Status: Solved

iptables doesn't work!

Hi All,

The usual story .. I am new to Linux, so please be gentle

o.k, the story:

I am using RH 7.2, I have another win2000 prof machine that I would like to connect "behind" the Linux, use the Linux as a firewall.

I am currently using ipchains and it is working fine, the only problem is that I also want to do some port forwarding, I couldn't make it work with my ipchains, so I decided to give a try to the iptables since it has it built in.

iptables just wouldn't work at all, my win2000 cannot access, I don't get any error messages when I type:

iptables -A FORWARD -s 192.168.0.2 -p tcp -j ACCEPT

it just doesn't work ..

I need help with:
1. making my win2000 connect to the internet using iptables.
2. making my Linux forward port requests to something like 2 ports (86 and 84)

Thank you :)
Asked by: asabi

MFCRich commented:
You cannot combine iptables with ipchains, it's one or the other. Also make sure that forwarding is enabled on your Linux box.
 
asabi (Author) commented:

1. I am not trying to run them together, when I do my testings I turn ipchains off, and turn the iptables on.

2. Forwarding is enabled, otherwise ipchains wouldn't work,
no? Or am I wrong and they are not related?

I just want iptables to work .. :(

Thank you
 
ahoffmann commented:
please post the following:

   cat /proc/sys/net/ipv4/ip_forward
   iptables -L -n

probably you simply missed:

  iptables -t nat -A POSTROUTING -o <wan-nic> -j MASQUERADE
 
asabi (Author) commented:

cat /proc/sys/net/ipv4/ip_forward - 1

iptables -L -n
I get the list of my rules ..

for the FORWARD:
target prot opt source         destination
ACCEPT tcp  --  192.168.0.2     0.0.0.0/0
ACCEPT tcp  --  192.168.0.2/24  0.0.0.0/0

the input and output are empty
 
asabi (Author) commented:
I added the line you gave me and now my computer connects to the internet !!! :)

Now I am still trying to make the IP forwarding to work ..
I have inserted:
iptables -t nat -A PREROUTING -p tcp --dport 86 -i eth0 -j DNAT --to 192.168.0.2:86

my windows machine is 192.168.0.2, and it has port 86 open.
On the Linux box, eth0 is the internet connection
eth1 is the local network.

did I do it right ?
It doesn't work ..

thnx :-)
 
asabi (Author) commented:
Sorry, port forwarding .. :)
 
asabi (Author) commented:
Sorry ...

I also noticed that every time after reboot I need to type this:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Although I am using the:
/sbin/iptables-save
it seems it saves only the rules ..

Do I HAVE to retype
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
after each reboot ?
 
ahoffmann commented:
> did I do it right ?
yes, the command is right, but you missed a corresponding FORWARD rule:

  iptables -I FORWARD 1 -d 192.168.0.2 --dport 86 -j ACCEPT

> Do I HAVE to retype
I'm not sure about the iptables-save command (never used it),
but you need to have a script (in /etc/init.d or alike) with all your rules.
 
asabi (Author) commented:
o.k, cool,

I have added the rules to the rc.d, and the ip forwarding works "automatically"

About the port forwarding:

I think that another problem is that the port is not really opened on the Linux machine (it doesn't really listen to it ..)

how can I open this port on the Linux machine ?
(I am not at home right now, so I can't check it with the FORWARD rule ..)
can it just work without listening from the Linux box ?
Thank you
 
ahoffmann commented:
there is no need to open the port on the linux box (if the linux box is your firewall)
The firewall (packetfilter) simply rewrites the IP header, it does not connect to a port!
 
asabi (Author) commented:
doesn't work, any ideas ? no errors ...
 
ahoffmann commented:
please post the complete output of:

  iptables -L -n; iptables -L -n -t nat
 
asabi (Author) commented:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
LOG        icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 LOG flags 0 level 4
DROP       icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
LOG        all  --  192.168.0.0/24       0.0.0.0/0          LOG flags 0 level 4
DROP       all  --  192.168.0.0/24       0.0.0.0/0          
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:1:21 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:23:1023 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:3128 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:5432 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:8080 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:10000 reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:1:52 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:54:1023 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:2049 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.2        tcp dpt:86

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:86 to:192.168.0.2:86

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  192.168.0.2          0.0.0.0/0          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
 
asabi (Author) commented:
You probably look at it, hold your head with both your hands and say "what an idiot" right ? :-)

Hope it helps ..
 
ahoffmann commented:
in the INPUT chain you have at the beginning:

LOG   all  --  192.168.0.0/24  0.0.0.0/0  LOG flags 0 level 4
DROP  all  --  192.168.0.0/24  0.0.0.0/0

I'm not sure how the DROP rule looks exactly, how did you create it?
But it sounds like this rule eats all your packets. You're lucky to have the LOG rule right before it, so you may see what was dropped in /var/log/messages.

Rest of tables looks fine.
 
asabi (Author) commented:
o.k, I will try to get rid of the

DROP  all  --  192.168.0.0/24  0.0.0.0/0

and see what happens .., it kind of makes sense what you're saying .. :-)

Thank you !

 
asabi (Author) commented:
Thank you VERY MUCH !!!

It is working now ...

 
ahoffmann commented:
BTW, your default policy for all chains is ACCEPT,
which means that all non-matching packets are accepted. Probably not the purpose of a firewall ;-)
I suggest using the default policy DROP.
 
asabi (Author) commented:
thank you :) I will change that !
 
asabi (Author) commented:
ehhmmm ...

How do I change it without killing my own network ..

I tried to add:

iptables -P INPUT DROP

and then I couldn't do anything from my internal network ..

I know it was not part of my original question, I can open a new one if you like ;-)

but, how can I accept everything from my internal network, and reject everything from the outside while keeping my internet connection running as it is now ..

???
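The pieces scattered through this thread (ahoffmann's MASQUERADE rule, the DNAT rule together with the FORWARD rule it needs, an interface-bound form of the DROP rule that was eating asabi's LAN packets, a script that can be called from rc.d so the rules survive a reboot, and a DROP default policy that still lets the internal network through, which is what the last question asks) assembled into one script. This is an added example, not code posted in the thread; the interface roles, addresses and ports are the ones asabi gave, while the variable names, the "show" dry-run mode and the script layout are assumptions of this example:

```shell
#!/bin/sh
# Added example (not from the thread): a stateful iptables ruleset for a
# two-NIC Linux gateway, written as a script that an rc.d/init.d file can call
# at boot. Interface roles and addresses are the ones posted in the thread;
# variable names, the dry-run mode and the layout are assumptions.
#
#   eth0 = internet side, eth1 = LAN side, LAN = 192.168.0.0/24,
#   the Windows host 192.168.0.2 receives TCP ports 84 and 86 from outside.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
FWD_HOST="${FWD_HOST:-192.168.0.2}"
FWD_PORTS="${FWD_PORTS:-84 86}"
IPT="${IPT:-iptables}"                  # point at a shell function to dry-run
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

apply_firewall() {
    # Routing between the NICs must be on (the first thing checked in the thread).
    echo 1 > "$IP_FORWARD_FILE"

    # Start from empty tables so re-running the script does not duplicate rules.
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # Default DROP: anything not explicitly allowed below is discarded.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Local processes talking to themselves.
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: LAN addresses may never arrive on the internet interface.
    # This is the safe form of the rule that broke asabi's setup: bound to
    # $WAN_IF, it cannot eat legitimate LAN traffic entering on $LAN_IF.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Accept everything from the internal network (the last question in the thread).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Replies to connections the gateway or the LAN opened; without these a
    # DROP policy discards the return half of every outbound connection.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> internet, hidden behind the gateway's public address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Port forwarding: DNAT rewrites the destination, and a matching FORWARD
    # rule lets the rewritten packet through (the pair ahoffmann asked for).
    for port in $FWD_PORTS; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$FWD_HOST:$port"
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$FWD_HOST" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Usage: ./firewall.sh apply  (as root)   or   ./firewall.sh show  (dry run,
# prints the iptables commands instead of executing them)
case "${1:-show}" in
    apply) apply_firewall ;;
    show)  ( IPT="echo iptables"; IP_FORWARD_FILE=/dev/null; apply_firewall ) ;;
    *)     echo "usage: $0 {apply|show}" >&2; exit 2 ;;
esac
```

Run it with "apply" from the console the first time, because the policy switches to DROP before the ACCEPT rules are in place. One caveat for reading the listings posted above: iptables -L -n does not print the in/out interface columns, so an interface-bound DROP and an unconditional one look identical there; iptables -L -n -v (and -t nat -L -n -v) shows them.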