* Local rule for Port Forward
From: Patrick Nelson @ 2003-04-25 16:45 UTC
To: Netfilter List
RH72 with iptables v1.2.5-3
I'm doing port forwarding to a server that runs jabber and everything
works fine. I did notice that if I bring up a jabber client on the
firewall itself I do not get connected. While this isn't really
needed... I don't totally understand why it doesn't work. Being
inquisitive... well I just gots to know why! Can anyone shed some
light?
My rules for the jabber port forward are:
iptables -A FORWARD \
    -i $ExIF -d $JabIP -p tcp --dport $JabPort \
    -j ACCEPT
iptables -A PREROUTING \
    -t nat -d $ExIP -p tcp --dport $JabPort \
    -j DNAT --to-destination $JabIP
iptables -A POSTROUTING \
    -t nat -d $JabIP -p tcp --dport $JabPort \
    -j SNAT --to-source $InIP
* Re: Local rule for Port Forward
From: David Gaudine @ 2003-04-25 21:12 UTC
To: Netfilter List
> I'm doing port forwarding to a server that runs jabber and everything
> works fine, I did notice that if I bring up a jabber client on the
> firewall itself I do not get connected. While this isn't really
> needed... I don't totally understand why it doesn't work. Being
> inquisitive... well I just gots to know why! Can anyone shed some
> light?
>
> My rules for the jabber port forward are:
>
> iptables -A FORWARD
> -i $ExIF -d $JabIP -p tcp --dport $JabPort
> -j ACCEPT
> iptables -A PREROUTING
> -t nat -d $ExIP -p tcp --dport $JabPort
> -j DNAT --to-destination $JabIP
> iptables -A POSTROUTING
> -t nat -d $JabIP -p tcp --dport $JabPort
> -j SNAT --to-source $InIP
I'm new at this, but shouldn't you have INPUT and OUTPUT rules
if you want to run something on the firewall? Maybe not, since
I've just mastered FORWARD, INPUT and OUTPUT and I haven't
figured out where PREROUTING and POSTROUTING come in
so maybe you're counting on them to do the job.
* Re: Local rule for Port Forward
From: Patrick Nelson @ 2003-04-26 8:05 UTC
To: Netfilter List
On Fri, 2003-04-25 at 14:12, David Gaudine wrote:
> > I'm doing port forwarding to a server that runs jabber and everything
> > works fine, I did notice that if I bring up a jabber client on the
> > firewall itself I do not get connected. While this isn't really
> > needed... I don't totally understand why it doesn't work. Being
> > inquisitive... well I just gots to know why! Can anyone shed some
> > light?
> >
> > My rules for the jabber port forward are:
> >
> > iptables -A FORWARD
> > -i $ExIF -d $JabIP -p tcp --dport $JabPort
> > -j ACCEPT
> > iptables -A PREROUTING
> > -t nat -d $ExIP -p tcp --dport $JabPort
> > -j DNAT --to-destination $JabIP
> > iptables -A POSTROUTING
> > -t nat -d $JabIP -p tcp --dport $JabPort
> > -j SNAT --to-source $InIP
>
> I'm new at this, but shouldn't you have INPUT and OUTPUT rules
> if you want to run something on the firewall? Maybe not, since
> I've just mastered FORWARD, INPUT and OUTPUT and I haven't
> figured out where PREROUTING and POSTROUTING come in
> so maybe you're counting on them to do the job.
>
Yes, and these are not the only rules in the script. But these are the
only ones that pertain to Jabber. Might be an INPUT/OUTPUT issue... I
just don't see why, seeing the local network has accept rights to the
firewall.
* RE: Local rule for Port Forward
From: Brad Morgan @ 2003-04-26 15:44 UTC
To: pnelson, 'Netfilter List'
> I'm doing port forwarding to a server that runs jabber and everything
> works fine, I did notice that if I bring up a jabber client on the
> firewall itself I do not get connected. While this isn't really
> needed... I don't totally understand why it doesn't work. Being
> inquisitive... well I just gots to know why! Can anyone shed some
> light?
>
> My rules for the jabber port forward are:
>
> iptables -A FORWARD
> -i $ExIF -d $JabIP -p tcp --dport $JabPort
> -j ACCEPT
> iptables -A PREROUTING
> -t nat -d $ExIP -p tcp --dport $JabPort
> -j DNAT --to-destination $JabIP
> iptables -A POSTROUTING
> -t nat -d $JabIP -p tcp --dport $JabPort
> -j SNAT --to-source $InIP
The reason why jabber doesn't work on the firewall is because the PREROUTING
rule sends the packet to the jabber server as requested. It never reaches the
INPUT chain or the client running on the firewall.
An excellent reference for how packets traverse the iptables chains can be
found at http://iptables-tutorial.frozentux.net by Oskar Andreasson. He
just posted a new version.
Regards,
Brad Morgan
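As an added example (not from the thread or any of its posters), the following Python models how a single packet traverses the nat and filter chains under the three rules posted above: an external client's packet is DNATed in PREROUTING, passed through FORWARD and SNATed in POSTROUTING, while a packet generated by a client on the firewall itself never sees PREROUTING and is checked against nat/OUTPUT instead. All addresses, the interface name and the OUTPUT_FIX rule are constructed assumptions, not values from the thread.

```python
# Added example, not from the thread: a tiny model of netfilter chain traversal
# for the three rules posted above.  Addresses/interface are constructed placeholders.
EX_IF, EX_IP, IN_IP, JAB_IP, JAB_PORT = "eth0", "203.0.113.10", "192.168.1.1", "192.168.1.20", 5222
LOCAL_IPS = {EX_IP, IN_IP, "127.0.0.1"}  # addresses owned by the firewall itself

def first_target(chain, pkt):
    """First rule whose matches (-i / -d / --dport) all fit the packet."""
    for rule in chain:
        if all(pkt.get(k) == v for k, v in rule["match"].items()):
            return rule["target"], rule.get("to")
    return None, None

def traverse(pkt, nat_prerouting, nat_output, filter_forward, nat_postrouting):
    """Return (where the packet ends up, packet after NAT).  Real netfilter
    consults the nat table only for a connection's first packet; this is one packet."""
    pkt = dict(pkt)
    # Locally generated packets never see PREROUTING; they hit nat/OUTPUT instead.
    target, to = first_target(nat_output if pkt["local_out"] else nat_prerouting, pkt)
    if target == "DNAT":
        pkt["dst"] = to
    # Routing decision after DNAT: a destination owned by this host goes to INPUT.
    if pkt["dst"] in LOCAL_IPS:
        return "INPUT", pkt
    if not pkt["local_out"]:  # forwarded traffic must pass filter/FORWARD
        if first_target(filter_forward, pkt)[0] != "ACCEPT":
            return "DROPPED", pkt
    target, to = first_target(nat_postrouting, pkt)
    if target == "SNAT":
        pkt["src"] = to
    return "ROUTED->" + pkt["dst"], pkt

# The poster's three rules, expressed as dicts.
PREROUTING = [{"match": {"dst": EX_IP, "dport": JAB_PORT}, "target": "DNAT", "to": JAB_IP}]
FORWARD = [{"match": {"in_if": EX_IF, "dst": JAB_IP, "dport": JAB_PORT}, "target": "ACCEPT"}]
POSTROUTING = [{"match": {"dst": JAB_IP, "dport": JAB_PORT}, "target": "SNAT", "to": IN_IP}]
# Hypothetical extra rule (not in the thread): the same DNAT in nat/OUTPUT, so a
# client on the firewall connecting to $ExIP is redirected as well.
OUTPUT_FIX = [{"match": {"dst": EX_IP, "dport": JAB_PORT}, "target": "DNAT", "to": JAB_IP}]

def external_client():
    pkt = {"src": "198.51.100.7", "dst": EX_IP, "dport": JAB_PORT, "in_if": EX_IF, "local_out": False}
    return traverse(pkt, PREROUTING, [], FORWARD, POSTROUTING)

def firewall_client(nat_output):
    pkt = {"src": IN_IP, "dst": EX_IP, "dport": JAB_PORT, "in_if": None, "local_out": True}
    return traverse(pkt, PREROUTING, nat_output, FORWARD, POSTROUTING)
if __name__ == "__main__":
    print(external_client())            # ROUTED->192.168.1.20, src rewritten to 192.168.1.1
    print(firewall_client([]))          # INPUT: nothing listens on the firewall, so no connection
    print(firewall_client(OUTPUT_FIX))  # ROUTED->192.168.1.20
```

The SNAT result for the external client also illustrates Andy Wood's point later in the thread: the jabber server sees every forwarded connection as coming from $InIP.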
* RE: Local rule for Port Forward
From: Andy Wood @ 2003-04-26 17:35 UTC
To: 'Netfilter List'; +Cc: pnelson
...perhaps it is self-governing. Best practices would dictate that
instant messaging on a firewall is a bad idea. The idea for a FW is minimal
packages, no permanent compilers, certainly not X and all of its user-ware.
It's remote-code-execution waitin' to happen.
Question, why do you SNAT external Jabber traffic to your FW's
internal IP? In doing that your server sees the traffic as originating from
$InIP, vice its true source.
> I'm doing port forwarding to a server that runs jabber and everything
> works fine, I did notice that if I bring up a jabber client on the
> firewall itself I do not get connected. While this isn't really
> needed... I don't totally understand why it doesn't work. Being
> inquisitive... well I just gots to know why! Can anyone shed some
> light?
>
> My rules for the jabber port forward are:
>
> iptables -A FORWARD
> -i $ExIF -d $JabIP -p tcp --dport $JabPort
> -j ACCEPT
> iptables -A PREROUTING
> -t nat -d $ExIP -p tcp --dport $JabPort
> -j DNAT --to-destination $JabIP
> iptables -A POSTROUTING
> -t nat -d $JabIP -p tcp --dport $JabPort
> -j SNAT --to-source $InIP
* RE: Local rule for Port Forward
From: Patrick Nelson @ 2003-04-30 21:04 UTC
To: 'Netfilter List'
On Sat, 2003-04-26 at 10:35, Andy Wood wrote:
> ...perhaps it is self-governing. Best practices would dictate that
> instant messaging on a firewall is a bad idea. The idea for a FW is minimal
> packages, no permanent compilers, certainly not X and all of its user-ware.
> It's remote-code-execution waitin' to happen.
>
> Question, why do you SNAT external Jabber traffic to your FW's
> internal IP? In doing that your server sees the traffic as originating from
> $InIP, vice its true source.
>
>
> > I'm doing port forwarding to a server that runs jabber and everything
> > works fine, I did notice that if I bring up a jabber client on the
> > firewall itself I do not get connected. While this isn't really
> > needed... I don't totally understand why it doesn't work. Being
> > inquisitive... well I just gots to know why! Can anyone shed some
> > light?
> >
> > My rules for the jabber port forward are:
> >
> > iptables -A FORWARD
> > -i $ExIF -d $JabIP -p tcp --dport $JabPort
> > -j ACCEPT
> > iptables -A PREROUTING
> > -t nat -d $ExIP -p tcp --dport $JabPort
> > -j DNAT --to-destination $JabIP
> > iptables -A POSTROUTING
> > -t nat -d $JabIP -p tcp --dport $JabPort
> > -j SNAT --to-source $InIP
>
Well, good question. At first I was going to say because it's the only
thing that made it work... I tried dropping the SNAT and this shut
everything down. So at first I was going to say, not sure why but it's
the only way it works... However...
I did notice that the jabber server itself locked up too. But this time
I left just the 2 rules in place without the SNAT when I restarted the
server. Oh my, all systems were able to connect. All in all I guess I
just put that rule in there because someone said... these are what I
use.
I think I understand a bit better how the dnat and snat stuff works.
Thanks for questioning it.
* Problems removing rules
From: Maurício S. Mudrik @ 2003-04-30 17:58 UTC
To: netfilter
I'm having a huge problem:
I have those rules:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:www to:192.168.0.1:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I inserted: iptables -t nat -I PREROUTING -s xxx.xxx.xxx.xxx -j RETURN
OK. The rule works fine.
Then I removed the RETURN (iptables -t nat -D PREROUTING -s xxx.xxx.xxx.xxx -j
RETURN) and... the IP still accesses some pages that it accessed before!
Why?
I need to redirect all internal requests to a specific page and then, after a
login, masquerade them to the Internet...
That's it.
Thanks in advance.
Maurício S. Mudrik