port-forwarding & iptables help, please?
Greg Russell
January 17, 2009, 1:05 am
serious help with 2 related items, please.
First I need some intelligent criticism and helpful re-structuring of the following iptables rule set. The FORWARD chain seems wide open for one
Second I need help to properly port forward public requests https://a.b.c.d/ where eth1 is publicly accessible, allowing w.x.y.1/23 to our
:FORWARD ACCEPT [eth0:0]
:INPUT DROP [eth1:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp --syn -s w.x.y.1/23 --dport 8317 -m state --state NEW -j ACCEPT
-A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix
:PREROUTING ACCEPT [1471:303908]
:INPUT ACCEPT [636:240607]
:FORWARD ACCEPT [832:63181]
:OUTPUT ACCEPT [437:39285]
:POSTROUTING ACCEPT [1269:102466]
:PREROUTING ACCEPT [203:14045]
:POSTROUTING ACCEPT [192:12653]
:OUTPUT ACCEPT [20:1217]
-A PREROUTING -i eth1 -p tcp --syn -s w.x.y.0/23 --dport 8317 -j DNAT --to-destination 10.0.0.9:443
-A POSTROUTING -o eth1 -j MASQUERADE
Re: port-forwarding & iptables help, please?
Every packet forwarded anywhere is accepted. To close it, use
:FORWARD DROP [0:0]
Now you need to accept packets initiating new connections and packets related to an established connection:
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
(this is rather wide open, for it accepts _any_ packet related to _any_ established connection; if your paranoia forbids this, narrow it down...)
-A FORWARD -i eth1 -d 10.0.0.9 -m state --state NEW -j ACCEPT
(this is also rather open; to restrict this rule to TCP you can add '-p tcp --syn' and more)
The second last rule is not needed here. Packets to be forwarded somewhere are filtered in the FORWARD chain. The nat table determines which of the filter table's chains apply.
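As an added illustration (not code from either poster), here is a small Python model of the packet path the reply describes: nat PREROUTING DNAT, the routing decision, then the filter table's INPUT or FORWARD chain. It lets you trace why the DNAT'd 8317 traffic never reaches the INPUT rule and what the FORWARD policy change does. Addresses are constructed documentation-range stand-ins for a.b.c.d, w.x.y.0/23 and the firewall's own LAN address; conntrack state is supplied per packet rather than tracked.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins (documentation ranges) for the thread's placeholders.
PUBLIC_IP = ip_address("198.51.100.10")      # a.b.c.d, the eth1 address
TRUSTED = ip_network("192.0.2.0/23")         # w.x.y.0/23
WEB = ip_address("10.0.0.9")                 # internal HTTPS server
LOCAL = {PUBLIC_IP, ip_address("10.0.0.1")}  # firewall's own addresses (assumed)

def pkt(src, dst, dport, state="NEW", proto="tcp", syn=True, iface="eth1"):
    """Build a sample packet; conntrack state is given, not computed."""
    return {"src": ip_address(src), "dst": ip_address(dst), "dport": dport,
            "state": state, "proto": proto, "syn": syn, "in": iface}

def nat_prerouting(p):
    """nat PREROUTING from the post: DNAT trusted TCP SYNs on 8317 to 10.0.0.9:443."""
    if (p["in"] == "eth1" and p["proto"] == "tcp" and p["syn"]
            and p["src"] in TRUSTED and p["dport"] == 8317):
        return {**p, "dst": WEB, "dport": 443}
    return p

def filter_input(p):
    """filter INPUT from the post (policy DROP)."""
    if p["in"] in ("lo", "eth0") or p["state"] in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if (p["proto"] == "tcp" and p["syn"] and p["src"] in TRUSTED
            and p["dport"] == 8317 and p["state"] == "NEW"):
        return "ACCEPT"  # never reached: DNAT already sent these to FORWARD
    return "DROP"

def filter_forward(p, policy):
    """filter FORWARD as the reply suggests; policy is the chain default."""
    if p["in"] == "eth1" and p["state"] in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if (p["in"] == "eth1" and p["dst"] == WEB and p["state"] == "NEW"
            and p["proto"] == "tcp" and p["syn"]):
        return "ACCEPT"
    return policy

def verdict(p, forward_policy="DROP"):
    """Trace one inbound packet: DNAT, routing decision, then filter chain."""
    p = nat_prerouting(p)
    if p["dst"] in LOCAL:                     # destined for this host
        return "INPUT", filter_input(p)
    return "FORWARD", filter_forward(p, forward_policy)
```

Run `verdict(...)` with `forward_policy="ACCEPT"` to see the original wide-open behaviour, and with `"DROP"` to see only the intended flows pass.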