Please send again "iptables-save"
Thanks.

I meant after you've made changes.

Thanks

Attached Files

ipt1.txt (4.9 KB, 12 views)

Ok, lets do some changes. Only for test purpose.
Do a copy of your script. Erase everything, and make new script with only:
Please note WITHOUT "-m tcp" - I don't know where did it come from.


:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
-A PREROUTING -d 190.xxx.xxx.x89/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22:80
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT

When you apply that script, nothing should work except for transit traffic.
Next do "iptables --zero" - it will zero counter.
Make sure with "iptables-save" that you have only rules you need.
Do echo "1" > /proc/sys/net/ipv4/ip_forward.
Check that counters is zero (all of them).

Then ask some one to do from outside: "telnet <server IP> 80"
We don't care if server will refuse telnet, we need to find out if it comes in.

Try.

1 members found this post helpful.

After someone finishes telnet'ing, check counters.

1 members found this post helpful.

Ok, done.

Telneting, from a Windows client connected through wifi from a ISP that's NOT same which provides Internet to server on testing.
Result: "Could not open connection to the host, on port 80: Connect failed", it same in 2 intents.

I attach 3 files.

zero.txt, (iptables-save) After run script and echo 1 forward and before iptables --zero

zero1.txt, (iptables-save -c) After iptables --zero and before telneting

zero2.txt, (iptables-save -c) After telneting.

Thanks very much

Attached Files

	zero.txt (699 Bytes, 16 views)
	zero1.txt (723 Bytes, 10 views)
	zero2.txt (743 Bytes, 40 views)

No, you have done wrong.

There is no:

-A PREROUTING -d 190.xxx.xxx.x89/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22:80

in your iptables-save files.

I have asked you, check properly.
Second, counter have not been cleared, try to do: "iptables -Z"


Thanks

1 members found this post helpful.

Now I cannot telneting, close to me nobody can do it at this hour... But as before it has not connected, I'll pass that and I'll send you all the rest...

The command "iptables -Z > file.txt" don't write nothing... and I saw "iptables-save -c" as the right command for counters.... Also "iptables-save -Z > file.txt" warn "- Z no options... " ... Any idea?

I'm waiting for files, they are interesting.

You just need to do telnet and nothing else, and after that send here output of "iptables-save". Counters will be zeroed after reboot, or all modules will be unloaded.
Forget about it. Do telnet and send file.


Thanks

P.S. telnet should not work, we use it for test purpose.

1 members found this post helpful.

Hi nimnull22,
I attach 2 files.

zero.txt, (iptables-save) After run script and echo 1 forward and iptables --zero

zero1.txt, (iptables-save) After telneting.

Again thanks

PS: I'm confused because I see that both zeros txt again it not shows nothing about -A PREROUTING -d 190.xxx.xxx.x89/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22:80
Now I send fire.txt that contains firewall script so you check... In the file sended you the sentence of script "-d 190.xxx.xxx.xx9/32" has been changed for privacy reasons... but in real script it's right IP...

Attached Files

	zero.txt (703 Bytes, 35 views)
	zero1.txt (716 Bytes, 18 views)
	fire.txt (580 Bytes, 22 views)

Yes, because PREROUTING goes to table NAT, sentence should start with:

IPTABLES -t nat -A PREROUTING -d 190.xxx.xxx.x89/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22:80

Look at your first script.

Thanks

P.S.

Add as well default policies:
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

1 members found this post helpful.

Of course!!

Add as well default policies:

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

1 members found this post helpful.

zero.txt, (iptables-save) After run script and echo 1 forward and iptables --zero

zero1.txt, (iptables-save) After telneting.

Thanks

Attached Files

	zero.txt (802 Bytes, 11 views)
	zero1.txt (820 Bytes, 10 views)

So, what about telnet?

Did it connect?

"Could not open connection to the host, on port 80: Connect failed"