iptables forwarding help
Steven Buehler
steve at ibushost.com
Thu Jun 16 20:27:47 UTC 2011
I have been googling and researching iptables and forwarding all day and still can't figure this out. I am trying to set up some port forwarding. Since I couldn't get it to work with my current firewall, I cleared it and am using the following script. For this test I am trying to forward port 2222 on eth0 (the WAN) to another server's port 22 on the internal network, which should get to it on eth1. I am running a new install of a Redhat 2.6 kernel.

Here is my script, followed by the output and an iptables -vnL. I am really hoping that someone can spot my mistake so that I can get this working. Not sure if I have left something out of this installation or not.

Thanks in Advance
Steve
-----script------------------------------------------------------------------
#!/bin/sh
#
# The location of the iptables and kernel module programs
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
IFCONFIG=/sbin/ifconfig
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
#Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
#Load the main body of the IPTABLES module - "iptable"
echo -en "ip_tables, "
$MODPROBE ip_tables
#Load the stateful connection tracking framework - "ip_conntrack"
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
#Load the FTP tracking mechanism for full FTP tracking
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp
#Load the IRC tracking mechanism for full IRC tracking
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
#Load the general IPTABLES NAT code - "iptable_nat"
echo -en "iptable_nat, "
$MODPROBE iptable_nat
#Loads the FTP NAT functionality into the core IPTABLES code
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc
echo ""
echo "----------------------------------------------------------------------"
echo -e " Done loading modules.\n"
#CRITICAL: Enable IP forwarding since it is disabled by default since
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#Clearing any previous configuration
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
#$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Allow forwarding of new and existing port 2222 connections from the external
# interface. This rule is required as our default FORWARD policy is DENY.
#
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 2222 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
#Enable PORTFW of this port 2222 traffic from the external interface
#
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 2222 -m state \
--state NEW,ESTABLISHED,RELATED -j DNAT --to 10.55.121.190:22
echo -e "\ndone.\n"
------end of script-----------------------------------------------------------
Gives this output:
External Interface: eth0
Internal Interface: eth1
loading modules: - Verifying that all kernel modules are ok
----------------------------------------------------------------------
ip_tables, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat,
ip_nat_ftp,
----------------------------------------------------------------------
Done loading modules.
Enabling forwarding..
Clearing any existing rules and setting default policy..
FWD: Allow all connections OUT and only existing and related ones IN
Enabling SNAT (MASQUERADE) functionality on eth0
done.
--------
iptables -vnL
Chain INPUT (policy ACCEPT 96 packets, 8090 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 88 packets, 8248 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain RH-Firewall-1-INPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 255
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:631
   77  5728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
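Two things the listing above cannot show: a plain `iptables -vnL` prints only the filter table, so the nat PREROUTING DNAT rule never appears in it, and the FORWARD chain runs after that DNAT, so it sees the packet already rewritten to the internal host's port 22 rather than to 2222. The audit script below is an added example, not code from the original post; it checks all three pieces of a port forward from an iptables-save dump, and its variable names, the WAN address 203.0.113.10 and both sample dumps are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the pieces a DNAT
# port forward needs from an iptables-save dump.  A plain "iptables -vnL"
# lists only the filter table, so nat rules never show up in it.
# Variable names and both sample dumps are constructed for this example.
WAN_PORT=2222; LAN_HOST=10.55.121.190; LAN_PORT=22; LAN_IF=eth1
# has DUMP PATTERN... : true if one line of DUMP matches every PATTERN
has() {
    lines=$1; shift
    for p in "$@"; do
        lines=$(printf '%s\n' "$lines" | grep -e "$p") || lines=""
    done
    [ -n "$lines" ]
}
# audit_forward DUMP IP_FORWARD : DUMP is iptables-save output, IP_FORWARD
# the content of /proc/sys/net/ipv4/ip_forward.  Prints each missing piece;
# exit status is the number of pieces missing (0 = forward fully wired).
audit_forward() {
    dump=$1; ipfwd=$2; missing=0
    [ "$ipfwd" = 1 ] ||
        { echo "MISSING: ip_forward=$ipfwd (want 1)"; missing=$((missing + 1)); }
    has "$dump" "^-A PREROUTING " " --dport $WAN_PORT " \
        " -j DNAT --to-destination $LAN_HOST:$LAN_PORT\$" ||
        { echo "MISSING: nat PREROUTING DNAT tcp/$WAN_PORT -> $LAN_HOST:$LAN_PORT"; missing=$((missing + 1)); }
    # FORWARD runs after PREROUTING, so it sees the rewritten destination:
    # the accept rule must match LAN_HOST:LAN_PORT, not the WAN port.
    has "$dump" "^-A FORWARD " " -d $LAN_HOST/32 " " -o $LAN_IF " \
        " --dport $LAN_PORT " " -j ACCEPT\$" ||
        { echo "MISSING: FORWARD ACCEPT -o $LAN_IF -d $LAN_HOST tcp/$LAN_PORT"; missing=$((missing + 1)); }
    return $missing
}
# Constructed dump shaped like the post's script (WAN address 203.0.113.10
# is made up): DNAT is present, but the FORWARD accept matches port 2222.
POST_DUMP='-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.55.121.190:22
-A POSTROUTING -o eth0 -j MASQUERADE
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 2222 -j ACCEPT'
# The same dump plus a FORWARD rule written for the post-DNAT destination.
FIXED_DUMP="$POST_DUMP
-A FORWARD -d 10.55.121.190/32 -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT"
# Audit the live box when run as root with iptables; else audit the sample.
if command -v iptables-save >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    audit_forward "$(iptables-save 2>/dev/null)" "$(cat /proc/sys/net/ipv4/ip_forward)"
else
    audit_forward "$POST_DUMP" 1
fi
echo "missing pieces: $?"
```

Run it on the firewall as root after the script above to see which piece is absent; on any other machine it audits the constructed sample and reports the FORWARD rule as missing.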
More information about the redhat-list mailing list