[ubuntu] Iptables forward to ip



lefsaker
November 26th, 2010, 02:25 PM
Read the last post!

Hi, I've been searching and trying different solutions for several days now, but I don't think Iptables likes me :(

My current setup:
WAN - Router - Switch - Ubuntu Server 10.10 w/Iptables - Switch - Nodes

IFs:
- eth0 = WAN (Static 192.168.1.60)
- eth1 = LAN (static 192.168.50.1)

My wish is to use the Ubuntu Server as a firewall for a separate network. I've managed to block all incoming traffic, and allow all outgoing, as well as opening port 22 for SSH on the LinuxBox itself.

I'm trying to forward traffic on specific ports coming from the WAN to the LAN. E.g. port 80.
I've tried commands and configurations from about 50 different pages now, but I'm still unable to connect to my webserver (Static 192.168.50.3) from outside the firewall.

My current IPtables configuration is as follows:


# Generated by iptables-save v1.4.4 on Fri Nov 26 14:12:41 2010
*filter
:INPUT DROP [65:6378]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [45:5905]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed on Fri Nov 26 14:12:41 2010
# Generated by iptables-save v1.4.4 on Fri Nov 26 14:12:41 2010
*nat
:PREROUTING ACCEPT [90:7886]
:OUTPUT ACCEPT [3:195]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.50.1/32 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.50.3:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 26 14:12:41 2010
# Generated by iptables-save v1.4.4 on Fri Nov 26 14:12:41 2010
*mangle
:PREROUTING ACCEPT [1168:608654]
:INPUT ACCEPT [129:12491]
:FORWARD ACCEPT [1039:596163]
:OUTPUT ACCEPT [45:5905]
:POSTROUTING ACCEPT [1084:602068]
COMMIT


Any obvious epic failures?

miegiel
November 26th, 2010, 08:05 PM
Don't know what the -m switch is for, but using it twice seems odd.


# Generated by iptables-save v1.4.4 on Fri Nov 26 14:12:41 2010
*filter
:INPUT DROP [65:6378]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [45:5905]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed on Fri Nov 26 14:12:41 2010
# Generated by iptables-save v1.4.4 on Fri Nov 26 14:12:41 2010
*nat
:PREROUTING ACCEPT [90:7886]
:OUTPUT ACCEPT [3:195]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.50.1/32 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.50.3:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 26 14:12:41 2010
# Generated by iptables-save v1.4.4 on Fri Nov 26 14:12:41 2010
*mangle
:PREROUTING ACCEPT [1168:608654]
:INPUT ACCEPT [129:12491]
:FORWARD ACCEPT [1039:596163]
:OUTPUT ACCEPT [45:5905]
:POSTROUTING ACCEPT [1084:602068]
COMMIT

lefsaker
November 28th, 2010, 07:03 PM
I have no idea why Iptables adds that to the rules.

The script I'm running at boot is:


*mangle
:PREROUTING ACCEPT [1514:223287]
:INPUT ACCEPT [1236:97698]
:FORWARD ACCEPT [260:124661]
:OUTPUT ACCEPT [591:64316]
:POSTROUTING ACCEPT [829:187697]
COMMIT
# Completed on Fri Nov 26 14:11:08 2010
# Generated by iptables-save v1.4.4 on Fri Nov 26 14:11:08 2010
*nat
:PREROUTING ACCEPT [101:10730]
:OUTPUT ACCEPT [3:252]
:POSTROUTING ACCEPT [2:168]
-A PREROUTING -d 192.168.50.1/32 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.50.3:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 26 14:11:08 2010
# Generated by iptables-save v1.4.4 on Fri Nov 26 14:11:08 2010
*filter
:INPUT DROP [81:9814]
:FORWARD DROP [22:1280]
:OUTPUT ACCEPT [592:64416]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT



What the iptables-save command gives me after running that script:


*filter
:INPUT DROP [48:5603]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [161:31065]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed on Sun Nov 28 19:02:18 2010
# Generated by iptables-save v1.4.4 on Sun Nov 28 19:02:18 2010
*nat
:PREROUTING ACCEPT [50:5182]
:OUTPUT ACCEPT [5:319]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.50.1/32 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.50.3:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Nov 28 19:02:18 2010
# Generated by iptables-save v1.4.4 on Sun Nov 28 19:02:18 2010
*mangle
:PREROUTING ACCEPT [339:28600]
:INPUT ACCEPT [329:28104]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [161:31065]
:POSTROUTING ACCEPT [161:31065]
COMMIT

lefsaker
November 29th, 2010, 08:36 AM
I found a solution :D

http://www.hackorama.com/network/portfwd.shtml



/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
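The configuration in the first post fails for the reason the second command of this solution fixes: the nat PREROUTING rule rewrites the destination to 192.168.50.3:80, but the filter FORWARD chain (policy DROP) has no rule admitting NEW traffic from eth0 to that address, so the first packet of every connection is dropped. The following is an added example, not code from this thread or from hackorama.com: a small Python linter that reads an iptables-save dump and reports each port-based DNAT that no FORWARD ACCEPT rule admits. It assumes eth0 is WAN and eth1 is LAN as in the first post, and that net.ipv4.ip_forward is enabled, which the thread does not mention.

```python
import re

# Constructed sample: the rules from the thread's iptables-save dump that
# matter for the port-80 forward (counters and unrelated rules trimmed).
ORIGINAL_DUMP = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.50.3:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def opt(rule, flag):
    """Argument of a one-value option ('-d', '--dport', ...) or None; a /32 is dropped."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", rule)
    return m.group(1).split("/")[0] if m else None

def rules(dump, table, chain):
    """The '-A <chain>' lines inside the '*<table>' block of an iptables-save dump."""
    _, _, rest = dump.partition("*" + table + "\n")   # rest is "" if the table is absent
    block = rest.split("COMMIT", 1)[0]
    return [l for l in block.splitlines() if l.startswith("-A " + chain + " ")]

def forward_admits(rule, wan, lan, proto, port, ip):
    """Does this FORWARD rule ACCEPT the first (NEW) packet of the forwarded flow?"""
    state = opt(rule, "--state")
    if "-j ACCEPT" not in rule or (state and "NEW" not in state.split(",")):
        return False          # RELATED,ESTABLISHED alone never opens a new flow
    wanted = {"-i": wan, "-o": lan, "-d": ip, "-p": proto, "--dport": port}
    return all(opt(rule, f) in (None, v) for f, v in wanted.items())   # unset = wildcard

def audit(dump, wan="eth0", lan="eth1"):
    """DNAT targets (proto, port, ip) that no FORWARD rule admits (presence only, not order)."""
    missing = []
    for r in rules(dump, "nat", "PREROUTING"):
        if "-j DNAT" in r and opt(r, "--dport"):
            target = (opt(r, "-p"), opt(r, "--dport"), opt(r, "--to-destination").split(":")[0])
            if not any(forward_admits(f, wan, lan, *target) for f in rules(dump, "filter", "FORWARD")):
                missing.append(target)
    return missing

def suggest_rule(target, wan="eth0"):
    """The FORWARD rule the thread's solution adds, built for one DNAT target."""
    proto, port, ip = target
    return f"/sbin/iptables -A FORWARD -p {proto} -i {wan} -d {ip} --dport {port} -j ACCEPT"
```

Run `audit(open("/etc/iptables.rules").read())` against your own dump; an empty list means every port forward has a FORWARD rule to admit it, though rule ordering still has to be checked by eye.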