I have been googling and researching iptables and forwarding all day and still can't figure this out. I am trying to set up some port forwarding. Since I couldn't get it to work with my current firewall, I cleared it and am using the following script. For this test I am trying to forward port 2222 on eth0 (the WAN) to another server's port 22 on the internal network, which should get to it on eth1. I am running a new install of a Redhat 2.6 kernel. Here is my script, followed by the output and an iptables -vnL. I am really hoping that someone can spot my mistake so that I can get this working. Not sure if I have left something out of this installation or not.

Thanks in advance,
Steve

-----script-----------------------------------------------------------------
#!/bin/sh
#
# The location of the iptables and kernel module programs
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
IFCONFIG=/sbin/ifconfig
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed

#Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"

echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"
echo -en "ip_tables, "
$MODPROBE ip_tables

#Load the stateful connection tracking framework - "ip_conntrack"
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
echo -en "iptable_nat, "
$MODPROBE iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp

#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc

echo ""
echo "----------------------------------------------------------------------"
echo -e "   Done loading modules.\n"

#CRITICAL: Enable IP forwarding since it is disabled by default since
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

#Clearing any previous configuration
echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
#$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Allow forwarding of new and existing port 2222 connections from the external
# interface. This rule is required as our default FORWARD policy is DENY.
#
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 2222 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Enable PORTFW of this port 2222 traffic from the external interface
#
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 2222 -m state \
    --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.55.121.190:22

echo -e "\ndone.\n"
------end of script---------------------------------------------------------

Gives this output:

   External Interface:  eth0
   Internal Interface:  eth1
   loading modules:   - Verifying that all kernel modules are ok
----------------------------------------------------------------------
ip_tables, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat, ip_nat_ftp,
----------------------------------------------------------------------
   Done loading modules.

   Enabling forwarding..
   Clearing any existing rules and setting default policy..
   FWD: Allow all connections OUT and only existing and related ones IN
   Enabling SNAT (MASQUERADE) functionality on eth0

done.

-------- iptables -vnL ----------------------------------------------------

Chain INPUT (policy ACCEPT 96 packets, 8090 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 88 packets, 8248 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
   77  5728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
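The listing at the end of the post was taken with plain `iptables -vnL`, which prints only the filter table; the DNAT rule the script adds with `-t nat -A PREROUTING` can only be seen with `iptables -t nat -vnL PREROUTING`. The following is an added example (mine, not part of Steve's post or of any Red Hat script) that audits a saved filter-table listing for two facts a defender wants before trusting a port forward: whether a chain is actually restricted (policy DROP/REJECT, or a catch-all DROP/REJECT as its last rule) and which rules have matched zero packets. In the listing above the FORWARD policy is ACCEPT, because the `-P FORWARD DROP` line is commented out, so the port-2222 ACCEPT rule narrows nothing. The embedded sample listing is constructed to mirror the post; on the gateway the same functions read live `iptables -vnL` output from stdin. The chain name, helper names and sample are all mine.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a saved `iptables -vnL`
# (filter table) listing for the FORWARD policy and for rules that matched
# nothing. Works on text, so it needs neither root nor iptables. Live use:
#   iptables -vnL | chain_is_restricted FORWARD
# `iptables -vnL` never shows the nat table; the DNAT rule is listed by
#   iptables -t nat -vnL PREROUTING
# and forwarding itself needs /proc/sys/net/ipv4/ip_forward to read 1.

# Constructed sample, laid out like the listing in the post (not live output).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 96 packets, 8090 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 88 packets, 8248 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain RH-Firewall-1-INPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
   77  5728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# chain_policy CHAIN : print the policy of a built-in chain, or "none" for a
# user-defined chain (its header says "(N references)" instead of a policy).
chain_policy() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain {
        p = ($3 == "(policy") ? $4 : "none"; print p; exit }'
}

# lists_nat_table : "yes" if the listing contains nat-table chains, i.e. it was
# taken with -t nat; plain `iptables -vnL` output always gives "no".
lists_nat_table() {
    awk '$1 == "Chain" && ($2 == "PREROUTING" || $2 == "POSTROUTING") { found = 1 }
         END { print (found ? "yes" : "no") }'
}

# chain_is_restricted CHAIN : "restricted" if traffic not matched by an ACCEPT
# rule is dropped/rejected (policy DROP/REJECT, or a catch-all DROP/REJECT as
# the last rule), "open" if the policy lets everything else through,
# "unknown" if the chain is not in the listing.
chain_is_restricted() {
    awk -v chain="$1" '
        $1 == "Chain" {
            in_chain = ($2 == chain)
            if (in_chain) policy = ($3 == "(policy") ? $4 : "none"
            next
        }
        in_chain && $1 != "pkts" && NF >= 9 { last = $0 }
        END {
            if (policy == "") { print "unknown"; exit }
            restricted = (policy == "DROP" || policy == "REJECT")
            if (!restricted && last != "") {
                n = split(last, f)
                # fields: pkts bytes target prot opt in out source destination [match]
                if ((f[3] == "DROP" || f[3] == "REJECT") && f[4] == "all" &&
                    f[6] == "*" && f[7] == "*" &&
                    f[8] == "0.0.0.0/0" && f[9] == "0.0.0.0/0" &&
                    (n == 9 || f[10] == "reject-with"))
                    restricted = 1
            }
            print (restricted ? "restricted" : "open")
        }'
}

# idle_rules CHAIN : print the rules of CHAIN whose packet counter is 0 as
# "<target> <proto> <in> <out> [match text]"; a port-forward rule that stays
# at 0 while you test tells you the packets never reached this chain.
idle_rules() {
    awk -v chain="$1" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && $1 == "pkts" { next }
        in_chain && $1 == 0 {
            line = $3 " " $4 " " $6 " " $7
            for (i = 10; i <= NF; i++) line = line " " $i
            print line
        }'
}

# idle_rule_count CHAIN : number of zero-hit rules in CHAIN
idle_rule_count() { idle_rules "$1" | awk 'END { print NR }'; }

# Demonstration over the constructed sample (swap in `iptables -vnL` for live data)
printf '%s\n' "$SAMPLE_LISTING" | lists_nat_table
printf '%s\n' "$SAMPLE_LISTING" | chain_is_restricted FORWARD
printf '%s\n' "$SAMPLE_LISTING" | idle_rules FORWARD
```

Against the sample the audit reports that the nat table is not in the listing, that FORWARD is open, and that all four FORWARD rules are idle; the RH-Firewall-1-INPUT chain, by contrast, counts as restricted because its last rule is a catch-all REJECT even though it has no policy of its own.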