Hello all, I have an office with several PCs and we share the internet connection using iptables and our DNS server; we also have mail and FTP servers. Our ISP keeps changing their rules and has started blocking some ports like 25, 21 and 143, so the best solution I could think of is to use a VPN service with a static IP address instead of my ISP IP address. After I got my VPN service with a static IP address, it seems I am unable to port forward and cannot access my server from the internet.

My network infrastructure is like this:

Main DNS server with 2 NICs:

/etc/network/interfaces
Code:
    auto lo eth0 eth1
    iface lo inet loopback

    #internet
    iface eth0 inet static
        address 10.0.0.2
        netmask 255.255.255.192
        gateway 10.0.0.1

    #local
    iface eth1 inet static
        address 10.0.1.1
        netmask 255.255.255.240

/etc/resolv.conf
Code:
    nameserver 127.0.0.1

/etc/bind/options.conf
Code:
    options {
        directory "/var/cache/bind";
        forwarders { 208.67.222.222; 208.67.220.220; };
        auth-nxdomain no;
        allow-query { any; };
        recursion no;
        version "0";
        listen-on-v6 { any; };
    };

Mail server

/etc/network/interfaces
Code:
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet static
        address 10.0.1.3
        netmask 255.255.255.240
        gateway 10.0.1.1

/etc/resolv.conf
Code:
    nameserver 10.0.1.1

-----------------------------------------------------------------

Other clients on local network
Code:
    address 10.0.1.x
    netmask 255.255.255.240
    gateway 10.0.1.1
    nameserver 10.0.1.1

-----------------------------------------------------------------

And here is what I did so far, iptables script:

-----------------------------------------------------------------
Code:
    #!/bin/bash

    { # Define networks
        iWAN=eth0              # ISP-facing interface
        iWANIP=10.0.0.2        # address on the ISP-facing interface
        iVPN=tun0              # VPN tunnel interface
        iLAN=eth1              # LAN-facing interface
        lNet=10.0.1.0/24       # LAN prefix (unused below; the LAN mask above is 255.255.255.240, i.e. /28)
        lIP="10.0.1.1"         # LAN address of this box (unused below)
        PubIP="68.168.223.46"  # static public address assigned by the VPN service (unused below)
        VPNIP="10.8.0.6"       # tunnel address (unused below)
        UNIVERSE="0.0.0.0/0"   # any address (unused below)
    }

    { # Disable Firewall: flush every table and open the default policies
        iptables -F
        iptables -X
        iptables -t nat -F
        iptables -t nat -X
        iptables -t mangle -F
        iptables -t mangle -X
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT
    }

    { # Load modules, including the FTP/IRC connection-tracking and NAT helpers
        /sbin/depmod -a
        /sbin/modprobe ip_tables
        /sbin/modprobe ip_conntrack
        /sbin/modprobe ip_conntrack_ftp
        /sbin/modprobe ip_conntrack_irc
        /sbin/modprobe iptable_nat
        /sbin/modprobe ip_nat_ftp
        /sbin/modprobe ip_nat_irc
    }

    { # Enable IP forwarding
        echo "1" > /proc/sys/net/ipv4/ip_forward
        echo "1" > /proc/sys/net/ipv4/ip_dynaddr

        # Enable packet forwarding to function as a router
        iptables --append FORWARD --in-interface $iLAN -j ACCEPT

        # Enable MASQUERADE to function as a NAT router (via the ISP link and via the VPN)
        iptables --table nat --append POSTROUTING --out-interface $iWAN -j MASQUERADE
        iptables --table nat --append POSTROUTING --out-interface $iVPN -j MASQUERADE
    }

    { # Create a DROP chain that logs, then rejects
        iptables -N drop-and-log-it
        iptables -A drop-and-log-it -j LOG --log-level info
        iptables -A drop-and-log-it -j REJECT
    }

    { # Port forwarding
        # Allow related/established packets through the forward chain
        iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

        # Add a rule for each port arriving from the VPN
        iptables --append FORWARD --in-interface $iVPN -p tcp -m tcp --dport 53  -j ACCEPT
        iptables --append FORWARD --in-interface $iVPN -p udp -m udp --dport 53  -j ACCEPT
        iptables --append FORWARD --in-interface $iVPN -p tcp -m tcp --dport 80  -j ACCEPT
        iptables --append FORWARD --in-interface $iVPN -p tcp -m tcp --dport 110 -j ACCEPT
        iptables --append FORWARD --in-interface $iVPN -p tcp -m tcp --dport 143 -j ACCEPT
        iptables --append FORWARD --in-interface $iVPN -p tcp -m tcp --dport 25  -j ACCEPT

        # Actual port forwarding (DNAT from the VPN interface to the internal hosts)
        iptables -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 53  -j DNAT --to-destination 10.0.1.1
        iptables -t nat -A PREROUTING -i $iVPN -p udp -m udp --dport 53  -j DNAT --to-destination 10.0.1.1
        iptables -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 80  -j DNAT --to-destination 10.0.1.2
        iptables -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.1.3
        iptables -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 25  -j DNAT --to-destination 10.0.1.3
        iptables -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.1.3
    }

iptables -t nat -L -n -v
----------------------------------------
Code:
    Chain PREROUTING (policy ACCEPT 9474 packets, 684K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:10.0.1.1
        0     0 DNAT       udp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:10.0.1.1
        0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.1.2
        0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:10.0.1.3
        0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.0.1.3
        0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:10.0.1.3

    Chain POSTROUTING (policy ACCEPT 551 packets, 39296 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
        0     0 MASQUERADE all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 8288 packets, 650K bytes)
     pkts bytes target     prot opt in     out     source               destination

route -n
----------------------------------------
Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.8.0.6        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    10.8.0.1        10.8.0.6        255.255.255.255 UGH   0      0        0 tun0
    68.168.223.45   10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
    10.0.1.0        0.0.0.0         255.255.255.240 U     0      0        0 eth1
    10.0.0.0        0.0.0.0         255.255.255.192 U     0      0        0 eth0
    0.0.0.0         10.8.0.6        128.0.0.0       UG    0      0        0 tun0
    128.0.0.0       10.8.0.6        128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0

ifconfig
----------------------------------------
Code:
    eth0      Link encap:Ethernet  HWaddr 00:30:4f:1c:49:f8
              inet addr:10.0.0.2  Bcast:10.0.0.63  Mask:255.255.255.192
              inet6 addr: fe80::230:4fff:fe1c:49f8/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:237225 errors:0 dropped:0 overruns:0 frame:0
              TX packets:240397 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:162233252 (162.2 MB)  TX bytes:46279818 (46.2 MB)
              Interrupt:11 Base address:0xc000

    eth1      Link encap:Ethernet  HWaddr 00:08:54:41:42:88
              inet addr:10.0.1.1  Bcast:10.0.1.15  Mask:255.255.255.240
              inet6 addr: fe80::208:54ff:fe41:4288/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:481444 errors:0 dropped:0 overruns:0 frame:0
              TX packets:461148 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:138833837 (138.8 MB)  TX bytes:194547673 (194.5 MB)
              Interrupt:10 Base address:0xc400

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:5770 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5770 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:622634 (622.6 KB)  TX bytes:622634 (622.6 KB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.5  P-t-P:10.8.0.6  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:127546 errors:0 dropped:0 overruns:0 frame:0
              TX packets:148752 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:66371419 (66.3 MB)  TX bytes:19781324 (19.7 MB)

Any help would be much much much much appreciated.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
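Two checks that a practitioner would run first when a DNAT setup like the one in this post does not work, written here as an added example (not code from the original post or from the netfilter project). The first parses `iptables -t nat -L -n -v` output and lists every DNAT rule whose packet counter is still zero, which tells you whether the forwarded traffic is reaching the VPN interface at all before you look anywhere else. The second parses `route -n` output and reports which interface carries the effective default route, taking into account the two /1 routes (0.0.0.0/1 and 128.0.0.0/1) that an OpenVPN redirect-gateway installs, since replies from the DNAT'd servers must leave through the same tunnel the requests arrived on. The sample listings embedded below are constructed from the counters and routes shown in the post, with one rule given a non-zero count so that the filtering is visible.

```shell
#!/bin/sh
# Added diagnostic helpers; not part of the original post.

# Constructed sample of `iptables -t nat -L -n -v` output. Columns:
# pkts bytes target prot opt in out source destination [extras...]
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 9474 packets, 684K bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:10.0.1.1
    0     0 DNAT udp -- tun0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:10.0.1.1
   12   720 DNAT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.1.2
Chain POSTROUTING (policy ACCEPT 551 packets, 39296 bytes)
 pkts bytes target prot opt in out source destination
  300 18000 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0'

# Constructed sample of `route -n` output, mirroring the post's table.
SAMPLE_ROUTE='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.6 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.1.0 0.0.0.0 255.255.255.240 U 0 0 0 eth1
0.0.0.0 10.8.0.6 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.8.0.6 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.0.0.1 0.0.0.0 UG 100 0 0 eth0'

# unmatched_dnat: read iptables nat-table output on stdin and print
# "<in-iface> <proto> <dport> <to-destination>" for every DNAT rule whose
# packet counter is zero. Exit status 1 if at least one such rule exists.
unmatched_dnat() {
    awk '$3 == "DNAT" && $1 == 0 {
            port = ""; dst = ""
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) port = substr($i, 5)
                if ($i ~ /^to:/)  dst  = substr($i, 4)
            }
            print $6, $4, port, dst
            n++
        }
        END { if (n > 0) exit 1; exit 0 }'
}

# effective_default_iface: read `route -n` output on stdin and print the
# interface that actually carries default traffic. A pair of /1 routes
# (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) is more specific than a /0
# default, so when both point at the same interface that interface wins;
# otherwise the /0 route decides. Exit status 1 if no default route exists.
effective_default_iface() {
    awk '$3 == "128.0.0.0" && $1 == "0.0.0.0"   { lo  = $8 }
         $3 == "128.0.0.0" && $1 == "128.0.0.0" { hi  = $8 }
         $3 == "0.0.0.0"   && $1 == "0.0.0.0"   { def = $8 }
         END {
             if (lo != "" && lo == hi) { print lo; exit 0 }
             if (def != "")            { print def; exit 0 }
             print "none"; exit 1
         }'
}

# Stand-alone demonstration on the constructed samples. On a live gateway,
# pipe the real command output in instead:
#   iptables -t nat -L -n -v | unmatched_dnat
#   route -n | effective_default_iface
printf '%s\n' "$SAMPLE_NAT" | unmatched_dnat ||
    echo "some DNAT rules have never matched a packet"
echo "default traffic leaves via: $(printf '%s\n' "$SAMPLE_ROUTE" | effective_default_iface)"
```

Against the counters in the post every DNAT rule reports zero hits, which narrows the problem to the path between the VPN provider and tun0 rather than to the FORWARD rules or the internal hosts; the route check confirms that replies from the internal servers would leave via tun0, so the two functions together separate "nothing arrives" from "replies go out the wrong way".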