[ILUG] really being specific with iptables.

Pawel Bogucki pawel.bogucki at gmail.com
Wed Jan 9 09:00:02 GMT 2008


On Jan 8, 2008 10:33 PM, Darragh <lists at digitaldarragh.com> wrote:
> Hello there,
> I may be stretching the functionality that one machine can provide, and if
> so, that's fine, but better to be sure about these things.
>
>
> On that machine with the squid proxy and the iptables set up that I spoke
> about during the weekend, I have a mail server running that delivers mail
> via imap and webmail.
> IMAP is working perfectly and webmail is accessible from the LAN, but I
> can't access port 80 from the internet like I could before configuring
> iptables.
>
> My thinking was that because there are connections coming in on port 80
> and I've instructed iptables to forward all connections on port 80 to squid
> at 3028, it is seeing this connection on port 80 as something that needs
> to be forwarded as well.
>
> I had an idea that that could be the cause of my problem but after
> thinking about it, that couldn't be as I can access the server over port
> 80 internally so it must be something I've done wrong somewhere.
>
> My problem is, I cannot adequately read these blasted iptables entries.
> I've tried iptables -L -n and that is definitely more descriptive than -L
> on its own, but I'm still not seeing a reason why connections made from
> the internet are rejected.
>
> Here is the output of iptables.
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> ACCEPT     icmp --  192.168.2.25         0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1214
> DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1214
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023 state NEW LOG flags 0 level 4 prefix `LOW PORT TCP CONNECTION: '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:0:1023 LOG flags 0 level 4 prefix `LOW PORT UDP CONNECTION: '
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:1024:65535 LOG flags 0 level 4 prefix `HIGH PORT UDP CONNECTION: '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:1024:65535 LOG flags 0 level 4 prefix `HIGH PORT UDP CONNECTION:'
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `NEW NOT SYN: '
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `ECHO: '
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:123
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> Can anyone tell me if I'm completely overlooking something?
> Or, better again, is there a better way of understanding these iptables
> rules?
>
> Thanks
>
> Darragh
>
Forward only internal addresses to squid, excluding requests with the server address:

iptables -A PREROUTING -t nat -p tcp -i "$INTERNAL_INTERFACE" ! -d "$SERVER_ADDRESS" --dport 80 -j DNAT --to-destination "$SERVER_ADDRESS:3028"

Something like that.


-- 
Pawel Bogucki
Skype: pbogu_
JabberID: pawel.bogucki at gmail.com
GSM: +353 85 8184879
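A worked version of the rule above, added here as an example and not part of either poster's setup. It puts the DNAT rule from the reply into a small script with a dry-run mode, adds the listing command for the nat table (a plain "iptables -L -n" prints only the filter table, which is why the redirect never appears in the output quoted in the question), and includes a hand evaluation of the rule's three matches so the effect on a LAN client, an internet client and the server's own webmail can be checked without loading the rule. The interface names eth0/eth1 and the addresses are constructed placeholders; the squid port 3028 is the one named in the thread. Set APPLY=1 and run as root to actually execute the iptables commands.

```shell
#!/bin/sh
# Transparent squid redirect for a host that also serves webmail on port 80.
# Added example, not the poster's script. Only prints the iptables commands
# unless APPLY=1 is set; interface names and addresses are placeholders.

INTERNAL_INTERFACE="${INTERNAL_INTERFACE:-eth1}"   # LAN-facing interface (assumed)
SERVER_ADDRESS="${SERVER_ADDRESS:-192.168.2.1}"    # proxy/mail host's LAN address (constructed)
SQUID_PORT="${SQUID_PORT:-3028}"                   # port from the thread

# ipt: echo the command and execute it only when APPLY=1 (dry run by default).
ipt() {
    echo "iptables $*"
    [ "${APPLY:-0}" = "1" ] && iptables "$@"
    return 0
}

# squid_nat_rules: the reply's DNAT rule in current iptables syntax
# ("! -d" rather than "-d !"). Two matches keep traffic out of the redirect:
#   -i INTERNAL_INTERFACE   only packets that arrived on the LAN side, so an
#                           internet client reaching the server is untouched
#   ! -d SERVER_ADDRESS     not packets addressed to the server itself, so LAN
#                           users still reach the webmail on :80 directly
squid_nat_rules() {
    ipt -t nat -A PREROUTING -i "$INTERNAL_INTERFACE" -p tcp \
        ! -d "$SERVER_ADDRESS" --dport 80 \
        -j DNAT --to-destination "$SERVER_ADDRESS:$SQUID_PORT"
}

# show_nat_rules: DNAT lives in the nat table, which "iptables -L -n" does not
# show; list it explicitly, with counters and rule numbers.
show_nat_rules() {
    ipt -t nat -L PREROUTING -n -v --line-numbers
}

# nat_decision IFACE DST DPORT: hand evaluation of the rule's matches for one
# TCP packet. Prints the DNAT target, or "no-nat" when the packet is left alone.
nat_decision() {
    iface=$1; dst=$2; dport=$3
    if [ "$iface" = "$INTERNAL_INTERFACE" ] && [ "$dst" != "$SERVER_ADDRESS" ] \
        && [ "$dport" = "80" ]; then
        echo "DNAT $SERVER_ADDRESS:$SQUID_PORT"
    else
        echo "no-nat"
    fi
}

squid_nat_rules
show_nat_rules
# Internet client hitting the server's public side (arrives on eth0):
nat_decision eth0 203.0.113.7 80          # no-nat (fails the -i match)
# LAN client browsing an outside web site:
nat_decision eth1 198.51.100.10 80        # DNAT 192.168.2.1:3028
# LAN client opening the server's own webmail:
nat_decision eth1 "$SERVER_ADDRESS" 80    # no-nat (fails the ! -d match)
# LAN client on a port other than 80:
nat_decision eth1 198.51.100.10 443       # no-nat
```

The order of checks in nat_decision mirrors how the kernel evaluates the rule: every match on the line must hold before the DNAT target fires, so restricting the input interface alone is enough to keep internet-originated connections to port 80 out of the redirect.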


