
can't get port forwarding to work



Hi,

I have this very simple firewall script which should forward a couple of ports to a
system on the intranet. Symptom: it doesn't work.
Anyone have a clue what I'm doing wrong here?
$1 is the interface to the internet (ppp0)
eth1 is the intranet

# flush the filter chains and set the default policies
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -F OUTPUT
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/23 -d 0/0 -j ACCEPT

# forwarded connections from the internet to the intranet hosts
/usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 25 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.25 --dport 80 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 110 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 10000 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 10001 -j ACCEPT

# intranet to internet, and replies back in
/usr/sbin/iptables -A FORWARD -i eth1 -o $1 -j ACCEPT
/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# drop spoofed/stray traffic to the firewall itself, masquerade the intranet
/usr/sbin/iptables -A INPUT -i $1 -d 192.168.0.0/24 -j DROP
/usr/sbin/iptables -A INPUT -i $1 -s 192.168.0.0/24 -d 0/0 -j DROP
/usr/sbin/iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j DROP
/usr/sbin/iptables -t nat -A POSTROUTING -o $1 -s 192.168.0.0/24 -j MASQUERADE

# port forwards (SECRET = the public IP address)
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 25 -j DNAT --to-destination 192.168.0.101:25
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 80 -j DNAT --to-destination 192.168.0.25:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 110 -j DNAT --to-destination 192.168.0.101:110
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 10000 -j DNAT --to-destination 192.168.0.101:80
/usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 10001 -j DNAT --to-destination 192.168.0.101:443

P.S. What line should I add if I want to shield the other ports? (1-1023,
except 25, 80, 110 and ssh)
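The following is an added example, not the script from the post above. It restates the same port forwards in a form that avoids the most common reason such a script "doesn't work": the DNAT in nat/PREROUTING rewrites the destination port before the routing decision, so the FORWARD chain sees the packet with the internal port (80, 443), not the public one (10000, 10001). A FORWARD accept written for `--dport 10000` therefore never matches. The helper below derives the FORWARD rule from the DNAT target so the two cannot drift apart. It also answers the P.S.: with a default-deny INPUT policy, the WAN side accepts only the admin port and drops the rest of 1-1023; the forwarded services need no exception there because DNATed packets go to FORWARD, never to INPUT. Assumptions (mine, not the poster's): the WAN interface is ppp0 (the poster's `$1`), the LAN is eth1 with 192.168.0.0/24, `SECRET` stays a placeholder for the public address, ssh is on port 22, and `-m state` and `-m multiport` are available as on any stock iptables. IP forwarding also has to be switched on, which the original script does not show.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumes WAN=ppp0, LAN=eth1,
# LAN_NET=192.168.0.0/24 and PUBLIC_IP=SECRET as a placeholder for the real
# public address. "apply" loads the rules; "show" prints them without touching
# the kernel (IPT=echo).
set -e

IPT="${IPT:-/usr/sbin/iptables}"
WAN="${WAN:-ppp0}"
LAN="${LAN:-eth1}"
LAN_NET="192.168.0.0/24"
PUBLIC_IP="${PUBLIC_IP:-SECRET}"   # placeholder: the firewall's public address
ADMIN_TCP_PORTS="22"                # ports the firewall itself answers on from the WAN (assumed: ssh)

# Publish one TCP service: DNAT in nat/PREROUTING plus the matching FORWARD accept.
# FORWARD sees the packet *after* DNAT, so the accept must use the internal port
# (dst_port), not the public one (pub_port). Deriving both rules from the same
# three arguments is what keeps the 10000->80 and 10001->443 cases correct.
publish_tcp() {
    pub_port=$1; dst_ip=$2; dst_port=$3
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp -d "$PUBLIC_IP" --dport "$pub_port" \
        -j DNAT --to-destination "$dst_ip:$dst_port"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$dst_ip" --dport "$dst_port" \
        -m state --state NEW -j ACCEPT
}

apply_firewall() {
    # Clean slate and default-deny on the chains that face the WAN.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # Packets belonging to a conversation the firewall already allowed.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback and the trusted LAN may talk to the firewall itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Anti-spoofing: nothing arriving on the WAN may claim a LAN source address.
    $IPT -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # The P.S.: on the WAN side accept only the admin port(s), drop the rest of
    # 1-1023. The forwarded services never reach INPUT (DNAT happens before the
    # routing decision, so they land in FORWARD), hence no exception is needed.
    $IPT -A INPUT -i "$WAN" -p tcp -m multiport --dports "$ADMIN_TCP_PORTS" \
        -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 1:1023 -j DROP
    $IPT -A INPUT -i "$WAN" -p udp --dport 1:1023 -j DROP

    # LAN clients out to the internet, hidden behind the WAN address.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Published services (public port -> internal host:port), same mappings as the post.
    publish_tcp 25    192.168.0.101 25
    publish_tcp 80    192.168.0.25  80
    publish_tcp 110   192.168.0.101 110
    publish_tcp 10000 192.168.0.101 80
    publish_tcp 10001 192.168.0.101 443
}

case "${1:-}" in
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null; apply_firewall ;;
    show)  IPT=echo; apply_firewall ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

`sh fw.sh show` prints every rule the script would load, which is a cheap way to review the generated FORWARD lines before touching a live box; `sh fw.sh apply` enables forwarding and loads them. If forwards still fail after this, check `cat /proc/sys/net/ipv4/ip_forward` and `iptables -t nat -L -n -v` to see whether the DNAT counters increase at all.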


