If I am understanding your question, you are trying to get your friend to
connect to a server you have access to by "bouncing off" of your machine.  I
am assuming that your friend is NOT behind your firewall but on his own
connection to the internet?

If this is the case, one thing that stands out here is the fact that you are
using NAT to accomplish this.  This is possible.  I was doing the same sort
of thing at my company for internal people that were trying to connect to a
NAT'd address from internally.  The problem that arises is that you create a
"3 point TRIANGLE" path for your data using the rules you show here.

Point A = Friend's machine
Point B = Your Firewall
Point C = Outside Server

Packets pass from A to B to C then back to A.  Your friend sends a packet
(tries to make a connection to your IP address) to the "server".  Your box
takes that packet and rewrites its destination address to be the outside
server and forwards it on.  The outside server gets this packet, processes
it and tries to respond.  Of course, it doesn't know about the "NAT" so it
sends its response back to your friend's machine directly.  When your
friend's machine gets the packet from the Server, it doesn't know what to do
with it.  The packet appears as trash because it doesn't come from any
machine that it sent data to.

The solution is to put a SNAT rule into the firewall. This rule SNATs any
of these connections to your IP address and will preserve the proper packet
routing.  Of course, there are some issues with this.
1. All data that your friend transmits will go across your network link.
2. Anything that your friend does will appear to be coming from your network
and can open you up to liability for his actions as they will appear to be
your own.



----- Original Message -----
From: "Rabalder" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, April 14, 2002 3:07 AM
Subject: Mapping mail & news to a friend


> Hello list
>
> I have a RH 7.2 box, with 2.4.18 kernel and latest iptables installed
> and working well.
> I have generated a rc.firewall from
> http://www.linux-firewall-tools.com/linux/ and modified it a little
> for my needs, and it's working well.
> I then have a friend without access to mail & news, and I want to
> create a mapping for him
> As a start I have tried to figure out how to do the news part of it but
> it won't work.
> I have this in my box
> ppp0 = my network interface
> $IPADDR = my ip gained from a scriptline
> 193.213.112.21:119 = my newsserver and its port
>
>
> $IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp -d $IPADDR --dport 33333 -j DNAT --to-destination 193.213.112.21:119
>
> $IPTABLES -A FORWARD -i ppp0 -o ppp0 -p tcp -d $IPADDR --dport 33333 -j ACCEPT
>
> With these two lines I want to let my friend communicate with the
> newsserver through my computer, and I also want to let him gain access to
> a mailserver the same way, but I don't get it to work.
>
> Is anyone able to help me with a working ruleset for this?
>
> Here is the most important part of my rc.firewall with these two lines
> in for my friend so you can see what I have done.
>
> #!/bin/sh
> #  /etc/rc.d/rc.firewall
> #  Invoked from /etc/ppp/ip-up, or
> #  from /sbin/ifup-local, or
> #  from /etc/sysconfig/network-scripts/ifup-post.
>
> echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
>
> # ----------------------------------------------------------------------------
> #  Some definitions for easy maintenance.
> #  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
>
> EXTERNAL_INTERFACE="ppp0" # Internet connected interface
> LOOPBACK_INTERFACE="lo" # or your local naming convention
> LOCAL_INTERFACE_1="eth1" # internal LAN interface
> echo "   External Interface:  $EXTERNAL_INTERFACE"
> echo "   Internal Interface:  $LOCAL_INTERFACE_1"
> IPADDR=$(/sbin/ifconfig | /bin/grep P-t-P | /usr/bin/cut -c 21-38 |
> /bin/awk '{print $1}' )
>
>
>
> LOCALNET_1="192.168.1.0/24" # whatever private range you use
>
> ANYWHERE="0/0" # match any IP address
>
> DHCP_SERVER="0/0"
> NAMESERVER_1="148.122.208.99" # everyone must have at least one
> NAMESERVER_2="148.122.161.3"
>
> SMTP_SERVER="0/0" # Your ISP mail gateway. Your relay.
> POP_SERVER="pop.online.no" # Your ISP pop mail server.
> NEWS_SERVER="0/0" # Your ISP news server
>
> LOOPBACK="127.0.0.0/8" # reserved loopback address range
> CLASS_A="10.0.0.0/8" # class A private networks
> CLASS_B="172.16.0.0/12" # class B private networks
> CLASS_C="192.168.0.0/16" # class C private networks
> BROADCAST_SRC="0.0.0.0" # broadcast source address
> BROADCAST_DEST="255.255.255.255" # broadcast destination address
> PRIVPORTS="0:1023" # well known, privileged port range
> UNPRIVPORTS="1024:65535" # unprivileged port range
>
> # ----------------------------------------------------------------------------
>
> NFS_PORT="2049" # (TCP/UDP) NFS
> SOCKS_PORT="1080" # (TCP) Socks
> OPENWINDOWS_PORT="2000" # (TCP) openwindows
>
> # X Windows port allocation begins at 6000 and increments to 6063
> # for each additional server running.
> XWINDOW_PORTS="6000:6063" # (TCP) X windows
>
> # The SSH client starts at 1023 and works down to 513 for each
> # additional simultaneous connection originating from a privileged port.
> # Clients can optionally be configured to use only unprivileged ports.
> SSH_LOCAL_PORTS="1022:65535" # port range for local clients
> SSH_REMOTE_PORTS="513:65535" # port range for remote clients
>
> # traceroute usually uses -S 32769:65535 -D 33434:33523
> TRACEROUTE_SRC_PORTS="32769:65535"
> TRACEROUTE_DEST_PORTS="33434:33523"
> # ----------------------------------------------------------------------------
> IPTABLES=/sbin/iptables
> echo -en "   loading modules: "
> echo "  - Verifying that all kernel modules are ok"
> /sbin/depmod -a
> echo -en "ip_tables, "
> /sbin/modprobe ip_tables
> echo -en "ip_conntrack, "
> /sbin/modprobe ip_conntrack
> echo -en "ip_conntrack_ftp, "
> /sbin/modprobe ip_conntrack_ftp
> echo -en "ip_conntrack_irc, "
> /sbin/modprobe ip_conntrack_irc
> echo -en "iptable_nat, "
> /sbin/modprobe iptable_nat
> echo -en "ip_nat_ftp, "
> /sbin/modprobe ip_nat_ftp
> echo -en "ip_nat_irc, "
> /sbin/modprobe ip_nat_irc
> echo -en "ipt_multiport, "
> /sbin/modprobe ipt_multiport
> echo ".  Done loading modules."
> echo ".  Vi har bekreftet at det virker så langt."
> # ----------------------------------------------------------------------------
>
>     # Enable IP Forwarding, if it isn't already
>     echo "   enabling forwarding.."
>     echo "1" > /proc/sys/net/ipv4/ip_forward
>
>     echo "   enabling DynamicAddr.."
>     echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
>     # Enable TCP SYN Cookie Protection
>     echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>
>     # Enable broadcast echo  Protection
>     echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
>     # Enable bad error message  Protection
>     echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
>     # Enable IP spoofing protection
>     # turn on Source Address Verification
>     for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>         echo 1 > $f
>     done
>
>     # Disable ICMP Redirect Acceptance
>     for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
>         echo 0 > $f
>     done
>
>     for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
>         echo 0 > $f
>     done
>
>     # Disable Source Routed Packets
>     for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
>         echo 0 > $f
>     done
>
>     # Log Spoofed Packets, Source Routed Packets, Redirect Packets
>     for f in /proc/sys/net/ipv4/conf/*/log_martians; do
>         echo 1 > $f
>     done
> # ----------------------------------------------------------------------------
> # Default policy is DROP
> # Explicitly accept desired INCOMING & OUTGOING connections
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> $IPTABLES -F
> echo "   Kontrollpunkt A1"
> # ----------------------------------------------------------------------------
> # LOOPBACK
>
>     # Unlimited traffic on the loopback interface.
>
> $IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
> $IPTABLES -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
>
> # ----------------------------------------------------------------------------
> # Unlimited traffic within the local network.
>
>     # All internal machines have access to the firewall machine.
>
> $IPTABLES -A INPUT -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
> $IPTABLES -A OUTPUT -o $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT
>
> # ----------------------------------------------------------------------------
> # Masquerade internal traffic.
>
>     # All internal traffic is masqueraded externally.
>     # WARNING:
>     #     The iptables functionality is under development.
>     #     No filters are applied.  Just masquerading.
>
> $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $LOCAL_INTERFACE_1 -m state \
>           --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $LOCAL_INTERFACE_1 -o $EXTERNAL_INTERFACE -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
>
> echo "   Enabling SNAT (MASQUERADE) functionality on $EXTERNAL_INTERFACE"
> $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE
> echo "   Kontrollpunkt A2"
> # ----------------------------------------------------------------------------
> # SPOOFING & BAD ADDRESSES
> # Refuse spoofed packets.
> # Ignore blatantly illegal source addresses.
> # Protect yourself from sending to bad addresses.
>
>     # Refuse incoming packets pretending to be from the external address.
> $IPTABLES -A INPUT   -s $IPADDR -j DROP
>
> # ----------------------------------------------------------------------------
> # NOTE:
> #      The symbolic names used in /etc/services for the port numbers vary by
> #      supplier.  Using them is less error prone and more meaningful, though.
>
> # ----------------------------------------------------------------------------
> # TCP UNPRIVILEGED PORTS
> # Avoid ports subject to protocol & system administration problems.
>
>     # NFS: establishing a TCP connection
> $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p tcp --syn \
>              --destination-port $NFS_PORT -j DROP
> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
>              --destination-port $NFS_PORT -j REJECT
>
>     # openwindows: establishing a connection
> $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p tcp --syn \
>              --destination-port $OPENWINDOWS_PORT -j DROP
> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
>              --destination-port $OPENWINDOWS_PORT -j REJECT
>
>
>     # Xwindows: establishing a connection
> $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p tcp --syn \
>              --destination-port $XWINDOW_PORTS -j DROP
> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
>              --destination-port $XWINDOW_PORTS -j REJECT
>
>     # SOCKS: establishing a connection
> $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p tcp --syn \
>              --destination-port $SOCKS_PORT -j DROP
> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
>              --destination-port $SOCKS_PORT -j REJECT
>
> # ----------------------------------------------------------------------------
> # UDP UNPRIVILEGED PORTS
> # Avoid ports subject to protocol & system administration problems.
>
> $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p udp  \
>              --destination-port $NFS_PORT -j DROP
>
>     # UDP INCOMING TRACEROUTE
>     # traceroute usually uses -S 32769:65535 -D 33434:33523
>
> $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p udp  \
>              --source-port $TRACEROUTE_SRC_PORTS \
>              --destination-port $TRACEROUTE_DEST_PORTS -j DROP
>
> # ----------------------------------------------------------------------------
>
> $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn \
>              -d $IPADDR -j ACCEPT
>
> # ------------------------------------------------------------------
> # THIS PART IS FOR MY FRIEND
>
> $IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp -d $IPADDR --dport 33333 -j DNAT --to-destination 193.213.112.21:119
>
> $IPTABLES -A FORWARD -i ppp0 -o ppp0 -p tcp -d $IPADDR --dport 33333 -j ACCEPT
>
> Kind regards,
> Roger Mauseth
>
>