[CentOS] Iptables - PREROUTING

David González Romero

dgr at snap.cu
Fri May 20 14:51:30 UTC 2005


I have a server with 2 network interfaces, where eth0 is the interface
connected to the internet and eth1 to the internal network. This server has
only a Squid, but I am setting up iptables to protect the server.
Iptables runs from a script, and in this script I set the redirection for
the other server in my internal network on ports 80 and 443. I followed the
different how-tos and many manuals, but the redirect does not work; the NAT
POSTROUTING works and the Squid works too. My DNS is OK, because when I
query with the dig command the answer is the assigned IP. Here I put a copy
of my script:

--------------- Begin the Script
## Delete rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F

## Load modules
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

## Flush all rules, delete user chains, zero counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

## Default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

## Filter begins
## Note: eth0 is the network interface connected to the router and
##       eth1 is connected to the LAN

## Allow everything on localhost
iptables -A INPUT -i lo -j ACCEPT

## Drop ping (ICMP echo-request) arriving on eth0
iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-request -j DROP

## Accept all packets from the router's range and from the LAN to this host
## (rango_ip/29 is left as written in the original post)
iptables -A INPUT -i eth0 -s rango_ip/29 -d 0/0 -p all -j ACCEPT
iptables -A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.211/32 -p all -j ACCEPT

## Redirect the web server (DNAT of ports 80 and 443 arriving on eth0)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443

## Forward web and DNS traffic coming from the LAN on eth1
iptables -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT

iptables -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT

## DNS: accept fully
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT

## SQUID
iptables -A INPUT -p tcp -m tcp --sport 3128 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 3128 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 3128 -j ACCEPT

# Close the well-known port range on eth0
iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 1:1024 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p udp --dport 1:1024 -j DROP

# Close the webmin port on eth0
iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 10000 -j DROP

## LOGGING
# Log everything that reaches the end of INPUT, OUTPUT and FORWARD
iptables -A INPUT -j LOG --log-level info
iptables -A OUTPUT -j LOG --log-level info
iptables -A FORWARD -j LOG --log-level info

## End of table FILTER

## General MASQUERADE (selected LAN hosts going out through eth0)
iptables -t nat -A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.1/32 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE

## Forwarding between the network interfaces
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Dump the filter table to a file and page through it
/sbin/iptables -L -n > /etc/sysconfig/show
/usr/bin/less /etc/sysconfig/show
-----------------------------End of Script

The output of the command "iptables -L -t nat" shows me this:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:172.16.0.3:80
DNAT tcp -- anywhere anywhere tcp dpt:https to:172.16.0.3:443

Any solutions?
Regards,
David

_________________________________________
Tec. David Gonzalez Romero
Network/System Administrator
CNAP- Centro Nacional Áreas Protegidas
Linux counter: 242534
_________________________________________
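A point worth checking in a ruleset like the one above: once PREROUTING has rewritten the destination to 172.16.0.3, the packet is routed and traverses the FORWARD chain with its new destination but its original (internet) source and ingress interface eth0, so FORWARD rules written as "-i eth1 -s 172.16.0.0/24" never match it and the DNAT ends up depending on whatever the FORWARD default policy is. The following static checker is an added example, not code from the post or from CentOS; it parses iptables command lines from a script with a deliberately simplified matching model (it ignores rule order, -m state and protocol, and treats a rule with a restricted -s as not covering internet-originated traffic) and reports, for every PREROUTING DNAT, whether an explicit FORWARD ACCEPT covers the translated flow, whether the DNAT silently relies on a default ACCEPT policy, whether ip_forward is enabled, and whether any address token is an unresolved placeholder. The SCRIPT constant is an excerpt of the post's rules with the mail line-wraps joined.

```python
"""Static sanity checker for DNAT rules in an iptables shell script (added example)."""
import re
import shlex

# Excerpt of the ruleset from the post above, long lines joined; this is text, not a live system.
SCRIPT = """
iptables -P FORWARD ACCEPT
iptables -A INPUT -i eth0 -s rango_ip/29 -d 0/0 -p all -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443
iptables -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT
iptables -A FORWARD -j LOG --log-level info
echo 1 > /proc/sys/net/ipv4/ip_forward
"""

IPV4_CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")
ANY_SOURCE = (None, "0/0", "0.0.0.0/0")

def parse_rule(line):
    """Turn one 'iptables ...' line into a dict of the options we model; None for other lines."""
    argv = shlex.split(line)
    if not argv or not argv[0].endswith("iptables"):
        return None
    rule = {"table": "filter", "action": None, "chain": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "-t":
            rule["table"] = argv[i + 1]
            i += 2
        elif tok in ("-A", "-P"):
            rule["action"], rule["chain"] = tok, argv[i + 1]
            if tok == "-P":
                rule["policy"] = argv[i + 2]
                i += 3
            else:
                i += 2
        elif tok in ("-i", "-o", "-s", "-d", "-p", "-j", "--dport", "--sport", "--to", "--to-destination"):
            key = "to" if tok in ("--to", "--to-destination") else tok.lstrip("-")
            rule[key] = argv[i + 1]
            i += 2
        else:
            i += 1  # options not modelled here (-m tcp, --log-level, -F, -X ...)
    return rule

def load_rules(script):
    """Parse every line; also detect whether ip_forward is switched on somewhere in the script."""
    lines = script.splitlines()
    rules = [r for r in map(parse_rule, lines) if r]
    forwarding = any(ln.strip().startswith("echo 1") and "ip_forward" in ln for ln in lines)
    return rules, forwarding

def forward_allows(rules, in_if, dst_ip, dport):
    """True if an explicit FORWARD ACCEPT rule covers a DNATed flow from the internet.

    Simplification (assumption of this example): a rule restricted by -s is treated as not
    matching internet-originated traffic, and -i / -d / --dport must be absent or equal.
    """
    for r in rules:
        if (r["table"], r["chain"], r["action"], r.get("j")) != ("filter", "FORWARD", "-A", "ACCEPT"):
            continue
        if r.get("s") not in ANY_SOURCE:
            continue
        if r.get("i") not in (None, in_if):
            continue
        if r.get("d") not in (None, dst_ip, dst_ip + "/32"):
            continue
        if r.get("dport") not in (None, dport):
            continue
        return True
    return False

def check(script):
    """Return a list of findings (strings) about the DNAT rules in the script."""
    rules, forwarding = load_rules(script)
    findings = []
    if not forwarding:
        findings.append("ip_forward is never enabled; DNATed packets will not be routed")
    policy = next((r["policy"] for r in rules
                   if r["action"] == "-P" and r["table"] == "filter" and r["chain"] == "FORWARD"), "ACCEPT")
    for r in rules:
        for key in ("s", "d"):  # unresolved placeholders such as rango_ip/29 never match any packet
            v = r.get(key)
            if v and v != "0/0" and not IPV4_CIDR.match(v):
                findings.append(f"unresolved placeholder {v!r} in {r['chain']} rule")
        if r["table"] == "nat" and r["chain"] == "PREROUTING" and r.get("j") == "DNAT":
            ip, _, port = r["to"].partition(":")
            port = port or r.get("dport")  # FORWARD sees the translated destination port
            if forward_allows(rules, r.get("i"), ip, port):
                continue
            if policy == "ACCEPT":
                findings.append(f"DNAT to {ip}:{port}: no explicit FORWARD ACCEPT from "
                                f"{r.get('i')}; relies on FORWARD policy ACCEPT")
            else:
                findings.append(f"DNAT to {ip}:{port}: blocked, no FORWARD ACCEPT and policy is {policy}")
    return findings

if __name__ == "__main__":
    for finding in check(SCRIPT):
        print(finding)
```

Run against the excerpt, the checker reports the placeholder address and that both DNAT rules rest on the FORWARD policy being ACCEPT; appending an explicit rule such as "iptables -A FORWARD -i eth0 -p tcp -d 172.16.0.3 --dport 80 -j ACCEPT" clears the finding for port 80. That is the kind of check a defender wants in place before tightening the FORWARD policy to DROP, which would otherwise silently break the redirect.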


