* Re: forwarding
2002-07-08 3:25 forwarding Tim
@ 2002-07-08 0:30 ` Antony Stone
[not found] ` <003801c22632$521c93a0$1606d6d1@nebuchadnezza>
0 siblings, 1 reply; 38+ messages in thread
From: Antony Stone @ 2002-07-08 0:30 UTC (permalink / raw)
To: iptables-list
On Monday 08 July 2002 4:25 am, Tim wrote:
> Well, it looks like my netfilter rules/commands are not forwarding even
> though I have
>
> ## Routing packets (traffic) between INTERNAL and DMZ
> "echo "1" /proc/sys/net/ipv4/ip_forward"
That really says
echo 1 >/proc/sys/net/ipv4/ip_forward
or
echo "1" >/proc/sys/net/ipv4/ip_forward
doesn't it ?
(Note specifically the > sign)
Antony.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: forwarding
[not found] ` <003801c22632$521c93a0$1606d6d1@nebuchadnezza>
@ 2002-07-08 0:53 ` Antony Stone
2002-07-08 4:03 ` forwarding Tim
0 siblings, 1 reply; 38+ messages in thread
From: Antony Stone @ 2002-07-08 0:53 UTC (permalink / raw)
To: netfilter
On Monday 08 July 2002 4:47 am, Tim wrote:
> yes...it does say echo 1 > /proc/sys/net/ipv4/ip_forward .... and when I
> look in the file it has the number 1 in it, as it should according to this
> command.
Okay, what's the output of
iptables -L -n -v -x
iptables -L -n -v -x -t nat
after you've tried to send some packets through the machine ?
Oh, and just to be sure - how do you know your machine isn't forwarding
packets? What happens / doesn't happen to tell you it's not working?
Oh, and by the way - what are the addresses / netmasks on your Internal / DMZ
interfaces, and what's your routing table ?
Antony.
> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: "iptables-list" <netfilter@lists.samba.org>
> Sent: Sunday, July 07, 2002 5:30 PM
> Subject: Re: forwarding
>
> > On Monday 08 July 2002 4:25 am, Tim wrote:
> > > Well, it looks like my netfilter rules/commands are not forwarding even
> > > though I have
> > >
> > > ## Routing packets (traffic) between INTERNAL and DMZ
> > > "echo "1" /proc/sys/net/ipv4/ip_forward"
> >
> > That really says
> > echo 1 >/proc/sys/net/ipv4/ip_forward
> > or
> > echo "1" >/proc/sys/net/ipv4/ip_forward
> > doesn't it ?
> >
> > (Note specifically the > sign)
> >
> >
> >
> > Antony.
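An added example, not part of the thread and not Antony's or Tim's code: the checks Antony is asking for, as a POSIX shell script. It confirms that ip_forward really reads 1 and then parses the counters from `iptables -L FORWARD -n -v -x` to show whether packets are reaching the FORWARD chain at all and which rules they hit. The counter output embedded below is constructed for the offline self-test (interface names eth1/eth2 are chosen for the sample); run the script with --live as root to query the real kernel.

```shell
#!/bin/sh
# Added example (not from the thread): is ip_forward really on, and do
# packets reach the FORWARD rules?  The second question is answered by the
# per-rule packet counters that `iptables -L FORWARD -n -v -x` prints.

# Succeeds when forwarding is enabled. The path argument exists only so the
# check can be exercised against a test file; normally the default is used.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Reads `iptables -L FORWARD -n -v -x` on stdin and prints the number of
# packets handled by the chain's default policy. A growing DROP count here
# means packets do arrive at FORWARD but match none of the rules, which for
# a script like Tim's points at the -i/-o interface names.
forward_policy_count() {
    awk '/^Chain FORWARD/ { gsub(/[(),]/, ""); print $5; exit }'
}

# Same input; prints every FORWARD rule whose packet counter is still zero,
# numbered in chain order, as "<n> <target> <in>-><out> <src> <dst>".
unmatched_forward_rules() {
    awk '
        /^Chain / { in_fwd = ($2 == "FORWARD"); next }
        /^ *pkts/ || NF == 0 { next }
        in_fwd { n++; if ($1 == 0) print n, $3, $6 "->" $7, $8, $9 }
    '
}

# Constructed sample (not real output from the thread): 37 packets hit
# FORWARD, but only the second rule ever matched anything.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 37 packets, 2220 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0
      12      720 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0'

# Live mode (root): sh this-script.sh --live
if [ "${1:-}" = "--live" ]; then
    if forwarding_enabled; then
        echo "ip_forward=1"
    else
        echo "ip_forward=0: run  echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
    out=$(iptables -L FORWARD -n -v -x)
    echo "packets handled by the FORWARD policy: $(printf '%s\n' "$out" | forward_policy_count)"
    echo "FORWARD rules nothing has matched yet:"
    printf '%s\n' "$out" | unmatched_forward_rules
fi
```

If the policy count grows while the rule counters stay at zero, packets are arriving but none of the -i/-o pairs match, so the interface names in the rules are the first thing to compare against the real interfaces. If everything stays at zero, the packets never reach the FORWARD chain, which usually means routing on one of the end hosts is sending them somewhere else.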
* forwarding
@ 2002-07-08 3:25 Tim
2002-07-08 0:30 ` forwarding Antony Stone
0 siblings, 1 reply; 38+ messages in thread
From: Tim @ 2002-07-08 3:25 UTC (permalink / raw)
To: iptables-list
Well, it looks like my netfilter rules/commands are not forwarding even though I have
--snip--
## Routing packets (traffic) between INTERNAL and DMZ
"echo "1" /proc/sys/net/ipv4/ip_forward"
## FORWARD rules for traffic between INTERNAL and DMZ
iptables -A FORWARD -i $INTERNAL_NET -o $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $DMZ_NET -o $INTERNAL_NET -j ACCEPT
--snip--
set up in the script and the rules. Gentlemen, any ideas? Is there something wrong with what is in these rules/commands?
Tim Rodriguez-- Mia/Fla.
Network Security Student
--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems, but in the other direction.
The final 1% might not be routing, but check it anyway.
--
* Re: forwarding
2002-07-08 0:53 ` forwarding Antony Stone
@ 2002-07-08 4:03 ` Tim
0 siblings, 0 replies; 38+ messages in thread
From: Tim @ 2002-07-08 4:03 UTC (permalink / raw)
To: iptables-list
Give me a second and I will get this all for you.
Tim
----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Sunday, July 07, 2002 5:53 PM
Subject: Re: forwarding
> On Monday 08 July 2002 4:47 am, Tim wrote:
>
> > yes...it does say echo 1 > /proc/sys/net/ipv4/ip_forward .... and when I
> > look in the file it has the number 1 in it, as it should according to this
> > command.
>
> Okay, what's the output of
> iptables -L -n -v -x
> iptables -L -n -v -x -t nat
>
> after you've tried to send some packets through the machine ?
>
> Oh, and just to be sure - how do yu know your machine isn't forwarding
> packets ? What happens / doesn't happen to tell you it's not working ?
>
> Oh, and by the way - what are the addresses / netmasks on your Internal / DMZ
> interfaces, and what's your routing table ?
>
>
>
> Antony.
>
> > ----- Original Message -----
> > From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> > To: "iptables-list" <netfilter@lists.samba.org>
> > Sent: Sunday, July 07, 2002 5:30 PM
> > Subject: Re: forwarding
> >
> > > On Monday 08 July 2002 4:25 am, Tim wrote:
> > > > Well, it looks like my netfilter rules/commands are not forwarding even
> > > > though I have
> > > >
> > > > ## Routing packets (traffic) between INTERNAL and DMZ
> > > > "echo "1" /proc/sys/net/ipv4/ip_forward"
> > >
> > > That really says
> > > echo 1 >/proc/sys/net/ipv4/ip_forward
> > > or
> > > echo "1" >/proc/sys/net/ipv4/ip_forward
> > > doesn't it ?
> > >
> > > (Note specifically the > sign)
> > >
> > >
> > >
> > > Antony.
>
>
* forwarding
@ 2004-05-18 14:22 alucard
2004-05-18 14:39 ` forwarding John A. Sullivan III
2004-05-18 14:44 ` forwarding Antony Stone
0 siblings, 2 replies; 38+ messages in thread
From: alucard @ 2004-05-18 14:22 UTC (permalink / raw)
To: netfilter
Hi there again,
I finally decided to add a second card to both the server and the
client to be able to forward packets from port 8080 on server 1 to port
80 on server 2, and somehow these packets are not going through. Let me
explain my scenario:

                  ---------------
                  |  Linux Box  |
   Server 1       |10.73.219.156|  Internet address (NAT'ed address)
                  | 192.168.0.1 |  2nd NIC, to forward packets
                  ---------------
                       8080
                        |
                        |
                        80
                  ---------------
                  | web server  |
   Server 2       | 192.168.0.2 |
                  |             |
                  ---------------

- Server 1 has a NAT'ed address using its 10.73; what I'm trying to do is
have everything that comes to 10.73.219.156:8080 forwarded to
192.168.0.2:80.
- Server 1 functions as a web server and that's why I'm using port 8080 in
order to forward packets to port 80 on server 2
- Here's my Server 1's /etc/rc.d/rc.firewall script because somehow it's
not working:
-----
echo "Flushing any previous rules..."
iptables -F
iptables -X
echo "Setting default policies to drop all packets"
iptables -P FORWARD DROP
iptables -P INPUT DROP
echo "Rules for incoming and outgoing packets"
# replies to connections this host opened
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
## internal
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
# for forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
-j DNAT --to-destination 192.168.0.2:80
echo 1 > /proc/sys/net/ipv4/ip_forward
-----
I have done this many times and somehow this time it is not working; that
means I have changed many things using POSTROUTING, nat and DNAT. Is
it because of some misconfiguration in Server 2's routes? Here's the output:
-----
[root@linserv root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
-----
Is it because I have to use different INPUT rules? As far as I know, INPUT
rules are only for packets going to the computer itself.
Any suggestions will be great
Thanks a lot as usual to this great mailing list
Juan
* Re: forwarding
2004-05-18 14:22 forwarding alucard
@ 2004-05-18 14:39 ` John A. Sullivan III
2004-05-18 14:49 ` forwarding alucard
2004-05-18 14:57 ` forwarding alucard
2004-05-18 14:44 ` forwarding Antony Stone
1 sibling, 2 replies; 38+ messages in thread
From: John A. Sullivan III @ 2004-05-18 14:39 UTC (permalink / raw)
To: alucard; +Cc: netfilter
I think I see it - I'll add a comment in your e-mail within brackets []
On Tue, 2004-05-18 at 10:22, alucard@kanux.com wrote:
> Hi there again,
>
> I finally decided to add a second card to both, the server and the
> client to be able to forward packets from port 8080 in server 1 to port
> 80 in server 2 and somehow this packets are not going thru, let me
> explain my scenario
>
> Internet Address
> Nat'ed Address
> ---------------
> | Linux Box |
> Server 1 |10.73.219.156|nat'ed' address
> | 192.168.0.1 |2nd NIC to forward packets
> ---------------
> 8080
> |
> |
> 80
> ---------------
> | web server |
> Server 2 | 192.168.0.2 |
> | |
> ---------------
>
>
> - Server 1 has a natted addres using it's 10.73; what I'm trying to do is
> that evrything that comes to 10.73.219.156:8080 gets forwarded to
> 192.168.0.2:80.
>
> - Server 1 functions as a webserver and that's why I'm using port 8080 in
> order to forward packets to port 80 in server 2
>
> - Here's my Server 1's /etc/rc.d/rc.firewall script because somehow it's
> not working:
>
> -----
> echo "Flushing any previous rules..."
> iptables -F
> iptables -X
>
> echo "Setting default policies to drop all packets"
>
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
>
> echo "Rules for incoming and outgoing packets"
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>
> ## internal
> iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
>
> # for forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
> -j DNAT --to-destination 192.168.0.2:80
[JAS - isn't the packet coming in on 10.73.219.156? In other words, your
NAT rule should be:
iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 -j
DNAT --to-destination 192.168.0.2:80]
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -----
>
> I have done this many times and somehow this time is not working, that
> means that I have changed many things using postrouting, nat and dnat. Is
> it because any missconfiguration on Server 2's route? here's the output:
>
> -----
> [root@linserv root]# route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
> 10.73.216.0 * 255.255.252.0 U 0 0 0 eth0
> 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
> default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1
> -----
>
> Is it because I have to use different INPUT rules? for what I know, INPUT
> rules are only for the packets going to the computer itself.
>
> Any suggestions will be great
> Thanks a lot as usual to this great mailing list
>
> Juan
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: forwarding
2004-05-18 14:22 forwarding alucard
2004-05-18 14:39 ` forwarding John A. Sullivan III
@ 2004-05-18 14:44 ` Antony Stone
1 sibling, 0 replies; 38+ messages in thread
From: Antony Stone @ 2004-05-18 14:44 UTC (permalink / raw)
To: netfilter
On Tuesday 18 May 2004 3:22 pm, alucard@kanux.com wrote:
> Hi there again,
>
> I finally decided to add a second card to both, the server and the
> client to be able to forward packets from port 8080 in server 1 to port
> 80 in server 2 and somehow this packets are not going thru, let me
> explain my scenario
>
> - Server 1 has a natted addres using it's 10.73; what I'm trying to do is
> that evrything that comes to 10.73.219.156:8080 gets forwarded to
> 192.168.0.2:80.
>
> - Server 1 functions as a webserver and that's why I'm using port 8080 in
> order to forward packets to port 80 in server 2
>
> - Here's my Server 1's /etc/rc.d/rc.firewall script because somehow it's
> not working:
>
> #para el forward
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
> -j DNAT --to-destination 192.168.0.2:80
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -----
That nat rule should read:
iptables -t nat -A PREROUTING -d 10.73.219.156 -p tcp --dport 8080 -j DNAT
--to-destination 192.168.0.2:80
Regards,
Antony.
--
This email is intended for the use of the individual addressee(s) named above
and may contain information that is confidential, privileged or unsuitable
for overly sensitive persons with low self-esteem, no sense of humour, or
irrational religious beliefs.
If you have received this email in error, you are required to shred it
immediately, add some nutmeg, three egg whites and a dessertspoonful of
caster sugar. Whisk until soft peaks form, then place in a warm oven for 40
minutes. Remove promptly and let stand for 2 hours before adding some
decorative kiwi fruit and cream. Then notify me immediately by return email
and eat the original message.
Please reply to the list;
please don't CC me.
* Re: forwarding
2004-05-18 14:39 ` forwarding John A. Sullivan III
@ 2004-05-18 14:49 ` alucard
2004-05-18 14:51 ` forwarding John A. Sullivan III
2004-05-18 14:56 ` forwarding Antony Stone
2004-05-18 14:57 ` forwarding alucard
1 sibling, 2 replies; 38+ messages in thread
From: alucard @ 2004-05-18 14:49 UTC (permalink / raw)
To: netfilter
> [JAS - isn't the packet coming in on 10.73.219.156? In other words, your
> NAT rule should be:
> iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 -j
> DNAT --to-destination 192.168.0.2:80]
-p 6? I've never seen this before; what is that rule trying to do?
Thanks for your help, pal
Juan
* Re: forwarding
2004-05-18 14:49 ` forwarding alucard
@ 2004-05-18 14:51 ` John A. Sullivan III
2004-05-18 14:56 ` forwarding Antony Stone
1 sibling, 0 replies; 38+ messages in thread
From: John A. Sullivan III @ 2004-05-18 14:51 UTC (permalink / raw)
To: alucard; +Cc: netfilter
On Tue, 2004-05-18 at 10:49, alucard@kanux.com wrote:
> > [JAS - isn't the packet coming in on 10.73.219.156? In other words, your
> > NAT rule should be:
> > iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 -j
> > DNAT --to-destination 192.168.0.2:80]
>
> -p 6? I've never seen this before, what is that rule trying to do?
>
<snip>
Ah, I usually use the protocol numbers directly rather than the names of
the protocols as it saves the lookup to the /etc/protocols file. 6 is
the IP protocol number for TCP. It is the same as saying -p tcp but a
little faster. The main point was the destination address appears to be
wrong - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
* Re: forwarding
2004-05-18 14:49 ` forwarding alucard
2004-05-18 14:51 ` forwarding John A. Sullivan III
@ 2004-05-18 14:56 ` Antony Stone
1 sibling, 0 replies; 38+ messages in thread
From: Antony Stone @ 2004-05-18 14:56 UTC (permalink / raw)
To: netfilter
On Tuesday 18 May 2004 3:49 pm, alucard@kanux.com wrote:
> > [JAS - isn't the packet coming in on 10.73.219.156? In other words, your
> > NAT rule should be:
> > iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 -j
> > DNAT --to-destination 192.168.0.2:80]
>
> -p 6? I've never seen this before, what is that rule trying to do?
It's a slightly unconventional way to specify TCP :)
Protocols have numbers (after all, *everything* has numbers when a computer
gets involved...), and TCP happens to be protocol number 6; UDP is protocol
number 17, and ICMP is protocol number 1.
See /etc/protocols on your own machine for more examples.
Regards,
Antony.
--
There are two possible outcomes:
If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.
- Enrico Fermi
Please reply to the list;
please don't CC me.
* Re: forwarding
2004-05-18 14:39 ` forwarding John A. Sullivan III
2004-05-18 14:49 ` forwarding alucard
@ 2004-05-18 14:57 ` alucard
2004-05-18 14:58 ` forwarding John A. Sullivan III
2004-05-18 15:09 ` forwarding Antony Stone
1 sibling, 2 replies; 38+ messages in thread
From: alucard @ 2004-05-18 14:57 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: netfilter
Hi there again...
Here's my changed rule:
-------
echo "Flushing any previous rules..."
iptables -F
iptables -X
echo "Setting default policies to drop all packets"
iptables -P FORWARD DROP
iptables -P INPUT DROP
echo "Rules for incoming and outgoing packets"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
## internal
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
# for forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 \
-j DNAT --to-destination 192.168.0.2:80
echo 1 > /proc/sys/net/ipv4/ip_forward
-------
and after I executed this, here's my nmap output
-------
root@mail:~# nmap 10.73.219.156
(The 1652 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
3306/tcp open  mysql
--------
Should I show something else? As far as I know, it should be forwarding
packets but it is not... port 8080 is not open, as nmap shows. Any
suggestions?
Thanks a lot as usual...
Juan
* Re: forwarding
2004-05-18 14:57 ` forwarding alucard
@ 2004-05-18 14:58 ` John A. Sullivan III
2004-05-18 15:12 ` forwarding alucard
2004-05-18 15:09 ` forwarding Antony Stone
1 sibling, 1 reply; 38+ messages in thread
From: John A. Sullivan III @ 2004-05-18 14:58 UTC (permalink / raw)
To: alucard; +Cc: netfilter
On Tue, 2004-05-18 at 10:57, alucard@kanux.com wrote:
> Hi there again...
>
> Here's my changed rule:
>
> -------
> echo "Flushing any previous rules..."
> iptables -F
> iptables -X
>
> echo "Setting default policies to drop all packets"
>
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
>
> echo "Rules for incoming and outgoing packets"
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> #iptables -A INPUT -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>
>
> ## internal
> iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
>
> # for forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 \
> -j DNAT --to-destination 192.168.0.2:80
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -------
>
> and after I executed this, here's my nmap output
>
> -------
> root@mail:~# nmap 10.73.219.156
>
> (The 1652 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
> 143/tcp open imap
> 3306/tcp open mysql
> --------
>
> Should I show something else? for what I know, it should be forwarding
> packets but is not... port 8080 is not open as nmap shows, any
> suggestions?
>
> Thanks a lot as usual...
> Juan
Although it probably did, are you sure nmap scanned port 8080? How about
nmap -sT -p 8080 10.73.219.156
I would then trace both the wire and the iptables rules to find out
where it is breaking - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
* Re: forwarding
2004-05-18 14:57 ` forwarding alucard
2004-05-18 14:58 ` forwarding John A. Sullivan III
@ 2004-05-18 15:09 ` Antony Stone
2004-05-18 15:40 ` forwarding alucard
1 sibling, 1 reply; 38+ messages in thread
From: Antony Stone @ 2004-05-18 15:09 UTC (permalink / raw)
To: netfilter
On Tuesday 18 May 2004 3:57 pm, alucard@kanux.com wrote:
> Hi there again...
>
> Here's my changed rule:
>
> -------
> echo "Flushing any previous rules..."
> iptables -F
> iptables -X
>
> echo "Setting default policies to drop all packets"
>
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
>
> #para el forward
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 \
> -j DNAT --to-destination 192.168.0.2:80
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -------
>
> and after I executed this, here's my nmap output
>
> -------
> root@mail:~# nmap 10.73.219.156
>
> (The 1652 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
> 143/tcp open imap
> 3306/tcp open mysql
> --------
Where are you running nmap from?
I wonder if the problem is the routes on machine2 (the genuine web server)
not sending the reply packets back via machine1 (the firewall) correctly?
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
If the requests come in on eth1 but the replies go out on eth0 that would be a
problem.
Regards,
Antony.
--
"The future is already here. It's just not evenly distributed yet."
- William Gibson
Please reply to the list;
please don't CC me.
* Re: forwarding
2004-05-18 14:58 ` forwarding John A. Sullivan III
@ 2004-05-18 15:12 ` alucard
2004-05-18 15:53 ` forwarding John A. Sullivan III
0 siblings, 1 reply; 38+ messages in thread
From: alucard @ 2004-05-18 15:12 UTC (permalink / raw)
To: netfilter
> Although it probably did, are you sure nmap scanned port 8080? How about
> nmap -sT -p 8080 10.73.219.156
>
> I would then trace both the wire and the iptables rules to find out
> where it is breaking - John
Yes, it filters now, but now it seems that the problem is in the 2nd server,
because I try to telnet to server 1's 8080 port and I get no response. Is
it some misconfiguration on the router? Take a look at this:
----
root@mail:~# nmap -sT -p 8080 10.73.219.156
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-05-18 11:06 VET
Interesting ports on mail.aeropostal.com.ve (10.73.219.156):
PORT     STATE    SERVICE
8080/tcp filtered http-proxy
----
The web server on server 2 is working perfectly but I'm not able to reach it
from server one. Look at this on server 2; maybe I'm doing something wrong:
[root@linserv root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
Thanx a lot for this great help
Juan
* RE: forwarding
@ 2004-05-18 15:33 CPD - David Cardeñosa Rubio
2004-05-18 15:47 ` forwarding John A. Sullivan III
2004-05-18 15:51 ` forwarding Antony Stone
0 siblings, 2 replies; 38+ messages in thread
From: CPD - David Cardeñosa Rubio @ 2004-05-18 15:33 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
HI!
if you add
iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
-j DNAT --to-destination 192.168.0.2:80
you need
iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --dport 80 -j SNAT --to
192.168.0.1:8080
you can test the connections with tcpdump
Regards
David Cardeñosa
-----Original Message-----
From: alucard@kanux.com [mailto:alucard@kanux.com]
Sent: Tuesday, 18 May 2004 17:13
To: netfilter@lists.netfilter.org
Subject: Re: forwarding
> Although it probably did, are you sure nmap scanned port 8080? How about
> nmap -sT -p 8080 10.73.219.156
>
> I would then trace both the wire and the iptables rules to find out
> where it is breaking - John
Yes, it filters now but now it seems that the problem is in the 2nd server
because I try to telnet to server 1's 8080 port and I get no response. Is
it any missconfiguration on the router? take a look at this:
----
root@mail:~# nmap -sT -p 8080 10.73.219.156
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-05-18 11:06 VET
Interesting ports on mail.aeropostal.com.ve (10.73.219.156):
PORT STATE SERVICE
8080/tcp filtered http-proxy
----
the webserver in server 2 is working perfectly but im not able to reach it
from server one, look at this in server 2, maybe im doing something wrong
[root@linserv root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
Thanx a lot for this great help
Juan
* Re: forwarding
2004-05-18 15:09 ` forwarding Antony Stone
@ 2004-05-18 15:40 ` alucard
2004-05-18 15:53 ` forwarding Antony Stone
0 siblings, 1 reply; 38+ messages in thread
From: alucard @ 2004-05-18 15:40 UTC (permalink / raw)
Cc: netfilter
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> 10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
>
> If the requests come in on eth1 but the replies go out on eth0 that would
> be a problem.
Well, on server2 (the one that has to get the packets forwarded from
server1) the 192.168 network is on eth1. Does anybody see anything wrong with
its route configuration? Any suggestions?
Thanks a lot
* RE: forwarding
2004-05-18 15:33 forwarding CPD - David Cardeñosa Rubio
@ 2004-05-18 15:47 ` John A. Sullivan III
2004-05-18 15:51 ` forwarding Antony Stone
1 sibling, 0 replies; 38+ messages in thread
From: John A. Sullivan III @ 2004-05-18 15:47 UTC (permalink / raw)
To: CPD - David Cardeñosa Rubio; +Cc: 'netfilter@lists.netfilter.org'
I do not believe that is necessarily true. I'm not the expert but I
believe that if all you want is inbound access, connection tracking will
take care of the source alteration. You would only need SNAT if you
wanted to originate outbound packets with the altered source. Someone
please correct me if I am wrong - John
On Tue, 2004-05-18 at 11:33, CPD - David Cardeñosa Rubio wrote:
> HI!
>
> if you add
>
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
> -j DNAT --to-destination 192.168.0.2:80
>
> you need
>
> iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --dport 80 -j
> SNAT --to 192.168.0.1:8080
>
> you can test the conections with tcpdump
>
> Un saludo
>
> David Cardeñosa
>
> -----Original Message-----
> From: alucard@kanux.com [mailto:alucard@kanux.com]
> Sent: Tuesday, 18 May 2004 17:13
> To: netfilter@lists.netfilter.org
> Subject: Re: forwarding
>
>
>
> > Although it probably did, are you sure nmap scanned port 8080? How about
> > nmap -sT -p 8080 10.73.219.156
> >
> > I would then trace both the wire and the iptables rules to find out
> > where it is breaking - John
>
> Yes, it filters now, but now it seems that the problem is in the 2nd server,
> because I try to telnet to server 1's 8080 port and I get no response. Is
> it some misconfiguration on the router? Take a look at this:
> ----
> root@mail:~# nmap -sT -p 8080 10.73.219.156
>
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-05-18 11:06 VET
> Interesting ports on mail.aeropostal.com.ve (10.73.219.156):
> PORT STATE SERVICE
> 8080/tcp filtered http-proxy
> ----
>
> The web server on server 2 is working perfectly but I'm not able to reach it
> from server one. Look at this on server 2; maybe I'm doing something wrong:
>
> [root@linserv root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> 10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
>
>
> Thanx a lot for this great help
> Juan
>
>
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
* Re: forwarding
2004-05-18 15:33 forwarding CPD - David Cardeñosa Rubio
2004-05-18 15:47 ` forwarding John A. Sullivan III
@ 2004-05-18 15:51 ` Antony Stone
1 sibling, 0 replies; 38+ messages in thread
From: Antony Stone @ 2004-05-18 15:51 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
On Tuesday 18 May 2004 4:33 pm, CPD - David Cardeñosa Rubio wrote:
> HI!
>
> if you add
>
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
> -j DNAT --to-destination 192.168.0.2:80
>
> you need
>
> iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --dport 80 -j SNAT
> --to 192.168.0.1:8080
No, you don't.
Netfilter handles the reverse-natting of reply packets transparently - you do
not need to specify your own rule for them.
The only reason you would want both the above rules is when you want a machine
accessible on a translated IP address, and you also want *new* connections
from that machine to come from the translated address. In both cases you
specify the rule for the "forward" packets, and the "return" packets get
handled by netfilter.
Regards,
Antony.
--
"640 kilobytes (of RAM) should be enough for anybody."
- Bill Gates
Please reply to the list;
please don't CC me.
* Re: forwarding
2004-05-18 15:40 ` forwarding alucard
@ 2004-05-18 15:53 ` Antony Stone
0 siblings, 0 replies; 38+ messages in thread
From: Antony Stone @ 2004-05-18 15:53 UTC (permalink / raw)
To: netfilter
On Tuesday 18 May 2004 4:40 pm, alucard@kanux.com wrote:
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> > 10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
> > 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> > 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> > default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
> >
> > If the requests come in on eth1 but the replies go out on eth0 that would
> > be a
> > problem.
>
> well, in server2 -the one that has to get the packets forwarded from
> server1- the 192.168 network is on eth1, does anybody see anything wrong with
> its route configuration? any suggestions??
Yes, but where are you doing the nmap testing from? Surely not the machine
with the nat rules on it?? (That won't work.)
Server 2 has to have a route to send the reply packets back to the machine
doing the testing. The packets will not have the source address of server1.
Regards,
Antony.
--
In Heaven, the police are British, the chefs are Italian, the beer is Belgian,
the mechanics are German, the lovers are French, the entertainment is
American, and everything is organised by the Swiss.
In Hell, the police are German, the chefs are British, the beer is American,
the mechanics are French, the lovers are Swiss, the entertainment is Belgian,
and everything is organised by the Italians.
Please reply to the list;
please don't CC me.
* Re: forwarding
2004-05-18 15:12 ` forwarding alucard
@ 2004-05-18 15:53 ` John A. Sullivan III
2004-05-18 16:38 ` forwarding alucard
0 siblings, 1 reply; 38+ messages in thread
From: John A. Sullivan III @ 2004-05-18 15:53 UTC (permalink / raw)
To: alucard; +Cc: netfilter
On Tue, 2004-05-18 at 11:12, alucard@kanux.com wrote:
> > Although it probably did, are you sure nmap scanned port 8080? How about
> > nmap -sT -p 8080 10.73.219.156
> >
> > I would then trace both the wire and the iptables rules to find out
> > where it is breaking - John
>
> Yes, it filters now but now it seems that the problem is in the 2nd server
> because I try to telnet to server 1's 8080 port and I get no response. Is
> there any misconfiguration on the router? take a look at this:
> ----
> root@mail:~# nmap -sT -p 8080 10.73.219.156
>
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-05-18 11:06 VET
> Interesting ports on mail.aeropostal.com.ve (10.73.219.156):
> PORT STATE SERVICE
> 8080/tcp filtered http-proxy
> ----
>
> the webserver in server 2 is working perfectly but I'm not able to reach it
> from server one, look at this in server 2, maybe I'm doing something wrong
>
> [root@linserv root]# route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
> 10.73.216.0 * 255.255.252.0 U 0 0 0 eth0
> 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
> default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1
<snip>
At first glance, the routing looks correct but I hope you are not trying
to access the web server from the Linux box. You will have more
accurate results if you try to access through it.
If you try to telnet from the Linux box, you may find it uses a source
address of 10.73.219.156. The web server will then try to respond out
interface eth0. I believe there is an option to override the source
port of telnet - -b I think. You will also need to ensure that nothing
is interfering in the INPUT and OUTPUT chains. I would suggest testing
through the Linux Box rather than from it - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: forwarding
2004-05-18 15:53 ` forwarding John A. Sullivan III
@ 2004-05-18 16:38 ` alucard
2004-05-18 17:02 ` forwarding John A. Sullivan III
0 siblings, 1 reply; 38+ messages in thread
From: alucard @ 2004-05-18 16:38 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: alucard, netfilter
All right, let me explain my current setup because it is not working after
all your great help, let me put here step by step everything that is
currently going on here.
-Server 1 has this /etc/rc.d/rc.firewall script:
#-----<script>
echo "Deleting any previous rules..."
iptables -F
iptables -X
# "iptables -F" leaves the nat table alone; flush it too, otherwise the
# PREROUTING rule below is appended again every time this script runs.
iptables -t nat -F
echo "Enabling default-deny policies for all packets"
iptables -P FORWARD DROP
iptables -P INPUT DROP
echo "Rules for incoming and outgoing packets"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
## internal
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
# for forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -d 10.73.219.156 -p tcp --dport 8080 \
-j DNAT --to-destination 192.168.0.2:80
echo 1 > /proc/sys/net/ipv4/ip_forward
#-----</script>
-in order to avoid any eth0/eth1 packet confusion, I have only one NIC
in server2, the one that has the second webserver. This is the server2's
route output:
-----route script
[root@linserv root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
-----route script
It seems to be ok, from server2 I can access server1 through the 192.168 network
but, what concerns me is that it takes too long to show the default
router, it gets stuck on lo for about a minute. About accessing it from
server1 using telnet, I have a remote server trying to access ip:8080 and
it still gets no answer, even though the nmap record shows that port 8080
in server one is filtered
Thanx a lot for this great help, I really appreciate it
Peace
Juan
Programmin' Python is like sugar... Sweet! ;)
* Re: forwarding
2004-05-18 16:38 ` forwarding alucard
@ 2004-05-18 17:02 ` John A. Sullivan III
2004-05-18 18:21 ` forwarding alucard
0 siblings, 1 reply; 38+ messages in thread
From: John A. Sullivan III @ 2004-05-18 17:02 UTC (permalink / raw)
To: alucard; +Cc: netfilter
On Tue, 2004-05-18 at 12:38, alucard@kanux.com wrote:
> All right, let me explain my current setup because it is not working after
> all your great help, let me put here step by step everything that is
> currently going on here.
>
> -Server 1 has this /etc/rc.d/rc.firewall script:
>
> #-----<script>
> echo "Deleting any previous rules..."
> iptables -F
> iptables -X
> # "iptables -F" leaves the nat table alone; flush it too, otherwise the
> # PREROUTING rule below is appended again every time this script runs.
> iptables -t nat -F
>
> echo "Enabling default-deny policies for all packets"
>
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
>
> echo "Rules for incoming and outgoing packets"
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> #iptables -A INPUT -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> #iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
>
> ## internal
> iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
>
> # for forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 10.73.219.156 -p tcp --dport 8080 \
> -j DNAT --to-destination 192.168.0.2:80
> echo 1 > /proc/sys/net/ipv4/ip_forward
> #-----</script>
>
> -in order to avoid any eth0/eth1 packet confusion, I have only one NIC
> in server2, the one that has the second webserver. This is the server2's
> route output:
>
> -----route script
> [root@linserv root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
> -----route script
>
> It seems to be ok, from server2 I can access server1 through the 192.168 network
> but, what concerns me is that it takes too long to show the default
> router, it gets stuck on lo for about a minute. About accessing it from
> server1 using telnet, I have a remote server trying to access ip:8080 and
> it still gets no answer, even though the nmap record shows that port 8080
> in server one is filtered
>
> Thanx a lot for this great help, I really appreciate it
>
> Peace
> Juan
> Programmin' Python is like sugar... Sweet! ;)
OK - it's good to simplify :-)
You should not need the INPUT rule for 8080.
The delay in finding the default route is route's attempt at reverse
name resolution. Use route -n instead.
Our next step is to trace. From what address are you attempting to
telnet and where does that address live?
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
* RE: forwarding
@ 2004-05-18 17:04 CPD - David Cardeñosa Rubio
0 siblings, 0 replies; 38+ messages in thread
From: CPD - David Cardeñosa Rubio @ 2004-05-18 17:04 UTC (permalink / raw)
To: 'alucard@kanux.com'; +Cc: netfilter
hi
I'm testing your configuration on my test machines and it works for me
                                                      Firewall                               web server
172.40.x.x (yes, local network with public ip, aggg) ----- [172.40.42.200 - 192.168.150.1] ----- [192.168.150.2]
firewall:~# iptables -L -t nat -n -v
Chain PREROUTING (policy ACCEPT 259 packets, 35934 bytes)
 pkts bytes target prot opt in  out source     destination
    3   144 DNAT   tcp  --  *   *   0.0.0.0/0  172.40.43.200  tcp dpt:8080 to:192.168.150.2:80
Chain POSTROUTING (policy ACCEPT 39 packets, 2680 bytes)
 pkts bytes target prot opt in  out source     destination
Chain OUTPUT (policy ACCEPT 19 packets, 1499 bytes)
 pkts bytes target prot opt in  out source     destination
firewall:~#
firewall:~# iptables -L -n -v
Chain INPUT (policy DROP 15 packets, 1455 bytes)
 pkts bytes target prot opt in  out source     destination
 2943  293K ACCEPT all  --  *   *   0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
    1    48 ACCEPT tcp  --  *   *   0.0.0.0/0  0.0.0.0/0      tcp dpt:22
Chain FORWARD (policy DROP 1 packets, 72 bytes)
 pkts bytes target prot opt in  out source     destination
 3963 3939K ACCEPT all  --  *   *   0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
    3   144 ACCEPT tcp  --  *   *   0.0.0.0/0  192.168.150.2  tcp dpt:80
Chain OUTPUT (policy ACCEPT 3794 packets, 283K bytes)
 pkts bytes target prot opt in  out source     destination
firewall:~#
balanceador:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask           Flags Metric Ref    Use Iface
192.168.150.0   0.0.0.0         255.255.255.252   U     0      0        0 eth1
192.168.200.0   0.0.0.0         255.255.255.0     U     0      0        0 eth0
0.0.0.0         192.168.150.1   0.0.0.0           UG    0      0        0 eth1
balanceador:~#
firewall:~# tcpdump -n tcp src or dst port 80 or 8080
tcpdump: listening on eth0
20:01:06.945606 172.60.60.75.2286 > 172.40.43.200.8080: S 1752076561:1752076561(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:01:06.946034 172.40.43.200.8080 > 172.60.60.75.2286: S 2920282127:2920282127(0) ack 1752076562 win 5840 <mss 1460,nop,nop,sackOK> (DF)
20:01:06.946273 172.60.60.75.2286 > 172.40.43.200.8080: . ack 1 win 17520 (DF)
20:01:17.851129 172.60.60.75.2286 > 172.40.43.200.8080: P 1:3(2) ack 1 win 17520 (DF)
20:01:17.851467 172.40.43.200.8080 > 172.60.60.75.2286: . ack 3 win 5840 (DF)
balanceador:~# tcpdump -i eth1 -n tcp src or dst port 80
tcpdump: listening on eth1
21:08:36.116571 172.60.60.75.2286 > 192.168.150.2.80: S 1752076561:1752076561(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
21:08:36.116668 192.168.150.2.80 > 172.60.60.75.2286: S 2920282127:2920282127(0) ack 1752076562 win 5840 <mss 1460,nop,nop,sackOK> (DF)
21:08:36.117201 172.60.60.75.2286 > 192.168.150.2.80: . ack 1 win 17520 (DF)
21:08:47.022155 172.60.60.75.2286 > 192.168.150.2.80: P 1:3(2) ack 1 win 17520 (DF)
21:08:47.022211 192.168.150.2.80 > 172.60.60.75.2286: . ack 3 win 5840 (DF)
* RE: forwarding
@ 2004-05-18 18:04 Daniel Chemko
0 siblings, 0 replies; 38+ messages in thread
From: Daniel Chemko @ 2004-05-18 18:04 UTC (permalink / raw)
To: John A. Sullivan III, CPD - David Cardeñosa Rubio; +Cc: netfilter
John A. Sullivan III wrote:
> I do not believe that is necessarily true. I'm not the expert but I
> believe that if all you want is inbound access, connection tracking
> will take care of the source alteration. You would only need SNAT if
> you wanted to originate outbound packets with the altered source.
> Someone please correct me if I am wrong - John
If the default route does not route back through the Linux server, you are required to SNAT the packet back to the firewall's address, basically forcing the respondee to keep the firewall in the loop, so to speak. Netfilter will NOT allow a one-way stream into the system, since the second packet sent by the client (ACK) is marked as INVALID by the state machine, since it never received a SYN/ACK in response to the initial packet.
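The two positions above (Antony: one DNAT rule is enough, conntrack un-NATs the replies; Daniel: SNAT as well, when the server's default route does not lead back through the firewall) reduce to the rule set below. It is an added example, not code from any message in this thread, written so it can be dry-run without root: with DRYRUN set the commands are printed instead of executed. It assumes eth0 faces the 10.73.x network, eth1 is the DMZ side at 192.168.0.1, and TCP 88 as the outside port (Antony's later suggestion; the thread never says which port Juan finally used). Test it from a client outside the firewall, not from the firewall itself.

```shell
#!/bin/sh
# Added example, not code from any message in this thread. Minimal port-forward
# rule set for the topology under discussion, written so it can be dry-run
# without root: set DRYRUN=1 and the commands are printed instead of executed.
# Assumptions not stated in the thread: eth0 faces the 10.73.x network, eth1 is
# the DMZ side at 192.168.0.1, and TCP 88 is the outside port (Antony's
# suggestion; the thread never says which port Juan finally used).
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_IP="${EXT_IP:-10.73.219.156}"
EXT_PORT="${EXT_PORT:-88}"
WEB_IP="${WEB_IP:-192.168.0.2}"
WEB_PORT="${WEB_PORT:-80}"
INT_GW_IP="${INT_GW_IP:-192.168.0.1}"   # this box's own address on the DMZ side

# Run a command, or print it when DRYRUN is set.
run() {
    if [ -n "${DRYRUN:-}" ]; then echo "$*"; else "$@"; fi
}

# "iptables -F" only touches the filter table. Flush nat as well, or each run
# of the script appends another copy of the PREROUTING rule.
flush_all() {
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    run iptables -t nat -X
}

# One NAT rule on the forward path is all that is needed: conntrack records the
# translation and un-NATs the server's replies on its own. The FORWARD rule keys
# on the conntrack DNAT state rather than on -d alone, so only packets this box
# actually rewrote are let through to the web server.
dnat_forward() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_IP" --dport "$WEB_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# Only for the case where the web server's replies would NOT come back through
# this box (its default gateway is elsewhere). Rewriting the source to our DMZ
# address forces the return path through here so conntrack sees the SYN/ACK;
# otherwise the client's next ACK is INVALID and the handshake never completes.
snat_replies() {
    run iptables -t nat -A POSTROUTING -o "$INT_IF" -p tcp -d "$WEB_IP" --dport "$WEB_PORT" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$INT_GW_IP"
}

apply_rules() {
    flush_all
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    dnat_forward
    if [ -n "${SNAT_REPLIES:-}" ]; then snat_replies; fi
    # Last rule in each chain: log (rate-limited) whatever is about to hit the
    # DROP policy, so a failing forward can be traced in the kernel log.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    run sysctl -w net.ipv4.ip_forward=1
}

# "sh fw.sh show" prints the rules; "sh fw.sh apply" installs them (needs root).
case "${1:-}" in
    show)  DRYRUN=1 ; apply_rules ;;
    apply) DRYRUN="" ; apply_rules ;;
esac
```

Running `sh fw.sh show` lists exactly what would be installed; `SNAT_REPLIES=1 sh fw.sh show` adds the single POSTROUTING rule for Daniel's case and nothing else. The LOG rules sit after every ACCEPT, so only packets about to be dropped by policy reach the kernel log, and the limit match keeps a port scan from flooding it.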
* Re: forwarding
2004-05-18 17:02 ` forwarding John A. Sullivan III
@ 2004-05-18 18:21 ` alucard
2004-05-18 18:28 ` forwarding Antony Stone
` (2 more replies)
0 siblings, 3 replies; 38+ messages in thread
From: alucard @ 2004-05-18 18:21 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: netfilter
> OK - it's good to simplify :-)
> You should not need to INPUT rule for 8080.
It's commented out, it's an old rule for something I used to have in that server
> The delay in finding the default route is route's attempt at reverse
> name resolution. Use route -n instead.
Indeed, this is what I get in server2
--------
[root@linserv root]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
--------
> Our next step is to trace. From what address are you attempting to
> telnet and where does that address live?
I'm using a completely different address to try to access the server from
the outside, to be more specific, I'm doing this at work and I'm using the
computers in my house to do this test and nothing happens. If I telnet
port 80 server2 directly from server1 I get this -to make sure it's
working-:
--------
root@mail:~# telnet 192.168.0.2 80
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
^]
telnet>
--------
Thanks dude
Peace
Juan
Programmin' Python is like sugar... Sweet! ;)
* RE: forwarding
@ 2004-05-18 18:23 Daniel Chemko
2004-05-18 18:42 ` forwarding Antony Stone
` (2 more replies)
0 siblings, 3 replies; 38+ messages in thread
From: Daniel Chemko @ 2004-05-18 18:23 UTC (permalink / raw)
To: alucard, John A. Sullivan III; +Cc: netfilter
iptables -t nat -A POSTROUTING --destination ${server2} -j SNAT --to
${server1_internal_ip}
This is the last time I try to respond to you since you've been ignoring
the rest. SNAT traffic from server 1 to server 2. Period. There's no
magic. Put it in, then the system will magically work. Well, replace the
${}'s with the actual values first.
If you even get this email, let me know cause I feel like I'm falling on
deaf ears.
* Re: forwarding
2004-05-18 18:21 ` forwarding alucard
@ 2004-05-18 18:28 ` Antony Stone
2004-05-18 18:42 ` forwarding alucard
2004-05-18 19:22 ` forwarding John A. Sullivan III
2004-05-18 21:33 ` forwarding Antony Stone
2 siblings, 1 reply; 38+ messages in thread
From: Antony Stone @ 2004-05-18 18:28 UTC (permalink / raw)
To: netfilter
On Tuesday 18 May 2004 7:21 pm, alucard@kanux.com wrote:
> > Our next step is to trace. From what address are you attempting to
> > telnet and where does that address live?
>
> I'm using a completely different address to try to access the server from
> the outside, to be more specific, I'm doing this at work and I'm using the
> computers in my house to do this test and nothing happens.
What result do you get if you traceroute from home to work?
Unless you have been disguising the IP addresses without telling us, I don't
see how you can contact 10.72.219.156 across the Internet....
Regards,
Antony.
--
Your work is both good and original. Unfortunately the parts that are good
aren't original, and the parts that are original aren't good.
- Samuel Johnson
Please reply to the list;
please don't CC me.
* Re: forwarding
2004-05-18 18:23 forwarding Daniel Chemko
@ 2004-05-18 18:42 ` Antony Stone
2004-05-18 18:50 ` forwarding alucard
2004-05-18 19:15 ` forwarding John A. Sullivan III
2 siblings, 0 replies; 38+ messages in thread
From: Antony Stone @ 2004-05-18 18:42 UTC (permalink / raw)
To: netfilter
On Tuesday 18 May 2004 7:23 pm, Daniel Chemko wrote:
> iptables -t nat -A POSTROUTING --destination ${server2} -j SNAT --to
> ${server1_internal_ip}
>
> This is the last time I try to respond to you since you've been ignoring
> the rest.
Who are you talking to here (your posting was addressed to two individuals,
plus the list), and what is "the rest" you refer to?
I have only seen one other email from you in this thread, and that was in
response to a somewhat off-topic posting about reverse routing, which IMHO
didn't require a response...
We don't want anyone to feel left out on this list, but if you've posted other
comments and not had a response, the reason is probably that other list
subscribers haven't seen what you said yet (no, I don't know why that would
be).
By the way, I disagree that the above SNAT rule is required.
Regards,
Antony.
--
Most people have more than the average number of legs.
Please reply to the list;
please don't CC me.
* Re: forwarding
2004-05-18 18:28 ` forwarding Antony Stone
@ 2004-05-18 18:42 ` alucard
0 siblings, 0 replies; 38+ messages in thread
From: alucard @ 2004-05-18 18:42 UTC (permalink / raw)
Cc: netfilter
> see how you can contact 10.72.219.156 across the Internet....
>
It's a nat'ed address from my ISP
Juan
* RE: forwarding
2004-05-18 18:23 forwarding Daniel Chemko
2004-05-18 18:42 ` forwarding Antony Stone
@ 2004-05-18 18:50 ` alucard
2004-05-18 19:15 ` forwarding John A. Sullivan III
2 siblings, 0 replies; 38+ messages in thread
From: alucard @ 2004-05-18 18:50 UTC (permalink / raw)
To: Daniel Chemko; +Cc: John A. Sullivan III, netfilter
> iptables -t nat -A POSTROUTING --destination ${server2} -j SNAT --to
> ${server1_internal_ip}
>
> This is the last time I try to respond to you since you've been ignoring
> the rest. SNAT traffic from server 1 to server 2. Period. There's no
> magic. Put it in, then the system will magically work. Well, replace the
> ${}'s with the actual values first.
>
Dude, it's not that I wasn't reading or not paying attention to your posts,
I really appreciate them, it's just that -and this is why I like this list
so much- I had a LOT of replies trying to help. From what I can see
now, I have to be doing something VERY stupid that is not allowing me to
do what I need so, I'm sending -again- my script mixed with your
recommendations for you to read it and suggest something
-----
echo "Deleting any previous rules..."
iptables -F
iptables -X
# "iptables -F" leaves the nat table alone; flush it too, otherwise the
# PREROUTING and POSTROUTING rules below are appended again on every run.
iptables -t nat -F
echo "Enabling default-deny policies for all packets"
iptables -P FORWARD DROP
iptables -P INPUT DROP
echo "Rules for incoming and outgoing packets"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
## internal
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
# for forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -d 10.73.219.156 -p tcp --dport 8080 \
-j DNAT --to-destination 192.168.0.2:80
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING --destination 192.168.0.2 -j SNAT --to \
10.73.219.156
-----
Thanx a lot again for this great help
Peace
Juan
Programmin' Python is like sugar... Sweet! ;)
* RE: forwarding
2004-05-18 18:23 forwarding Daniel Chemko
2004-05-18 18:42 ` forwarding Antony Stone
2004-05-18 18:50 ` forwarding alucard
@ 2004-05-18 19:15 ` John A. Sullivan III
2 siblings, 0 replies; 38+ messages in thread
From: John A. Sullivan III @ 2004-05-18 19:15 UTC (permalink / raw)
To: Daniel Chemko; +Cc: alucard, netfilter
On Tue, 2004-05-18 at 14:23, Daniel Chemko wrote:
> iptables -t nat -A POSTROUTING --destination ${server2} -j SNAT --to
> ${server1_internal_ip}
>
> This is the last time I try to respond to you since you've been ignoring
> the rest. SNAT traffic from server 1 to server 2. Period. There's no
> magic. Put it in, then the system will magically work. Well, replace the
> ${}'s with the actual values first.
>
> If you even get this email, let me know cause I feel like I'm falling on
> deaf ears.
Daniel, that was a problem but he has changed the default gateway to
ensure that the packets do make it back to the gateway.
From a previous post:
[root@linserv root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
I believe 192.168.0.1 is the gateway.
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
* Re: forwarding
2004-05-18 18:21 ` forwarding alucard
2004-05-18 18:28 ` forwarding Antony Stone
@ 2004-05-18 19:22 ` John A. Sullivan III
2004-05-18 21:33 ` forwarding Antony Stone
2 siblings, 0 replies; 38+ messages in thread
From: John A. Sullivan III @ 2004-05-18 19:22 UTC (permalink / raw)
To: alucard; +Cc: netfilter
On Tue, 2004-05-18 at 14:21, alucard@kanux.com wrote:
> > OK - it's good to simplify :-)
> > You should not need to INPUT rule for 8080.
> It's commented out, it's an old rule for something I used to have in that server
>
> > The delay in finding the default route is route's attempt at reverse
> > name resolution. Use route -n instead.
>
> Indeed, this is what I get in server2
>
> --------
> [root@linserv root]# route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
> --------
>
> > Our next step is to trace. From what address are you attempting to
> > telnet and where does that address live?
>
> I'm using a completely different address to try to access the server from
> the outside, to be more specific, I'm doing this at work and I'm using the
> computers in my house to do this test and nothing happens. If I telnet
> port 80 server2 directly from server1 I get this -to make sure it's
> working-:
>
> --------
> root@mail:~# telnet 192.168.0.2 80
> Trying 192.168.0.2...
> Connected to 192.168.0.2.
> Escape character is '^]'.
> ^]
> telnet>
> --------
<snip>
Ok - so this is where the tracing comes in. I assume you are sending a
packet from your home network to some public IP. Your ISP is then
NATting this to 10.73.219.156. Using tcpdump or ethereal, can you see
the packet arrive at 10.73.219.156? If so, can you see the packet leave
192.168.0.1? If so, what are the source and destination sockets of the
egressing packet? Do you see a reply packet? How is it addressed?
If you do not see a packet exiting the gateway on the 192.168.0.1
interface, place log rules in the various points of your table to find
out where the packet is dying. Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
* RE: forwarding
@ 2004-05-18 20:33 Daniel Chemko
0 siblings, 0 replies; 38+ messages in thread
From: Daniel Chemko @ 2004-05-18 20:33 UTC (permalink / raw)
To: netfilter
Antony Stone wrote:
> On Tuesday 18 May 2004 7:23 pm, Daniel Chemko wrote:
>
>> iptables -t nat -A POSTROUTING --destination ${server2} -j SNAT --to
>> ${server1_internal_ip}
>>
>> This is the last time I try to respond to you since you've been
>> ignoring the rest.
>
> Who are you talking to here (your posting was addressed to two
> individuals, plus the list), and what is "the rest" you refer to?
>
> I have only seen one other email from you in this thread, and that
> was in response to a somewhat off-topic posting about reverse
> routing, which IMHO didn't require a response...
>
> We don't want anyone to feel left out on this list, but if you've
> posted other comments and not had a response, the reason is probably
> that other list subscribers haven't seen what you said yet (no, I
> don't know why that would be).
Sorry, I was referring to the last thread the poster opened. Not this
one. I agree with the rest. I forgot that he had implemented the
two-card solution already.
* RE: forwarding
@ 2004-05-18 20:48 Daniel Chemko
2004-05-18 21:15 ` forwarding John A. Sullivan III
0 siblings, 1 reply; 38+ messages in thread
From: Daniel Chemko @ 2004-05-18 20:48 UTC (permalink / raw)
To: alucard; +Cc: John A. Sullivan III, netfilter
Ok, one more thing:
Is the address 10.73.219.156 the only IP address on the external
interface of the server1?
If you don't bind the 10.73.219.156 IP address to the ethernet interface
on server1, then hosts on that network won't be able to find the server
even with the prerouting rule. You could solve this by Proxy-arp or just
simply adding another IP address to the outside interface.
This may be redundant, but I don't believe the external interface's been
discussed at all as a possible issue.
* RE: forwarding
2004-05-18 20:48 forwarding Daniel Chemko
@ 2004-05-18 21:15 ` John A. Sullivan III
0 siblings, 0 replies; 38+ messages in thread
From: John A. Sullivan III @ 2004-05-18 21:15 UTC (permalink / raw)
To: Daniel Chemko; +Cc: alucard, netfilter
On Tue, 2004-05-18 at 16:48, Daniel Chemko wrote:
> Ok, one more thing:
>
> Is the address 10.73.219.156 the only IP address on the external
> interface of the server1?
>
> If you don't bind the 10.73.219.156 IP address to the ethernet interface
> on server1, then hosts on that network won't be able to find the server
> even with the prerouting rule. You could solve this by Proxy-arp or just
> simply adding another IP address to the outside interface.
>
> This may be redundant, but I don't believe the external interface's been
> discussed at all as a possible issue.
I believe that is the only address bound to the external interface. The
entire unusual premise is that is the only address available. There is
already a web server at that address listening on port 80 and the user
wants to give users access to a different web server. Since he only has
the one IP address, he is sending traffic for the second web server to
port 8080 and then DNATting that traffic to the other web server on port
80.
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: forwarding
2004-05-18 18:21 ` forwarding alucard
2004-05-18 18:28 ` forwarding Antony Stone
2004-05-18 19:22 ` forwarding John A. Sullivan III
@ 2004-05-18 21:33 ` Antony Stone
2004-05-19 4:56 ` forwarding Juan Hernandez
2 siblings, 1 reply; 38+ messages in thread
From: Antony Stone @ 2004-05-18 21:33 UTC (permalink / raw)
To: netfilter
On Tuesday 18 May 2004 7:21 pm, alucard@kanux.com wrote:
> I'm using a completely different address to try to access the server from
> the outside, to be more specific, I'm doing this at work and I'm using the
> computers in my house to do this test and nothing happens. If I telnet
> port 80 server2 directly from server1 I get this -to make sure it's
> working-:
>
> --------
> root@mail:~# telnet 192.168.0.2 80
> Trying 192.168.0.2...
> Connected to 192.168.0.2.
> Escape character is '^]'.
> ^]
> telnet>
> --------
A couple of suggestions:
1. Try a totally different port number (in the PREROUTING nat rule, and when
you telnet to test things) to see if there's some problem with 8080. You
know that port 80 can get to the firewall (because it's running its own web
server), so try TCP port 88 perhaps instead of 8080.
2. Remove the PREROUTING nat rule, make sure any dropped packets on INPUT are
getting LOGged, and then telnet from the outside to port 8080 again - and
make sure you see them in the log output. This is just one way of making
sure that the requests to port 8080 are making it as far as the netfilter
machine so that it can nat them on to the real server.
Also, what does "iptables -L -nvx; iptables -L -t nat -nvx" tell you in the
packet / byte counters? Does it look like any packets are getting natted
and/or forwarded?
Regards,
Antony.
--
The first fifty percent of an engineering project takes ninety percent of the
time, and the remaining fifty percent takes another ninety percent of the
time.
Please reply to the list;
please don't CC me.
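John's tracing steps (see the packet arrive, see it leave, see the reply) and Antony's suggestion to log what INPUT drops both end with someone reading netfilter LOG lines out of the kernel log. The filter below is an added example, not something posted in the thread: it reads those lines and states, from the addresses a packet still carried when it was dropped, whether the forward died before NAT (dropped in INPUT, still addressed to the public IP, so the PREROUTING rule never matched), after NAT (dropped in FORWARD, already addressed to 192.168.0.2, so the filter rule is wrong), or on the way back (a reply from 192.168.0.2 with no conntrack entry behind it). It assumes the drop rules log with the prefixes IN-DROP: and FWD-DROP: and uses the addresses from this thread; the three sample lines are constructed, not captured from Juan's machine.

```shell
#!/bin/sh
# Added example, not code from any message in this thread. Reads netfilter LOG
# lines (dmesg / kern.log) and says, from the addresses a packet still carried
# when it was dropped, at which point a port-forwarded connection died.
# Assumptions: the INPUT and FORWARD drop rules log with the prefixes "IN-DROP: "
# and "FWD-DROP: ", the public address and DMZ web server are the ones from this
# thread, and the sample lines below are constructed, not captured from Juan's box.
EXT_IP="${EXT_IP:-10.73.219.156}"
WEB_IP="${WEB_IP:-192.168.0.2}"

# field NAME LINE: value of NAME=value in a LOG line, empty if absent. OUT= is
# legitimately empty for packets logged in INPUT.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# classify_drop LINE: one-line diagnosis for a single LOG line.
classify_drop() {
    iif=$(field IN "$1");  oif=$(field OUT "$1")
    src=$(field SRC "$1"); dst=$(field DST "$1")
    spt=$(field SPT "$1"); dpt=$(field DPT "$1")
    if [ -z "$oif" ] && [ "$dst" = "$EXT_IP" ]; then
        # Still addressed to the public IP and headed for a local socket: PREROUTING
        # never rewrote it, so the DNAT rule did not match (-d, -p, --dport, or the
        # nat table was not loaded at all).
        echo "INPUT dropped untranslated $src:$spt -> $dst:$dpt on $iif: PREROUTING DNAT did not match"
    elif [ -n "$oif" ] && [ "$dst" = "$WEB_IP" ]; then
        # Destination already rewritten: NAT did its job, the filter table is at fault.
        echo "FORWARD dropped translated $src:$spt -> $dst:$dpt ($iif->$oif): no ACCEPT for the DNATed flow"
    elif [ -n "$oif" ] && [ "$src" = "$WEB_IP" ]; then
        # The server's answer is routed through us but matched no conntrack entry:
        # the request never passed this box (asymmetric path) or the
        # RELATED,ESTABLISHED rule is missing.
        echo "FORWARD dropped reply $src:$spt -> $dst:$dpt ($iif->$oif): no conntrack entry for it"
    else
        echo "unrelated drop $src:$spt -> $dst:$dpt (in=$iif out=${oif:-local})"
    fi
}

# classify_log: classify every LOG line on stdin (other kernel messages are skipped).
classify_log() {
    grep -E 'IN=.* OUT=' | while IFS= read -r line; do classify_drop "$line"; done
}

# Constructed sample, one line per failure mode, in the kernel LOG target's format.
SAMPLE_LOG='May 18 21:10:02 mail kernel: IN-DROP: IN=eth0 OUT= SRC=200.44.1.9 DST=10.73.219.156 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=3321 DF PROTO=TCP SPT=2286 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 21:11:40 mail kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=200.44.1.9 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3322 DF PROTO=TCP SPT=2287 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 21:12:05 mail kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=200.44.1.9 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=2288 WINDOW=5840 RES=0x00 ACK SYN URGP=0'

# Usage: dmesg | classify_log   or   sh where-did-it-die.sh demo  (runs the sample)
if [ "${1:-}" = "demo" ]; then printf '%s\n' "$SAMPLE_LOG" | classify_log; fi
```

The distinction the script draws is the one the thread keeps circling: a drop logged with OUT empty and the public address still in DST happened before any translation, while a drop with OUT set and DST already 192.168.0.2 proves the DNAT rule worked and moves the search to the FORWARD chain. Pair it with tcpdump on both interfaces, as John suggests, when nothing is logged at all: then the packet never reached the box.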
* Re: forwarding
2004-05-18 21:33 ` forwarding Antony Stone
@ 2004-05-19 4:56 ` Juan Hernandez
0 siblings, 0 replies; 38+ messages in thread
From: Juan Hernandez @ 2004-05-19 4:56 UTC (permalink / raw)
To: netfilter
Everybody...
Thanks a lot for all your great help, now it's fully working and the
problem was -as I said, it HAS to be something stupid- that port 8080
didn't allow me to forward packets, I changed the port and it's fully
working. Please don't hate me, hehehe... BTW, I learned a lot from this
huge discussion. This list is simply great.
Juan
Programmin' Python is like sugar... sweet ;)
* forwarding
@ 2005-03-26 17:48 amir_sarbazi
0 siblings, 0 replies; 38+ messages in thread
From: amir_sarbazi @ 2005-03-26 17:48 UTC (permalink / raw)
To: netdev
hi all
I want the firewall, when it gets a mail request packet, to forward it to
another PC (forward it to 192.168.1.3:25).
How can I do it?
best regards.