- 08-02-2010 #1
help on iptables port forwarding
I've got an ESXi guest I'm trying to access from another state; however, I am not able to establish the connection remotely (connection refused). On the internal LAN there is no problem connecting.
eth0 = internet (external ip) foo.com
eth1 = internal lan = 192.168.0.50
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning
ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:902
ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:903
ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:902
ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:903
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:902 to:192.168.0.99:902
DNAT tcp -- anywhere anywhere tcp dpt:903 to:192.168.0.99:903
I am using the following rules to create the above:
iptables -A FORWARD -i eth1 -d 192.168.0.99 -p tcp --dport 902 -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.0.99 -p tcp --dport 903 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 902 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 903 -j ACCEPT
iptables -A PREROUTING -i eth0 -t nat -p tcp --dport 902 -j DNAT --to 192.168.0.99:902
iptables -A PREROUTING -i eth0 -t nat -p tcp --dport 903 -j DNAT --to 192.168.0.99:903
Any assistance is greatly appreciated.
- 08-03-2010 #2
Try the following:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 902 -j DNAT --to-destination 192.168.0.99
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 903 -j DNAT --to-destination 192.168.0.99
iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 902 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 903 -j ACCEPT
- 08-03-2010 #3
Still didn't work, but let me know if this is the problem. The commands used to set up IP masq for the LAN:
eth0 = external
eth1 = internal
# variable definitions (added here from the interface mapping above; the
# original post starts at the echo line)
IPTABLES=/sbin/iptables
EXTIF=eth0
INTIF=eth1
echo " FWD: Allow all connections OUT and only existing and related ones IN"
# return traffic for connections already tracked by conntrack
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything from the LAN towards the internet
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# everything else in FORWARD is logged, then hits the chain's DROP policy
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# then I added what you recommended:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 902 -j DNAT --to-destination 192.168.0.99
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 903 -j DNAT --to-destination 192.168.0.99
iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 902 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 903 -j ACCEPT
So I'm wondering if the beginning rules for the FORWARD chain are causing the problem. I can SSH into foo.com from anywhere with no problem, though; I just can't get the requests to port 902/3 to .0.99. No other IDS is running, hosts.deny is empty.
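The rule set suggested in #2 and the masquerade script in #3 together make up the standard DNAT port-forward pattern; the script below is an added example (not code from the thread or from any poster) that generates those rules for one port at a time and refuses to apply them while kernel forwarding is off. It assumes the thread's layout: eth0 external, eth1 internal, the guest at 192.168.0.99, and a FORWARD chain that ends in a catch-all LOG before its DROP policy.

```shell
#!/bin/sh
# Added example, not code from the thread: generate (and optionally apply) the
# iptables rules that forward an external TCP port to a LAN host through a
# Linux NAT gateway. Assumed layout, constructed to match the thread:
# eth0 = external, eth1 = internal, guest 192.168.0.99 behind the gateway.
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}

# Print the two rules one forwarded port needs.
#  1. nat/PREROUTING DNAT: rewrite the destination before the routing decision.
#  2. FORWARD ACCEPT, inserted at position 1 so it runs before a catch-all
#     "-j LOG" and the chain's DROP policy; scoped to in/out interface, host,
#     protocol and port so only this one service is exposed.
# Usage: portfwd_rules <ext_port> <lan_ip> [<lan_port>]
portfwd_rules() {
    ext=$1; dst=$2; lan=${3:-$1}
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $ext -j DNAT --to-destination $dst:$lan" \
      "iptables -I FORWARD 1 -i $EXTIF -o $INTIF -d $dst -p tcp --dport $lan -j ACCEPT"
}

# DNAT does nothing unless the kernel routes between interfaces.
# $1 lets the check read a file other than the real sysctl (used for testing).
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Apply the rules for each port given, refusing to run if forwarding is off.
# Usage: apply_portfwd <lan_ip> <port>...
apply_portfwd() {
    dst=$1; shift
    if ! forwarding_enabled; then
        echo "net.ipv4.ip_forward is 0; enable it first (sysctl -w net.ipv4.ip_forward=1)" >&2
        return 1
    fi
    for p in "$@"; do
        portfwd_rules "$p" "$dst" | sh -e
    done
}

# Dry run when invoked as "sh script.sh print": show the rules for the
# thread's two ports without touching the firewall.
if [ "${1:-}" = "print" ]; then
    for p in 902 903; do portfwd_rules "$p" 192.168.0.99; done
fi
```

The DNAT reply path only works if the LAN host's default gateway is the NAT box itself (here 192.168.0.50), since conntrack must see the return packets to un-translate them; the POSTROUTING MASQUERADE rule is for LAN-originated traffic and is not what makes inbound DNAT work.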
- 08-05-2010 #4
OK, if you can log into foo.com from anywhere, I would then question whether you have a service listening on port 902/3. What program is listening on these ports?
- 08-05-2010 #5
I should clarify that when I SSH to foo.com it's hitting foo.com directly; sshd runs locally (192.168.0.50) on that machine on port 900, and 901 is an FTP server. 902 and 903, which are for the ESXi server on 192.168.0.99, are not listed as open, so I'm assuming they are not being routed to 192.168.0.99.
If I port scan foo.com from foo.com I get:
37/tcp open time
53/tcp open domain
113/tcp open auth
139/tcp open netbios-ssn
445/tcp open microsoft-ds
900/tcp open unknown
901/tcp open samba-swat
3128/tcp open squid-http
6000/tcp open X11
However, if I port scan from nmap's website I get:
Not shown: 4883 closed ports, 110 filtered ports
PORT STATE SERVICE
37/tcp open time
53/tcp open domain
113/tcp open auth
900/tcp open unknown
901/tcp open samba-swat
902/tcp open iss-realsecure
3128/tcp open squid-http
The above shows that 902 is in fact open and being routed from 192.168.0.50 to 192.168.0.99, where the ESXi server lives.
Pertaining to service listings, are you referring to what's in my /etc/services file? If so, there are no entries at all in there for 902 and 903.
- 08-05-2010 #6
Go to the server that has processes listening on 902/3 and run the following, then post.
Code:
netstat -a | grep 902
netstat -a | grep 903
- 08-05-2010 #7
The netstat command isn't available under ESXi, nor can it be installed/compiled.
The best I can do is run netstat from .0.50 (where I do have 3 connections to virtual machines on .0.99 on the LAN):
bash-3.1# netstat -a | grep 902
tcp 0 0 192.168.0.50:40056 192.168.0.99:902 ESTABLISHED
tcp 0 37 192.168.0.50:54864 192.168.0.99:902 ESTABLISHED
tcp 0 37 192.168.0.50:46743 192.168.0.99:902 ESTABLISHED
- 08-06-2010 #8
This just shows the connections. I was looking for the process/program that was listening on the port.