  1. #1
    Just Joined!
    Join Date
    Sep 2009
    Posts
    3

    Question Need help. Port forwarding in iptables.


    I have 1 root-server with 2 NICs.
    Eth1 looks into Internet through DSL modem and has IP 192.168.1.2
    Eth2 looks into Local Network and has IP 192.168.63.77.

    Also I have a VPN connection that gives ppp1 the IP 192.168.79.10 (I changed the IP for security reasons).
    I also started apache-server on this computer in order to run a program.
    This program connects to 192.168.5.150:8003 through 192.168.63.77:8003.

    When I create VPN-connection and make route to 192.168.5.150 through ppp1, I can use telnet on 192.168.5.150 8003 from server, but can't do it from local network.

    What should I do in order to forward packets that go to 192.168.63.77:8003 from local network to 192.168.5.150:8003?

    I have such rules:
    Code:
    # Generated by iptables-save v1.4.0 on Tue Sep 15 20:42:25 2009
    *mangle
    :PREROUTING ACCEPT [112745:78651762]
    :INPUT ACCEPT [64730:49099850]
    :FORWARD ACCEPT [48317:29787165]
    :OUTPUT ACCEPT [60934:49347971]
    :POSTROUTING ACCEPT [109541:79165628]
    COMMIT
    # Completed on Tue Sep 15 20:42:25 2009
    # Generated by iptables-save v1.4.0 on Tue Sep 15 20:42:25 2009
    *nat
    :PREROUTING ACCEPT [2021:108015]
    :POSTROUTING ACCEPT [534:32898]
    :OUTPUT ACCEPT [532:32802]
    -A POSTROUTING -s 192.168.63.0/24 -o eth1 -j SNAT --to-source 192.168.1.2
    COMMIT
    # Completed on Tue Sep 15 20:42:25 2009
    # Generated by iptables-save v1.4.0 on Tue Sep 15 20:42:25 2009
    *filter
    :INPUT ACCEPT [85:54160]
    :FORWARD ACCEPT [71:5131]
    :OUTPUT ACCEPT [140:134369]
    :allowed - [0:0]
    :bad_tcp_packets - [0:0]
    :icmp_packets - [0:0]
    :tcp_packets - [0:0]
    :udp_packets - [0:0]
    -A INPUT -p tcp -j bad_tcp_packets
    -A INPUT -s 192.168.63.0/24 -i eth2 -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
    -A INPUT -s 192.168.63.77/32 -i lo -j ACCEPT
    -A INPUT -s 192.168.1.2/32 -i lo -j ACCEPT
    -A INPUT -i ppp+ -j ACCEPT
    -A INPUT -i eth1 -p gre -j ACCEPT
    -A INPUT -i eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
    -A INPUT -i eth2 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    -A INPUT -d 192.168.1.2/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth1 -p tcp -j tcp_packets
    -A INPUT -i eth1 -p udp -j udp_packets
    -A INPUT -i eth1 -p icmp -j icmp_packets
    -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7
    -A FORWARD -p tcp -j bad_tcp_packets
    -A FORWARD -i eth2 -j ACCEPT
    -A FORWARD -o ppp+ -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
    -A OUTPUT -p tcp -j bad_tcp_packets
    -A OUTPUT -s 127.0.0.1/32 -j ACCEPT
    -A OUTPUT -s 192.168.63.77/32 -j ACCEPT
    -A OUTPUT -s 192.168.1.2/32 -j ACCEPT
    -A OUTPUT -o ppp+ -j ACCEPT
    -A OUTPUT -o eth1 -p gre -j ACCEPT
    -A OUTPUT -o eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
    -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
    -A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
    -A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A allowed -p tcp -j DROP
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
    -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A icmp_packets -s 192.168.63.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A icmp_packets -s 192.168.63.0/24 -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A tcp_packets -s 192.168.63.0/24 -p tcp -m tcp --dport 21 -j allowed
    -A tcp_packets -s 192.168.63.0/24 -p tcp -m tcp --dport 22 -j allowed
    -A tcp_packets -p tcp -m tcp --dport 80 -j allowed
    -A tcp_packets -s 192.168.63.0/24 -p tcp -m tcp --dport 113 -j allowed
    -A tcp_packets -s 192.168.63.0/24 -p tcp -m tcp --dport 3128 -j allowed
    -A udp_packets -s 192.168.63.0/24 -p udp -m udp --dport 2074 -j ACCEPT
    -A udp_packets -s 192.168.63.0/24 -p udp -m udp --dport 4000 -j ACCEPT
    COMMIT
    # Completed on Tue Sep 15 20:42:25 2009
    I tried to add:
    Code:
    iptables -t nat -A PREROUTING -p tcp -d 192.168.63.77 --dport 8003 -j DNAT --to-destination 192.168.5.150:8003
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.5.150 --dport 8003 -j SNAT --to-source 192.168.63.77
    iptables -t nat -A POSTROUTING -p tcp -s 192.168.5.150 --sport 8003 -j SNAT --to-source 192.168.63.77:8003
    iptables -t nat -A OUTPUT --dst 192.168.63.77 -p tcp --dport 8003 -j DNAT --to-destination 192.168.5.150:8003
    And this time the connection isn't refused. The telnet request just times out, and not only from the local network, even on the server.

    Also, some packets that come from the local network to 192.168.63.77:8067 are to be forwarded on the local network to IP 192.168.63.15:8067.

    I hope for your help.

    P.S> Surely I have "echo 1 > /proc/sys/net/ipv4/ip_forward"
    P.S.2> I know that all policies are Accept by default, but I need it until the config begins working.

  2. #2
    Just Joined!
    Join Date
    Aug 2009
    Location
    Mumbai, India
    Posts
    90
    Hi,

    If I'm able to interpret your query well, I assume you want traffic destined from your local network to 192.168.63.77:8003 to be DNAT'd to 192.168.5.150:8003.

    Even with the default policy settings set to ACCEPT, I assume some traffic could yet be blocked because some of the rules have DROP target associated with it. I haven't really read through the scores of rules you have listed.

    To check the DNAT which you say is currently not working, clear up all the iptables rules, set your policies to the default of ACCEPT & add these rules:
    iptables -t nat -A PREROUTING -p tcp -d 192.168.63.77 --dport 8003 -j DNAT --to-destination 192.168.5.150:8003
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.5.150 --dport 8003 -j SNAT --to-source 192.168.63.77

    Then try to access the said service and verify with iptables -t nat -nvL that the packet counts for both the rules are increasing. If so then the rules are fine (assuming my interpretation of what you require is right). With the above two rules configured your DNAT for the local network should work fine. You could also use tcpdump to verify the flow of traffic. This would help isolate whether DNAT / SNAT is actually happening; if so then you could proceed further to check the other iptables rules.

    --Syd

  3. #3
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Quote Originally Posted by syd05
    iptables -t nat -A PREROUTING -p tcp -d 192.168.63.77 --dport 8003 -j DNAT --to-destination 192.168.5.150:8003
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.5.150 --dport 8003 -j SNAT --to-source 192.168.63.77
    These rules will not work as you think. Simply because rule 2 cancels out rule 1.

    PREROUTE is done then the rules are filtered through then POSTROUTE is done.

    Packet in: 192.168.63.77:8003
    PREROUTE: change 192.168.63.77:8003 to 192.168.5.150:8003
    Filter packet through rules
    POSTROUTE: change 192.168.5.150:8003 to 192.168.63.77:8003
    Packet out: 192.168.63.77:8003

    You have done nothing with the rules you have listed above: the packet comes in and leaves with the same IP address.

    Your rules look like they need a lot of help, but without knowing what you want to allow on which interface I cannot configure your rules properly.

    Here is an IPTABLES TUTORIAL that you can read to get some insight into how to configure your rules.

    Did you follow some sort of configuration when you setup your rules?

    You have some BIG security flaws in your rules. For example you have the Default Policy for INPUT set to ACCEPT. This is wrong for the simple fact that once the end of your rules is reached and the packet did not match any rules it is still accepted and let through. Same with your FORWARD Policy. Nothing stopping the packets from going right through the system. The only packets I see being dropped are the filter for bad_tcp_packets.

    Anyone knowing your external ip address can attempt to hack into your system right now because there is nothing to stop them. Also you have rules that you don't even need or can be shortened also.

    You talked about Telnet. You should not be using Telnet you should be using SSH.

    To be honest your system could already be hacked because it is wide open.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  4. #4
    Just Joined!
    Join Date
    Sep 2009
    Posts
    3
    Quote Originally Posted by Lazydog
    You talked about Telnet. You should not be using Telnet you should be using SSH.

    To be honest your system could already be hacked because it is wide open.
    I need Telnet in order to check if the host 192.168.5.150 can be reached, because ICMP packets to it are dropped.
    All the Policies that are Accept by default are a temporary decision and, when I correct some other rules, will be changed to Drop. I mean that I read that tutorial and man pages, but I couldn't find what could help me to solve my problem.

    Some corrections to my question.
    The packets from the local network get to 192.168.63.77:8003 and should be forwarded to 192.168.5.150:8003 through 192.168.79.10 (the IP that the VPN server gives me after connection), because 63.77 can't see 5.150 without a route through ppp1 (192.168.79.10).

    I guess that the solution is near DNAT and PREROUTING of the packets, but nothing has worked yet and I'm at a dead end now ((

  5. #5
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Use the tutorial I posted above and look at STATEFUL rule setup. You don't seem to be using it even though you have ESTABLISH,RELATED setup.

    Not sure why you can only get to 192.168.5.150 through ppp1. Can you post your route table?
    Code:
    route -n
    I have a box I set up as a router/firewall here that has 4 connections and I can connect to any one of its IP addresses from any network. It seems you don't have something set up correctly.

    You are aware that you can use telnet to check services without having a telnet daemon running?

    telnet <ipaddr> <port>

    ex.
    Code:
    telnet 192.168.1.1 25
    This will check and connect to the SMTP server if it is running.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  6. #6
    Just Joined!
    Join Date
    Aug 2009
    Location
    Mumbai, India
    Posts
    90
    Quote Originally Posted by Lazydog
    These rules will not work as you think. Simply because rule 2 cancels out rule 1.

    PREROUTE is done then the rules are filtered through then POSTROUTE is done.

    Packet in: 192.168.63.77:8003
    PREROUTE: change 192.168.63.77:8003 to 192.168.5.150:8003
    Filter packet through rules
    POSTROUTE: change 192.168.5.150:8003 to 192.168.63.77:8003
    Packet out: 192.168.63.77:8003
    Hi,

    Before listing the rules, I made a simple assumption about the query raised: that the user wanted the traffic from the local network destined to 192.168.63.77 port 8003 to be DNAT'd to 192.168.5.150:8003. Another mistake I made is with the second rule, which should have been iptables -t nat -A POSTROUTING -p tcp -d 192.168.5.150 -j SNAT --to-source 192.168.63.77

    The above two rules with default filter chain policies of ACCEPT work fine and redirect traffic. The other thing I overlooked is the different network addresses of source and destination, but if the system can be reached over VPN then NAT should perhaps work (though I've not tried this out).

    BTW the above two rules help in NAT'ing and the second rule does not cancel the first -- IMHO. It translates the source IP of the packet so that the DNAT'd IP does not later try to communicate with the client directly.

    --Syd
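    The disagreement between #3 and #6 is about which address field each nat chain rewrites. The following is an added example, not code from this thread: a small Python model of a forwarded TCP flow passing through PREROUTING and POSTROUTING of the nat table with a conntrack entry recorded once per connection, the way the kernel does it. It uses the thread's addresses and ports; the LAN client 192.168.63.15 with source port 40000 is a constructed sample. It shows that DNAT changes only the destination, SNAT (the corrected rule from #6) changes only the source, and the reply is untranslated by conntrack rather than by a second rule.

```python
"""Toy model of iptables nat chain traversal for one forwarded TCP connection.

Added example for this thread, not the kernel's or netfilter's code. It models
only what the discussion needs: first-match nat rules, the order PREROUTING ->
(routing/filter) -> POSTROUTING, and a conntrack table that is consulted
for every later packet of the same connection instead of the rules.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    chain: str                  # "PREROUTING" or "POSTROUTING"
    match_dst: Optional[str]    # -d <ip>, or None for any
    match_dport: Optional[int]  # --dport <n>, or None for any
    target: str                 # "DNAT" rewrites dst, "SNAT" rewrites src
    to: str                     # --to-destination / --to-source address


class NatTable:
    def __init__(self, rules: List[NatRule]) -> None:
        self.rules = list(rules)
        # original 4-tuple of the first packet -> how it left the box
        self.conntrack: Dict[Tuple[str, int, str, int], Packet] = {}

    def _apply_chain(self, chain: str, pkt: Packet) -> Packet:
        # nat chains stop at the first matching rule
        for r in self.rules:
            if r.chain != chain:
                continue
            if r.match_dst is not None and pkt.dst != r.match_dst:
                continue
            if r.match_dport is not None and pkt.dport != r.match_dport:
                continue
            if r.target == "DNAT":
                return replace(pkt, dst=r.to)
            if r.target == "SNAT":
                return replace(pkt, src=r.to)
        return pkt

    def forward(self, pkt: Packet) -> Packet:
        """Client->server packet: PREROUTING (DNAT) then POSTROUTING (SNAT)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # nat decisions are taken once, on the first packet of a connection
            return self.conntrack[key]
        after_pre = self._apply_chain("PREROUTING", pkt)
        # routing and the filter FORWARD chain would run here, on after_pre
        after_post = self._apply_chain("POSTROUTING", after_pre)
        self.conntrack[key] = after_post
        return after_post

    def reply(self, pkt: Packet) -> Packet:
        """Server->client packet: conntrack reverses both translations; no rules."""
        for orig, xlated in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (
                xlated.dst, xlated.dport, xlated.src, xlated.sport
            ):
                o_src, o_sport, o_dst, o_dport = orig
                return Packet(src=o_dst, sport=o_dport, dst=o_src, dport=o_sport)
        raise LookupError("no conntrack entry: reply is not translated back")


# The two rules from post #6 (corrected SNAT without --dport).
SYD_RULES = [
    NatRule("PREROUTING", "192.168.63.77", 8003, "DNAT", "192.168.5.150"),
    NatRule("POSTROUTING", "192.168.5.150", None, "SNAT", "192.168.63.77"),
]

# Constructed sample client on the LAN behind eth2.
CLIENT = Packet("192.168.63.15", 40000, "192.168.63.77", 8003)


def demo() -> Tuple[Packet, Packet]:
    """Returns (packet as sent towards 5.150 over ppp1, reply as delivered to the client)."""
    nat = NatTable(SYD_RULES)
    outbound = nat.forward(CLIENT)
    # 192.168.5.150 answers to whatever it saw as the source: 192.168.63.77
    server_reply = Packet(outbound.dst, outbound.dport, outbound.src, outbound.sport)
    return outbound, nat.reply(server_reply)


def demo_without_snat() -> Packet:
    """Same flow with only the DNAT rule: the source is left as the LAN client."""
    nat = NatTable(SYD_RULES[:1])
    return nat.forward(CLIENT)


if __name__ == "__main__":
    out, back = demo()
    print("towards VPN :", out)      # src 192.168.63.77, dst 192.168.5.150:8003
    print("back to LAN :", back)     # src 192.168.63.77:8003, dst 192.168.63.15
    print("DNAT only   :", demo_without_snat())
```

    In demo() the packet leaves towards 192.168.5.150 with source 192.168.63.77, and the reply comes back to the client from 192.168.63.77:8003, so the rules compose rather than cancel. demo_without_snat() shows why the SNAT is there: the packet keeps source 192.168.63.15, so the remote host would answer a LAN address that the far side of the VPN may have no route for, which is the behaviour #6 describes.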

  7. #7
    Just Joined!
    Join Date
    Sep 2009
    Posts
    3
    Quote Originally Posted by Lazydog
    Use the tutorial I posted above and look at STATEFUL rule setup. You don't seem to be using it even though you have ESTABLISH,RELATED setup.

    Not sure why you can only get to 192.168.5.150 through ppp1. Can you post your route table?
    Code:
    route -n
    I have a box I set up as a router/firewall here that has 4 connections and I can connect to any one of its IP addresses from any network. It seems you don't have something set up correctly.

    You are aware that you can use telnet to check services without having a telnet daemon running?

    telnet <ipaddr> <port>

    ex.
    Code:
    telnet 192.168.1.1 25
    This will check and connect to the SMTP server if it is running.
    I can get to 192.168.5.150 through ppp1 because this network is in another city and 192.168.63.77 can't reach it without:
    Code:
    /sbin/route add -host 192.168.5.150 dev ppp1
    The telnet daemon is started, because I can check ports 80 and 25 on 192.168.63.77. But when I check 8003 I should get to 192.168.5.150 through forwarding.

    =======
    Well, syd05, I'll try the changes that you suggested. I hope they'll work (because I know that I'm near solution).
