Re: iptables question

From: Lance Levsen <lance_at_no.spam.please>
Date: Mon Oct 15 2007 - 15:14:07 CST

It's been too long since I sat down and wrote mine, so take this w/ a
grain of salt.

#binary
IPTABLES="/sbin/iptables"
# Internet interface
IFINET="eth1"
# Outside IP
DANGER="<outside IP address here>"
# Inside network
CATPRINTNET="192.168.43.0/24"

${IPTABLES} -t nat -P PREROUTING ACCEPT
${IPTABLES} -t nat -P OUTPUT ACCEPT
${IPTABLES} -t nat -P POSTROUTING ACCEPT

# Source NAT packets on the way out.
${IPTABLES} -t nat -A POSTROUTING -o ${IFINET} -j SNAT --to-source ${DANGER}

# Allow NEW, ESTABLISHED, RELATED out, ESTABLISHED, RELATED in
${IPTABLES} -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -t nat -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow NEW, ESTABLISHED, RELATED out, ESTABLISHED, RELATED to be FORWARDED
${IPTABLES} -A FORWARD -s ${CATPRINTNET} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -d ${CATPRINTNET} -m state --state ESTABLISHED,RELATED -j ACCEPT

You may need more. FWIW, I drop all INPUT, OUTPUT and FORWARD and
explicitly open them, like this:

# Allow HTTP/HTTPS/SMTP/SSH forwarded to dante from external
# (the *_PORT variables and DANTE, the internal host, are set elsewhere in the script, not shown here)
list="$HTTP_PORT $HTTPS_PORT $SMTP_PORT $SSH_PORT $IMAPS_PORT"
for i in ${list}; do
     ${IPTABLES} -t nat -A PREROUTING -p tcp --dport ${i} -i ${IFINET} -j DNAT --to-destination ${DANTE}
     ${IPTABLES} -A FORWARD -p tcp --dport ${i} -d ${DANTE} -j ACCEPT
     ${IPTABLES} -A FORWARD -p tcp --sport ${i} -s ${DANTE} -j ACCEPT
done

Hope that helps.

Cheers,
lance

rob wrote:
> Hi iptables gurus
>
> could someone assume the lotus position and tell me how to reverse NAT
> properly?
>
>
> iptables -t nat -A POSTROUTING -d 208.185.9.1 -s 208.185.9.0/24 -p tcp --dport 18245 -j SNAT --to 208.185.9.236
>
>
> I am trying to map a private side address (208.185.9.0/24, I know, I know,
> it's not an IEEE non-routable, but anyway that is set up as a private side).
> Any TCP coming in for port 18245 needs to go to 208.285.9.236, which
> doesn't have a gateway on it, and I need the packet edited to say the
> source addr is the NATting router, 208.185.9.1 (backend) / 128.233.18.148
> (frontend). Does my above command look valid? If so, how do I see that it's
> being used? iptables -L doesn't show it.
>
>
> more pertinent info:
> rp# uname -a
> Linux rp 2.4.30 #2 Thu May 5 03:57:22 EDT 2005 i686 unknown
>
>
> rp# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> remote-admin all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> DROP all -- anywhere anywhere state
> INVALID
> DROP all -- anywhere anywhere state NEW
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> access-acl all -- anywhere anywhere
> autofw-acl all -- anywhere anywhere
> portfw-acl all -- anywhere anywhere
> user-filter all -- anywhere anywhere
> port-filter all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> DROP all -- anywhere anywhere state
> INVALID
> DROP all -- anywhere anywhere state NEW
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain access-acl (1 references)
> target prot opt source destination
>
> Chain autofw-acl (1 references)
> target prot opt source destination
>
> Chain port-filter (1 references)
> target prot opt source destination
>
> Chain portfw-acl (1 references)
> target prot opt source destination
>
> Chain remote-admin (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp
> spts:1024:65535 dpt:99
> ACCEPT icmp -- anywhere anywhere icmp
> echo-request
>
> Chain user-filter (1 references)
> target prot opt source destination
> rp#
>
>
>
>
> --
> I'm interested in upgrading my 28.8 kilobaud internet connection to a
> 1.5 megabit fiberoptic T1 line. Will you be able to provide an IP
> router that's compatible with my token ring ethernet LAN configuration?
>
> To unsubscribe, send a message with the word "unsubscribe" (without the
> quotes) in the body to linux-request@slg.org
> Archives are at http://list.slg.org/
Received on Mon Oct 15 15:14:13 2007

This archive was generated by hypermail 2.1.8 : Mon Oct 15 2007 - 15:14:16 CST
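The pattern from Lance's reply (SNAT out, DNAT in with matching FORWARD rules, default-DROP filter policies) written out as one complete script. This is an added example, not the original poster's script: the interface name, addresses, port list and the internal host DANTE are assumed values, and the DRY_RUN switch prints the commands instead of running them so the ruleset can be reviewed before it is applied. It also answers rob's "iptables -L doesn't show it": nat-table rules are only listed with -t nat.

```shell
#!/bin/sh
# Added example, not the original poster's script. All addresses, interface
# names and the port list below are assumed values.
IPTABLES="/sbin/iptables"
IFINET="eth1"                   # Internet-facing interface (assumed)
DANGER="203.0.113.10"           # outside IP (assumed, documentation range)
CATPRINTNET="192.168.43.0/24"   # inside network
DANTE="192.168.43.5"            # inside host receiving forwarded ports (assumed)
FWD_PORTS="80 443 25 22 993"    # HTTP HTTPS SMTP SSH IMAPS

# With DRY_RUN=1 the commands are printed instead of executed, so the rule set
# can be reviewed (or tested) without root and without touching the live box.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

apply_rules() {
    ipt -F; ipt -t nat -F
    # Default deny in the filter table; nat chains only rewrite, so they stay ACCEPT.
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP
    ipt -t nat -P PREROUTING ACCEPT; ipt -t nat -P POSTROUTING ACCEPT
    # Inside network leaves with the outside address as source.
    ipt -t nat -A POSTROUTING -s "$CATPRINTNET" -o "$IFINET" -j SNAT --to-source "$DANGER"
    # The router itself: anything out, only replies back in.
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inside hosts may open connections outward; only replies are forwarded back.
    ipt -A FORWARD -s "$CATPRINTNET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -d "$CATPRINTNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Port forwards: DNAT rewrites the destination in PREROUTING, but the rewritten
    # packet still has to pass FORWARD (policy DROP), so each DNAT needs an ACCEPT.
    # Return traffic is covered by the ESTABLISHED rule above since DANTE is in CATPRINTNET.
    for port in $FWD_PORTS; do
        ipt -t nat -A PREROUTING -i "$IFINET" -p tcp --dport "$port" -j DNAT --to-destination "$DANTE"
        ipt -A FORWARD -i "$IFINET" -p tcp -d "$DANTE" --dport "$port" -j ACCEPT
    done
}

# Number of rule-adding (-A) commands the script issues; handy for review and tests.
count_rules() { ( DRY_RUN=1; apply_rules ) | grep -c -- ' -A '; }

# A plain "iptables -L" lists only the filter table; -t nat selects the nat table,
# -n skips DNS lookups and -v adds the packet/byte counters that show a rule is hit.
show_rules() { ipt -t nat -L -n -v; ipt -L -n -v; }
```

Run with `DRY_RUN=1 sh -c '. ./fw.sh; apply_rules'` to see the generated commands before applying them for real.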