Hi all,
I have ClearOS installed as a gateway/router for a customer LAN setup.
I've been doing Port Forwarding for a couple of printers connected to the LAN exploiting local ports 9100 or 80/443 for printing and managing purposes.
Here's my IPTABLES -nvL FORWARD rules, all set by the web interface of ClearOS.
[root@ism ~]# iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.60 tcp dpt:443
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.60 tcp dpt:9100
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.128 tcp dpt:80
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.128 tcp dpt:9100
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.250 tcp dpt:59005
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.72 tcp dpt:5900
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.11 tcp dpt:8080
466 246K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 204 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
I just want to add a rule so that the communication to the internal IPs of the printers can be established only from a specific public external IP (say 100.100.100.100).
I've tried to add a simple rule with the incoming firewall which is:
iptables -t filter -I FORWARD -s [PUBLIC LAN IP] -d 10.3.0.60 -p tcp --dport 33333 -j ACCEPT 100.100.100.100
The rule gets accepted by the web interface but nothing works and the rule doesn't even appear in #iptables -nvL FORWARD
I just want the port forwards to appear as:
0 0 ACCEPT tcp -- * eth1 100.100.100.100 10.3.0.60 tcp dpt:443
0 0 ACCEPT tcp -- * eth1 100.100.100.100 10.3.0.60 tcp dpt:9100
0 0 ACCEPT tcp -- * eth1 100.100.100.100 10.3.0.128 tcp dpt:80
0 0 ACCEPT tcp -- * eth1 100.100.100.100 10.3.0.128 tcp dpt:9100
Any ideas or suggestions? Thank you in advance for your kind help.
Cercamon
Responses (12)
Accepted Answer
The firewall has three main tables: filter, nat and mangle. filter is the default and does not need to be specified in any command; the other two do. I could cheat and edit my posts with the correct command, but remember I said try them at the command line first and only apply them if there aren't errors. You've clearly overlooked that bit, as the PREROUTING chain is part of the nat table, so any command on the PREROUTING chain needs "-t nat" adding to it, including your listing.
Note that you've been lucky. Getting a custom firewall command wrong **can** put the firewall into a restart loop which is hard to break. Always test Custom Firewall rules first.
The rules needed are the same in 6 and 7 except for the iptables/$IPTABLES issue.
Accepted Answer
Yes, that version has been there for more than 5 years - not a single issue. It always worked fine, port forwarding included.
Do you think that there's a way to make it work with 6.x version? Upgrading to 7.X would be possible but not an easy/fast thing to do.
The custom firewall rules are getting accepted with "iptables" (not $IPTABLES) but maybe they're wrong somehow.
After inserting PREROUTING rules, I can't see them with
#iptables -nvL PREROUTING
I'm only asking to let port forwarding work from a single IP or public network instead of the entire Internet (i.e. 100.100.100.100 or 100.100.100.0/24).
Accepted Answer
Crumbs. You are still on 6.x! That has not been updated for 2 1/2 years. Please use 7.x and $IPTABLES (which, as you note, does not work in 6.x).
Accepted Answer
If I use "$IPTABLES" instead of "iptables" (no quotes) the Custom Firewall produces an error ("Command not permitted").
After confirming the custom commands with "iptables" they get accepted and they show up in my iptables -nvL FORWARD list
My ClearOS Community version is:
Version ClearOS Community release 6.10.0 (Final)
Kernel Version 2.6.32-754.6.3.v6.x86_64
Accepted Answer
Not quite:
iptables -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.60 -p tcp --dport 9100 -j ACCEPT
iptables -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.128 -p tcp --dport 9100 -j ACCEPT
iptables -I PREROUTING -d my_WAN_IP -p tcp --dport 59100 -j DNAT --to-destination 10.3.0.60:9100
iptables -I PREROUTING -d my_WAN_IP -p tcp --dport 59101 -j DNAT --to-destination 10.3.0.128:9100
Otherwise it won't switch ports.
Accepted Answer
Thank you.
Let me check if I get this. Will these rules work for what I intend to do?
iptables -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.60 -p tcp --dport 9100 -j ACCEPT
iptables -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.128 -p tcp --dport 9100 -j ACCEPT
iptables -I PREROUTING -d my_WAN_IP -p tcp --dport 59100 -j DNAT --to-destination 10.3.0.60
iptables -I PREROUTING -d my_WAN_IP -p tcp --dport 59101 -j DNAT --to-destination 10.3.0.128
And I'll delete/disable all the rules set from the ClearOS web interface.
This way traffic directed to my_WAN_IP on the ports 59100 and 59101 will only be accepted if it comes from 100.100.100.100 and will be redirected to port 9100 of 10.3.0.60 and 10.3.0.128 respectively. Will this work as I need it to?
Accepted Answer
No. The last rules have a "!" in them which means "not". You can't do a port forward from a single WAN IP simply through the webconfig. You have to use one of the two methods outlined. If you do it all through custom rules, you will need extra lines as you are also port switching, and the --to-destination will become something like --to-destination=10.3.0.128 and the "-m multiport --dports 80,9100" gets simplified to "--dport 39133" etc.
Accepted Answer
I am sorry, but from what I understand after reading your messages, I did not explain what my real aim is.
I've got port forwarding configured as in the picture of my last post. That was configured from the ClearOS web interface and it works pretty fine as it is. External ports on the WAN-IP from 39130 to 39133 are forwarded to 10.3.0.60:443 and 9100 ports and 10.3.0.128:80 and 9100. It all works as expected.
Now I just want to allow this forwarding chain from a single public IP address instead of the entire Internet (0.0.0.0/0). Your last message seems to go in the opposite direction, i.e. blocking a single IP address by dropping every TCP packet coming from it and that's not my case.
Of course, I'd be glad to get rid of the rules created by ClearOS and only use custom rules, but I'm not sure I have understood how to do that. I'd like to continue using WAN-IP ports but the only authorized IP must be the one of a remote server that I control. I think I am very close to the solution, but I'm not sure exactly what the remaining steps are.
Thank you very much for your help.
Accepted Answer
You have not listened about the port 9100.
If you want to use ClearOS port forwarding, then you will want to insert DROP rules to block the unwanted IPs. If you only want 1 IP it is easy:
$IPTABLES -I FORWARD -i eth1 ! -s 100.100.100.100 -p tcp -d 10.3.0.60 -m multiport --dports 443,9100 -j DROP
$IPTABLES -I FORWARD -i eth1 ! -s 100.100.100.100 -p tcp -d 10.3.0.128 -m multiport --dports 80,9100 -j DROP
If you have multiple external IPs you have a bigger issue. You will need multiple ACCEPT rules and a single DROP rule for everything above it (so it appears last in the iptables listing).
If you want one external IP to forward to one device and another to the other, they can both use port 9100, but only if you use my original custom rules and not ClearOS port forwarding.
Accepted Answer
Thank you for your message and hints.
So far the rules in the first iptables result have worked well. But the source was of course 0.0.0.0/0 and that is "dangerous" because anyone, even randomly can reach those external ports on the WAN IP and cause problems to the printers.
So I just want to integrate the existent configuration, which works pretty well, with the limit of the source IP, the only one authorized to connect to those port forwarding.
Thanks.
David
Accepted Answer
A port forward is made up of two rules: a FORWARD rule and, in the nat table, a PREROUTING rule. There is a third rule which is not entirely necessary. Try something like:
$IPTABLES -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.60 -p tcp -m multiport --dports 443,9100 -j ACCEPT
$IPTABLES -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.128 -p tcp -m multiport --dports 80,9100 -j ACCEPT
$IPTABLES -I PREROUTING -d your_WAN_IP -p tcp -m multiport --dports 443,9100 -j DNAT --to-destination 10.3.0.60
$IPTABLES -I PREROUTING -d your_WAN_IP -p tcp -m multiport --dports 80,9100 -j DNAT --to-destination 10.3.0.128
I think --to-destination can be shortened to "--to". You need to test the rules at the command line first by using "iptables" instead of "$IPTABLES". If you get an error then the command is slightly wrong.
There is, however, a fatal flaw in what you are doing. You can't forward the same port (9100) to more than one IP. You can use a different WAN port and switch the port in the PREROUTING rule back to 9100, but you would need to split the PREROUTING rule into two separate rules (drop the "-m multiport" and change --dports to --dport).
If you want to use the WAN IP from your LAN, you need a third rule.
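The two approaches the thread settles on (DROP rules in front of the ClearOS-generated forwards, or custom ACCEPT + DNAT pairs with distinct WAN ports mapped back to 9100) are brought together below in an added example; it is not code from the thread or from ClearOS. It renders the rules as text so they can be reviewed, tried at a root shell with "iptables", and only then pasted into Custom Firewall with "$IPTABLES" (set IPT='$IPTABLES' to render that form). It also carries the accepted answer's point about "-t nat": PREROUTING exists only in the nat table, so a DNAT line without "-t nat" fails because the filter table has no such chain. The allowed source and printer addresses are the thread's placeholders; the WAN address 203.0.113.10 is assumed. The FORWARD listing in the question matches the forwards on out-interface eth1, so eth1 is taken to be the LAN side here and the rules use "-o eth1"; adjust if your interfaces differ.

```shell
#!/bin/sh
# Added example (not from the thread or ClearOS): render source-restricted
# port-forward rules for review before they are applied.
# Assumptions: WAN_IP is a documentation address; eth1 is the LAN side
# (the question's FORWARD listing shows the forwards leaving via eth1).

IPT="${IPT:-iptables}"            # set IPT='$IPTABLES' for Custom Firewall lines
WAN_IP="${WAN_IP:-203.0.113.10}"  # assumption: the gateway's public address
LAN_IF="${LAN_IF:-eth1}"

# Method 1: keep the ClearOS-generated forwards and insert (-I, so it lands
# above them) a DROP for every source other than the allowed one.
# One WAN port per service, as the webconfig created them.
# Usage: restrict_forward ALLOWED_SRC DST_IP PORT[,PORT...]
restrict_forward() {
    printf '%s -I FORWARD -o %s ! -s %s -d %s -p tcp -m multiport --dports %s -j DROP\n' \
        "$IPT" "$LAN_IF" "$1" "$2" "$3"
}

# Method 2: custom forward. Two rules: a source-restricted ACCEPT in
# filter/FORWARD and a DNAT in nat/PREROUTING. The DNAT line must carry
# "-t nat"; the filter table has no PREROUTING chain, so without it the
# command fails. "--to-destination IP:PORT" rewrites the destination port,
# which is what lets two different WAN ports both land on 9100 of two
# printers. The DNAT is also restricted by source so unwanted clients are
# never translated at all.
# Usage: custom_forward ALLOWED_SRC WAN_PORT DST_IP DST_PORT
custom_forward() {
    printf '%s -I FORWARD -o %s -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
        "$IPT" "$LAN_IF" "$1" "$3" "$4"
    printf '%s -t nat -I PREROUTING -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$IPT" "$1" "$WAN_IP" "$2" "$3" "$4"
}

# Pre-paste check for the mistake made in the thread: a PREROUTING or
# POSTROUTING rule without "-t nat". Returns 0 (true) when the line has it.
missing_nat_table() {
    case "$1" in
        *"-t nat"*)                 return 1 ;;
        *PREROUTING*|*POSTROUTING*) return 0 ;;
        *)                          return 1 ;;
    esac
}

# Complete rule set for one allowed source and the thread's two printers.
render_all() {
    echo "# method 1: restrict the existing ClearOS forwards to one source"
    restrict_forward 100.100.100.100 10.3.0.60  443,9100
    restrict_forward 100.100.100.100 10.3.0.128 80,9100
    echo "# method 2: custom forwards, distinct WAN ports mapped back to 9100"
    custom_forward 100.100.100.100 59100 10.3.0.60  9100
    custom_forward 100.100.100.100 59101 10.3.0.128 9100
}

render_all
```

Pick one method, not both: method 1 assumes the ClearOS forwards stay in place, method 2 assumes they are removed. Run the script, read the output, try each line as root with "iptables", and only lines that produce no error go into Custom Firewall.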