Help with forwarding in iptables

novafire | Member, joined Jul 24, 2000, 55 posts
I am setting up a masqing box for my DSL connection and am having trouble getting forwarding to work. I have followed many HOWTOs from various sites, including this HOWTO.

I want to, for example, forward all incoming connections at port 80 to my internal WWW server (192.168.0.110). My connection to the internet from my local internal LAN works just fine, but when I try to connect to my external IP:80 from the outside world looking in, the web browser just hangs. I have tried the same with port 22 for SSH, with similar results. Any tips would be great. The forwarding lines are at the bottom of the included script, but I think something might need to be changed elsewhere in the script, which is almost copied line by line from the URL above -- with minor modifications for my setup.

#!/bin/sh
IPTABLES=/sbin/iptables

EXTIF="eth0"   # interface facing the DSL link
INTIF="eth1"   # interface facing the internal LAN

# load the netfilter modules (2.4 kernel)
/sbin/depmod -a
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod ip_conntrack_irc
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp

# turn on routing between the interfaces; ip_dynaddr copes with a dynamic external address
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# default policies accept everything, then old rules are flushed
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# FORWARD: replies back in, anything from the LAN out, then log whatever reaches this point
# (LOG is non-terminating, so a logged packet still continues to the rules below)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

# masquerade LAN traffic behind the external address
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# port forwarding target
PORTFWIP=192.168.0.110

# let the new inbound connection through FORWARD (FORWARD already sees the rewritten destination,
# because DNAT in PREROUTING happens before the routing decision)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# rewrite the destination of packets arriving for the external address on port 80
$IPTABLES -A PREROUTING -t nat -p tcp -d 207.X.X.X --dport 80 -j DNAT --to $PORTFWIP:80
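A tighter version of the forwarding rules, added here as an example and not part of novafire's script or the HOWTO: it matches the DNAT on the incoming interface instead of the fixed external address (so a dynamic DSL address does not matter), drops forwarded traffic that matches nothing, and puts a rate-limited LOG rule last so that a logged packet really is one about to be dropped. Interface names and the internal address come from the post; the rule() wrapper, APPLY and forward_rules are this example's own.

```shell
#!/bin/sh
# Added example (not novafire's script): builds the NAT/forwarding rule set in
# the order netfilter needs it. Without APPLY=1 it only prints the commands so
# the set can be reviewed; APPLY=1 (as root) runs them.
EXTIF="eth0"                # DSL side
INTIF="eth1"                # LAN side
PORTFWIP="192.168.0.110"    # internal web server
IPT=/sbin/iptables

rule() {
    if [ "${APPLY:-0}" = "1" ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

forward_rules() {
    # unmatched forwarded traffic is dropped, so a LOG hit means a real drop
    rule -P FORWARD DROP
    rule -F FORWARD
    rule -t nat -F

    # replies for any tracked connection, both directions (covers DNAT replies)
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the LAN may open anything outbound
    rule -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    rule -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

    # 1) PREROUTING rewrites DST before the routing decision, so match on the
    #    incoming interface rather than on the (possibly dynamic) external address
    rule -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 \
        -j DNAT --to-destination "$PORTFWIP:80"
    # 2) FORWARD then sees the rewritten destination and must admit the new flow
    rule -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$PORTFWIP" --dport 80 \
        -m state --state NEW -j ACCEPT

    # last: rate-limited log of what is about to hit the DROP policy
    rule -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPT FORWARD drop: "
}

forward_rules
# After applying, 'iptables -t nat -L PREROUTING -n -v' and 'iptables -L FORWARD -n -v'
# show per-rule packet counters. If both the DNAT and the FORWARD counters rise but
# outside clients still hang, the reply path is the next thing to check: the web
# server's default route must point at the firewall's LAN address.
```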
 

Barnaby W. Füi | Elite Member, joined Aug 14, 2001, 12,343 posts
man iptables still confuses the hell out of me... I need some major help with it... so a bump for you! (even though you're at the top, ignore that)

In my situation, I have my firewall box, which I want to be serving HTTP and FTP; I also need to be able to use stuff like Morpheus and AIM from behind the firewall...
 

novafire | Member, joined Jul 24, 2000, 55 posts
I was able to get services on the firewall such as WWW, FTP, and SSH working fine; it is just a matter of allowing connections to those specific ports. If you want I can post some examples.

But ya, iptables is not the simplest topic to learn. I read about 100 pages of HOWTOs today, and the worst part is each HOWTO author does things differently; add in the sometimes broken English and typos and it gets worse, hehe.

Good luck.
 

Barnaby W. Füi | Elite Member, joined Aug 14, 2001, 12,343 posts

<< I was able to get services on the firewall such as WWW, FTP, and SSH working fine; it is just a matter of allowing connections to those specific ports. If you want I can post some examples.

But ya, iptables is not the simplest topic to learn. I read about 100 pages of HOWTOs today, and the worst part is each HOWTO author does things differently; add in the sometimes broken English and typos and it gets worse, hehe.

Good luck.
>>


Yeah, like the one I was reading most recently: there were all these options he listed that were supposed to be in .config but they WEREN'T!! And I was using a newer kernel (2.4.17 vs. 2.4.7)... he wasn't clear at all on whether I needed to patch the kernel or install this or that or whatever.
 

Koinonia | Member, joined Sep 27, 2001, 43 posts

Hey nova, what's the difference between iptables and ipchains? Just wondering, I'm having a headache looking through HOWTOs like you were.

 

novafire | Member, joined Jul 24, 2000, 55 posts
ipchains is the older Kernel 2.2.x firewall/masq implementation, and iptables is the newer Kernel 2.4.x version.

ipchains _can_ be used under Kernel 2.4.x, but iptables is a better overall setup and is more robust. Use iptables if you can; some people claim ipchains can, however, still be considered a valid setup for simple setups.

Hope this helps a bit.
 

Koinonia | Member, joined Sep 27, 2001, 43 posts
Interesting information.

Thanks, I'll take this into consideration, and use your resources for now.
 

novafire | Member, joined Jul 24, 2000, 55 posts
Glad to be able to help a few others out with iptables.

Anyone have any thoughts on my problem?
 

FUBAR | Senior member, joined Oct 11, 1999, 618 posts
I know you probably don't want to look at another person's script and try to figure it out, but this is what I got. It came from here basically with some mods.

Here's a link to the script rc.firewall

This script has VNC forwarded into the fw box and to another PC. It also allows the fw to accept SSH, FTP, and I think web. It also blocks some other nasty stuff.


Edit: my bad... wrong site for the first link. This is a good HOWTO and has the stronger scripts in section 6.4, but you knew that already cuz it's the same link as yours.
 

novafire | Member, joined Jul 24, 2000, 55 posts
Thanks for the example FUBAR, but I am still having no luck. I tried scripts from that link before I even posted here, and now your script (with minor modifications of course: just changed the IPs and such, and forwarded port 80 just like you did with the VNC ports; interfaces are the same as my setup), and it still will not work -- web browsers from the outside just time out.

I am beginning to think something lower level is not configured properly, did I miss something? Something that would allow seemingly perfect MASQing and connection directly to the fw, but no forwarding through it.

I made sure my hosts.allow is "ALL: ALL" (for testing purposes only for now) and cannot think of anything else; a module maybe?

BTW, I have tried on both a Mandrake 8.1 and SuSE 7.3 installation.

Any further insight would be grand.
 

novafire | Member, joined Jul 24, 2000, 55 posts
I looked at my syslog; here is a line that continuously pops up whenever I attempt a connection to one of the should-be forwarded ports:

Feb 3 10:18:02 jenner kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=144.92.164.197 DST=192.168.0.110 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=43854 PROTO=TCP SPT=39452 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
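A small parser for that kernel LOG line, added here as an example and not from anyone in the thread: it splits the KEY=VALUE fields and classifies the packet from the interface pair and destination. For the quoted line it reports an inbound SYN whose destination is already 192.168.0.110, which means the PREROUTING DNAT ran and the packet reached FORWARD; with the script as posted (LOG followed by ACCEPT rules and an ACCEPT policy) LOG is non-terminating, so the line records the packet passing through, not dying. Interface names are taken from the script; the function names and the copied log line are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): parse a netfilter LOG line and report
# which leg of the NAT path the packet was on. Interface names as in the script.
set -f                      # no pathname expansion while word-splitting lines
EXTIF="eth0"
INTIF="eth1"

# constructed copy of the syslog line quoted in the post
LOGLINE='Feb 3 10:18:02 jenner kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=144.92.164.197 DST=192.168.0.110 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=43854 PROTO=TCP SPT=39452 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

# field LINE KEY -> prints the value of KEY=value; fails if the key is absent
field() {
    for tok in $1; do
        case $tok in "$2="*) printf '%s\n' "${tok#*=}"; return 0 ;; esac
    done
    return 1
}

# flag LINE NAME -> true if a bare token such as SYN or ACK is present
flag() {
    for tok in $1; do [ "$tok" = "$2" ] && return 0; done
    return 1
}

is_private() {
    case $1 in 10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;; esac
    return 1
}

# classify LINE -> dnat-inbound-new | dnat-inbound | outbound | other
classify() {
    ifin=$(field "$1" IN); ifout=$(field "$1" OUT); dst=$(field "$1" DST)
    if [ "$ifin" = "$EXTIF" ] && [ "$ifout" = "$INTIF" ] && is_private "$dst"; then
        # DST is already the LAN address: PREROUTING DNAT ran before FORWARD saw it
        if flag "$1" SYN; then echo dnat-inbound-new; else echo dnat-inbound; fi
    elif [ "$ifin" = "$INTIF" ] && [ "$ifout" = "$EXTIF" ]; then
        echo outbound
    else
        echo other
    fi
}

# prints: 144.92.164.197 -> 192.168.0.110:80 dnat-inbound-new
echo "$(field "$LOGLINE" SRC) -> $(field "$LOGLINE" DST):$(field "$LOGLINE" DPT) $(classify "$LOGLINE")"
```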
 

FUBAR | Senior member, joined Oct 11, 1999, 618 posts
Everything that I could find online seems to point to a rule denying access when you get that error. The only thing is that they usually add a rule that has "packet died" in it when they post their sample rules... do you have one that has that in it?

Perhaps it's the ordering of things. I think packets use the first rule that they match, so you can't deny all then add rules; I think you have to deny all at the end. Just a thought... it's been a while since I worked on ipt rules.
 

novafire | Member, joined Jul 24, 2000, 55 posts
I have INPUT, OUTPUT, and FORWARD accepting all as the default policy, so I do not think that is it.
 