port forwarding to internal network

Wooi Koay wooi@bigfoot.com
Sat, 6 Oct 2001 07:34:51 -0400


The following is my rc.firewall file.  Notice that at the end of it, I
reforward all packets to port 3389 (for MS terminal service) to one of
the boxes inside my internal network.  However, I don't seem to be able to
connect to port 3389 from outside.  Am I missing something?  I also
attached the results of "iptables -L -nat -vn" and "iptables -L -vn".

Also, eth0 connects to the outside world while eth1 connects to the
internal LAN.  Thanks in advance.

Wooi.


** begin rc.firewall ************************************************
###############################################################
INTERNAL_INTERFACE="eth1"
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
TCP_PUBLIC_SERVICES="22,25,80,113,143,443"
UDP_PUBLIC_SERVICES="22,25,80,113,143,443"
TCP_PRIVATE_SERVICES="137,138,139,445"
UDP_PRIVATE_SERVICES="137,138,139,445"
EXTERNAL_IP="MY_EXTERNAL_IP"
TRUSTED_HOST="XXX.XXX.XXX.XXX"
###############################################################
# Flush all chains
iptables -F FORWARD
iptables -F OUTPUT
iptables -F INPUT
iptables -F -t nat

# Set the default policy
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

###############################################################
# Allow unlimited traffic on the loopback interface
###############################################################
iptables -t filter -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -t filter -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

###############################################################
# Turn on public services
###############################################################
# replies to connections this box opened, or related to them
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A INPUT -m state --state NEW -p tcp -m multiport \
    --destination-port $TCP_PUBLIC_SERVICES -j ACCEPT

iptables -t filter -A INPUT -m state --state NEW -p udp -m multiport \
    --destination-port $UDP_PUBLIC_SERVICES -j ACCEPT

###############################################################
# Turn on private services
###############################################################
# SMB/NetBIOS only from the internal interface
iptables -t filter -A INPUT -m state --state NEW -p tcp -i $INTERNAL_INTERFACE \
    -m multiport --destination-port $TCP_PRIVATE_SERVICES -j ACCEPT

iptables -t filter -A INPUT -m state --state NEW -p udp -i $INTERNAL_INTERFACE \
    -m multiport --destination-port $UDP_PRIVATE_SERVICES -j ACCEPT

###############################################################
# Turn on IP Masquerade
###############################################################
# accept packets from internal lan
iptables -t filter -A INPUT -i $INTERNAL_INTERFACE -j ACCEPT

# accept packets related to connections made by us
iptables -t filter -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
    -s 0.0.0.0/0 -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept packets from inside
iptables -t filter -A FORWARD -i $INTERNAL_INTERFACE -j ACCEPT

# set nat rules
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s 192.168.0.0/24 \
    -j SNAT --to-source $EXTERNAL_IP

echo 1 > /proc/sys/net/ipv4/ip_forward


###############################################################
# Route to internal network
###############################################################
#iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.0.21:3389
#iptables -t nat -A PREROUTING -p udp --dport 3389 -j DNAT --to 192.168.0.21:3389

# -i limits the rewrite to packets that arrive on the external interface
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp --dport 3389 \
    -j DNAT --to 192.168.0.21
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p udp --dport 3389 \
    -j DNAT --to 192.168.0.21


###############################################################
# Logging
###############################################################
#iptables -A INPUT -j LOG --log-prefix "ALERT INPUT "

#iptables -A FORWARD -m limit --limit-burst 1 -j LOG --log-level warning --log-prefix "ALERT FORWARD "

#iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST ACK -m state --state NEW -m limit -j LOG --log-prefix "ALERT: possible ACK scan."

#iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST ACK -m state --state NEW -j REJECT --reject-with tcp-reset

#iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 1/s -j LOG --log-prefix "ALERT: possible scan detected"

#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#iptables -A INPUT -p tcp --tcp-option 64 -m limit -j LOG --log-prefix "Invalid tcpopt scan (64):"

#iptables -A INPUT -p tcp --tcp-option 64 -j DROP

#iptables -A INPUT -p tcp --tcp-option 128 -m limit -j LOG --log-prefix "Invalid tcpopt scan (128):"

#iptables -A INPUT -p tcp --tcp-option 128 -j DROP

** end rc.firewall **************************************************


** begin iptables -L -nat -vn ***********************************************
Chain PREROUTING (policy ACCEPT 353 packets, 22093 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:3389 to:192.168.0.21
    0     0 DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          udp dpt:3389 to:192.168.0.21

Chain POSTROUTING (policy ACCEPT 171 packets, 17404 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth0    192.168.0.0/24       0.0.0.0/0          to:24.42.113.252

Chain OUTPUT (policy ACCEPT 166 packets, 17164 bytes)
 pkts bytes target     prot opt in     out     source               destination

** end iptables -L -nat -vn *************************************************


** begin iptables -L -vn ****************************************************
Chain INPUT (policy DROP 8 packets, 691 bytes)
 pkts bytes target     prot opt in     out     source               destination
  132  9240 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 8672  582K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    5   256 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW multiport dports 22,25,80,113,143,443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW multiport dports 22,25,80,113,143,443
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW multiport dports 137,138,139,445
    3   712 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW multiport dports 137,138,139,445
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3865  539K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.0.0/24     state RELATED,ESTABLISHED
 3919  506K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12281 packets, 13877050 bytes)
 pkts bytes target     prot opt in     out     source               destination
  132  9240 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
** end iptables -L -vn ******************************************************
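Added example, not the poster's script: the same 3389 forward written with an explicit FORWARD rule for the DNATed flow and a FORWARD policy of DROP, plus a small check that reads an "iptables -t nat -L -vn" listing and prints the packet counter of every DNAT rule, since a counter that stays at 0 (as in the listing above) means no packet ever reached the rule; one case that produces exactly that is testing from the LAN, where the packets arrive on eth1 rather than eth0. Interface names and the LAN host come from the post; the IPT variable, the function names and the dpt:443 row in the sample listing are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): forward TCP 3389 from eth0 to
# 192.168.0.21 with explicit FORWARD rules instead of a FORWARD policy of
# ACCEPT, and read the DNAT packet counters from an iptables listing.
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of applying them
EXT_IF="eth0"
INT_IF="eth1"
RDP_HOST="192.168.0.21"
RDP_PORT="3389"

forward_rdp() {
    # Rewrite the destination only for packets that arrive on the outside
    # interface. A test made from the LAN reaches the public IP via eth1,
    # so it never hits this rule and the rule's pkts counter stays at 0.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$RDP_PORT" \
        -j DNAT --to-destination "$RDP_HOST:$RDP_PORT"
    # FORWARD sees the packet after DNAT, i.e. with the LAN host as its
    # destination. Permit exactly that flow as NEW, plus reply traffic.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$RDP_HOST" \
        --dport "$RDP_PORT" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate-limited) and drop anything else that tries to cross the box.
    $IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FORWARD DROP "
    $IPT -P FORWARD DROP
}

# Print "<pkts> <proto> <dport> <target>" for every DNAT rule in an
# "iptables -t nat -L -vn" listing read from stdin, so a 0 stands out.
dnat_hits() {
    awk '$3 == "DNAT" { d = t = ""
                        for (i = 10; i <= NF; i++) { if ($i ~ /^dpt:/) d = $i
                                                     if ($i ~ /^to:/)  t = $i }
                        print $1, $4, d, t }'
}

# Constructed sample in the shape of the poster's listing; the 443 row is invented.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 353 packets, 22093 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:3389 to:192.168.0.21
   17  1020 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:192.168.0.10'

# Apply only when asked ("sh forward_rdp.sh apply"); otherwise just preview.
if [ "${1:-}" = "apply" ]; then
    forward_rdp
else
    printf '%s\n' "$SAMPLE_NAT" | dnat_hits
fi
```

On a live box the same check is "iptables -t nat -L PREROUTING -vn | dnat_hits"; a 0 on the 3389 row while the outside client reports a failed connect points at the path in front of the rule, not at FORWARD.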