Solved

hosting more server

Posted on 2003-03-18
16
Medium Priority
307 Views
Last Modified: 2010-03-18
Linux server with two NICs. The 1st NIC is assigned a public IP and connected to an ADSL router, which in turn is connected to the DSL line. The 2nd NIC, with a private IP, is connected to the local LAN.

A domain name is registered and assigned to the 1st NIC's IP. It is acting as web server and FTP server.

Now we wish to make one local server in the LAN, with a private IP, available to the public / external network.

We wish to connect to this server from outside. It is an Oracle Apps server.

How can we do that?

Will NAT or DNAT help me do that?
0
Question by:hithayath
16 Comments
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8169036
provided you are not using the same ports:

iptables -I PREROUTING -t nat -i externalinterface -p tcp -d ex.ter.nal.ip --dport externalport -j DNAT --to-destination in.ter.nal.ip:internalport
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8169366
sorry: I forgot to mention you need to open the external port in the firewall :)
0
 

Author Comment

by:hithayath
ID: 8172907
Thanks for the information. I have added it, but still nothing seems to satisfy my requirement.

Actually, what I have done is:

I am having a Linux box holding two NICs:

1st NIC - eth1 - having public IP 6x.xx.xx.xx - connected with the DSL router

2nd NIC - eth0 - having private IP 10.0.0.1 - connected to the LAN

3. It is acting as a router, so my LAN PCs are able to browse the internet through this Linux box.

4. I am having a registered domain mybox.com assigned to the above public IP 6x.xx.xx.xx, so when I hit www.mybox.com it is coming to my box.

5. Now I am having a Solaris box with 10.0.0.2 in my LAN.
My external users, available outside my location, wish to connect to this box via the internet. As I am not having any other public IP, is it possible to host this PC?

So I have tried your NATing rule:
iptables -I PREROUTING -t nat -i eth1 -p tcp -d 6x.xx.xx.xx --dport 8000 -j DNAT --to-destination 10.0.0.2

It is not bringing any result.

I have tried http://mybox.com:8000 - no page display.

Is this the correct way, or is any other way available for this?



0

Author Comment

by:hithayath
ID: 8172923
Thanks for the information. I have added it, but still nothing seems to satisfy my requirement.

Actually, what I have done is:

I am having a Linux box holding two NICs:

1st NIC - eth1 - having public IP 6x.xx.xx.xx - connected with the DSL router

2nd NIC - eth0 - having private IP 10.0.0.1 - connected to the LAN

3. It is acting as a router, so my LAN PCs are able to browse the internet through this Linux box.

4. I am having a registered domain mybox.com assigned to the above public IP 6x.xx.xx.xx, so when I hit www.mybox.com it is coming to my box.

5. Now I am having a Solaris box with 10.0.0.2 in my LAN.
My external users, available outside my location, wish to connect to this box via the internet. As I am not having any other public IP, is it possible to host this PC?

So I have tried your NATing rule:
iptables -I PREROUTING -t nat -i eth1 -p tcp -d 6x.xx.xx.xx --dport 8000 -j DNAT --to-destination 10.0.0.2:8000

It is not bringing any result.

I have tried http://mybox.com:8000 - no page display.

Is this the correct way, or is any other way available for this?



0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8174848
change the rule like this:

iptables -I PREROUTING -t nat -i eth1 -p tcp -d 6x.xx.xx.xx --dport 8000 -j DNAT --to-destination 10.0.0.2:80


(you forgot to tell the port to your firewall :)

if still it's not working, then post here the output of
iptables -L -v --table nat

and of
iptables -L -v
0
 

Author Comment

by:hithayath
ID: 8194249
For testing purposes I have disabled all my iptables rules (firewall - iptables running on the same server) except the one NAT rule.

Outputs as follows after enabling the NAT rule:

[root@myhost root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@myhost root]# iptables -L -v --table nat
Chain PREROUTING (policy ACCEPT 465 packets, 42560 bytes)
pkts bytes target     prot opt in     out     source               destination

   0     0 DNAT       tcp  --  eth1   any     anywhere             myhost         tcp dpt:8000 to:10.0.0.2:80

Chain POSTROUTING (policy ACCEPT 304 packets, 18598 bytes)
pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 15 packets, 1026 bytes)
pkts bytes target     prot opt in     out     source               destination



[root@myhost root]# iptables -L -v
Chain INPUT (policy ACCEPT 831 packets, 184K bytes)
pkts bytes target     prot opt in     out     source               destination


Chain FORWARD (policy ACCEPT 3650 packets, 429K bytes)
pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 358 packets, 26680 bytes)
pkts bytes target     prot opt in     out     source               destination


I have tried like this after setting the rule:

In the browser, http://6x.xx.xx.xx:8000 gives "no page display",

but I am able to get to http://10.0.0.2:80.

What will be the problem? Let me know.

Have I understood the NATing correctly or not???

Expecting your reply.
0
 
LVL 19

Accepted Solution

by:
Gabriel Orozco earned 150 total points
ID: 8199164
yeap. your problem is that you are trying to access the external ip:port from inside, while the rule is in effect for outside only.

if you want it to work from inside also, then add this rule:

iptables -I PREROUTING -t nat -i eth0 -p tcp -d 6x.xx.xx.xx --dport 8000 -j DNAT --to-destination 10.0.0.2:80

please note I have changed the eth1 to eth0

this and the other rule can be reduced to this:

iptables -I PREROUTING -t nat -p tcp -d 6x.xx.xx.xx --dport 8000 -j DNAT --to-destination 10.0.0.2:80

so, please just delete the "-i eth1" from the rule you already have, and try again :)
0
 

Author Comment

by:hithayath
ID: 8200355
Yes, I am trying from inside only. Only now have I noticed the defect. Thanks a lot for the information.
Now it is working fine.
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8206708
why a B?
0
 

Author Comment

by:hithayath
ID: 8209607
Hi,
  I have enabled my other firewall rules as below; after that my NAT rule is not working.

iptables -L -v

[root@test]# iptables -L -v
Chain INPUT (policy DROP 124 packets, 14739 bytes)
pkts bytes target     prot opt in     out     source               destination

   0     0 DROP       all  --  eth1   any     anywhere             192.168.0.0/16    
   0     0 syn-flood_INT_IF  tcp  --  eth0   any     anywhere             anywhere
   tcp flags:FIN,SYN,RST,ACK/RST
   0     0 syn-flood_EXT_IF  tcp  --  eth1   any     anywhere             anywhere
   tcp flags:FIN,SYN,RST,ACK/RST
   0     0 DROP       tcp  --  eth0   any     anywhere             anywhere
      tcp flags:!SYN,RST,ACK/SYN state NEW
   9   360 DROP       tcp  --  eth1   any     anywhere             anywhere
      tcp flags:!SYN,RST,ACK/SYN state NEW
   0     0 LOG        all  -f  eth0   any     anywhere             anywhere
      LOG level warning prefix `IPTABLES FRAGMENTS eth0: '
   0     0 DROP       all  -f  eth0   any     anywhere             anywhere

   0     0 LOG        all  -f  eth1   any     anywhere             anywhere
      LOG level warning prefix `IPTABLES FRAGMENTS eth1: '
   0     0 DROP       all  -f  eth1   any     anywhere             anywhere

   0     0 DROP       all  --  eth1   any     anywhere             172.16.0.0/16
   0     0 LOG        tcp  --  eth0   any     anywhere             anywhere
      multiport dports 12345,12346,ingreslock,27665,31337 LOG level warning prefix
      `IPTABLES Trojan INT_IF: '
   0     0 LOG        udp  --  eth0   any     anywhere             anywhere
      multiport dports 12345,12346,27444,31335,31337 LOG level warning prefix
      `IPTABLES Trojan INT_IF: '
   0     0 DROP       tcp  --  eth0   any     anywhere             anywhere
      multiport dports 12345,12346,ingreslock,27665,31337
   0     0 DROP       udp  --  eth0   any     anywhere             anywhere
      multiport dports 12345,12346,27444,31335,31337
   0     0 LOG        tcp  --  eth1   any     anywhere             anywhere
      multiport dports 12345,12346,ingreslock,27665,31337 LOG level warning prefix
      `IPTABLES Trojan EXT_IF: '
   0     0 LOG        udp  --  eth1   any     anywhere             anywhere
      multiport dports 12345,12346,27444,31335,31337 LOG level warning prefix `IPTABLES Trojan EXT_IF: '
   0     0 DROP       tcp  --  eth1   any     anywhere             anywhere
      multiport dports 12345,12346,ingreslock,27665,31337
   0     0 DROP       udp  --  eth1   any     anywhere             anywhere
      multiport dports 12345,12346,27444,31335,31337
   0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere
      state RELATED,ESTABLISHED
   0     0 ACCEPT     icmp --  eth1   any     anywhere             anywhere
      state RELATED,ESTABLISHED
  40  6274 ACCEPT     udp  --  eth1   any     nameserver1      anywhere
      state ESTABLISHED
   0     0 ACCEPT     udp  --  eth1   any     nameserver2         anywhere
      state ESTABLISHED
   1   148 ACCEPT     udp  --  eth1   any     nameserver3  anywhere
          state ESTABLISHED
 230  9516 ACCEPT     all  --  any    any     anywhere             anywhere
      state RELATED,ESTABLISHED
   0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
      state NEW,RELATED,ESTABLISHED
   1    44 ACCEPT     tcp  --  eth0   any     anywhere             anywhere
      multiport dports ftp-data,ftp,ssh,telnet,smtp,http,pop2,pop3 state NEW,ESTABLISHED
   1    44 ACCEPT     tcp  --  eth1   any     anywhere             anywhere
      multiport dports http,ftp-data,ftp,smtp state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere
      tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED

Chain FORWARD (policy DROP 121 packets, 18415 bytes)
pkts bytes target     prot opt in     out     source               destination

   0     0 ACCEPT     icmp --  eth0   eth1    anywhere             anywhere
      state NEW,ESTABLISHED
 126  8199 ACCEPT     udp  --  eth0   eth1    anywhere             nameserver1
 udp dpt:domain state NEW,ESTABLISHED
  55  3794 ACCEPT     udp  --  eth0   eth1    anywhere             nameserver2
      udp dpt:domain state NEW,ESTABLISHED
  15   928 ACCEPT     udp  --  eth0   eth1    anywhere             nameserver3
  udp dpt:domain state NEW,ESTABLISHED
4155  417K ACCEPT     tcp  --  eth0   eth1    anywhere             anywhere
      multiport dports ftp-data,ftp,ssh,telnet,smtp,http,pop3,8000,ms-sql-s state NEW,ESTABLISHED
   0     0 ACCEPT     udp  --  eth0   eth1    anywhere             anywhere
      multiport dports ftp-data,ftp,ssh,telnet,smtp,http,pop3,8000,ms-sql-s state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  eth0   eth1    anywhere             anywhere
      multiport dports irc,https state NEW,ESTABLISHED
   0     0 ACCEPT     udp  --  eth0   eth1    anywhere             anywhere
      multiport dports irc,https state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  eth0   eth1    anywhere             anywhere
      tcp dpt:ftp-data state ESTABLISHED
   0     0 ACCEPT     tcp  --  eth0   eth1    anywhere             anywhere
      tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
4348 3959K ACCEPT     all  --  eth1   eth0    anywhere             anywhere
      state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

   0     0 DROP       all  --  any    eth1    10.0.0.0/8           anywhere

   0     0 DROP       all  --  any    eth1    anywhere             10.0.0.0/8

   0     0 DROP       all  --  any    eth1    172.16.0.0/16        anywhere

   0     0 DROP       all  --  any    eth1    anywhere             172.16.0.0/16

   0     0 DROP       all  --  any    eth1    192.168.0.0/16       anywhere

   0     0 DROP       all  --  any    eth1    anywhere             192.168.0.0/16
   0     0 ACCEPT     icmp --  any    eth0    anywhere             anywhere
      state NEW,RELATED,ESTABLISHED
   1   186 ACCEPT     icmp --  any    eth1    anywhere             anywhere
      state NEW,RELATED,ESTABLISHED
  41  2905 ACCEPT     udp  --  any    eth1    anywhere             nameserver1
       udp dpt:domain state NEW,ESTABLISHED
   1    71 ACCEPT     udp  --  any    eth1    anywhere             nameserver2
      udp dpt:domain state NEW,ESTABLISHED
   1    71 ACCEPT     udp  --  any    eth1    anywhere             nameserver3
   udp dpt:domain state NEW,ESTABLISHED
   5   977 ACCEPT     all  --  any    eth1    anywhere             anywhere
      state RELATED,ESTABLISHED
   0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
      state NEW,RELATED,ESTABLISHED
 183 12085 ACCEPT     tcp  --  any    eth0    anywhere             anywhere
      multiport sports ftp-data,ftp,ssh,telnet,smtp,http,pop2,pop3 state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere
      multiport sports http,ftp-data,ftp,smtp state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere
      multiport dports ftp-data,ftp,http,smtp state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere
      multiport dports ftp-data,ftp,ssh,smtp,http state NEW,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere
      tcp dpt:ftp-data state NEW,RELATED,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere
      tcp dpt:ftp state NEW,RELATED,ESTABLISHED
   0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere
      tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED

Chain syn-flood_EXT_IF (1 references)
pkts bytes target     prot opt in     out     source               destination

   0     0 RETURN     all  --  any    any     anywhere             anywhere
      limit: avg 1/sec burst 4
   0     0 DROP       all  --  any    any     anywhere             anywhere


Chain syn-flood_INT_IF (1 references)
pkts bytes target     prot opt in     out     source               destination

   0     0 RETURN     all  --  any    any     anywhere             anywhere
      limit: avg 1/sec burst 4
   0     0 DROP       all  --  any    any     anywhere             anywhere


If I remove all other rules, enabling only my previous NAT rule, it is working fine.

What will be the problem?

I am getting hits in iptables -L -v -t nat
under that PREROUTING rule.

Any idea about NATing an Oracle Apps server? I am able to do NATing for WebLogic, JBoss and IIS servers lying on the LAN, but not for Oracle Apps.

0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8211069
for a B...

but ok.

add the rule *at the end* not in the middle or in the beginning.

as it is an insert, if you insert the last, it will be the first rule and nothing will block it.
0
 

Author Comment

by:hithayath
ID: 8217202
I have tried inserting the rule at the end; even then it is not working.


# Documentation
# -------------
# "Standard Settings".
# - IPTABLES="/usr/sbin/iptables"       => This defines the path where your "iptables" executable is. You can find it by using "whereis iptables"
# - INT_IF="eth0"                  => Change "eth0" to the name of your INTERNAL NIC (Network Interface Card) eg: "eth0" "eth1" "eth2"
# - BROADCAST="xx.xx.xx.xx/16"            => Change the IP to the BROADCAST address of your network. eg: "192.168.0.255/24" "192.168.1.255/24"
# - EXT_IF="eth1"                  => This is you EXTERNAL INTERFACE, if you use dial up it is "ppp0", if you use broadband it is one of your Ethernets.
# - FORWARD_PORTS_1="22,80"            => These are the ports which will be FORWARDED from your INTERNAL INTERFACE to your EXTERNAL INTERFACE (maximum 15 ports)
# - FORWARD_PORTS_2="194,443"            => Same as above, this is just here if you need more than 15 ports (To prevent error messages you should enter at least one port in here)
# - TCP_SERVICES_IN_INT_IF="6"            => Server ports you want to export to your LOCAL NETWORK. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_IN_EXT_IF="80"            => Server ports you want to export to your EXTERNAL INTERFACE (Internet). (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_OUT_INT_IF="22,80"      => If you want to access ports from the machine where you install the firewall INSIDE your network you need to specify the ports. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_OUT_EXT_IF="22,80"      => Ports you want to connect to OUTSIDE your local network from the machine where the firewall is installed. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - NAMESERVER_1="dns1"      => The IP of your EXTERNAL DNS1/NAMESERVER (you can get the IP from your ISP)
# - NAMESERVER_2="dns2"      => The IP of your EXTERNAL DNS2/NAMESERVER (you can get the IP from your ISP)
# - LOOPBACK="127.0.0.0/8"            => This is your loopback IP, don't change this unless you know what you are doing
# - CLASS_A="10.0.0.0/8"            => This will block a /8 (Class A) IP coming in through your EXTERNAL interface, because it will be spoofed.
# - CLASS_B="172.16.0.0/16"            => This will block a /16 (Class B) IP coming in through your EXTERNAL interface, because it will be spoofed.
# - CLASS_C="192.168.0.0/16"             => This will block a /24 (Class C) IP coming in through your EXTERNAL interface, because it will be spoofed.
# - XSERVER_PORTS="6000:6063"            => Most X servers listen at these ports, this will block the specified ports
# - ICQ_PORT_TCP="5190"                  => This is the default port where ICQ connects to the ICQ network
# - ICQ_PORT_UDP="4000"                  => This is the default port where ICQ connects to the ICQ network
# - TROJAN_PORTS_TCP="12345,12346"      => This will block INCOMING requests for Trojans on your Network tcp. You can add more ports (max 15 ports) or use port 6 to disable this feature.
# - TROJAN_PORTS_UDP="27444,31335"      => This will block INCOMING requests for Trojans on your Network udp. You can add more ports (max 15 ports) or use port 6 to disable this feature.
#
#
##########
# Standard Settings
IPTABLES="/sbin/iptables"
INT_IF="eth0"
BROADCAST="10.0.0.255/16"
EXT_IF="eth1"
FORWARD_PORTS_1="20,21,22,23,25,80,110,8000,1433,7001"
FORWARD_PORTS_2="194,443"
# To open port for Local network on firewall machine - ports opened below are http port, smtp port , pop3 port, ssh
TCP_SERVICES_IN_INT_IF="20,21,22,23,25,80,109,110,7001"
TCP_SERVICES_IN_EXT_IF="80,20,21,25,7001"
# To open ports in firewall machine to local network
TCP_SERVICES_OUT_INT_IF="20,21,80,25,7001"
# To open ports in firewall machine to external network
TCP_SERVICES_OUT_EXT_IF="20,21,22,25,80,7001"
NAMESERVER_1="dns1"
NAMESERVER_2="dns2"
NAMESERVER_3="dns3"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/16"
CLASS_C="192.168.0.0/16"
UP_PORTS="1024:65535"
XSERVER_PORTS="6000:6063"
ICQ_PORT_TCP="5190"
ICQ_PORT_UDP="4000"
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"
#
#
echo "Starting Firewall ....."
# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#
##########
# Flush Rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
#
#
##########
# Changing Kernel Parameters, you need CONFIG_SYSCTL defined in your kernel
#
# SYN Cookie Protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Disable response to ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

# Log spoofed packets, source routed packets, redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#
#
##########
# Rules
#
# Standard Rules
$IPTABLES -P INPUT DROP

# if I disable this rule, it is working
$IPTABLES -P FORWARD DROP

$IPTABLES -P OUTPUT DROP
#
# Deny packets claiming to be to or from a /8,/16,/24 (Class A,B,C) Network ($EXT_IF)
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_C -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_C -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_A -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_A -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_B -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_B -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_C -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_C -j DROP
#
# Firewall syn/flood and port scanner protection $INT_IF
$IPTABLES -N syn-flood_INT_IF
$IPTABLES -F syn-flood_INT_IF
$IPTABLES -A INPUT -i $INT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood_INT_IF
#$IPTABLES -A INPUT -i $INT_IF -p tcp --syn -j syn-flood_INT_IF
$IPTABLES -A syn-flood_INT_IF -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood_INT_IF -j DROP
#
# Firewall syn/flood and port scanner protection $EXT_IF
$IPTABLES -N syn-flood_EXT_IF
$IPTABLES -F syn-flood_EXT_IF
$IPTABLES -A INPUT -i $EXT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood_EXT_IF
#$IPTABLES -A INPUT -i $EXT_IF -p tcp --syn -j syn-flood_EXT_IF
$IPTABLES -A syn-flood_EXT_IF -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood_EXT_IF -j DROP
#
#  Make sure NEW tcp connections are SYN packets
$IPTABLES -A INPUT -i $INT_IF -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp ! --syn -m state --state NEW -j DROP
#
# Block incoming fragments $INT_IF
$IPTABLES -A INPUT -i $INT_IF -f -j LOG --log-prefix "IPTABLES FRAGMENTS $INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -f -j DROP
#
# Block incoming fragments $EXT_IF
$IPTABLES -A INPUT -i $EXT_IF -f -j LOG --log-prefix "IPTABLES FRAGMENTS $EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -f -j DROP
#
# Drop broadcast packets
$IPTABLES -A INPUT -i $EXT_IF -d $BROADCAST -j DROP
#
# Trojan protection
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $INT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP

#
# ICQ INPUT/OUTPUT rules (I get the error message that the hostname is not found, if somebody knows why PLZ let me know)
#$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# icmp INPUT/OUTPUT rules $INT_IF. For a list of icmp types check the end of this file.
$IPTABLES -A INPUT -i $INT_IF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $INT_IF -p icmp --icmp-type 0 -j DROP
#
# icmp INPUT/OUTPUT rules $EXT_IF. For a list of icmp types check the end of this file.
$IPTABLES -A INPUT -i $EXT_IF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $EXT_IF -p icmp --icmp-type 0 -j DROP
#
# Nameserver INPUT/OUTPUT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_1 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_2 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_3 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# INPUT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TCP_SERVICES_IN_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TCP_SERVICES_IN_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT

# FORWARD
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dport $FORWARD_PORTS_1 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -m multiport --dport $FORWARD_PORTS_1 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dport $FORWARD_PORTS_2 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -m multiport --dport $FORWARD_PORTS_2 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT
$IPTABLES -A OUTPUT -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p tcp -m multiport --sport $TCP_SERVICES_IN_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -m multiport --sport $TCP_SERVICES_IN_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p tcp -m multiport --dport $TCP_SERVICES_OUT_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -m multiport --dport $TCP_SERVICES_OUT_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# POSTROUTING
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# PREROUTING


echo "Firewall STARTED"

### END ###


If I disable the $IPTABLES -P FORWARD DROP, it is working.
What will be the problem....?


0
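The script above sets the FORWARD policy to DROP, and none of its FORWARD rules match the connection once PREROUTING has rewritten it to 10.0.0.2:80 (all of them look at eth0-to-eth1 traffic or at ESTABLISHED,RELATED only), so the DNAT'd SYN is dropped by the policy; that is why removing the policy line makes the NAT work. The shell function below is an added example, not code from the thread or from the author's script: it installs the nat rule together with the two filter rules a published service needs, using the thread's interfaces and 10.0.0.2:80, with 203.0.113.10 as a constructed placeholder for the public address and IPTABLES=echo for a dry run.

```shell
#!/bin/sh
# Added example (not part of the thread). Publishes one internal TCP service
# through a DNAT on the external interface AND admits it through a FORWARD
# chain whose policy is DROP. The filter chain sees the packet *after* DNAT,
# so the FORWARD match must use the internal address and port.
#
# Dry run (prints the commands instead of running them):
#   IPTABLES=echo ./publish.sh
IPTABLES="${IPTABLES:-/sbin/iptables}"

# publish_service EXT_IF INT_IF PUBLIC_IP EXT_PORT INT_IP INT_PORT
publish_service() {
    ext_if=$1 int_if=$2 pub_ip=$3 ext_port=$4 int_ip=$5 int_port=$6

    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    #    -A (append) keeps the order predictable when the script is re-run.
    "$IPTABLES" -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$pub_ip" \
        --dport "$ext_port" -j DNAT --to-destination "$int_ip:$int_port"

    # 2. filter/FORWARD, client -> server: matches the REWRITTEN packet.
    #    Without this rule "-P FORWARD DROP" silently discards the SYN even
    #    though the DNAT counter in "iptables -t nat -L -v" keeps increasing.
    "$IPTABLES" -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$int_ip" \
        --dport "$int_port" -m state --state NEW,ESTABLISHED -j ACCEPT

    # 3. filter/FORWARD, server -> client: replies leave int_if with source
    #    port int_port. Scoped to the published host so the rest of the LAN
    #    is not opened up towards the internet.
    "$IPTABLES" -A FORWARD -i "$int_if" -o "$ext_if" -p tcp -s "$int_ip" \
        --sport "$int_port" -m state --state ESTABLISHED -j ACCEPT
}

# Values follow the thread: eth1 public, eth0 LAN, Oracle Apps on 10.0.0.2:80
# reached as PUBLIC_IP:8000. 203.0.113.10 is a constructed placeholder.
publish_service eth1 eth0 203.0.113.10 8000 10.0.0.2 80
```

When LAN clients also use the public address (the accepted solution's rule without -i), the server's replies go straight back to the client on the LAN instead of through the firewall, so that case additionally needs a POSTROUTING SNAT/MASQUERADE on the LAN interface and a matching eth0-to-eth0 FORWARD rule.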
 

Author Comment

by:hithayath
ID: 8217206
i have tried inserting the rule at the end even then it is not working.


# Documentation
# -------------
# "Standard Settings".
# - IPTABLES="/usr/sbin/iptables"       => This defines the path where your "iptables" executable is. You can find it by using "whereis iptables"
# - INT_IF="eth0"                       => Change "eth0" to the name of your INTERNAL NIC (Network Interface Card) eg: "eth0" "eth1" "eth2"
# - BROADCAST="xx.xx.xx.xx/32"          => Change the IP to the BROADCAST address of your LAN, as a single host (/32). eg: "192.168.0.255/32" "192.168.1.255/32"
#                                          (a /24 or /16 mask here would match the whole network instead of the broadcast address)
# - EXT_IF="eth1"                       => This is your EXTERNAL INTERFACE, if you use dial up it is "ppp0", if you use broadband it is one of your Ethernets.
# - FORWARD_PORTS_1="22,80"             => Destination ports that hosts on your LAN may reach on the Internet, i.e. FORWARDED from your INTERNAL INTERFACE to your EXTERNAL INTERFACE (maximum 15 ports per multiport match)
# - FORWARD_PORTS_2="194,443"           => Same as above, this is just here if you need more than 15 ports (To prevent error messages you should enter at least one port in here)
# - TCP_SERVICES_IN_INT_IF="6"          => Server ports on the firewall machine itself you want to export to your LOCAL NETWORK. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_IN_EXT_IF="80"         => Server ports on the firewall machine itself you want to export to your EXTERNAL INTERFACE (Internet). (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_OUT_INT_IF="22,80"     => Ports the firewall machine itself is allowed to connect to INSIDE your network. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_OUT_EXT_IF="22,80"     => Ports the firewall machine itself is allowed to connect to OUTSIDE your local network. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - NAMESERVER_1="dns1"                 => The IP of your EXTERNAL DNS1/NAMESERVER (you can get the IP from your ISP)
# - NAMESERVER_2="dns2"                 => The IP of your EXTERNAL DNS2/NAMESERVER (you can get the IP from your ISP)
# - NAMESERVER_3="dns3"                 => The IP of a third EXTERNAL NAMESERVER, if your ISP gives you one
# - LOOPBACK="127.0.0.0/8"              => This is your loopback IP, don't change this unless you know what you are doing
# - CLASS_A="10.0.0.0/8"                => RFC 1918 private range 10/8. Packets with such a source or destination on your EXTERNAL interface are spoofed and get dropped.
# - CLASS_B="172.16.0.0/12"             => RFC 1918 private range 172.16/12 (172.16.0.0 - 172.31.255.255), same treatment. A /16 here would leave 172.17 - 172.31 unfiltered.
# - CLASS_C="192.168.0.0/16"            => RFC 1918 private range 192.168/16 (every 192.168.x.x network), same treatment.
# - UP_PORTS="1024:65535"               => The unprivileged port range, used by the rules that accept replies on high ports
# - XSERVER_PORTS="6000:6063"           => Most X servers listen at these ports, this will block the specified ports
# - ICQ_PORT_TCP="5190"                 => This is the default port where ICQ connects to the ICQ network
# - ICQ_PORT_UDP="4000"                 => This is the default port where ICQ connects to the ICQ network
# - TROJAN_PORTS_TCP="12345,12346"      => This will block INCOMING requests for Trojans on your Network tcp. You can add more ports (max 15 ports) or use port 6 to disable this feature.
# - TROJAN_PORTS_UDP="27444,31335"      => This will block INCOMING requests for Trojans on your Network udp. You can add more ports (max 15 ports) or use port 6 to disable this feature.
#
#
##########
# Standard Settings
IPTABLES="/sbin/iptables"
INT_IF="eth0"
EXT_IF="eth1"
# Broadcast address of the LAN behind $INT_IF, as a single host. "10.0.0.255/16" is masked
# by iptables to 10.0.0.0/16 and would match the whole LAN rather than the broadcast address.
BROADCAST="10.0.0.255/32"
# Destination ports that LAN hosts may reach on the Internet through this box
FORWARD_PORTS_1="20,21,22,23,25,80,110,8000,1433,7001"
FORWARD_PORTS_2="194,443"
# Ports the firewall machine itself serves to the local network (ftp, ssh, telnet, smtp, http, pop, 7001)
TCP_SERVICES_IN_INT_IF="20,21,22,23,25,80,109,110,7001"
# Ports the firewall machine itself serves to the Internet
TCP_SERVICES_IN_EXT_IF="80,20,21,25,7001"
# Ports the firewall machine itself may connect to on the local network
TCP_SERVICES_OUT_INT_IF="20,21,80,25,7001"
# Ports the firewall machine itself may connect to on the Internet
TCP_SERVICES_OUT_EXT_IF="20,21,22,25,80,7001"
NAMESERVER_1="dns1"
NAMESERVER_2="dns2"
NAMESERVER_3="dns3"
LOOPBACK="127.0.0.0/8"
# RFC 1918 private ranges; they must never appear as source or destination on $EXT_IF
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
# Unprivileged port range, used by the high-port reply rules below
UP_PORTS="1024:65535"
XSERVER_PORTS="6000:6063"
ICQ_PORT_TCP="5190"
ICQ_PORT_UDP="4000"
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"
#
#
echo "Starting Firewall ....."
# Load appropriate modules. ip_conntrack_ftp tracks the FTP data connection so that the
# RELATED rules below can match it; ip_nat_ftp is its NAT counterpart and is needed because
# LAN clients behind the MASQUERADE rule also use FTP (20/21 are in FORWARD_PORTS_1).
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#
##########
# Flush Rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
#
#
##########
# Changing Kernel Parameters, you need CONFIG_SYSCTL defined in your kernel
#
# SYN Cookie Protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Disable response to ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Don't send ICMP redirects (this box is the only router the LAN should learn routes from)
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

# Log spoofed packets, source routed packets, redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#
#
##########
# Rules
#
# Standard Rules: default policy DROP on all three chains, so only traffic that
# matches an ACCEPT rule below gets through
$IPTABLES -P INPUT DROP

# if I disable this rule, it is working
$IPTABLES -P FORWARD DROP

$IPTABLES -P OUTPUT DROP
#
# Deny packets on $EXT_IF claiming to be to or from an RFC 1918 private range ($CLASS_A, $CLASS_B, $CLASS_C); on the Internet side these are spoofed
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_C -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_C -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_A -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_A -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_B -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_B -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_C -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_C -j DROP
#
# Firewall syn/flood and port scanner protection $INT_IF
# Note: the active rule matches packets that have RST set and none of SYN/ACK/FIN
# (bare resets, as seen from port scanners and RST floods) and limits them to 1/s with
# a burst of 4. The commented "--syn" variant would rate-limit new connection attempts
# instead; enabling it throttles legitimate clients as well.
$IPTABLES -N syn-flood_INT_IF
$IPTABLES -F syn-flood_INT_IF
$IPTABLES -A INPUT -i $INT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood_INT_IF
#$IPTABLES -A INPUT -i $INT_IF -p tcp --syn -j syn-flood_INT_IF
$IPTABLES -A syn-flood_INT_IF -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood_INT_IF -j DROP
#
# Firewall syn/flood and port scanner protection $EXT_IF (same logic as for $INT_IF above)
$IPTABLES -N syn-flood_EXT_IF
$IPTABLES -F syn-flood_EXT_IF
$IPTABLES -A INPUT -i $EXT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood_EXT_IF
#$IPTABLES -A INPUT -i $EXT_IF -p tcp --syn -j syn-flood_EXT_IF
$IPTABLES -A syn-flood_EXT_IF -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood_EXT_IF -j DROP
#
#  Make sure NEW tcp connections are SYN packets
$IPTABLES -A INPUT -i $INT_IF -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp ! --syn -m state --state NEW -j DROP
#
# Block incoming fragments $INT_IF
$IPTABLES -A INPUT -i $INT_IF -f -j LOG --log-prefix "IPTABLES FRAGMENTS $INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -f -j DROP
#
# Block incoming fragments $EXT_IF
$IPTABLES -A INPUT -i $EXT_IF -f -j LOG --log-prefix "IPTABLES FRAGMENTS $EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -f -j DROP
#
# Drop broadcast packets
$IPTABLES -A INPUT -i $EXT_IF -d $BROADCAST -j DROP
#
# Trojan protection
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $INT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP

#
# ICQ INPUT/OUTPUT rules (I get the error message that the hostname is not found, if somebody knows why PLZ let me know)
# Reason: iptables resolves a hostname given with -d at the moment the rule is loaded. At this
# point the OUTPUT policy is already DROP and the nameserver ACCEPT rules come later in this
# file, so the DNS lookup cannot succeed. Resolving at load time would also freeze whatever
# addresses the name had when the script ran. Use fixed IPs here, or move these rules below
# the nameserver rules.
#$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# icmp INPUT/OUTPUT rules $INT_IF. For a list of icmp types check the end of this file.
$IPTABLES -A INPUT -i $INT_IF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $INT_IF -p icmp --icmp-type 0 -j DROP
#
# icmp INPUT/OUTPUT rules $EXT_IF. For a list of icmp types check the end of this file.
$IPTABLES -A INPUT -i $EXT_IF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $EXT_IF -p icmp --icmp-type 0 -j DROP
#
# Nameserver INPUT/OUTPUT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_1 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_2 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_3 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# INPUT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TCP_SERVICES_IN_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TCP_SERVICES_IN_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT  -i $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT

# FORWARD
# LAN -> Internet: NEW connections only to the listed ports. Internet -> LAN: only
# ESTABLISHED,RELATED (the last rule of this block), so a NEW connection that the
# PREROUTING DNAT below redirects to a LAN host is not accepted unless a rule for
# that destination is added here.
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dport $FORWARD_PORTS_1 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -m multiport --dport $FORWARD_PORTS_1 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dport $FORWARD_PORTS_2 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -m multiport --dport $FORWARD_PORTS_2 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT
$IPTABLES -A OUTPUT -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p tcp -m multiport --sport $TCP_SERVICES_IN_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -m multiport --sport $TCP_SERVICES_IN_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p tcp -m multiport --dport $TCP_SERVICES_OUT_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -m multiport --dport $TCP_SERVICES_OUT_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# POSTROUTING
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# PREROUTING
# Rewrite the public address, port 7001, to the Oracle Apps server on the LAN. The DNAT
# only changes the destination; the rewritten packet is then routed and must pass the
# FORWARD chain above, whose only $EXT_IF -> $INT_IF rule accepts ESTABLISHED,RELATED.
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp -d 6x.xx.xx.xx --dport 7001 -j DNAT --to-destination 10.0.0.2:7001


echo "Firewall STARTED"

### END ###


If I disable the $IPTABLES -P FORWARD DROP, it is working.
What will be the problem?


0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8217879
add also
$IPTABLES -I FORWARD -d 10.0.0.2 -j ACCEPT

and check.
0
 

Author Comment

by:hithayath
ID: 8218822
I have identified that the problem is with the FORWARD chain. If I disable $IPTABLES -P FORWARD DROP in the initial lines (accepting all forwarding) or add a new rule to my existing rules, iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT (accepting all forwarding), it is working. But I don't want to forward everything from eth1 to eth0; I wish to forward only a specific port. What rule will be more efficient?


0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8218948
it's because of that, I told you to add a rule only to one IP.

let's make it a mix:

$IPTABLES -A FORWARD -i eth1 -o eth0 -d 10.0.0.2/32 -j ACCEPT


Ok. I hope you are satisfied enough with the help :-)


Regards
0
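The thread ends with a rule that accepts everything for 10.0.0.2. The script below is an added example, not code from the thread or from either poster: it installs the narrowest rule set that makes a DNAT work under a default-DROP FORWARD policy (DNAT in nat/PREROUTING, one FORWARD rule for NEW connections to exactly that host and port, one FORWARD rule for the replies) and includes the check to run afterwards. Assumptions: eth1 is the external and eth0 the internal interface as in the poster's script, IPTABLES defaults to /sbin/iptables and can be set to "echo" for a dry run, and 203.0.113.5 is a documentation address standing in for the real public IP.

```shell
#!/bin/sh
# Added example (not from the original thread): publish one TCP port of a LAN
# host through a two-NIC Linux NAT box whose FORWARD policy is DROP.
# Assumed placeholders: EXT_IF=eth1, INT_IF=eth0, IPTABLES=/sbin/iptables
# (set IPTABLES=echo to print the rules instead of loading them), and the
# documentation address 203.0.113.5 in place of the real public IP.

IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth1}"
INT_IF="${INT_IF:-eth0}"

# publish_tcp_port PUB_IP PUB_PORT INT_IP INT_PORT
# Installs the three rules a DNAT needs when the FORWARD chain is default-DROP:
#   1. nat/PREROUTING: rewrite the destination before the routing decision
#   2. filter/FORWARD : accept NEW connections from outside, but only to that
#      one host and port (instead of "-i eth1 -o eth0 -j ACCEPT" for everything)
#   3. filter/FORWARD : let the server's replies back out
# Returns non-zero on a usage error or if any iptables call fails.
publish_tcp_port() {
    [ $# -eq 4 ] || { echo "usage: publish_tcp_port PUB_IP PUB_PORT INT_IP INT_PORT" >&2; return 2; }
    pub_ip=$1; pub_port=$2; int_ip=$3; int_port=$4

    # -i "$EXT_IF" restricts the rewrite to packets arriving from the Internet
    "$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$pub_ip" --dport "$pub_port" \
        -j DNAT --to-destination "$int_ip:$int_port" || return 1

    # After DNAT the packet's destination is the LAN host, so match on that, not
    # on the public address
    "$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$int_ip" --dport "$int_port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT || return 1

    # Reply direction; conntrack un-does the DNAT on the way out
    "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -s "$int_ip" --sport "$int_port" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
}

# show_port_rules: the check to run after loading. The packet counters (-v) on
# the PREROUTING DNAT rule show whether the outside reaches the box at all; the
# counters on the FORWARD rule show whether the rewritten packets are accepted.
# Zero on the DNAT rule means the DSL router or the ISP drops the port before
# the box sees it; non-zero there and zero on FORWARD means a filtering problem.
show_port_rules() {
    "$IPTABLES" -t nat -L PREROUTING -n -v --line-numbers || return 1
    "$IPTABLES" -L FORWARD -n -v --line-numbers || return 1
}

# Demo: publish 10.0.0.2:7001 as 203.0.113.5:7001, then show the counters.
if [ "${1:-}" = "--demo" ]; then
    publish_tcp_port 203.0.113.5 7001 10.0.0.2 7001 && show_port_rules
fi
```

Two caveats the thread does not mention. The DNAT rule only matches on eth1, so LAN clients that use the public name will not be redirected; that needs a second DNAT for -i eth0 plus a POSTROUTING SNAT/MASQUERADE towards 10.0.0.2 so its replies come back through the firewall. And the redirected host must route its replies through the NAT box (default gateway 10.0.0.1 on 10.0.0.2), otherwise conntrack never sees the return packets and the connection hangs after the SYN; /proc/net/ip_conntrack lists the DNAT entries if you want to confirm a connection is being tracked.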
