Re: Port Forwarding and opening ports.

On Tuesday 04 March 2003 03:56 pm, ImpulseFG@netscape.net wrote:
> I have iptables setup to port forward ftp , web, and a game server to
> another server on the local network. It works great. I have also set
> it up so it only accepts incoming and outgoing connections on port 22.
> I'm having 2 problems and a couple of questions.
>
> 1. I can ssh into the machine which is 192.168.1.1 from any computer
> on the local network. But I can't run X programs without allowing all
> incoming and outgoing connections on this machine. I've tried:
> $iptables -A INPUT -i eth1 -j ACCEPT
> $iptables -A OUTPUT -o eth1 -j ACCEPT
>
> This wouldn't fix the problem. So I tried.
> $iptables -A INPUT -s 192.168.1.2-192.168.1.255 -j ACCEPT
> $iptables -A OUTPUT -d 192.168.1.2-192.168.1.255 -j ACCEPT
>
> This didn't work either. Only accepting all incoming and
> outgoing connections would.

Try

$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

to let the box talk to itself...

> 2. I'm having problems with the nat features.
>     I want to be able to ssh into the routing machine from of the
> local network but I can't. I have it set to accept local connections
> on port 22 for udp and tcp. But nat is natting the packets before it
> can accept them.
>     The only way I am able to get them to accept them is to disable
> nat. I tried natting all the ports around 22. See the attached script
> but for some reason that wouldn't work either.
>
> Does anyone have any idea how to do this?

In your script you have lots of rules with
"-j DNAT --to 192.168.1.2-192.168.1.255" - do you really want to spread all this
traffic out across all these addresses?  This construction will take any
connection coming in on a matching port and send it to the first address
in that list that doesn't currently have traffic, or the one with the
lowest traffic.

My impression of what you want is that you want to DNAT a handful of 
specific connections to specific destinations, and then allow return 
traffic from the internet to reach the proper client, am I right?  I've 
attached your original script trimmed to the essentials and then 
commented by myself, and also attached a proposed replacement script 
that will allow the local machines to connect out, and outside 
connections only to SSH on the gateway or the three DNATs to "charlee".  
If I'm way off-base on your intentions here I apologize.

j

Attachment: ImpulseFG.rc.firewall-2.4.mailing
Description: application/shellscript

Attachment: ImpulseFG.revised
Description: application/shellscript
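The two points the reply makes (the gateway needs loopback rules before ssh X forwarding works, and each DNAT should point at one internal host rather than a range) put together in a script. This is an added example written for this archive page, not either of the attached scripts. It assumes eth0 faces the internet, eth1 faces the LAN, the gateway is 192.168.1.1, "charlee" is 192.168.1.2, and the game server's port (never named in the thread) is the placeholder 27015; all of these are overridable variables. The rules are printed first so they can be reviewed as a non-root user, and only loaded when the script is run with the argument `apply`.

```shell
#!/bin/sh
# Added example, not one of the attachments in the thread.
# Placeholders (override by exporting the variable before running):
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"               # interface towards the internet
LAN_IF="${LAN_IF:-eth1}"               # interface towards the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"
CHARLEE="${CHARLEE:-192.168.1.2}"      # the single internal server
GAME_PORT="${GAME_PORT:-27015}"        # placeholder, the thread never names it

# Print the rule set one command per line; comment lines are kept for review
# and stripped before the rules are fed to the shell.
firewall_rules() {
  cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# 1. Let the gateway talk to itself.  "ssh -X" makes sshd listen on
#    127.0.0.1:6010 (DISPLAY localhost:10); that traffic rides the lo
#    interface and is never seen by rules that match on eth1.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# 2. Replies to connections the gateway itself made or accepted.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. SSH to the gateway itself, from the LAN or from outside.
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# 4. LAN hosts may connect out, masqueraded behind the WAN address.
$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# 5. Three DNATs, each to ONE address.  A range such as
#    --to 192.168.1.2-192.168.1.255 would spread new connections across
#    all those hosts.  Port 22 is deliberately not in this list, so SSH
#    from outside still terminates on the gateway.  (For FTP data
#    connections the ip_conntrack_ftp / ip_nat_ftp modules must be loaded;
#    on 2.6+ kernels they are nf_conntrack_ftp / nf_nat_ftp.)
EOF
  for port in 21 80 "$GAME_PORT"; do
    echo "$IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $CHARLEE"
    echo "$IPT -A FORWARD -i $WAN_IF -p tcp -d $CHARLEE --dport $port -j ACCEPT"
  done
}

# Number of DNAT rules generated; should be exactly three.
dnat_count() {
  firewall_rules | grep -c -- '-j DNAT'
}

# Succeeds when no PREROUTING rule redirects port 22 away from the gateway.
ssh_stays_on_gateway() {
  ! firewall_rules | grep -- '-t nat -A PREROUTING' | grep -q -- '--dport 22 '
}

# Load the rules for real (needs root):  sh this_script.sh apply
if [ "${1:-}" = apply ]; then
  firewall_rules | grep -v '^#' | sh
else
  firewall_rules
fi
```

Running the script without arguments only prints the rules, which is the form worth reading before touching a remote gateway over the very SSH session the rules govern; the LAN-side SSH rule and the loopback pair are what keep that session, and X forwarding through it, alive once the default policies become DROP.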

