Solved

IPtables don't work!

Posted on 2002-06-10
Last Modified: 2010-04-20
Hi All,

The usual story .. I am new to Linux, so please be gentle.

OK, the story:

I am using RH 7.2. I have another Win2000 Prof machine that I would like to connect "behind" the Linux box, using the Linux box as a firewall.

I am currently using ipchains and it is working fine; the only problem is that I also want to do some port forwarding. I couldn't make it work with my ipchains, so I decided to give iptables a try since it has it built in.

iptables just wouldn't work at all, my Win2000 cannot access anything, and I don't get any error messages when I type:

iptables -A FORWARD -s 192.168.0.2 -p tcp -j ACCEPT

it just doesn't work ..

I need help with:
1. making my win2000 connect to the internet using iptables.
2. making my Linux forward port requests to something like 2 ports (86 and 84)

Thank you :)
Question by:asabi
20 Comments
 
LVL 4

Expert Comment

by:MFCRich
ID: 7069708
You cannot combine iptables with ipchains, it's one or the other. Also make sure that forwarding is enabled on your Linux box.
 
LVL 1

Author Comment

by:asabi
ID: 7070042

1. I am not trying to run them together; when I do my testing I turn ipchains off and turn iptables on.

2. Forwarding is enabled, otherwise ipchains wouldn't work,
no? Or am I wrong and they are not related?

I just want iptables to work .. :(

Thank you
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7070583
please post the following:

   cat /proc/sys/net/ipv4/ip_forward
   iptables -L -n

probably you simply missed:

  iptables -t nat -A POSTROUTING -o <wan-nic> -j MASQUERADE
 
LVL 1

Author Comment

by:asabi
ID: 7071662

cat /proc/sys/net/ipv4/ip_forward -> 1

iptables -L -n
I get the list of my rules ..

for the FORWARD chain:
target prot opt source         destination
ACCEPT tcp  --  192.168.0.2     0.0.0.0/0
ACCEPT tcp  --  192.168.0.2/24  0.0.0.0/0

the INPUT and OUTPUT chains are empty
 
LVL 1

Author Comment

by:asabi
ID: 7071689
I added the line you gave me and now my computer connects to the internet !!! :)

Now I am still trying to make the IP forwarding work ..
I have inserted:
iptables -t nat -A PREROUTING -p tcp --dport 86 -i eth0 -j DNAT --to 192.168.0.2:86

my Windows machine is 192.168.0.2, and it has port 86 open.
On the Linux box, eth0 is the internet connection,
eth1 is the local network.

did I do it right ?
It doesn't work ..

thnx :-)
 
LVL 1

Author Comment

by:asabi
ID: 7071708
Sorry port forwarding .. :)
 
LVL 1

Author Comment

by:asabi
ID: 7071719
Sorry ...

I also noticed that every time after reboot I need to type this:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Although I am using the:
/sbin/iptables-save
it seems it saves only the rules ..

Do I HAVE to retype
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
after each reboot ?
 
LVL 51

Accepted Solution

by:
ahoffmann earned 200 total points
ID: 7072145
> did I do it right ?
yes, the command is right, but you missed a corresponding FORWARD rule (--dport needs -p tcp in front of it):

  iptables -I FORWARD 1 -p tcp -d 192.168.0.2 --dport 86 -j ACCEPT

> Do I HAVE to retype
I'm not sure about the iptables-save command (never used it),
but you need to have a script (in /etc/init.d or alike) with all your rules.
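The pieces the thread has arrived at (ip_forward on, MASQUERADE on the WAN side, the DNAT rule, and the FORWARD ACCEPT that the DNAT needs) put together in one boot script, as an added example that is not code from the thread or from ahoffmann. It assumes the layout asabi described (eth0 = internet, eth1 = LAN, 192.168.0.2 = the Windows host, TCP port 86 forwarded); the script name and the rc.local hook are assumptions too. With DRY_RUN=1 it only prints the commands, which is a handy way to review a ruleset before applying it.

```shell
#!/bin/sh
# Added example, not code from the thread: NAT + port-forward ruleset for the
# setup described above. Assumptions: eth0 = internet side, eth1 = LAN side,
# 192.168.0.2 = the Windows host, TCP port 86 forwarded to it.
#
# Usage:  DRY_RUN=1 sh fw-nat.sh apply   # print the iptables commands only
#         sh fw-nat.sh apply             # apply them (as root)
# To survive reboots, call it from your rc script, e.g. /etc/rc.d/rc.local.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
WIN_HOST=192.168.0.2
FWD_PORT=86

# Wrapper: print the command in dry-run mode, execute it otherwise.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Kernel forwarding must be on, or the FORWARD and nat rules never see a packet.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

nat_rules() {
    # Start from empty nat and FORWARD chains so re-running does not stack duplicates.
    ipt -t nat -F
    ipt -F FORWARD

    # 1. Masquerade LAN traffic leaving on the WAN side (the rule that got the
    #    Windows box onto the internet). Restricting -s keeps the box from
    #    NATing packets that did not come from the LAN.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # 2. FORWARD: the LAN may go out; from the WAN side only replies to
    #    existing connections come back in.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Port forward: DNAT rewrites the destination in PREROUTING, but the
    #    rewritten packet still traverses FORWARD, so it needs its own ACCEPT
    #    (the rule that was missing in the thread). Nothing has to listen on
    #    port 86 on the firewall itself.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$WIN_HOST:$FWD_PORT"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WIN_HOST" --dport "$FWD_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    nat_rules
fi
```

Flushing the nat table and FORWARD chain at the top is what makes the script safe to run more than once; appending the same rules on every boot without a flush is how duplicate MASQUERADE lines creep into `iptables -L -n -t nat`.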
 
LVL 1

Author Comment

by:asabi
ID: 7073248
OK, cool,

I have added the rules to the rc.d, and the ip forwarding works "automatically"

About the port forwarding:

I think that another problem is that the port is not really opened on the Linux machine (it doesn't really listen to it ..)

how can I open this port on the Linux machine ?
(I am not at home right now, so I can't check it with the FORWARD rule ..)
can it just work without listening from the Linux box ?
Thank you
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7073561
there is no need to open the port on the Linux box (if the Linux box is your firewall).
The firewall (packet filter) simply rewrites the IP header, it does not connect to a port !
 
LVL 1

Author Comment

by:asabi
ID: 7074566
doesn't work, any ideas ? no errors ...
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7075130
please post the complete output of:

  iptables -L -n; iptables -L -n -t nat
 
LVL 1

Author Comment

by:asabi
ID: 7075606
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
LOG        icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 LOG flags 0 level 4
DROP       icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
LOG        all  --  192.168.0.0/24       0.0.0.0/0          LOG flags 0 level 4
DROP       all  --  192.168.0.0/24       0.0.0.0/0          
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:1:21 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:23:1023 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:3128 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:5432 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:8080 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:10000 reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:1:52 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:54:1023 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:2049 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.2        tcp dpt:86

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:86 to:192.168.0.2:86

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  192.168.0.2          0.0.0.0/0          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
 
LVL 1

Author Comment

by:asabi
ID: 7075618
You probably look at it, hold your head with both your hands and say "what an idiot" right ? :-)

Hope it helps ..
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7076254
in the INPUT chain you have at the beginning:

LOG   all  --  192.168.0.0/24  0.0.0.0/0  LOG flags 0 level 4
DROP  all  --  192.168.0.0/24  0.0.0.0/0

I'm not sure how the DROP rule looks exactly, how did you create it?
But it sounds like this rule eats all your packets. You're lucky to have the LOG rule right before it, so you may see what was dropped in /var/log/messages.

Rest of the tables looks fine.
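The advice above is to read /var/log/messages before touching the DROP rule, so here is a small summariser for what a LOG rule writes there, as an added example that is not part of the thread. It groups the logged packets by incoming interface, protocol, source, destination and destination port, most frequent first, which shows at a glance which LAN traffic the DROP rule is eating. The sample lines are constructed in the kernel's LOG-target format; the host name "fw", the MAC addresses and the timestamps are made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what an iptables LOG rule has
# written to /var/log/messages. The lines below are constructed samples in the
# kernel's LOG-target format (no --log-prefix, like the rule in the thread).

SAMPLE_LOG='Jun 10 21:03:12 fw kernel: IN=eth1 OUT= MAC=00:50:56:00:00:01:00:0c:29:00:00:02:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1201 DF PROTO=TCP SPT=1034 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 10 21:03:15 fw kernel: IN=eth1 OUT= MAC=00:50:56:00:00:01:00:0c:29:00:00:02:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1202 DF PROTO=TCP SPT=1035 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 10 21:03:20 fw kernel: IN=eth1 OUT= MAC=00:50:56:00:00:01:00:0c:29:00:00:02:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=61 TOS=0x00 PREC=0x00 TTL=128 ID=1203 PROTO=UDP SPT=1036 DPT=53 LEN=41
Jun 10 21:03:25 fw kernel: IN=eth1 OUT= MAC=00:50:56:00:00:01:00:0c:29:00:00:02:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1204 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jun 10 21:03:30 fw sshd[812]: Accepted password for root from 192.168.0.2 port 1040 ssh2'

# Read syslog lines on stdin; print "count in_if proto src -> dst:dport",
# most frequent first. Lines that are not LOG-target output are ignored.
summarize_drops() {
    awk '
    /kernel: .*IN=/ {
        in_if = ""; src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "IN") in_if = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        key = in_if " " proto " " src " -> " dst ":" dpt
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# On a live box:  summarize_drops < /var/log/messages
# With the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample the top line is the two dropped SSH attempts from 192.168.0.2 to the firewall's LAN address, which is exactly the kind of entry that explains a "can't do anything from the internal network" symptom. Adding `--log-prefix` to the LOG rule makes the lines easier to pick out of a busy syslog.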
 
LVL 1

Author Comment

by:asabi
ID: 7076272
OK, I will try to get rid of the

DROP  all  --  192.168.0.0/24  0.0.0.0/0

and see what happens .., it kind of makes sense what you're saying .. :-)

Thank you !

 
LVL 1

Author Comment

by:asabi
ID: 7079880
Thank you VERY MUCH !!!

It is working now ...

 
LVL 51

Expert Comment

by:ahoffmann
ID: 7080187
BTW, your default policy for all chains is ACCEPT,
which means that all non-matching packets are accepted. Probably not the purpose of a firewall ;-)
I suggest using a default policy of DROP.
 
LVL 1

Author Comment

by:asabi
ID: 7080375
thank you :) I will change that !
 
LVL 1

Author Comment

by:asabi
ID: 7080578
ehhmmm ...

How do I change it without killing my own network ..

I tried to add:

iptables -P INPUT DROP

and then I couldn't do anything from my internal network ..

I know it was not part of my original question, I can open a new one if you like ;-)

but, how can I accept everything from my internal network, and reject everything from the outside while keeping my internet connection running as it is now ..

???
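The last question is left unanswered in the thread. As an added example (mine, not ahoffmann's or asabi's), here is the way to move INPUT to a default policy of DROP without locking the LAN out: build the ACCEPT rules first and flip the policy last, so there is never a moment in which a packet from the LAN has no matching rule. It reuses the assumptions from earlier in the thread (eth0 = internet, eth1 = LAN, 192.168.0.0/24); the script name and the log prefix are assumptions. Note that flushing INPUT discards the existing REJECT rules, which a DROP policy makes redundant, and that FORWARD is deliberately left alone here so the masquerading keeps working; the same rules-first, policy-last pattern applies to it.

```shell
#!/bin/sh
# Added example, not code from the thread: switch INPUT to a default DROP
# policy without cutting off the LAN. Ordering is the whole point: ACCEPT
# rules go in first, the policy is flipped last.
#
# Usage:  DRY_RUN=1 sh fw-policy.sh apply   # show the commands
#         sh fw-policy.sh apply             # apply as root (from the console the first time)

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

policy_rules() {
    # The old policy (ACCEPT) is still in force while we rebuild, so flushing
    # first cannot lock anyone out.
    ipt -F INPUT

    # Loopback, anything arriving on the LAN interface from the LAN range, and
    # replies to connections the firewall opened itself (DNS, updates).
    # -m state needs ip_conntrack, which MASQUERADE already loads.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A packet claiming a LAN source but arriving on the WAN side is spoofed.
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Log what the policy is about to drop, rate-limited so the log cannot be
    # flooded from outside.
    ipt -A INPUT -i "$WAN_IF" -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "

    # Only now, with every ACCEPT in place, switch the policy.
    ipt -P INPUT DROP
    # OUTPUT stays ACCEPT: the firewall's own outgoing traffic is trusted here.
    ipt -P OUTPUT ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    policy_rules
fi
```

Run it from the console the first time; if a typo in the LAN interface name does lock you out, `iptables -P INPUT ACCEPT` from the console restores the old behaviour.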
