Hello, I'm trying to set up a new firewall, and I've been experiencing a strange problem when trying to redirect ports from the external interface to a host on the internal network. (I need users to have access to the internal POP3 box.)
I'm using R.H. 7.1 with kernel 2.4.18 and iptables-1.2.6a (both userspace and kernel updated with the newest netfilter). I've used the same setup in a different place and on a different box (same RedHat setup), and had no trouble at all. I'm completely puzzled about this. Maybe somebody on the list can help. If you need any more information just contact me.

Thanks in advance,
--
Omar Castaneda

This is my current script:

##############################################################
IPTABLES=/usr/local/sbin/iptables
GREP=/bin/grep            # used by the d-a-l-i chain check below
EXTIF="eth1"
INTIF="eth0"
EXTIP="148.223.7.178"
INTNET="192.168.0.0/24"
INTIP="192.168.0.253/24"
UNIVERSE="0.0.0.0/0"

echo "1" > /proc/sys/net/ipv4/ip_forward

# Default-deny policies, then flush every chain (including the nat table)
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP d-a-l-i`" ]; then
    $IPTABLES -F d-a-l-i
fi
$IPTABLES -X
$IPTABLES -Z

# d-a-l-i: log the packet, then drop it
$IPTABLES -N d-a-l-i
$IPTABLES -A d-a-l-i -j LOG --log-level info
$IPTABLES -A d-a-l-i -j DROP

# FORWARDING
PORTFWIP="192.168.0.254"
PORT=110
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport $PORT -j DNAT --to $PORTFWIP:$PORT

# loopback interfaces are valid.
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j d-a-l-i
# external interface, from any source, for ICMP traffic is valid
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
# remote interface, any source, going to permanent PPP address is valid
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Catch all rule, all other incoming is denied and logged.
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j d-a-l-i

# loopback interface is valid.
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j d-a-l-i
# anything else outgoing on remote interface is valid
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j d-a-l-i

# Replies to internal hosts, and anything from the internal net going out
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
$IPTABLES -A FORWARD -j d-a-l-i

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

# Squid transparent proxy
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128
###################################################################

This is the "tcpdump -q port 110" result when someone (209.51.13.240) tries to connect to the external interface, port 110:

18:30:37.412896 eth1 < 209.51.13.240.32888 > 148.223.7.178.pop3: tcp 0 (DF)
18:30:37.412972 eth0 > 209.51.13.240.32888 > 192.168.0.1.pop3: tcp 0 (DF)
18:30:40.422344 eth1 < 209.51.13.240.32888 > 148.223.7.178.pop3: tcp 0 (DF)
18:30:40.422371 eth0 > 209.51.13.240.32888 > 192.168.0.1.pop3: tcp 0 (DF)

This is a successful connection on a different firewall:

19:42:20.048610 eth0 < 209.51.13.240.32892 > 216.199.114.130.pop3: tcp 0 (DF)
19:42:20.048610 eth2 > 209.51.13.240.32892 > 192.168.2.1.pop3: tcp 0 (DF)
19:42:20.048610 eth2 < 192.168.2.1.pop3 > 209.51.13.240.32892: tcp 0 (DF)
19:42:20.048610 eth0 > 216.199.114.130.pop3 > 209.51.13.240.32892: tcp 0 (DF)
19:42:20.108610 eth0 < 209.51.13.240.32892 > 216.199.114.130.pop3: tcp 0 (DF)
19:42:20.108610 eth2 > 209.51.13.240.32892 > 192.168.2.1.pop3: tcp 0 (DF)
19:42:20.108610 eth2 < 192.168.2.1.pop3 > 209.51.13.240.32892: tcp 100 (DF)
19:42:20.108610 eth0 > 216.199.114.130.pop3 > 209.51.13.240.32892: tcp 100 (DF)
19:42:20.168610 eth0 < 209.51.13.240.32892 > 216.199.114.130.pop3: tcp 0 (DF)
19:42:20.168610 eth2 > 209.51.13.240.32892 > 192.168.2.1.pop3: tcp 0 (DF)
19:42:52.978610 eth0 < 209.51.13.240.32892 > 216.199.114.130.pop3: tcp 0 (DF)
19:42:52.978610 eth2 > 209.51.13.240.32892 > 192.168.2.1.pop3: tcp 0 (DF)
19:42:52.978610 eth2 < 192.168.2.1.pop3 > 209.51.13.240.32892: tcp 0 (DF)
19:42:52.978610 eth0 > 216.199.114.130.pop3 > 209.51.13.240.32892: tcp 0 (DF)
19:42:52.978610 eth2 < 192.168.2.1.pop3 > 209.51.13.240.32892: tcp 0 (DF)
19:42:52.978610 eth0 > 216.199.114.130.pop3 > 209.51.13.240.32892: tcp 0 (DF)
19:42:53.048610 eth0 < 209.51.13.240.32892 > 216.199.114.130.pop3: tcp 0 (DF)
19:42:53.048610 eth2 > 209.51.13.240.32892 > 192.168.2.1.pop3: tcp 0 (DF)
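The two traces above differ in one visible way: in the failing one the DNATed SYN leaves the internal interface towards 192.168.0.1 and nothing ever comes back, while in the working one every forwarded SYN is answered by the internal host and the reply goes back out the external interface. The first trace also shows packets being forwarded to 192.168.0.1 although the script's PORTFWIP is 192.168.0.254. The script below is an added example, not part of Omar's post: it takes a "tcpdump -q" text capture in the layout shown above and reports, per forwarded flow, whether the internal host replied, and lists any forwarding target that is not the configured PORTFWIP. The interface names, addresses and the capture lines in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a DNAT port forward
# from a "tcpdump -q" text capture.  Two checks:
#   1. every forwarded SYN seen leaving INTIF gets a reply back on INTIF
#   2. the host the packets are actually forwarded to is the configured PORTFWIP
# INTIF, PORTFWIP and SAMPLE_CAPTURE are constructed for this example; the
# tcpdump line layout is the one produced by "tcpdump -q" as shown in the post.

INTIF=eth0
PORTFWIP=192.168.0.254      # host the DNAT rule is supposed to hand the connection to

# Constructed capture: the first client is forwarded to 192.168.0.1 and never
# answered (SYN retransmitted once); the second is forwarded to 192.168.0.254,
# gets a SYN/ACK back on eth0, and the reply goes out eth1 with the public address.
SAMPLE_CAPTURE='18:30:37.412896 eth1 < 198.51.100.7.32888 > 203.0.113.178.pop3: tcp 0 (DF)
18:30:37.412972 eth0 > 198.51.100.7.32888 > 192.168.0.1.pop3: tcp 0 (DF)
18:30:40.422344 eth1 < 198.51.100.7.32888 > 203.0.113.178.pop3: tcp 0 (DF)
18:30:40.422371 eth0 > 198.51.100.7.32888 > 192.168.0.1.pop3: tcp 0 (DF)
18:31:02.100000 eth1 < 198.51.100.9.40001 > 203.0.113.178.pop3: tcp 0 (DF)
18:31:02.100100 eth0 > 198.51.100.9.40001 > 192.168.0.254.pop3: tcp 0 (DF)
18:31:02.100200 eth0 < 192.168.0.254.pop3 > 198.51.100.9.40001: tcp 0 (DF)
18:31:02.100300 eth1 > 203.0.113.178.pop3 > 198.51.100.9.40001: tcp 0 (DF)'

# Reads capture lines on stdin.  Prints one line per forwarded flow seen leaving
# the given internal interface: "client > target STATUS", where STATUS is
# REPLIED if the target answered on that interface and NO-REPLY otherwise.
# Field layout of a "tcpdump -q" line: $1 time, $2 iface, $3 direction (< in, > out),
# $4 src host.port, $5 ">", $6 dst host.port followed by a colon.
dnat_flow_status() {
    awk -v intif="$1" '
        $2 == intif && $3 == ">" {              # packet leaving towards the internal host
            sub(/:$/, "", $6)
            key = $4 " > " $6
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
            next
        }
        $2 == intif && $3 == "<" {              # packet coming back from the internal host
            sub(/:$/, "", $6)
            key = $6 " > " $4                   # reverse the tuple to match the request
            if (key in seen) replied[key] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                print order[i], (order[i] in replied ? "REPLIED" : "NO-REPLY")
        }'
}

# Reads capture lines on stdin.  Prints every internal host that packets were
# actually forwarded to on the given interface but that is not the expected
# target; empty output means the DNAT target matches the configuration.
dnat_unexpected_targets() {
    awk -v intif="$1" -v want="$2" '
        $2 == intif && $3 == ">" {
            host = $6
            sub(/:$/, "", host)
            sub(/\.[^.]*$/, "", host)           # drop the trailing ".port" (e.g. ".pop3")
            if (host != want && !(host in bad)) { bad[host] = 1; print host }
        }'
}

# Run both checks over the constructed capture.
printf '%s\n' "$SAMPLE_CAPTURE" | dnat_flow_status "$INTIF"
printf '%s\n' "$SAMPLE_CAPTURE" | dnat_unexpected_targets "$INTIF" "$PORTFWIP"
```

On a real firewall, replace SAMPLE_CAPTURE with "tcpdump -q -l port 110" piped into the two functions. A NO-REPLY flow means the problem is on the internal side (the target host not answering, or its replies not routed back through the firewall), whereas a flow that is REPLIED on the internal interface but never appears leaving the external interface points at the firewall's own FORWARD or nat handling; a non-empty list from the second check means the running nat rules do not match the script you think is loaded.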
