
Re: can't get portforwarding to work



* Heusden, Folkert van (f.v.heusden@ftr.nl) [011022 03:18]:
> Hi,
> 
> I have this very simple firewall script which should forward a couple of ports to a
> system on the intranet. Symptom: it doesn't work.
> Anyone have a clue what I'm doing wrong here?
> $1 is the interface to the internet (ppp0)
> eth1 is the intranet
> 
> /usr/sbin/iptables -F INPUT
> /usr/sbin/iptables -F OUTPUT
> /usr/sbin/iptables -F FORWARD
> /usr/sbin/iptables -P INPUT ACCEPT
> /usr/sbin/iptables -P FORWARD DROP
> /usr/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/23 -d 0/0 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 25 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.25 --dport 80 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 110 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 10000 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -i $1 -o eth1 -p tcp -d 192.168.0.101 --dport 10001 -j ACCEPT
> 
> /usr/sbin/iptables -A FORWARD -i eth1 -o $1 -j ACCEPT
> /usr/sbin/iptables -A FORWARD -o eth1 -i $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> /usr/sbin/iptables -A INPUT -i $1 -d 192.168.0.0/24 -j DROP
> /usr/sbin/iptables -A INPUT -i $1 -s 192.168.0.0/24 -d 0/0 -j DROP
> /usr/sbin/iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j DROP
> /usr/sbin/iptables -t nat -A POSTROUTING -o $1 -s 192.168.0.0/24 -j MASQUERADE
> 
> /usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 25 -j DNAT --to-destination 192.168.0.101:25
> /usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 80 -j DNAT --to-destination 192.168.0.25:80
> /usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 110 -j DNAT --to-destination 192.168.0.101:110
> /usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 10000 -j DNAT --to-destination 192.168.0.101:80
> /usr/sbin/iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 10001 -j DNAT --to-destination 192.168.0.101:443
> 

You're not allowing the incoming DNAT traffic to pass through your
FORWARD chain. Try adding these:

/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -p tcp -d 192.168.0.101 --dport 25 -j ACCEPT
/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -p tcp -d 192.168.0.25 --dport 80 -j ACCEPT
/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -p tcp -d 192.168.0.101 --dport 110 -j ACCEPT
/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -p tcp -d 192.168.0.101 --dport 80 -j ACCEPT
/usr/sbin/iptables -A FORWARD -o eth1 -i $1 -p tcp -d 192.168.0.101 --dport 443 -j ACCEPT

> p.s. what line should I add if I want to shield the other ports? (1-1023,
> not 25,80,110 and ssh)

I'm not sure what you mean by this; incoming packets on other ports will
either be demasqueraded to an internal host or DROPped in your INPUT
chain.

good times,

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'
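
An added example, not part of the original message: a Python check for the mismatch the reply points at. DNAT in PREROUTING rewrites the destination before the FORWARD chain sees the packet, so FORWARD must accept the translated host and port. It assumes `$1` is `ppp0`, keeps the page's `SECRET` placeholder, and uses a simplified parser (every option takes one argument); the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed input: the poster's rules with $1 expanded to ppp0 (assumption)
# and the /usr/sbin/ prefix dropped. SECRET is the page's own placeholder.
RULES = """
iptables -A FORWARD -i ppp0 -o eth1 -p tcp -d 192.168.0.101 --dport 25 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth1 -p tcp -d 192.168.0.25 --dport 80 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth1 -p tcp -d 192.168.0.101 --dport 110 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth1 -p tcp -d 192.168.0.101 --dport 10000 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth1 -p tcp -d 192.168.0.101 --dport 10001 -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT
iptables -A FORWARD -o eth1 -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 25 -j DNAT --to-destination 192.168.0.101:25
iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 80 -j DNAT --to-destination 192.168.0.25:80
iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 110 -j DNAT --to-destination 192.168.0.101:110
iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 10000 -j DNAT --to-destination 192.168.0.101:80
iptables -A PREROUTING -t nat -p tcp -d SECRET --dport 10001 -j DNAT --to-destination 192.168.0.101:443
"""

def parse(line):
    # Every option in these rules takes exactly one argument, so pair them up.
    tok = shlex.split(line)[1:]
    return dict(zip(tok[0::2], tok[1::2]))

def admits(fwd, proto, host, port, wan, lan):
    # True if a FORWARD ACCEPT rule passes a NEW, already-translated packet.
    return (fwd.get("-i", wan) == wan and fwd.get("-o", lan) == lan
            and fwd.get("-p", proto) == proto
            and fwd.get("--dport", port) == port
            and "NEW" in fwd.get("--state", "NEW").split(",")
            and ipaddress.ip_address(host)
                in ipaddress.ip_network(fwd.get("-d", "0.0.0.0/0"), strict=False))

def uncovered_dnat(text, wan="ppp0", lan="eth1"):
    # (public port, internal host, internal port) for each DNAT rule whose
    # translated destination is not accepted by any FORWARD rule.
    rules = [parse(l) for l in text.strip().splitlines()]
    forward = [r for r in rules if r.get("-A") == "FORWARD" and r.get("-j") == "ACCEPT"]
    missing = []
    for r in rules:
        if r.get("-j") == "DNAT":
            host, port = r["--to-destination"].split(":")
            if not any(admits(f, r.get("-p"), host, port, wan, lan) for f in forward):
                missing.append((r["--dport"], host, port))
    return missing
```

The FORWARD rules for ports 10000 and 10001 never match, because by the time the packet is filtered its destination port is already 80 or 443.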
