* FORWARD question
From: Nick @ 2003-11-20 20:27 UTC (permalink / raw)
To: netfilter
Hi everyone,
I have a question about PREROUTING and FORWARD.
I use those rules (amongst others) to reach the FTP
server on the LAN:
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP -i ppp0 --dport 21 -j DNAT --to $FTPSRVIP
$IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRVIP --dport 21 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRVIP --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRVIP --dport 1024:65535 --sport 1024:65535 -j ACCEPT
Does this mean that all traffic coming from the
internet for ports 1024:65535 will be forwarded
towards the FTP server ports 1024:65535 ?
What about traffic for ports 1024:65535 that should go
to other clients on the LAN ? Is it going to be
forwarded to the FTP server as well ? If yes, how
could I forward only FTP traffic to the FTP server ?
I hope I make sense. Thanks for any help
__________________________________
Do you Yahoo!?
Free Pop-Up Blocker - Get it now
http://companion.yahoo.com/
* Re: FORWARD question
From: Antony Stone @ 2003-11-20 20:51 UTC (permalink / raw)
To: netfilter
On Thursday 20 November 2003 8:27 pm, Nick wrote:
> Hi everyone,
>
> I have a question about PREROUTING and FORWARD.
>
> I use those rules (amongst others) to reach the FTP
> server on the LAN:
>
> $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP -i ppp0 --dport 21 -j DNAT --to $FTPSRVIP
>
> $IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRVIP --dport 21 -m state --state NEW -j ACCEPT
> $IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRVIP --dport 20 -j ACCEPT
> $IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRVIP --dport 1024:65535 --sport 1024:65535 -j ACCEPT
>
> Does this mean that all traffic coming from the
> internet for ports 1024:65535 will be forwarded
> towards the FTP server ports 1024:65535 ?
Yes. If you have public (routable) IP addresses on your LAN (unlikely, but
you didn't say) this will allow a large amount of port scanning to be
successful. If not, then packets can't be addressed to your LAN machines
anyway, so the final FORWARD rule will not do anything.
> What about traffic for ports 1024:65535 that should go
> to other clients on the LAN ? Is it going to be
> forwarded to the FTP server as well ?
No, because you are only performing NAT on packets sent to TCP port 21.
Packets sent to any other port will not be NATted, and will continue to their
original destination, assuming this was a routable address in the first place.
> If yes, how could I forward only FTP traffic to the FTP server ?
I really would recommend that you use connection tracking and the NAT helpers:
1. Compile your kernel, or load the modules (depending on personal
preference) for FTP conntrack and FTP nat.
2. Use the following rules:
iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 21 -j DNAT --to w.x.y.z
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d w.x.y.z -p tcp --dport 21 -j ACCEPT
Where a.b.c.d is your external (public) IP address, and w.x.y.z is the
internal (private) IP address of your FTP server.
Connection tracking means no need to worry about port 20, and no need to open
up all the high ports to people on the outside.
Regards,
Antony.
--
The only problem with the Universe as a platform, though, is that it is
currently running someone else's program.
- Ken Karakotsios, author of SimLife
Please reply to the list;
please don't CC me.
* Re: FORWARD question
From: Nick @ 2003-11-20 21:51 UTC (permalink / raw)
To: netfilter
Antony, first of all thanks for your answer :-) If
you don't mind I would like to clarify a few things.
I know the router 'remembers' things about packets, I
just don't know how much he remembers. That's where I
am right now.
I do use connection tracking, and I guess I use it
correctly. (Earlier I had posted only a part of my
script) I also have only one public IP, the FW machine
sends FTP requests to the FTP server on 192.168.0.12.
The only open port on the external NIC of the FW
machine is 21.
My complete forward rules are those:
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRV --dport 21 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRV --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRV --dport 1024:65535 --sport 1024:65535 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP -i ppp0 --dport 21 -j DNAT --to $FTPSRV
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s $LAN_IP_RANGE -j MASQUERADE
$INET_IP = public IP
$LAN_IFACE = internal NIC of the FW server
I use NEW when I forward to port 21 because I figured
the first FTP request will be new. Am I right ?
If I understand correctly, the router will pick up FTP
related traffic coming from the internet through ports
1024:65535 and forward it only to the FTP server
because I do PREROUTING to my FTP server ?
Does the router say: 'this packet that came through
port 1025 is FTP related and I will FORWARD it only
to the FTP server (because that's what PREROUTING tells
me) and this packet coming through port 1026 is for
client x.x.x.x (for which there is no PREROUTING) and
I will send it to only him' ?
If that's so, great :-) Thanks again for your help
* Re: FORWARD question
From: Antony Stone @ 2003-11-20 23:12 UTC (permalink / raw)
To: netfilter
On Thursday 20 November 2003 9:51 pm, Nick wrote:
> Antony, first of all thanks for your answer :-) If
> you don't mind I would like to clarify a few things.
>
> I know the router 'remembers' things about packets, I
> just don't know how much he remembers. That's where I
> am right now.
The connection tracking system remembers: source IP & port, destination IP &
port (4 values), and the ESTABLISHED state then matches reply packets with
source & destination reversed. The RELATED state will also match packets
with completely different port numbers, depending on the protocol involved
(this is where the FTP conntrack helper comes in).
> I do use connection tracking, and I guess I use it
> correctly. (Earlier I had posted only a part of my
> script) I also have only one public IP, the FW machine
> sends FTP requests to the FTP server on 192.168.0.12.
>
> The only open port on the external NIC of the FW
> machine is 21.
If that really is true (I wonder how you think you have closed all the other
ports?), then even FTP won't work, because it needs TCP port 20 as well (in
active mode).
> My complete forward rules are those:
>
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRV --dport 21 -m state --state NEW -j ACCEPT
>
> $IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRV --dport 20 -j ACCEPT
The above rule is redundant (see whether "iptables -L -n -v -x" shows any
packets having matched it) because of the "-m state" rule earlier.
> $IPTABLES -A FORWARD -i ppp0 -o $LAN_IFACE -p tcp -d $FTPSRV --dport 1024:65535 --sport 1024:65535 -j ACCEPT
Ditto.
> $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP -i ppp0 --dport 21 -j DNAT --to $FTPSRV
This forwards FTP requests to your FTP server.
> $IPTABLES -t nat -A POSTROUTING -o ppp0 -s $LAN_IP_RANGE -j MASQUERADE
This makes sure all outgoing packets have a public source address, so the
replies can get back to you.
> $INET_IP= public IP
> $LAN_IFACE=internal NIC of the FW server
>
> I use NEW when I forward to port 21 because I figured
> the first FTP request will be new. Am I right ?
Yes.
> If I understand correctly, the router will pick up FTP
> related traffic coming from the internet through ports
> 1024:65535 and forward it only to the FTP server
> because I do PREROUTING to my FTP server ?
The original packet coming in to your public IP address will be to port 21,
and will therefore be NATted to your internal FTP server.
All future packets will match ESTABLISHED or RELATED, and will therefore
match the first rule in your FORWARD chain. You do not need to worry about
packets other than the first one in your nat tables, because all future
packets are automagically NATted (in both directions) by the protocol nat
helper (this is why in my previous answer I said you should compile into your
kernel, or load as modules, the connection tracking and nat helpers for FTP).
> Does the router say: 'this packet that came through
> port 1025 is FTP related and I will FORWARD it only
> to the FTP server (because that's what PREROUTING tells
> me) and this packet coming through port 1026 is for
> client x.x.x.x (for which there is no PREROUTING) and
> I will send it to only him' ?
That depends on whether it is RELATED to an already ESTABLISHED ftp
connection.
Provided there was a PORT command sent over the FTP control channel to
specify data on port 1025, then yes. If there was no PORT command telling
the nat & conntrack helpers to expect a data connection on port 1025, then
that packet will not be allowed through, and your network remains secure.
Basically what I'm saying is that if you use the nat and conntrack ftp
helpers, your rules can be very simple and your network can be very secure,
both at the same time.
If you do not use the nat and conntrack helpers, it is very difficult to make
the ftp protocol both secure and functional at the same time.
> If that's so, great :-) Thanks again for your help
Try it and see :)
Antony.
--
What is this talk of software 'release' ?
Our software evolves and matures until it becomes capable of escape, leaving
a bloody trail of designers and quality assurance people in its wake.
Please reply to the list;
please don't CC me.
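Antony's description of the conntrack table (the 4-tuple, ESTABLISHED matched with the tuple reversed, RELATED created by the FTP helper), of why a packet to port 1025 is only let through after a PORT command, and the later INPUT-versus-FORWARD correction can all be traced with a small model. The Python below is an added illustration, not code from the thread or from netfilter: it models PREROUTING DNAT, the routing decision, the state table and the FTP helper for both the PORT (active) and 227 (passive) cases, which goes beyond the PORT case Antony describes. The public address 203.0.113.5, the client address 198.51.100.7 and all port numbers are constructed; 192.168.0.12 is the server address from the thread.

```python
import re
from typing import NamedTuple
INET_IP = "203.0.113.5"    # constructed public address of the firewall (ppp0)
FTPSRV = "192.168.0.12"    # LAN FTP server address from the thread
LAN_NET = "192.168.0."     # $LAN_IP_RANGE, as a prefix


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""      # p[:4] is the conntrack 4-tuple


class Firewall:
    def __init__(self):
        self.conns = []    # (original tuple, reply tuple); the reply side carries the NAT
        self.expect = {}   # (src, dst, dport) -> translated (dst, dport) or None

    def _lookup(self, p):
        for orig, reply in self.conns:
            if p[:4] in (orig, reply):
                return orig, reply

    def state(self, p):
        """What '-m state' sees: ESTABLISHED either way round, RELATED only if expected."""
        if self._lookup(p):
            return "ESTABLISHED"
        return "RELATED" if (p.src, p.dst, p.dport) in self.expect else "NEW"

    def prerouting(self, p):
        """nat PREROUTING: the DNAT rule only sees the first packet; the rest is conntrack."""
        hit = self._lookup(p)
        if hit:                                 # rewrite into the reverse of the other side
            orig, reply = hit
            other = reply if p[:4] == orig else orig
            return Packet(other[2], other[3], other[0], other[1], p.payload)
        nat = self.expect.get((p.src, p.dst, p.dport))
        if nat:                                 # expected data connection crossing the DNAT
            return p._replace(dst=nat[0], dport=nat[1])
        if p.dst == INET_IP and p.dport == 21:  # -d $INET_IP --dport 21 -j DNAT --to $FTPSRV
            return p._replace(dst=FTPSRV)
        return p

    def filter(self, chain, st, q):
        if st in ("ESTABLISHED", "RELATED"):    # -m state --state ESTABLISHED,RELATED -j ACCEPT
            return "ACCEPT"
        if chain == "FORWARD" and q.dst == FTPSRV and q.dport == 21:
            return "ACCEPT"                     # -A FORWARD -d $FTPSRV -p tcp --dport 21 -j ACCEPT
        return "DROP"                           # policy DROP on both INPUT and FORWARD

    def handle(self, p):
        """Return (chain, state, verdict) for one packet entering the box."""
        st = self.state(p)                      # conntrack classifies the untranslated packet
        q = self.prerouting(p)
        chain = "INPUT" if q.dst == INET_IP else "FORWARD"   # the routing decision
        verdict = self.filter(chain, st, q)
        if verdict == "ACCEPT":
            if st != "ESTABLISHED":             # confirm the entry; its reply side is NATted
                masq = q.src.startswith(LAN_NET) and not q.dst.startswith(LAN_NET)  # -o ppp0
                self.conns.append((p[:4], (q.dst, q.dport, INET_IP if masq else q.src, q.sport)))
                self.expect.pop((p.src, p.dst, p.dport), None)   # an expectation is single-use
            self._ftp_helper(q)
        return chain, st, verdict

    def _ftp_helper(self, q):
        """ip_conntrack_ftp / ip_nat_ftp: expect the data connection named on the control channel."""
        if q.dport == 21:    # client -> server "PORT h1,h2,h3,h4,p1,p2": server will connect out
            m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", q.payload)
            if m:
                self.expect[(q.dst, ".".join(m.groups()[:4]), int(m[5]) * 256 + int(m[6]))] = None
        elif q.sport == 21:  # server -> client "227 ... (h1,h2,h3,h4,p1,p2)": client will connect in
            m = re.search(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", q.payload)
            if m:            # it arrives at the public IP, so the helper must DNAT it too
                port = int(m[5]) * 256 + int(m[6])
                self.expect[(q.dst, INET_IP, port)] = (FTPSRV, port)


def demo():
    fw, c, out = Firewall(), "198.51.100.7", {}
    out["syn"] = fw.handle(Packet(c, 40000, INET_IP, 21))
    out["port_cmd"] = fw.handle(Packet(c, 40000, INET_IP, 21, "PORT 198,51,100,7,4,1"))
    out["active_data"] = fw.handle(Packet(FTPSRV, 20, c, 1025))
    out["active_ack"] = fw.handle(Packet(c, 1025, INET_IP, 20))
    out["pasv_reply"] = fw.handle(Packet(FTPSRV, 21, c, 40000, "227 Entering Passive Mode (203,0,113,5,4,2)"))
    out["stray_high"] = fw.handle(Packet("192.0.2.9", 1026, INET_IP, 1026))
    out["pasv_data"] = fw.handle(Packet(c, 40001, INET_IP, 1026))
    return out
```

Each value returned by demo() is (chain, state, verdict): the unsolicited packet to the public IP's port 1026 reaches INPUT as NEW and is dropped, while the client's announced passive data connection to the same port is RELATED, DNATted and accepted in FORWARD.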
* Re: FORWARD question
From: Nick @ 2003-11-21 10:42 UTC (permalink / raw)
To: netfilter
Thanks Antony, I got it. Once nat and conntrack
helpers are implemented correctly, I don't have to
worry about it anymore :-)
There is one last thing, though (I promise it's the
last one ;-)
When I said that only port 21 is open I meant that on
the router machine only this port accepts NEW client
connections. The other ports will accept only
ESTABLISHED and RELATED. I defined this in my INPUT
rules.
Do I need to accept NEW client connections to port 20
as well ? I know it's used for active FTP and I
thought FTP client never sends NEW to port 20, only
ESTABLISHED.
What do you think? I appreciate your help
* Re: FORWARD question
From: Antony Stone @ 2003-11-21 11:34 UTC (permalink / raw)
To: netfilter
On Friday 21 November 2003 10:42 am, Nick wrote:
> Thanks Antony, I got it. Once nat and conntrack
> helpers are implemented correctly, I don't have to
> worry about it anymore :-)
>
> There is one last thing, though (I promise it's the
> last one ;-)
>
> When I said that only port 21 is open I meant that on
> the router machine only this port accepts NEW client
> connections. The other ports will accept only
> ESTABLISHED and RELATED. I defined this in my INPUT
> rules.
I hope you didn't define them in INPUT :) I hope you mean FORWARD!?
The INPUT chain is *only* used for packets which are addressed *to* the
firewall machine itself - not for packets which are being routed through it
to some other machine. Those packets go through FORWARD.
> Do I need to accept NEW client connections to port 20
> as well ? I know it's used for active FTP and I
> thought FTP client never sends NEW to port 20, only
> ESTABLISHED.
No, packets coming in on port 20 as part of an active FTP connection will
count as RELATED.
That's the magic of protocol helpers :)
Antony.
--
Success is a lousy teacher. It seduces smart people into thinking they
can't lose.
- William H Gates III
Please reply to the list;
please don't CC me.
* Re: FORWARD question
From: Nick @ 2003-11-21 11:59 UTC (permalink / raw)
To: netfilter
Antony, I thought I had it all figured out.
Apparently, I don't... :-(
On the routing machine the INPUT looks something like
this:
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
So, if I understand what you're saying, I shouldn't
have this
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
in my INPUT. I should have it in FORWARD. Right ?
I thought it should be in INPUT so that the router
'gets' the incoming request, and once it has it, it
will FORWARD it to the LAN server.
Now, if this rule should be in the FORWARD, what
should I have in INPUT in order to accept NEW FTP
requests ? Or is FORWARD doing this automatically ?
I promised that the previous message would be the last
one. Sorry for breaking my promise :-)
* Re: FORWARD question
From: Antony Stone @ 2003-11-21 12:38 UTC (permalink / raw)
To: netfilter
On Friday 21 November 2003 11:59 am, Nick wrote:
> Antony, I thought I had it all figured out.
> Apparently, I don't... :-(
>
> I thought it should be in INPUT so that the router
> 'gets' the incoming request, and once it has it, it
> will FORWARD it to the LAN server.
No no no no no no no :))
Packets being routed do not go through FORWARD (you didn't used to use
ipchains, did you? Your idea is the way that system used to work...)
> Now, if this rule should be in the FORWARD, what
> should I have in INPUT in order to accept NEW FTP
> requests ? Or is FORWARD doing this automatically ?
See
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES
> I promised that the previous message would be the last
> one. Sorry for breaking my promise :-)
No problem. You'll probably have another one in a week or so, when you want
to do something even more exciting :)
Antony.
--
Because it completely breaks the way people normally read things.
Why is top-posting bad?
It means writing your reply above whatever you're replying to.
What does top-post mean?
Please don't top-post in email replies.
Please reply to the list;
please don't CC me.
* Re: FORWARD question
From: Antony Stone @ 2003-11-21 13:08 UTC (permalink / raw)
To: netfilter
On Friday 21 November 2003 12:38 pm, Antony Stone wrote something completely
stupid and sent it to the list.
I said "packets being routed do not go through FORWARD". This is completely
wrong, and I should have said "packets being routed do not go through INPUT".
They definitely do go through FORWARD.
Corrected version of my previous response below :)
> On Friday 21 November 2003 11:59 am, Nick wrote:
> > Antony, I thought I had it all figured out.
> > Apparently, I don't... :-(
> >
> > I thought it should be in INPUT so that the router
> > 'gets' the incoming request, and once it has it, it
> > will FORWARD it to the LAN server.
>
> No no no no no no no :))
Packets being routed do not go through INPUT (you didn't used to use
ipchains, did you? Your idea is the way that system used to work...)
> > Now, if this rule should be in the FORWARD, what
> > should I have in INPUT in order to accept NEW FTP
> > requests ? Or is FORWARD doing this automatically ?
>
> See
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES
>
> > I promised that the previous message would be the last
> > one. Sorry for breaking my promise :-)
>
> No problem. You'll probably have another one in a week or so, when you
> want to do something even more exciting :)
>
> Antony.
--
How should I know if it works? That's what beta testers are for. I only
coded it.
- Linus Torvalds
Please reply to the list;
please don't CC me.
* Re: FORWARD question
From: Nick @ 2003-11-21 13:24 UTC (permalink / raw)
To: netfilter
Now I really start getting it ! Thanks again Antony
:-), and again, and again, and...
Thanks for the link. I had read that tutorial but
obviously reading it was not enough. Now when I
actually start using it I begin to understand the
theory. It's cool, I like it...
So, basically when I FORWARD FTP requests to the FTP
server I don't need INPUT, unless the server is on the
routing machine. INPUT is being used only for the
routing machine.
I guess if I wanted to set up a firewall on the FTP
machine, then I would use INPUT on that machine.
OK, I'll experiment with it :-)
P.S. I read the correction. Now I understand enough to
realize that it was only a typo ;-)
* Re: FORWARD question
From: Jeffrey Laramie @ 2003-11-21 13:50 UTC (permalink / raw)
To: netfilter
Nick wrote:
>Now I really start getting it ! Thanks again Antony
>:-), and again, and again, and...
>
>Thanks for the link. I had read that tutorial but
>obviously reading it was not enough. Now when I
>actually start using it I begin to understand the
>theory. It's cool, I like it...
>
>So, basically when I FORWARD FTP requests to the FTP
>server I don't need INPUT, unless the server is on the
>routing machine. INPUT is being used only for the
>routing machine.
>
>
Keep in mind that without putting any rules on the INPUT chain your
firewall box is either totally open or totally closed (i.e. iptables -t
filter -P INPUT ACCEPT or DROP). Generally you need rules on both the
INPUT and FORWARD chains although the rules will be somewhat different.
Take a look at Oskar's sample scripts.
>I guess if I wanted to set up a firewall on the FTP
>machine, then I would use INPUT on that machine.
>
>
Yes, but you probably ought to anyway.
>OK, I'll experiment with it :-)
>
>P.S. I read the correction. Now I understand enough to
>realize that it was only a typo ;-)
>
>
Indeed. Antony, screw up like that again and I'll have to fire you!! ;-)
Jeff
* Re: FORWARD question
From: Nick @ 2003-11-21 14:06 UTC (permalink / raw)
To: netfilter
Thanks, Jeff. I have been using one of Oskar's scripts
with some changes in it for quite a while now.
I got confused when I started using the LAN FTP, but
now I gradually start getting back on track :-)
* Re: FORWARD question
From: Antony Stone @ 2003-11-21 14:11 UTC (permalink / raw)
To: netfilter
On Friday 21 November 2003 1:50 pm, Jeffrey Laramie wrote:
> Indeed. Antony, screw up like that again and I'll have to fire you!! ;-)
Indeed. I think you'll find I've already done it myself by then though :)
Antony.
--
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics
Please reply to the list;
please don't CC me.
* redirect squid to other proxy(windows) hearing in port 80
From: Guillermo @ 2003-11-21 16:19 UTC (permalink / raw)
To: netfilter
Hello!!
I need help with iptables and the Squid proxy...
I have a Linux proxy for tests and it is connected to the internal net
(LAN), but I need this Squid to pass all requests through a Win2000 proxy that is
listening on port 80 (see the picture)
computers ----->squid-linux(listens on port 3128)---->win2000-proxy(listens on port 80)----->internet (https-DNS)
My problem is that apparently the DNS requests (port 53) do not arrive at the
DNS server.
How must I set up IPTABLES to redirect these DNS packets (TCP and UDP) to the
Win2000 proxy???
Or must I set up SQUID for this???
Or must I install a BIND DNS on my Linux box??
Any help will be welcome...
Thanks
P.S. Sorry for my English.... I don't speak English very well..
* Re: redirect squid to other proxy(windows) hearing in port 80
From: Antony Stone @ 2003-11-21 16:43 UTC (permalink / raw)
To: netfilter
On Friday 21 November 2003 4:19 pm, Guillermo wrote:
> Hello!!
> I need help with iptables and the Squid proxy...
> I have a Linux proxy for tests and it is connected to the internal net
> (LAN), but I need this Squid to pass all requests through a Win2000 proxy that is
> listening on port 80 (see the picture)
>
> computers ----->squid-linux(listens on port 3128)---->win2000-proxy(listens on port 80)----->internet (https-DNS)
>
> My problem is that apparently the DNS requests (port 53) do not arrive at
> the DNS server.
DNS from which machine/s? The clients, or the proxy/ies? (In a proxy
setup the clients will use DNS because they always do, and the proxy will use
DNS because it needs to contact the real server).
> How must I set up IPTABLES to redirect these DNS packets (TCP and UDP) to
> the Win2000 proxy???
It's not clear to me from the above diagram which computer is running
netfilter (iptables). Tell us this and we can suggest how to redirect your
DNS requests (if indeed that is the problem).
> Or must I set up SQUID for this???
Indeed - I would actually recommend that you chain the proxies together using
the squid configuration file, so that they know how they're interconnected.
> Or must I install a BIND DNS on my Linux box??
That would not be a bad idea at all. If you're running a caching proxy, it
can benefit quite a bit from having a (very) local DNS server as well.
> P.S. Sorry for my English.... I don't speak English very well..
No problem at all.
Antony.
--
Windows: just another pane in the glass.
Please reply to the list;
please don't CC me.
* Re: redirect squid to other proxy(windows) hearing in port 80
From: Antony Stone @ 2003-11-21 16:44 UTC (permalink / raw)
To: netfilter
On Friday 21 November 2003 4:43 pm, Antony Stone wrote:
> On Friday 21 November 2003 4:19 pm, Guillermo wrote:
> > Hello!!
> > I need help with iptables and the Squid proxy...
> > I have a Linux proxy for tests and it is connected to the internal net
> > (LAN), but I need this Squid to pass all requests through a Win2000 proxy that is
> > listening on port 80 (see the picture)
> >
> > computers ----->squid-linux(listens on port 3128)---->win2000-proxy(listens on port 80)----->internet (https-DNS)
> Indeed - I would actually recommend that you chain the proxies together
> using the squid configuration file, so that they know how they're
> interconnected.
Oh, I forgot to ask - why do you want to have two proxies involved anyway
(especially when one of them is running W2k)?
Antony.
--
The idea that Bill Gates appeared like a knight in shining armour
to lead all customers out of a mire of technological chaos
neatly ignores the fact that it was he who, by peddling
second-rate technology, led them into it in the first place.
- Douglas Adams in The Guardian, August 25, 1995
Please reply to the list;
please don't CC me.