
trouble with IPTABLE script 1


zeland (IS-IT--Management), Aug 19, 2002
The company that I work for has got more public IPs and wishes to publish a few of our servers onto the web. I've set up iptables previously, but only to share the internet connection and map (DNAT) a few services in. I did some studies and came across this tutorial site -
After reading through, I've come up with this script. However, nothing or no connections seem to be getting through. When I run the script, I get a warning "no chain/target/match by that name" although doing an iptables -L -v shows that the chain does exist.

--== Start Script ==--
#!/bin/sh
# Set Environment Variables
EXT="eth1"
INT="eth0"

EXT_IP="10.0.0.1"
MAILSRV="192.168.0.1"
WEBSRV="192.168.0.2"
DBSRV="192.168.0.2"
FTPSRV="192.168.0.2"
CITRIX_INT="192.168.0.3"
CITRIX_EXT="10.0.0.2"

# Setup Tracking Modules
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp
#/sbin/insmod ip_conntrack_irc
#/sbin/insmod ip_nat_irc

# Set default policies to DROP
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# Creating User Defined Chains
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets

# Starting Ruleset
iptables -A FORWARD -p icmp -j icmp_packets
iptables -A FORWARD -p tcp -j tcp_packets
iptables -A FORWARD -p udp -j udp_packets
iptables -A FORWARD -j LOG

# ICMP Ruleset START
iptables -A icmp_packets -j LOG
# ICMP Ruleset END

# TCP Ruleset START
iptables -A tcp_packets -p tcp --dport 137:139 -j DROP
iptables -A tcp_packets -p tcp -m multiport --dports 21,25,53,80,3000,3306 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A tcp_packets -i $INT -p tcp -s 192.168.0.1 -o $EXT -j ACCEPT
iptables -A tcp_packets -i $INT -p tcp -s 192.168.0.2 -o $EXT -j ACCEPT
iptables -A tcp_packets -i $INT -p tcp -s 192.168.0.3 -o $EXT -j ACCEPT
iptables -A tcp_packets -j LOG
# TCP Ruleset END

# UDP Ruleset START
iptables -A udp_packets -p udp --dport 53 -j ACCEPT
iptables -A udp_packets -j LOG
# UDP Ruleset END

iptables -A PREROUTING -i $EXT -p tcp --dport 21 -d $EXT_IP -j DNAT --to-destination $FTPSRV:21
iptables -A PREROUTING -i $EXT -p tcp --dport 25 -d $EXT_IP -j DNAT --to-destination $MAILSRV:25
iptables -A PREROUTING -i $EXT -p tcp --dport 80 -d $EXT_IP -j DNAT --to-destination $WEBSRV:80
iptables -A PREROUTING -i $EXT -p tcp --dport 3000 -d $EXT_IP -j DNAT --to-destination $MAILSRV:3000
iptables -A PREROUTING -i $EXT -p tcp --dport 3306 -d $EXT_IP -j DNAT --to-destination $DBSRV:3306
iptables -A PREROUTING -i $EXT -d $CITRIX_EXT -j DNAT --to-destination $CITRIX_INT

# Spoof Prevention
iptables -A PREROUTING -i $EXT -s ! 192.168.1.0/24 -j DROP
iptables -A PREROUTING -i $INT -s 192.168.1.0/24 -j DROP

iptables -A POSTROUTING -o $EXT -s ! $CITRIX_INT -j SNAT --to-source $EXT_IP
iptables -A POSTROUTING -o $EXT -s $CITRIX_INT -j SNAT --to-source $CITRIX_EXT
--== End Script ==--
 
The PREROUTING and POSTROUTING chains do not exist in the filter table (the default). You will have to specify the table to use them ([tt]-t nat[/tt]).

//Daniel
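A small lint check for the mistake Daniel points out, added here as an example and not part of the thread or the poster's script: it scans a rule script for PREROUTING/POSTROUTING rules that carry no table selector (so they would silently land in the filter table) and can rewrite them with "-t nat". The sample rules are constructed from the script above.

```shell
#!/bin/sh
# Added example (not from the thread): find iptables rules that touch
# PREROUTING/POSTROUTING without naming a table. Without "-t nat" they go to
# the default filter table, which has no such chains, hence the
# "No chain/target/match by that name" error in the thread.

# Constructed sample, trimmed from the thread's script: two rules with the bug,
# two already carrying "-t nat", one filter-table rule that must be left alone.
SAMPLE_RULES='iptables -A FORWARD -p tcp -j tcp_packets
iptables -A PREROUTING -i eth1 -p tcp --dport 80 -d 10.0.0.1 -j DNAT --to-destination 192.168.0.2:80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -d 10.0.0.1 -j DNAT --to-destination 192.168.0.1:25
iptables -A POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.1
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.3 -j SNAT --to-source 10.0.0.2'

# Print each rule that appends/inserts/deletes/replaces into PREROUTING or
# POSTROUTING but has no "-t <table>" / "--table <table>" selector.
missing_table_rules() {
    printf '%s\n' "$1" | awk '
        /iptables/ && /-(A|I|D|R)[ \t]+(PREROUTING|POSTROUTING)/ &&
        $0 !~ /(^|[ \t])(-t|--table)[ \t]+(nat|mangle|raw)([ \t]|$)/ { print }'
}

# Number of offending rules (0 means the script is clean in this respect).
count_missing_table_rules() {
    missing_table_rules "$1" | awk 'END { print NR }'
}

# Emit the script with "-t nat" inserted into offending rules; everything else
# passes through unchanged.
fix_missing_table_rules() {
    printf '%s\n' "$1" | awk '
        /iptables/ && /-(A|I|D|R)[ \t]+(PREROUTING|POSTROUTING)/ &&
        $0 !~ /(^|[ \t])(-t|--table)[ \t]+(nat|mangle|raw)([ \t]|$)/ {
            sub(/iptables/, "iptables -t nat")
        }
        { print }'
}

echo "rules missing a table selector:"
missing_table_rules "$SAMPLE_RULES"
echo "count: $(count_missing_table_rules "$SAMPLE_RULES")"
echo "rewritten script:"
fix_missing_table_rules "$SAMPLE_RULES"
```

Run it against the real script with `count_missing_table_rules "$(cat firewall.sh)"` to get a pass/fail number before loading the rules.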
 
DUH... Thought the PRE & POSTROUTING chains were all part of the default system. Oh well, thanks a million!
 
zeland, what are you using to create your scripts? Are you just writing them by hand? Might I suggest using firewall builder ( It has a GUI like Checkpoint's, and it makes configuring rules and NAT a breeze. I have been using it for a while and like it a lot.
 
Thanks for the suggestion waresd. I've installed it and it looks promising although a bit confusing at the moment.

I'm an old school type of guy that codes everything by hand in a text editor if possible. I always feel that GUIs are hiding something from me.

After touching up the script a bit more by including "-t nat" in my pre/postrouting rules and a couple of other forwarding rules, I've got everything running on the 10.0.0.1 address but can't get a connection via the 10.0.0.2 address.

Theoretically, eth1 (external, 10.0.0.1) should not accept packets for 10.0.0.2 unless I bind 2 addresses to the same NIC. What would be the best way for me to go about getting eth1 to accept both .1 & .2 packets?
 