BigSmoke » iptables

Making a service available on more ports with iptables

halfgaar — Thu, 23 Dec 2010 14:27:10 +0000

If you need services to be availble on multiple ports, you can use:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1000 -j REDIRECT --to-port 25  --match comment --comment "Explain."

This makes port 1000 and 25 the same service.

Making a port forwarded machine available from within the LAN

halfgaar — Fri, 23 Jul 2010 11:33:08 +0000

When you forward a port to an internal machine on the network, you still can’t access that host using your WAN-IP from within the LAN. This article explains it well. In short, it’s because the reply the machine your connecting to makes, goes to the LAN IP directly, and not back through the router.

To fix it, we need to add a SNAT rule for that port forward as well. In the example that we want to forward port 80 to 10.50.0.4 on our 10.50.0.0/16 LAN and 10.50.0.1 is our router, these two rules are necessary:

iptables -t nat -A PREROUTING -d WANIP -p tcp --dport 80 -m comment --comment "Forward www to 10.50.0.4." -j DNAT --to-destination LANIP
iptables -t nat -A POSTROUTING -p tcp --source 10.50.0.0/16 --dest 10.50.0.4 --dport 80 -j SNAT --to-source 10.50.0.1 --match comment --comment "Allow our LAN to access port 80 from the WAN side as well."

Normally when forwarding, I would not use -d WANIP, but –in-interface eth0, but that won’t work here, because the LAN requests are not on eth0.

Also, the –source in the second rule is not strictly necessery, but if you don’t specify this rule, it will also match incoming requests for the internet, which is ugly, especially if you have logging rules.

Saving and loading iptables rules on Debian

halfgaar — Wed, 03 Feb 2010 12:36:53 +0000

For some reason, Debian can’t do “/etc/init.d/iptables save”. So, we have to fix something ourselves. I used this article as source, which also has some useful comments. Apparently, the iptables initscript used to exist…

To save, type:

iptables-save > /etc/iptables.rules

Make /etc/network/if-pre-up.d/iptables:

#!/bin/sh
iptables-restore < /etc/iptables.rules

Don’t forget to make it executable:

chmod +x /etc/network/if-pre-up.d/iptables

Convenient iptables rules

halfgaar — Mon, 04 Jan 2010 10:16:56 +0000

Here are some convenient iptables rules.

This first list is for not allowing anything in, accept packets that come back from outgoing connections, complicated related traffic like FTP, everything from the localhost, ICMP (ping and stuff) and SSH. It also sets the default policy to DROP. This you would use on a machine connected directly to the internet.

iptables -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT --match comment --comment "Accept traffic from outgoing connections and stuff like FTP."
iptables -A INPUT -p icmp -j ACCEPT --match comment --comment "Allow ICMP"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT --match comment --comment "Allow SSH"
iptables -A INPUT --in-interface lo -j ACCEPT --match comment --comment "Allow everything on the localhost"
iptables -P INPUT DROP

Here are some rules to allow certain MAC addresses to access everything. Simplifies things on a LAN (even though it’s not attacker-proof, it keeps unwanted people out of my SMB and stuff):

iptables -A INPUT --match mac --mac-source xx:xx:xx:xx:xx:xx --match comment --comment "Allow everything from [computer]" -j ACCEPT

Besides computers you want to grant full access to a machine, don’t forget to include the MACs of the router and the machine’s own ethernet interface.

When the machine acts as a masquerading SNAT server, use this to forward ports to LAN hosts (be sure to have the –to after the -j):

iptables -t nat -A PREROUTING --in-interface eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.1:22 --match comment --comment "forwards incoming port 80 to port 22 on 10.0.0.1"

To allow everything for a samba server:

iptables -A INPUT -p tcp --dport 139 -m comment --comment "Allow Netbios-ssn" -j ACCEPT 
iptables -A INPUT -p tcp --dport 445 -m comment --comment "Allow microsoft-ds" -j ACCEPT 
iptables -A INPUT -p udp --dport 137 -m comment --comment "Allow netbios-ns" -j ACCEPT 
iptables -A INPUT -p udp --dport 138 -m comment --comment "Allow netbios-dgm" -j ACCEPT

Iptables rule to block access to our IMAP server

halfgaar — Mon, 21 Dec 2009 13:53:03 +0000

When migrating to Zimbra, I don’t want people to fiddle with their mail when I’m doing it, so I disable IMAP access from anything but the virtual machine instance in which Zimbra is running. I do that with this:

iptables -A INPUT ! -s 192.168.1.106 -p tcp --dport 143 -j REJECT