Solved

IPTables NAT rules

Posted on 2013-12-09
4
437 Views
Last Modified: 2013-12-10
I'm setting up iptables as a NAT router

Basically I want DNAT as follows

84.24.130.18:8001 forwarding to 192.168.0.1:3389
84.24.130.18:8002 forwarding to 192.168.0.2:3389
84.24.130.18:8002 forwarding to 192.168.0.3:3389

Also allow SSH to the box

all other inbound traffic dropped

allow outbound traffic on 80,443 ONLY, drop anything else

eth0 is WAN side 84.24.130.18, eth1 is LAN (192.168.0.0/24)


I have enabled forwarding in the kernel

Here are my rules so far

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8001 -j DNAT --to-destination 192.168.0.1:3389
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8002 -j DNAT --to-destination 192.168.0.2:3389
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8003 -j DNAT --to-destination 192.168.0.3:3389
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -i eth1 -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9391 -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9392 -d 192.168.0.2 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -d 192.168.0.3 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9394 -d 192.168.0.4 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9395 -d 192.168.0.5 -j ACCEPT

Sadly, none of it works! I am not able to get out on 80,443 and the DNAT does not work either.

What have I missed?
0
Question by:mark033
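As an added example (not the asker's rules and not code from any answer in this thread), here is a POSIX sh script that emits, or applies, a ruleset matching the requirements stated in the question. It differs from the posted rules in three places: iptables refuses -i in the OUTPUT chain (that chain only sees packets the router itself generates), so LAN-to-WAN web traffic belongs in FORWARD; DNAT in PREROUTING runs before the FORWARD chain sees the packet, so the FORWARD rule must match the rewritten destination 192.168.0.x:3389 rather than the public port; and reply traffic is admitted by one conntrack ESTABLISHED,RELATED rule per chain. The interface names, LAN prefix and host addresses come from the question; the conntrack match, the function names and the apply/show switch are my own choices.

```shell
#!/bin/sh
# Added example, not the asker's rules: emit (or apply) a ruleset for the
# requirements in the question. Interfaces, LAN prefix and hosts are from
# the question; the conntrack match and function names are my choices.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
# Public port -> LAN host; every target listens on 3389
FORWARDS="8001:192.168.0.1 8002:192.168.0.2 8003:192.168.0.3"
IPT=${IPT:-iptables}

# Print one iptables argument line; apply_rules feeds these to $IPT
rule() { printf '%s\n' "$*"; }

build_rules() {
    # Default deny on all three filter chains
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP

    # Loopback, then replies to anything already accepted (covers SSH
    # replies, DNAT return traffic and the LAN clients' web sessions)
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # SSH to the router itself
    rule -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Hide the LAN behind the WAN address
    rule -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Port forwards. DNAT happens in PREROUTING, before the FORWARD chain
    # sees the packet, so FORWARD must match the rewritten destination
    # (host:3389), not the public port.
    for map in $FORWARDS; do
        wport=${map%%:*}
        host=${map#*:}
        rule -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$wport" \
            -j DNAT --to-destination "$host:3389"
        rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$host" \
            --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
    done

    # Outbound web only. LAN clients go through FORWARD; OUTPUT only covers
    # packets the router generates and rejects -i, which is why the posted
    # "-A OUTPUT -i eth1 -o eth0" rules cannot load.
    for port in 80 443; do
        rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
            --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        rule -A OUTPUT -o "$WAN_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Run every emitted line through iptables (needs root; flush first when
# re-applying, otherwise -A duplicates the rules)
apply_rules() {
    build_rules | while IFS= read -r line; do
        # shellcheck disable=SC2086  # word-splitting the line is intended
        $IPT $line || return 1
    done
}

case "${1:-show}" in
    apply) apply_rules ;;
    *) build_rules ;;       # default: dry run, print the rules
esac
```

Running the script with no argument prints the rules for review; "sh script.sh apply" loads them. Because the state-tracking rules accept every reply packet, the per-service rules only need to match NEW connections, which keeps the ruleset short enough to read in one go with the listing commands suggested below.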
4 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 39707864
Look at
iptables -t filter -L --line-numbers
iptables -t nat -L --line-numbers
iptables -t nat -L PREROUTING --line-numbers   # the DNAT rules live in the nat table's PREROUTING chain

You are using -A which adds the rule to the end and might.
http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html

You have to make sure that forwarding is enabled on your box.

While the above is for CentOS, iptables functions the same under the various distros. You may have a different front end to manage it.
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39707994
I always use this command to check iptables rules
{ set -x;for i in filter nat mangle raw;do iptables -t $i -n -v --line-numbers -L;done;set +x; } 2>&1|tee iptables.txt


If you could run that and post iptables.txt then I or anyone else should be able to help you further
0
 
LVL 34

Accepted Solution

by:
Duncan Roe earned 500 total points
ID: 39708016
Rather than use a policy of DROP, I prefer to keep the policy as ACCEPT and have a rule at the end of each table to log the packet before dropping it. That way I can see what I'm dropping - useful when developing. When the system is stable, I comment out the LOG line usually (too much noise). So I define this first
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP


Then I add entries to the input table, ending with this
iptables -A INPUT -j logdrop # last rule


0
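An added example to go with the logdrop approach above (my code, not Duncan's): once packets are being logged before they are dropped, the kernel LOG lines can be summarised by interface, protocol, destination port and source, which is exactly the check needed to tell whether anything from a given workstation is reaching the WAN interface at all. The sample log lines are constructed for the example, using documentation-range addresses; the field names IN, OUT, SRC, DST, PROTO and DPT are the ones the LOG target writes, and an empty OUT= means the packet was destined for the router itself (INPUT chain) rather than being forwarded.

```shell
#!/bin/sh
# Added example: summarise packets logged by an iptables LOG target (such as
# the logdrop chain) by ingress/egress interface, protocol, destination port
# and source address. Reads log lines on stdin, e.g. from dmesg.

summarize_drops() {
    awk '
    # Only lines produced by the LOG target carry a PROTO= field; other
    # syslog noise on the same input is skipped
    /PROTO=/ {
        split("", f)                       # reset the key=value map per line
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 0) {
                f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
        }
        out = (f["OUT"] == "") ? "local" : f["OUT"]   # empty OUT= = INPUT chain
        key = f["IN"] "->" out " " f["PROTO"] " dpt=" f["DPT"] " from " f["SRC"]
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample lines in the format the LOG target writes; the
# addresses are documentation ranges, not real traffic. The last line is
# unrelated sshd noise and must be ignored by the summary.
SAMPLE_LOG='Dec  9 10:01:02 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=84.24.130.18 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=8001 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  9 10:01:03 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=84.24.130.18 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=8001 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  9 10:01:05 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=84.24.130.18 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=53 DPT=33434 LEN=20
Dec  9 10:01:09 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.0.1 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  9 10:01:10 gw sshd[1234]: Accepted publickey for admin from 203.0.113.9 port 50000 ssh2'

# Run the summary over the constructed sample
demo_summary() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
}

demo_summary
```

On a live box, "dmesg | summarize_drops" reads straight from the kernel ring buffer; that sidesteps the problem that messages logged at level debug, as in the logdrop chain above, may be filtered out of /var/log/messages by the syslog configuration. In the sample, the two retries to public port 8001 from one source collapse into a single line with a count of 2, the forwarded SMTP attempt from the LAN host shows up as eth1->eth0, and the sshd line is ignored.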
 

Author Closing Comment

by:mark033
ID: 39709747
Many thanks Duncan - in the end the issue turned out to be a firewall that sits in front of the server network blocking connections from my workstation into the network the iptables box sits on, rather than anything with my rules (the IP of my machine had changed and we hadn't updated the rule)

I like the approach you outlined re logging and it helped me to confirm no packets from my machine were reaching the WAN interface on the box.
0
