I have three computers, linked like this:

box1 (ubuntu)         box2, router & gateway (debian)         box3 (opensuse)
[10.0.1.1]   ----   [10.0.1.18, 10.0.2.18, 10.0.3.18]   ----   [10.0.3.15]
                                    |
                                box4, www
                               [10.0.2.1]
Among other things I want box2 to do NAT and port forwarding, so that I can do

ssh -p 2223 box2

to reach box3. For this I have the following iptables script:
#!/bin/bash
# Flush the filter chains and the nat chains.
# (-F only empties the chains; the -P lines below set the policies.)
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT

# Default: drop everything that no rule below accepts.
default_action=DROP
for chain in INPUT OUTPUT; do
    iptables -P $chain $default_action
done
iptables -P FORWARD DROP

# Allow ssh to box2 itself, only from these two hosts.
allowed_ssh_clients="10.0.1.1 10.0.3.15"
for ip in $allowed_ssh_clients; do
    iptables -A OUTPUT -p tcp --sport 22 -d $ip -j ACCEPT
    iptables -A INPUT  -p tcp --dport 22 -s $ip -j ACCEPT
done

# Allow box2's own DNS lookups (queries out, answers back).
iptables -A OUTPUT -p udp --dport 53 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

# Allow box2's own HTTP & HTTPS traffic.
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT  -p tcp -m multiport --sports 80,443 -j ACCEPT

#
# ROUTING
#
# Enable IP forwarding in the kernel.
echo 1 >/proc/sys/net/ipv4/ip_forward

# NAT: masquerade everything that leaves through eth0.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Forward HTTP in both directions.
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -j ACCEPT

# ssh redirect: box2:2223 (arriving on eth1) -> box3:22
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2223 -j DNAT \
    --to-destination 10.0.3.15:22
iptables -A FORWARD -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
# The next two rules together accept nearly all forwarded TCP (any packet
# with an unprivileged source or destination port). Only TCP is forwarded;
# UDP from box1 or box3 that has to cross box2 (DNS on port 53, for one)
# falls through to the DROP policy.
iptables -A FORWARD -p tcp --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -p tcp --dport 1024:65535 -j ACCEPT

# Log what falls through to the DROP policy. This has to be appended (-A)
# as the last rule: inserted at the top (-I) it logs every forwarded packet,
# accepted or not, despite the "denied" prefix.
iptables -A FORWARD -j LOG --log-prefix "iptables denied: "
While this works, it takes about 10 seconds to get a password prompt from my ssh command. Afterwards, the connection is as responsive as could be. If I change the default policy for my FORWARD chain to "ACCEPT", then the password prompt is there immediately.
I have tried analysing the logs, but I cannot spot a difference in the logs for ACCEPT/DROP in my FORWARD chain. Also I have tried allowing all the unprivileged ports, as box1 uses those for doing ssh to box2.
Any hints?
(If the whole setup seems strange to you - the point of the exercise is to understand iptables ;))
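An added example, not part of the question above: the same gateway role (MASQUERADE on eth0, DNAT of box2:2223 to box3:22) written with connection tracking, so each chain carries one rule for return traffic and the FORWARD chain lists only the new flows allowed to cross box2. A delay of several seconds before sshd shows the password prompt is the classic symptom of sshd's reverse DNS lookup of the client timing out, and the script above forwards no UDP at all, so this version also forwards port 53 and logs only what the DROP policy will actually eat. The interface names (eth1 towards box1, eth0 towards box4/www) and the assumption that box3's resolver sits beyond box2 are mine, not from the post; `count_rules_matching` is a dry-run self-check, not an iptables feature.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumptions not stated in the post: eth1 faces box1 (10.0.1.0/24),
# eth0 faces box4/www (10.0.2.0/24), and box3 resolves DNS through a
# server beyond box2, so its UDP/53 queries cross the FORWARD chain.

IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of loading them

gateway_rules() {
    # Clean slate, default-deny on every chain.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP

    # Replies to any flow accepted below, one rule per chain.
    for chain in INPUT OUTPUT FORWARD; do
        "$IPT" -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Management ssh to box2 itself, only from the two hosts that need it.
    for ip in 10.0.1.1 10.0.3.15; do
        "$IPT" -A INPUT -p tcp --dport 22 -s "$ip" -m conntrack --ctstate NEW -j ACCEPT
    done
    # box2's own outbound DNS and web traffic.
    "$IPT" -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Routing: enable forwarding (skipped in dry-run), masquerade what
    # leaves towards box4/www, DNAT the ssh port to box3.
    case "$IPT" in
        echo) ;;
        *) echo 1 >/proc/sys/net/ipv4/ip_forward ;;
    esac
    "$IPT" -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    "$IPT" -t nat -A PREROUTING -i eth1 -p tcp --dport 2223 -j DNAT --to-destination 10.0.3.15:22

    # New flows allowed across box2: web, the DNAT'd ssh (FORWARD sees the
    # packet after DNAT, hence -d 10.0.3.15 --dport 22), and DNS so hosts
    # behind box2 (sshd on box3 looking up its client included) reach a resolver.
    "$IPT" -A FORWARD -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A FORWARD -i eth1 -d 10.0.3.15 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A FORWARD -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A FORWARD -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Last rule: log only what reaches the end of FORWARD, i.e. what the
    # DROP policy is about to eat. Its packet counter (iptables -vnL FORWARD)
    # is the first thing to check when a connection stalls.
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
}

# Dry-run self-check: how many generated rules contain the given string.
# Run in a subshell so IPT=echo does not leak into the caller.
count_rules_matching() {
    ( IPT=echo; gateway_rules ) | grep -c -- "$1"
}

# Usage: ./gateway.sh show   (print the rules)   |   sudo ./gateway.sh apply
if [ "${1:-}" = "apply" ]; then
    gateway_rules
elif [ "${1:-}" = "show" ]; then
    IPT=echo
    gateway_rules
fi
```

With `./gateway.sh show` you can diff the intended rule set against `iptables-save` on box2 before touching anything; with the real binary, watch the LOG rule's counter while the ssh session is being set up.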