[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Problem with iptables Port Forwarding

Les Ritchin wrote:
Hello all,


Here is the script:


# Flush any existing rules and zero the traffic counters
iptables -F
iptables -Z
iptables -t nat -F
iptables -t nat -Z

# Allow forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Disable smurf attack response
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Accept all input on local loopback
iptables -A INPUT -i lo -j ACCEPT

# Filter ADSL traffic - returning traffic is okay, new connections are checked for valid ports, all others are rejected
# If it's an established returning connection, let it through
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also add for OUTPUT (unless default policy is to accept)

iptables -A OUTPUT -o eth1 -m state \

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to
#iptables -A FORWARD -p tcp -i eth1 -d --dport 80 -j ACCEPT

Uncomment the above

# Allow ICMP
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
# Allow SSH
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# Allow HTTP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
# Allow HTTPS
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
# Allow SMTP
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
# Allow POP3
iptables -A INPUT -i eth1 -p tcp --dport 110 -j ACCEPT
# Allow POP3-SSL
iptables -A INPUT -i eth1 -p tcp --dport 995 -j ACCEPT
# Allow Alternate HTTP for APC
iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
# Doesn't match any of the above, reject the packet
iptables -A INPUT -i eth1 -j REJECT

# Allow all staff traffic (defined by all INPUT on ETH0) through if it's a local address
iptables -A INPUT -i eth0 -s -j ACCEPT
# If it doesn't match the above subnet on the internal network, someone may be doing something nasty, so reject the packet
iptables -A INPUT -i eth0 -j REJECT

# This sets up Network Address Translation
# When the packet is ready to be resent, the IP headers are rewritten
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source xxx.xxx.xxx.xxx

Also make sure that the masterswitch isn't configured to only allow traffic from the local network. You can test this by doing a SSH tunnel.

Just in case you don't know how..

ssh -L 8080: <host>

go to http://localhost:8080

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply to: