no connection

I am using the following iptables script:
# eth0 is the Local network
# eth1 is the External network

*filter
:INPUT   DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT  DROP [0:0]

# allow the local network to go out through the firewall, and replies to come back
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow local loopback connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow all connections to the local network
-A INPUT -i eth0 -s 123.123.123.0/24 -j ACCEPT
-A OUTPUT -o eth0 -d 123.123.123.0/24 -j ACCEPT

# drop INVALID connections
-A INPUT   -m state --state INVALID -j DROP
-A OUTPUT  -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

# allow all established and related
-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow connections to my ISP's DNS servers
-A OUTPUT  -d 206.13.31.12 -m state --state NEW -p udp --dport 53 -o eth1 -j ACCEPT
-A FORWARD -d 206.13.31.12 -m state --state NEW -p udp --dport 53 -i eth0 -o eth1 -j ACCEPT

-A OUTPUT  -d 206.13.28.12 -m state --state NEW -p udp --dport 53 -o eth1 -j ACCEPT
-A FORWARD -d 206.13.28.12 -m state --state NEW -p udp --dport 53 -i eth0 -o eth1 -j ACCEPT

# allow outgoing connections to web servers
-A OUTPUT  -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport http -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport http -o eth1 -i eth0 -j ACCEPT

-A OUTPUT  -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport https -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport https -o eth1 -i eth0 -j ACCEPT

# allow outgoing connections to NTP servers (NTP is udp/123, not tcp)
-A OUTPUT  -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 123 -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 123 -o eth1 -i eth0 -j ACCEPT

# Log all other attempted outgoing connections
-A OUTPUT   -o eth1 -j LOG --log-level info --log-prefix "[ATTEMPTED] "
-A FORWARD  -o eth1 -j ACCEPT

-A FORWARD  -j LOG --log-level info --log-prefix "[FWD-] "
-A FORWARD  -o eth0 -j ACCEPT

COMMIT

*nat
-A POSTROUTING -o eth1 -j SNAT --to 71.133.232.116

# port-forward tcp/80 on the external address to the web server
-A PREROUTING -d 71.133.232.116 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.123.123.2:80

COMMIT

#----
I was expecting the firewall (external ip 71.133.232.116) to send the packets to the web server (123.123.123.2), but it appears that the packets are not going anywhere.

Test:
Use a machine whose gateway is not 71.133.232.116 and execute:
wget http://71.133.232.116/

1. On the log file of the firewall, I see a log record indicating that the "[FWD-]" log was hit.
2. On the web server, I see no record in the access log file.
3. No response is received to the wget command.

Isn't the prerouting command enough to get the packets to go? What do I need to do to get iptables to actually send the packet?
--
William Perry
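To see what the posted rules do with the DNAT'd request, here is a small Python model of the traversal (an added example, not code from the mail): it applies the nat PREROUTING rule, then walks the filter FORWARD chain in the post's order and reports every target the packet hits. It assumes the first packet of the wget test has conntrack state NEW, that LAN destinations route out via eth0, a constructed client address, and models the NTP rule as udp/123.

```python
"""Toy walk of the post's ruleset for the DNAT'd request (added example, not
code from the mail): apply nat PREROUTING, pick the egress interface, then
evaluate filter FORWARD in the post's order and collect every target hit."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "in_if out_if src dst proto dport state")  # state = conntrack label
FW_IP, WEB_IP = "71.133.232.116", "123.123.123.2"

# filter FORWARD as (match, target), in the post's order; {} matches everything.
_LAN_OUT = {"in_if": "eth0", "out_if": "eth1"}
FORWARD = [
    (_LAN_OUT, "ACCEPT"),
    ({"in_if": "eth1", "out_if": "eth0", "state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ({"state": {"INVALID"}}, "DROP"),
    ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    *[({**_LAN_OUT, "dst": d, "state": {"NEW"}, "proto": "udp", "dport": 53}, "ACCEPT")
      for d in ("206.13.31.12", "206.13.28.12")],
    *[({**_LAN_OUT, "state": {"NEW", "ESTABLISHED", "RELATED"}, "proto": pr, "dport": dp}, "ACCEPT")
      for pr, dp in (("tcp", 80), ("tcp", 443), ("udp", 123))],  # NTP modelled as udp/123
    ({"out_if": "eth1"}, "ACCEPT"),
    ({}, "LOG [FWD-]"),  # LOG is non-terminating: traversal continues
    ({"out_if": "eth0"}, "ACCEPT"),
]

def matches(match, pkt):
    """Every listed field must equal (or, for a state set, contain) the packet's value."""
    return all(getattr(pkt, k) in v if isinstance(v, set) else getattr(pkt, k) == v
               for k, v in match.items())

def prerouting_nat(pkt):
    """The post's one DNAT rule (tcp/80 to the external IP arriving on eth1), then
    the routing decision: LAN destinations leave via eth0, everything else via eth1."""
    if pkt.in_if == "eth1" and pkt.dst == FW_IP and pkt.proto == "tcp" and pkt.dport == 80:
        pkt = pkt._replace(dst=WEB_IP)
    return pkt._replace(out_if="eth0" if pkt.dst.startswith("123.123.123.") else "eth1")

def walk(chain, pkt):
    """Targets hit in order; a LOG continues, any other target ends the traversal."""
    hits = []
    for match, target in chain:
        if matches(match, pkt):
            hits.append(target)
            if not target.startswith("LOG"):
                return hits
    return hits + ["POLICY DROP"]  # fell off the chain: the post's ':FORWARD DROP'

def trace_port_forward(src="198.51.100.7"):  # constructed outside client address
    """First SYN of the post's wget test: (destination after DNAT, FORWARD targets hit)."""
    fwd = prerouting_nat(Pkt("eth1", "", src, FW_IP, "tcp", 80, "NEW"))
    return fwd.dst, walk(FORWARD, fwd)
```

For the wget SYN the trace is `('123.123.123.2', ['LOG [FWD-]', 'ACCEPT'])`: the packet is DNAT'd and accepted by the final `-o eth0` rule after being logged, which matches observation 1, so the filter table is not what stops it and the next checks lie outside these rules (net.ipv4.ip_forward on the firewall, and whether the web server's reply routes back through the firewall so it can be un-NATed). Note that the same catch-all `-o eth0` rule accepts any forwarded packet towards the LAN, not only the DNAT'd web traffic.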