* Is it possible connecting to a forwarded port from inside the network?
@ 2003-03-16 19:18 Jiwei Wang
From: Jiwei Wang @ 2003-03-16 19:18 UTC (permalink / raw)
To: netfilter
Hello,
I'm using iptables on a RedHat 8.0 box to do firewalling and port
forwarding. The port-forwarding works perfectly when accessed from outside
my internal networks. However, I cannot access the forwarded ports from
inside the network.
I tried to use two IP addresses to do this. That is, I have public IP
addresses a.b.c.x and a.b.c.y both assigned to my Internet facing eth0; I
use a.b.c.x for SNAT and a.b.c.y for DNAT port forwarding (a.b.c.y:80 is
forwarded to an internal host port 80); from the Internet a.b.c.y:80 works
ok, but I still cannot access a.b.c.y:80 from any of my internal box.
This setup worked before with ipchains + ipvsadmin on Redhat 6.2.
I'd appreciate any suggestions.
Jiwei
* Re: Is it possible connecting to a forwarded port from inside the network?
From: Joel Newkirk @ 2003-03-16 20:03 UTC (permalink / raw)
To: Jiwei Wang, netfilter
On Sunday 16 March 2003 02:18 pm, Jiwei Wang wrote:
> Hello,
>
> I'm using iptables on a RedHat 8.0 box to do firewalling and port
> forwarding. The port-forwarding works perfectly when accessed from
> outside my internal networks. However, I cannot access the forwarded
> ports from inside the network.
>
> I tried to use two IP addresses to do this. That is, I have public IP
> addresses a.b.c.x and a.b.c.y both assigned to my Internet facing
> eth0; I use a.b.c.x for SNAT and a.b.c.y for DNAT port forwarding
> (a.b.c.y:80 is forwarded to an internal host port 80); from the
> Internet a.b.c.y:80 works ok, but I still cannot access a.b.c.y:80
> from any of my internal box.
add this, where d.e.f.y is the IP of the internal host, and d.e.f.z is
the internal IP of the firewalling box:
iptables -t nat -A POSTROUTING -o eth1 -d d.e.f.y -p tcp --dport 80 -j
SNAT --to d.e.f.z
This will force a.b.c.y to respond to the firewall instead of directly to
the client, so that the reverse DNAT can take place. As it stands, the
server is probably trying to reply directly to the client, which is
discarding the reply. (it's waiting for a response from a.b.c.y, not
d.e.f.y!) Once the reply comes back to the firewall, it will undo the
SNAT, setting the destination of the reply back to the original client,
then it will undo the DNAT, setting the 'source' of the reply back to
the public IP a.b.c.y.
j
* Re: Is it possible connecting to a forwarded port from inside the network?
From: Cedric Blancher @ 2003-03-16 20:25 UTC (permalink / raw)
To: Jiwei Wang; +Cc: netfilter
On Sun 16/03/2003 at 20:18, Jiwei Wang wrote:
> I'm using iptables on a RedHat 8.0 box to do firewalling and port
> forwarding. The port-forwarding works perfectly when accessed from outside
> my internal networks. However, I cannot access the forwarded ports from
> inside the network.
A quite common issue...
> I tried to use two IP addresses to do this. That is, I have public IP
> addresses a.b.c.x and a.b.c.y both assigned to my Internet facing eth0; I
> use a.b.c.x for SNAT and a.b.c.y for DNAT port forwarding (a.b.c.y:80 is
> forwarded to an internal host port 80); from the Internet a.b.c.y:80 works
> ok, but I still cannot access a.b.c.y:80 from any of my internal box.
Suppose the internal network is 192.168.10.0/24 (or whatever, it is not the
point), 192.168.10.1 is the firewall's inner IP and a.b.c.y:80 is DNATed to
192.168.10.2:80.
Internet------ FW ------- 192.168.10.0/24
Now 192.168.10.10 wants to reach a.b.c.y:80. It sends a packet to
192.168.10.1, which operates DNAT on it :
a.b.c.y:80 ---> 192.168.10.2:80
The packet gets routed and 192.168.10.2 receives a SYN from 192.168.10.10.
According to its routing table, 192.168.10.0/24 is an attached network.
To send a response back (SYN-ACK), it does not need the help of the gateway,
as it can send it directly on the wire (same network as the source). So it
sends the SYN-ACK directly to 192.168.10.10.
192.168.10.10 now receives a SYN-ACK from 192.168.10.2, but has no
connection in progress with this host and sends back a RST. It is still
waiting for a SYN-ACK from a.b.c.y, and the connection times out, for you
never get it.
To be short, to achieve this properly, you have to SNAT these
connections on the gw for the internal network.
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d a.b.c.y \
-j SNAT --to-source 192.168.10.1
--
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security expert - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
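The walk-through above can be verified on the gateway itself by looking at the
connection-tracking entry the flow leaves behind. What follows is an added
example, not part of the thread: a small awk classifier over lines in the
/proc/net/ip_conntrack format of 2.4 / early 2.6 kernels (the same tuples are
shown by /proc/net/nf_conntrack or `conntrack -L` on current kernels). The
sample entries are constructed; 203.0.113.80 stands in for a.b.c.y, the LAN is
192.168.10.0/24 as in the post, and the client addresses are made up. A LAN
connection whose reply tuple points back at the client instead of at the
gateway's inner address is exactly the failure described: the server answers
the client directly, the gateway never sees the SYN-ACK, and the entry stays
SYN_SENT / [UNREPLIED] until it times out.

```shell
# Added example (not from the thread): classify ip_conntrack entries for a
# DNATed service and tell a correctly hairpinned LAN connection from one
# whose POSTROUTING SNAT rule is missing.
#
# Usage: classify_hairpin PUB_IP SRV_IP GW_LAN_IP LAN_PREFIX PORT < conntrack-lines
# Prints one word per TCP/UDP entry:
#   hairpin-ok       LAN client -> PUB_IP, reply goes to the gateway (SNAT in place)
#   hairpin-no-snat  LAN client -> PUB_IP, reply goes straight to the client
#   no-dnat          destined to PUB_IP:PORT but not rewritten to the server
#   external-ok      Internet client -> PUB_IP, no SNAT needed or present
#   other            entry belongs to some other service
classify_hairpin() {
    awk -v pub="$1" -v srv="$2" -v gw="$3" -v lanp="$4" -v port="$5" '
    $1 != "tcp" && $1 != "udp" { next }
    {
        # Collect the src=/dst=/sport=/dport= fields in order: the first four
        # are the original direction, the next four the reply direction
        # (the state word and [UNREPLIED]/[ASSURED] tokens are skipped).
        n = 0; split("", v)
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(src|dst|sport|dport)=/) { split($i, kv, "="); v[++n] = kv[2] }
        if (n < 8) next
        osrc = v[1]; odst = v[2]; odport = v[4]; rsrc = v[5]; rdst = v[6]
        if (odst != pub || odport != port) { print "other"; next }
        if (rsrc != srv) { print "no-dnat"; next }
        if (index(osrc, lanp) == 1) {
            # Connection originated on the LAN: the reply must come back to
            # the gateway so it can undo the SNAT and then the DNAT.
            if (rdst == gw) print "hairpin-ok"
            else if (rdst == osrc) print "hairpin-no-snat"
            else print "unexpected"
        } else {
            # Internet client: the server may reply to it directly, the
            # gateway is its default route anyway.
            if (rdst == osrc) print "external-ok"
            else print "unexpected"
        }
    }'
}

# Constructed sample in /proc/net/ip_conntrack format:
#   proto num timeout [state] <original tuple> [UNREPLIED] <reply tuple> [ASSURED] use=N
# 203.0.113.80 stands in for a.b.c.y, 203.0.113.79 for the a.b.c.x SNAT address.
SAMPLE_CONNTRACK='tcp      6 431995 ESTABLISHED src=192.168.10.10 dst=203.0.113.80 sport=33412 dport=80 src=192.168.10.2 dst=192.168.10.1 sport=80 dport=33412 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.10.11 dst=203.0.113.80 sport=33413 dport=80 [UNREPLIED] src=192.168.10.2 dst=192.168.10.11 sport=80 dport=33413 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.80 sport=51000 dport=80 src=192.168.10.2 dst=198.51.100.7 sport=80 dport=51000 [ASSURED] use=1
udp      17 29 src=192.168.10.10 dst=203.0.113.1 sport=5353 dport=53 [UNREPLIED] src=203.0.113.1 dst=203.0.113.79 sport=53 dport=5353 use=1'

# Run the classifier over the sample.  On a live gateway:
#   classify_hairpin 203.0.113.80 192.168.10.2 192.168.10.1 192.168.10. 80 < /proc/net/ip_conntrack
demo_classify() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | classify_hairpin 203.0.113.80 192.168.10.2 192.168.10.1 192.168.10. 80
}
```

The second sample line is what a client sees as a hang: one SYN through the
gateway, a SYN-ACK arriving from the wrong address, a RST sent straight back
to the server, and nothing further for the gateway to track.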
* RE: Is it possible connecting to a forwarded port from inside the network?
From: Jiwei Wang @ 2003-03-16 22:40 UTC (permalink / raw)
To: netfilter, netfilter
Thanks Joel. It works like a charm.
Jiwei
* Re: Is it possible connecting to a forwarded port from inside the network?
From: alexb @ 2003-03-17 18:17 UTC (permalink / raw)
To: netfilter; +Cc: netfilter
And on the Gateway? It seems that the PREROUTING DNAT on the OUTPUT chain has
some problems. It seems that the replies to connections started at the Gateway
to the DNATed ip:port don't get un-DNATed when they come back to the INPUT chain.
Example
|
| 200.200.200.200
-------
| GW |
| |
-------
| 192.168.200.1/24
|
|--|--|--|--|
| | | | |
| 192.168.200.200 DNS Server
iptables -t nat -A PREROUTING -p tcp -d 200.200.200.200 --dport 53 -j DNAT --to 192.168.200.200:53
iptables -t nat -A PREROUTING -p udp -d 200.200.200.200 --dport 53 -j DNAT --to 192.168.200.200:53
iptables -t nat -A OUTPUT -p tcp -d 200.200.200.200 --dport 53 -j DNAT --to 192.168.200.200:53
iptables -t nat -A OUTPUT -p udp -d 200.200.200.200 --dport 53 -j DNAT --to 192.168.200.200:53
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.200.200 -p tcp --dport 53 -j SNAT --to 192.168.200.1
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.200.200 -p udp --dport 53 -j SNAT --to 192.168.200.1
But the GW can't use 200.200.200.200 as its DNS server, while external and
internal hosts can.
Alex
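Joel's rule and Cédric's rule each carry one half of the restriction a
practitioner wants on the hairpin SNAT: Joel's matches the outgoing interface,
protocol and port but any source, so Internet clients are masked too and the
server loses their real addresses; Cédric's matches only the internal source
network. The function below, an added example and not any poster's
configuration, emits a complete rule set that combines both, together with the
FORWARD rules the rewritten packets still have to pass. Interface names and
addresses are arguments; the values in the usage line are made up (203.0.113.80
stands in for a.b.c.y). The rules are printed rather than applied unless
DRY_RUN=0 is set, so the script runs without root. For the gateway's own
processes, alexb's case, a second function emits the nat OUTPUT DNAT, which is
the hook for locally generated packets. One thing to check there: alexb's
POSTROUTING rules match only sources inside 192.168.200.0/24, while a packet the
gateway generates for its own public address carries whatever source address
routing chose for it, so inspect the entry the flow leaves in
/proc/net/ip_conntrack before assuming the SNAT matched. The simplest option for
the gateway's own processes is usually to address the internal server directly.

```shell
# Added example, not the thread's own configuration: emit (or, with
# DRY_RUN=0, apply) a complete hairpin-NAT rule set for one forwarded TCP
# port.  All names and addresses are hypothetical arguments.
#
# Usage: hairpin_nat_rules LAN_IF PUB_IP SRV_IP GW_LAN_IP LAN_NET PORT
hairpin_nat_rules() {
    lan_if=$1 pub_ip=$2 srv_ip=$3 gw_lan_ip=$4 lan_net=$5 port=$6
    cat <<EOF
# 1. DNAT for everything that arrives for $pub_ip:$port.  No -i match here:
#    packets from the LAN arrive on $lan_if and must be rewritten as well.
iptables -t nat -A PREROUTING -d $pub_ip -p tcp --dport $port -j DNAT --to-destination $srv_ip:$port
# 2. The rewritten packets still have to pass the filter table (redundant if
#    your FORWARD policy is ACCEPT).
iptables -A FORWARD -d $srv_ip -p tcp --dport $port -j ACCEPT
iptables -A FORWARD -s $srv_ip -p tcp --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Hairpin SNAT, restricted to connections that originate on the LAN.
#    The server then answers $gw_lan_ip; the gateway un-SNATs and un-DNATs
#    the reply so the client sees it come from $pub_ip.  Internet clients
#    are not matched, so the server keeps their real addresses in its logs.
iptables -t nat -A POSTROUTING -o $lan_if -s $lan_net -d $srv_ip -p tcp --dport $port -j SNAT --to-source $gw_lan_ip
EOF
}

# Variant for the gateway's own processes: locally generated packets never
# traverse PREROUTING, so the DNAT has to sit in the nat OUTPUT chain.
# Usage: hairpin_nat_rules_gateway_local PUB_IP SRV_IP PORT
hairpin_nat_rules_gateway_local() {
    pub_ip=$1 srv_ip=$2 port=$3
    cat <<EOF
iptables -t nat -A OUTPUT -d $pub_ip -p tcp --dport $port -j DNAT --to-destination $srv_ip:$port
EOF
}

# Print by default; run the commands only when DRY_RUN=0 is set explicitly.
apply_hairpin_nat_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        hairpin_nat_rules "$@"
    else
        hairpin_nat_rules "$@" | sh -e
    fi
}

# Example invocation (prints the rules):
#   apply_hairpin_nat_rules eth1 203.0.113.80 192.168.10.2 192.168.10.1 192.168.10.0/24 80
```

Because the POSTROUTING rule matches after the DNAT has already happened, it
is written against the server's internal address and the unchanged port, not
against the public address.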