Firewall Wizards
mailing list archives
Re: iptables problem forwarding
From: Luca Berra <bluca () comedia it>
Date: Tue, 1 Apr 2003 08:23:43 +0200
On Sun, Mar 30, 2003 at 11:38:31AM -0500, Weazy wrote:
> hello folks.
> i have built an iptables firewall that i am mostly happy with. the main
> problem that still exists is the firewall will not allow connections i do
> want to permit.
> 1. i want to allow ssh
> 2. want to forward port 3389 to an internal machine.
> i posted my iptables here hoping someone can see the mistake.
> i have commented each line so you know what i am trying to do. I have the
> input policy set as drop. i have tried setting that to accept with no change
> in results.
> thank you in advance

the topology is not clear
which are the ip addresses of your interfaces? ok i can guess
eth0 is a private net and eth1 is an external ip (cable modem or
similar)
is 192.168.0.4 routed from outside? i guess not.
with forward do you mean doing port forwarding?

> #allowing one service on this machine ssh
> iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT

udp 22 ?????

> #Allow inbound service
> iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.4 --destination-port 3389 -j ACCEPT

if you want to do port forwarding to internal machine use:
-t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.4

> iptables -A INPUT -p tcp -j LOG -m limit --limit 500/hour --limit-burst 500 --log-prefix "MIRROR: "
> iptables -A INPUT -p tcp -j MIRROR -m limit --limit 500/hour --limit-burst 500

why on earth might you be doing that?????

> iptables -t nat -F
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x

ouch, i thought eth1 was the external interface
L.
--
Luca Berra -- bluca () comedia it
Communication Media & Services S.r.l.
/"\
\ / ASCII RIBBON CAMPAIGN
X AGAINST HTML MAIL
/ \
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
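The points raised in the reply above (TCP-only ssh, DNAT in the nat table plus a matching FORWARD rule, SNAT on the external interface, and no MIRROR target) are pulled together below into one corrected ruleset. This is an added example, not the original poster's script or Luca's. It assumes, following the reply's guess, that eth1 is the external interface and eth0 the internal one; 192.168.0.4 is the internal host from the thread, and EXT_IP is a placeholder for the firewall's public address. The ipt wrapper and the IPTABLES_DRY_RUN switch are conveniences of this example so the rules can be printed and reviewed without root.

```shell
#!/bin/sh
# Added example: corrected version of the ruleset discussed in the thread.
# Assumptions (not stated on the page): eth1 external, eth0 internal,
# 192.168.0.4 is the RDP host, EXT_IP is a placeholder for the public IP.
EXT_IF=eth1
INT_IF=eth0
RDP_HOST=192.168.0.4
EXT_IP="x.x.x.x"   # PLACEHOLDER: replace with the firewall's public address

# Wrapper: with IPTABLES_DRY_RUN=1 the commands are printed instead of run,
# so the ruleset can be reviewed on a machine without root or iptables.
ipt() {
    if [ "${IPTABLES_DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Clean slate, default-deny for traffic to the box and through the box
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and replies belonging to connections already accepted
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 1. ssh to the firewall itself: TCP only, there is no UDP ssh.
    #    The original matched only -i eth0; if ssh must also work from the
    #    outside, the external interface has to be allowed explicitly.
    ipt -A INPUT -i "$INT_IF" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT

    # 2. Port forwarding of 3389 needs two parts:
    #    a) DNAT in the nat table, so the destination is rewritten before
    #       routing; matching -i "$EXT_IF" leaves internal traffic alone.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 3389 \
        -j DNAT --to-destination "$RDP_HOST"
    #    b) a FORWARD rule for the rewritten packet. Inbound traffic arrives
    #       on the external interface and leaves on the internal one; the
    #       original rule had the two the other way round.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$RDP_HOST" \
        --dport 3389 -m state --state NEW -j ACCEPT

    # LAN hosts going out, source-NATed on the EXTERNAL interface
    # (the original SNAT rule used -o eth0, the internal side).
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"

    # Rate-limited logging of what the INPUT policy is about to drop. This
    # replaces the MIRROR target, which bounced packets back at the sender;
    # a firewall should log and drop, not reflect.
    ipt -A INPUT -m limit --limit 500/hour --limit-burst 500 \
        -j LOG --log-prefix "FW-DROP: "
}

# Without ip_forward=1 the kernel never consults the FORWARD chain, so the
# DNAT'ed packets would be silently discarded.
enable_forwarding() {
    if [ "${IPTABLES_DRY_RUN:-0}" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Only act when invoked as "firewall.sh apply"; sourcing the file (e.g. with
# IPTABLES_DRY_RUN=1 to print the rules) changes nothing on the host.
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    apply_rules
fi
```

To review the rules before touching a live box, run `IPTABLES_DRY_RUN=1 sh -c '. ./firewall.sh; apply_rules'` and read the printed commands; the FORWARD rule in 2b is only reached for packets whose destination the PREROUTING DNAT has already rewritten, which is why both are needed and why the interface pair matters.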