[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

IPTables NAT rules rules

Posted on 2013-12-09
4
Medium Priority
?
459 Views
Last Modified: 2013-12-10
I'm setting up iptables as a NAT router

Basically I want DNAT as follows

84.24.130.18:8001 forwarding to 192.168.0.1:3389
84.24.130.18:8002 forwarding to 192.168.0.2:3389
84.24.130.18:8002 forwarding to 192.168.0.3:3389

Also allow SSH to the box

all other inbound traffic dropped

allow outbound traffic on 80,443 ONLY, drop anything else

eth0 is WAN side 84.24.130.18 , eth1 is LAN (192.168.0.0/24)


I have enabled forwarding in the kernel

Here are my rules so far

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8001 -j DNAT --to-destination 192.168.0.1:3389

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8002 -j DNAT --to-destination 192.168.0.2:3389

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8003 -j DNAT --to-destination 192.168.0.3:3389


iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -i eth1 -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9391 -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9392 -d 192.168.0.2 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -d 192.168.0.3 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9394 -d 192.168.0.4 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9395 -d 192.168.0.5 -j ACCEPT


Sadly, none of it works! I am not able to get out on 80,443 and the DNAT does not work either..

What have I missed..?
0
Comment
Question by:mark033
  • 2
4 Comments
 
LVL 81

Expert Comment

by:arnold
ID: 39707864
Look at
 iptables -t filter -L --line-numbers
iptables -t NAT -L --line-numbers
iptables -t DNAT -L --line-numbers

You are using -A which adds the rule to the end and might.
http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html

You have to make sure that forwarding is enabled on your box.

While the above is for centos, iptables function the same under the various distros.  You may have a different front end to manage it.
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39707994
I always use this command to check iptables rules
{ set -x;for i in filter nat mangle raw;do iptables -t $i -n -v --line-numbers -L;done;set +x; } 2>&1|tee iptables.txt

Open in new window

If you could run that and post iptables.txt then I or anyone else should be able to help you further
0
 
LVL 35

Accepted Solution

by:
Duncan Roe earned 2000 total points
ID: 39708016
Rather than use a policy of DROP, I prefer to keep the policy as ACCEPT and have a rule at the end of each table to log the packet before dropping it. That way I can see what I'm dropping - useful when developing. When the system is stable, I comment out the LOG line usually (too much noise). So I define this first
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP

Open in new window

Then I add entries to in input table, ending with this
iptables -A INPUT -j logdrop # last rule

Open in new window

0
 

Author Closing Comment

by:mark033
ID: 39709747
Many thanks Duncan - in the end the issue turned out to be a firewall that sits in front of the server network blocking connections from my workstation into the network the iptables box sits on, rather than anything with my rules (the IP of my machine had changed and we hadn't updated the rule)

I like the approach you outlined re logging and it helped me to confirm no packets from my machine were reaching the WAN interface on the box.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses
Course of the Month20 days, 12 hours left to enroll

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question