Help on iptables setting on forwarding (Linux Security forums, System Security and Security Related category)
Hi,

I set up my Linux box for IP Masquerading according to a "how-to". I used the iptables settings according to the strong firewall rulesets. The suggested rulesets allow all traffic to be masqueraded from the internal interface. Please suggest rulesets allowing ONLY port 80 and port 443 to be forwarded from the internal interface. I tried to modify:

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 80 -j ACCEPT

but it did not work.

Thanks.

Regards
Alan
Alan wrote:
[snip]
> suggested rulesets allow all traffic to be masqueraded from the internal
> interface. Please suggest rulesets on allowing ONLY port 80 and port 443
> to be forwarded from the internal interface.
>
> I tried to modify:
>
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 80 -j ACCEPT
>
> but it did not work.

Without seeing the rest of your script I'd guess that you're not allowing the packets returning from the destination web server through. Try something like the following:

$IPTABLES -A FORWARD -p TCP -i $INTIF -o $EXTIF --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $EXTIF -o $INTIF --sport 80 -m state --state ESTABLISHED -j ACCEPT

The above should be 2 iptables commands, sorry if my newsreader has broken the lines strangely.

--
Steve Webster
Remove the 'nospam' to get my email address.
Hello,

I think you need the following entries in your NAT table. The first rule forwards the incoming packets to the HTTP server. The second rule allows you access to the HTTP server from the inside using your external IP address.

$IPTABLES -t nat -A PREROUTING -p TCP -i $EXTIF -d $EXTIP --dport 80 \
    -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INTIF -d $EXTIP --dport 80 \
    -j DNAT --to-destination $DMZ_HTTP_IP

$IPTABLES -t nat -A PREROUTING -p TCP -i $EXTIF -d $EXTIP --dport 443 \
    -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INTIF -d $EXTIP --dport 443 \
    -j DNAT --to-destination $DMZ_HTTP_IP

Additionally you will need the following forwarding rules. If you do not have your HTTP server in a DMZ you only need two rules and you have to replace $DMZIF with your $INTIF.

$IPTABLES -A FORWARD -p TCP -i $EXTIF -o $DMZIF -d $DMZ_HTTP_IP \
    --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $DMZIF -o $EXTIF --sport 80 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -p TCP -i $INTIF -o $DMZIF -d $DMZ_HTTP_IP \
    --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $DMZIF -o $INTIF --sport 80 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

I think the rules for HTTPS you can figure out yourself.

Bye,
Peter

On Thu, 23 Oct 2003 08:29:07 +0800, Alan wrote:
> Hi,
> I set up my Linux box for IP Masquerading according to "how-to". I used
> iptables settings according to the strong firewall rulesets. The
> suggested rulesets allow all traffic to be masqueraded from the internal
> interface. Please suggest rulesets on allowing ONLY port 80 and port 443
> to be forwarded from the internal interface.
>
> I tried to modify:
>
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 80 -j ACCEPT
>
> but it did not work.
>
> Thanks.
>
> Regards
> Alan
Peter Eberz wrote:
> Hello,
> I think you need the following entries in your NAT table.
> The first rule forwards the incoming packets to the HTTP server.
> The second rule allows you access to the HTTP server from the inside using
> your external IP address.
>
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXTIF -d $EXTIP --dport 80 \
>     -j DNAT --to-destination $DMZ_HTTP_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INTIF -d $EXTIP --dport 80 \
>     -j DNAT --to-destination $DMZ_HTTP_IP
>
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXTIF -d $EXTIP --dport 443 \
>     -j DNAT --to-destination $DMZ_HTTP_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INTIF -d $EXTIP --dport 443 \
>     -j DNAT --to-destination $DMZ_HTTP_IP

These would be the rules if the OP were running a webserver in a DMZ. I think he was trying to limit outbound traffic from his LAN to only HTTP and HTTPS. *Assuming* that is the case, all a person needs is:

Make sure your FORWARD chain has a default policy of DROP or REJECT, so you only add in 2 rules for the traffic you want to be allowed to leave, then allow the outbound packets:

$IPTABLES -A FORWARD -p tcp -o $EXTIF -s $LAN --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -o $EXTIF -s $LAN --dport 443 -j ACCEPT

Add a rule to NAT the packets. No need to write bunches of rules specifying only specific ports to be NAT'd since the FORWARD chain won't be allowing any outbound packets to any other ports anyway. That way, when he discovers that he needs to allow a few more ports, which will happen at some point, all he needs to do is add a single rule to the FORWARD chain and it's fixed.

# SNAT lives in the nat POSTROUTING chain and --to-source takes the external address, not an interface name
$IPTABLES -t nat -A POSTROUTING -p tcp -o $EXTIF -s $LAN \
    -j SNAT --to-source $EXTIP

Then allow all related packets back in. Again, writing bunches of rules to allow each type of traffic back in just wastes CPU. If your outbound rules are solid, there can't be any other RELATED or ESTABLISHED packets coming back except those which you expressly allowed out.

$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $LAN \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

bryan
--
A Freudian slip is when you say one thing but mean your mother.
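The following is an added example, not code posted by anyone in this thread. It pulls together the advice from Steve's reply (let the replies back through with a state match) and Bryan's reply (default-deny FORWARD, two outbound rules, one NAT rule, one return rule) into one script that does what Alan asked for: a masquerading gateway that forwards only TCP/80 and TCP/443 out of the LAN. The interface names, the LAN subnet and the `apply` argument are assumptions for illustration and not from the thread; set `IPTABLES=echo` to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: egress-only HTTP/HTTPS masquerading gateway (not from the thread).
# Assumed values below are placeholders; adjust INTIF, EXTIF and LAN to your box.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run
INTIF="${INTIF:-eth1}"             # assumed LAN-facing interface
EXTIF="${EXTIF:-eth0}"             # assumed Internet-facing interface
LAN="${LAN:-192.168.1.0/24}"       # assumed LAN subnet

egress_web_only() {
    # Default deny for everything the box forwards; every rule below is an exception.
    # (Only ACCEPT and DROP are valid policies for a built-in chain.)
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F POSTROUTING

    # One stateful rule covers both directions of every connection already allowed:
    # replies from the web server AND the client's own later packets (ACKs, data).
    # Matching only NEW on the outbound rules would drop the client's follow-up packets.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Only TCP/80 and TCP/443 may open a NEW connection from the LAN outward.
    # Adding another port later is one more line here, nothing in the nat table.
    for port in 80 443; do
        $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Masquerade whatever FORWARD lets out; no per-port NAT rules are needed because
    # FORWARD already refuses every other outbound connection.
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
}

# Load the rules only when explicitly asked; sourcing the file just defines the function.
case "${1:-}" in
    apply)
        egress_web_only
        sysctl -w net.ipv4.ip_forward=1
        ;;
esac
```

Run it as `sh egress-web-only.sh apply` on the gateway, then check with `iptables -L FORWARD -v -n` that the policy reads `DROP` and that only the two `NEW` rules carry `dpt:80` / `dpt:443`, and with `iptables -t nat -S POSTROUTING` that the single MASQUERADE rule is present. Two caveats worth knowing before you deploy it: the policy and rules touch only forwarded traffic, so the gateway's own INPUT/OUTPUT chains are unchanged, and LAN clients will no longer be able to resolve names unless the gateway itself provides DNS, so UDP/TCP 53 to your resolver is usually the first of the "few more ports" Bryan predicts you will have to add.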