# IPTABLES Hell.

## metalhedd

I really need some help with iptables. I've been trying to get basic NAT working all day, using a bunch of different example scripts etc., and I just can't get it to work. The boxes on the internal network can't make any contact with the outside network.

The only thing I need it to do is standard NAT and have it redirect incoming web traffic to my webserver machine on the internal network.

Can someone please give me an example script that will do this? My internal network is on eth0; it uses 192.168.0.X for its IPs, assigned by DHCP.

eth1 is the external interface, which gets its ip from dhcp as well.

my website has been down all day and I could really use some help getting it back up ASAP.

Thanks in advance!

Andre

----------

## Crg

 *metalhedd wrote:*   

> I really need some help with iptables. I've been trying to get basic NAT working all day, using a bunch of different example scripts etc., and I just can't get it to work. The boxes on the internal network can't make any contact with the outside network.
> 
> The only thing I need it to do is standard NAT and have it redirect incoming web traffic to my webserver machine on the internal network.
> 
> Can someone please give me an example script that will do this? My internal network is on eth0; it uses 192.168.0.X for its IPs, assigned by DHCP.
> ...

 

The simplest one would be something like this - no logging, nothing fancy, no restrictions on the internal network, etc.

```
# Allow the machine to route packets.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Interfaces use dynamic IP.
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Set default policies.
# Packets destined for the firewall box itself.
iptables -P INPUT DROP

# Packets from the firewall itself.
iptables -P OUTPUT ACCEPT

# Forwarded packets.
iptables -P FORWARD DROP

# Allow established connections.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow internal network to reach the net.
iptables -A FORWARD -i eth0 -j ACCEPT

# IP masquerading
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE

# Port forwarding for webserver
iptables -A PREROUTING -t nat -i eth1 -p tcp \
        --dport 80 -j DNAT --to web.server.ip.addr

# With the FORWARD policy set to DROP, the DNAT'd packets arriving on eth1
# must also be accepted in FORWARD, or the port forward never reaches the
# webserver.
iptables -A FORWARD -i eth1 -p tcp -d web.server.ip.addr --dport 80 -j ACCEPT
```

Last edited by Crg on Fri Mar 14, 2003 1:46 am; edited 2 times in total
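As an added example (not Crg's script above, though it builds the same rule set), here is a parameterised version that prints the rules so they can be reviewed before being applied as root; it also starts from a flushed table so re-running it does not stack duplicate rules, and it accepts the DNAT'd web traffic in FORWARD, which a DROP policy would otherwise block. The interface names and the webserver address passed to it (eth0, eth1, 192.168.0.2) are assumptions.

```bash
#!/bin/sh
# nat-rules.sh: generate, and optionally apply, a NAT + port-forward rule set.
# Example code for this thread; LAN_IF/WAN_IF/WEB_IP are assumed values.
# Usage:  nat-rules.sh eth0 eth1 192.168.0.2          (print rules only)
#         nat-rules.sh apply eth0 eth1 192.168.0.2    (apply them, needs root)

gen_nat_rules() {
    lan=$1; wan=$2; web=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Start from a clean slate so re-running does not duplicate rules.
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Loopback, and replies to connections the NAT box itself opened.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The LAN may talk to the NAT box (ssh, DHCP, DNS); nothing else may.
iptables -A INPUT -i $lan -j ACCEPT
# LAN -> internet, plus the return traffic.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
# From outside, only the DNAT'd web traffic may enter the LAN.
iptables -A FORWARD -i $wan -o $lan -p tcp -d $web --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web
EOF
}

if [ "$1" = "apply" ]; then
    shift
    gen_nat_rules "$@" | sh -e      # stop at the first rule iptables rejects
elif [ $# -eq 3 ]; then
    gen_nat_rules "$@"
fi
```

Running it without `apply` lets you diff the generated rules against `iptables-save` output before touching the live firewall.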

----------

## metalhedd

Thanks for the prompt reply, but it's not working  :Sad: 

It's giving me the error 'can't use -o with PREROUTING'

edit: Just noticed that the -o is used with ppp0. I don't use ppp at all, and have no need for ppp. Can I remove that line altogether?

----------

## Crg

 *metalhedd wrote:*   

> Thanks for the prompt reply, but it's not working 
> 
> It's giving me the error 'can't use -o with PREROUTING'
> 
> edit: Just noticed that the -o is used with ppp0. I don't use ppp at all, and have no need for ppp. Can I remove that line altogether?

 

Oops, sorry about that, that's supposed to be:

```
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
```


----------

## metalhedd

Ok, I changed that. Now I'm getting Bad argument ` '

----------

## metalhedd

Ok, I fixed that problem. The script executes without errors, but I still have no access to the internet from the internal network.

and I can't ssh into the nat box either.

----------

## Crg

 *metalhedd wrote:*   

> Ok, I fixed that problem. The script executes without errors, but I still have no access to the internet from the internal network.
> 
> and I can't ssh into the nat box either.

 

Right, to access the NAT box from the internal network you might want to add:

```
iptables -A INPUT -i eth0 -j ACCEPT
```

The internal machines - do they have the NAT box's IP address set up as their gateway?

----------

## metalhedd

 *Crg wrote:*   

> Right, to access the NAT box from the internal network you might want to add:
> ...

 

where would I add that?

 *Crg wrote:*   

> The internal machines - do they have the NAT box's IP address set up as their gateway?

 

The NAT box uses DHCP to give out IPs to the internal network, so I had assumed that they would take care of their own gateway settings; correct me if I'm wrong on that though.

----------

## Crg

 *metalhedd wrote:*   

> *Crg wrote:* Right, to access the NAT box from the internal network you might want to add:
> ...

 

The DHCP server will need to tell its clients to use the NAT box's IP address as their gateway for them to have access to the net. Do you know if it does?

----------

## Crg

 *metalhedd wrote:*   

> *Crg wrote:* Right, to access the NAT box from the internal network you might want to add:
> ...

 

At the end of the script is fine.

----------

## metalhedd

Here's my dhcpd.conf file. I think the option routers line is what you were referring to, and yes, that is the IP of the gateway machine.

```
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
option domain-name-servers 24.153.23.66, 24.153.22.195;
option domain-name "dethbox.org";
ddns-update-style ad-hoc;
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.3 192.168.0.20;
}
```

----------

## Crg

 *metalhedd wrote:*   

> option routers 192.168.0.1;

 

Hmm... should be fine then.

Can you run the command:

```
iptables -I FORWARD -j LOG --log-prefix "FORWARDED: "
```

then try and access the internet from a client, then have a look and see if anything is logged in the system logs on the NAT box?
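To make sense of what that LOG rule produces, here is an added example (not from the thread) that tallies the "FORWARDED: " kernel log lines by interface pair and address, so you can see whether packets leaving eth0 for eth1 are getting replies back through the NAT at all. The log lines embedded in it are constructed samples in the standard iptables LOG format, and the addresses in them are assumed.

```bash
#!/bin/sh
# forward-log-summary.sh: summarise iptables LOG lines tagged "FORWARDED: ".
# Example code for this thread; reads syslog-format lines on stdin.
# Usage: grep FORWARDED /var/log/messages | summarize_forward_log

# Prints "<count> IN->OUT SRC -> DST:DPT" per flow, most frequent first.
# Only lines in the kernel LOG format (IN= OUT= SRC= DST= ... DPT=) are counted.
summarize_forward_log() {
    awk '
    /kernel:.*FORWARDED: / {
        in_if = out_if = src = dst = dpt = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")  in_if  = kv[2]
            if (kv[1] == "OUT") out_if = kv[2]
            if (kv[1] == "SRC") src    = kv[2]
            if (kv[1] == "DST") dst    = kv[2]
            if (kv[1] == "DPT") dpt    = kv[2]
        }
        count[in_if "->" out_if " " src " -> " dst ":" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample: one client whose DNS query gets a reply back (eth1->eth0
# line), and one client whose web SYN goes out with no reply logged.
SAMPLE_LOG=$(cat <<'EOF'
Mar 14 01:50:12 natbox kernel: FORWARDED: IN=eth0 OUT=eth1 SRC=192.168.0.5 DST=24.153.23.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1025 DPT=53 LEN=40
Mar 14 01:50:12 natbox kernel: FORWARDED: IN=eth0 OUT=eth1 SRC=192.168.0.5 DST=24.153.23.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=1025 DPT=53 LEN=40
Mar 14 01:50:13 natbox kernel: FORWARDED: IN=eth1 OUT=eth0 SRC=24.153.23.66 DST=192.168.0.5 LEN=76 TOS=0x00 PREC=0x00 TTL=55 ID=3 PROTO=UDP SPT=53 DPT=1025 LEN=56
Mar 14 01:50:20 natbox kernel: FORWARDED: IN=eth0 OUT=eth1 SRC=192.168.0.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
)

printf '%s\n' "$SAMPLE_LOG" | summarize_forward_log
```

A listing with only eth0->eth1 entries and no eth1->eth0 replies points past the FORWARD chain, to masquerading or the upstream side, rather than to forwarding itself.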

----------

## Crg

Nice bunny BTW  :Smile: 

----------

## metalhedd

How did you find the Bunny?

Did I post the website addr somewhere?

Ahh well, yeah, it's funny  :Smile: 

Ok, I did the logging thing and it's showing a lot of forwarded packets in the logfiles.

I noticed that /etc/resolv.conf shows:

```
search bawk.phub.net.cable.rogers.com
```

after listing the domain name servers, but when getting its IP from the NAT box, resolv.conf shows:

```
search dethbox.org
```

dethbox.org isn't a real domain name, it's just what I made up for the NAT box. Does it have to be dethbox.org in my /etc/hosts and /etc/hostname too?

----------

## Crg

 *metalhedd wrote:*   

> Ok, I did the logging thing and it's showing a lot of forwarded packets in the logfiles.

 

Hmm..... what have I missed? It's late at night here so it's quite possible I've missed something  :Smile: 

You can reach the internet from the NAT box?

 *Quote:*   

> dethbox.org isn't a real domain name, it's just what I made up for the NAT box. Does it have to be dethbox.org in my /etc/hosts and /etc/hostname too?

 

The search part just tells it what domains to append, so it's not that important, i.e. if you have:

```
search dethbox.org
```

and type 

```
ping nat
```

it will try to resolve both "nat" and "nat.dethbox.org".

----------

## metalhedd

 *Crg wrote:*   

> You can reach the internet from the NAT box?

 

Yep. Works fine from the NAT box... I can emerge programs and ping stuff.

Is there anything other than the iptables script that could be wrong? It's possible I misconfigured something else, I've never done this before.  :Smile: 

----------

## Crg

 *metalhedd wrote:*   

>  *Crg wrote:*   You can reach the internet from the NAT box? 
> 
> Yep. Works fine from the NAT box... I can emerge programs and ping stuff.
> 
> Is there anything other than the iptables script that could be wrong? It's possible I misconfigured something else, I've never done this before. 

 

Hmmm.... one mistake that is often made is that forwarding isn't enabled, but that's what the 

```
echo "1" > /proc/sys/net/ipv4/ip_forward
```

line does.

Also, the forwarding logs show packets being forwarded....

What does a traceroute from one of the clients show?

Also, are you able to carry the discussion on over email, as there should be less delay so it can get sorted quicker  :Smile: 

----------

## keratos68

If you're happy with command-lining everything then so be it, but Guarddog might be worth a look. There is an emerge for it!

----------

## Koon

 *dazzle68 wrote:*   

> If you're happy with command-lining everything then so be it, but Guarddog might be worth a look. There is an emerge for it!

 

You can also check out Shorewall (don't know if there is an ebuild yet, but it's just a bunch of shell scripts and config files): it's almost as powerful as command-lining everything and it's a little more user friendly.

-K

----------

## neilhwatson

I have a first stable version of my own firewall. It's configurable by commenting out the services you don't need. If people are interested I'll post it. Be warned, it is lengthy and built for control freaks.

----------

## digitalnick

I just used the firewall script in the iptables howto for basic setup... everything is open, but NAT worked after running it. You can then proceed to figure out what all you need open, then lock down everything and just open what you need.

----------

