I'm using fail2ban to block failed login attempts on my server. The block is performed using IP tables with the following configuration:
actionstart = iptables -N fail2ban
iptables -A fail2ban -j RETURN
iptables -I <chain> -p tcp -m multiport --dports <port> -j fail2ban
actionstop = iptables -D <chain> -p tcp -m multiport --dports <port> -j fail2ban
iptables -F fail2ban
iptables -X fail2ban
actionban = iptables -I fail2ban 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban -s <ip> -j DROP
What I'm concerned about is rules processing performance. The above rules are in stateful mode and I've been wondering if stateless mode would make the processing faster. To make things clear, I'm blocking the intruder IP address on a TCP port (e.g., 22 or 25).
I read somewhere that for TCP connection specialy, adding the ESTABLISHED,RELATED states would be better. But since each IP refers to a different connection, does it make sense to apply these states?
UPDATE:
Here is a sample iptables -L:
Chain INPUT (policy ACCEPT 399 packets, 36043 bytes)
pkts bytes target prot opt in out source destination
39 4230 fail2ban tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,25,80,99,100,101
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 282 packets, 39686 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.0.1 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.2 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.3 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.4 0.0.0.0/0
39 4230 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Despite what many performance apologists claim, IPtables CAN have significant overhead, but it won't be noticeable until you get some substantial traffic. Now how you do the tables, and which extensions you call, will be determining factor on CPU overhead per packet.
As for stateless vs statefull, yes the performance difference can be immense, but again it's at a very high throughput. In addition as you may have read, it is much more complexity to manage a stateless firewall. It should really only be done if the IPtable impact is measurable.
BUT good practice should always be followed, and IMO that includes the least amount of overhead without adding lots of complexity.
Now as for your situation, fail2ban is only considering a segment of your iptables overall, but the only thing that I would recommend looking at preventively is this part.
-p tcp -m multiport --dports
Using the multiport extension does have more overhead, except when doing so would make a solid reduction of rules. Since you are only doing 2, I would list them separately, to avoid the multiport extension... or better yet just one by range, if you don't care about blocking 23 and 24.
-p tcp -m tcp --dport 22:25
As for established tracking, yes you can use it with fail2ban, although it does have some considerations. To get the most impact, you'd want to place fail2ban chain below ESTABLISHED,RELATED. However this will allow already established connections, considering you'd need an already authenticated user, it seems reasonable enough.
This is a mini example of the tables I use for my servers, with some example rules, I commented it for you,
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
## Stateless on Loopback
## Remove everything before #filter if iptables chokes on #raw
-A OUTPUT -o lo -j NOTRACK
COMMIT
*filter
## Default Chains
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
## Proto Chains
:FWINPUT-TCP - [0:0]
:FWINPUT-UDP - [0:0]
:FWINPUT-ICMP - [0:0]
## FAIL2BAN Chain
:fail2ban - [0:0]
## Accept Established
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Accept Loopback
-A INPUT -i lo -j ACCEPT
## Seperate Proto
-A INPUT -p tcp -g FWINPUT-TCP
-A INPUT -p udp -g FWINPUT-UDP
-A INPUT -p icmp -g FWINPUT-ICMP
## Reject Anything Non-TCP/UDP/ICMP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
## TCP Rules
-A FWINPUT-TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A FWINPUT-TCP -p tcp -m tcp --dport 443 -j ACCEPT
## fail2ban Check
-A FWINPUT-TCP -p tcp -m tcp --dport 22:25 -g fail2ban
## fail2ban Return
-A FWINPUT-TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A FWINPUT-TCP -p tcp -m tcp --dport 25 -j ACCEPT
## TCP-Reset Ident
-A FWINPUT-TCP -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
## Reject Any Other TCP Traffic
-A FWINPUT-TCP -j REJECT --reject-with icmp-port-unreachable
## UDP Rules
-A FWINPUT-UDP -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
## Reject Any Other UDP Traffic
-A FWINPUT-UDP -j REJECT --reject-with icmp-port-unreachable
## ICMP Rules
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT
## Reject Any Other ICMP Types
-A FWINPUT-ICMP -j REJECT --reject-with icmp-host-prohibited
## fail2ban Inserted Rules
-A fail2ban -j RETURN
COMMIT
I would just blank out the action start and action stop, and let fail2ban just add the blocked IP rules when running. This would a pinch more manual considerations, like if you wanted to start using fail2ban to block more stuff... but if it's a set type of thing your trying to work on, then it shouldn't be a problem.
... On my home system, and not on servers, I usually just set an iptables limit and call it good enough.
Related
This question already has answers here:
Are shell scripts sensitive to encoding and line endings?
(14 answers)
Closed 2 years ago.
I input this from a bash script
#!/bin/bash
#
# iptables example configuration script
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Flush all chains
/sbin/iptables --flush
# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT
# Allow certain ports to be accessible from the outside
/sbin/iptables -A INPUT -p tcp --dport 25565 -m state --state NEW -j ACCEPT #Minecraft
/sbin/iptables -A INPUT -p tcp --dport 1688 -m state --state NEW -j ACCEPT #Dynmap plugin
# Other rules for future use if needed. Uncomment to activate
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT # http
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT # https
# UDP packet rule. This is just a random udp packet rule as an example only
# /sbin/iptables -A INPUT -p udp --dport 5021 -m state --state NEW -j ACCEPT
# Allow pinging of your server
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Drop all other traffic
/sbin/iptables -A INPUT -j DROP
# print the activated rules to the console when script is completed
/sbin/iptables -nL
and get output of this
firewall.sh: line 38: DROP: command not found
firewall.sh: line 39: tcp: command not found
firewall.sh: line 43: -p: command not found
firewall.sh: line 46: --dport: command not found
its weird im migrating servers and on the old one this script ran fine is something wrong with the script that im not seeing? What i am hosting on is a pi4 8gb with raspibian x64 is it possible that is giving me the issue with iptables currently? Or is it the code?
The error pointed by you is most likely caused by window-style line ending present in your file. you can try to use cat -A <filename> to debug and use the following command to convert your file with Linux style line endings.
dos2unix <file>
I have a transparent proxy.
I want to redirect a rdp connection to local process, but from 3rd packet. that means I want to pass first and second packet and from 3rd packet until end redirect packets to local process.
I use code below to configure my tproxy.
But it does not work and no packets pass and no packets go to local process(50082).
Could you please help me? I don't know my mistake.
${ip} rule add fwmark 1 lookup 100
${ip} route add local 0.0.0.0/0 dev lo table 100
${iptables} -t mangle -N DIVERT
${iptables} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
${iptables} -t mangle -A DIVERT -j MARK --set-mark 1
${iptables} -t mangle -A DIVERT -j ACCEPT
${iptables} -t mangle -A PREROUTING -p tcp --dport 3389 -m connbytes --connbytes 3: --connbytes-dir both --connbytes-mode packets -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50082
${iptables} -t mangle -A PREROUTING -p tcp --dport 3389 -m connbytes --connbytes 1:3 --connbytes-dir both --connbytes-mode packets -j ACCEPT
I installed the Gitlab-Omnibus bundle and opened iptables for port 80, 443, 9418 and temp. even for 22. Why doesn't pushing via https work? When I put iptables in default open for everything it works.
Here are my rules for 80, 443, 22 and 9418
# 1. Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
# 2. Allow outgoing HTTP
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 443 -j ACCEPT
# 10. Allow outgoing HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
# allow git
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 9418 -j ACCEPT
#SSH: Client --> Server
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
The Result is:
Pushing to https://TLD/USER/REPO.git
POST git-receive-pack (448 bytes)
And then it just freezes. What do I need to open else?
I tried logging dropped packages but there is nothing with my ip?
I hope someone can help me..
Ok here are the rules for my logging:
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
And here is the output:
# Generated by iptables-save v1.4.21 on Thu Nov 13 18:43:13 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 37655 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 9418 -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.20.0.0/16 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 37655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
COMMIT
#Devices
DEV0=eth0
#internal network
INT_NET=xxx.xxx.0.0/16
INT_NET_SECURE=xxx.xxx.xxx.0/24
#external network
EXT_NET=xxx.xxx.xxx.0/24
#path iptables
IPTABLES=/sbin/iptables
#path modprobe
MODPROBE=/sbin/modprobe
case $1 in
start)
$0 stop
echo "start ip-package-filter"
# iptables-Modul
$MODPROBE ip_tables
# Connection-Tracking-Module
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
#Standard-Policy - Deny everything except what we want
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#slows down icmp for too much packages
echo "5" >/proc/sys/net/ipv4/icmp_ratelimit
#Kills packages with source route option
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_source_route
#Kills icmp forwarding
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_redirects
#Kills spoofed packages
echo "1" > /proc/sys/net/ipv4/conf/$DEV0/rp_filter
#Kills packages from 0.X.X.X
echo "0" > /proc/sys/net/ipv4/conf/eth0/bootp_relay
# TCP-FIN-Timeout (DoS-Attack)
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#TCP-SYN max 3 answers
echo 3 > /proc/sys/net/ipv4/tcp_retries1
#TCP-Package max 15x repetitions
echo 15 > /proc/sys/net/ipv4/tcp_retries2
#Loopback-Communication
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#ICMP: Client <--> Server
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
#DNS: Server --> DNS-Server
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
#SSH: Client --> Server (internal)
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
#SSH: Client --> Server
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Update (apt)
$IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#TeamDrive
$IPTABLES -A INPUT -p tcp --dport 37655 -m state --state NEW -j ACCEPT
#Git
$IPTABLES -A INPUT -p tcp --dport 9418 -m state --state NEW -j ACCEPT
#Connection-Tracking for INPUT and OUTPUT CHAIN
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
echo "Firewall activated"
;;
stop)
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
;;
restart)
$0 start
;;
*)
echo "Usage: $0 {startwd|stop|restart}"
;;
esac
So, yes I'm very new to IPtables (and Squid). I'm moving a proxy from a Windows based installation to a CentOS-based one. My configuration is the following:
-------------
//|Squid proxy|
// -------------
-------- ---------------- ---------- -------------
|Modem |--|Router/Gateway|--| Switch |--| HTTP/FTP server |
-------- ---------------- ---------- -------------
\ ----------
\ | User 1 |
----------
:
:
The Squid proxy has two NICs, eth0 (LAN) and eth1 (WAN/internet). I want to just use Squid in the old-fashioned way, i.e. not as "transparent" proxy, and I'd like it to do reverse proxying also for the FTP and HTTP server - these should be reachable from the internet.
Squid is listening on the default port 3128 and I would like to define the IPtables correctly so that routing is going to be correct. I guess the easiest way to route all trafic is by IPtables. I've looked into this a lot, and found the reply by dgabad: Squid+iptables: how do i allow https to pass-through and bypassing Squid?
In short, it's driving me nuts that I'm much in doubt about what rules I should set, but I added the following rules:
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i intern -p tcp --dport 3128
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o extern -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i extern -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m --state ESTABLISHED,RELATED -o intern -p tcp --sport 80
(intern=eth0, extern=eth1)
My interpretation is that the first rule forwards everything TCP from eth0 to port 3128, the second one forwards anything outgoing to eth1 at port 80. The third rule opens for incoming port 80 trafic on eth1.
My questions are:
- What exactly is rule 4 for?
- Am I missing something in order to accomplish what I want? I suppose pre-routing isn't necessary with non-transparent proxies. Postrouting?
Any help in accomplishing this is much appreciated.
I have a trouble. Can`t access to my ethernet-connected MFP from Windows 7 clients, but by Ubuntu (and router/server) machine it can get access to it.
MFP = Epson Stylus Color 730
network:
MFP (192.168.0.100) + win7clients (192.168.0.101-200) ---> Ubuntu server/router (192.168.0.1) ---> Internet
MFP get right IP and settings form DHCP server. On Windows machines disabled all firewalls and so on.
From Ubuntu I can do with MFP what I want, but why I can`t even ping it form Windows?
Thanks
Edit:
Content of /etc/sysctl.conf :
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
Edit 2:
After some fixes - all, except of me in local net can use MFP.
So, new puzzle:
My local network:
http://prntscr.com/kvk5g
"Hakuhonoo" can`t see MFP, but other do.
Content of /etc/iptables.conf:
# Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012
*filter
:INPUT ACCEPT [23:1420]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [20:18904]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80:85 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1985 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 60000:65000 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 81:85 -j ACCEPT
-A FORWARD -i eth0 -j DROP
COMMIT
# Completed on Fri Nov 9 01:51:58 2012
# Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012
*nat
:PREROUTING ACCEPT [377:31747]
:INPUT ACCEPT [39:3558]
:OUTPUT ACCEPT [11:872]
:POSTROUTING ACCEPT [7:570]
-A PREROUTING -i eth0 -p tcp --dport 81:85 -j DNAT --to 192.168.0.101
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 9 01:51:58 2012
# Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012
*mangle
:PREROUTING ACCEPT [1425:140833]
:INPUT ACCEPT [762:69219]
:FORWARD ACCEPT [495:56655]
:OUTPUT ACCEPT [643:122295]
:POSTROUTING ACCEPT [1152:179096]
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
COMMIT
# Completed on Fri Nov 9 01:51:58 2012
Did you set your Ubuntu to forward packets?
Enable routing: (taken from here)
Configure the gateway for routing between two interfaces by enabling IP forwarding:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Edit /etc/sysctl.conf, and (up to 10.04) add these lines:
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
From 10.10 onwards, it suffices to edit /etc/sysctl.conf and uncomment:
net.ipv4.ip_forward=1