This is all the rules I currently have on the server:
/usr/sbin/iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 6112 -j DNAT --to 10.0.0.3:6112
/usr/sbin/iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 1513 -j DNAT --to 10.0.0.3:1513
/usr/sbin/iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/usr/sbin/iptables -A FORWARD -i eth0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A FORWARD -j LOG
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
I need some help with some really basic needs. All I need to allow on this server is for people to be able to connect to it on ports 1513 and 6112, in and out, as well as being able to ping the server; nothing else is needed on the firewall for external access.
eth0 is the local network interface and eth1 the external network interface. I use 10.0.0.0/255.255.255.0 as my local network.
Are these rules sufficient for my needs, or am I missing anything?
UPDATE:
root@server:~# iptables -L; iptables -t nat -L; iptables -t mangle -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:6112 to:10.0.0.3:6112
DNAT tcp -- anywhere anywhere tcp dpt:fujitsu-dtc to:10.0.0.3:1513
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
You're missing a second line for each of the PREROUTING commands. You've changed the destination IP, but there's nothing in the FORWARD table to actually allow the traffic.
Try the following extra commands:
/usr/sbin/iptables -A FORWARD -i eth1 -p tcp -d 10.0.0.3 --dport 6112 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i eth1 -p tcp -d 10.0.0.3 --dport 1513 -j ACCEPT
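One way to write the complete set the thread describes, as an added example rather than code from the question or the answer: each DNAT rule paired with the FORWARD accept the answer asks for, ping allowed to the host, masquerading for the LAN, and default-deny INPUT/FORWARD policies in place of the ACCEPT policies shown in the listing above. It uses -m conntrack instead of the older -m state; interfaces and addresses are the ones from the question, and the IPT variable is my addition so the script only prints the rules unless IPT=/usr/sbin/iptables is set.

```shell
#!/bin/sh
# Added example, not code from the thread. IPT defaults to "echo" so the
# script only prints the rules; run with IPT=/usr/sbin/iptables (as root)
# to apply them. Addresses and interfaces are those given in the question.
IPT="${IPT:-echo}"
EXT=eth1        # external interface
INT=eth0        # LAN interface
LAN=10.0.0.0/24
GAMEHOST=10.0.0.3

# DNAT in PREROUTING only rewrites the destination address; the rewritten
# packet is then filtered by FORWARD, where it already carries the internal
# address, so every forwarded port needs this pair of rules.
forward_port() {
    port="$1"
    $IPT -t nat -A PREROUTING -i "$EXT" -p tcp --dport "$port" \
        -j DNAT --to-destination "$GAMEHOST:$port"
    $IPT -A FORWARD -i "$EXT" -o "$INT" -p tcp -d "$GAMEHOST" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_ruleset() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    # Default-deny for traffic to and through the host (the posted set uses ACCEPT).
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$INT" -s "$LAN" -j ACCEPT
    # The only thing the outside may open towards the host itself: ping.
    $IPT -A INPUT -i "$EXT" -p icmp --icmp-type echo-request -j ACCEPT

    # MSS clamp as in the original set, then replies, then LAN -> Internet.
    $IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -j ACCEPT
    forward_port 6112
    forward_port 1513
    # Everything else arriving from outside is logged, then hits the DROP policy.
    $IPT -A FORWARD -i "$EXT" -j LOG --log-prefix "fw-forward-drop: "

    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE
}

apply_ruleset
```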
Look at Shorewall and its example 2-interface solution. It is easy to enable particular inbound ports and set up masquerading. Your rule will likely include these: