Solved

IPtables don't work !

Posted on 2002-06-10
20
231 Views
Last Modified: 2010-04-20
Hi All,

The usual story .. I am new to Linux, so please be gentle

o.k, the story:

I am using RH 7.2 , I have another win2000 prof machine that I would like to connect "behind" the Linux, use the Linux as a firewall.

I am currently using ipchains and it is working fine, the only problem is that I also want to do some port forwarding, I couldn't make it work with my ipchains, so I decided to give a try to the iptables since it has it built in.

iptables just wouldn't work at all, my win2000 cannot access, I don't get any error messages when I type:

iptables -A FORWARD -s 192.168.0.2 -p tcp -j ACCEPT

it just doesn't work ..

I need help with:
1. making my win2000 connect to the internet using iptables.
2. making my Linux forward port requests to something like 2 ports (86 and 84)

Thank you :)
0
Question by:asabi
20 Comments
 
LVL 4

Expert Comment

by:MFCRich
You cannot combine iptables with ipchains, it's one or the other. Also make sure that forwarding is enabled on your Linux box.
0
 
LVL 1

Author Comment

by:asabi

1. I am not trying to run them together, when I do my tests I turn ipchains off, and turn the iptables on.

2. Forwarding is enabled otherwise ipchains wouldn't work
no ? or am I wrong and they are not related ?

I just want iptables to work .. :(

Thank you
0
 
LVL 51

Expert Comment

by:ahoffmann
please post following:

   cat /proc/sys/net/ipv4/ip_forward
   iptables -L -n

probably you simply missed:

  iptables -t nat -A POSTROUTING -o <wan-nic> -j MASQUERADE
0
 
LVL 1

Author Comment

by:asabi

cat /proc/sys/net/ipv4/ip_forward - 1

iptables -L -n
I get the list of my rules ..

for the FORWARD:
target prot opt source         destination
ACCEPT tcp  --  192.168.0.2     0.0.0.0/0
ACCEPT tcp  --  192.168.0.2/24  0.0.0.0/0

the input and output are empty
0
 
LVL 1

Author Comment

by:asabi
I added the line you gave me and now my computer connects to the internet !!! :)

Now I am still trying to make the IP forwarding to work ..
I have inser
iptables -t nat -A PREROUTING -p tcp --dport 86 -i eth0 -j DNAT --to 192.168.0.2:86

my windows machine is 192.168.0.2, and it has port 86 open.
On the Linux box, eth0 is the internet connection
eth1 is the local network.

did I do it right ?
It doesn't work ..

thnx :-)
0
 
LVL 1

Author Comment

by:asabi
Sorry port forwarding .. :)
0
 
LVL 1

Author Comment

by:asabi
Sorry ...

I also noticed that every time after reboot I need to type this:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Although I am using the:
/sbin/iptables-save
it seems it saves only the rules ..

Do I HAVE to retype
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
after each reboot ?
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 200 total points
> did I do it right ?
yes, the command is right, but you missed a corresponding FORWARD rule (--dport needs the protocol match, hence -p tcp):

  iptables -I FORWARD 1 -p tcp -d 192.168.0.2 --dport 86 -j ACCEPT

> Do I HAVE to retype
I'm not sure about the iptables-save command (never used it),
but you need to have a script (in /etc/init.d or alike) with all your rules.
0
 
LVL 1

Author Comment

by:asabi
o.k, cool,

I have added the rules to the rc.d, and the ip forwarding works "automatically"

About the port forwarding:

I think that another problem is that the port is not really opened on the Linux machine (it doesn't really listen to it ..)

how can I open this port on the Linux machine ?
(I am not at home right now, so I can't check it with the FORWARD rule ..)
can it just work without listening from the Linux box ?
Thank you
0
 
LVL 51

Expert Comment

by:ahoffmann
there is no need to open the port on the linux box (if the linux box is your firewall)
The firewall (packetfilter) simply rewrites the IP header, it does not connect to a port !
0
 
LVL 1

Author Comment

by:asabi
doesn't work, any ideas ? no errors ...
0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
please post complete output of:

  iptables -L -n; iptables -L -n -t nat
0
 
LVL 1

Author Comment

by:asabi
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
LOG        icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 LOG flags 0 level 4
DROP       icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
LOG        all  --  192.168.0.0/24       0.0.0.0/0          LOG flags 0 level 4
DROP       all  --  192.168.0.0/24       0.0.0.0/0          
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:1:21 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:23:1023 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:3128 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:5432 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:8080 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:10000 reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:1:52 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:54:1023 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:2049 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.2        tcp dpt:86

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:86 to:192.168.0.2:86

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  192.168.0.2          0.0.0.0/0          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
0
 
LVL 1

Author Comment

by:asabi
You probably look at it, hold your head with both your hands and say "what an idiot" right ? :-)

Hope it helps ..
0
 
LVL 51

Expert Comment

by:ahoffmann
in the INPUT chain you have at the beginning:

LOG   all  --  192.168.0.0/24  0.0.0.0/0  LOG flags 0 level 4
DROP  all  --  192.168.0.0/24  0.0.0.0/0

I'm not sure how the DROP rule looks exactly, how did you create it?
But it sounds like this rule eats all your packets. You're lucky to have the LOG rule right before it, so you may see what was dropped in /var/log/messages.

Rest of tables looks fine.
0
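The diagnosis above is done by eye on the `iptables -L -n` listing. As an added example (not part of the thread), here is a small shell audit that reads that listing on stdin and flags the two things ahoffmann points at: chains whose default policy is ACCEPT, and INPUT rules that DROP or REJECT traffic from the LAN range. The sample listing is constructed from the output asabi posted; the LAN network 192.168.0.0/24 is the one described in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: audit "iptables -L -n" output for
#   1. chains with default policy ACCEPT (unmatched packets are let through)
#   2. INPUT rules that DROP/REJECT packets whose source is the internal LAN,
#      which is what cut asabi's LAN off from the gateway.

audit_listing() {
    # $1 = LAN network exactly as iptables prints it, e.g. 192.168.0.0/24
    # reads the listing on stdin and writes one WARN line per finding
    awk -v lan="$1" '
        /^Chain / {
            chain = $2
            policy = $4; sub(/\)$/, "", policy)   # "ACCEPT)" -> "ACCEPT"
            if (policy == "ACCEPT")
                printf "WARN %s: default policy ACCEPT, unmatched packets are accepted\n", chain
            next
        }
        /^target/ || /^$/ { next }            # column header and blank lines
        chain == "INPUT" && ($1 == "DROP" || $1 == "REJECT") && $4 == lan {
            printf "WARN INPUT: %s rule on source %s discards LAN traffic to the gateway\n", $1, $4
        }
    '
}

# Constructed sample: an abridged copy of the listing posted in this thread.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 LOG flags 0 level 4
DROP       icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
LOG        all  --  192.168.0.0/24       0.0.0.0/0          LOG flags 0 level 4
DROP       all  --  192.168.0.0/24       0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:8080 reject-with tcp-reset

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.2        tcp dpt:86

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# runs the audit over the sample; on a live box use: iptables -L -n | audit_listing 192.168.0.0/24
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing 192.168.0.0/24
}

if [ "${1:-}" = demo ]; then
    audit_sample
fi
```

On the sample this reports four findings: three ACCEPT policies (INPUT, FORWARD, OUTPUT) and the `DROP all -- 192.168.0.0/24` rule in INPUT. Run it against the real box with `iptables -L -n | sh audit.sh` replaced by the pipe shown in the comment; it only reads the listing and changes nothing.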
 
LVL 1

Author Comment

by:asabi
o.k, I will try to get rid of the

DROP  all  --  192.168.0.0/24  0.0.0.0/0

and see what happens .., it kind of makes sense, what you're saying .. :-)

Thank you !

0
 
LVL 1

Author Comment

by:asabi
Thank you VERY MUCH !!!

It is working now ...

0
 
LVL 51

Expert Comment

by:ahoffmann
BTW, your default policy for all chains is ACCEPT,
which means that all non-matching packets are accepted. Probably not the purpose of a firewall ;-)
I suggest using default policy DROP.
0
 
LVL 1

Author Comment

by:asabi
thank you :) I will change that !
0
 
LVL 1

Author Comment

by:asabi
ehhmmm ...

How do I change it without killing my own network ..

I tried to add:

iptables -P INPUT DROP

and then I couldn't do anything from my internal network ..

I know it was not part of my original question, I can open a new one if u like ;-)

but, how can I accept everything from my internal network, and reject everything from the outside while keeping my internet connection running as it is now ..

???
0
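The closing question (a DROP policy that does not cut off the LAN), the reboot question earlier in the thread and the accepted solution's FORWARD rule all fit in one script. The following is an added example, not the thread's own rc.d script, written for the setup asabi describes: RH 7.2 with eth0 on the internet, eth1 on the 192.168.0.0/24 LAN, and TCP port 86 forwarded to 192.168.0.2. The ordering is the point: accept rules are loaded first and the DROP policies are set last, so a session from the LAN survives even if the script stops halfway. The `-m state` match and the `IPT="echo iptables"` dry run are this example's choices, not something from the thread.

```shell
#!/bin/sh
# Added example, not the thread's own script. Gateway layout taken from the thread:
#   eth0 = internet, eth1 = LAN 192.168.0.0/24, TCP 86 is published to 192.168.0.2.
# Usage:  sh firewall.sh apply              (as root, loads the rules)
#         IPT="echo iptables" sh firewall.sh apply   (dry run, prints them)

WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/24
DNAT_HOST=192.168.0.2
DNAT_PORT=86

# IPT="echo iptables" prints every command instead of loading it.
IPT=${IPT:-iptables}

apply_rules() {
    # start from empty tables; default policies stay ACCEPT until the very end
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # INPUT: loopback, replies to connections the gateway itself opened, and the LAN.
    # The LAN rule is what asabi's INPUT chain was missing (it had a DROP instead).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # FORWARD: LAN -> internet, the replies, and the one published service
    # (the accepted solution's rule, written with the -p tcp that --dport needs)
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -p tcp -d "$DNAT_HOST" --dport "$DNAT_PORT" -j ACCEPT

    # NAT: masquerade the LAN behind eth0 (the rule that had to be retyped after
    # each reboot) and DNAT inbound port 86 to the Windows machine
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$DNAT_PORT" \
        -j DNAT --to-destination "$DNAT_HOST:$DNAT_PORT"

    # only now close the doors; OUTPUT stays ACCEPT so the gateway itself can get out
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

enable_forwarding() {
    # the switch ahoffmann asked to check with: cat /proc/sys/net/ipv4/ip_forward
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

if [ "${1:-}" = apply ]; then
    enable_forwarding
    apply_rules
fi
```

To make it survive a reboot, either call the script from the rc.d startup as asabi did, or, after applying it, run `iptables-save > /etc/sysconfig/iptables` so Red Hat's iptables init script reloads the saved tables at boot (iptables-save covers the nat table as well when it writes the whole ruleset, which is what the MASQUERADE rule needs). Packets from the LAN to the gateway itself are accepted by interface and source address, so a spoofed 192.168.0.x packet arriving on eth0 still hits the INPUT DROP policy.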
