  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 464

IPTables NAT rules

I'm setting up iptables as a NAT router

Basically I want DNAT as follows

84.24.130.18:8001 forwarding to 192.168.0.1:3389
84.24.130.18:8002 forwarding to 192.168.0.2:3389
84.24.130.18:8002 forwarding to 192.168.0.3:3389

Also allow SSH to the box

all other inbound traffic dropped

allow outbound traffic on 80,443 ONLY, drop anything else

eth0 is WAN side (84.24.130.18), eth1 is LAN (192.168.0.0/24)


I have enabled forwarding in the kernel

Here are my rules so far

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8001 -j DNAT --to-destination 192.168.0.1:3389
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8002 -j DNAT --to-destination 192.168.0.2:3389
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8003 -j DNAT --to-destination 192.168.0.3:3389

iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -i eth1 -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9391 -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9392 -d 192.168.0.2 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -d 192.168.0.3 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9394 -d 192.168.0.4 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9395 -d 192.168.0.5 -j ACCEPT


Sadly, none of it works! I am not able to get out on 80 or 443, and the DNAT does not work either.

What have I missed?
Asked by: mark033

1 Solution
arnold Commented:
Look at
iptables -t filter -L --line-numbers
iptables -t nat -L --line-numbers
iptables -t nat -L PREROUTING --line-numbers   # the DNAT rules live in the nat table's PREROUTING chain

You are using -A which adds the rule to the end and might.
http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html

You have to make sure that forwarding is enabled on your box.

While the above is for CentOS, iptables functions the same under the various distros. You may have a different front end to manage it.
Duncan Roe, Software Developer, Commented:
I always use this command to check iptables rules
{ set -x;for i in filter nat mangle raw;do iptables -t $i -n -v --line-numbers -L;done;set +x; } 2>&1|tee iptables.txt


If you could run that and post iptables.txt then I or anyone else should be able to help you further
Duncan Roe, Software Developer, Commented:
Rather than use a policy of DROP, I prefer to keep the policy as ACCEPT and have a rule at the end of each table to log the packet before dropping it. That way I can see what I'm dropping - useful when developing. When the system is stable, I comment out the LOG line usually (too much noise). So I define this first
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP


Then I add entries to the input table, ending with this
iptables -A INPUT -j logdrop # last rule


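A corrected rule set that combines the requirements in the question with the log-then-drop chain from the comment above, as an added example; it is not code from the original thread. It assumes the interfaces and addresses the question gives (eth0 / 84.24.130.18 on the WAN side, eth1 / 192.168.0.0/24 on the LAN side, public ports 8001 to 8003 mapped to RDP on 192.168.0.1 to .3) and reads "allow outbound traffic on 80,443 only" as LAN-to-WAN forwarding. Three things the posted rules get wrong are fixed here: `-i` is not valid in the OUTPUT chain (those two rules belong in FORWARD, since OUTPUT only sees packets the router itself originates); the FORWARD rules must match the translated destination (host:3389), because DNAT in PREROUTING rewrites the packet before the filter table sees it; and with a DROP policy there is no ESTABLISHED,RELATED rule, so every reply packet is dropped. The script only prints the rules unless it is run with `--apply`, so the set can be reviewed first.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) a NAT router rule set.
# Interface names, addresses and port mappings are taken from the question.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24

# "public_port internal_host" pairs, constructed from the question.
PORT_MAP="8001 192.168.0.1
8002 192.168.0.2
8003 192.168.0.3"

# Emit the iptables commands as text so they can be reviewed before being applied.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback and established traffic first: without these, replies to the DNATed
# RDP sessions and to the router's own SSH sessions are dropped by the policy.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH to the router itself.
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# LAN -> WAN: only 80 and 443 may go out. This is FORWARD, not OUTPUT: OUTPUT
# covers packets the router originates, and -i is rejected there anyway.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
    # One DNAT rule plus one FORWARD rule per mapping. The FORWARD rule matches the
    # translated destination (host:3389), not the public port, because PREROUTING
    # DNAT has already rewritten the packet when the filter table sees it.
    echo "$PORT_MAP" | while read -r pub host; do
        [ -n "$pub" ] || continue
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $pub -j DNAT --to-destination $host:3389"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $host -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# Log, then drop, so a blocked packet shows up in the kernel log while debugging.
iptables -N logdrop
iptables -A logdrop -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level debug
iptables -A logdrop -j DROP
iptables -A INPUT -j logdrop
iptables -A FORWARD -j logdrop
iptables -A OUTPUT -j logdrop
EOF
}

# How many FORWARD rules admit new RDP connections to a given internal host.
forward_rule_for() {
    gen_rules | grep -c "FORWARD -i $WAN_IF -o $LAN_IF -d $1 -p tcp --dport 3389"
}

# Review by default; apply only when explicitly asked (needs root and iptables).
if [ "$1" = "--apply" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Run `sh nat-rules.sh` to print the rule set and diff it against `iptables -t filter -nvL --line-numbers` and `iptables -t nat -nvL --line-numbers`; run `sh nat-rules.sh --apply` as root to install it. Because the logdrop chain is the last rule in every chain, a connection that is refused shows up as an `iptables-drop:` line in the kernel log with the interface and addresses, which is exactly the evidence needed to tell a rule problem apart from a packet that never reached the box.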
mark033 (Author) Commented:
Many thanks Duncan - in the end the issue turned out to be a firewall that sits in front of the server network blocking connections from my workstation into the network the iptables box sits on, rather than anything with my rules (the IP of my machine had changed and we hadn't updated the rule)

I like the approach you outlined re logging and it helped me to confirm no packets from my machine were reaching the WAN interface on the box.