# [Solved] Getting SSH to Forward with iptables

## eulogious

Hello all,

What I am trying to accomplish is forwarding SSH (port 22 specifically) on my router (Gentoo box running iptables) to another computer.  I had this same script running on an Ubuntu box but decided to go back to Gentoo because it's way better.  This setup worked great; then when I switched it over to Gentoo, port 22 just won't open.  Every other port I have opened in this script is fine.  If I open a port and restart my firewall, it opens the port.  But it WILL NOT open port 22.  Again, this same script worked fine on Ubuntu (yes I know, it's not Gentoo), but I really can't figure out why port 22 WILL NOT OPEN.  I have been using Linux for a few years now, and I am comfortable with it.  I have tried searching the forums, but everyone suggests using different rules.  I try, and it works for EVERY other port, except port 22.  So I am wondering if this has something to do with ssh, or iptables.  I have changed the ssh port on the router to something different to make sure that that wasn't interfering with anything.  Either way, I need this port open and it won't open.  Please help me, I have been banging my head on the desk for a few days now!

Here's my iptables script.  Also if anyone has suggestions on improving it, I am open to them!

```

#!/bin/sh

#

# 1.0 Created on 1-30-08

# 1.1 Hardened Policies 1-30-08

# 1.2 Fixed Server Web Browsing Issue, Hardened Policies 1-31-08

# 1.3 Fixed Port Forwarding Issues 2-8-08

#

echo "Loading Firewall v1.3 On Watchdog, Created and Maintained By eulogious..."

# The location of the iptables and kernel module programs 

#

#   If your Linux distribution came with a copy of iptables,

#   most likely all the programs will be located in /sbin.  If

#   you manually compiled iptables, the default location will

#   be in /usr/local/sbin 

#

# ** Please use the "whereis iptables" command to figure out

# ** where your copy is and change the path below to reflect

# ** your setup

#

IPTABLES=/sbin/iptables

DEPMOD=/sbin/depmod

MODPROBE=/sbin/modprobe

#Setting the EXTERNAL and INTERNAL interfaces for the network

#

#  Each IP Masquerade network needs to have at least one

#  external and one internal network.  The external network 

#  is where the natting will occur and the internal network

#  should preferably be addressed with a RFC1918 private address

#  scheme.

#

#  For this example, "eth0" is external and "eth1" is internal

#

#

#  NOTE:  If this doesn't EXACTLY fit your configuration, you must

#         change the EXTIF or INTIF variables above. For example:

#

#            If you are a PPPoE or analog modem user:

#

#               EXTIF="ppp0" 

#

#

EXTIF="eth0"

INTIF="eth1"

LOCALNETWORK="192.168.2.0/24"

PUBLICPORTS="1024:65535"

echo "External Interface:  $EXTIF"

echo "Internal Interface:  $INTIF"

# Detect the external address on $EXTIF (not a hard-coded eth0) so it follows the variable above
EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

echo "External IP:  $EXTIP"

#======================================================================

#== No editing beyond this line is required for initial MASQ testing == 

#echo "loading modules: "

# Need to verify that all modules have all required dependencies

#

#echo "  - Verifying that all kernel modules are ok"

#$DEPMOD -a

# With the new IPTABLES code, the core MASQ functionality is now either 

# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES

# options as MODULES.  If your kernel is compiled correctly, there is

# NO need to load the kernel modules manually.

#

#  NOTE: The following items are listed ONLY for informational reasons. 

#        There is no reason to manual load these modules unless your

#        kernel is either mis-configured or you intentionally disabled

#        the kernel module autoloader.

#

# Upon the commands of starting up IP Masq on the server, the 

# following kernel modules will be automatically loaded:

#

# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ

#        modules are shown below but are commented out from loading.

# =============================================================== 

#echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"

#  - Loaded automatically when the "iptables" command is invoked 

#

#  - Loaded manually to clean up kernel auto-loading timing issues

#

#echo "ip_tables, "

#$MODPROBE ip_tables

#Load the IPTABLES filtering module - "iptable_filter"

#  - Loaded automatically when filter policies are activated 

#Load the stateful connection tracking framework - "ip_conntrack"

#

# The conntrack  module in itself does nothing without other specific

# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" 

# module

#

#  - This module is loaded automatically when MASQ functionality is

#    enabled

#

#  - Loaded manually to clean up kernel auto-loading timing issues

#

#echo "ip_conntrack, " 

#$MODPROBE ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

#echo "ip_conntrack_ftp, " 

#$MODPROBE ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

#echo "ip_conntrack_irc, " 

#$MODPROBE ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"

#  - Loaded automatically when MASQ functionality is turned on

#

#  - Loaded manually to clean up kernel auto-loading timing issues 

#

#echo "iptable_nat, "

#$MODPROBE iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code

# Required to support non-PASV FTP.

#

# Enabled by default -- insert a "#" on the next line to deactivate 

#

#echo "ip_nat_ftp, "

#$MODPROBE ip_nat_ftp

#Loads the IRC NAT functionality into the core IPTABLES code

# Required to support NAT of IRC DCC requests

#

# Disabled by default -- remove the "#" on the next line to activate 

#

#echo -e "ip_nat_irc"

#$MODPROBE ip_nat_irc

#echo "----------------------------------------------------------------------"

# Just to be complete, here is a partial list of some of the other 

# IPTABLES kernel modules and their function.  Please note that most

# of these modules (the ipt ones) are automatically loaded by the

# master kernel module for proper operation and don't need to be

# manually loaded. 

# --------------------------------------------------------------------

#

#    ip_nat_snmp_basic - this module allows for proper NATing of some

#                        SNMP traffic

#

#    iptable_mangle    - this target allows for packets to be

#                        manipulated for things like the TCPMSS

#                        option, etc.

#

# --

#

#    ipt_mark       - this target marks a given packet for future action.

#                     This automatically loads the ipt_MARK module

#

#    ipt_tcpmss     - this target allows to manipulate the TCP MSS

#                     option for braindead remote firewalls.

#                     This automatically loads the ipt_TCPMSS module

#

#    ipt_limit      - this target allows for packets to be limited to

#                     to many hits per sec/min/hr

#

#    ipt_multiport  - this match allows for targets within a range

#                     of port numbers vs. listing each port individually

#

#    ipt_state      - this match allows to catch packets with various

#                     IP and TCP flags set/unset

#

#    ipt_unclean    - this match allows to catch packets that have invalid

#                     IP/TCP flags set

#

#    iptable_filter - this module allows for packets to be DROPped,

#                     REJECTed, or LOGged.  This module automatically

#                     loads the following modules:

#

#                     ipt_LOG - this target allows for packets to be

#                               logged

#

#                     ipt_REJECT - this target DROPs the packet and returns

#                                  a configurable ICMP packet back to the

#                                  sender.

#

#echo "Done loading modules.\n"

#CRITICAL:  Enable IP forwarding since it is disabled by default since 

#

#           Redhat Users:  you may try changing the options in

#                          /etc/sysconfig/network from:

#

#                       FORWARD_IPV4=false

#                             to

#                       FORWARD_IPV4=true

#

# Dynamic IP users:

#

#   If you get your IP address dynamically from SLIP, PPP, or DHCP, 

#   enable this following option.  This enables dynamic-address hacking

#   which makes the life with Diald and similar programs much easier.

#

echo "Enabling DynamicAddr..."

echo "1" > /proc/sys/net/ipv4/ip_dynaddr 

echo "Enabling forwarding..."

echo "1" > /proc/sys/net/ipv4/ip_forward

# Enable simple IP forwarding and Masquerading

#

#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.

#

#  NOTE #2:  The following is an example for an internal LAN address in the 

#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask

#            connecting to the Internet on external interface "eth0".  This

#            example will MASQ internal traffic out to the Internet but not

#            allow non-initiated traffic into your internal network.

#

#

#         ** Please change the above network numbers, subnet mask, and your

#         *** Internet connection interface name to match your setup 

#

#Clearing any previous configuration

#

#  Unless specified, the defaults for OUTPUT is ACCEPT

#    The default for INPUT, and FORWARD is DROP (REJECT is not a valid policy)

echo "Clearing any existing rules and setting default policy..."

$IPTABLES -F

$IPTABLES -F INPUT

$IPTABLES -F OUTPUT

$IPTABLES -F FORWARD

$IPTABLES -F -t nat

$IPTABLES -X

$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -P FORWARD DROP

# Uncomment to allow ssh to Watchdog from the Internet

#echo "Enabling SSH on port 2022 for Watchdog2..."

#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 2022 -j ACCEPT

#Allowing SSH on Port 2222

echo "Enabling SSH on port 2222 for Watchdog2..."

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

#BitTorrent

echo "Forwarding BitTorrent Port 8888 to 192.168.2.4..."

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8888 -j DNAT --to 192.168.2.4

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.4 --dport 8888 -j ACCEPT

echo "Allowing all connections out and only existing and related ones in..."

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -m state --state NEW -i ! $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -m state --state NEW -i ! $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW,INVALID -j DROP

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo "Forwarding SSH To Buckfutter..."

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 22 -j DNAT --to 192.168.2.2

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.2 --dport 22 -j ACCEPT

#Allow Connections From Local Network

echo "Allowing Local Connections..."

$IPTABLES -A INPUT -i lo -j ACCEPT

$IPTABLES -A OUTPUT -o lo -j ACCEPT

#Allow pptpd connections (port 1723)

echo "Allowing PPTP(VPN) Connections..."

$IPTABLES -A OUTPUT -p 47 -j ACCEPT

$IPTABLES -A INPUT -p 47 -j ACCEPT

$IPTABLES -A FORWARD -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT

$IPTABLES -A INPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT

#DNS

echo "Allowing DNS..."

#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 53 -j DNAT --to 192.168.2.12

#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d 192.168.2.12 --dport 53 -j ACCEPT

#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 53 -j DNAT --to 192.168.2.12

#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.12 --dport 53 -j ACCEPT

$IPTABLES -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $EXTIP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

$IPTABLES -A OUTPUT -p udp -s $EXTIP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -p udp -s 0/0 --sport 53 -d $EXTIP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

$IPTABLES -A OUTPUT -p udp -s $EXTIP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

# Here we define a new chain which is going to handle

# packets we don't want to respond to

# limit the amount of logs to 10/min

$IPTABLES -N Firewall

$IPTABLES -A Firewall -m limit --limit 10/minute -j LOG --log-prefix "Firewall: "

$IPTABLES -A Firewall -j DROP

# log those packets and inform the sender that the packet was rejected

$IPTABLES -N Rejectwall

$IPTABLES -A Rejectwall -m limit --limit 10/minute -j LOG --log-prefix "Rejectwall: "

$IPTABLES -A Rejectwall -j REJECT

# here we create a chain to deal with illegitimate packets

# and limit the number of alerts to 10/min

# packets will be dropped without informing the sender

$IPTABLES -N Badflags

$IPTABLES -A Badflags -m limit --limit 10/minute -j LOG --log-prefix "Badflags: "

$IPTABLES -A Badflags -j DROP

# A list of well known combination of Bad TCP flags

# we redirect those to the Badflags chain

# which is going to handle them (log and drop)

$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags

# Accept certain icmp message, drop the others

# and log them through the Firewall chain

echo "Allowing some ICMP requests, but not all..."

# 0 => echo reply

$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT

# 3 => Destination Unreachable

$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT

# 11 => Time Exceeded

$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT

#8 => Echo

# avoid ping flood

$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

$IPTABLES -A INPUT -p icmp -j Firewall

# Drop netbios from the outside, no log, just drop

echo "Dropping netbios from the outside..."

$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j DROP

echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF..."

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

$IPTABLES -A FORWARD -i $EXTIF -j ACCEPT

# Dropping Everything Else

echo "Blocking Everything Else And Logging It..." 

$IPTABLES -A INPUT -j Rejectwall

echo "Successfully Started Firewall v1.3 On Watchdog"

```

sshd_config:

```

#   $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $

# This is the sshd server system-wide configuration file.  See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented.  Uncommented options change a

# default value.

Port 2222

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new

# installations. In future the default will change to require explicit

# activation of protocol 1

Protocol 2

# HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h

#ServerKeyBits 768

# Logging

# obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

#PermitRootLogin yes

#StrictModes yes

#MaxAuthTries 6

#RSAAuthentication yes

#PubkeyAuthentication yes

#AuthorizedKeysFile   .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

# similar for protocol version 2

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!

PasswordAuthentication no

#PermitEmptyPasswords no

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#KerberosGetAFSToken no

# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 

# and session processing. If this is enabled, PAM authentication will 

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication.  Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

UsePAM yes

#AllowTcpForwarding yes

#GatewayPorts no

#X11Forwarding no

#X11DisplayOffset 10

#X11UseLocalhost yes

#PrintMotd yes

#PrintLastLog yes

#TCPKeepAlive yes

#UseLogin no

#UsePrivilegeSeparation yes

#PermitUserEnvironment no

#Compression delayed

#ClientAliveInterval 0

#ClientAliveCountMax 3

#UseDNS yes

#PidFile /var/run/sshd.pid

#MaxStartups 10

#PermitTunnel no

# no default banner path

#Banner /some/path

# override default of no subsystems

Subsystem   sftp   /usr/lib/misc/sftp-server

# Example of overriding settings on a per-user basis

#Match User anoncvs

#   X11Forwarding no

#   AllowTcpForwarding no

#   ForceCommand cvs server

```

Last edited by eulogious on Sat Feb 23, 2008 8:08 am; edited 1 time in total

----------

## Hu

In general, you should set the default policy before you flush the chains.  That avoids the possibility that a new connection will arrive while the chain has a policy of ACCEPT and no rules to drop the unexpected traffic.

You say that all other ports work fine.  Have you verified that connections for port 22 even make it to the machine on which the iptables script is run?  If an upstream computer is not routing port 22 to you properly, then there is nothing that your script can do.

----------

## eulogious

Hello, that's a good idea to move the default policy; I will do that.  The reason that I am saying that the port won't open is because I go to grc.com and have them probe that port, and instead of it showing up as either "open" or "closed", it says "stealth".  When I run a scan on a random port before I open it, it says "stealth", and then when I open it with my firewall script, it says "closed" because my computer doesn't have anything running on that port to make a connection.  When I scan a port that's running ssh, port 2222, it says "open".  Then, when I go to someone else's house and try to ssh in, I can't on port 22 (still says "stealth"), but I can on port 2222 (obviously says "open").  Again, this did work on another computer.  If I were to hook that computer up again, it works great.  I honestly have no idea why, just on this computer, it refuses to open port 22.  How would I verify if they are making it to the machine?  I am still trying to wrap my head around this firewall stuff.  I've got a really good grasp on it, but obviously I still need help with it.  I will try moving the default rules to see if that helps.  Any other suggestions?  Thanks for the response!   :Very Happy: 

----------

## eulogious

Ok, so I just moved the default policy above the section where the rules flushing is, and still no go.  The same thing.  Every other port is open and works, just not 22.    :Neutral: 

----------

## Hu

Use net-analyzer/tcpdump to monitor the Internet-facing interface.  Packet captures are done before netfilter processes the packet, so tcpdump can see a packet even if the firewall rules subsequently drop it.

----------

## gundelgauk

 *Quote:*   

> echo "Forwarding SSH To Buckfutter..."
> 
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 22 -j DNAT --to 192.168.2.2
> 
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.2 --dport 22 -j ACCEPT

 

Those are correct, but you also need to allow incoming connections from outside, or else they get dropped long before reaching the FORWARD table:

```
$IPTABLES -A INPUT -i $EXTIF -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
```

----------

## eulogious

Hello, thanks for the responses.  Hu, I haven't had time to mess around with tcpdump, but I will tonight.  Gundelgauk, I have tried four different variations of that same command and still no go.  I was on the same thought process with you a few days ago, but still no go.  Also if you look at my bittorrent statement, it's the same line as my ssh forwarding, and it works fine and says "open" when I probe it, so that can't be the answer:

```

#BitTorrent

echo "Forwarding BitTorrent Port 8888 to 192.168.2.4..."

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8888 -j DNAT --to 192.168.2.4

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.4 --dport 8888 -j ACCEPT 

```

Like I said in my first post, if I plug in my Ubuntu box and use it as my router, this EXACT same script runs on it, and all my ports forward and are open.  This is why I am confused as all hell.  It works on one distro, and not another.  Am I missing something here or what?  I just verified that Ubuntu does do it correctly.  So why on earth does this SAME script not work in Gentoo?  I am seriously at a loss here.  Thanks for everyone's help.  The Gentoo forums kick butt, which is one of the reasons that I am trying to get rid of Ubuntu, and again thanks a lot everyone.  I will post when I find out more info with tcpdump.

----------

## gundelgauk

Ok, that is indeed strange. Sorry, I'm also at a loss here. Tcpdump is a good idea. You might also want to have a look at your log files, since you do have LOG targets. If all else fails, you might also consider starting from scratch with a script that's as simple as possible, confirm that SSH forwarding works and add rules as you need them, each time confirming that the old ones still work as intended.

----------

## Hu

gundelgauk: there is no need for an INPUT rule if the packet is not meant to be taken as INPUT to the local machine.

eulogious: you did turn on IPv4 forwarding, right?  echo 1 > /proc/sys/net/ipv4/ip_forward to be sure.  If that fixes it, you can change the corresponding value in /etc/sysctl.conf to make it persist across reboots.  Ubuntu might have turned it on by default.

----------

## eulogious

Hu, yup, I turned that on; it's in my script right before I clear the rules and set the default policy  :Neutral: .  So ya, I will try tcpdump tonight when I am at work so that I will be able to actually use the connection; it's hard to test this from inside my network.  I will post what I find.  Thanks again to everyone for their time!

----------

## eulogious

Hello, sorry I haven't been doing anything...  I had connection problems with Comcast,  :Neutral:  and I had no internet for a day.  So I will try the tcpdump tonight now that I have a connection.  I will post with my findings.

----------

## eulogious

Ok, I don't get this.  It works.  I can't tell you why.  I did change the script a little, but I basically "reverted" back to the original one, and it works.  I think that maybe my problems with Comcast had something to do with it, I don't know.  I probed the port with grc.com and it now says "open".  Here's the last part of my script that matters.

```

# Dynamic IP users:

#

#   If you get your IP address dynamically from SLIP, PPP, or DHCP, 

#   enable this following option.  This enables dynamic-address hacking

#   which makes the life with Diald and similar programs much easier.

#

echo "Enabling DynamicAddr..."

echo "1" > /proc/sys/net/ipv4/ip_dynaddr 

# Enable simple IP forwarding and Masquerading

#

#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.

#

#  NOTE #2:  The following is an example for an internal LAN address in the 

#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask

#            connecting to the Internet on external interface "eth0".  This

#            example will MASQ internal traffic out to the Internet but not

#            allow non-initiated traffic into your internal network.

#

#

#         ** Please change the above network numbers, subnet mask, and your

#         *** Internet connection interface name to match your setup 

#

#Clearing any previous configuration

#

#  Unless specified, the defaults for OUTPUT is ACCEPT

#    The default for INPUT, and FORWARD is DROP (REJECT is not a valid policy)

echo "Clearing any existing rules and setting default policy..."

$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -P FORWARD DROP

$IPTABLES -F

$IPTABLES -F INPUT

$IPTABLES -F OUTPUT

$IPTABLES -F FORWARD

$IPTABLES -F -t nat

$IPTABLES -X

# Uncomment to allow ssh to Watchdog from the Internet

#echo "Enabling SSH on port 2022 for Watchdog2..."

#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 2022 -j ACCEPT

echo "Enabling SSH on port 2222 for Watchdog2..."

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

echo "Forwarding SSH To Buckfutter..."

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 22 -j DNAT --to 192.168.2.2

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.2 --dport 22 -j ACCEPT

#BitTorrent

echo "Forwarding BitTorrent Port 8888 to 192.168.2.4..."

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8888 -j DNAT --to 192.168.2.4

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.4 --dport 8888 -j ACCEPT

echo "Allowing all connections out and only existing and related ones in..."

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -m state --state NEW -i ! $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -m state --state NEW -i ! $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW,INVALID -j DROP

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

#Allow Connections From Local Network

echo "Allowing Local Connections..."

$IPTABLES -A INPUT -i lo -j ACCEPT

$IPTABLES -A OUTPUT -o lo -j ACCEPT

#Allow pptpd connections (port 1723)

echo "Allowing PPTP(VPN) Connections..."

$IPTABLES -A OUTPUT -p 47 -j ACCEPT

$IPTABLES -A INPUT -p 47 -j ACCEPT

$IPTABLES -A FORWARD -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT

$IPTABLES -A INPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT

#DNS

echo "Allowing DNS..."

#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 53 -j DNAT --to 192.168.2.12

#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d 192.168.2.12 --dport 53 -j ACCEPT

#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 53 -j DNAT --to 192.168.2.12

#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.12 --dport 53 -j ACCEPT

$IPTABLES -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $EXTIP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

$IPTABLES -A OUTPUT -p udp -s $EXTIP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -p udp -s 0/0 --sport 53 -d $EXTIP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

$IPTABLES -A OUTPUT -p udp -s $EXTIP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

# Here we define a new chain which is going to handle

# packets we don't want to respond to

# limit the amount of logs to 10/min

$IPTABLES -N Firewall

$IPTABLES -A Firewall -m limit --limit 10/minute -j LOG --log-prefix "Firewall: "

$IPTABLES -A Firewall -j DROP

# log those packets and inform the sender that the packet was rejected

$IPTABLES -N Rejectwall

$IPTABLES -A Rejectwall -m limit --limit 10/minute -j LOG --log-prefix "Rejectwall: "

$IPTABLES -A Rejectwall -j REJECT

# here we create a chain to deal with illegitimate packets

# and limit the number of alerts to 10/min

# packets will be dropped without informing the sender

$IPTABLES -N Badflags

$IPTABLES -A Badflags -m limit --limit 10/minute -j LOG --log-prefix "Badflags: "

$IPTABLES -A Badflags -j DROP

# A list of well known combination of Bad TCP flags

# we redirect those to the Badflags chain

# which is going to handle them (log and drop)

$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags

$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags

# Accept certain icmp message, drop the others

# and log them through the Firewall chain

echo "Allowing some ICMP requests, but not all..."

# 0 => echo reply

$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT

# 3 => Destination Unreachable

$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT

# 11 => Time Exceeded

$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT

#8 => Echo

# avoid ping flood

$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

$IPTABLES -A INPUT -p icmp -j Firewall

# Drop netbios from the outside, no log, just drop

echo "Dropping netbios from the outside..."

$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j DROP

echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF..."

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

$IPTABLES -A FORWARD -i $EXTIF -j ACCEPT

# Dropping Everything Else

echo "Blocking Everything Else And Logging It..." 

$IPTABLES -A INPUT -j Rejectwall

echo "Enabling forwarding..."

echo "1" > /proc/sys/net/ipv4/ip_forward

echo "Successfully Started Firewall v1.3 On Watchdog" 

```

I will mark this post as "solved" in a few days, just to make sure that this does work.  Man, I am happy that it works, but I am still puzzled why it just started working.  If anyone has any thoughts, please let me know.

----------

## eulogious

Ok, so it seems that all is well.  The only thing that I know that I did was I moved this line 

```
echo "1" > /proc/sys/net/ipv4/ip_forward
```

to the very bottom of my script.  The funny thing is that's where it was the first time that I ran the script, and it didn't work.  I don't know; maybe setting the default policy and then clearing the rules helped, or maybe Comcast is dumb.  I have also made it into an init script so that it will stop and start at boot.  Now on to QoS!  Anyways, it's fixed, and thanks everyone for your help!  Gentoo Rocks (especially the forums)!    :Laughing: 
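Between the two scripts the port-22 FORWARD rule moved from after the `-i $EXTIF -o $INTIF -m state --state NEW,INVALID -j DROP` rule to before it, and since a chain is evaluated top to bottom with the first terminating target winning, that alone turns a new inbound SYN (already DNAT'd to 192.168.2.2:22 by PREROUTING) from dropped into accepted, just as the port-8888 rule that always sat above the DROP always worked. The Python below is an added example, not code from the thread, that walks both FORWARD chains with that first-match semantics; the sample packets and the client address 203.0.113.7 are constructed.

```python
"""First-match walk of the FORWARD chain for a DNAT'd SSH SYN.

Added illustration, not code from the thread. It models the FORWARD rules of
the two scripts posted above under netfilter's first-match semantics and feeds
them constructed packets. Only the fields those rules actually test are kept.
"""
import ipaddress
from dataclasses import dataclass

EXTIF, INTIF = "eth0", "eth1"


@dataclass
class Packet:
    in_if: str     # interface the packet arrived on (-i)
    out_if: str    # interface the routing decision chose (-o)
    proto: str
    src: str
    dst: str       # destination after PREROUTING DNAT has rewritten it
    dport: int
    state: str     # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


def rule(target, **match):
    """One appended rule: the matches it tests and its target (-j)."""
    return (match, target)


NOT_EXTIF = ("not", EXTIF)  # models "-i ! $EXTIF"

# FORWARD rules of the first script, in the order that script appends them.
ORIGINAL_FORWARD = [
    rule("ACCEPT", in_if=EXTIF, out_if=INTIF, proto="tcp", dst="192.168.2.4", dport=8888),
    rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", state={"NEW"}, in_if=NOT_EXTIF),
    rule("ACCEPT", in_if=EXTIF, out_if=INTIF, state={"ESTABLISHED", "RELATED"}),
    rule("DROP", in_if=EXTIF, out_if=INTIF, state={"NEW", "INVALID"}),
    rule("ACCEPT", in_if=INTIF, out_if=EXTIF),
    rule("LOG"),  # sits below the DROP, so it never sees what rule 5 dropped
    rule("ACCEPT", in_if=EXTIF, out_if=INTIF, proto="tcp", dst="192.168.2.2", dport=22),
    rule("ACCEPT", src_net="192.168.2.0/24", dst_net="192.168.2.0/24"),
    rule("ACCEPT", in_if=EXTIF),
]

# FORWARD rules of the later, working script: the port-22 rule now leads.
REORDERED_FORWARD = [
    rule("ACCEPT", in_if=EXTIF, out_if=INTIF, proto="tcp", dst="192.168.2.2", dport=22),
    rule("ACCEPT", in_if=EXTIF, out_if=INTIF, proto="tcp", dst="192.168.2.4", dport=8888),
] + ORIGINAL_FORWARD[1:7] + ORIGINAL_FORWARD[8:]


def matches(match, pkt):
    """True when every match of the rule holds for pkt (no matches: hits all)."""
    for key, want in match.items():
        if key in ("src_net", "dst_net"):
            addr = pkt.src if key == "src_net" else pkt.dst
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(want):
                return False
        elif key == "state":
            if pkt.state not in want:
                return False
        elif isinstance(want, tuple) and want[0] == "not":
            if getattr(pkt, key) == want[1]:
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


def walk_chain(chain, pkt, policy="DROP"):
    """Return (verdict, 1-based index of the deciding rule) or (policy, None).

    Rules are tried top to bottom and the first terminating target wins;
    LOG is non-terminating, so the walk continues past it.
    """
    for idx, (match, target) in enumerate(chain, start=1):
        if matches(match, pkt) and target != "LOG":
            return target, idx
    return policy, None


# Constructed samples; 203.0.113.7 (documentation range) stands in for the
# remote client. The SYNs have already been DNAT'd by PREROUTING, so the
# routing decision has chosen eth1 for them.
SSH_SYN = Packet("eth0", "eth1", "tcp", "203.0.113.7", "192.168.2.2", 22, "NEW")
TORRENT_SYN = Packet("eth0", "eth1", "tcp", "203.0.113.7", "192.168.2.4", 8888, "NEW")
SSH_REPLY = Packet("eth1", "eth0", "tcp", "192.168.2.2", "203.0.113.7", 40000, "ESTABLISHED")


def compare():
    """Verdict of both FORWARD chains for each sample packet."""
    samples = {"ssh_syn": SSH_SYN, "torrent_syn": TORRENT_SYN, "ssh_reply": SSH_REPLY}
    return {name: {"original": walk_chain(ORIGINAL_FORWARD, pkt),
                   "reordered": walk_chain(REORDERED_FORWARD, pkt)}
            for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12s} original={verdicts['original']} reordered={verdicts['reordered']}")
```

Running it shows the SSH SYN stopping at rule 5 (the DROP) in the first ordering and at rule 1 in the second, while the BitTorrent SYN is accepted by both; on a real box, `iptables -L FORWARD -v -n` shows the same first-match effect in the per-rule packet counters.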

----------

## Zepp

 *eulogious wrote:*   

> Ok, so it seems that all is well.  The only thing that I know that I did was I moved this line 
> 
> ```
> echo "1" > /proc/sys/net/ipv4/ip_forward
> ```
> ...

 

Why do people write these custom scripts to restore iptables, why not just use /etc/init.d/iptables save?

----------

## eulogious

And why do people say stuff that is totally not on topic with the post (the post wasn't about making the script, it was about why the iptables function wasn't working), and when the post is marked solved?  Questions no one will ever be able to answer...

----------

## Zepp

 *eulogious wrote:*   

> And why do people say stuff that is totally not on topic with the post (post wasn't about making the script, its was about why the iptables function wasn't working), and when the post is marked solved?  Questions no one will ever be able to answer...

 

*shrug* report it and have it moved to off the wall if you care so much  :Razz: .

----------

## eulogious

Hey, since we have each other's attention, and you have been around a while, what do you think of my iptables rules?  It's really my first try at this, so I have done a lot of research, but I really don't know.  If you've got any input, let me know  :Wink: 

----------

## benkong2

I have the Rejectwall rule and the firewall works perfectly.  But..... my logs are filled with this:

```
peter kernel: [1220500.732752] Rejectwall: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:31:f4:28:01:08:00 SRC=10.125.96.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21843 PROTO=UDP SPT=67 DPT=68 LEN=308
```

This is not my internal network; it is all 10.0.0.???.  Also, I have a Road Runner cable modem, so could it possibly come from there?

What does it all mean?
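An added example, not part of the thread, that parses a netfilter LOG line such as the Rejectwall one above into its fields and labels it: UDP from source port 67 to destination port 68 is a DHCP server answering a client, and DST=255.255.255.255 with a destination MAC of ff:ff:ff:ff:ff:ff is the limited broadcast that every host on the segment receives, which is why a catch-all REJECT at the end of INPUT logs it. The second sample line, its MAC addresses and its 203.0.113.0/24 and 192.0.2.0/24 addresses are constructed.

```python
"""Parse a netfilter LOG line and label the common noise it reports.

Added example, not code from the thread. It splits the KEY=VALUE fields that
the LOG target writes, decodes the MAC= field, and classifies the packet.
"""
import re

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # a value may be empty, e.g. "OUT="

# Constructed samples: the first is the Rejectwall line quoted above, the
# second an invented TCP SYN from the documentation range 203.0.113.0/24.
SAMPLE_DHCP = (
    "peter kernel: [1220500.732752] Rejectwall: IN=eth1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:0c:31:f4:28:01:08:00 SRC=10.125.96.1 "
    "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21843 "
    "PROTO=UDP SPT=67 DPT=68 LEN=308"
)
SAMPLE_SYN = (
    "peter kernel: [1220600.000001] Rejectwall: IN=eth0 OUT= "
    "MAC=00:0c:31:f4:28:02:00:11:22:33:44:55:08:00 SRC=203.0.113.9 "
    "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
    "PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"
)


def parse_log_line(line):
    """Return the LOG fields as a dict, plus PREFIX (the --log-prefix) and FLAGS."""
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line")
    head = line[:start].rstrip()             # "... Rejectwall:"
    head = head.rsplit("] ", 1)[-1]          # drop syslog host and timestamp
    prefix = head.rsplit(": ", 1)[-1].rstrip(":")
    rest = line[start:]
    fields = {"PREFIX": prefix}
    for key, value in FIELD_RE.findall(rest):
        if key in fields:   # LEN appears twice: IP total length, then UDP/TCP length
            key += "2"
        fields[key] = value
    # bare tokens (DF, SYN, ACK, ...) carry the IP and TCP flags
    fields["FLAGS"] = [tok for tok in rest.split() if "=" not in tok]
    return fields


def decode_mac_field(mac_field):
    """Split MAC= into destination MAC, source MAC and the 2-byte EtherType."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        return {}
    return {"dst_mac": ":".join(octets[:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": "".join(octets[12:])}   # 0800 is IPv4


def classify(fields):
    """Name the traffic so a log reader knows whether the entry needs attention."""
    proto = fields.get("PROTO")
    ports = (fields.get("SPT"), fields.get("DPT"))
    if proto == "UDP" and ports == ("67", "68"):
        return "dhcp-server-to-client"      # DHCPOFFER/DHCPACK, often broadcast
    if proto == "UDP" and ports == ("68", "67"):
        return "dhcp-client-to-server"
    if proto == "UDP" and ports[1] in ("137", "138"):
        return "netbios"
    if fields.get("DST") == "255.255.255.255":
        return "limited-broadcast"
    return "unclassified"


def summarize(line):
    """One flat record per log line, ready for counting or alerting."""
    fields = parse_log_line(line)
    mac = decode_mac_field(fields.get("MAC", ""))
    return {
        "prefix": fields["PREFIX"],
        "in_if": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "ip_len": int(fields["LEN"]),
        "payload_len": int(fields["LEN2"]) if "LEN2" in fields else None,
        "flags": fields["FLAGS"],
        "broadcast": fields.get("DST") == "255.255.255.255"
                     or mac.get("dst_mac") == "ff:ff:ff:ff:ff:ff",
        "category": classify(fields),
        **mac,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_DHCP, SAMPLE_SYN):
        print(summarize(sample))
```

A rule such as `-A INPUT -p udp --sport 67 --dport 68 -j DROP` placed before the Rejectwall jump keeps that broadcast out of the logs without changing what the firewall does with it.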

----------

