Why won't this IPTables script work correctly

On 16.08.2007 22:15:15 by martin.fowler

This script is supposed to:

1.) Allow for complete access from internal -> external on ip1
2.) Allow for VPN connections from external on ip1 -> internal server mango
3.) Allow for www and remote desktop from external on ip2 -> internal server limon
4.) Allow for pop ssl smtp from external on ip1 -> internal server banana
5.) Allow pings on both ip1 and ip2

Currently working: 1, 2, and 4

Not working: 3 and 5

I have my network interface script set up as such:

eth0 static with ip1
eth0:1 static with ip2
eth2 internal interface static ip as well


Any IPTables experts out there that can tell me what's wrong with this
script? I cannot for the life of me figure it out. Thanks a bunch!

#!/bin/sh

#modprobe iptables_nat

modprobe ip_conntrack
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp

echo 1 > /proc/sys/net/ipv4/ip_forward

IPT="iptables -v"
$IPT --flush
$IPT -t nat --flush
$IPT -X
$IPT -t nat -X

IP1="66.xxx.xxx.xxx"
IP2="66.yyy.yyy.yyy"

MANGO="192.168.1.200"
LIMON="192.168.1.201"
BANANA="192.168.1.202"

$IPT -t nat -A PREROUTING -p tcp -d $IP2 -i eth0 -m multiport --dport 80,3389 -j DNAT --to-destination $LIMON
$IPT -t nat -A POSTROUTING -p tcp -o eth2 -s $LIMON -m multiport --sport 80,3389 -j SNAT --to-source $IP2
$IPT -A FORWARD -p tcp -m multiport -d $IP2 -o eth2 --dport 80,3389 -j ACCEPT

$IPT -t nat -A PREROUTING -p tcp -d $IP1 -i eth0 -m multiport --dport 25,110,443 -j DNAT --to-destination $BANANA
$IPT -t nat -A POSTROUTING -p tcp -o eth2 -s $BANANA -m multiport --sport 25,110,443 -j SNAT --to-source $IP1
$IPT -A FORWARD -p tcp -m multiport -d $IP1 -o eth2 --dport 25,110,443 -j ACCEPT

# VPN CONNECTIONS
$IPT -A INPUT -p tcp --dport 47 -j ACCEPT
$IPT -A FORWARD -p tcp -d $IP1 -o eth2 --dport 47 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -d $IP1 -i eth0 -m multiport --dport 47,1723 -j DNAT --to-destination $MANGO
$IPT -t nat -A POSTROUTING -p tcp -o eth2 -s $MANGO -m multiport --sport 47,1723 -j SNAT --to-source $IP1
$IPT -A FORWARD -p tcp -d $MANGO --dport 1723 -i eth0 -o eth2 -j ACCEPT


$IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source $IP1
$IPT -A FORWARD -s 192.168.1.0/24 -i eth2 -o eth0 -j ACCEPT
$IPT -A FORWARD -d 192.168.1.0/24 -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -p icmp -i eth0 -d $IP1 --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp -i eth0 -d $IP1 --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp -i eth0 -d $IP1 --icmp-type 11 -j ACCEPT

$IPT -A OUTPUT -p icmp -o eth0 -s $IP1 -d 0/0 --icmp-type 0 -j ACCEPT
$IPT -A OUTPUT -p icmp -o eth0 -s $IP1 -d 0/0 --icmp-type 3 -j ACCEPT
$IPT -A OUTPUT -p icmp -o eth0 -s $IP1 -d 0/0 --icmp-type 11 -j ACCEPT

$IPT -A INPUT -p tcp -m multiport --dport ! 22 -d $IP2 -j LOG --log-prefix "[IN][dst]: " --log-level 4
$IPT -A INPUT -d $IP2 -j LOG
$IPT -A INPUT -j ACCEPT
$IPT -A OUTPUT -j ACCEPT
$IPT -A FORWARD -p tcp -m multiport --dport ! 22 -d $IP2 -j LOG --log-prefix "[FORWARD][dst]: " --log-level 4
$IPT -A FORWARD -j ACCEPT

Re: Why won't this IPTables script work correctly

On 22.08.2007 00:16:32 by Ansgar -59cobalt- Wiechers

martin.fowler@gmail.com wrote:
> 1.) Allow for complete access from internal -> external on ip1
> 2.) Allow for VPN connections from external on ip1 -> internal server
> mango
> 3.) Allow for www and remote desktop from external on ip2 -> internal
> server limon
> 4.) Allow for pop ssl smtp from external on ip1 -> internal server
> banana
> 5.) Allow pings on both ip1 and ip2
>
> Currently working
> 1,2, and 4
>
> Not working 3, and 5
[...]
> $IPT -t nat -A PREROUTING -p tcp -d $IP2 -i eth0 -m multiport
> --dport 80,3389 -j DNAT --to-destination $LIMON
> $IPT -t nat -A POSTROUTING -p tcp -o eth2 -s $LIMON -m multiport
> --sport 80,3389 -j SNAT --to-source $IP2

You want to SNAT outgoing traffic to your external address $IP2, so the
second rule should be "-o eth0" AFAICS.

> $IPT -A FORWARD -p tcp -m multiport -d $IP2 -o eth2 --dport 80,3389
> -j ACCEPT

The packets entering the FORWARD chain are already DNATed, so they no
longer have the destination address $IP2, but $LIMON.

[...]
> $IPT -A INPUT -p icmp -i eth0 -d $IP1 --icmp-type 0 -j ACCEPT
> $IPT -A INPUT -p icmp -i eth0 -d $IP1 --icmp-type 3 -j ACCEPT
> $IPT -A INPUT -p icmp -i eth0 -d $IP1 --icmp-type 11 -j ACCEPT
>
> $IPT -A OUTPUT -p icmp -o eth0 -s $IP1 -d 0/0 --icmp-type 0 -j ACCEPT
> $IPT -A OUTPUT -p icmp -o eth0 -s $IP1 -d 0/0 --icmp-type 3 -j ACCEPT
> $IPT -A OUTPUT -p icmp -o eth0 -s $IP1 -d 0/0 --icmp-type 11 -j ACCEPT

Well, ping won't work too well without allowing echo requests, will it?
You need to allow ICMP type 8 packets here, too. In addition to that I'd
also allow types 4 and 12 (source quench and parameter problem).

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
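Editor's added example (not code from either post): the rules for items 3 and 5 rewritten with the two fixes from the reply, plus a closed tail for the INPUT and FORWARD chains. It assumes the addresses, host names and interface names from the thread (IP1, IP2, LIMON, eth0, eth2) and is a drop-in replacement for the limon block, the ICMP block and the trailing catch-all ACCEPT rules of the posted script; the other rules (banana, mango, the general SNAT for 192.168.1.0/24) sit between them as before. It runs as a dry run unless IPT is overridden, so it can be read and checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the original thread. Dry run by default: IPT is
# "echo iptables" unless overridden, so the functions print the commands they
# would run. Apply for real with:  IPT=iptables sh fixed-rules.sh  (as root).
IPT="${IPT:-echo iptables}"

# Placeholder addresses and interface names as used in the thread (assumed).
IP1="66.xxx.xxx.xxx"
IP2="66.yyy.yyy.yyy"
LIMON="192.168.1.201"
EXT="eth0"   # external interface; the eth0:1 alias carrying IP2 is still eth0 to netfilter
INT="eth2"   # internal interface

# Item 3: DNAT runs in nat/PREROUTING, before the routing decision, so when the
# packet reaches filter/FORWARD its destination is already $LIMON. A FORWARD
# rule matching "-d $IP2" can therefore never see it.
limon_rules() {
    $IPT -t nat -A PREROUTING -i "$EXT" -p tcp -d "$IP2" \
        -m multiport --dports 80,3389 -j DNAT --to-destination "$LIMON"
    $IPT -A FORWARD -i "$EXT" -o "$INT" -p tcp -d "$LIMON" \
        -m multiport --dports 80,3389 -j ACCEPT
    # Replies of a DNATed connection are reverse-translated by conntrack with no
    # rule at all. This SNAT only affects connections that limon itself opens to
    # the outside: it must match the external interface (-o eth0, as the reply
    # says) and must precede the general 192.168.1.0/24 SNAT, otherwise limon's
    # own traffic leaves as $IP1 instead of $IP2.
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LIMON" -j SNAT --to-source "$IP2"
}

# Item 5: a ping is an echo request (type 8) in and an echo reply (type 0) out.
# The posted script accepts only types 0, 3 and 11 inbound, so requests never
# get in. Accept type 8 plus the error types a router should honour (3, 4, 11,
# 12), for both public addresses. OUTPUT is left open as in the original.
icmp_rules() {
    for ip in "$IP1" "$IP2"; do
        for type in 0 3 4 8 11 12; do
            $IPT -A INPUT -i "$EXT" -p icmp -d "$ip" --icmp-type "$type" -j ACCEPT
        done
    done
}

# The posted script ends INPUT and FORWARD with "-j ACCEPT", so anything not
# matched earlier is accepted anyway and the specific ACCEPT rules restrict
# nothing. End both chains with a stateful allow for reply traffic, a log line,
# and DROP, so that only what is explicitly permitted gets through.
tail_rules() {
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A "$chain" -j LOG --log-prefix "[$chain][drop]: " --log-level 4
        $IPT -A "$chain" -j DROP
    done
}

load_rules() {
    limon_rules
    icmp_rules
    tail_rules
}

load_rules
```

With the DROP tail in place, the order of the remaining rules matters: the item-1 rules and the banana/mango blocks must come before tail_rules, and the limon SNAT must be appended before the general SNAT for 192.168.1.0/24. One more thing visible in the posted script but outside items 3 and 5: the PPTP rules match `-p tcp --dport 47`. GRE is IP protocol 47, not a TCP port, so the PPTP data channel needs `-p gre` (or `-p 47`) rather than a TCP port match.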