You need to forward internal HTTP requests to the internal server too.
When you request a page from an internal machine, it looks for
that page on the router itself.
# Placeholders: both must be filled in for the site before these rules are loaded.
EXTIP="the ip # assigned by your isp"
WEBSERVER="192.168.1.??? of webserver"
# nat/PREROUTING: rewrite the destination of port-80 traffic for the public
# address to the web server. NOTE(review): -i eth1 limits this to packets
# entering on eth1 -- presumably the LAN side here, since the author says eth0
# is the uplink -- i.e. this is the rule for LAN clients that connect to the
# public address; the uplink-side DNAT is assumed to exist separately.
# One rule, wrapped for e-mail:
-A PREROUTING -p tcp -m tcp -d $EXTIP -i eth1 --dport 80 -j DNAT
--to-destination $WEBSERVER
You also need to route all internal responses as if they came from the
router's assigned IP:
# nat/POSTROUTING: rewrite the source of everything from 192.168.0.0/16 to the
# public address, so the web server answers the LAN client back through the
# router rather than directly. NOTE(review): the rule is not restricted with
# -d $WEBSERVER, so the web server will see $EXTIP as the client address for
# every LAN client (its access logs lose the real source); add -d $WEBSERVER
# if only the hairpin flows should be rewritten.
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -j SNAT --to-source $EXTIP
and drop any traffic for the internal network from going out to the world:
# filter/OUTPUT: never let the router itself send packets addressed to the
# private range out of the uplink (ppp0 in this line; the author's own uplink
# is eth0 per the text below, so -o must match the real uplink interface).
-A OUTPUT -d 192.168.0.0/255.255.0.0 -o ppp0 -j DROP
You should also add some drop rules so your router is stealthy to port
scans and Microsoft's vulnerable ports. This is my list (my internet
interface is eth0 [DSL], not ppp0):
# filter/INPUT drops for the uplink (eth0 here), in iptables-restore syntax.
# NOTE(review): the nat rules above (PREROUTING/POSTROUTING) and these filter
# rules belong in separate *nat and *filter sections, each ended by its own
# COMMIT, if this list is loaded with iptables-restore.
# Anything arriving from the internet with a private destination.
-A INPUT -d 192.168.0.0/255.255.0.0 -i eth0 -j DROP
# All ICMP from the internet. NOTE(review): this also discards
# fragmentation-needed messages, so path-MTU discovery through this router can
# break; consider dropping only echo-request.
-A INPUT -p icmp -i eth0 -j DROP
# Commonly: 1900 SSDP/UPnP, 6000 X11, 3128 squid.
-A INPUT -p udp -m multiport -m udp -i eth0 -j DROP --dports 1900,6000,3128
# Commonly: 1720 H.323, 5000 UPnP, 6000 X11, 3128 squid. One rule, wrapped for e-mail:
-A INPUT -p tcp -m tcp -m multiport -i eth0 -j DROP --dports
1720,5000,6000,3128
# The whole privileged range; the DNAT above happens in PREROUTING, before
# INPUT, so forwarded port-80 traffic is not affected by this.
-A INPUT -p tcp -m tcp -i eth0 --dport 0:1024 -j DROP
# Microsucks DCOM
-A INPUT -p tcp -m tcp -i eth0 --dport 1026:1030 -j DROP
# NOTE(review): the blocklist chain is referenced below but, in this fragment,
# neither declared (":blocklist - [0:0]") nor jumped to from INPUT/FORWARD;
# without both, these anti-spoofing drops never see a packet.
# iana-reserved (Private class A)
-A blocklist -s 10.0.0.0/8 -i eth0 -j DROP
# iana-reserved (Private class B)
-A blocklist -s 172.16.0.0/12 -i eth0 -j DROP
# iana-reserved (Private class C)
-A blocklist -s 192.168.0.0/16 -i eth0 -j DROP
# iana-reserved
# NOTE(review): bogon lists go stale -- 223/8 has since been allocated;
# re-check each entry against the current IANA registry before keeping it.
-A blocklist -s 223.0.0.0/8 -i eth0 -j DROP
# iana-reserved (IPv4 multicast)
# (/3 spans 224.0.0.0-255.255.255.255: 224/4 multicast plus 240/4 reserved.)
-A blocklist -s 224.0.0.0/3 -i eth0 -j DROP
-A INPUT -p udp -m udp -i eth0 --dport 0:1024 -j DROP
# Microsucks DCOM
-A INPUT -p udp -m udp -i eth0 --dport 1026:1030 -j DROP
COMMIT
Bart wrote:
> I set up a Linux router so it acts as a gateway to the internet for my
> local net.
> It uses masquerading and, in addition to that, some port forwarding.
> My problem is that if I try to access my domain using the public IP, let's
> say on port 80, it is not forwarded to the webserver, but it is dropped
> somewhere in iptables. If I come from outside, everything works great.
> this is my script:
>
> [root@localhost rc.d]# cat firewall
> #!/bin/bash
>
> # NOTE(review): there is no 'set -e'/'set -u' here, so a failing iptables
> # call (e.g. the -X of a chain that does not exist yet on a first run) is
> # only printed and the script carries on.
> #defaults
> IPT=/sbin/iptables
>
> #internet interface
> IF1=ppp0
>
> #local network interface
> # (IF2 and VPN are not referenced anywhere else in this script as shown.)
> IF2=eth0
> VPN="eth0 ppp1"
>
> #servers subnet
> # (The per-service octets below are not used either: FPORTS hard-codes 253/251.)
> SUBNET="192.168.1."
> SSH=253
> SMTP=253
> HTTP=253
> HTTPS=253
> POP3S=253
> VOIP=251
>
> ACTION=""
> #firewall allowed ports - ip type,port
> # Whitespace-separated protocol/port pairs, consumed two at a time by the
> # 'pass' loop below.
> # NOTE(review): if "tcp 47" was meant to admit GRE for PPTP (1723), note
> # that GRE is IP protocol 47, not TCP port 47 -- that needs -p gre.
> PORTS="tcp 22 tcp 25 tcp 80 tcp 443 tcp 995 tcp 1723 tcp 47 udp 4569
> udp 5036 udp 5060 tcp 5060 udp 10000:20000"
>
> #forward ports - ip type,port,last ip octet
> # Triples consumed by the DNAT loop below.
> FPORTS="tcp 22 253 tcp 25 253 tcp 80 253 tcp 443 253 tcp 995 253 udp
> 4569 251 udp 5036 251 udp 5060 251 tcp 5060 251 udp 10000:20000 251"
>
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
>
> # 'status': list the filter and nat tables and leave everything untouched.
> if [ "$1" = "status" ]
> then
> $IPT -L
> $IPT -t nat -L
> exit
> fi
>
> #delete all rules
> # Flush both tables and delete the user chains created further down.
> # NOTE(review): no chain policy is ever set (-P) anywhere in this script; it
> # relies on the existing (presumably ACCEPT) policies and on the 'block'
> # chain as the final DROP, so after 'stop' nothing filters at all.
> $IPT -F
> $IPT -t nat -F
> $IPT -X block
> $IPT -X pass
> $IPT -X udplog
> $IPT -X tcplog
> $IPT -X icmplog
>
> # 'stop': the tables have just been flushed; exit before rebuilding them.
> if [ "$1" = "stop" ]
> then
>
> exit
> fi
>
>
> #masquerading is enabled
> # Everything leaving via the uplink gets the uplink's address as source.
> $IPT -t nat -A POSTROUTING -o $IF1 -j MASQUERADE
>
> #enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Reverse-path filtering on every interface: a packet whose source address
> # would not be routed back out of the interface it arrived on is discarded.
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 1 > $f
> done
>
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
>
> # 'block': the terminal chain for INPUT and FORWARD (jumped to last).
> # Accepts replies to existing connections and anything NEW that did not
> # arrive on the uplink; logs (rate-limited) and drops the rest.
> # NOTE(review): '-i ! $IF1' is the old negation syntax; newer iptables
> # releases expect '! -i $IF1'.
> $IPT -N block
> $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A block -m state --state NEW -i ! $IF1 -j ACCEPT
> $IPT -A block -i $IF1 -m limit -j LOG --log-prefix "Bad packet from
> $IF1:"
> $IPT -A block -i ! $IF1 -m limit -j LOG --log-prefix "Bad packet not
> from $IF1:"
> $IPT -A block -j DROP
>
> # NOTE(review): the three FORWARD rules below are ACCEPTs placed ahead of
> # 'pass' and 'block'. Each admits matching forwarded packets up to the
> # limit (1/s plus the default burst) from any interface to any port,
> # ahead of the port list; packets over the limit simply continue to the
> # later rules, so these rules never drop anything. A rate-limit
> # protection needs the limited ACCEPT followed by a DROP for the same
> # match.
> #Syn-flood protection:
> $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
>
> #Furtive port scanner:
> $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit
> 1/s -j ACCEPT
>
> #Ping of death:
> $IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s
> -j ACCEPT
>
>
> #PORT FORWARDING
> # (Lists the current nat/PREROUTING chain; looks like leftover debugging.)
> $IPT -L PREROUTING -t nat
>
> # Word-split FPORTS into the positional parameters and consume them three
> # at a time: protocol, port, last octet of the target host.
> # NOTE(review): '-i $IF1' means only packets entering on the uplink are
> # redirected. A LAN client that connects to the public address enters on
> # eth0, does not match here, and is delivered to the router's own INPUT
> # chain instead -- where 'block' accepts it as NEW from a non-uplink
> # interface, but presumably nothing listens on that port. That is the
> # behaviour asked about below; a second DNAT for the LAN interface plus
> # an SNAT back to the router for those flows (hairpin NAT) is the usual
> # remedy.
> set $FPORTS
> while [ $# -gt 0 ] ; do
> $IPT -t nat -A PREROUTING -p $1 --dport $2 -i $IF1 -j DNAT --to
> $SUBNET$3
> shift;shift;shift
> done
>
>
> #LAN allow connections inside the network
> # NOTE(review): despite the comment, both rules match '-i $IF1' (the
> # uplink, ppp0), not the LAN interface: the first accepts anything from
> # the uplink that carries a LAN source address (only rp_filter above
> # stands in the way of such spoofed packets), the second accepts anything
> # from the uplink addressed into 192.168.1.0/24 on any port, ahead of the
> # port list. If the LAN side was meant, this should be $IF2.
> $IPT -A INPUT -i $IF1 -p all --source 192.168.1.0/24 -j ACCEPT
> $IPT -A FORWARD -i $IF1 -p all -d 192.168.1.0/24 -j ACCEPT
>
>
> # 'pass': allowed inbound services on the uplink, consumed in
> # protocol/port pairs from PORTS. It is jumped to from both INPUT and
> # FORWARD, so the same list opens ports on the router itself and on the
> # forwarded hosts.
> set $PORTS
> $IPT -N pass
> while [ $# -gt 0 ] ; do
> $IPT -A pass -i $IF1 -p $1 --destination-port $2 -j ACCEPT
> shift;shift;
> done
> $IPT -A INPUT -j pass
> $IPT -A FORWARD -j pass
>
> #logging
> # LOG is non-terminating: these chains record (rate-limited) what reaches
> # INPUT from the uplink without having been accepted above, then return.
> $IPT -N udplog
> $IPT -A udplog -p udp -i $IF1 -m limit -j LOG --log-prefix "UDP from
> $IF1:"
> $IPT -N tcplog
> $IPT -A tcplog -p tcp -i $IF1 -m limit -j LOG --log-prefix "TCP from
> $IF1:"
> $IPT -N icmplog
> $IPT -A icmplog -p icmp -i $IF1 -m limit -j LOG --log-prefix "ICMP from
> $IF1:"
>
> $IPT -A INPUT -j udplog
> $IPT -A INPUT -j tcplog
> $IPT -A INPUT -j icmplog
>
>
> # Final disposition for both chains (see 'block' above).
> $IPT -A INPUT -j block
> $IPT -A FORWARD -j block
>
>
>
> Why are packets from, let's say, 192.168.1.1 dropped and not forwarded to
> the webserver if I use the public IP?
> How do they travel through iptables?
>
>
> thanks
>
|