UDP for HTTP forwarding??? Prerouting, postrouting, output

I am confused with iptables. Please see the attachment for the script.
Some input will be greatly appreciated for one of these questions. (I know
these are long questions!)

Basically, we want to forward packets from [$Fido] to [$AtlasDev]. The
script works, but my questions remain:

1. Why do we need UDP for forwarding the HTTP packets? (I tried to disable
the UDP lines, but then the script will not work!)

2. What is the purpose of PREROUTING, POSTROUTING and OUTPUT? (We need all of
them in the script to make HTTP work, but SSH only needs PREROUTING and
POSTROUTING. We guess that HTTP needs to send packets back to the client,
while SSH builds up a channel so there is no need for OUTPUT. Is this guess
correct?)
#!/bin/sh

# created on Oct 9, 2003 for testing the firewall using IPTables

# Define variables
Fido="150.135.44.245"
AtlasDev="150.135.45.96"
SpatialDev="150.135.45.97"
GeoDev="150.135.45.31"
AtlasFtp="150.135.45.98"
HTTP_Port="80"
SSH_Port="22"
FTP_Port="20:21"


IP_Accept_All="150.135.47.43"
INT="150.135.45.0/16"

echo "***Fido =" $Fido
echo "***AtlasDev =" $AtlasDev
echo "***SpatialDev =" $SpatialDev
echo "***GeoDev =" $GeoDev
echo "***AtlasFtp =" $AtlasFtp
echo "***HTTP_Port =" $HTTP_Port
echo "***FTP_Port =" $FTP_Port


# Flush all chains
iptables -F
iptables -t nat -F

# Set the default policies; close everything
iptables -P INPUT DROP   # DROP is ok, but for SMB, ..
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT  # modify this


################################################
# Allow all outgoing Internet access
################################################
iptables -A OUTPUT  -s $Fido  -d 0/0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow all outgoing FORWARD ...error
## iptables -A FORWARD  -d $Fido -j ACCEPT

#######################################################
# Allow all traffic from IP_Accept_All  (e.g Samba,...)
#######################################################
if [ "$IP_Accept_All" != "" ]; then
    iptables -A INPUT -s $IP_Accept_All -j ACCEPT
fi

############## Deny and Log everything else
#iptables -N logdeny
#iptables -A logdeny -j LOG --log-prefix "iptables: "
#iptables -A logdeny -j DROP

#???????????????????????????????????????
#Allow all outgoing FORWARD ...error !!!!!
#iptables -A FORWARD  -d $AtlasDev -j ACCEPT
#iptables -A FORWARD  -d $Fido -j ACCEPT
###########################################

##########################################################
# HTTP:  Forward to Atlas Dev (150.135.45.96 or 10.10.45.96)    #
##########################################################
if [ "$Fido" != "" ]; then
    echo 1 >/proc/sys/net/ipv4/ip_forward
    echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter
fi

# UDP is needed, don't know why

if [ "$AtlasDev" != "" ]; then
    iptables -t nat -A PREROUTING -i eth0 --dst $Fido -p tcp --dport $HTTP_Port -j DNAT --to $AtlasDev
    iptables -t nat -A PREROUTING -i eth0 --dst $Fido -p udp --dport $HTTP_Port -j DNAT --to $AtlasDev

    iptables -t nat -A POSTROUTING -p udp --dst $AtlasDev --dport $HTTP_Port -j SNAT --to-source $Fido
    iptables -t nat -A POSTROUTING -p tcp --dst $AtlasDev --dport $HTTP_Port -j SNAT --to-source $Fido

    iptables -t nat -A OUTPUT --dst $Fido -p tcp --dport $HTTP_Port -j DNAT --to-destination $AtlasDev
    iptables -t nat -A OUTPUT --dst $Fido -p udp --dport $HTTP_Port -j DNAT --to-destination $AtlasDev

fi


##########################################################
# Allow SSH
##########################################################

if [ "$AtlasDev" != "" ]; then
    iptables -t nat -A PREROUTING -i eth0 --dst $Fido -p tcp --dport $SSH_Port -j DNAT --to $AtlasDev
    iptables -t nat -A PREROUTING -i eth0 --dst $Fido -p udp --dport $SSH_Port -j DNAT --to $AtlasDev

    iptables -t nat -A POSTROUTING -p udp --dst $AtlasDev --dport $SSH_Port -j SNAT --to-source $Fido
    iptables -t nat -A POSTROUTING -p tcp --dst $AtlasDev --dport $SSH_Port -j SNAT --to-source $Fido

############ no need to have OUTPUT for ssh ##############################
#    iptables -t nat -A OUTPUT --dst $Fido -p tcp --dport $SSH_Port -j DNAT --to-destination $AtlasDev
#    iptables -t nat -A OUTPUT --dst $Fido -p udp --dport $SSH_Port -j DNAT --to-destination $AtlasDev

fi

######### previous scripts
#iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN --dst $Fido --dport 80 -j ACCEPT


echo "Done! Atlas Firewall packet filter policy applied!"
echo ""
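
An added example, not the poster's script, showing the same HTTP forward with TCP rules only (HTTP on port 80 is carried over TCP, so no UDP rules are needed for it) and with the filter FORWARD chain limited to the forwarded flow instead of a blanket ACCEPT policy; the comments state which packets each nat chain actually sees. IPT, WAN_IF and the function names are assumptions of this example; the addresses and port are the ones from the script above.

```sh
#!/bin/sh
# Added example, not the poster's script: forward TCP port $HTTP_Port on $Fido
# to $AtlasDev, with comments on which packets each nat chain sees.
# IPT, WAN_IF and the function names are assumptions of this example.
IPT="${IPT:-iptables}"   # set IPT="echo iptables" to print rules instead of applying
WAN_IF="eth0"
Fido="150.135.44.245"
AtlasDev="150.135.45.96"
HTTP_Port="80"

# Emit nat and filter rules forwarding TCP port $1 from $Fido to $AtlasDev.
forward_tcp_port() {
    port="$1"
    # PREROUTING sees packets arriving on $WAN_IF before the routing decision:
    # rewrite the destination so the kernel routes them on to $AtlasDev.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$Fido" -p tcp --dport "$port" \
        -j DNAT --to-destination "$AtlasDev"
    # POSTROUTING sees packets just before they leave: rewrite the source so
    # $AtlasDev's replies come back through this host even if its default
    # route points elsewhere (conntrack then reverses both translations).
    $IPT -t nat -A POSTROUTING -d "$AtlasDev" -p tcp --dport "$port" \
        -j SNAT --to-source "$Fido"
    # nat OUTPUT only sees packets generated on this host itself (for example
    # a local client talking to $Fido:$port); it never sees traffic arriving
    # on $WAN_IF, so it is not part of the forwarding path for remote clients.
    $IPT -t nat -A OUTPUT -d "$Fido" -p tcp --dport "$port" \
        -j DNAT --to-destination "$AtlasDev"
    # filter FORWARD runs after PREROUTING, so it sees the rewritten
    # destination: allow only this flow and its replies rather than a
    # blanket "iptables -P FORWARD ACCEPT".
    $IPT -A FORWARD -i "$WAN_IF" -d "$AtlasDev" -p tcp --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$AtlasDev" -p tcp --sport "$port" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Print the rules for port $1 without applying them (review before use).
dry_run() {
    (IPT="echo iptables"; forward_tcp_port "$1")
}

dry_run "$HTTP_Port"
```

Run `forward_tcp_port "$HTTP_Port"` as root to apply the printed rules; ip_forward still has to be enabled as in the script above.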