#1 (Just Joined!, Join Date: May 2006, Posts: 26)

    NAT server with iptables -P FORWARD set to DROP problem


    Hello to all of you out there

    I have modified my iptables rules to block everything and later set the rules to open services.
    Here goes my config.
    Code:
    #!/bin/bash
    
    #WAN side values
    WAN_IP="my_public_ip"
    WAN_DEV="eth0"
    
    #LAN side values
    LAN_IP1="192.168.1.1"
    LAN_IP2="192.168.2.1"
    LAN_IP3="192.168.3.1"
    LAN_NET1="192.168.1.0/24"
    LAN_NET2="192.168.2.0/24"
    LAN_NET3="192.168.3.0/24"
    LAN_DEV="eth1"
    
    #Old rules flush
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    
    ##Packets forward
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "ip_forward done"
    
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    echo "Drop politics done"
    
    ##Accept connections related, established
    iptables -A INPUT -i $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    ##Drop invalid packets
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    
    ##Loopback free
    iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
    iptables -A OUTPUT -o lo -s 127.0.0.0/8 -j ACCEPT
    echo "loopback done"
    
    ##SSH from cdeonline.net
    iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p udp --dport 22 -j ACCEPT
    
    ##ICMP traffic allow for LAN, and only ping for WAN
    iptables -A INPUT -i $LAN_DEV -p icmp --icmp-type any -j ACCEPT
    iptables -A INPUT -i $LAN_DEV -j ACCEPT
    iptables -A OUTPUT -o $LAN_DEV -p icmp --icmp-type any -j ACCEPT
    
    iptables -A INPUT -i $WAN_DEV -p icmp --icmp-type 8 -j ACCEPT
    iptables -A OUTPUT -o $WAN_DEV -p icmp --icmp-type 8 -j ACCEPT
    echo "icmp done"
    
    ##Allow all traffic to the server from and to internal network
    iptables -A INPUT -i $LAN_DEV -s $LAN_NET1 -j ACCEPT
    iptables -A INPUT -i $LAN_DEV -s $LAN_NET2 -j ACCEPT
    iptables -A INPUT -i $LAN_DEV -s $LAN_NET3 -j ACCEPT
    
    iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET1 -j ACCEPT
    iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET2 -j ACCEPT
    iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET3 -j ACCEPT
    echo "Trafic to and from internal lan done"
    
    ##Now lets open some ports :)
    
    ##Free for test
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -s 192.168.1.250 -j ACCEPT
    iptables -A FORWARD -i $WAN_DEV -o $LAN_DEV -d 192.168.1.250 -j ACCEPT
    echo "Free"
    iptables -A INPUT -p tcp --dport 55043 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 55043 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
    echo "  free torrent done"
    iptables -A INPUT -p tcp --dport 18603 -j ACCEPT
    iptables -A INPUT -p udp --dport 48117 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 18603 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
    iptables -t nat -A PREROUTING -p udp --dport 48117 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
    echo "  free emule done"
    iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p tcp --dport 5900 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 5900 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
    echo "  free vnc done"
    echo "  free test done"
    
    ##MSN
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 1863 -j ACCEPT
    #iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 1863 -j ACCEPT
    ##File Transfer
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 6891:6910 -j ACCEPT
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 6891:6910 -j ACCEPT
    
    ##Yahoo Messenger
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5050 -j ACCEPT
    #iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 5050 -j ACCEPT
    
    #AIM
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5190 -j ACCEPT
    #iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5190 -j ACCEPT
    echo "MSN, Yahoo Messenger and AIM done"
    
    ##http
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 8008 -j ACCEPT
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 8080 -j ACCEPT
    
    ##https
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 443 -j ACCEPT
    echo "http and https done"
    
    ##ftp
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 20 -j ACCEPT
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 21 -j ACCEPT
    echo "ftp done"
    
    ##ssh
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 22 -j ACCEPT
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 22 -j ACCEPT
    echo "ssh done"
    
    ##smtp
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 25 -j ACCEPT
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 25 -j ACCEPT
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 465 -j ACCEPT
    echo "smtp done"
    
    ##kerberos
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 88 -j ACCEPT
    echo "kerberos done"
    
    ##pop2 and pop3
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 109 -j ACCEPT
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 110 -j ACCEPT
    echo "pop2 and pop3 done"
    
    ##imap4
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 143 -j ACCEPT
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 143 -j ACCEPT
    echo "imap4 done"
    ##P2P traffic drop
    iptables -A FORWARD -m ipp2p --ipp2p -j LOG --log-prefix "p2p-traffic: "
    iptables -A FORWARD -m ipp2p --ipp2p -j DROP
    echo "p2p done"
    
    ##PING
    # "$" was missing before LAN_DEV, so this rule matched a non-existent interface literally named "LAN_DEV" and never accepted LAN pings
    iptables -A FORWARD -i $LAN_DEV -p icmp --icmp-type any -j ACCEPT
    
    ##Transparent squid
    iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET1 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET2 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET3 -p tcp --dport 80 -j REDIRECT --to-port 3128
    echo "squid done"
    
    ##Masquerade of internal traffic going to internet
    iptables -t nat -A POSTROUTING -s $LAN_NET1 -j SNAT --to-source $WAN_IP
    iptables -t nat -A POSTROUTING -s $LAN_NET2 -j SNAT --to-source $WAN_IP
    iptables -t nat -A POSTROUTING -s $LAN_NET3 -j SNAT --to-source $WAN_IP
    echo "SNAT done"
    but the NAT does not work. I can't ping Google from any of the clients; they resolve the IP of Google, but don't receive an answer. I don't understand. What am I doing wrong? All the ports to navigate and messenger are open, but it only works if I put the -P FORWARD to ACCEPT. Can anyone help me please?

#2 (Just Joined!, Join Date: Apr 2008, Location: Catalonia, Posts: 35)
    I think you must allow the connections bidirectionally since you use DROP as the default FORWARD policy. As an example, for HTTP:

    Code:
    ##http
    iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -i $WAN_DEV -o $LAN_DEV -p tcp --sport 80 -j ACCEPT
    Here you can see my config: http://www.linuxforums.org/forum/ser...-problems.html
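As an added example (neither the poster's script nor the replier's), here is a minimal FORWARD chain for a NAT box whose policy is DROP, showing the rule order that matters: the conntrack ESTABLISHED,RELATED rule comes first, so replies to LAN pings and LAN connections are accepted without a per-service return rule; then one NEW rule per allowed service; then a rate-limited LOG before the final DROP, so anything the policy blocks appears in the kernel log instead of silently vanishing. The interface and network names are assumed placeholders, not values from this thread, and setting IPT=echo dry-runs the script so the generated rules can be reviewed before loading them.

```shell
#!/bin/sh
# Added example, not the poster's or the replier's script.
# A minimal stateful FORWARD chain for a NAT box whose policy is DROP.
# Interface and network names below are assumed placeholders, not taken
# from the thread; set IPT=echo to dry-run and review the generated rules.
IPT="${IPT:-iptables}"
LAN_DEV="${LAN_DEV:-eth1}"
WAN_DEV="${WAN_DEV:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# One LAN->WAN rule per service, matching only the first packet (NEW).
# The reply direction needs no rule: conntrack marks it ESTABLISHED.
allow_out() {  # usage: allow_out <proto> <dport>
    $IPT -A FORWARD -i "$LAN_DEV" -o "$WAN_DEV" -s "$LAN_NET" \
        -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # 1. Replies and related packets for both directions, before any
    #    per-service rule, so a LAN ping's echo-reply is never dropped.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # 2. New connections from LAN to WAN, one rule per service.
    $IPT -A FORWARD -i "$LAN_DEV" -o "$WAN_DEV" -s "$LAN_NET" \
        -p icmp --icmp-type echo-request -j ACCEPT
    allow_out udp 53
    allow_out tcp 80
    allow_out tcp 443

    # 3. Log (rate-limited) and then drop everything else, so that a
    #    service blocked by the policy shows up in the kernel log.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "
    $IPT -A FORWARD -j DROP
}

# Apply only when asked; "dry" prints the rules instead of loading them.
case "${1:-}" in
    apply) forward_rules ;;
    dry)   IPT=echo; forward_rules ;;
esac
```

Saved as, say, forward.sh, `sh forward.sh dry` prints the rules for review and `sh forward.sh apply` loads them as root. Afterwards `iptables -L FORWARD -v -n` shows per-rule packet counters, so a rising count on the LOG rule (and the matching "FORWARD-DROP:" lines in the kernel log) identifies exactly which traffic the DROP policy is stopping, which is the kind of diagnosis the first post was missing.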
