This script is supposed to:
1.) Allow for complete access from internal -> external on ip1 2.) Allow for VPN connections from external on ip1 -> internal server mango 3.) Allow for www and remote desktop from external on ip2 -> internal server limon 4.) Allow for pop ssl smtp from external on ip1 -> internal server banana 5.) Allow pings on both ip1 and ip2Currently working
1,2, and 4Not working 3, and 5
I have my network interface script setup as such
eth0 static with ip1 eth0:1 static with ip2 eth2 internal interface static ip as well
Any IPTables experts out there that can tell me whats wrong with this script? I cannot for the life of me figure it out. Thanks a bunch!
#!/bin/sh
#modprobe iptables_nat
modprobe ip_conntrack modprobe ip_conntrack_pptp modprobe ip_nat_pptp
echo 1 > /proc/sys/net/ipv4/ip_forward
IPT="iptables -v" $IPT --flush $IPT -t nat --flush $IPT -X $IPT -t nat -X
IP1="66.xxx.xxx.xxx" IP2="66.yyy.yyy.yyy"
MANGO="192.168.1.200" LIMON="192.168.1.201" BANANA="192.168.1.202"
$IPT -t nat -A PREROUTING -p tcp -d $IP2 -i eth0 -m multiport --dport
80,3389 -j DNAT --to-destination $LIMON $IPT -t nat -A POSTROUTING -p tcp -o eth2 -s $LIMON -m multiport -- sport 80,3389 -j SNAT --to-source $IP2 $IPT -A FORWARD -p tcp -m multiport -d $IP2 -o eth2 --dport 80,3389 -j ACCEPT$IPT -t nat -A PREROUTING -p tcp -d $IP1 -i eth0 -m multiport --dport
25,110,443 -j DNAT --to-destination $BANANA $IPT -t nat -A POSTROUTING -p tcp -o eth2 -s $BANANA -m multiport -- sport 25,110,443 -j SNAT --to-source $IP1 $IPT -A FORWARD -p tcp -m multiport -d $IP1 -o eth2 --dport 25,110,443-j ACCEPT
# VPN CONNECTIONS $IPT -A INPUT -p tcp --dport 47 -j ACCEPT $IPT -A FORWARD -p tcp -d $IP1 -o eth2 --dport 47 -j ACCEPT $IPT -t nat -A PREROUTING -p tcp -d $IP1 -i eth0 -m multiport --dport
47,1723 -j DNAT --to-destination $MANGO $IPT -t nat -A POSTROUTING -p tcp -o eth2 -s $MANGO -m multiport -- sport 47,1723 -j SNAT --to-source $IP1 $IPT -A FORWARD -p tcp -d $MANGO --dport 1723 -i eth0 -o eth2 -j ACCEPT$IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to- source $IP1 $IPT -A FORWARD -s 192.168.1.0/24 -i eth2 -o eth0 -j ACCEPT $IPT -A FORWARD -d 192.168.1.0/24 -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp -i eth0 -d $IP1 --icmp-type 0 -j ACCEPT $IPT -A INPUT -p icmp -i eth0 -d $IP1 --icmp-type 3 -j ACCEPT $IPT -A INPUT -p icmp -i eth0 -d $IP1 --icmp-type 11 -j ACCEPT
$IPT -A OUTPUT -p icmp -o eth0 -s $IP1 -d 0/0 --icmp-type 0 -j ACCEPT $IPT -A OUTPUT -p icmp -o eth0 -s $IP1 -d 0/0 --icmp-type 3 -j ACCEPT $IPT -A OUTPUT -p icmp -o eth0 -s $IP1 -d 0/0 --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --dport ! 22 -d $IP2 -j LOG --log- prefix "[IN][dst]: " --log-level 4 $IPT -A INPUT -d $IP2 -j LOG $IPT -A INPUT -j ACCEPT $IPT -A OUTPUT -j ACCEPT $IPT -A FORWARD -p tcp -m multiport --dport ! 22 -d $IP2 -j LOG --log- prefix "[FORWARD][dst]: " --log-level 4 $IPT -A FORWARD -j ACCEPT