
Re: Masquerade and DNAT with iptables



Liviu Marciu wrote:
> Hello,
>
> I'm writing to you after I received your extensive email on the DNAT
> rule; thank you, I also think it covers the whole subject.
> But my script still doesn't work.
>
> The iptables version that I'm using is 1.2.6a.
> This is the script I'm using; the masquerade for the local network
> works fine, but the web server (192.168.0.222) on the LAN is still not
> visible from the internet.
> Please note that this is not intended to be a firewall script; I
> really have no interest in security.
>
>
> #!/bin/sh
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> #/sbin/modprobe iptable_filter
> #/sbin/modprobe iptable_mangle
> /sbin/modprobe iptable_nat
> #/sbin/modprobe ipt_LOG
> #/sbin/modprobe ipt_limit
> #/sbin/modprobe ipt_state
> #/sbin/modprobe ipt_owner
> #/sbin/modprobe ipt_REJECT
> /sbin/modprobe ipt_MASQUERADE
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_conntrack_irc
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_nat_irc
>
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> # masquerade only what leaves on the internet interface (eth0), so
> # LAN-bound traffic keeps its real source address
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> # public port 8080 -> web server port 80; the rewrite happens before routing
> iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 8080 -j DNAT --to-destination 192.168.0.222:80
> # the forwarded packet already carries dport 80 here, so match 80, not 8080
> iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -j ACCEPT
>
I am not sure if you need ip_dynaddr switched on.  It is related to ISDN
dialin I think?  If you have an ethernet connection to the internet via
ADSL, cable etc. then you shouldn't need to set that.  I don't.

Also, since you are having so much trouble getting it to work initially
and are not concerned about security then set the default policies to
ACCEPT.  But make sure you change it later because a default policy of
ACCEPT is a bad idea.

Start with something like the following:

-- snip --
IPTABLES="/sbin/iptables"

# Site-specific settings (placeholders; set these to match your network
# before the rules below use them)
INET_IFACE="eth0"                     # interface facing the internet
INET_IPADDR="192.0.2.1"               # the router's public address (placeholder)
LAN_IPRANGE="192.168.0.0/24"          # LAN behind the router (assumed /24)
LINUX_SERVER_IPADDR="192.168.0.222"   # internal web server
PF_HTTP_PORT="8080"                   # public port forwarded to the server

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_limit
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe iptable_nat
modprobe ip_nat_ftp

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable always defragging Protection (obsolete now - kernel does it)
# echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable IP spoofing protection - turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

# Enable IP forwarding (for NAT)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush all chains including the user defined ones
$IPTABLES -F
$IPTABLES -t nat -F

# Delete all user defined chains
$IPTABLES -X
$IPTABLES -t nat -X

# Set the default policies (ACCEPT only while debugging; tighten later)
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# la_debug: log a packet, then accept it (used to trace the forwarding path)
$IPTABLES -N la_debug
$IPTABLES -A la_debug -j LOG --log-prefix "Debug_Accept_::"
$IPTABLES -A la_debug -j ACCEPT


# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# SNAT (Masquerading) for LAN --> Internet.
# Nb. These will be de-NATted automatically (using connection tracking).
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IPRANGE \
    -j SNAT --to-source $INET_IPADDR

#------------------------- DNAT Rules -------------------------------#
# HTTP: public port PF_HTTP_PORT on the internet interface -> internal server.
# Without a port in --to-destination the destination port is left as-is.
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp \
    --dport $PF_HTTP_PORT \
    -j DNAT --to-destination $LINUX_SERVER_IPADDR
-- end snip --

I hope this helps you a little more.  Note that I have just cut and
pasted things here from a working firewall doing both DNAT and SNAT.
However, you will have to define some of the variables I have used, such
as $LINUX_SERVER_IPADDR and $INET_IFACE, e.g.
LINUX_SERVER_IPADDR="192.168.0.222"
INET_IFACE="eth0"
etc., and these definitions will have to appear before they are used
in the script (obviously).  And use the la_debug target to help with
debugging.  For example, you can add a rule to the FORWARD chain to log
and accept all packets, e.g.
$IPTABLES -A FORWARD -j la_debug

Note that this will cause a lot of logging but if you are only
interested in the tcp port 80 stuff then this would be more specific:
$IPTABLES -A FORWARD -p tcp --dport 80 -j la_debug

Best of luck.
Regards.
Mark.
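The rule set the thread converges on (masquerade out, DNAT in, FORWARD rules that match the rewritten destination), as an added example that is not part of either post. It takes the interface names, server address and ports from the thread (eth0 facing the internet, eth1 facing the LAN, 192.168.0.222:80 published on port 8080) and assumes a /24 LAN; the function and variable names are this example's own. With DRY_RUN=1, the default, it prints the iptables invocations instead of executing them, so the generated rules can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original posts): generate the iptables rules that
# publish an internal web server behind a masquerading Linux router.  With
# DRY_RUN=1 (the default) each rule is printed instead of applied.
#
# Assumed topology (placeholders; adjust to your site):
#   INET_IFACE  internet-facing interface   (eth0 in the thread)
#   LAN_IFACE   LAN-facing interface        (eth1 in the thread)
#   LAN_NET     LAN network, assumed to be a /24
#   SERVER      internal web server         (192.168.0.222 in the thread)
#   PUB_PORT    port exposed on the router  (8080 in the thread)
#   SRV_PORT    port the server listens on  (80 in the thread)

IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# run: print or execute one iptables invocation
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# port_forward INET_IFACE LAN_IFACE LAN_NET SERVER PUB_PORT SRV_PORT
#
# The PREROUTING DNAT rewrites the destination before the routing decision,
# so the FORWARD chain already sees the packet addressed to SERVER:SRV_PORT.
# The FORWARD rules therefore match the rewritten destination, never the
# public port; matching --dport PUB_PORT in FORWARD would never hit.
port_forward() {
    inet=$1; lan=$2; lan_net=$3; server=$4; pub_port=$5; srv_port=$6

    # Outbound masquerading, limited to the internet interface so that
    # LAN-bound traffic keeps its real source address.
    run -t nat -A POSTROUTING -o "$inet" -s "$lan_net" -j MASQUERADE

    # Inbound: public port -> internal server (destination rewritten here).
    run -t nat -A PREROUTING -i "$inet" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$server:$srv_port"

    # Let the DNATed connection through (new and follow-on packets, not
    # just the SYN) and let its replies back out.
    run -A FORWARD -i "$inet" -o "$lan" -p tcp -d "$server" --dport "$srv_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$lan" -o "$inet" -p tcp -s "$server" --sport "$srv_port" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# After applying, the packet/byte counters on the DNAT rule show whether
# connection attempts from the internet reach the router at all: a counter
# stuck at zero means the packets never arrived (wrong interface, upstream
# filtering), which no FORWARD rule can fix.
show_dnat_counters() {
    "$IPT" -t nat -L PREROUTING -v -n
}

# `sh script.sh` prints the rules; `sh script.sh apply` applies them (as root).
if [ "${1:-}" = apply ]; then
    DRY_RUN=0
fi
port_forward eth0 eth1 192.168.0.0/24 192.168.0.222 8080 80
```

Two caveats a practitioner will run into. First, these FORWARD rules only matter once the FORWARD policy is DROP; with the ACCEPT policy suggested above for debugging, a missing or wrong FORWARD rule is invisible, so test the published service again after tightening the policy. Second, clients on the LAN that connect to the router's public address will not reach the server with these rules alone: the DNAT is tied to the internet interface, and a LAN-side DNAT would also need an SNAT toward the server so that replies return via the router rather than directly to the client.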


