Help - Search - Members - Calendar
Full Version: Iptables And Port Forwarding
Linuxhelp > Support > Technical Support
shadowvyce
I'm having difficulty setting up a firewall on a Fedora Core 1 load. I'm attemtping to have a web server behind a firewall as well as having the functionality to add other servers (hosting other ports) behind it as well with the capability to host as the firewall's IP. In addition, I would like any requests coming in for a virutall IP to be redirected to any port I need. I've copied the IPTABLES that currently is working to host just the web server. I've also included the script from which Im basing this from. However, after running this script and restarting iptables I usually get a multiple flags not allowed. Any help (and explainations) would be greatly appreciated.

# Generated by iptables-save v1.2.8 on Thu Mar 25 16:02:10 2004
*nat
:PREROUTING ACCEPT [11:709]
:POSTROUTING ACCEPT [6:312]
:OUTPUT ACCEPT [1:72]
-A PREROUTING -d 208.243.85.235 -i eth0 -j DNAT --to-destination 192.168.237.3
-A POSTROUTING -s 208.243.85.235 -o eth0 -j SNAT --to-source 192.168.237.3
COMMIT
# Completed on Thu Mar 25 16:02:10 2004
# Generated by iptables-save v1.2.8 on Thu Mar 25 16:02:10 2004
*filter
:INPUT ACCEPT [8:669]
:FORWARD ACCEPT [58:24047]
:OUTPUT ACCEPT [9:544]
-A FORWARD -d 192.168.237.3 -i eth0 -o eth1 -p tcp -m multiport --sports -m tcp --sport 1024:65535 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Mar 25 16:02:10 2004

#############################################################
#IPtables script - Although I've never been able to get this to run by sh. I've had to copy #and paste on the command line to get them to run. Got this script from #http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm#_Toc57743562
#############################################################
#---------------------------------------------------------------
# Load the NAT module
#---------------------------------------------------------------

modprobe iptable_nat

#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#---------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------
# NAT ALL traffic:
#
# TO: FROM: MAP TO SERVER:
# 97.158.253.26 Anywhere 192.168.1.100
# 97.158.253.27 Anywhere 192.168.1.101
# 97.158.253.28 Anywhere 192.168.1.102
#

# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address 97.158.253.29
#

# POSTROUTING:
# NATs source IP addresses. Frequently used to NAT connections from
# your home network to the Internet

#
# PREROUTING:
# NATs destination IP addresses. Frequently used to NAT
# connections from the Internet to your home network
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
# PREROUTING statements for 1:1 NAT
# (Connections originating from the Internet)

iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 -j DNAT --to-destination 192.168.1.100

iptables -t nat -A PREROUTING -d 97.158.253.27 -i eth0 -j DNAT --to-destination 192.168.1.101

iptables -t nat -A PREROUTING -d 97.158.253.28 -i eth0 -j DNAT --to-destination 192.168.1.102

# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)

iptables -t nat -A POSTROUTING -s 97.158.253.26 -o eth0 -j SNAT --to-source 192.168.1.100

iptables -t nat -A POSTROUTING -s 97.158.253.27 -o eth0 -j SNAT --to-source 192.168.1.101

iptables -t nat -A POSTROUTING -s 97.158.253.28 -o eth0 -j SNAT --to-source 192.168.1.102

# POSTROUTING statements for Many:1 NAT
# (Connections originating from the entire home network)

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT -o eth1 --to-source 97.158.253.29

# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here)

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100 -m multiport --dport 80,443,22 -m multiport --sport 1024:65535 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.101 -m multiport --dport 80,443,22 -m multiport --sport 1024:65535 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.102 -m multiport --dport 80,443,22 -m multiport --sport 1024:65535 -m state --state NEW -j ACCEPT

# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established
# DNAT connections

iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding for all 1:1 NAT connections originating on
# the Internet that have already passed through the NEW forwarding
# statements above

iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


Thanks again for you help!!!!



Shadowvyce
Robert83
Hi,

I have a test webserver at 217.26.69.17 , and do the same thing what you want to do...

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.100.2:80
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx
iptables -A POSTROUTING -t nat -s 192.168.100.0/255.255.255.0 -o eth1 -j SNAT -to-source xxx.xxx.xxx.xxx
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it

the webserver is in the 192.168.100.x subnet , NOTE IT MUST BE ABLE to go outside the internet, that's why I'm using POSTROUTING -t nat -s 192.168.100.0/255.255.255.0 -o eth1 -j SNAT -to-source xxx.xxx.xxx.xxx

Sincerely
Robert B
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2017 Invision Power Services, Inc.