[Dorset] iptables question
Hi folks- I have an iptables question. I've tried a few things, but since this is my gateway/router I usually seem to end up killing internet access (or, more strangely, slowing it right down for a time) when I try to work it out myself.

Here is the setup. What I need to do is to open an external port on the WAN side and direct it to a port on an internal machine. Can anyone suggest the required incantation to do the job? Many thanks!

wlan0 is the LAN side and

r...@squiddy:~# more startup
#!/bin/bash
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD ACCEPT
iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --table nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 3128

r...@squiddy:~# iptables-save
# Generated by iptables-save v1.4.4 on Thu Apr 22 10:18:53 2010
*nat
:PREROUTING ACCEPT [132042:12331577]
:POSTROUTING ACCEPT [18152:3537221]
:OUTPUT ACCEPT [82653:10602042]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 22 10:18:53 2010
# Generated by iptables-save v1.4.4 on Thu Apr 22 10:18:53 2010
*filter
:INPUT ACCEPT [9519853:1538511432]
:FORWARD ACCEPT [4638871:616558804]
:OUTPUT ACCEPT [8536672:1749833220]
COMMIT
# Completed on Thu Apr 22 10:18:53 2010

-- 
Next meeting: Unknown
http://dorset.lug.org.uk/
http://www.linkedin.com/groups?gid=2645413
Chat: http://www.mibbit.com/?server=irc.blitzed.orgchannel=%23dorset
List info: https://mailman.lug.org.uk/mailman/listinfo/dorset
Re: [Dorset] iptables question
On 22/04/10 13:29, John Horne wrote:
> On Thu, 2010-04-22 at 12:48 +0100, John Carlyle-Clarke wrote:
>> sysctl -w net.ipv4.ip_forward=1
>> iptables -P FORWARD ACCEPT
>> iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
>> iptables --table nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> Hi,
>
> We have been trying a similar (same?) thing on one of our web caches to use WCCP - that is, redirect from port 80 (on a GRE interface) to port 3128 (the cache). We are using CentOS 5.4. We found:
>
>   sysctl -w net.ipv4.ip_forward=1
>
> this was not required. However, we use a GRE interface and
>
>   net.ipv4.conf.gre0.rp_filter = 0
>
> was required (in your case 'wlan0' obviously). For iptables we use:
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -i gre0 -p tcp -m tcp -j REDIRECT --to-ports 3128
> COMMIT
>
> This is redirecting everything to port 3128, but you could include a '--dport 80'. So the differences are the sysctl entry, and no iptables postrouting entry. I make no claim that what we have will work for you, but perhaps try the changes to see if it helps :-)

Hi John, thanks for the reply. It's fascinating that there always seem to be many ways to go about things!

I should have clarified better though. The NAT routing from the LAN is working fine, and the transparent proxying is working OK too, so the bit I gave above is working as a setup. What I need to add is to forward a few *incoming* ports, for example port 80 on the WAN side of the gateway to 10.0.0.254 (a server), or things like bittorrent ports to individual machines on my network, and other similar cases where incoming connectivity is needed.

Many thanks,
John
Re: [Dorset] iptables question
On Thu, 22 Apr 2010 12:48:11 +0100, j...@wormdrive.net said:
> I have an iptables question.

There was a not-dissimilar question on the Hants LUG list only this week. This is the reply I posted there:

Life is too short to write iptables rules by hand. We use Shorewall, which is excellent so long as you're happy with a non-GUI, configure-by-editing-files tool. I've yet to find anything that it can't do with iptables; there's excellent documentation, excellent support on the mailing list, and it is way, way easier to maintain than a list of iptables commands.

One of our customers has a firewall with ten ethernet interfaces (seven in use), five different incoming OpenVPN connections, an L2TP/ipsec vpn, and lots of access restrictions. The thought of managing that type of firewall (and there are actually two configured as an HA pair) using raw iptables is scary.

Another customer is a school where there is a simple web interface to toggle the Internet connectivity of each classroom individually, and if access is allowed then it can optionally route via DansGuardian. All done dynamically, again with Shorewall (and ipsets in that case), and again managing that with raw iptables commands would be a nightmare.

Your problem would be trivial to solve with Shorewall.

-- 
Keith Edmunds
Tiger Computing Ltd | Helping businesses make the most of Linux
The Linux Specialists | http://www.tiger-computing.co.uk
Re: [Dorset] iptables question
On 22/04/10 13:57, John Carlyle-Clarke wrote:
> What I need to add is to forward a few *incoming* ports, for example port 80 on the WAN side of the gateway to 10.0.0.254 (a server), or things like bittorrent ports to individual machines on my network and other similar cases where incoming connectivity is needed.

I believe that DNAT is what you want:

iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j DNAT --to-destination 10.0.0.254:8080

If you're testing this configuration /on the gateway/, you'll have to add the same rule to the OUTPUT chain to see the effect, since the PREROUTING chain isn't processed for packets which originate on the local host.

-- 
Nathan Baum
By day, mild mannered programmer / By night, asleep
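Putting the thread together as an added example (not code posted by anyone in the thread): a script that emits the poster's existing gateway rules plus the DNAT forwards in iptables-restore format, with the OUTPUT-chain twin that Nathan describes for testing from the gateway itself. It assumes eth0 is the WAN side and wlan0 the LAN side as in the original post, and the two forwarded ports are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: emit an iptables-restore ruleset that
# keeps the poster's gateway setup (MASQUERADE out of the WAN, transparent proxy
# REDIRECT on the LAN) and adds the incoming DNAT forwards discussed. Interfaces
# follow the thread (eth0 = WAN, wlan0 = LAN); the forward list is a constructed
# sample. net.ipv4.ip_forward=1 is still set by the startup script, not here.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-wlan0}
# forward nat|filter PROTO WAN_PORT LAN_IP LAN_PORT: rules for one exposed port.
forward() {
    if [ "$1" = nat ]; then
        # Match the WAN interface only, so LAN clients talking to the gateway's
        # own port 80 still hit the proxy REDIRECT rather than the forward.
        echo "-A PREROUTING -i $WAN_IF -p $2 -m $2 --dport $3 -j DNAT --to-destination $4:$5"
        # Locally generated packets skip PREROUTING (Nathan's point). The same rule
        # in OUTPUT, limited to lo (the route for the gateway's own addresses), lets
        # a test run on the gateway see the forward without rewriting squid's fetches.
        echo "-A OUTPUT -o lo -p $2 -m $2 --dport $3 -j DNAT --to-destination $4:$5"
    else
        # Admit new inbound connections only to the DNAT target host and port.
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p $2 -m $2 -d $4 --dport $5 -m conntrack --ctstate NEW -j ACCEPT"
    fi
}
# The ports to expose (constructed sample); $1 selects which table's rules to print.
forwards() {
    forward "$1" tcp 80   10.0.0.254 8080
    forward "$1" tcp 6881 10.0.0.10  6881
}
gen_ruleset() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # The transparent proxy rule already in the poster's script.
    echo "-A PREROUTING -i $LAN_IF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128"
    forwards nat
    echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'   # tighter than the thread's FORWARD ACCEPT
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    forwards filter
    echo 'COMMIT'
}
# Print the ruleset by default; load it atomically (as root) with: ./forwards.sh --apply
if [ "$1" = "--apply" ]; then gen_ruleset | iptables-restore; else gen_ruleset; fi
```

Because the DNAT rules match only the WAN interface, LAN hosts must reach the forwarded server by its LAN address rather than the gateway's public one. Loading through iptables-restore replaces the whole table in one step, which avoids the half-applied states that cut the poster's connectivity when rules were added one at a time.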