eth0 to dhcp, and eth1 acts as a NAT to the intranet
> consisting of 9 computers.
>
> here's the firewall script (iptables) i use:
>
> #!/bin/sh
> #########################################
> # Script created using EasyTables v0.8.4-3
> # by Roi Dayan
> #########################################
> #printf "."
> IPC=/usr/local/sbin/iptables
> IF=eth0
> #IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
> #MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`
> #NET=$IP/$MASK
>
> #printf "."
> #Delete user made chains. Flush and zero the chains.
> $IPC -F
> $IPC -X
> $IPC -Z
> $IPC -t nat -F
> $IPC -t nat -X
> $IPC -t nat -Z
>
> #Creating custom chains.
> $IPC -N LDROP
> $IPC -A LDROP -p tcp -j LOG --log-level debug --log-prefix "DROP "
> $IPC -A LDROP -p udp -j LOG --log-level debug --log-prefix "DROP "
> $IPC -A LDROP -p icmp -j LOG --log-level debug --log-prefix "DROP "
> $IPC -A LDROP -f -j LOG --log-level warning --log-prefix "DROP "
> $IPC -A LDROP -j DROP
> $IPC -N LREJECT
> $IPC -A LREJECT -p tcp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LREJECT -p udp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LREJECT -p icmp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LREJECT -f -j LOG --log-level warning --log-prefix "REJECT "
> $IPC -A LREJECT -j REJECT
> $IPC -N LACCEPT
> $IPC -A LACCEPT -p tcp -j LOG --log-level debug --log-prefix "ACCEPT "
> $IPC -A LACCEPT -p udp -j LOG --log-level debug --log-prefix "ACCEPT "
> $IPC -A LACCEPT -p icmp -j LOG --log-level debug --log-prefix "ACCEPT "
> $IPC -A LACCEPT -f -j LOG --log-level warning --log-prefix "ACCEPT "
> $IPC -A LACCEPT -j ACCEPT
> $IPC -N TREJECT
> $IPC -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
> $IPC -A TREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
> $IPC -A TREJECT -j REJECT
> $IPC -N LTREJECT
> $IPC -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
> $IPC -A LTREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
> $IPC -A LTREJECT -p tcp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LTREJECT -p udp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LTREJECT -p icmp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LTREJECT -f -j LOG --log-level warning --log-prefix "REJECT "
> $IPC -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
> $IPC -A LTREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
> $IPC -A LTREJECT -j REJECT
>
>
> #printf "."
> #Modules to help certain services
> #/sbin/depmod -a >/dev/null 2>&1
> #/sbin/modprobe ip_masq_ftp >/dev/null 2>&1
> #/sbin/modprobe ip_masq_raudio >/dev/null 2>&1
> #/sbin/modprobe ip_masq_irc >/dev/null 2>&1
> #/sbin/modprobe ip_masq_icq >/dev/null 2>&1
> #/sbin/modprobe ip_masq_quake >/dev/null 2>&1
> #/sbin/modprobe ip_masq_user >/dev/null 2>&1
> #/sbin/modprobe ip_masq_vdolive >/dev/null 2>&1
>
> #printf "."
> #Allow all traffic on the loopback interface (lo)
> $IPC -I INPUT -i lo -j ACCEPT
> $IPC -I OUTPUT -o lo -j ACCEPT
> $IPC -I INPUT -i ! lo -s 127.0.0.0/255.0.0.0 -j DROP

Should this be:

$IPC -I INPUT -i ! lo -d 127.0.0.0/255.0.0.0 -j DROP

I think you are trying to drop packets to destination loopback that are
actually coming from somewhere else (ie. not the lo interface).

>
> #printf "."
> #Allow connections with the ack bit set.
> #(They are from an established connections)
> $IPC -A INPUT -p tcp ! --syn -i $IF -j ACCEPT
>
> #printf "."
> #Turn on source address verification in kernel
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 1 > $f
> done
> fi
>
> #printf "."
> #Turn on syn cookies protection in kernel
> if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
> then
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> fi
>
> #printf "."
> #Set up kernel to handle dynamic IP masquerading
> if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
> then
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> fi
>
> #printf "."
> #to enable ip MASQUERADE and automatic defragmentation (for masquerading)
> echo 1 > /proc/sys/net/ipv4/ip_forward
> #echo 1 > /proc/sys/net/ipv4/ip_always_defrag
>
> #printf "."
> #timeouts
> #$IPC -M -S 14400 60 600
>
> #printf "."
> #Block nonroutable IPs
> $IPC -A INPUT -j DROP -s 10.0.0.0/8 -i $IF
> $IPC -A INPUT -j DROP -s 127.0.0.0/8 -i $IF
> $IPC -A INPUT -j DROP -s 172.16.0.0/12 -i $IF
> $IPC -A INPUT -j DROP -s 192.168.0.0/16 -i $IF
>
> #printf "."
> #Block Back Orifice
> $IPC -A INPUT -p tcp -i $IF --dport 31337 -j LDROP
> $IPC -A INPUT -p udp -i $IF --dport 31337 -j LDROP
>
> #Block NetBus
> $IPC -A INPUT -p tcp -i $IF --dport 12345:12346 -j LDROP
> $IPC -A INPUT -p udp -i $IF --dport 12345:12346 -j LDROP
>
> #Block Trin00
> $IPC -A INPUT -p tcp -i $IF --dport 1524 -j LDROP
> $IPC -A INPUT -p tcp -i $IF --dport 27665 -j LDROP
> $IPC -A INPUT -p udp -i $IF --dport 27444 -j LDROP
> $IPC -A INPUT -p udp -i $IF --dport 31335 -j LDROP
>
> #printf "."
> #Block Multicast
> $IPC -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
> $IPC -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP
>
> #printf "."
> #PortsRules
>
> #FTP(21)
> $IPC -A INPUT -p tcp -i $IF --dport 21 -j LACCEPT
>
> #SSH
> $IPC -A INPUT -p tcp -i $IF --dport 22 -j LACCEPT
>
> #Telnet
> $IPC -A INPUT -p tcp -i $IF --dport 23 -j LACCEPT
>
> #SMTP
> $IPC -A INPUT -p tcp -i $IF --dport 25 -j LACCEPT
>
> #WWW
> $IPC -A INPUT -p tcp -s 0/0 -i $IF --dport 80 -j LACCEPT
> $IPC -A INPUT -p tcp -i $IF --dport 80 -j LACCEPT
>
> #Rejecting (not denying) ident requests.
> $IPC -A INPUT -p tcp -i $IF --dport 113 -j TREJECT
> $IPC -A INPUT -p udp -i $IF --dport 113 -j TREJECT
> #Blocking access to the X Server ports.
> $IPC -A INPUT -p tcp -i $IF --dport 5999:6003 -j LDROP
> $IPC -A INPUT -p udp -i $IF --dport 5999:6003 -j LDROP
> $IPC -A INPUT -p tcp -i $IF --dport 7100 -j LDROP
> #printf "."
>
> #Settings for internal interfaces (LAN) - Internet Connection Share.
> $IPC -A FORWARD -i $IF -j ACCEPT
> $IPC -A FORWARD -o $IF -j ACCEPT
> $IPC -t nat -A POSTROUTING -o $IF -j MASQUERADE
> #printf "."
> #printf "."
> #Settings for internal interfaces (LAN).
> InternalIP=`/sbin/ifconfig eth1 | grep inet | cut -d : -f 2 | cut -d \ -f 1`
> InternalMASK=`/sbin/ifconfig eth1 | grep Mas | cut -d : -f 4`
> InternalNET=$InternalIP/$InternalMASK
> $IPC -A INPUT -i eth1 -j ACCEPT
> $IPC -A OUTPUT -o eth1 -j ACCEPT
> $IPC -A INPUT -i ! eth1 -s $InternalNET -j DROP
> #printf "."
>
>
> #printf "."
> ### Custom rules should be added here ###
>
> #########################################
>
> #printf "."
> #Set telnet, www, smtp, pop3 and FTP for minimum delay
> #$IPC -A OUTPUT -p tcp -d 0/0 80 -t 0x01 0x10
> #$IPC -A OUTPUT -p tcp -d 0/0 22 -t 0x01 0x10
> #$IPC -A OUTPUT -p tcp -d 0/0 23 -t 0x01 0x10
> #$IPC -A OUTPUT -p tcp -d 0/0 21 -t 0x01 0x10
> #$IPC -A OUTPUT -p tcp -d 0/0 110 -t 0x01 0x10
> #$IPC -A OUTPUT -p tcp -d 0/0 25 -t 0x01 0x10
>
> $IPC -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
> $IPC -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
> $IPC -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
> $IPC -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
> $IPC -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Minimize-Delay
> $IPC -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
> #printf "."
> #Set ftp-data for maximum throughput
> #$IPC -A OUTPUT -p tcp -d 0/0 20 -t 0x01 0x08
>
> $IPC -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
> #printf "."
> #Allow ICMP
> $IPC -A INPUT -p icmp -i $IF -j ACCEPT
> $IPC -A OUTPUT -p icmp -o $IF -j ACCEPT
>
> #printf "."
> #Open ports for established connections
> $IPC -A INPUT -m state --state ESTABLISHED -j ACCEPT
> $IPC -A INPUT -m state --state RELATED -j ACCEPT
> $IPC -A INPUT -p tcp -i $IF --dport 1023:65535 -j ACCEPT
> $IPC -A INPUT -p udp -i $IF --dport 1023:65535 -j ACCEPT
>
> #printf "."
> #Set default rule on MASQUERADE chain to DROP
> $IPC -P FORWARD DROP
>
> #printf "."
> #DROP everything else
> $IPC -P OUTPUT ACCEPT
> $IPC -A INPUT -i $IF -j LDROP
> #printf "."
> ###################### Port-Forwarding ???..... ################################
> # $IPC -A PREROUTING -t nat -p tcp -i eth0 -o eth1 --dport 22 -j DNAT --to 192.168.0.8
> # $IPC -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.8 --dport 22 -j ACCEPT
>
> The last two lines on this script are commented out; the port-forward didn't work.
>
> I'm running debian 2.2r4 (potato) on both machines, but i have apt-get'ed
> all the necessary packages so i could use iptables and kernel 2.4.
>

I think the rules should be something like:

$IPC -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 192.168.0.8
$IPC -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.8 --dport 22 -j ACCEPT

I don't think that you specify the out interface (-o) in the PREROUTING chain.
This may be the cause of your error.

Also, check the comments I made above.

I am not totally sure of this - perhaps better ask the same on the
debian-firewall list.

Cheers.

Mark.