another iptables thread

sveri80 · 2008-11-24 10:42:30

Hi all,

first of all the situation.
I have a lan with several clients (192.168.15.x)
and one of them is an Exchange Server.

As an Router i am trying to setup ubuntu server.
Which works in some disciplines but not in others.
I got an dhcp and internet routing working
for the lan clients.

But i cannot access the internal exchange server
from the outside. So what i need is a routing to
port 80, 443 and 25 from the ubuntu server to the
exchange client.

I tried several iptable scripts, but nothing did help.

Here are the relevant parts of the script:
iptables -A FORWARD -p tcp -m multiport --dports 20,21,80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to -destination 192.168.15.1:80

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.1:443

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.15.1

#iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 80 -j ACCEPT

#iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -j SNAT --to-source $LAN_IP

As you can see i tried every combination i found on the
internet and it seems to work a bit.
When i try to access my lan with my external ip
it always takes ages until i get the page load error.
I just cannot figure out what is exactly wrong.

Some advice would be great.

Below is the whole script just if somebody
needs it.

Thanks in Advance
Sven

#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2008 under the GPL
# Autogenerated by iptables Generator v1.22 (c) 2002-2008 by Harald Bertram
# Please visit http://harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# sssssrichter@gmx.de on: 2008-11-19 17:12.41 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
# who made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------

case "$1" in
start)
echo "Starte IP-Paketfilter"

# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp

# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Default-Policies setzen
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# MY_REJECT-Chain
iptables -N MY_REJECT

# MY_REJECT fuellen
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable

# MY_DROP-Chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP

# Alle verworfenen Pakete protokollieren
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "

# Korrupte Pakete zurueckweisen
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP

# SYN und FIN gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP

# SYN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP

# FIN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP

# FIN ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP

# PSH ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP

# URG ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP

# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Maximum Segment Size (MSS) für das Forwarding an PMTU anpassen
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -dports 1024:65536
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 22 -j ACCEPT

# OPENVPN_V1
iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 5000 -j ACCEPT

# OPENVPN_V2
iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 1194 -j ACCEPT

# ICMP Echo-Request (ping) zulassen und beantworten
iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

# IP-Adresse des LAN-Interfaces ermitteln
LAN_IP=$(ifconfig eth2 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)

# NAT fuer HTTP
# iptables -A FORWARD -p tcp -m multiport --dports 20,21,80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.1:80
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.1:443

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.15.1
#iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 80 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
#iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -j SNAT --to-source $LAN_IP

# NAT fuer HTTPS
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to-destination 192.168.15.1
#iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 443 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
#iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 443 -j SNAT --to-source $LAN_IP

# NAT fuer SMTP
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 192.168.15.1
iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 25 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 25 -j SNAT --to-source $LAN_IP

# LAN-Zugriff auf eth2
iptables -A INPUT -m state --state NEW -i eth2 -j ACCEPT

# Default-Policies mit REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
iptables -A FORWARD -j MY_REJECT

# Forwarding/Routing
echo "Aktiviere IP-Routing"
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

# SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null

# Stop Source-Routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done

# Stop Redirecting
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done

# Reverse-Path-Filter
for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done

# Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done

# BOOTP-Relaying ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done

# Proxy-ARP ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done

# Ungültige ICMP-Antworten ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null

# ICMP Echo-Broadcasts ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null

# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

# Speicherallozierung und -timing für IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time

# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1

# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2

;;

stop)
echo "Stoppe IP-Paketfilter"
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward

# Default-Policies setzen
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;

status)
echo "Tabelle filter"
iptables -L -vn
echo "Tabelle nat"
iptables -t nat -L -vn
echo "Tabelle mangle"
iptables -t mangle -L -vn
;;

*)
echo "Fehlerhafter Aufruf"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;

esac

RedShift · 2008-11-24 14:30:54

Learn iptables first before you start messing with scripts from other people.

sveri80 · 2008-11-24 17:21:14

RedShift wrote:

Learn iptables first before you start messing with scripts from other people.

Thank you for that great hint.
I dont want to mention that i already read the half iptables tutorial on:
http://iptables-tutorial.frozentux.net/ … orial.html

And i did try out a lot before i found that generator.
Like i said, i just cannot get it working, all i need is a script which is known to be working
somewhere else.

Inbetween i get the feeling that its not the itptables script that is not working but
some Setting on the Exchange Server side.

So, if you got something useful to say i'd really appreciate it.

Thanks in Advance
Sven

fukawi2 · 2008-11-24 22:01:48

RedShift wrote:

Learn iptables first before you start messing with scripts from other people.

Wow. What a productive and helpful reply. Obviously he is trying to learn - by experimentation, by asking on the forums and by reading howto's.

While I don't have an answer off the top of my head, I'll be subscribing to the thread so I can learn too.

RedShift · 2008-11-24 22:47:20

The correct way to forward a port is like this:

-A PREROUTING -i eth1 -p tcp -m tcp --dport 113 -j DNAT --to-destination 192.168.0.110

where eth1 is the incoming interface (thus where the internet is connected to).

Don't try to do everything at once, start by a few little things untill you know how those work and then start combining them.

sveri80 · 2008-12-03 19:03:21

Hm, sry i didnt find time to try earlier.

I did what you suggested and just used a small script:

# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp

# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Default-Policies setzen
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Alle verworfenen Pakete protokollieren
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "

# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.1
iptables -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.1

# ICMP Echo-Request (ping) zulassen und beantworten
iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

# IP-Adresse des LAN-Interfaces ermitteln
LAN_IP=$(ifconfig eth2 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)

# LAN-Zugriff auf eth2
iptables -A INPUT -m state --state NEW -i eth2 -j ACCEPT

# Forwarding/Routing
echo "Aktiviere IP-Routing"
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

And i cannot get it working. Phew, this really drives me insane.
I achieved a lot of things in the last years, learned a lot of
things by doing it myself. But this seems to stop me.
I already tried out so much that i dont know what else i
can do.

I am lost in my lan between all the packages flooding around

Arch Linux

#1 2008-11-24 10:42:30

another iptables thread

#2 2008-11-24 14:30:54

Re: another iptables thread

#3 2008-11-24 17:21:14

Re: another iptables thread

#4 2008-11-24 22:01:48

Re: another iptables thread

#5 2008-11-24 22:47:20

Re: another iptables thread

#6 2008-12-03 19:03:21

Re: another iptables thread

Board footer