Re: How to do port forwarding dynamically

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Friday 21 February 2003 07:59 pm, Dhirendra Pal Singh wrote:
> Hi All,
> I am trying to set up a web server inside my home lan. Firewall is
> running on the gatewaty.
> Below is the script for the firewall... (its very simple.. I
> downloaded it from the net)

> echo "   enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward

Best not to do this until you've already created the rules, and the DROP 
policy.

> echo "   enabling DynamicAddr.."
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> echo "   clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT ACCEPT

This is NOT a good idea.  This allows anybody on the internet to have 
unrestricted access to all ports on your firewall/gateway.  (unless you 
DNAT them to another machine, or have a rule that explicitly DROPs 
something)  You want a DROP policy instead, and then ACCEPT only traffic 
that needs to access the gateway machine itself.  A simple, more-secure 
(but still not tight) approach is to have a DROP policy on INPUT, then 
use:

$IPTABLES -A INPUT -i $INTIF1 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF2 -j ACCEPT

which allows all machines on the local networks unrestricted access to 
the gateway itself (this is a separate matter from forwarding!) but 
ignores connection attempts from the outside world.  Even better would 
be to ACCEPT ONLY the absolute bare minimum.  Under normal operation 
nobody (internet _OR_ LAN) should need access to the firewall box 
itself.  If you do all your work on the machine sitting in front of it 
with it's own keyboard and monitor, and it's not offering other services 
then you can probably work just fine with DROP policy for INPUT (and 
even OUTPUT).  If there are services that the gateway offers to the LAN 
(mailserver, DNS, filesharing, whatever) then you should have ACCEPT 
rules for the necessary ports on INPUT chain, and limit them as above to 
ONLY the LAN, never the internet.  


>************************ I have stripped off the comments for
> simplicity. Now when I want to open a port and forward it I am trying
> to execute the following 2 commands...
>
> $iptables -A INPUT -j ACCEPT -p tcp --syn --destination-port 5000
> $iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5000 -j DNAT
> --to-destination 192.168.1.30:80
>
> Shouldnt this forward port 5000 to the internal box on port 80. But

Nope.  This DNATs port 5000 incoming to port 80 on the internal box, and 
ACCEPTs syn to port 5000 on the gateway.  You want the PREROUTING rule 
as is, (but "-i $EXTIF" would fit the script style better...) but the 
second rule should be:

$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -j ACCEPT

Differences:  This is FORWARD chain, which is where packets to be 
forwarded will go instead of INPUT.  The destination port is now 80, not 
5000, since the DNAT rule already changed the DPORT when it changed the 
destIP.

> this is not working. Can someone please help me to correct this
> script. Actually I want just 2 lines which I can run for any port and
> can open and forward it to anymachine of my choice...
>
> Any quick help would be very much appreciated...
> Thanks and advance..
> Dp

INPUT is for connections directly to the firewall machine, or responses 
to something initiated by the machine itself.  OUTPUT is for connections 
initiated by the firewall machine, or responses to something that came 
in INPUT.  FORWARD is for connections that are only passing through.

j




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux