So I’m looking to ditch the SuSE firewall for iptables for just a couple of reasons:
- portability - I can take a set of iptables rules and go from SuSE to Fedora to Debian to Slackware
- learning - YaST is nice, but it can get in the way. I want to be able to get my hands dirty and configure servers/services myself.
Let me first start off with the usual: uname and versions:
uname -a
Linux router 2.6.37.6-0.11-desktop #1 SMP PREEMPT 2011-12-19 23:39:38 +0100 i686 i686 i386 GNU/Linux
cat /etc/SuSE-release
openSUSE 11.4 (i586)
VERSION = 11.4
CODENAME = Celadon
iptables -V
iptables v1.4.10
So I have this iptables script that works on Fedora 14 with iptables version 1.4.9 the way I want it. However, moving it over to openSuSE I get nowhere near the same results.
script:
#!/bin/bash
## This is the iptables rules for my network.
## Outline:
##
##                    -----------
##            eth1   |           |   eth0
##  internal <======|  router   |======> internet
##                   |           |
##                    -----------
##
## current host list
## ====================================
## 10.10.10.40   webserver
## 10.10.10.254  router
BIN_DIR=/usr/sbin
##Allow packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
##Delete all of the current rules
$BIN_DIR/iptables -F
$BIN_DIR/iptables -F -t nat
## Blocks all input and forwarding. Accepts all output.
$BIN_DIR/iptables -P INPUT DROP
$BIN_DIR/iptables -P FORWARD DROP
$BIN_DIR/iptables -P OUTPUT ACCEPT
## Accept connections on local interfaces and private networks (eth1)
$BIN_DIR/iptables -A INPUT -i lo -j ACCEPT
$BIN_DIR/iptables -A INPUT -i eth1 -j ACCEPT
## Allow established sessions from the internet.
$BIN_DIR/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
## Open up ports we need from the internet
##SSH
$BIN_DIR/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
##Forward all of the opened ports to their destination
##SSH
$BIN_DIR/iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 10.10.10.40
##Enables NAT and routing.
$BIN_DIR/iptables -A FORWARD -i lo -j ACCEPT
$BIN_DIR/iptables -A FORWARD -i eth1 -j ACCEPT
$BIN_DIR/iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$BIN_DIR/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
So this is supposed to be a simple port forwarding (22, ssh) to another machine, 10.10.10.40. However, this is not the case. If I were to go outside my network and try to connect, I get a connection timeout. As a matter of fact, nmap doesn’t even show the port.
If I were to remove the “-t nat -A PREROUTING…” line, then I can access this machine from the internet.
Machines that are on the inside can access the internet just fine. So I think I’ve narrowed it down to something in this line being incorrect:
##SSH
$BIN_DIR/iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 10.10.10.40
Is there anything that seems off with that line or any of them?
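As an added illustration (not part of the original post), here is a small Python model of the inbound netfilter path that the ruleset above defines: nat/PREROUTING rewrites the destination before the routing decision, so a DNAT'd connection is judged by the FORWARD chain, not INPUT. The router's public address and the sample packet are constructed, and conntrack is reduced to a NEW/ESTABLISHED flag.

```python
"""Model of the inbound netfilter path for the ruleset in the post:
nat/PREROUTING -> routing decision -> filter/INPUT or filter/FORWARD.
Added example, not the poster's code; packets are constructed samples."""

ROUTER_IP = "198.51.100.1"   # assumed public address of eth0 (documentation range)
LAN_HOST = "10.10.10.40"      # the webserver from the post's host list

# A rule is (match, verdict); it matches when every key in match equals the packet's value.
POST_RULESET = {
    "nat_prerouting": [({"proto": "tcp", "dport": 22}, ("DNAT", LAN_HOST))],
    "filter_input": [({"in": "lo"}, "ACCEPT"), ({"in": "eth1"}, "ACCEPT"),
                     ({"in": "eth0", "state": "ESTABLISHED"}, "ACCEPT"),
                     ({"in": "eth0", "proto": "tcp", "dport": 22}, "ACCEPT")],
    "filter_forward": [({"in": "lo"}, "ACCEPT"), ({"in": "eth1"}, "ACCEPT"),
                       ({"in": "eth0", "state": "ESTABLISHED"}, "ACCEPT")],
    "policy": {"filter_input": "DROP", "filter_forward": "DROP"},
}

def first_match(rules, pkt):
    """First-match semantics of an iptables chain; None means fall through to the policy."""
    for match, verdict in rules:
        if all(pkt.get(k) == v for k, v in match.items()):
            return verdict
    return None

def traverse(ruleset, pkt):
    """Return (verdict, deciding_chain) for one inbound packet."""
    pkt = dict(pkt)
    nat = first_match(ruleset["nat_prerouting"], pkt)
    if nat and nat[0] == "DNAT":
        pkt["dst"] = nat[1]          # DNAT rewrites the destination *before* routing
    # Routing decision: a packet for the router itself goes to INPUT, anything else to FORWARD.
    chain = "filter_input" if pkt["dst"] == ROUTER_IP else "filter_forward"
    verdict = first_match(ruleset[chain], pkt) or ruleset["policy"][chain]
    return verdict, chain

# A fresh SSH connection attempt arriving from the internet on eth0 (constructed sample).
SYN_FROM_INTERNET = {"in": "eth0", "proto": "tcp", "dport": 22,
                     "dst": ROUTER_IP, "state": "NEW"}

def with_forward_rule(ruleset):
    """Copy of the ruleset plus a FORWARD accept scoped to the single DNAT'd service."""
    fixed = {k: (list(v) if isinstance(v, list) else v) for k, v in ruleset.items()}
    fixed["filter_forward"].append(
        ({"in": "eth0", "dst": LAN_HOST, "proto": "tcp", "dport": 22}, "ACCEPT"))
    return fixed

if __name__ == "__main__":
    print(traverse(POST_RULESET, SYN_FROM_INTERNET))                     # ('DROP', 'filter_forward')
    print(traverse(with_forward_rule(POST_RULESET), SYN_FROM_INTERNET))  # ('ACCEPT', 'filter_forward')
```

Dropping the nat rule from the model sends the same packet to INPUT, where the `--dport 22` accept matches, which mirrors the observation that the router becomes reachable once the PREROUTING line is removed.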