The script below does not work unless I set the policy of INPUT, OUTPUT and FORWARD to ACCEPT (iptables -P ... ACCEPT). I must be missing a rule but can't find it. I'm new to iptables, so I'm hoping one of the geniuses here could help me out. ETH0 is the WAN and ETH1 is the LAN.
// edit 2: forwarding is enabled in sysctl.conf.
# bring the network interfaces down
ifconfig eth0 down
ifconfig eth1 down
# flush the chains and drop everything by default
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -t nat -F
# allow traffic going out and enable NAT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# RDP forward for the Windows servers
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth1 -j DNAT --to-destination 192.168.2.10
iptables -t nat -A PREROUTING -p tcp --dport 3340 -i eth1 -j DNAT --to-destination 192.168.2.12
# allow SSH traffic
iptables -t nat -A PREROUTING -p tcp --dport 22 -i eth0 -j DNAT --to-destination 192.168.2.1
iptables -t nat -A PREROUTING -p udp --dport 22 -i eth0 -j DNAT --to-destination 192.168.2.1
# allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow the local network
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
# bring the network cards up
ifconfig eth0 XXXXXXXX
ifconfig eth1 192.168.2.1/24
route add default gw XXXXXXXXXX
ifconfig eth0 up
ifconfig eth1 up
You must enable ip forwarding with
echo 1 > /proc/sys/net/ipv4/ip_forward
You can do this via sysctl too.
The_cobra666 : It's done with sysctl.conf :)
TimothyP : I was thinking the same thing... but it doesn't solve his problem. However, The_Cobra666, have you tried doing that? Just in case?
From sntg
You say that you need to set the policy to accept on all the tables. Does it also work when you set it to accept on just the FORWARD table?
Also, I'm assuming you are indeed testing only forwarding and not from the local machine? In case of the latter, you need to do this as well:
iptables -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT --match comment --comment "Accept traffic from outgoing connections and stuff like FTP."
As a sidenote, I'd use the iptables comment option, so iptables -L also gives helpful output.
The_cobra666 : I was able to solve the problem by setting: iptables -A INPUT -i WAN -j ACCEPT. I'm guessing your solution is a better one? I'm going to try your solution. The machine is a router and proxy server. Those are the only 2 functions it needs to do.
The_cobra666 : Ok m8, your solution IS correct! THANKS! :D Works fine now. Only have 1 problem left. I cannot connect to my Windows servers over RDP. From the logging in iptables, I can tell that the packet is forwarded to the correct server on the correct port. Seems like the packets cannot get back. Any suggestions? The SSH redirection works perfectly btw.
Halfgaar : I don't really know how you intended to set up your box, but why is the forward rule of RDP on a different in-interface than SSH? This question will probably insult you, but since you see the packets arriving, does the Windows box allow incoming connections? Can you connect locally?
From Halfgaar
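As an added example (not the poster's script and not code from any answer above): the same firewall as a POSIX sh script with the points the thread ends on, the INPUT rule for return traffic, iptables comments, the DNAT option spelled --to-destination, and the RDP forwards listening on the WAN side. It also adds an OUTPUT accept for the router's own connections and a FORWARD accept for the DNAT'd ports, which the thread does not mention but which iptables needs because DNAT'd packets are still filtered in FORWARD; interface names and addresses are the question's, IPT is a variable introduced here.

```shell
#!/bin/sh
# IPT defaults to iptables; set IPT=echo to print the rules instead of
# loading them (that is also how this example is checked).
IPT="${IPT:-iptables}"
WAN=eth0   # interface names and 192.168.2.x addresses as in the question
LAN=eth1

# publish_tcp <port> <lan-host> <comment>: DNAT a WAN port to a LAN host on
# the same port. The DNAT listens on WAN, not LAN (the interface mismatch
# Halfgaar asked about), and since the rewritten packet is still filtered in
# FORWARD it also gets a FORWARD accept, or the new connection is dropped.
publish_tcp() {
    port=$1; host=$2; note=$3
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
        -m comment --comment "$note" -j DNAT --to-destination "$host"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$host" --dport "$port" \
        -m state --state NEW -m comment --comment "$note" -j ACCEPT
}

apply_rules() {
    $IPT -F INPUT; $IPT -F OUTPUT; $IPT -F FORWARD; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
    # loopback, and the LAN side talking to the router itself
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -j ACCEPT
    $IPT -A OUTPUT -o "$LAN" -j ACCEPT
    # the router's own outgoing connections (the proxy needs these) and, as
    # in the accepted answer, their replies coming back in on WAN
    $IPT -A OUTPUT -o "$WAN" -m comment --comment "router's own connections" -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED \
        -m comment --comment "replies to the router's own connections" -j ACCEPT
    # SSH to the router: its own address is the destination, so this is an
    # INPUT rule rather than the DNAT to 192.168.2.1 from the question
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW \
        -m comment --comment "SSH to the router" -j ACCEPT
    # LAN -> WAN is masqueraded; WAN -> LAN only for replies ...
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # ... and for the two published RDP ports from the question
    publish_tcp 3389 192.168.2.10 "RDP to first Windows server"
    publish_tcp 3340 192.168.2.12 "RDP to second Windows server"
}

# load only when explicitly asked, e.g. `sh firewall.sh apply` as root
case "${1:-}" in apply) apply_rules ;; esac
```

Running it with IPT=echo first and reading the printed rules (or iptables -L -v -n after loading, where the comments show up) is the cheapest way to confirm that no DNAT is bound to the LAN interface.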