You need to add a source nat "SNAT" entry to your rule set for each "connection" you want to bounce off you:

> >> $IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp -d $IPADDR --dport 33333
> >> -j DNAT --to-destination 193.213.112.21:119
> >>
> >> $IPTABLES -A FORWARD -i ppp0 -o ppp0 -p tcp -d $IPADDR --dport 33333
> >> -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o ppp0 -p tcp -d 193.213.112.21 --dport 119 -j SNAT --to-source $MYIPADDRESS

The rule you would need to add would look something like above. I wrote this quick without testing. But this is like the rule we used at my company.

----- Original Message -----
From: "Rabalder" <[EMAIL PROTECTED]>
To: "Jason Pappas" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, April 14, 2002 5:34 AM
Subject: Re: Mapping mail & news to a friend

> On Sun, 14 Apr 2002 04:53:04 -0400, you wrote:
>
> >If I am understanding your question, you are trying to get your friend to
> >connect to a server you have access to by "bouncing off" of your machine. I
> >am assuming that your friend is NOT behind your firewall but on his own
> >connection to the internet?
>
> Yes this is correct, I will only bounce these connections for him
>
> >If this is the case, one thing that stands out here is the fact that you are
> >using NAT to accomplish this. This is possible. I was doing the same sort
> >of thing at my company for internal people that were trying to connect to a
> >NAT'd address from internally. The problem that arises is that you create a
> >"3 point TRIANGLE" path for your data using the rules you show here.
> >
> >Point A= Friend's machine
> >Point B= Your Firewall
> >Point C= Outside Server
> >
> >Packets pass from A to B to C then back to A. Your friend sends a packet
> >(tries to make a connection to your IP address) to the "server". Your box
> >takes that packet and rewrites its destination address to be the outside
> >server and forwards it on. The outside server gets this packet, processes
> >it and tries to respond. Of course, it doesn't know about the "NAT" so it
> >sends its response back to your friend's machine directly.
> >When your
> >friend's machine gets the packet from the Server, it doesn't know what to do
> >with it. The packet appears as trash because it doesn't come from any
> >machine that it sent data to.
> >
> >The solution is to put a SNAT rule into the firewall. This rule SNAT's any
> >of these connections to your IP address and will preserve the proper packet
> >routing. Of course, there are some issues with this.
> >1. All data that your friend transmits will go across your network link.
> >2. Anything that your friend does will appear to be coming from your network
> >and can open you up to liability for his actions as they will appear to be
> >your own.
> You are correct on all of this, and yes, I know that I am "taking
> responsibility" for his actions.
> But I simply don't understand exactly how to do it.
> My friend has a static ip, should I build rules that involve his ip,
> so this service can not be accessed from other machines than his, and
> probably I should LOG everything too.
>
> Can you help me create the correct ruleset for this, as I am very
> confused about what to do?
> I am very new to iptables. (I am also struggling to understand and make
> rules to let people access my ftp server on my Windows box behind the
> firewalled Linux box, but that I will work on, on my own for some
> time, to try to figure out myself)
>
> >----- Original Message -----
> >From: "Rabalder" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Sunday, April 14, 2002 3:07 AM
> >Subject: Mapping mail & news to a friend
> >
> >
> >> Hello list
> >>
> >> I have a RH 7.2 box, with 2.4.18 kernel and latest iptables installed
> >> and working well.
> >> I have generated a rc.firewall from
> >> http://www.linux-firewall-tools.com/linux/ and modified it a little
> >> for my needs, and it's working well
> >> I then have a friend without access to mail & news, and I want to
> >> create a mapping for him
> >> As a start I have tried to figure out how to do the new part of it but
> >> it won't work
> >> I have this in my box
> >> ppp0 = my network interface
> >> $IPADDR = my ip gained from a scriptline
> >> 193.213.112.21:119 = my newsserver and its port
> >>
> >>
> >> $IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp -d $IPADDR --dport 33333
> >> -j DNAT --to-destination 193.213.112.21:119
> >>
> >> $IPTABLES -A FORWARD -i ppp0 -o ppp0 -p tcp -d $IPADDR --dport 33333
> >> -j ACCEPT
> >>
> >> With these two lines I want to let my friend communicate with the
> >> newsserver through my computer, and I also want to let him gain access to
> >> a mailserver the same way, but I don't get it to work.
> >>
> >> Is anyone able to help me with a working ruleset for this?
> >>
> >> Here is the most important part of my rc.firewall with these two lines
> >> in for my friend so you can see what I have done.
> >>
> >> #!/bin/sh
> >> # /etc/rc.d/rc.firewall
> >> # Invoked from /etc/ppp/ip-up, or
> >> # from /sbin/ifup-local, or
> >> # from /etc/sysconfig/network-scripts/ifup-post.
> >>
> >> echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
> >>
> >> # ---------------------------------------------------------------------------
> >> # Some definitions for easy maintenance.
> >> # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
> >>
> >> EXTERNAL_INTERFACE="ppp0"              # Internet connected interface
> >> LOOPBACK_INTERFACE="lo"                # or your local naming convention
> >> LOCAL_INTERFACE_1="eth1"               # internal LAN interface
> >> echo " External Interface: $EXTERNAL_INTERFACE"
> >> echo " Internal Interface: $LOCAL_INTERFACE_1"
> >> IPADDR=$(/sbin/ifconfig | /bin/grep P-t-P | /usr/bin/cut -c 21-38 |
> >> /bin/awk '{print $1}' )
> >>
> >>
> >>
> >> LOCALNET_1="192.168.1.0/24"            # whatever private range you use
> >>
> >> ANYWHERE="0/0"                         # match any IP address
> >>
> >> DHCP_SERVER="0/0"
> >> NAMESERVER_1="148.122.208.99"          # everyone must have at least one
> >> NAMESERVER_2="148.122.161.3"
> >>
> >> SMTP_SERVER="0/0"                      # Your ISP mail gateway. Your relay.
> >> POP_SERVER="pop.online.no"             # Your ISP pop mail server.
> >> NEWS_SERVER="0/0"                      # Your ISP news server
> >>
> >> LOOPBACK="127.0.0.0/8"                 # reserved loopback address range
> >> CLASS_A="10.0.0.0/8"                   # class A private networks
> >> CLASS_B="172.16.0.0/12"                # class B private networks
> >> CLASS_C="192.168.0.0/16"               # class C private networks
> >> BROADCAST_SRC="0.0.0.0"                # broadcast source address
> >> BROADCAST_DEST="255.255.255.255"       # broadcast destination address
> >> PRIVPORTS="0:1023"                     # well known, privileged port range
> >> UNPRIVPORTS="1024:65535"               # unprivileged port range
> >>
> >> # ---------------------------------------------------------------------------
> >>
> >> NFS_PORT="2049"                        # (TCP/UDP) NFS
> >> SOCKS_PORT="1080"                      # (TCP) Socks
> >> OPENWINDOWS_PORT="2000"                # (TCP) openwindows
> >>
> >> # X Windows port allocation begins at 6000 and increments to 6063
> >> # for each additional server running.
> >> XWINDOW_PORTS="6000:6063"              # (TCP) X windows
> >>
> >> # The SSH client starts at 1023 and works down to 513 for each
> >> # additional simultaneous connection originating from a privileged port.
> >> # Clients can optionally be configured to use only unprivileged ports.
> >> SSH_LOCAL_PORTS="1022:65535"           # port range for local clients
> >> SSH_REMOTE_PORTS="513:65535"           # port range for remote clients
> >>
> >> # traceroute usually uses -S 32769:65535 -D 33434:33523
> >> TRACEROUTE_SRC_PORTS="32769:65535"
> >> TRACEROUTE_DEST_PORTS="33434:33523"
> >> # ---------------------------------------------------------------------------
> >> IPTABLES=/sbin/iptables
> >> echo -en " loading modules: "
> >> echo " - Verifying that all kernel modules are ok"
> >> /sbin/depmod -a
> >> echo -en "ip_tables, "
> >> /sbin/modprobe ip_tables
> >> echo -en "ip_conntrack, "
> >> /sbin/modprobe ip_conntrack
> >> echo -en "ip_conntrack_ftp, "
> >> /sbin/modprobe ip_conntrack_ftp
> >> echo -en "ip_conntrack_irc, "
> >> /sbin/modprobe ip_conntrack_irc
> >> echo -en "iptable_nat, "
> >> /sbin/modprobe iptable_nat
> >> echo -en "ip_nat_ftp, "
> >> /sbin/modprobe ip_nat_ftp
> >> echo -en "ip_nat_irc, "
> >> /sbin/modprobe ip_nat_irc
> >> echo -en "ipt_multiport, "
> >> /sbin/modprobe ipt_multiport
> >> echo ". Done loading modules."
> >> echo ". Vi har bekreftet at det virker så langt."
> >> # ---------------------------------------------------------------------------
> >>
> >> # Enable IP Forwarding, if it isn't already
> >> echo " enabling forwarding.."
> >> echo "1" > /proc/sys/net/ipv4/ip_forward
> >>
> >> echo " enabling DynamicAddr.."
> >> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> >>
> >> # Enable TCP SYN Cookie Protection
> >> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> >>
> >> # Enable broadcast echo Protection
> >> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> >>
> >> # Enable bad error message Protection
> >> echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> >>
> >> # Enable IP spoofing protection
> >> # turn on Source Address Verification
> >> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> >>     echo 1 > $f
> >> done
> >>
> >> # Disable ICMP Redirect Acceptance
> >> for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> >>     echo 0 > $f
> >> done
> >>
> >> for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
> >>     echo 0 > $f
> >> done
> >>
> >> # Disable Source Routed Packets
> >> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> >>     echo 0 > $f
> >> done
> >>
> >> # Log Spoofed Packets, Source Routed Packets, Redirect Packets
> >> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
> >>     echo 1 > $f
> >> done
> >> # ---------------------------------------------------------------------------
> >> # Default policy is DROP
> >> # Explicitly accept desired INCOMING & OUTGOING connections
> >>
> >> $IPTABLES -P INPUT DROP
> >> $IPTABLES -F INPUT
> >> $IPTABLES -P OUTPUT DROP
> >> $IPTABLES -F OUTPUT
> >> $IPTABLES -P FORWARD DROP
> >> $IPTABLES -F FORWARD
> >> $IPTABLES -t nat -F
> >> $IPTABLES -F
> >> echo " Kontrollpunkt A1"
> >> # ---------------------------------------------------------------------------
> >> # LOOPBACK
> >>
> >> # Unlimited traffic on the loopback interface.
> >>
> >> $IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
> >> $IPTABLES -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
> >>
> >> # ---------------------------------------------------------------------------
> >> # Unlimited traffic within the local network.
> >>
> >> # All internal machines have access to the firewall machine.
> >>
> >> $IPTABLES -A INPUT -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
> >> $IPTABLES -A OUTPUT -o $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT
> >>
> >> # ---------------------------------------------------------------------------
> >> # Masquerade internal traffic.
> >>
> >> # All internal traffic is masqueraded externally.
> >> # WARNING:
> >> # The iptables functionality is under development.
> >> # No filters are applied. Just masquerading.
> >>
> >> $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $LOCAL_INTERFACE_1 -m state \
> >>     --state ESTABLISHED,RELATED -j ACCEPT
> >> $IPTABLES -A FORWARD -i $LOCAL_INTERFACE_1 -o $EXTERNAL_INTERFACE -j ACCEPT
> >> $IPTABLES -A FORWARD -j LOG
> >>
> >> echo " Enabling SNAT (MASQUERADE) functionality on $EXTERNAL_INTERFACE"
> >> $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE
> >> echo " Kontrollpunkt A2"
> >> # ---------------------------------------------------------------------------
> >> # SPOOFING & BAD ADDRESSES
> >> # Refuse spoofed packets.
> >> # Ignore blatantly illegal source addresses.
> >> # Protect yourself from sending to bad addresses.
> >>
> >> # Refuse incoming packets pretending to be from the external address.
> >> $IPTABLES -A INPUT -s $IPADDR -j DROP
> >>
> >> # ---------------------------------------------------------------------------
> >> # NOTE:
> >> # The symbolic names used in /etc/services for the port numbers vary by
> >> # supplier. Using them is less error prone and more meaningful, though.
> >>
> >> # ---------------------------------------------------------------------------
> >> # TCP UNPRIVILEGED PORTS
> >> # Avoid ports subject to protocol & system administration problems.
> >>
> >> # NFS: establishing a TCP connection
> >> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
> >>     --destination-port $NFS_PORT -j DROP
> >> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
> >>     --destination-port $NFS_PORT -j REJECT
> >>
> >> # openwindows: establishing a connection
> >> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
> >>     --destination-port $OPENWINDOWS_PORT -j DROP
> >> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
> >>     --destination-port $OPENWINDOWS_PORT -j REJECT
> >>
> >>
> >> # Xwindows: establishing a connection
> >> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
> >>     --destination-port $XWINDOW_PORTS -j DROP
> >> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
> >>     --destination-port $XWINDOW_PORTS -j REJECT
> >>
> >> # SOCKS: establishing a connection
> >> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
> >>     --destination-port $SOCKS_PORT -j DROP
> >> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
> >>     --destination-port $SOCKS_PORT -j REJECT
> >>
> >> # ---------------------------------------------------------------------------
> >> # UDP UNPRIVILEGED PORTS
> >> # Avoid ports subject to protocol & system administration problems.
> >>
> >> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> >>     --destination-port $NFS_PORT -j DROP
> >>
> >> # UDP INCOMING TRACEROUTE
> >> # traceroute usually uses -S 32769:65535 -D 33434:33523
> >>
> >> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> >>     --source-port $TRACEROUTE_SRC_PORTS \
> >>     --destination-port $TRACEROUTE_DEST_PORTS -j DROP
> >>
> >> # ---------------------------------------------------------------------------
>
> Regards,
> Roger Mauseth
>
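The DNAT/SNAT pair Jason describes, written out as an added example (not code from anyone in the thread) and limited to the friend's static address with logging, as Rabalder asked. The point the thread's rules skip is that the nat PREROUTING DNAT runs before FORWARD and POSTROUTING, so those chains see the rewritten destination 193.213.112.21:119, not $IPADDR:33333. FRIEND_IP, BOUNCE_PORT and the 192.0.2.10 / 198.51.100.7 addresses are placeholders I chose; with APPLY=1 the script calls /sbin/iptables, otherwise it only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread. Bounce a friend's NNTP connections through
# this box: DNAT on the way in, SNAT on the way out, so the news server's replies
# come back here instead of going straight to the friend (the "triangle" problem).
# Placeholders (assumptions): FRIEND_IP, IPADDR and BOUNCE_PORT. NEWS_SERVER is
# the address from the original post.

EXTERNAL_INTERFACE="ppp0"
IPADDR="${IPADDR:-192.0.2.10}"           # this box's ppp0 address (placeholder)
FRIEND_IP="${FRIEND_IP:-198.51.100.7}"   # friend's static address (placeholder)
BOUNCE_PORT="33333"                      # port the friend connects to on this box
NEWS_SERVER="193.213.112.21"
NEWS_PORT="119"

# With APPLY=1 (run as root) the rules are loaded; otherwise they are only printed.
if [ "${APPLY:-0}" = "1" ]; then IPTABLES=/sbin/iptables; else IPTABLES=echo; fi

bounce_rules() {
    # 1. Rewrite the destination, but only for packets that come from the friend.
    $IPTABLES -t nat -A PREROUTING -i "$EXTERNAL_INTERFACE" -p tcp -s "$FRIEND_IP" \
        -d "$IPADDR" --dport "$BOUNCE_PORT" \
        -j DNAT --to-destination "$NEWS_SERVER:$NEWS_PORT"

    # 2. FORWARD runs after the DNAT, so match the rewritten destination.
    #    Log each new connection (SYN), then accept the flow (ppp0 in, ppp0 out).
    $IPTABLES -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$FRIEND_IP" -d "$NEWS_SERVER" --dport "$NEWS_PORT" --syn \
        -j LOG --log-prefix "bounce-nntp: "
    $IPTABLES -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$FRIEND_IP" -d "$NEWS_SERVER" --dport "$NEWS_PORT" -j ACCEPT

    # 3. Replies from the news server: conntrack undoes the SNAT before FORWARD,
    #    so by the time they reach this chain they are addressed to the friend.
    $IPTABLES -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$NEWS_SERVER" --sport "$NEWS_PORT" -d "$FRIEND_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. SNAT the outgoing leg so the server answers this box, not the friend.
    #    Like FORWARD, POSTROUTING sees the DNATed destination, not port 33333.
    $IPTABLES -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$FRIEND_IP" -d "$NEWS_SERVER" --dport "$NEWS_PORT" \
        -j SNAT --to-source "$IPADDR"
}

bounce_rules
```

Note that the rc.firewall above already has an unrestricted `POSTROUTING -o ppp0 -j MASQUERADE`, which would source-rewrite the bounced packets too; the likelier reason the original two rules fail is the FORWARD rule matching `-d $IPADDR --dport 33333` after the DNAT has already changed the destination, so the FORWARD DROP policy wins.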
