- 09-12-2003 #1 Just Joined!
- Join Date: Sep 2003
- Posts: 3
iptables 1.2.7+ is screwed up
For some reason scripts aren't working on 1.2.7+ of iptables. Here is a basic script that doesn't work. I've confirmed this with gentoo and linux distros with 1.2.7+ version of iptables.
Script only works with 1.2.6a
Hello and good morning!
I am having a heck of a time. I spent all day trying to figure out why my IPtables script isn't working on my new firewall machine.
Old box ( WORKING ) Slackware 8.1 - iptables 1.2.6a
New box ( NOT WORKING ) Gentoo - iptables 1.2.8
I did check the gentoo kernel and it has everything the Slackware box has. Plus I've read the documentation and I've done this for a while. I did re-compile iptables to conform with the new kernel on gentoo.
For some reason httpd is filtered on the gentoo box and open on the slackware box. I even tried using webmin to set up everything identical but no go.
Yes apache is bound to the internal IP. I can reach apache from any internal machine.
All I want to do is keep my apache box on the local network and forward the requests from the firewall to my internal apache server.
The firewall is also the gateway for internet access for the local workstations.
Apache = 192.168.1.1
Firewall - external IP = 209.145.93.99
My current rc.firewall script works on slack but not gentoo ( 1.2.6a not 1.2.8 of iptables):
#!/bin/sh
# now to flush/clear out the iptables first
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# enable IP forwarding between interfaces
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
# load connection tracking (plus the FTP helper)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# source NAT for traffic leaving on the external interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# NOTE: $EXTIF is not defined anywhere in this script
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to 209.145.93.99
echo " Forwarding http traffic to Gadaffi.solarplex.org "
# forward inbound HTTP on the external IP to the internal Apache box
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 209.145.93.99 --dport 80 -j DNAT --to-destination 192.168.1.1:80
iptables -A FORWARD -p tcp -i eth1 -d 192.168.1.1 --dport 80 -j ACCEPT
# now to list the iptables
iptables -L -t nat
iptables -L
- 09-12-2003 #2 Linux Engineer
- Join Date: Jan 2003
- Location: Lebanon, pa
- Posts: 994
What is the error?
- 09-12-2003 #3 Just Joined!
- Join Date: Sep 2003
- Posts: 3
There is no error. Read my message. Short Version:
For some reason httpd is filtered on the gentoo box and open on the slackware box. I even tried using webmin to set up everything identical but no go.
- 09-12-2003 #4 Just Joined!
- Join Date: Sep 2003
- Posts: 3
Working Box:
61/tcp open ni-mail
62/tcp open acas
Not Working Box:
61/tcp filtered ni-mail
62/tcp filtered acas
Actual Script:
#!/bin/sh
# now to flush/clear out the iptables first
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# enable IP forwarding between interfaces
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
# load connection tracking (plus the FTP helper)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# source NAT for traffic leaving on the external interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# NOTE: $EXTIF is not defined anywhere in this script
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to 209.145.93.100
# forward external ports 61-63 to telnet (23) on three internal hosts,
# for connections that do not come from 192.168.2.0/24
iptables -t nat -A PREROUTING -p tcp -s ! 192.168.2.0/24 --dport 61 -i eth0 -j DNAT --to 192.168.1.240:23
iptables -t nat -A PREROUTING -p tcp -s ! 192.168.2.0/24 --dport 62 -i eth0 -j DNAT --to 192.168.1.4:23
iptables -t nat -A PREROUTING -p tcp -s ! 192.168.2.0/24 --dport 63 -i eth0 -j DNAT --to 192.168.1.7:23
# now to list the iptables
iptables -L -t nat
iptables -L
- 09-13-2003 #5 Linux Guru
- Join Date: Oct 2001
- Location: Täby, Sweden
- Posts: 7,578
What does that return after running the script? Are the tables just empty, or has anything been entered?
Code:
for t in $(cat /proc/net/ip_tables_names); do echo $t; iptables -t $t -L -n; done
In any case, instead of having a script doing this for you, I believe that it's a better idea to generate the tables by hand, and then using iptables-save and iptables-restore to do the work of automatic configuration. Might just be me, though.
I can't find the definition of EXTIF in your script, even though you're using it later on. Did you just leave that out accidentally?
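As an added example (not the poster's script and not from this thread), here is the HTTP port-forward from post #1 rewritten along the lines of the last reply: the interface names are variables and an unset one aborts the script instead of producing a broken rule, the FORWARD policy and the rule admitting the DNAT'd traffic are explicit, and the tables actually loaded are dumped with iptables-save for review. The interface names eth0/eth1 and the LAN range 192.168.1.0/24 are assumptions; the addresses are the ones from the post.

```shell
#!/bin/sh
# Added example, not the poster's script: the same HTTP port-forward, written so that
# an unset variable (the undefined $EXTIF in the thread) aborts the script, the
# FORWARD chain explicitly admits the DNAT'd traffic, and the loaded tables are
# dumped with iptables-save for review.
set -eu   # -e: stop on the first failed iptables call; -u: an unset variable is fatal

EXTIF="${EXTIF:-eth0}"            # Internet-facing interface (assumed)
INTIF="${INTIF:-eth1}"            # LAN interface (assumed)
EXTIP="${EXTIP:-209.145.93.99}"   # firewall external IP from the post
WEBSRV="${WEBSRV:-192.168.1.1}"   # internal Apache host from the post
LAN="${LAN:-192.168.1.0/24}"      # internal network (assumed)
IPT="${IPT:-iptables}"            # set IPT=echo to print the rules instead of loading them

flush_tables() {
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
    done
}

load_rules() {
    # Filter table: default-deny forwarding, then permit only the intended flows.
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN workstations may reach the Internet through the firewall.
    "$IPT" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    # DNAT happens in PREROUTING, so by the time a request reaches FORWARD its
    # destination is already $WEBSRV; match on the interface it arrived on.
    "$IPT" -A FORWARD -p tcp -i "$EXTIF" -o "$INTIF" -d "$WEBSRV" --dport 80 -j ACCEPT

    # NAT table: one source-NAT rule for outbound LAN traffic (MASQUERADE and SNAT
    # on the same interface are redundant; SNAT fits a static external address).
    "$IPT" -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j SNAT --to-source "$EXTIP"
    # Send HTTP arriving on the external address to the internal Apache box.
    "$IPT" -t nat -A PREROUTING -p tcp -i "$EXTIF" -d "$EXTIP" --dport 80 \
        -j DNAT --to-destination "$WEBSRV:80"
}

# Only touch the live kernel tables when explicitly asked to ("./rc.firewall apply").
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    flush_tables
    load_rules
    iptables-save    # review what was actually loaded, as the reply above suggests
fi
```

Running it with IPT=echo and no argument prints the rule set for review without root and without changing the running firewall.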