  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 384

Hosting more servers

Linux server with two NICs. The 1st NIC is assigned a public IP and is connected to an ADSL router, which in turn is connected to the DSL line. The 2nd NIC has a private IP and is connected to the local LAN.

A domain name is registered and assigned to the 1st NIC's IP. The server acts as a web server and FTP server.

Now we wish to make one local server in the LAN, with a private IP, available to the public / external network.

We wish to connect to this server from outside. It is an Oracle Apps server.

How can we do that?

Will NAT or DNAT help me do that?
0
Asked by hithayath
1 Solution
 
Gabriel Orozco (Solution Architect) commented:
Provided you are not using the same ports:

iptables -I PREROUTING -t nat -i externalinterface -p tcp -d ex.ter.nal.ip --dport externalport -j DNAT --to-destination in.ter.nal.ip:internalport
0
 
Gabriel Orozco (Solution Architect) commented:
Sorry: I forgot to mention that you need to open the external port in the firewall :)
0
 
hithayath (Author) commented:
Thanks for the information. I have added it, but still nothing seems to satisfy my requirement.

Actually, what I have done is:

I have a Linux box with two NICs.

1st NIC - eth1 - has public IP 6x.xx.xx.xx - connected to the DSL router

2nd NIC - eth0 - has private IP 10.0.0.1 - connected to the LAN

3. It is acting as a router, so my LAN PCs are able to browse the Internet through this Linux box.

4. I have the registered domain mybox.com assigned to the above public IP 6x.xx.xx.xx, so when I hit www.mybox.com it comes to my box.

5. Now I have a Solaris box with 10.0.0.2 in my LAN.
My external users, outside my location, wish to connect to this box via the Internet. As I do not have any other public IP, is it possible to host this PC?

So I have tried your NAT rule:
iptables -I PREROUTING -t nat -i eth1 -p tcp -d 6x.xx.xx.xx --dport 8000 -j DNAT --to-destination 10.0.0.2

It is not bringing any result.

I have tried http://mybox.com:8000 - no page displayed.

Is this the correct way, or is any other way available for this?



0
 
Gabriel Orozco (Solution Architect) commented:
Change the rule like this:

iptables -I PREROUTING -t nat -i eth1 -p tcp -d 6x.xx.xx.xx --dport 8000 -j DNAT --to-destination 10.0.0.2:80


(You forgot to tell the port to your firewall :)

If it is still not working, then post here the output of
iptables -L -v --table nat

and of
iptables -L -v
0
 
hithayath (Author) commented:
For testing purposes I have disabled all my iptables rules (the firewall, iptables, runs on the same server) except the one NAT rule.

Outputs as follows after enabling the NAT rule:

[root@myhost root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@myhost root]# iptables -L -v --table nat
Chain PREROUTING (policy ACCEPT 465 packets, 42560 bytes)
pkts bytes target     prot opt in     out     source               destination

   0     0 DNAT       tcp  --  eth1   any     anywhere             myhost         tcp dpt:8000 to:10.0.0.2:80

Chain POSTROUTING (policy ACCEPT 304 packets, 18598 bytes)
pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 15 packets, 1026 bytes)
pkts bytes target     prot opt in     out     source               destination



[root@myhost root]# iptables -L -v
Chain INPUT (policy ACCEPT 831 packets, 184K bytes)
pkts bytes target     prot opt in     out     source               destination


Chain FORWARD (policy ACCEPT 3650 packets, 429K bytes)
pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 358 packets, 26680 bytes)
pkts bytes target     prot opt in     out     source               destination


I have tried like this after setting the rule:

Going to http://6x.xx.xx.xx:8000 in the browser gives "no page displayed",

but I am able to get to http://10.0.0.2:80.

What will be the problem? Let me know.

Have I understood NAT correctly or not???

Expecting your reply.
0
 
Gabriel Orozco (Solution Architect) commented:
Yep. Your problem is that you are trying to access the external ip:port from inside, while the rule is in effect for outside only.

If you want it to work from inside also, then add this rule:

iptables -I PREROUTING -t nat -i eth0 -p tcp -d 6x.xx.xx.xx --dport 8000 -j DNAT --to-destination 10.0.0.2:80

Please note I have changed eth1 to eth0.

This and the other rule can be reduced to this:

iptables -I PREROUTING -t nat -p tcp -d 6x.xx.xx.xx --dport 8000 -j DNAT --to-destination 10.0.0.2:80

So, please just delete the "-i eth1" from the rule you already have, and try again :)
0
 
hithayath (Author) commented:
Yes, I am trying from inside only. Only now have I noticed the defect. Thanks a lot for the information.
Now it is working fine.
0
 
Gabriel Orozco (Solution Architect) commented:
Why a B?
0
 
hithayath (Author) commented:
Hi,
  I have enabled my other firewall rules as below; after that my NAT rule is not working.

iptables -L -v

[root@test]# iptables -L -v
Chain INPUT (policy DROP 124 packets, 14739 bytes)
pkts bytes target     prot opt in     out     source               destination

   0     0 DROP       all  --  eth1   any     anywhere             192.168.0.0/16    
   0     0 syn-flood_INT_IF  tcp  --  eth0   any     anywhere             anywhere
   tcp flags:FIN,SYN,RST,ACK/RST
   0     0 syn-flood_EXT_IF  tcp  --  eth1   any     anywhere             anywhere
   tcp flags:FIN,SYN,RST,ACK/RST
   0     0 DROP       tcp  --  eth0   any     anywhere             anywhere
      tcp flags:!SYN,RST,ACK/SYN state NEW
   9   360 DROP       tcp  --  eth1   any     anywhere             anywhere
      tcp flags:!SYN,RST,ACK/SYN state NEW
   0     0 LOG        all  -f  eth0   any     anywhere             anywhere
      LOG level warning prefix `IPTABLES FRAGMENTS eth0: '
   0     0 DROP       all  -f  eth0   any     anywhere             anywhere

   0     0 LOG        all  -f  eth1   any     anywhere             anywhere
      LOG level warning prefix `IPTABLES FRAGMENTS eth1: '
   0     0 DROP       all  -f  eth1   any     anywhere             anywhere

   0     0 DROP       all  --  eth1   any     anywhere             172.16.0.0/16
   0     0 LOG        tcp  --  eth0   any     anywhere             anywhere
      multiport dports 12345,12346,ingreslock,27665,31337 LOG level warning prefix
      `IPTABLES Trojan INT_IF: '
   0     0 LOG        udp  --  eth0   any     anywhere             anywhere
      multiport dports 12345,12346,27444,31335,31337 LOG level warning prefix
      `IPTABLES Trojan INT_IF: '
   0     0 DROP       tcp  --  eth0   any     anywhere             anywhere
      multiport dports 12345,12346,ingreslock,27665,31337
   0     0 DROP       udp  --  eth0   any     anywhere             anywhere
      multiport dports 12345,12346,27444,31335,31337
   0     0 LOG        tcp  --  eth1   any     anywhere             anywhere
      multiport dports 12345,12346,ingreslock,27665,31337 LOG level warning prefix
      `IPTABLES Trojan EXT_IF: '
   0     0 LOG        udp  --  eth1   any     anywhere             anywhere
      multiport dports 12345,12346,27444,31335,31337 LOG level warning prefix `IPTABLES Trojan EXT_IF: '
   0     0 DROP       tcp  --  eth1   any     anywhere             anywhere
      multiport dports 12345,12346,ingreslock,27665,31337
   0     0 DROP       udp  --  eth1   any     anywhere             anywhere
      multiport dports 12345,12346,27444,31335,31337
   0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere
      state RELATED,ESTABLISHED
   0     0 ACCEPT     icmp --  eth1   any     anywhere             anywhere
      state RELATED,ESTABLISHED
  40  6274 ACCEPT     udp  --  eth1   any     nameserver1      anywhere
      state ESTABLISHED
   0     0 ACCEPT     udp  --  eth1   any     nameserver2         anywhere
      state ESTABLISHED
   1   148 ACCEPT     udp  --  eth1   any     nameserver3  anywhere
          state ESTABLISHED
 230  9516 ACCEPT     all  --  any    any     anywhere             anywhere
      state RELATED,ESTABLISHED
   0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
      state NEW,RELATED,ESTABLISHED
   1    44 ACCEPT     tcp  --  eth0   any     anywhere             anywhere
      multiport dports ftp-data,ftp,ssh,telnet,smtp,http,pop2,pop3 state NEW,ESTABLISHED
   1    44 ACCEPT     tcp  --  eth1   any     anywhere             anywhere
      multiport dports http,ftp-data,ftp,smtp state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere
      tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED

Chain FORWARD (policy DROP 121 packets, 18415 bytes)
pkts bytes target     prot opt in     out     source               destination

   0     0 ACCEPT     icmp --  eth0   eth1    anywhere             anywhere
      state NEW,ESTABLISHED
 126  8199 ACCEPT     udp  --  eth0   eth1    anywhere             nameserver1
 udp dpt:domain state NEW,ESTABLISHED
  55  3794 ACCEPT     udp  --  eth0   eth1    anywhere             nameserver2
      udp dpt:domain state NEW,ESTABLISHED
  15   928 ACCEPT     udp  --  eth0   eth1    anywhere             nameserver3
  udp dpt:domain state NEW,ESTABLISHED
4155  417K ACCEPT     tcp  --  eth0   eth1    anywhere             anywhere
      multiport dports ftp-data,ftp,ssh,telnet,smtp,http,pop3,8000,ms-sql-s state NEW,ESTABLISHED
   0     0 ACCEPT     udp  --  eth0   eth1    anywhere             anywhere
      multiport dports ftp-data,ftp,ssh,telnet,smtp,http,pop3,8000,ms-sql-s state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  eth0   eth1    anywhere             anywhere
      multiport dports irc,https state NEW,ESTABLISHED
   0     0 ACCEPT     udp  --  eth0   eth1    anywhere             anywhere
      multiport dports irc,https state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  eth0   eth1    anywhere             anywhere
      tcp dpt:ftp-data state ESTABLISHED
   0     0 ACCEPT     tcp  --  eth0   eth1    anywhere             anywhere
      tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
4348 3959K ACCEPT     all  --  eth1   eth0    anywhere             anywhere
      state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

   0     0 DROP       all  --  any    eth1    10.0.0.0/8           anywhere

   0     0 DROP       all  --  any    eth1    anywhere             10.0.0.0/8

   0     0 DROP       all  --  any    eth1    172.16.0.0/16        anywhere

   0     0 DROP       all  --  any    eth1    anywhere             172.16.0.0/16
   0     0 DROP       all  --  any    eth1    192.168.0.0/16       anywhere

   0     0 DROP       all  --  any    eth1    anywhere             192.168.0.0/16
   0     0 ACCEPT     icmp --  any    eth0    anywhere             anywhere
      state NEW,RELATED,ESTABLISHED
   1   186 ACCEPT     icmp --  any    eth1    anywhere             anywhere
      state NEW,RELATED,ESTABLISHED
  41  2905 ACCEPT     udp  --  any    eth1    anywhere             nameserver1
       udp dpt:domain state NEW,ESTABLISHED
   1    71 ACCEPT     udp  --  any    eth1    anywhere             nameserver2
      udp dpt:domain state NEW,ESTABLISHED
   1    71 ACCEPT     udp  --  any    eth1    anywhere             nameserver3
   udp dpt:domain state NEW,ESTABLISHED
   5   977 ACCEPT     all  --  any    eth1    anywhere             anywhere
      state RELATED,ESTABLISHED
   0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
      state NEW,RELATED,ESTABLISHED
 183 12085 ACCEPT     tcp  --  any    eth0    anywhere             anywhere
      multiport sports ftp-data,ftp,ssh,telnet,smtp,http,pop2,pop3 state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere
      multiport sports http,ftp-data,ftp,smtp state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere
      multiport dports ftp-data,ftp,http,smtp state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere
      multiport dports ftp-data,ftp,ssh,smtp,http state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere
      tcp dpt:ftp-data state NEW,RELATED,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere
      tcp dpt:ftp state NEW,RELATED,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere
      tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED

Chain syn-flood_EXT_IF (1 references)
pkts bytes target     prot opt in     out     source               destination

   0     0 RETURN     all  --  any    any     anywhere             anywhere
      limit: avg 1/sec burst 4
   0     0 DROP       all  --  any    any     anywhere             anywhere


Chain syn-flood_INT_IF (1 references)
pkts bytes target     prot opt in     out     source               destination

   0     0 RETURN     all  --  any    any     anywhere             anywhere
      limit: avg 1/sec burst 4
   0     0 DROP       all  --  any    any     anywhere             anywhere


If I remove all the other rules, enabling only my previous NAT rule, it is working fine.

What will be the problem?

I am getting hits in iptables -L -v -t nat
under that PREROUTING rule.

Any idea about NATing an Oracle Apps server? I am able to do NAT for WebLogic, JBoss and IIS servers lying on the LAN, but not for Oracle Apps.

0
 
Gabriel Orozco (Solution Architect) commented:
for a B...

but ok.

Add the rule *at the end*, not in the middle or at the beginning.

As it is an insert, if you insert it last, it will be the first rule and nothing will block it.
0
 
hithayath (Author) commented:
I have tried inserting the rule at the end; even then it is not working.


# Documentation
# -------------
# "Standard Settings".
# - IPTABLES="/usr/sbin/iptables"       => This defines the path where your "iptables" executable is. You can find it by using "whereis iptables"
# - INT_IF="eth0"                  => Change "eth0" to the name of your INTERNAL NIC (Network Interface Card) eg: "eth0" "eth1" "eth2"
# - BROADCAST="xx.xx.xx.xx/16"            => Change the IP to the BROADCAST address of your network. eg: "192.168.0.255/24" "192.168.1.255/24"
# - EXT_IF="eth1"                  => This is you EXTERNAL INTERFACE, if you use dial up it is "ppp0", if you use broadband it is one of your Ethernets.
# - FORWARD_PORTS_1="22,80"            => These are the ports which will be FORWARDED from your INTERNAL INTERFACE to your EXTERNAL INTERFACE (maximum 15 ports)
# - FORWARD_PORTS_2="194,443"            => Same as above, this is just here if you need more than 15 ports (To prevent error messages you should enter at least one port in here)
# - TCP_SERVICES_IN_INT_IF="6"            => Server ports you want to export to your LOCAL NETWORK. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_IN_EXT_IF="80"            => Server ports you want to export to your EXTERNAL INTERFACE (Internet). (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_OUT_INT_IF="22,80"      => If you want to access ports from the machine where you install the firewall INSIDE your network you need to specify the ports. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_OUT_EXT_IF="22,80"      => Ports you want to connect to OUTSIDE your local network from the machine where the firewall is installed. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - NAMESERVER_1="dns1"      => The IP of your EXTERNAL DNS1/NAMESERVER (you can get the IP from your ISP)
# - NAMESERVER_2="dns2"      => The IP of your EXTERNAL DNS2/NAMESERVER (you can get the IP from your ISP)
# - LOOPBACK="127.0.0.0/8"            => This is your loopback IP, don't change this unless you know what you are doing
# - CLASS_A="10.0.0.0/8"            => This will block a /8 (Class A) IP coming in through your EXTERNAL interface, because it will be spoofed.
# - CLASS_B="172.16.0.0/16"            => This will block a /16 (Class B) IP coming in through your EXTERNAL interface, because it will be spoofed.
# - CLASS_C="192.168.0.0/16"             => This will block a /24 (Class C) IP coming in through your EXTERNAL interface, because it will be spoofed.
# - XSERVER_PORTS="6000:6063"            => Most X servers listen at these ports, this will block the specified ports
# - ICQ_PORT_TCP="5190"                  => This is the default port where ICQ connects to the ICQ network
# - ICQ_PORT_UDP="4000"                  => This is the default port where ICQ connects to the ICQ network
# - TROJAN_PORTS_TCP="12345,12346"      => This will block INCOMING requests for Trojans on your Network tcp. You can add more ports (max 15 ports) or use port 6 to disable this feature.
# - TROJAN_PORTS_UDP="27444,31335"      => This will block INCOMING requests for Trojans on your Network udp. You can add more ports (max 15 ports) or use port 6 to disable this feature.
#
#
##########
# Standard Settings
IPTABLES="/sbin/iptables"
INT_IF="eth0"
BROADCAST="10.0.0.255/16"
EXT_IF="eth1"
FORWARD_PORTS_1="20,21,22,23,25,80,110,8000,1433,7001"
FORWARD_PORTS_2="194,443"
# To open port for Local network on firewall machine - ports opened below are http port, smtp port , pop3 port, ssh
TCP_SERVICES_IN_INT_IF="20,21,22,23,25,80,109,110,7001"
TCP_SERVICES_IN_EXT_IF="80,20,21,25,7001"
# To open ports in firewall machine to local network
TCP_SERVICES_OUT_INT_IF="20,21,80,25,7001"
# To open ports in firewall machine to external network
TCP_SERVICES_OUT_EXT_IF="20,21,22,25,80,7001"
NAMESERVER_1="dns1"
NAMESERVER_2="dns2"
NAMESERVER_3="dns3"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/16"
CLASS_C="192.168.0.0/16"
UP_PORTS="1024:65535"
XSERVER_PORTS="6000:6063"
ICQ_PORT_TCP="5190"
ICQ_PORT_UDP="4000"
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"
#
#
echo "Starting Firewall ....."
# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#
##########
# Flush Rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
#
#
##########
# Changing Kernel Parameters, you need CONFIG_SYSCTL defined in your kernel
#
# SYN Cookie Protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Disable response to ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

# Log spoofed packets, source routed packets, redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#
#
##########
# Rules
#
# Standard Rules
$IPTABLES -P INPUT DROP

# If I disable this rule, it is working
$IPTABLES -P FORWARD DROP

$IPTABLES -P OUTPUT DROP
#
# Deny packets claiming to be to or from a /8,/16,/24 (Class A,B,C) Network ($EXT_IF)
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_C -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_C -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_A -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_A -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_B -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_B -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_C -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_C -j DROP
#
# Firewall syn/flood and port scanner protection $INT_IF
$IPTABLES -N syn-flood_INT_IF
$IPTABLES -F syn-flood_INT_IF
$IPTABLES -A INPUT -i $INT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood_INT_IF
#$IPTABLES -A INPUT -i $INT_IF -p tcp --syn -j syn-flood_INT_IF
$IPTABLES -A syn-flood_INT_IF -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood_INT_IF -j DROP
#
# Firewall syn/flood and port scanner protection $EXT_IF
$IPTABLES -N syn-flood_EXT_IF
$IPTABLES -F syn-flood_EXT_IF
$IPTABLES -A INPUT -i $EXT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood_EXT_IF
#$IPTABLES -A INPUT -i $EXT_IF -p tcp --syn -j syn-flood_EXT_IF
$IPTABLES -A syn-flood_EXT_IF -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood_EXT_IF -j DROP
#
#  Make sure NEW tcp connections are SYN packets
$IPTABLES -A INPUT -i $INT_IF -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp ! --syn -m state --state NEW -j DROP
#
# Block incoming fragments $INT_IF
$IPTABLES -A INPUT -i $INT_IF -f -j LOG --log-prefix "IPTABLES FRAGMENTS $INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -f -j DROP
#
# Block incoming fragments $EXT_IF
$IPTABLES -A INPUT -i $EXT_IF -f -j LOG --log-prefix "IPTABLES FRAGMENTS $EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -f -j DROP
#
# Drop broadcast packets
$IPTABLES -A INPUT -i $EXT_IF -d $BROADCAST -j DROP
#
# Trojan protection
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $INT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP

#
# ICQ INPUT/OUTPUT rules (I get the error message that the hostname is not found, if somebody knows why PLZ let me know)
#$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# icmp INPUT/OUTPUT rules $INT_IF. For a list of icmp types check the end of this file.
$IPTABLES -A INPUT -i $INT_IF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $INT_IF -p icmp --icmp-type 0 -j DROP
#
# icmp INPUT/OUTPUT rules $EXT_IF. For a list of icmp types check the end of this file.
$IPTABLES -A INPUT -i $EXT_IF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $EXT_IF -p icmp --icmp-type 0 -j DROP
#
# Nameserver INPUT/OUTPUT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_1 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_2 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_3 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# INPUT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TCP_SERVICES_IN_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TCP_SERVICES_IN_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT

# FORWARD
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dport $FORWARD_PORTS_1 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -m multiport --dport $FORWARD_PORTS_1 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dport $FORWARD_PORTS_2 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -m multiport --dport $FORWARD_PORTS_2 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT
$IPTABLES -A OUTPUT -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p tcp -m multiport --sport $TCP_SERVICES_IN_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -m multiport --sport $TCP_SERVICES_IN_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p tcp -m multiport --dport $TCP_SERVICES_OUT_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -m multiport --dport $TCP_SERVICES_OUT_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# POSTROUTING
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# PREROUTING


echo "Firewall STARTED"

### END ###


If I disable the $IPTABLES -P FORWARD DROP, it is working.
What will be the problem....?


0
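A worked version of the whole procedure, added here as an example; it is not taken from the thread or from the posted script. It carries the DNAT rule from the first answer through the two places the script above still does not cover: a FORWARD rule for the DNATed connection (the script only accepts NEW connections from eth0 to eth1 and accepts eth1 to eth0 only for ESTABLISHED,RELATED, so with `-P FORWARD DROP` the inbound connection to 10.0.0.2:80 is dropped by the chain policy even though the nat/PREROUTING counter keeps rising), and the source NAT a hairpin connection from the LAN needs when it uses the public address. Interface names, the LAN server and the ports are those of the thread; the public address 203.0.113.10, the 10.0.0.0/24 LAN prefix and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: publish an internal TCP service through a two-NIC iptables
# router.  Interface names, server address and ports follow the thread
# (eth1 external, eth0 internal, 10.0.0.2:80 reachable as public port 8000);
# the public address 203.0.113.10 and the LAN prefix 10.0.0.0/24 are assumed.
EXT_IF=${EXT_IF:-eth1}
INT_IF=${INT_IF:-eth0}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}   # stands in for 6x.xx.xx.xx
LAN_NET=${LAN_NET:-10.0.0.0/24}
SERVER_IP=${SERVER_IP:-10.0.0.2}
SERVER_PORT=${SERVER_PORT:-80}
PUBLIC_PORT=${PUBLIC_PORT:-8000}

# With DRY_RUN=1 the rules are printed instead of installed (no root needed).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

publish_service() {
    # 1. nat/PREROUTING: rewrite the destination of packets for the public
    #    ip:port.  No "-i", so LAN clients that use the public address are
    #    redirected too.  This only applies to routed traffic; connections
    #    made from the router itself traverse nat/OUTPUT, not PREROUTING.
    ipt -t nat -A PREROUTING -p tcp -d "$PUBLIC_IP" --dport "$PUBLIC_PORT" \
        -j DNAT --to-destination "$SERVER_IP:$SERVER_PORT"

    # 2. filter/FORWARD: the DNATed packet is a NEW connection from EXT_IF to
    #    INT_IF.  A FORWARD policy of DROP discards it unless a rule accepts
    #    it, which is why the PREROUTING counter rises while nothing answers.
    #    FORWARD sees the packet after DNAT, so match the *internal* address.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$SERVER_IP" \
        --dport "$SERVER_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # 3. Hairpin (LAN client -> public ip:port).  DNAT alone is not enough:
    #    the server would answer the client directly from 10.0.0.2:80, which
    #    the client's TCP stack discards because it expects the public ip:port.
    #    Rewriting the client source to the router's LAN address forces the
    #    reply back through the router, where conntrack undoes both NATs.
    ipt -A FORWARD -i "$INT_IF" -o "$INT_IF" -p tcp -d "$SERVER_IP" \
        --dport "$SERVER_PORT" -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN_NET" -p tcp -d "$SERVER_IP" \
        --dport "$SERVER_PORT" -j MASQUERADE
}

# Where to look when the forward does not answer: if the DNAT counter rises
# and the FORWARD policy counter rises with it, rule 2 above is missing.
show_counters() {
    iptables -t nat -L PREROUTING -v -n --line-numbers
    iptables -L FORWARD -v -n --line-numbers
}

# "sh publish.sh" prints the rules; "sh publish.sh --apply" installs them
# (as root, with net.ipv4.ip_forward=1 as in the posted script).
if [ "${1:-}" = "--apply" ]; then
    publish_service
else
    DRY_RUN=1 publish_service
fi
```

`-m conntrack --ctstate` is the current spelling of the `-m state --state` match the posted script uses; either form works with these rules. Position within INPUT has no bearing on this traffic: a forwarded packet never traverses INPUT, only PREROUTING, FORWARD and POSTROUTING, so the rule that decides its fate is the FORWARD entry, and it must be evaluated before the chain policy drops the packet.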
 
hithayathAuthor Commented:
i have tried inserting the rule at the end even then it is not working.


# Documentation
# -------------
# "Standard Settings".
# - IPTABLES="/usr/sbin/iptables"       => This defines the path where your "iptables" executable is. You can find it by using "whereis iptables"
# - INT_IF="eth0"                  => Change "eth0" to the name of your INTERNAL NIC (Network Interface Card) eg: "eth0" "eth1" "eth2"
# - BROADCAST="xx.xx.xx.xx/16"            => Change the IP to the BROADCAST address of your network. eg: "192.168.0.255/24" "192.168.1.255/24"
# - EXT_IF="eth1"                  => This is you EXTERNAL INTERFACE, if you use dial up it is "ppp0", if you use broadband it is one of your Ethernets.
# - FORWARD_PORTS_1="22,80"            => These are the ports which will be FORWARDED from your INTERNAL INTERFACE to your EXTERNAL INTERFACE (maximum 15 ports)
# - FORWARD_PORTS_2="194,443"            => Same as above, this is just here if you need more than 15 ports (To prevent error messages you should enter at least one port in here)
# - TCP_SERVICES_IN_INT_IF="6"            => Server ports you want to export to your LOCAL NETWORK. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_IN_EXT_IF="80"            => Server ports you want to export to your EXTERNAL INTERFACE (Internet). (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_OUT_INT_IF="22,80"      => If you want to access ports from the machine where you install the firewall INSIDE your network you need to specify the ports. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_OUT_EXT_IF="22,80"      => Ports you want to connect to OUTSIDE your local network from the machine where the firewall is installed. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - NAMESERVER_1="dns1"      => The IP of your EXTERNAL DNS1/NAMESERVER (you can get the IP from your ISP)
# - NAMESERVER_2="dns2"      => The IP of your EXTERNAL DNS2/NAMESERVER (you can get the IP from your ISP)
# - LOOPBACK="127.0.0.0/8"            => This is your loopback IP, don't change this unless you know what you are doing
# - CLASS_A="10.0.0.0/8"            => This will block a /8 (Class A) IP coming in through your EXTERNAL interface, because it will be spoofed.
# - CLASS_B="172.16.0.0/16"            => This will block a /16 (Class B) IP coming in through your EXTERNAL interface, because it will be spoofed.
# - CLASS_C="192.168.0.0/16"             => This will block a /24 (Class C) IP coming in through your EXTERNAL interface, because it will be spoofed.
# - XSERVER_PORTS="6000:6063"            => Most X servers listen at these ports, this will block the specified ports
# - ICQ_PORT_TCP="5190"                  => This is the default port where ICQ connects to the ICQ network
# - ICQ_PORT_UDP="4000"                  => This is the default port where ICQ connects to the ICQ network
# - TROJAN_PORTS_TCP="12345,12346"      => This will block INCOMING requests for Trojans on your Network tcp. You can add more ports (max 15 ports) or use port 6 to disable this feature.
# - TROJAN_PORTS_UDP="27444,31335"      => This will block INCOMING requests for Trojans on your Network udp. You can add more ports (max 15 ports) or use port 6 to disable this feature.
#
#
##########
# Standard Settings
IPTABLES="/sbin/iptables"
INT_IF="eth0"
BROADCAST="10.0.0.255/16"
EXT_IF="eth1"
FORWARD_PORTS_1="20,21,22,23,25,80,110,8000,1433,7001"
FORWARD_PORTS_2="194,443"
# To open port for Local network on firewall machine - ports opened below are http port, smtp port , pop3 port, ssh
TCP_SERVICES_IN_INT_IF="20,21,22,23,25,80,109,110,7001"
TCP_SERVICES_IN_EXT_IF="80,20,21,25,7001"
# To open ports in firewall machine to local network
TCP_SERVICES_OUT_INT_IF="20,21,80,25,7001"
# To open ports in firewall machine to external network
TCP_SERVICES_OUT_EXT_IF="20,21,22,25,80,7001"
NAMESERVER_1="dns1"
NAMESERVER_2="dns2"
NAMESERVER_3="dns3"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/16"
CLASS_C="192.168.0.0/16"
UP_PORTS="1024:65535"
XSERVER_PORTS="6000:6063"
ICQ_PORT_TCP="5190"
ICQ_PORT_UDP="4000"
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"
#
#
echo "Starting Firewall ....."
# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#
##########
# Flush Rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
#
#
##########
# Changing Kernel Parameters, you need CONFIG_SYSCTL defined in your kernel
#
# SYN Cookie Protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Disable response to ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

# Log spoofed packets, source routed packets, redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#
#
##########
# Rules
#
# Standard Rules
$IPTABLES -P INPUT DROP

# if I disable this rule, it is working
$IPTABLES -P FORWARD DROP

$IPTABLES -P OUTPUT DROP
#
# Deny packets claiming to be to or from a /8,/16,/24 (Class A,B,C) Network ($EXT_IF)
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_C -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_C -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_A -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_A -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_B -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_B -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_C -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_C -j DROP
#
# Firewall syn/flood and port scanner protection $INT_IF
$IPTABLES -N syn-flood_INT_IF
$IPTABLES -F syn-flood_INT_IF
$IPTABLES -A INPUT -i $INT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood_INT_IF
#$IPTABLES -A INPUT -i $INT_IF -p tcp --syn -j syn-flood_INT_IF
$IPTABLES -A syn-flood_INT_IF -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood_INT_IF -j DROP
#
# Firewall syn/flood and port scanner protection $EXT_IF
$IPTABLES -N syn-flood_EXT_IF
$IPTABLES -F syn-flood_EXT_IF
$IPTABLES -A INPUT -i $EXT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood_EXT_IF
#$IPTABLES -A INPUT -i $EXT_IF -p tcp --syn -j syn-flood_EXT_IF
$IPTABLES -A syn-flood_EXT_IF -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood_EXT_IF -j DROP
#
#  Make sure NEW tcp connections are SYN packets
$IPTABLES -A INPUT -i $INT_IF -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp ! --syn -m state --state NEW -j DROP
#
# Block incoming fragments $INT_IF
$IPTABLES -A INPUT -i $INT_IF -f -j LOG --log-prefix "IPTABLES FRAGMENTS $INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -f -j DROP
#
# Block incoming fragments $EXT_IF
$IPTABLES -A INPUT -i $EXT_IF -f -j LOG --log-prefix "IPTABLES FRAGMENTS $EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -f -j DROP
#
# Drop broadcast packets
$IPTABLES -A INPUT -i $EXT_IF -d $BROADCAST -j DROP
#
# Trojan protection
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $INT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP

#
# ICQ INPUT/OUTPUT rules (I get the error message that the hostname is not found, if somebody knows why PLZ let me know)
#$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# icmp INPUT/OUTPUT rules $INT_IF. For a list of icmp types check the end of this file.
$IPTABLES -A INPUT -i $INT_IF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $INT_IF -p icmp --icmp-type 0 -j DROP
#
# icmp INPUT/OUTPUT rules $EXT_IF. For a list of icmp types check the end of this file.
$IPTABLES -A INPUT -i $EXT_IF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $EXT_IF -p icmp --icmp-type 0 -j DROP
#
# Nameserver INPUT/OUTPUT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_1 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_2 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_3 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# INPUT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TCP_SERVICES_IN_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TCP_SERVICES_IN_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT

# FORWARD
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dport $FORWARD_PORTS_1 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -m multiport --dport $FORWARD_PORTS_1 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dport $FORWARD_PORTS_2 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -m multiport --dport $FORWARD_PORTS_2 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT
$IPTABLES -A OUTPUT -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p tcp -m multiport --sport $TCP_SERVICES_IN_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -m multiport --sport $TCP_SERVICES_IN_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p tcp -m multiport --dport $TCP_SERVICES_OUT_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -m multiport --dport $TCP_SERVICES_OUT_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# POSTROUTING
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# PREROUTING
$IPTABLES -I PREROUTING -t nat -p tcp -d 6x.xx.xx.xx --dport 7001 -j DNAT --to-destination 10.0.0.2:7001


echo "Firewall STARTED"

### END ###


If I disable the $IPTABLES -P FORWARD DROP, it is working.
What will be the problem?


0
 
Gabriel OrozcoSolution ArchitectCommented:
add also
$IPTABLES -I FORWARD -d 10.0.0.2 -j ACCEPT

and check.
0
 
hithayathAuthor Commented:
I have identified that the problem is with the FORWARD chain. If I disable IPTABLES -P FORWARD DROP at the initial lines (accepting all forwarding) or add a new rule to my existing rules, iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT (accepting all forwarding), it is working. But I don't want to forward everything from eth1 to eth0. I wish to forward only a specific port. What rule will be more efficient?


0
 
Gabriel OrozcoSolution ArchitectCommented:
it's because of that, I told you to add a rule only to one IP.

let's make it a mix:

$IPTABLES -A FORWARD -i eth1 -o eth0 -d 10.0.0.2/32 -j ACCEPT


Ok. I hope you are satisfied enough with the help :-)


Regards
0
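Why the posted script needed the extra rule: with the policy set to FORWARD DROP, the only rule in that chain for traffic entering on eth1 and leaving on eth0 is the ESTABLISHED,RELATED accept near the end, so the DNATed SYN for 10.0.0.2:7001 (a NEW connection) matches nothing and is dropped by the policy. Accepting everything from eth1 to eth0 fixes that but also exposes every LAN host. The helper below is an added example, not code posted by either participant; it emits the three rules that publish exactly one TCP service behind a FORWARD DROP policy, in the style of the script above. Interface names eth1/eth0 and the host 10.0.0.2:7001 are the ones from the thread; the public address 203.0.113.10 used in the preview is a placeholder you replace with your own. Setting IPTABLES=echo prints the rules instead of applying them, which is how you can review the result before loading it on the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): publish one LAN TCP service through a
# DNAT + scoped FORWARD rule set, instead of accepting all eth1 -> eth0 traffic.
# Set IPTABLES=echo to preview the rules without touching the firewall.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# publish_tcp_service EXT_IF INT_IF PUBLIC_IP PUBLIC_PORT LAN_IP LAN_PORT
publish_tcp_service() {
    ext_if=$1; int_if=$2; pub_ip=$3; pub_port=$4; lan_ip=$5; lan_port=$6

    # 1. Rewrite the destination of packets arriving on the external interface
    #    for PUBLIC_IP:PUBLIC_PORT to LAN_IP:LAN_PORT. The -i match keeps the
    #    rewrite from applying to packets that enter on the LAN side.
    "$IPTABLES" -t nat -A PREROUTING -i "$ext_if" -p tcp \
        -d "$pub_ip" --dport "$pub_port" \
        -j DNAT --to-destination "$lan_ip:$lan_port"

    # 2. After DNAT the packet still traverses FORWARD, whose policy is DROP.
    #    Accept only NEW connections to this one host and port (and the
    #    ESTABLISHED/RELATED packets of those connections), nothing else.
    "$IPTABLES" -A FORWARD -i "$ext_if" -o "$int_if" -p tcp \
        -d "$lan_ip" --dport "$lan_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. Replies from the LAN host back towards the external client.
    "$IPTABLES" -A FORWARD -i "$int_if" -o "$ext_if" -p tcp \
        -s "$lan_ip" --sport "$lan_port" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Preview only (placeholder public IP 203.0.113.10, not a real address):
#   IPTABLES=echo sh publish.sh --preview
if [ "${1:-}" = "--preview" ]; then
    publish_tcp_service eth1 eth0 203.0.113.10 7001 10.0.0.2 7001
fi
```

Call publish_tcp_service once per service you want to expose, after the script's FORWARD policy and flush but before the MASQUERADE rule, and the remaining LAN hosts stay unreachable from the Internet because nothing else in FORWARD accepts NEW connections from eth1 to eth0.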
