Re: Can't connect to JUST port 80

Michael Montero Tue, 16 Apr 2002 16:30:20 -0700

Ramin, thanks!  Attached is the file I use to load all my rules.

Michael C. Montero
Chief Technology Officer
Community Connect Inc. Co-founder
[EMAIL PROTECTED]


-=-=-=-=-=  Community Connect Inc.  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The Premier Source of Interactive Online Communities    149 Fifth Avenue
http://www.CommunityConnectInc.com/                     New York, NY 10010

http://www.AsianAvenue.com/                     http://www.BlackPlanet.com/
        Click into Asian America                        The World Is Yours

http://www.MiGente.com/
        The Power of Latinos

-----  Your Message May Appear Below This Line

On Tue, 16 Apr 2002, Ramin Alidousti wrote:

> On Tue, Apr 16, 2002 at 07:23:24PM -0400, Michael Montero wrote:
> 
> > I can provide the entire rules file.....but that seems difficult to
> > digest.  Unless you feel that would be best.  I've included below a print
> > out of the entire iptables -v -L output hoping that that's more
> > digestible.
> 
> I'm just trying to help. You have to narrow down the possibilities and see
> where the fault is. Send the rule set  for all the tables and either me or
> someone else would take a look at it. 
> 
> Ramin
> 
> > 
> > I really appreciate the help!  
>

#!/bin/sh

/sbin/insmod ip_tables

###############################################################################
#
#  Configuration
#

IPTABLES="/sbin/iptables"

LOOPBACK="lo"
EXTERNAL="ppp0"
INTERNAL="eth1"

EXTERNAL_NET="0/0"
INTERNAL_NET="192.168.104.0/24"

UNPRIV_PORTS="1024:65535" 

###############################################################################

###############################################################################
#
#  Kernel parameters
#

#
#  Allow forwarding between multiple interfaces.
#
echo 1 > /proc/sys/net/ipv4/ip_forward

#
#  Don't respond to ping.
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#
#  Don't accept source routed packets, they can be used to make it seem
#  like traffic has been generated from inside the network.
#
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#
#  Don't allow for ICMP redirect acceptance.
#
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#
#  Enable bad error message protection.
#
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#
#  Log spoofed packets, source routed packets, redirect packets.
#
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

###############################################################################

###############################################################################
#
#  Flush chains and set default policies.  Default policy is very restrictive.
#  We'll handle all input, output and forwarding manually with individual
#  rules.
#

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

###############################################################################

###############################################################################
#
#  Special chain for ports to allow to this box.  We may be forwarding other
#  ports (like 22, 25 and 80).  However, they don't need to be included here
#  because we don't want to allow connections for those ports to this box.
#

TCP_ALLOWED_PORTS="7876"

$IPTABLES -N ALLOW_PORTS
$IPTABLES -F ALLOW_PORTS

for PORT in $TCP_ALLOWED_PORTS ;
do
        #
        #  Allow new and established connections to the specified port.
        #
        $IPTABLES -A ALLOW_PORTS -m state --state ESTABLISHED,NEW -p tcp \
                  --dport $PORT -j ACCEPT
done

###############################################################################

###############################################################################
#
#  ICMP - by default we want to drop all incoming and outgoing ICMP packets.
#

#
#  Drop all ICMP packets inbound.
#
$IPTABLES -A INPUT -p icmp -j DROP

#
#  Allow all ICMP packets outbound.
#
$IPTABLES -A OUTPUT -p icmp -j DROP

###############################################################################

###############################################################################
#
#  UDP - the rules below are required for name server look ups
#

#
#  Allow all UDP packets inbound on unprivileged ports only that belong to
#  an established connection.
#
$IPTABLES -A INPUT -i $EXTERNAL -p udp --dport $UNPRIV_PORTS \
          -m state --state ESTABLISHED -j ACCEPT

#
#  Allow all UDP packets outbound that are new connections on unprivileged
#  ports only.
#
$IPTABLES -A OUTPUT -o $EXTERNAL -p udp --sport $UNPRIV_PORTS \
          -m state --state NEW -j ACCEPT

#
#  Forward all UDP packets inbound on unprivileged ports only that belong to
#  an established connection.
#
$IPTABLES -A FORWARD -i $EXTERNAL -p udp --dport $UNPRIV_PORTS \
          -m state --state ESTABLISHED -j ACCEPT

###############################################################################

###############################################################################
#
#  LOOPBACK - allow everything from the loopback device.
#

#
#  Allow all input to loopback.
#
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT

#
#  Allow all output from loopback.
#
$IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT

###############################################################################

###############################################################################
#
#  External Interface (ppp0/eth0)
#

#
#  Pass all TCP packets inbound on the external interface to a special
#  chain that allows only certain ports.
# 
$IPTABLES -A INPUT -i $EXTERNAL -p tcp -j ALLOW_PORTS

#
#  Allow all TCP packets inbound on the external interface that are bound
#  for an unprivileged port.  This is required for all outbound connections
#  made from the external interface.
#
$IPTABLES -A INPUT -i $EXTERNAL -p tcp --dport $UNPRIV_PORTS \
          -m state --state ESTABLISHED -j ACCEPT

#
#  Allow all TCP packets outbound on the external interface.
#
$IPTABLES -A OUTPUT -o $EXTERNAL -p tcp -j ACCEPT

#
#  Forward all TCP packets inbound on the external interface that are bound
#  for unprivileged ports.
#
$IPTABLES -A FORWARD -i $EXTERNAL -p tcp --dport $UNPRIV_PORTS \
          -m state --state ESTABLISHED -j ACCEPT

###############################################################################

###############################################################################
#
#  Internal Interface (eth1)
#

#
#  Allow all TCP packets inbound from the internal interface that
#  originate from the internal network.
#
$IPTABLES -A INPUT -i $INTERNAL -s $INTERNAL_NET -p tcp -j ACCEPT

#
#  Drop all TCP packets inbound from the internal interface that are not
#  from the internal network.
#
$IPTABLES -A INPUT -i $INTERNAL -s ! $INTERNAL_NET -p tcp -j DROP

#
#  Allow all TCP packets outbound on the internal interface that are
#  destined for the internal network.
#
$IPTABLES -A OUTPUT -o $INTERNAL -d $INTERNAL_NET -p tcp -j ACCEPT

#
#  Drop all TCP packets outbound on the internal interface that are not
#  destined for the internal network.
#
$IPTABLES -A OUTPUT -o $INTERNAL -d ! $INTERNAL_NET -p tcp -j DROP

###############################################################################

###############################################################################
#
#  Masquerading rules.
#

#
#  Perform masquerading for internal network.
#
$IPTABLES -A POSTROUTING -t nat -o $EXTERNAL -j MASQUERADE

#
#  Forward all packets inbound on the internal interface.
#
$IPTABLES -A FORWARD -i $INTERNAL -j ACCEPT

###############################################################################

###############################################################################
#
#  NAT rules.
#

#
#  Forward SSH on port 22.
#

#
#  CCI Offices at 149 5th Avenue
#  (209.11.34.16 206.28.215.90 209.10.193.8)
#
$IPTABLES -A PREROUTING -t nat -i $EXTERNAL -p tcp -s 209.11.34.16 \
          --dport 22 -j DNAT --to 192.168.104.3:22
$IPTABLES -A FORWARD -i $EXTERNAL -p tcp -s 209.11.34.16 -d 192.168.104.3 \
          --dport 22 -j ACCEPT

$IPTABLES -A PREROUTING -t nat -i $EXTERNAL -p tcp -s 206.28.215.90 \
          --dport 22 -j DNAT --to 192.168.104.3:22
$IPTABLES -A FORWARD -i $EXTERNAL -p tcp -s 206.28.215.90 -d 192.168.104.3 \
          --dport 22 -j ACCEPT

$IPTABLES -A PREROUTING -t nat -i $EXTERNAL -p tcp -s 209.10.193.8 \
          --dport 22 -j DNAT --to 192.168.104.3:22
$IPTABLES -A FORWARD -i $EXTERNAL -p tcp -s 209.10.193.8 -d 192.168.104.3 \
          --dport 22 -j ACCEPT

#
#  CR Offices at 23rd Street
#  (63.108.123.17)
#
$IPTABLES -A PREROUTING -t nat -i $EXTERNAL -p tcp -s 63.108.123.17 \
          --dport 22 -j DNAT --to 192.168.104.3:22
$IPTABLES -A FORWARD -i $EXTERNAL -p tcp -s 63.108.123.17 -d 192.168.104.3 \
          --dport 22 -j ACCEPT

#
#  Forward SMTP.
#
$IPTABLES -A PREROUTING -t nat -i $EXTERNAL -p tcp --dport 25 -j DNAT \
          --to 192.168.104.3:25
$IPTABLES -A FORWARD -i $EXTERNAL -p tcp -d 192.168.104.3 --dport 25 -j ACCEPT

#
#  Forward HTTP.
#
$IPTABLES -A PREROUTING -t nat -i $EXTERNAL -p tcp --dport 80 -j DNAT \
          --to 192.168.104.3:80
$IPTABLES -A FORWARD -i $EXTERNAL -p tcp -d 192.168.104.3 --dport 80 -j ACCEPT

#
#  Forward HTTPS.
#
$IPTABLES -A PREROUTING -t nat -i $EXTERNAL -p tcp --dport 443 -j DNAT \
          --to 192.168.104.3:443
$IPTABLES -A FORWARD -i $EXTERNAL -p tcp -d 192.168.104.3 --dport 443 -j ACCEPT

###############################################################################

Re: Can't connect to JUST port 80

Reply via email to