- #1, 05-23-2008 | Just Joined! | Join Date: May 2006 | Posts: 26
Nat server with iptables -P FORWARD set to DROP problem
Hello to all of you out there

I have modified my iptables rules to block everything and later set the rules to open services.
Here goes my config.
But the NAT does not work: I can't ping Google from any of the clients. They resolve the IP of Google, but don't receive an answer. I don't understand, what am I doing wrong? All the ports to browse and for messenger are open, but it only works if I set -P FORWARD to ACCEPT. Can anyone help me please?

Code:
#!/bin/bash
#WAN side values
WAN_IP="my_public_ip"
WAN_DEV="eth0"
#LAN side values
LAN_IP1="192.168.1.1"
LAN_IP2="192.168.2.1"
LAN_IP3="192.168.3.1"
LAN_NET1="192.168.1.0/24"
LAN_NET2="192.168.2.0/24"
LAN_NET3="192.168.3.0/24"
LAN_DEV="eth1"
#Old rules flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
##Packet forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "ip_forward done"
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo "Drop policies done"
##Accept connections related, established
iptables -A INPUT -i $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
##Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
##Loopback free
iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -j ACCEPT
echo "loopback done"
##SSH from cdeonline.net
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p udp --dport 22 -j ACCEPT
##ICMP traffic allowed for LAN, and only ping for WAN
iptables -A INPUT -i $LAN_DEV -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i $LAN_DEV -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i $WAN_DEV -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o $WAN_DEV -p icmp --icmp-type 8 -j ACCEPT
echo "icmp done"
##Allow all traffic to the server from and to the internal network
iptables -A INPUT -i $LAN_DEV -s $LAN_NET1 -j ACCEPT
iptables -A INPUT -i $LAN_DEV -s $LAN_NET2 -j ACCEPT
iptables -A INPUT -i $LAN_DEV -s $LAN_NET3 -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET1 -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET2 -j ACCEPT
iptables -A OUTPUT -o $LAN_DEV -d $LAN_NET3 -j ACCEPT
echo "Traffic to and from internal lan done"
##Now let's open some ports :)
##Free for test
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -s 192.168.1.250 -j ACCEPT
iptables -A FORWARD -i $WAN_DEV -o $LAN_DEV -d 192.168.1.250 -j ACCEPT
echo "Free"
iptables -A INPUT -p tcp --dport 55043 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 55043 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo " free torrent done"
iptables -A INPUT -p tcp --dport 18603 -j ACCEPT
iptables -A INPUT -p udp --dport 48117 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 18603 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
iptables -t nat -A PREROUTING -p udp --dport 48117 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo " free emule done"
iptables -A INPUT -i $WAN_DEV -s xxx.xxx.xxx.xxx -p tcp --dport 5900 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5900 -i $WAN_DEV -j DNAT --to-destination 192.168.1.250
echo " free vnc done"
echo " free test done"
##MSN
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 1863 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 1863 -j ACCEPT
##File Transfer
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 6891:6910 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 6891:6910 -j ACCEPT
##Yahoo Messenger
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5050 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 5050 -j ACCEPT
#AIM
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5190 -j ACCEPT
#iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 5190 -j ACCEPT
echo "MSN, Yahoo Messenger and AIM done"
##http
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 8008 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 8080 -j ACCEPT
##https
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 443 -j ACCEPT
echo "http and https done"
##ftp
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 20 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 21 -j ACCEPT
echo "ftp done"
##ssh
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 22 -j ACCEPT
echo "ssh done"
##smtp
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 25 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 465 -j ACCEPT
echo "smtp done"
##kerberos
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 88 -j ACCEPT
echo "kerberos done"
##pop2 and pop3
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 109 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 110 -j ACCEPT
echo "pop2 and pop3 done"
##imap4
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p udp --dport 143 -j ACCEPT
echo "imap4 done"
##P2P traffic drop
iptables -A FORWARD -m ipp2p --ipp2p -j LOG --log-prefix "p2p-traffic: "
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
echo "p2p done"
##PING
iptables -A FORWARD -i LAN_DEV -p icmp --icmp-type any -j ACCEPT
##Transparent squid
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_DEV -s $LAN_NET3 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "squid done"
##Masquerade of internal traffic going to the internet
iptables -t nat -A POSTROUTING -s $LAN_NET1 -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -s $LAN_NET2 -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -s $LAN_NET3 -j SNAT --to-source $WAN_IP
echo "SNAT done"
- #2, 05-28-2008 | Just Joined! | Join Date: Apr 2008 | Location: Catalonia | Posts: 29
I think you must allow the connections bidirectionally, since you use DROP as the default FORWARD policy. As an example, for HTTP:
Here you can see my config: http://www.linuxforums.org/forum/ser...-problems.html

Code:
##http
iptables -A FORWARD -i $LAN_DEV -o $WAN_DEV -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $WAN_DEV -o $LAN_DEV -p tcp --sport 80 -j ACCEPT
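An added example, written for this thread and not taken from either post or from the linked config: a POSIX sh script that generates (but does not apply) an iptables-restore ruleset for the same kind of gateway, with FORWARD defaulting to DROP, and then lints it for interface names that are not real devices. It illustrates two things about the rules above. First, the first post already has FORWARD rules for RELATED,ESTABLISHED, and with connection tracking one such rule covers the return half of every permitted connection in both directions, so a separate stateless `--sport 80` rule for WAN-to-LAN is not needed; a stateless `--sport` allow is also the looser of the two, because any remote host can choose source port 80. Second, the PING rule in the first post reads `-i LAN_DEV` without the `$`, which matches only an interface literally named LAN_DEV; ICMP from the LAN therefore falls through to the DROP policy, and a FORWARD policy of ACCEPT hides exactly that kind of mistake, which is what the lint function flags. The interface names, networks and the service list are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# NAT gateway whose FORWARD policy is DROP, then lint it. Nothing is applied.
# WAN_DEV, LAN_DEV, LAN_NETS and SERVICES are assumed values for this example.
set -f   # no pathname expansion: rule text such as '*filter' must stay literal

WAN_DEV="${WAN_DEV:-eth0}"
LAN_DEV="${LAN_DEV:-eth1}"
LAN_NETS="${LAN_NETS:-192.168.1.0/24 192.168.2.0/24 192.168.3.0/24}"
# Outbound services the LAN may open (proto:port); an assumed list.
SERVICES="${SERVICES:-tcp:80 tcp:443 tcp:22 udp:53 tcp:53}"

# gen_ruleset prints the ruleset to stdout in iptables-restore format.
gen_ruleset() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # One stateful rule covers the return half of every permitted connection,
  # in both directions, so no per-service --sport rule is needed.
  printf '%s\n' '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
  printf '%s\n' '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
  for net in $LAN_NETS; do
    for svc in $SERVICES; do
      proto=${svc%%:*}
      port=${svc##*:}
      printf '%s\n' "-A FORWARD -i $LAN_DEV -o $WAN_DEV -s $net -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Echo requests only; the replies come back as ESTABLISHED.
    printf '%s\n' "-A FORWARD -i $LAN_DEV -o $WAN_DEV -s $net -p icmp --icmp-type echo-request -j ACCEPT"
  done
  printf '%s\n' 'COMMIT' '*nat'
  for net in $LAN_NETS; do
    # Translate only what leaves on the WAN interface, so LAN-to-LAN traffic keeps its source.
    printf '%s\n' "-A POSTROUTING -s $net -o $WAN_DEV -j MASQUERADE"
  done
  printf '%s\n' 'COMMIT'
}

# lint_ruleset reads a ruleset on stdin and reports every -i/-o argument that
# is not a known interface (for example a literal LAN_DEV left by a missing $).
# Exit status 0 when clean, 1 when at least one rule is flagged.
lint_ruleset() {
  known=" $WAN_DEV $LAN_DEV lo "
  bad=0
  while IFS= read -r line; do
    set -- $line
    while [ $# -gt 0 ]; do
      case "$1" in
        -i|-o)
          iface="${2:-}"
          case "$known" in
            *" $iface "*) ;;
            *) printf 'unknown interface "%s" in: %s\n' "$iface" "$line"; bad=1 ;;
          esac ;;
      esac
      shift
    done
  done
  return "$bad"
}

# Usage: sh nat-rules.sh > nat.rules, review the file, then as root: iptables-restore < nat.rules
gen_ruleset | lint_ruleset || exit 1
gen_ruleset
```

The generated file uses `-m conntrack --ctstate`, the current spelling of the `-m state --state` match in the first post; both work on kernels that have connection tracking loaded. Running the lint over a ruleset exported with `iptables-save` is a cheap check to add before `iptables-restore`, since a rule bound to a non-existent interface never matches and its traffic silently takes the chain policy.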