
Please can someone help me with my "Fire-Masq" I just need to be able to see internal servers as well as external Web.

paddyhaig asked on
Linux Networking
I am looking for a little help with an IPtables init.d script issue.  

Below is my predicament.

I decided to turn an old computer that I have into a NAT router/firewall for my internal network.
I installed two ethernet cards (eth0 & eth1 ) and installed RedHat Linux 7.3.
I also downloaded a NAT script from the Internet that uses IPTABLES.

I set the router/firewall up so that "eth0" is my WAN ( Public IP ) and "eth1" is my LAN ( Internal IP )

On my LAN ( Internal network ) I have 3 servers and 1 workstation, and also a wireless AP that is used for my wireless laptop and for my neighbor's wireless Internet connection. Oh, and also the Linux router that I am trying to configure here.

Here is how my network is presently configured.

1, The Linux router/firewall uses "eth0" connected to the Internet ( Public IP: 23.456.789.1 )

The router/firewall also doubles up as a DNS server for my domain.

and "eth1" my Private IP: 192.168.0.1 is connected to a 24 port switch.


Also connected to the above switch are the following systems:

Wireless Access Point ( IP: 192.168.0.2 ) This uses 192.168.1.0/24 for an 802.11b wireless network.
DataBase server       ( IP: 192.168.0.5 )
Mail Server           ( IP: 192.168.0.6 )
Web server            ( IP: 192.168.0.7 )
Static Workstation    ( IP: 192.168.0.14 )

The netmask for the above Ethernet wired network is: /28

My Problem:

Although it is quite possible to access the Web sites hosted on my Web server from outside of my network via the Internet, it does not seem to be possible to access the Web sites from inside my network. The same applies to my mail server. E.g. from my workstation or my wireless laptop I cannot pull up any Web sites hosted on my web server. I also cannot access my e-mail using my domain name as a server name. ( I have to use an IP address )

One note: I would not believe that this could work at all, if it were not for the fact that it worked just fine when I used a Linksys hardware router. I could pull up any web pages that were hosted on my web server without a problem.

Also just to let you know, the DNS seems to be working fine. I can ping my domain names from my internal network and they seem to resolve correctly with the correct external IP of 23.456.789.1.

They just will not come up in my browser. I think it has to do with the port mapping possibly, but my experience with IPTABLES is somewhat limited.


Here is the present IPTABLES script that I am using.

-------------------------------------------------------------------------------------------------------------------

#!/bin/sh
# description: nat
# chkconfig: 2345 99 00

case "$1" in
'start')
        #!/bin/bash
        # Do iptables based masquerading and firewalling.

        # Set default PATH
        export PATH=/sbin:/usr/sbin:/bin:/usr/bin

        # Load NAT modules
        modprobe iptable_nat
        modprobe ip_nat_ftp
        modprobe ip_nat_irc

        # Load connection-tracking modules
        modprobe ip_conntrack
        modprobe ip_conntrack_ftp
        modprobe ip_conntrack_irc

        # Disable response to broadcasts.
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

        # Don't accept source routed packets.
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

        # Disable ICMP redirect acceptance.
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

        # Enable bad error message protection
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

        # Log spoofed packets, source routed packets, redirect packets
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

        # Turn on IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward


        # Clean old rules. The nat table has to be flushed explicitly:
        # "iptables -F" without "-t nat" only touches the filter table, so
        # the MASQUERADE and DNAT rules below would otherwise accumulate
        # on every restart.
        iptables -F
        iptables -X
        iptables -Z
        iptables -t nat -F
        iptables -t nat -X

        # Allow forwarding through the internal interface
        iptables -A FORWARD -i eth1 -j ACCEPT
        iptables -A FORWARD -o eth1 -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Default forward policy to DROP
        iptables -P FORWARD DROP

        # Do masquerading through eth0
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


        # Port Forwarding
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080

        # Firewall Rules

        # Loopback - Allow unlimited traffic
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT

        # SYN-Flooding Protection
        iptables -N syn-flood
        iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
        iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
        iptables -A syn-flood -j DROP

        # Make sure that new TCP connections are SYN packets
        iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

        # Fragments : Don't trust the little buggers. Send 'em to hell.
        iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
        iptables -A INPUT -i eth0 -f -j DROP

        # Refuse spoofed packets claiming to be the loopback
        iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

        # Allow BootP/DHCP UDP requests
        iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT

        # DNS
        # Allow UDP and TCP packets in for DNS client from nameservers
        iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
        iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT

        # SSH
        # allow all sshd incoming connections (including the port fw)
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT

        # HTTP
        # allow all http/https incoming/return connections
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT

        # FTP
        # allow all ftpd incoming connections
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT

        # Enable active ftp transfers
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Enable passive ftp transfers
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Enable ident probes (IRC)
        iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT

        # Allow ICMP in if it is related to other connections
        iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Allow bot traffic through
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT

        # enable dcc
        iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT

        # LOGGING:

        # UDP, log & drop
        iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
        iptables -A INPUT -i eth0 -p udp -j DROP

        # ICMP, log & drop
        iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
        iptables -A INPUT -i eth0 -p icmp -j DROP

        # Windows NetBIOS noise, log & drop
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP

        # IGMP noise, log & drop
        iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
        iptables -A INPUT -i eth0 -p 2 -j DROP

        # TCP, log & drop
        iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
        iptables -A INPUT -i eth0 -p tcp -j DROP

        # Anything else not allowed, log & drop
#       iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
#       iptables -A INPUT -i eth0 -j DROP


        touch /var/lock/subsys/nat
        ;;
'stop')
        rm -f /var/lock/subsys/nat
        ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac
exit 0


I solemnly promise to share this script with all those on the Internet that want it, if I can get it going correctly.
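The symptom in the question is the classic hairpin (NAT loopback) case. The script's DNAT rules match only `-i eth0`, so a connection from a LAN host to the public address arrives on eth1, is never translated, and is delivered to the router itself instead of the web or mail server; the Linksys box handled this for the user behind the scenes. The iptables answer is a second DNAT for traffic entering on eth1 and addressed to the public IP, plus an SNAT so the server's reply goes back through the router rather than straight to the client (a direct reply would carry the server's private address as source and the client's TCP stack would discard it). The script below is an added example, not the asker's script and not the accepted answer: it reuses the interface names and internal addresses from the question, uses 203.0.113.1 as a placeholder for the obfuscated public address, and assumes that every internal client, wired /28 or wireless /24, falls within 192.168.0.0/16.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) rules for an iptables masquerading router.
# Added example: not the asker's script and not the accepted answer.
# Interface names and internal addresses are those given in the question;
# PUBLIC_IP is a documentation-range placeholder for the obfuscated public
# address, and HAIRPIN_SRC is an assumption covering both the wired /28 and
# the wireless /24 behind the access point. The WAN side stays eth0.

LAN_IF=eth1
LAN_GW=192.168.0.1            # the router's own LAN address (eth1)
PUBLIC_IP=203.0.113.1         # placeholder for the question's public IP
HAIRPIN_SRC=192.168.0.0/16    # assumption: all internal clients live here

# Published services, "public_port internal_host internal_port" per line,
# copied from the DNAT rules in the question's script.
SERVICES='
80 192.168.0.7 80
21 192.168.0.7 21
25 192.168.0.6 25
110 192.168.0.6 110
8080 192.168.0.6 8080
222 192.168.0.6 22
'

# Print the two nat-table rules that make one published service reachable
# from inside via the public address.
#  1. PREROUTING DNAT for packets that arrive on the LAN interface addressed
#     to the public IP (the question's rules only match -i eth0, so these
#     packets were being delivered to the router itself).
#  2. POSTROUTING SNAT for the translated packet as it leaves the LAN
#     interface, so the server answers the router and not the client directly.
#     Matching on HAIRPIN_SRC keeps real Internet clients' source addresses
#     intact in the servers' logs; only internal clients get rewritten.
hairpin_rules() {
    pub=$1; host=$2; port=$3
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$PUBLIC_IP" "$pub" "$host" "$port"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$LAN_IF" "$HAIRPIN_SRC" "$host" "$port" "$LAN_GW"
}

# Generate the rules for every published service.
all_hairpin_rules() {
    printf '%s\n' "$SERVICES" | while read -r pub host port; do
        [ -n "$pub" ] || continue          # skip the blank lines in SERVICES
        hairpin_rules "$pub" "$host" "$port"
    done
}

# Number of rules produced: two per published service.
rule_count() {
    all_hairpin_rules | wc -l | tr -d ' '
}

# Usage: ./hairpin.sh          prints the rules for review
#        ./hairpin.sh apply    feeds them to iptables (root required)
case "${1:-print}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        all_hairpin_rules | sh -e
        ;;
    print)
        all_hairpin_rules
        ;;
esac
```

The question's FORWARD chain already accepts `-i eth1` and `-o eth1`, so the hairpinned packet (in on eth1, out on eth1) is forwarded without further filter rules. Because `iptables -F` without `-t nat` leaves the nat table untouched, flush it with `iptables -t nat -F` before re-applying, or the rules accumulate on every restart. The alternative that needs no NAT rule at all is split-horizon DNS: since the router already runs the domain's DNS server, it can answer LAN queries with the internal 192.168.0.x addresses while external resolvers keep seeing the public IP.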
ASKER CERTIFIED SOLUTION
-CrashOverride-
