Problem with iptables Port Forwarding
Hello all,
I have a Debian Sarge box with 2 ethernet cards. eth0 is the internal
card and has the static IP 192.168.0.91. eth1 is the external interface
card and does not have an IP, as it is a bridged connection to the ADSL
modem (PPPoE). ppp0 has a static IP set by the ISP (which is referred to
as xxx.xxx.xxx.xxx). The box runs a web and email server (Apache, Exim
and Dovecot).
I have written an iptables script that allows selected ports through on
the external interface, and allows users to use the ADSL connection from
the local network.
Recently, they asked me to install an APC masterswitch which has a web
interface on standard port 80. They wanted to be able to use it from
outside of the network, so I decided to redirect port 8080 to the switch
at the gateway. The switch has the static IP address of 192.168.0.10.
Unfortunately, the redirection bit is the only thing I can't get
working. I've read and re-read Rusty Russell's NAT howto and followed
his example. I've switched the order of iptables commands around in the
script and have tried turning off DROP and REJECT commands also as a
troubleshooting measure (for these reasons, there might be a few
superfluous commands).
Any help with this problem would be greatly appreciated. Also, please
let me know if I've created any gaping security holes ;)
Here is the script:
#!/bin/bash
# Flush any existing rules and zero the traffic counters
iptables -F
iptables -Z
iptables -t nat -F
iptables -t nat -Z
# Allow forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# Disable smurf attack response
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Accept all input on local loopback
iptables -A INPUT -i lo -j ACCEPT
# Filter ADSL traffic - returning traffic is okay, new connections are checked for valid ports, all others are rejected
# If it's an established returning connection, let it through
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to 192.168.0.10:80
#iptables -A FORWARD -p tcp -i eth1 -d 192.168.0.10 --dport 80 -j ACCEPT
# Allow ICMP
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
# Allow SSH
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# Allow HTTP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
# Allow HTTPS
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
# Allow SMTP
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
# Allow POP3
iptables -A INPUT -i eth1 -p tcp --dport 110 -j ACCEPT
# Allow POP3-SSL
iptables -A INPUT -i eth1 -p tcp --dport 995 -j ACCEPT
# Allow Alternate HTTP for APC
iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
# Doesn't match any of the above, reject the packet
iptables -A INPUT -i eth1 -j REJECT
# Allow all staff traffic (defined by all INPUT on ETH0) through if it's a local address
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
# If it doesn't match the above subnet on the internal network, someone may be doing something nasty, so reject the packet
iptables -A INPUT -i eth0 -j REJECT
# This sets up Network Address Translation
# When the packet is ready to be resent, the IP headers are rewritten
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.91
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source xxx.xxx.xxx.xxx
--
Les
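An added example (not Les's script, and not from any reply on the list) showing the same ruleset with the external-side rules keyed to ppp0 rather than eth1. On a bridged PPPoE link the ISP's IP traffic arrives on ppp0; eth1 carries only PPPoE frames, so "-i eth1" rules never match anything and ppp0 is left unfiltered with the default ACCEPT policy. The example sets default-deny policies on INPUT and FORWARD, adds the FORWARD rule the DNAT needs, and uses MASQUERADE on ppp0 instead of SNAT to the placeholder address. The interface names, subnet and APC address are taken from the post; DRY_RUN, IPT and the "apply" argument are constructed here so the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example: port-forward ruleset for a PPPoE gateway.
# Assumptions (constructed, not from the original post): ppp0 carries the
# public IP, the LAN is 192.168.0.0/24 on eth0, and the APC switch is
# 192.168.0.10:80 reached from outside via port 8080.
# DRY_RUN=1 prints the commands instead of running them, so the ruleset can
# be inspected on a machine without iptables or root.

EXT_IF=${EXT_IF:-ppp0}          # interface that actually carries the public IP
INT_IF=${INT_IF:-eth0}          # LAN side
LAN=${LAN:-192.168.0.0/24}
APC_IP=${APC_IP:-192.168.0.10}  # APC masterswitch web interface
APC_PORT=${APC_PORT:-8080}      # public-facing port redirected to the switch
IPT=${IPT:-iptables}

# Run (or, in dry-run mode, print) one iptables command
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Write (or print) a net.ipv4 sysctl; $1 is the path under /proc/sys/net/ipv4
set_sysctl() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo $2 > /proc/sys/net/ipv4/$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

apply_rules() {
    set_sysctl ip_forward 1
    set_sysctl icmp_echo_ignore_broadcasts 1
    set_sysctl conf/all/accept_source_route 0
    set_sysctl icmp_ignore_bogus_error_responses 1

    ipt -F; ipt -Z; ipt -t nat -F; ipt -t nat -Z

    # Fail closed: anything not explicitly allowed below is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p icmp -j ACCEPT
    # Services hosted on the gateway itself (SSH, HTTP, HTTPS, SMTP, POP3, POP3S)
    for p in 22 80 443 25 110 995; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # No INPUT rule for 8080: after DNAT the packet is destined for the APC,
    # so it traverses FORWARD, not INPUT.

    # Port forward: rewrite the destination in PREROUTING, then permit the
    # rewritten flow through FORWARD (DNAT alone does not bypass FORWARD).
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$APC_PORT" \
        -j DNAT --to-destination "$APC_IP:80"
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$APC_IP" --dport 80 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # LAN hosts may open connections outward through the ADSL link
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT

    # Source NAT for LAN traffic leaving on ppp0. MASQUERADE picks up the
    # interface address itself, so no public IP has to be hard-coded.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

# Usage: as root, "sh fw.sh apply"; to review first, "DRY_RUN=1 sh fw.sh apply"
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Checking the live table with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` after applying shows whether the DNAT and FORWARD counters increase when port 8080 is hit from outside; if the DNAT counter stays at zero, the packets are not arriving on the interface the rule names.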