Re: Problem with iptables Port Forwarding

To: debian-firewall@lists.debian.org
Subject: Re: Problem with iptables Port Forwarding
From: Robert Vangel <vangelr@rfgt.net>
Date: Mon, 16 May 2005 13:54:31 +0800
Message-id: <[🔎] 42883597.9030208@rfgt.net>
In-reply-to: <[🔎] 428815EF.9060305@perthweb.com.au>
References: <[🔎] 428815EF.9060305@perthweb.com.au>

Les Ritchin wrote:

Hello all,

[snip]


Here is the script:

#!/bin/bash

# Flush any existing rules and zero the traffic counters
iptables -F
iptables -Z
iptables -t nat -F
iptables -t nat -Z

# Allow forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Disable smurf attack response
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Accept all input on local loopback
iptables -A INPUT -i lo -j ACCEPT

# Filter ADSL traffic - returning traffic is okay, new connections arechecked for valid ports, all others are rejected

# If it's an established returning connection, let it through
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT


Also add for OUTPUT (unless default policy is to accept)

iptables -A OUTPUT -o eth1 -m state \
	--state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to192.168.0.10:80
#iptables -A FORWARD -p tcp -i eth1 -d 192.168.0.10 --dport 80 -j ACCEPT


Uncomment the above


# Allow ICMP
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
# Allow SSH
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# Allow HTTP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
# Allow HTTPS
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
# Allow SMTP
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
# Allow POP3
iptables -A INPUT -i eth1 -p tcp --dport 110 -j ACCEPT
# Allow POP3-SSL
iptables -A INPUT -i eth1 -p tcp --dport 995 -j ACCEPT
# Allow Alternate HTTP for APC
iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
# Doesn't match any of the above, reject the packet
iptables -A INPUT -i eth1 -j REJECT

# Allow all staff traffic (defined by all INPUT on ETH0) through if it'sa local address

iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT

# If it doesn't match the above subnet on the internal network, someonemay be doing something nasty, so reject the packet

iptables -A INPUT -i eth0 -j REJECT

# This sets up Network Address Translation
# When the packet is ready to be resent, the IP headers are rewritten
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.91
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source xxx.xxx.xxx.xxx

Also make sure that the masterswitch isn't configured to only allowtraffic from the local network. You can test this by doing a SSH tunnel.


Just in case you don't know how..

ssh -L 8080:192.168.0.10:80 <host>

go to http://localhost:8080

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply to:

Follow-Ups:
- Re: Problem with iptables Port Forwarding
  - From: Robert Vangel <vangelr@rfgt.net>

References:
- Problem with iptables Port Forwarding
  - From: Les Ritchin <les@perthweb.com.au>

Prev by Date: Problem with iptables Port Forwarding
Next by Date: Re: Problem with iptables Port Forwarding
Previous by thread: Problem with iptables Port Forwarding
Next by thread: Re: Problem with iptables Port Forwarding
Index(es):
- Date
- Thread