iptables port forwarding not working
comp.security.firewalls archive

From: <billchiu@despammed.com>
Date: Thu Sep 15 2005 - 02:23:33 CEST

hi-

Following a helpful Gentoo guide on iptables I got it to replace my
Netgear router, but I've not been able to get port forwarding working.
Here are my defs:

iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

export LAN=eth0
export WAN=eth1

iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT

iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport www -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport https -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport smtp -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport auth -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport imaps -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport ssmtp -i ${WAN} -j ACCEPT

iptables -A INPUT -p TCP -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp --dport 902 -i ${WAN} -j DNAT --to 192.168.0.201
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i ${WAN} -j DNAT --to 192.168.0.201
iptables -t nat -A PREROUTING -p tcp --dport 7004 -i ${WAN} -j DNAT --to 192.168.0.201
iptables -t nat -A PREROUTING -p tcp --dport 6346 -i ${WAN} -j DNAT --to 192.168.0.201
iptables -t nat -A PREROUTING -p tcp --dport 6883 -i ${WAN} -j DNAT --to 192.168.0.201

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f; done
/etc/init.d/iptables save

Also, when building kernel 2.4.22, I didn't find the option for "IP
range match support" within IP: Networking Options -> IP: Netfilter
Configuration ---> IP tables support, so I just skipped it. Did I do
bad?

What's off?

Bill
Received on Thu Sep 29 20:07:45 2005
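A note on what the ruleset above relies on: with the FORWARD policy set to DROP, a DNAT in nat/PREROUTING only delivers anything if a FORWARD rule later accepts the translated packet, and a missing or too-narrow FORWARD rule is the usual reason a port forward "doesn't work" while the NAT rule looks right. The checker below is an added example, not code from the post or from any Gentoo guide: it parses iptables-save style output (a constructed sample modelled on the post's rules) and, for each DNAT target, walks FORWARD first-match to see whether ACCEPT is reached. The names SAMPLE_DUMP, parse_dump, forward_accepts and check_port_forwards are this example's own, and rules with negated matches or with -s/-o qualifiers are conservatively treated as non-matching.

```python
import ipaddress
import shlex
# Constructed iptables-save style dump modelled on the post's rules (not from a real host).
SAMPLE_DUMP = """\
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -i eth1 -p tcp -m tcp --dport 902 -j DNAT --to-destination 10.0.0.5
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -d 192.168.0.0/16 -j ACCEPT
COMMIT
"""

def parse_dump(text):
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith('*'):
            table = tables.setdefault(line[1:], {'policy': {}, 'rules': []})
        elif line.startswith(':'):
            chain, pol = line[1:].split()[:2]
            table['policy'][chain] = pol
        elif line.startswith('-A '):
            toks = shlex.split(line)
            rule = {'chain': toks[1], 'negated': '!' in toks}   # "! -i eth0" style not modelled
            for i in range(2, len(toks) - 1):                    # collect "-opt value" pairs
                if toks[i].startswith('-') and not toks[i + 1].startswith('-'):
                    rule[toks[i]] = toks[i + 1]
            table['rules'].append(rule)
    return tables

def forward_accepts(filt, iface, proto, dport, dst):
    # First-match walk of FORWARD for the translated packet; True if it reaches ACCEPT.
    for r in filt['rules']:
        if r['chain'] != 'FORWARD' or r['negated'] or '-s' in r or '-o' in r:
            continue                                    # source/egress unknown here: no match
        if (r.get('-i', iface), r.get('-p', proto), r.get('--dport', dport)) != (iface, proto, dport):
            continue
        if '-d' in r and ipaddress.ip_address(dst) not in ipaddress.ip_network(r['-d'], strict=False):
            continue
        return r.get('-j') == 'ACCEPT'                  # first matching rule decides
    return filt['policy'].get('FORWARD') == 'ACCEPT'    # fell through to the chain policy

def check_port_forwards(dump_text):
    # For every DNAT rule in nat/PREROUTING report (dport, target, reaches_accept).
    t, out = parse_dump(dump_text), []
    for r in t['nat']['rules']:
        if r['chain'] == 'PREROUTING' and r.get('-j') == 'DNAT':
            dst = r['--to-destination'].split(':')[0]   # drop an optional port remap
            ok = forward_accepts(t['filter'], r.get('-i'), r.get('-p'), r.get('--dport'), dst)
            out.append((r.get('--dport'), dst, ok))
    return out
```

On the router itself, feed it the live output, e.g. `check_port_forwards(subprocess.check_output(['iptables-save'], text=True))`; a forward reported False points at the filter table rather than at the NAT rule.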