I'm having some issues with my port forwards. NAT seems to work OK, and one of the port forwards seems to work (UDP port 7887 to machine 192.168.1.100), but not the others.
I doubt that it matters, but eth1 and eth2 are located on a dual-port NIC.
WAN internet access is provided via DHCP, so a solution should be WAN_IP-independent if possible.
/opt/firewall.sh

#!/bin/sh
WAN="eth1"
LAN="eth2"
#ifconfig $LAN up
#ifconfig $LAN 192.168.1.1 netmask 255.255.255.0
# Enable routing between the interfaces (both lines set the same sysctl).
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1
# Start from empty tables.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Default deny in every chain; everything below is an explicit exception.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# The router trusts the LAN side fully and may send on both interfaces.
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $WAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Return traffic back into the LAN, anything LAN -> WAN, masqueraded behind the WAN address.
iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Allow ICMP echo reply/destination unreachable/time exceeded.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# Port forwards: each one needs a PREROUTING DNAT (nat table) plus a matching FORWARD ACCEPT (filter table).
# SSH
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT
# WWW
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT
# TOR
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT
# I2P
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -L -v

Chain PREROUTING (policy ACCEPT 1047K packets, 80M bytes)
 pkts bytes target     prot opt in     out    source     destination
    5   232 DNAT       tcp  --  eth1   any    anywhere   anywhere     multiport dports ssh to:192.168.1.250
    1    60 DNAT       tcp  --  eth1   any    anywhere   anywhere     tcp dpt:www to:192.168.1.99:80
    0     0 DNAT       tcp  --  eth1   any    anywhere   anywhere     multiport dports 9001,9030 to:192.168.1.250
    0     0 DNAT       tcp  --  eth1   any    anywhere   anywhere     multiport dports 7887 to:192.168.1.100
12166 4042K DNAT       udp  --  eth1   any    anywhere   anywhere     multiport dports 7887 to:192.168.1.100
    0     0 DNAT       tcp  --  eth1   any    anywhere   anywhere     multiport dports 8887 to:192.168.1.250
    0     0 DNAT       udp  --  eth1   any    anywhere   anywhere     multiport dports 8887 to:192.168.1.250

Chain POSTROUTING (policy ACCEPT 12313 packets, 4085K bytes)
 pkts bytes target     prot opt in     out    source     destination
 637K   46M MASQUERADE all  --  any    eth1   anywhere   anywhere

Chain OUTPUT (policy ACCEPT 395 packets, 62752 bytes)
 pkts bytes target     prot opt in     out    source     destination

iptables -L -v

Chain INPUT (policy DROP 9336 packets, 846K bytes)
 pkts bytes target prot opt in     out    source     destination
    1    76 ACCEPT all  --  lo     any    anywhere   anywhere
  467 55711 ACCEPT all  --  eth2   any    anywhere   anywhere
   64  5598 ACCEPT all  --  any    any    anywhere   anywhere       state RELATED,ESTABLISHED
    0     0 ACCEPT icmp --  any    any    anywhere   anywhere       icmp echo-reply
   18  1796 ACCEPT icmp --  any    any    anywhere   anywhere       icmp destination-unreachable
    0     0 ACCEPT icmp --  any    any    anywhere   anywhere       icmp time-exceeded

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in     out    source     destination
60586   29M ACCEPT all  --  any    eth2   anywhere   anywhere       state RELATED,ESTABLISHED
70888  126M ACCEPT all  --  eth2   eth1   anywhere   anywhere
    0     0 ACCEPT tcp  --  eth1   eth2   anywhere   192.168.1.250  multiport dports ssh
    0     0 ACCEPT tcp  --  any    any    anywhere   192.168.1.99   tcp dpt:www state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  eth1   eth2   anywhere   192.168.1.250  multiport dports 9001,9030
    0     0 ACCEPT tcp  --  eth1   eth2   anywhere   192.168.1.100  multiport dports 7887
  646  310K ACCEPT udp  --  eth1   eth2   anywhere   192.168.1.100  multiport dports 7887
    0     0 ACCEPT tcp  --  eth1   eth2   anywhere   192.168.1.250  multiport dports 8887
    0     0 ACCEPT udp  --  eth1   eth2   anywhere   192.168.1.250  multiport dports 8887

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in     out    source     destination
  157 13421 ACCEPT all  --  any    lo     anywhere   anywhere
   76  9678 ACCEPT all  --  any    eth1   anywhere   anywhere
  159 26706 ACCEPT all  --  any    eth2   anywhere   anywhere
Access testing:

me@external-host $ ssh WAN_IP
ssh: connect to host WAN_IP port 22: Connection timed out

me@external-host $ wget WAN_IP
--2012-05-06 15:46:50-- http://WAN_IP/
Connecting to |WAN_IP|:80... failed: Connection timed out.
Access testing logs:
May 8 21:04:18 router kernel: [11692.837693] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=35931 DF PROTO=TCP SPT=52319 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:19 router kernel: [11693.837174] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24784 DF PROTO=TCP SPT=52320 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:20 router kernel: [11694.835943] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57280 DF PROTO=TCP SPT=52321 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:21 router kernel: [11695.835159] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10721 DF PROTO=TCP SPT=52322 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:22 router kernel: [11696.833763] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19002 DF PROTO=TCP SPT=52323 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:23 router kernel: [11697.832960] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17468 DF PROTO=TCP SPT=52324 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:24 router kernel: [11698.831733] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=32834 DF PROTO=TCP SPT=52325 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:25 router kernel: [11699.830620] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=28252 DF PROTO=TCP SPT=52326 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:26 router kernel: [11700.829493] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43537 DF PROTO=TCP SPT=52327 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:27 router kernel: [11701.829118] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=55720 DF PROTO=TCP SPT=52328 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
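A systematic way to read the two listings above, added here as an example and not part of the question: the script pairs every DNAT rule in `iptables -t nat -L -v` with its FORWARD ACCEPT rule in `iptables -L -v` and uses the packet counters to separate "nothing ever reached the router" (DNAT counter zero, which is what a changed WAN address looks like) from "reached the router but not forwarded" and "no FORWARD rule at all". The embedded listings are constructed excerpts modelled on the ones above, and the verdict texts and the small service-name table are my own assumptions.

```python
import re
# Constructed excerpts in `iptables -t nat -L -v` / `iptables -L -v` format, modelled on the
# listings in the question; they were not captured from a live router.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 1047K packets, 80M bytes)
    1    60 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:www to:192.168.1.99:80
    0     0 DNAT tcp -- eth1 any anywhere anywhere multiport dports 9001,9030 to:192.168.1.250
12166 4042K DNAT udp -- eth1 any anywhere anywhere multiport dports 7887 to:192.168.1.100
    0     0 DNAT udp -- eth1 any anywhere anywhere multiport dports 8887 to:192.168.1.250
"""
FILTER_LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    0     0 ACCEPT tcp -- any any anywhere 192.168.1.99 tcp dpt:www state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.250 multiport dports 9001,9030
  646  310K ACCEPT udp -- eth1 eth2 anywhere 192.168.1.100 multiport dports 7887
"""
SERVICES = {"ssh": 22, "www": 80, "https": 443}   # names iptables -L prints instead of numbers
MISSING = "no FORWARD ACCEPT rule for this DNAT target"
NO_TRAFFIC = "DNAT never matched: nothing reached PREROUTING, verify the WAN address under test"
FWD_MISS = "DNAT matched but FORWARD did not: interface/state match differs or counters were reset"
OK = "ok"
def count(token):
    """'12166' -> 12166, '4042K' -> 4042000 (iptables -v abbreviates large counters)."""
    n, unit = re.fullmatch(r"(\d+)([KMG]?)", token).groups()
    return int(n) * {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}[unit]

def parse_rules(listing, target):
    """Yield (proto, port, lan_host, pkts) per rule; lan_host is 'to:' for DNAT, else dest column."""
    for line in listing.splitlines():
        f = line.split()
        ports = re.search(r"(?:dports |dpt:)([\w,]+)", line)
        if len(f) < 9 or f[2] != target or not ports:
            continue    # chain header, or a rule with no destination-port match
        host = re.search(r"to:([\d.]+)", line).group(1) if target == "DNAT" else f[8]
        for p in ports.group(1).split(","):
            yield f[3], SERVICES.get(p) or int(p), host, count(f[0])

def diagnose(nat_listing, filter_listing):
    """Pair each DNAT rule with its FORWARD ACCEPT rule and read both packet counters."""
    accepts = {r[:3]: r[3] for r in parse_rules(filter_listing, "ACCEPT")}
    verdicts = {}
    for proto, port, host, dnat_pkts in parse_rules(nat_listing, "DNAT"):
        fwd_pkts = accepts.get((proto, port, host))   # None: no ACCEPT rule for this host/port
        if fwd_pkts is None:
            verdicts[proto, port, host] = MISSING
        elif dnat_pkts == 0:
            verdicts[proto, port, host] = NO_TRAFFIC
        else:
            verdicts[proto, port, host] = FWD_MISS if fwd_pkts == 0 else OK
    return verdicts
```

On a live router, feed `diagnose()` the output of the two listing commands instead of the constructed strings; a DNAT counter that stays at zero while you test from outside means the packets are not arriving at eth1 at all, so the firewall rules are not the first thing to look at.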
It turns out that one internal machine was down and that my WAN_IP had changed (due to DHCP).
During my troubleshooting I beefed up the script a bit, and it is now fully functional without being overly fancy. Feel free to grab a copy!
/opt/firewall.sh