Solved

IPTables NAT rules rules

Posted on 2013-12-09
4
428 Views
Last Modified: 2013-12-10
I'm setting up iptables as a NAT router

Basically I want DNAT as follows

84.24.130.18:8001 forwarding to 192.168.0.1:3389
84.24.130.18:8002 forwarding to 192.168.0.2:3389
84.24.130.18:8002 forwarding to 192.168.0.3:3389

Also allow SSH to the box

all other inbound traffic dropped

allow outbound traffic on 80,443 ONLY, drop anything else

eth0 is WAN side 84.24.130.18 , eth1 is LAN (192.168.0.0/24)


I have enabled forwarding in the kernel

Here are my rules so far

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8001 -j DNAT --to-destination 192.168.0.1:3389

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8002 -j DNAT --to-destination 192.168.0.2:3389

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8003 -j DNAT --to-destination 192.168.0.3:3389


iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -i eth1 -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9391 -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9392 -d 192.168.0.2 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -d 192.168.0.3 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9394 -d 192.168.0.4 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9395 -d 192.168.0.5 -j ACCEPT


Sadly, none of it works! I am not able to get out on 80,443 and the DNAT does not work either..

What have I missed..?
0
Comment
Question by:mark033
  • 2
4 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 39707864
Look at
 iptables -t filter -L --line-numbers
iptables -t NAT -L --line-numbers
iptables -t DNAT -L --line-numbers

You are using -A which adds the rule to the end and might.
http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html

You have to make sure that forwarding is enabled on your box.

While the above is for centos, iptables function the same under the various distros.  You may have a different front end to manage it.
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39707994
I always use this command to check iptables rules
{ set -x;for i in filter nat mangle raw;do iptables -t $i -n -v --line-numbers -L;done;set +x; } 2>&1|tee iptables.txt

Open in new window

If you could run that and post iptables.txt then I or anyone else should be able to help you further
0
 
LVL 34

Accepted Solution

by:
Duncan Roe earned 500 total points
ID: 39708016
Rather than use a policy of DROP, I prefer to keep the policy as ACCEPT and have a rule at the end of each table to log the packet before dropping it. That way I can see what I'm dropping - useful when developing. When the system is stable, I comment out the LOG line usually (too much noise). So I define this first
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP

Open in new window

Then I add entries to in input table, ending with this
iptables -A INPUT -j logdrop # last rule

Open in new window

0
 

Author Closing Comment

by:mark033
ID: 39709747
Many thanks Duncan - in the end the issue turned out to be a firewall that sits in front of the server network blocking connections from my workstation into the network the iptables box sits on, rather than anything with my rules (the IP of my machine had changed and we hadn't updated the rule)

I like the approach you outlined re logging and it helped me to confirm no packets from my machine were reaching the WAN interface on the box.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
As companies replace their old PBX phone systems with Unified IP Communications, many are finding out that legacy applications such as fax do not work well with VoIP. Fortunately, Cloud Faxing provides a cost-effective alternative that works over an…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now