IP Forwarding from Local IP to Live IP

Taylor, Grant gtaylor at riverviewtech.net
Tue Apr 19 21:12:13 CEST 2005


> LOCALLINK="eth0"
> GLOBALLINK="eth1"
> ROUTER="yes"
> NAT="10.0.0.3"
> INTERFACES="lo eth0 eth1"
> SERVICES="8080 80"
> 
> if [ "$1" = "start" ]
> then
>         echo "Starting firewall..."
>         iptables --flush
>         iptables --table nat --flush
>         iptables --delete-chain
>         iptables --table nat --delete-chain
>         iptables -P INPUT DROP
>         iptables -A INPUT -i ! ${GLOBALLINK} -j ACCEPT
>         iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>         #enable public access to certain services
>         for x in ${SERVICES}
>         do
>             iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
>         done
>        iptables -A INPUT -p tcp -i ${GLOBALLINK} -j REJECT --reject-with tcp-reset
>        iptables -A INPUT -p udp -i ${GLOBALLINK} -j REJECT --reject-with icmp-port-unreachable
>         #explicitly disable ECN
>         if [ -e /proc/sys/net/ipv4/tcp_ecn ]
>         then
>                 echo 0 > /proc/sys/net/ipv4/tcp_ecn
>         fi
> 
>         #disable spoofing on all interfaces
>         for x in ${INTERFACES}
>         do
>                 echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
>         done
> 
>         if [ "$ROUTER" = "yes" ]
>         then
>                 #we're a router of some kind, enable IP forwarding
>                 echo 1 > /proc/sys/net/ipv4/ip_forward
>                 if [ "$NAT" = "dynamic" ]
>                 then
>                         #dynamic IP address, use masquerading
>                         echo "Enabling masquerading (dynamic ip)..."
>                         iptables --table nat --append POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>                         iptables --table nat --append POSTROUTING --out-interface ${GLOBALLINK} -j MASQUERADE
>                         iptables --append FORWARD --in-interface ${LOCALLINK} -j ACCEPT
> 
> #################################
> iptables -t nat -A PREROUTING -i $GLOBALLINK -d 203.87.141.9 -p tcp --dport
> 8080 -j DNAT --to-destination 192.168.1.11:8080
> iptables -t nat -A PREROUTING -i $GLOBALLINK -d 203.87.141.9 -p udp --dport
> 8080 -j DNAT --to-destination 192.168.1.11:8080
> iptables -t nat -A POSTROUTING -o $LOCALLINK -d 192.168.1.11 -p tcp --dport
> 8080 -j SNAT --to-source 192.168.1.1
> iptables -t nat -A POSTROUTING -o $LOCALLINK -d 192.168.1.11 -p udp --dport
> 8080 -j SNAT --to-source 192.168.1.1
> #################################
> 
>                 elif [ "$NAT" != "" ]
>                 then
>                         #static IP, use SNAT
>                         echo "Enabling SNAT (static ip)..."
>                         iptables --table nat --append POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>                         iptables --table nat --append POSTROUTING --out-interface ${GLOBALLINK} -j SNAT --to-source ${NAT}
>                         iptables --append FORWARD --in-interface ${LOCALLINK} -j ACCEPT
> 
>                 fi
>         fi
> 
> elif [ "$1" = "stop" ]
> then
>         echo "Stopping firewall..."
>         iptables -F INPUT
>         iptables -F FORWARD
>         iptables -P INPUT ACCEPT
>         #turn off NAT/masquerading, if any
>         iptables -t nat -F POSTROUTING
> fi

Try moving your rules from the section they are in now into the "then...fi" block below it (the static-IP SNAT branch). Because you have NAT set to something other than "dynamic", the section your rules are in at present will never be executed.



Grant. . . .


