From: "Tim"
Subject: forwarding
Date: Sun, 7 Jul 2002 20:25:25 -0700
Sender: netfilter-admin@lists.samba.org
Message-ID: <003101c2262f$33ff1a30$1606d6d1@nebuchadnezza>
To: iptables-list

Well, it looks like my netfilter rules/commands are not forwarding even
though I have

--snip--
## Routing packets (traffic) between INTERNAL and DMZ
"echo "1" /proc/sys/net/ipv4/ip_forward"

## FORWARD rules for traffic between INTERNAL and DMZ
iptables -A FORWARD -i $INTERNAL_NET -o $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $DMZ_NET -o $INTERNAL_NET -j ACCEPT
--snip--

set up in the script and the rules, gentlemen, any ideas? Is there
something wrong with what is in these rules/commands?

Tim Rodriguez-- Mia/Fla.
Network Security Student
--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems, but in the other direction.
The final 1% might not be routing, but check it anyway.
--
From: Antony Stone
Subject: Re: forwarding
Date: Mon, 8 Jul 2002 01:30:29 +0100
Message-ID: <20020708003031.PFFP23840.mta03-svc.ntlworld.com@there>
In-Reply-To: <003101c2262f$33ff1a30$1606d6d1@nebuchadnezza>
To: iptables-list

On Monday 08 July 2002 4:25 am, Tim wrote:
> Well, it looks like my netfilter rules/commands are not forwarding even
> though I have
>
> ## Routing packets (traffic) between INTERNAL and DMZ
> "echo "1" /proc/sys/net/ipv4/ip_forward"

That really says

echo 1 >/proc/sys/net/ipv4/ip_forward
or
echo "1" >/proc/sys/net/ipv4/ip_forward

doesn't it ?

(Note specifically the > sign)

Antony.


From: Antony Stone
Subject: Re: forwarding
Date: Mon, 8 Jul 2002 01:53:20 +0100
Message-ID: <20020708005322.KPDJ4119.mta06-svc.ntlworld.com@there>
In-Reply-To: <003801c22632$521c93a0$1606d6d1@nebuchadnezza>
To: netfilter@lists.samba.org

On Monday 08 July 2002 4:47 am, Tim wrote:
> yes...it does say echo 1 > /proc/sys/net/ipv4/ip_forward .... and when I
> look in file it has the number 1 on it as it should according to this
> command.
Okay, what's the output of

iptables -L -n -v -x
iptables -L -n -v -x -t nat

after you've tried to send some packets through the machine ?

Oh, and just to be sure - how do you know your machine isn't forwarding
packets ? What happens / doesn't happen to tell you it's not working ?

Oh, and by the way - what are the addresses / netmasks on your Internal / DMZ
interfaces, and what's your routing table ?

Antony.


From: "Tim"
Subject: Re: forwarding
Date: Sun, 7 Jul 2002 21:03:24 -0700
Message-ID: <003d01c22634$82a59600$1606d6d1@nebuchadnezza>
To: iptables-list

give me a second and I will get this all for you

Tim
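One way to read the counter output Antony asks for above, as an added example that is not part of this thread: the parser, the diagnosis logic and the sample `iptables -L -n -v -x` output below are all constructed for this example, and the `ip_forward` argument stands in for the contents of /proc/sys/net/ipv4/ip_forward.

```python
"""Read 'iptables -L -n -v -x' output and say why FORWARD rules are not seeing packets.
The sample output below is constructed for this example, not taken from the thread."""
import re

# Built-in chains print a policy with counters; user-defined chains print a reference count.
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|(\d+) references)\)")
# Rule columns as printed by -L -n -v -x (exact counters, no K/M suffixes):
# pkts bytes target prot opt in out source destination [extras]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: the two FORWARD rules never matched, but the DROP policy did.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 1523 packets, 187220 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 37 packets, 2220 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0
       0          0 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2201 packets, 301452 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""


def parse_counters(output):
    """Return {chain: {"policy": str or None, "policy_pkts": int, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "policy_pkts": int(m.group(3) or 0), "rules": []}
            chains[m.group(1)] = current
            continue
        m = RULE_RE.match(line)   # the 'pkts bytes ...' header and blank lines do not match
        if current is not None and m:
            current["rules"].append({
                "pkts": int(m.group(1)), "bytes": int(m.group(2)), "target": m.group(3),
                "prot": m.group(4), "in": m.group(6), "out": m.group(7),
                "src": m.group(8), "dst": m.group(9), "extra": m.group(10).strip()})
    return chains


def diagnose_forward(chains, ip_forward):
    """Classify the FORWARD chain; ip_forward is the text of /proc/sys/net/ipv4/ip_forward."""
    if ip_forward.strip() != "1":
        return "not_forwarding", "ip_forward is not 1, so the kernel routes nothing between interfaces"
    fwd = chains.get("FORWARD")
    if fwd is None:
        return "no_chain", "no FORWARD chain found; is this the filter table?"
    hits = [r for r in fwd["rules"] if r["pkts"] > 0]
    if hits:
        return "rules_match", "%d FORWARD rule(s) have matched packets" % len(hits)
    if fwd["policy_pkts"] > 0:
        # Packets do reach FORWARD, so routing and ip_forward are fine; the rules just
        # do not describe them (typically wrong -i/-o names, e.g. an unset shell variable).
        return "policy_only", ("packets reach FORWARD but match no rule (policy %s counted %d);"
                               " check the -i/-o interface names against the real ones"
                               % (fwd["policy"], fwd["policy_pkts"]))
    return "never_forwarded", ("no packet reached FORWARD; they are either addressed to this host"
                               " (see INPUT) or never routed through it")


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE_OUTPUT)
    for chain, info in parsed.items():
        print(chain, "policy", info["policy"], info["policy_pkts"], "rules", len(info["rules"]))
    print(diagnose_forward(parsed, "1"))
```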
From: alucard@kanux.com
Subject: forwarding
Date: Tue, 18 May 2004 10:22:07 -0400 (VET)
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <33934.200.44.170.105.1084890127.squirrel@200.44.170.105>
To: netfilter@lists.netfilter.org

Hi there again,

I finally decided to add a second card to both, the server and the
client to be able to forward packets from port 8080 in server 1 to port
80 in server 2 and somehow these packets are not going thru, let me
explain my scenario

                   Internet Address
                   Nat'ed Address
                  ---------------
                  |  Linux Box  |
     Server 1     |10.73.219.156|nat'ed' address
                  | 192.168.0.1 |2nd NIC to forward packets
                  ---------------
                      8080
                        |
                        |
                        80
                  ---------------
                  | web server  |
     Server 2     | 192.168.0.2 |
                  |             |
                  ---------------

- Server 1 has a natted address using its 10.73; what I'm trying to do is
  that everything that comes to 10.73.219.156:8080 gets forwarded to
  192.168.0.2:80.

- Server 1 functions as a webserver and that's why I'm using port 8080 in
  order to forward packets to port 80 in server 2

- Here's my Server 1's /etc/rc.d/rc.firewall script because somehow it's
  not working:

-----
echo "Borrando posibles reglas anteriores..."
iptables -F
iptables -X

echo "Habilitando politicas de negacion total de paquetes"

iptables -P FORWARD DROP
iptables -P INPUT DROP

echo "Reglas para paquetes de entrada y salida"

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

## internal
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT

# for the forward
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
    -j DNAT --to-destination 192.168.0.2:80
echo 1 > /proc/sys/net/ipv4/ip_forward
-----

I have done this many times and somehow this time is not working, that
means that I have changed many things using postrouting, nat and dnat. Is
it because any misconfiguration on Server 2's route? here's the output:

-----
[root@linserv root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
-----

Is it because I have to use different INPUT rules? for what I know, INPUT
rules are only for the packets going to the computer itself.

Any suggestions will be great
Thanks a lot as usual to this great mailing list

Juan


From: "John A. Sullivan III"
Subject: Re: forwarding
Date: Tue, 18 May 2004 10:39:41 -0400
Message-ID: <1084891180.6410.18.camel@localhost>
In-Reply-To: <33934.200.44.170.105.1084890127.squirrel@200.44.170.105>
To: alucard@kanux.com
Cc: netfilter@lists.netfilter.org

I think I see it - I'll add a comment in your e-mail within brackets []

On Tue, 2004-05-18 at 10:22, alucard@kanux.com wrote:
> Hi there again,
>
> I finally decided to add a second card to both, the server and the
> client to be able to forward packets from port 8080 in server 1 to port
> 80 in server 2 and somehow these packets are not going thru, let me
> explain my scenario
>
> [...]
>
> - Here's my Server 1's /etc/rc.d/rc.firewall script because somehow it's
>   not working:
>
> [...]
>
> # for the forward
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
>     -j DNAT --to-destination 192.168.0.2:80

[JAS - isn't the packet coming in on 10.73.219.156? In other words, your
NAT rule should be:
iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 -j DNAT --to-destination 192.168.0.2:80]

> echo 1 > /proc/sys/net/ipv4/ip_forward
> -----
>
> [...]
>
> Any suggestions will be great
> Thanks a lot as usual to this great mailing list
>
> Juan
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net


From: alucard@kanux.com
Subject: Re: forwarding
Date: Tue, 18 May 2004 10:49:20 -0400 (VET)
Message-ID: <34002.200.44.170.105.1084891760.squirrel@200.44.170.105>
In-Reply-To: <1084891180.6410.18.camel@localhost>
To: netfilter@lists.netfilter.org

> [JAS - isn't the packet coming in on 10.73.219.156? In other words, your
> NAT rule should be:
> iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 -j
> DNAT --to-destination 192.168.0.2:80]

-p 6? I've never seen this before, what is that rule trying to do?
Thanks for your help pal

Juan


From: Antony Stone
Subject: Re: forwarding
Date: Tue, 18 May 2004 15:44:24 +0100
Message-ID: <200405181544.24474.Antony@Soft-Solutions.co.uk>
In-Reply-To: <33934.200.44.170.105.1084890127.squirrel@200.44.170.105>
Reply-To: netfilter@lists.netfilter.org
To: netfilter@lists.netfilter.org

On Tuesday 18 May 2004 3:22 pm, alucard@kanux.com wrote:
> Hi there again,
>
> I finally decided to add a second card to both, the server and the
> client to be able to forward packets from port 8080 in server 1 to port
> 80 in server 2 and somehow these packets are not going thru, let me
> explain my scenario
>
> - Server 1 has a natted address using its 10.73; what I'm trying to do is
>   that everything that comes to 10.73.219.156:8080 gets forwarded to
>   192.168.0.2:80.
>
> - Server 1 functions as a webserver and that's why I'm using port 8080 in
>   order to forward packets to port 80 in server 2
>
> - Here's my Server 1's /etc/rc.d/rc.firewall script because somehow it's
>   not working:
>
> # for the forward
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
>     -j DNAT --to-destination 192.168.0.2:80
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -----

That nat rule should read:

iptables -t nat -A PREROUTING -d 10.73.219.156 -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80

Regards,

Antony.
--
This email is intended for the use of the individual addressee(s) named above
and may contain information that is confidential, privileged or unsuitable for
overly sensitive persons with low self-esteem, no sense of humour, or
irrational religious beliefs.

If you have received this email in error, you are required to shred it
immediately, add some nutmeg, three egg whites and a dessertspoonful of caster
sugar. Whisk until soft peaks form, then place in a warm oven for 40 minutes.
Remove promptly and let stand for 2 hours before adding some decorative kiwi
fruit and cream. Then notify me immediately by return email and eat the
original message.

Please reply to the list; please don't CC me.


From: alucard@kanux.com
Subject: Re: forwarding
Date: Tue, 18 May 2004 10:57:15 -0400 (VET)
Message-ID: <34012.200.44.170.105.1084892235.squirrel@200.44.170.105>
In-Reply-To: <1084891180.6410.18.camel@localhost>
To: "John A. Sullivan III"
Cc: netfilter@lists.netfilter.org

Hi there again...

Here's my changed rule:

-------
echo "Borrando posibles reglas anteriores..."
iptables -F
iptables -X

echo "Habilitando politicas de negacion total de paquetes"

iptables -P FORWARD DROP
iptables -P INPUT DROP

echo "Reglas para paquetes de entrada y salida"

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

## internal
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT

# for the forward
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 \
    -j DNAT --to-destination 192.168.0.2:80
echo 1 > /proc/sys/net/ipv4/ip_forward
-------

and after I executed this, here's my nmap output

-------
root@mail:~# nmap 10.73.219.156

(The 1652 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
3306/tcp open  mysql
--------

Should I show something else? for what I know, it should be forwarding
packets but is not... port 8080 is not open as nmap shows, any
suggestions?

Thanks a lot as usual...
Juan


From: "John A. Sullivan III"
Subject: Re: forwarding
Date: Tue, 18 May 2004 10:51:17 -0400
Message-ID: <1084891877.6418.28.camel@localhost>
In-Reply-To: <34002.200.44.170.105.1084891760.squirrel@200.44.170.105>
To: alucard@kanux.com
Cc: netfilter@lists.netfilter.org

On Tue, 2004-05-18 at 10:49, alucard@kanux.com wrote:
> > [JAS - isn't the packet coming in on 10.73.219.156? In other words, your
> > NAT rule should be:
> > iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 -j
> > DNAT --to-destination 192.168.0.2:80]
>
> -p 6? I've never seen this before, what is that rule trying to do?
>
Ah, I usually use the protocol numbers directly rather than the names of
the protocols as it saves the lookup to the /etc/protocols file. 6 is the
IP protocol number for TCP. It is the same as saying -p tcp but a little
faster. The main point was the destination address appears to be wrong -
John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com


From: "John A. Sullivan III"
Subject: Re: forwarding
Date: Tue, 18 May 2004 10:58:45 -0400
Message-ID: <1084892325.6417.40.camel@localhost>
In-Reply-To: <34012.200.44.170.105.1084892235.squirrel@200.44.170.105>
To: alucard@kanux.com
Cc: netfilter@lists.netfilter.org

On Tue, 2004-05-18 at 10:57, alucard@kanux.com wrote:
> Hi there again...
>
> Here's my changed rule:
>
> [...]
>
> # for the forward
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 \
>     -j DNAT --to-destination 192.168.0.2:80
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -------
>
> and after I executed this, here's my nmap output
>
> -------
> root@mail:~# nmap 10.73.219.156
>
> (The 1652 ports scanned but not shown below are in state: filtered)
> PORT     STATE SERVICE
> 22/tcp   open  ssh
> 25/tcp   open  smtp
> 80/tcp   open  http
> 143/tcp  open  imap
> 3306/tcp open  mysql
> --------
>
> Should I show something else? for what I know, it should be forwarding
> packets but is not... port 8080 is not open as nmap shows, any
> suggestions?
>
> Thanks a lot as usual...
> Juan

Although it probably did, are you sure nmap scanned port 8080? How about
nmap -sT -p 8080 10.73.219.156

I would then trace both the wire and the iptables rules to find out
where it is breaking - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com


From: Antony Stone
Subject: Re: forwarding
Date: Tue, 18 May 2004 15:56:15 +0100
Message-ID: <200405181556.15769.Antony@Soft-Solutions.co.uk>
In-Reply-To: <34002.200.44.170.105.1084891760.squirrel@200.44.170.105>
Reply-To: netfilter@lists.netfilter.org
To: netfilter@lists.netfilter.org

On Tuesday 18 May 2004 3:49 pm, alucard@kanux.com wrote:
> > [JAS - isn't the packet coming in on 10.73.219.156? In other words, your
> > NAT rule should be:
> > iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 -j
> > DNAT --to-destination 192.168.0.2:80]
>
> -p 6? I've never seen this before, what is that rule trying to do?
It's a slightly unconventional way to specify TCP :)

Protocols have numbers (after all, *everything* has numbers when a computer
gets involved...), and TCP happens to be protocol number 6; UDP is protocol
number 17, and ICMP is protocol number 1.

See /etc/protocols on your own machine for more examples.

Regards,

Antony.

--
There are two possible outcomes:
If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.
- Enrico Fermi

Please reply to the list; please don't CC me.


From: alucard@kanux.com
Subject: Re: forwarding
Date: Tue, 18 May 2004 11:12:56 -0400 (VET)
Message-ID: <34103.200.44.170.105.1084893176.squirrel@200.44.170.105>
In-Reply-To: <1084892325.6417.40.camel@localhost>
To: netfilter@lists.netfilter.org

> Although it probably did, are you sure nmap scanned port 8080? How about
> nmap -sT -p 8080 10.73.219.156
>
> I would then trace both the wire and the iptables rules to find out
> where it is breaking - John

Yes, it filters now but now it seems that the problem is in the 2nd server
because I try to telnet to server 1's 8080 port and I get no response. Is
it any misconfiguration on the router?
take a look at this:
----
root@mail:~# nmap -sT -p 8080 10.73.219.156

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-05-18 11:06 VET
Interesting ports on mail.aeropostal.com.ve (10.73.219.156):
PORT     STATE    SERVICE
8080/tcp filtered http-proxy
----

the webserver in server 2 is working perfectly but I'm not able to reach it
from server one, look at this in server 2, maybe I'm doing something wrong

[root@linserv root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

Thanx a lot for this great help
Juan


From: Antony Stone
Subject: Re: forwarding
Date: Tue, 18 May 2004 16:09:59 +0100
Message-ID: <200405181609.59945.Antony@Soft-Solutions.co.uk>
In-Reply-To: <34012.200.44.170.105.1084892235.squirrel@200.44.170.105>
Reply-To: netfilter@lists.netfilter.org
To: netfilter@lists.netfilter.org

On Tuesday 18 May 2004 3:57 pm, alucard@kanux.com wrote:
> Hi there again...
>
> Here's my changed rule:
>
> -------
> echo "Borrando posibles reglas anteriores..."
> iptables -F
> iptables -X
>
> echo "Habilitando politicas de negacion total de paquetes"
>
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
>
> # for the forward
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -d 10.73.219.156 -p 6 --dport 8080 \
>     -j DNAT --to-destination 192.168.0.2:80
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -------
>
> and after I executed this, here's my nmap output
>
> -------
> root@mail:~# nmap 10.73.219.156
>
> (The 1652 ports scanned but not shown below are in state: filtered)
> PORT     STATE SERVICE
> 22/tcp   open  ssh
> 25/tcp   open  smtp
> 80/tcp   open  http
> 143/tcp  open  imap
> 3306/tcp open  mysql
> --------

Where are you running nmap from?

I wonder if the problem is the routes on machine2 (the genuine web server)
not sending the reply packets back via machine1 (the firewall) correctly?

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

If the requests come in on eth1 but the replies go out on eth0 that would be
a problem.

Regards,

Antony.

--
"The future is already here. It's just not evenly distributed yet."
 - William Gibson

Please reply to the list; please don't CC me.
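As an added example (mine, not code from anyone in this thread) covering both the -d address correction above and Antony's question about Server 2's routes: a Python model of Server 1's PREROUTING/FORWARD decision and of the interface Server 2's reply would leave by, built from the addresses, rules and routing table posted in this thread. The two client addresses and the optional SNAT of the forwarded request to 192.168.0.1 are constructed assumptions, and the -i eth0/lo qualifiers on the INPUT rules are ignored.

```python
"""Model of the port-forward in this thread: Server 1's PREROUTING DNAT rule, its
INPUT/FORWARD filtering (policy DROP), and the route Server 2 uses for the reply.
Addresses, rules and routes are the posted ones; clients and the SNAT option are constructed."""
import ipaddress

FIREWALL_PUBLIC = "10.73.219.156"  # Server 1, eth0 side
FIREWALL_INNER = "192.168.0.1"     # Server 1, eth1 side
WEB_SERVER = "192.168.0.2"         # Server 2

# Server 2's routing table as posted: (prefix, gateway or None, interface)
SERVER2_ROUTES = [
    ("192.168.0.0/24", None, "eth1"),
    ("10.73.216.0/22", None, "eth0"),
    ("169.254.0.0/16", None, "eth0"),
    ("127.0.0.0/8", None, "lo"),
    ("0.0.0.0/0", "192.168.0.1", "eth1"),
]
# INPUT accepts from the posted script (interface qualifiers ignored) and the one FORWARD accept
INPUT_TCP_ACCEPT = {21, 22, 25, 80, 110, 143, 3306}
FORWARD_ACCEPT = [(WEB_SERVER, "tcp", 80)]
# The two PREROUTING rules from the thread: (-d, -p, --dport, DNAT address, DNAT port)
RULE_AS_POSTED = [("192.168.0.1", "tcp", 8080, WEB_SERVER, 80)]
RULE_AS_CORRECTED = [(FIREWALL_PUBLIC, "tcp", 8080, WEB_SERVER, 80)]


def route_lookup(routes, dst):
    """Longest-prefix match like the kernel's FIB; returns (gateway, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else (None, None)


def prerouting_dnat(pkt, rules):
    """First matching DNAT rule rewrites dst/dport (conntrack remembers the mapping)."""
    for dst, proto, dport, new_dst, new_port in rules:
        if (pkt["dst"], pkt["proto"], pkt["dport"]) == (dst, proto, dport):
            return dict(pkt, dst=new_dst, dport=new_port, dnat=True)
    return dict(pkt, dnat=False)


def filter_verdict(pkt):
    """After routing: packets for a local address hit INPUT, all others hit FORWARD."""
    if pkt["dst"] in (FIREWALL_PUBLIC, FIREWALL_INNER):
        return "INPUT:ACCEPT" if pkt["dport"] in INPUT_TCP_ACCEPT else "INPUT:DROP"
    if (pkt["dst"], pkt["proto"], pkt["dport"]) in FORWARD_ACCEPT:
        return "FORWARD:ACCEPT"
    return "FORWARD:DROP"


def trace(client, dnat_rules, snat_to=None):
    """Follow one SYN from client to 10.73.219.156:8080 and find where Server 2's reply goes.
    Packets generated on Server 1 itself never traverse PREROUTING (they use the nat OUTPUT
    chain), so this models traffic arriving on eth0 only."""
    pkt = {"src": client, "dst": FIREWALL_PUBLIC, "proto": "tcp", "dport": 8080}
    pkt = prerouting_dnat(pkt, dnat_rules)
    verdict = filter_verdict(pkt)
    result = {"dnat": pkt["dnat"], "verdict": verdict,
              "reply_iface": None, "returns_via_firewall": False}
    if verdict != "FORWARD:ACCEPT":
        return result
    # With SNAT of the forwarded request, Server 2 answers to Server 1 instead of the client.
    reply_dst = snat_to or pkt["src"]
    _gw, iface = route_lookup(SERVER2_ROUTES, reply_dst)
    result["reply_iface"] = iface
    # Only a reply that goes back through Server 1 (out eth1, toward 192.168.0.1) is un-DNATed.
    # One that leaves straight out eth0 reaches the client from 192.168.0.2:80, an address the
    # client never talked to, so the connection never completes.
    result["returns_via_firewall"] = iface == "eth1"
    return result


if __name__ == "__main__":
    lan_client = "10.73.217.40"  # constructed client on the same /22 as Server 2's eth0
    far_client = "10.50.1.9"     # constructed client outside that /22
    print("posted rule, LAN client:   ", trace(lan_client, RULE_AS_POSTED))
    print("corrected rule, LAN client:", trace(lan_client, RULE_AS_CORRECTED))
    print("corrected rule, far client:", trace(far_client, RULE_AS_CORRECTED))
    print("corrected rule + SNAT, LAN:", trace(lan_client, RULE_AS_CORRECTED, FIREWALL_INNER))
```

The posted rule leaves the packet un-DNATed and it dies in INPUT on port 8080, which is exactly what nmap reported as "filtered"; with the corrected rule, a client on 10.73.216.0/22 still gets its reply straight out of Server 2's eth0, which is the asymmetric path Antony describes.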
From: CPD - David Cardeñosa Rubio
Subject: RE: forwarding
Date: Tue, 18 May 2004 17:33:37 +0200
Message-ID: <7528A97D83FBD411BEF40003471B905B05D8FEF7@smtp.retecal.es>
To: "'netfilter@lists.netfilter.org'"

HI!

if you add

iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
    -j DNAT --to-destination 192.168.0.2:80

you need

iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --dport 80 -j SNAT --to 192.168.0.1:8080

you can test the connections with tcpdump

Regards

David Cardeñosa

-----Original Message-----
From: alucard@kanux.com [mailto:alucard@kanux.com]
Sent: Tuesday, 18 May 2004 17:13
To: netfilter@lists.netfilter.org
Subject: Re: forwarding

> Although it probably did, are you sure nmap scanned port 8080? How about
> nmap -sT -p 8080 10.73.219.156
>
> I would then trace both the wire and the iptables rules to find out
> where it is breaking - John

Yes, it filters now but now it seems that the problem is in the 2nd server
because I try to telnet to server 1's 8080 port and I get no response. Is
it any misconfiguration on the router? take a look at this:
----
root@mail:~# nmap -sT -p 8080 10.73.219.156

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-05-18 11:06 VET
Interesting ports on mail.aeropostal.com.ve (10.73.219.156):
PORT     STATE    SERVICE
8080/tcp filtered http-proxy
----

the webserver in server 2 is working perfectly but I'm not able to reach it
from server one, look at this in server 2, maybe I'm doing something wrong

[root@linserv root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

Thanx a lot for this great help
Juan
From: alucard@kanux.com
Subject: Re: forwarding
Date: Tue, 18 May 2004 11:40:59 -0400 (VET)
Message-ID: <34253.200.44.170.105.1084894859.squirrel@200.44.170.105>
In-Reply-To: <200405181609.59945.Antony@Soft-Solutions.co.uk>
Cc: netfilter@lists.netfilter.org

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> 10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
>
> If the requests come in on eth1 but the replies go out on eth0 that would
> be a problem.

well, in server2 -the one that has to get the packets forwarded from
server1- 192.168 network is in eth1, does anybody see anything wrong with
its route configuration? any suggestions??

Thanks a lot

From: Antony Stone
Subject: Re: forwarding
Date: Tue, 18 May 2004 16:51:16 +0100
Message-ID: <200405181651.16999.Antony@Soft-Solutions.co.uk>
In-Reply-To: <7528A97D83FBD411BEF40003471B905B05D8FEF7@smtp.retecal.es>
To: netfilter@lists.netfilter.org

On Tuesday 18 May 2004 4:33 pm, CPD - David Cardeñosa Rubio wrote:
> HI!
>
> if you add
>
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
>     -j DNAT --to-destination 192.168.0.2:80
>
> you need
>
> iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --dport 80 -j SNAT
> --to 192.168.0.1:8080

No, you don't.

Netfilter handles the reverse-natting of reply packets transparently - you do
not need to specify your own rule for them.

The only reason you would want both the above rules is when you want a machine
accessible on a translated IP address, and you also want *new* connections
from that machine to come from the translated address. In both cases you
specify the rule for the "forward" packets, and the "return" packets get
handled by netfilter.

Regards,

Antony.

--
"640 kilobytes (of RAM) should be enough for anybody." - Bill Gates

Please reply to the list; please don't CC me.

From: "John A. Sullivan III"
Subject: RE: forwarding
Date: Tue, 18 May 2004 11:47:49 -0400
Message-ID: <1084895268.7272.2.camel@localhost>
In-Reply-To: <7528A97D83FBD411BEF40003471B905B05D8FEF7@smtp.retecal.es>
To: CPD - David Cardeñosa Rubio
Cc: netfilter@lists.netfilter.org

I do not believe that is necessarily true. I'm not the expert but I
believe that if all you want is inbound access, connection tracking will
take care of the source alteration. You would only need SNAT if you
wanted to originate outbound packets with the altered source. Someone
please correct me if I am wrong - John

On Tue, 2004-05-18 at 11:33, CPD - David Cardeñosa Rubio wrote:
> HI!
>
> if you add
>
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 8080 \
>     -j DNAT --to-destination 192.168.0.2:80
>
> you need
>
> iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --dport 80 -j
> SNAT --to 192.168.0.1:8080
>
> you can test the connections with tcpdump
>
> Regards
>
> David Cardeñosa
>
> -----Original Message-----
> From: alucard@kanux.com [mailto:alucard@kanux.com]
> Sent: Tuesday, 18 May 2004 17:13
> To: netfilter@lists.netfilter.org
> Subject: Re: forwarding
>
> > Although it probably did, are you sure nmap scanned port 8080? How
> > about
> > nmap -sT -p 8080 10.73.219.156
> >
> > I would then trace both the wire and the iptables rules to find out
> > where it is breaking - John
>
> Yes, it filters now but now it seems that the problem is in the 2nd
> server because I try to telnet to server 1's 8080 port and I get no
> response. Is it any misconfiguration on the router? take a look at this:
> ----
> root@mail:~# nmap -sT -p 8080 10.73.219.156
>
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-05-18
> 11:06 VET
> Interesting ports on mail.aeropostal.com.ve (10.73.219.156):
> PORT     STATE    SERVICE
> 8080/tcp filtered http-proxy
> ----
>
> the webserver in server 2 is working perfectly but I'm not able to
> reach it from server one, look at this in server 2, maybe I'm doing
> something wrong
>
> [root@linserv root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> 10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
>
> Thanx a lot for this great help
> Juan
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com

From: Antony Stone
Subject: Re: forwarding
Date: Tue, 18 May 2004 16:53:01 +0100
Message-ID: <200405181653.01776.Antony@Soft-Solutions.co.uk>
In-Reply-To: <34253.200.44.170.105.1084894859.squirrel@200.44.170.105>
To: netfilter@lists.netfilter.org

On Tuesday 18 May 2004 4:40 pm, alucard@kanux.com wrote:
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> > 10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
> > 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> > 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> > default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
> >
> > If the requests come in on eth1 but the replies go out on eth0 that would
> > be a problem.
>
> well, in server2 -the one that has to get the packets forwarded from
> server1- 192.168 network is in eth1, does anybody see anything wrong with
> its route configuration? any suggestions??

Yes, but where are you doing the nmap testing from? Surely not the machine
with the nat rules on it?? (That won't work.)

Server 2 has to have a route to send the reply packets back to the machine
doing the testing. The packets will not have the source address of server1.

Regards,

Antony.

--
In Heaven, the police are British, the chefs are Italian, the beer is Belgian,
the mechanics are German, the lovers are French, the entertainment is American,
and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American,
the mechanics are French, the lovers are Swiss, the entertainment is Belgian,
and everything is organised by the Italians.

Please reply to the list; please don't CC me.

From: "John A. Sullivan III"
Subject: Re: forwarding
Date: Tue, 18 May 2004 11:53:08 -0400
Message-ID: <1084895498.7289.7.camel@localhost>
In-Reply-To: <34103.200.44.170.105.1084893176.squirrel@200.44.170.105>
To: alucard@kanux.com
Cc: netfilter@lists.netfilter.org

On Tue, 2004-05-18 at 11:12, alucard@kanux.com wrote:
> > Although it probably did, are you sure nmap scanned port 8080? How about
> > nmap -sT -p 8080 10.73.219.156
> >
> > I would then trace both the wire and the iptables rules to find out
> > where it is breaking - John
>
> Yes, it filters now but now it seems that the problem is in the 2nd server
> because I try to telnet to server 1's 8080 port and I get no response. Is
> it any misconfiguration on the router? take a look at this:
> ----
> root@mail:~# nmap -sT -p 8080 10.73.219.156
>
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-05-18 11:06 VET
> Interesting ports on mail.aeropostal.com.ve (10.73.219.156):
> PORT     STATE    SERVICE
> 8080/tcp filtered http-proxy
> ----
>
> the webserver in server 2 is working perfectly but I'm not able to reach it
> from server one, look at this in server 2, maybe I'm doing something wrong
>
> [root@linserv root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> 10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

At first glance, the routing looks correct but I hope you are not trying
to access the web server from the Linux box. You will have more accurate
results if you try to access through it. If you try to telnet from the
Linux box, you may find it uses a source address of 10.73.219.156. The
web server will then try to respond out interface eth0. I believe there
is an option to override the source port of telnet - -b I think. You
will also need to ensure that nothing is interfering in the INPUT and
OUTPUT chains. I would suggest testing through the Linux Box rather than
from it - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net

From: alucard@kanux.com
Subject: Re: forwarding
Date: Tue, 18 May 2004 12:38:23 -0400 (VET)
Message-ID: <34404.200.44.170.105.1084898303.squirrel@200.44.170.105>
In-Reply-To: <1084895498.7289.7.camel@localhost>
To: "John A. Sullivan III"
Cc: alucard@kanux.com, netfilter@lists.netfilter.org

All right, let me explain my current setup because it is not working after
all your great help, let me put here step by step everything that is
currently going on here.

-Server 1 has this /etc/rc.d/rc.firewall script:

#-----

-in order to avoid any eth0/eth1 packets confusion, I have only one NIC in
server2, the one that has the second webserver. This is the server2's
route output:

-----route script
[root@linserv root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
-----route script

It seems to be ok, from server2 I can access server1 thru 192.168 network
but, what concerns me is that, it takes too long to show the default
router, it gets stuck in lo about a minute. About accessing it from
server1 using telnet, I have a remote server trying to access ip:8080 and
it still gets no answer, even though the nmap record shows that port 8080
in server one is filtered

Thanx a lot for this great help, I really appreciated it

Peace
Juan
Programmin' Python is like sugar... Sweet! ;)

From: CPD - David Cardeñosa Rubio
Subject: RE: forwarding
Date: Tue, 18 May 2004 19:04:52 +0200
Message-ID: <7528A97D83FBD411BEF40003471B905B05D8FEFC@smtp.retecal.es>
To: alucard@kanux.com
Cc: netfilter@lists.netfilter.org

hi

I'm testing your configuration in my test machines and it works for me

                                                     Firewall                               web server
172.40.x.x (yes, local network with public ip, aggg) ----- [172.40.42.200 - 192.168.150.1] ----- [192.168.150.2]

firewall:~# iptables -L -t nat -n -v
Chain PREROUTING (policy ACCEPT 259 packets, 35934 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   144 DNAT       tcp  --  *      *       0.0.0.0/0            172.40.43.200        tcp dpt:8080 to:192.168.150.2:80

Chain POSTROUTING (policy ACCEPT 39 packets, 2680 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1499 bytes)
 pkts bytes target     prot opt in     out     source               destination
firewall:~#

firewall:~# iptables -L -n -v
Chain INPUT (policy DROP 15 packets, 1455 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2943  293K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 1 packets, 72 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3963 3939K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.150.2        tcp dpt:80

Chain OUTPUT (policy ACCEPT 3794 packets, 283K bytes)
 pkts bytes target     prot opt in     out     source               destination
firewall:~#

balanceador:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.150.0   0.0.0.0         255.255.255.252 U     0      0        0 eth1
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.150.1   0.0.0.0         UG    0      0        0 eth1
balanceador:~#

firewall:~# tcpdump -n tcp src or dst port 80 or 8080
tcpdump: listening on eth0
20:01:06.945606 172.60.60.75.2286 > 172.40.43.200.8080: S 1752076561:1752076561(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:01:06.946034 172.40.43.200.8080 > 172.60.60.75.2286: S 2920282127:2920282127(0) ack 1752076562 win 5840 <mss 1460,nop,nop,sackOK> (DF)
20:01:06.946273 172.60.60.75.2286 > 172.40.43.200.8080: . ack 1 win 17520 (DF)
20:01:17.851129 172.60.60.75.2286 > 172.40.43.200.8080: P 1:3(2) ack 1 win 17520 (DF)
20:01:17.851467 172.40.43.200.8080 > 172.60.60.75.2286: . ack 3 win 5840 (DF)

balanceador:~# tcpdump -i eth1 -n tcp src or dst port 80
tcpdump: listening on eth1
21:08:36.116571 172.60.60.75.2286 > 192.168.150.2.80: S 1752076561:1752076561(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
21:08:36.116668 192.168.150.2.80 > 172.60.60.75.2286: S 2920282127:2920282127(0) ack 1752076562 win 5840 <mss 1460,nop,nop,sackOK> (DF)
21:08:36.117201 172.60.60.75.2286 > 192.168.150.2.80: . ack 1 win 17520 (DF)
21:08:47.022155 172.60.60.75.2286 > 192.168.150.2.80: P 1:3(2) ack 1 win 17520 (DF)
21:08:47.022211 192.168.150.2.80 > 172.60.60.75.2286: . ack 3 win 5840 (DF)

From: "John A. Sullivan III"
Subject: Re: forwarding
Date: Tue, 18 May 2004 13:02:57 -0400
Message-ID: <1084899777.7261.17.camel@localhost>
In-Reply-To: <34404.200.44.170.105.1084898303.squirrel@200.44.170.105>
To: alucard@kanux.com
Cc: netfilter@lists.netfilter.org

On Tue, 2004-05-18 at 12:38, alucard@kanux.com wrote:
> All right, let me explain my current setup because it is not working after
> all your great help, let me put here step by step everything that is
> currently going on here.
>
> -Server 1 has this /etc/rc.d/rc.firewall script:
>
> #-----
>
> -in order to avoid any eth0/eth1 packets confusion, I have only one NIC
> in server2, the one that has the second webserver. This is the server2's
> route output:
>
> -----route script
> [root@linserv root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
> -----route script
>
> It seems to be ok, from server2 I can access server1 thru 192.168 network
> but, what concerns me is that, it takes too long to show the default
> router, it gets stuck in lo about a minute. About accessing it from
> server1 using telnet, I have a remote server trying to access ip:8080 and
> it still gets no answer, even though the nmap record shows that port 8080
> in server one is filtered
>
> Thanx a lot for this great help, I really appreciated it
>
> Peace
> Juan
> Programmin' Python is like sugar... Sweet! ;)

OK - it's good to simplify :-)

You should not need the INPUT rule for 8080.

The delay in finding the default route is route's attempt at reverse
name resolution. Use route -n instead.

Our next step is to trace. From what address are you attempting to
telnet and where does that address live?
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com

From: "Daniel Chemko"
Subject: RE: forwarding
Date: Tue, 18 May 2004 11:04:57 -0700
Message-ID: <7C9884991ADAE0479C14F10C858BCDF5679349@alderaan.smgtec.com>
To: "John A. Sullivan III", CPD - David Cardeñosa Rubio
Cc: netfilter@lists.netfilter.org

John A. Sullivan III wrote:
> I do not believe that is necessarily true. I'm not the expert but I
> believe that if all you want is inbound access, connection tracking
> will take care of the source alteration. You would only need SNAT if
> you wanted to originate outbound packets with the altered source.
> Someone please correct me if I am wrong - John

If the default route does not route back through the Linux server, you are
required to SNAT the packet back to the firewall's address basically forcing
the respondee to keep the firewall in-the-loop so to speak. Netfilter will
NOT allow a one way stream into the system since the second packet sent by
the client (ACK) is marked as INVALID by the state machine since it never
received a SYNACK in response to the initial packet.

From: alucard@kanux.com
Subject: Re: forwarding
Date: Tue, 18 May 2004 14:21:37 -0400 (VET)
Message-ID: <4290.192.168.74.21.1084904497.squirrel@192.168.74.21>
In-Reply-To: <1084899777.7261.17.camel@localhost>
To: "John A. Sullivan III"
Cc: netfilter@lists.netfilter.org

> OK - it's good to simplify :-)
> You should not need the INPUT rule for 8080.

It's commented, it's an old rule for something I used to have in that
server

> The delay in finding the default route is route's attempt at reverse
> name resolution. Use route -n instead.

Indeed, this is what I get in server2

--------
[root@linserv root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
--------

> Our next step is to trace. From what address are you attempting to
> telnet and where does that address live?

I'm using a completely different address to try to access the server from
the outside, to be more specific, I'm doing this at work and I'm using the
computers in my house to do this test and nothing happens.

If I telnet port 80 server2 directly from server1 I get this -to make sure
it's working-:

--------
root@mail:~# telnet 192.168.0.2 80
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
^]
telnet>
--------

Thanks dude

Peace
Juan
Programmin' Python is like sugar... Sweet! ;)

From: "Daniel Chemko"
Subject: RE: forwarding
Date: Tue, 18 May 2004 11:23:38 -0700
Message-ID: <7C9884991ADAE0479C14F10C858BCDF567934A@alderaan.smgtec.com>
To: alucard@kanux.com, "John A. Sullivan III"
Cc: netfilter@lists.netfilter.org

iptables -t nat -A POSTROUTING --destination ${server2} -j SNAT --to
${server1_internal_ip}

This is the last time I try to respond to you since you've been ignoring
the rest. SNAT traffic from server 1 to server 2. Period. There's no
magic. Put it in, then the system will magically work. Well, replace the
${}'s with the actual values first.

If you even get this email, let me know cause I feel like I'm falling on
deaf ears.
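The thread has by now made three separate claims about the DNAT port-forward: Antony and John say replies are un-translated by connection tracking without any SNAT rule; Daniel says SNAT is required when server 2's default route does not lead back through server 1; and Antony says testing from the NAT box itself cannot work. The following is an added example, not code from the thread or from netfilter, that models just enough of the PREROUTING -> FORWARD -> POSTROUTING path and of the conntrack table to show all three are consistent: each depends on whether the SYN/ACK physically passes back through the firewall. Addresses are the ones posted in the thread; the outside client 203.0.113.10 and the alternative gateway 10.73.216.1 are constructed, and the class and function names are this example's own.

```python
"""Model of a netfilter DNAT port-forward and of its reply path (added example).

A SYN from an outside client to server 1's public address :8080 is DNATed to
server 2 :80.  Whether the client ever sees a usable SYN/ACK depends on whether
server 2's answer comes back through server 1, where the conntrack entry
recorded on the way in undoes the translation.
"""
from dataclasses import dataclass, replace

FW_PUBLIC = "10.73.219.156"   # server 1, outside address (the nmap target)
FW_INTERNAL = "192.168.0.1"   # server 1, inside address (server 2's default gateway)
BACKEND = "192.168.0.2"       # server 2, the real web server
CLIENT = "203.0.113.10"       # constructed outside client (TEST-NET-3)
OTHER_GW = "10.73.216.1"      # constructed: a gateway for server 2 that is NOT server 1


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # "SYN" or "SYN/ACK"


class Firewall:
    """Server 1 with the thread's rules: nat PREROUTING DNAT :8080 -> BACKEND:80,
    filter FORWARD policy DROP with ACCEPT for RELATED,ESTABLISHED and BACKEND:80,
    and (optionally) Daniel's nat POSTROUTING SNAT to the inside address."""

    def __init__(self, snat=False):
        self.snat = snat
        self.conntrack = {}  # expected reply tuple -> original (pre-NAT) packet

    def forward(self, pkt):
        """A packet arriving on an interface. Returns the packet as sent on, or None if dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Reply direction: ESTABLISHED, and conntrack reverses the NAT by itself.
            orig = self.conntrack[key]
            return replace(pkt, src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)
        out = pkt
        if out.dst == FW_PUBLIC and out.dport == 8080:      # nat PREROUTING: DNAT
            out = replace(out, dst=BACKEND, dport=80)
        if not (out.dst == BACKEND and out.dport == 80):     # filter FORWARD: policy DROP
            return None
        if self.snat:                                        # nat POSTROUTING: SNAT
            out = replace(out, src=FW_INTERNAL)
        # Record the tuple the reply will carry *as it arrives here*, mapped to the original.
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out


class Backend:
    """Server 2: answers a SYN on :80 and routes the SYN/ACK by its own table."""

    def __init__(self, default_gw):
        self.default_gw = default_gw

    def answer(self, pkt):
        reply = Packet(BACKEND, 80, pkt.src, pkt.sport, "SYN/ACK")
        # The answer reaches server 1 if it is addressed to it (SNAT case) or if server 1
        # is the default gateway; any other gateway means it bypasses the firewall entirely.
        via_firewall = reply.dst == FW_INTERNAL or self.default_gw == FW_INTERNAL
        return reply, via_firewall


def handshake(snat, backend_default_gw):
    """Client SYN -> server 1 -> server 2 -> SYN/ACK back. Returns what the client observes."""
    fw, backend = Firewall(snat=snat), Backend(backend_default_gw)
    syn = Packet(CLIENT, 2286, FW_PUBLIC, 8080, "SYN")
    to_backend = fw.forward(syn)
    if to_backend is None:
        return "dropped in FORWARD"
    synack, via_firewall = backend.answer(to_backend)
    if via_firewall:
        synack = fw.forward(synack)  # conntrack hit: source rewritten back to FW_PUBLIC:8080
    # A client only accepts a SYN/ACK from the exact tuple it connected to.
    if (synack.src, synack.sport, synack.dst, synack.dport) == (FW_PUBLIC, 8080, CLIENT, 2286):
        return "connected"
    return f"SYN/ACK from {synack.src}:{synack.sport} does not match any client socket"


if __name__ == "__main__":
    for snat in (False, True):
        for gw in (FW_INTERNAL, OTHER_GW):
            print(f"snat={snat!s:5} server2 default gw={gw:14} -> {handshake(snat, gw)}")
```

With server 2's default route via 192.168.0.1, the handshake completes with or without SNAT, which is Antony's and John's point. With any other default gateway the SYN/ACK reaches the client straight from 192.168.0.2:80, the client has no socket for that tuple, and the connection never establishes; adding the POSTROUTING SNAT makes server 2 address its reply to server 1 itself, which is what Daniel's rule does. Not modelled, but the reason for Antony's "that won't work": a connection started on server 1 itself traverses the nat table's OUTPUT chain, never PREROUTING, so the DNAT rule above is never consulted for it.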
From mboxrd@z Thu Jan 1 00:00:00 1970 From: Antony Stone Subject: Re: forwarding Date: Tue, 18 May 2004 19:28:09 +0100 Sender: netfilter-admin@lists.netfilter.org Message-ID: <200405181928.09292.Antony@Soft-Solutions.co.uk> References: <33934.200.44.170.105.1084890127.squirrel@200.44.170.105> <1084899777.7261.17.camel@localhost> <4290.192.168.74.21.1084904497.squirrel@192.168.74.21> Reply-To: netfilter@lists.netfilter.org Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <4290.192.168.74.21.1084904497.squirrel@192.168.74.21> Errors-To: netfilter-admin@lists.netfilter.org List-Help: List-Post: List-Subscribe: , List-Id: List-Unsubscribe: , List-Archive: Content-Type: text/plain; charset="iso-8859-1" To: netfilter@lists.netfilter.org On Tuesday 18 May 2004 7:21 pm, alucard@kanux.com wrote: > > Our next step is to trace. From what address are you attempting to > > telnet and where does that address live? > > I=B4m using a completly different address to try to access the server f= rom > the outside, to be more specific, I'm doing this at work and I'm using = the > computers in my house to do this test and nothing happens. What result do you get if you traceroute from home to work? Unless you have been disguising the IP addresses without telling us, I do= n't=20 see how you can contact 10.72.219.156 across the Internet.... Regards, Antony. --=20 Your work is both good and original. Unfortunately the parts that are go= od=20 aren't original, and the parts that are original aren't good. - Samuel Johnson Please reply to the = list; please don't C= C me. 
From: alucard@kanux.com
Subject: Re: forwarding
Date: Tue, 18 May 2004 14:42:36 -0400 (VET)
Cc: netfilter@lists.netfilter.org

> see how you can contact 10.72.219.156 across the Internet....
>

It's a NATed address from my ISP

Juan


From: alucard@kanux.com
Subject: RE: forwarding
Date: Tue, 18 May 2004 14:50:03 -0400 (VET)
To: Daniel Chemko
Cc: "John A. Sullivan III", netfilter@lists.netfilter.org

> iptables -t nat -A POSTROUTING --destination ${server2} -j SNAT --to
> ${server1_internal_ip}
>
> This is the last time I try to respond to you since you've been ignoring
> the rest. SNAT traffic from server 1 to server 2. Period. There's no
> magic. Put it in, then the system will magically work. Well, replace the
> ${}'s with the actual values first.
>

Dude, it's not that I wasn't reading or not paying attention to your posts, I really appreciate them; it's just that (and this is why I like this list so much) I had a LOT of replies trying to help. From what I can see now, I have to be doing something VERY stupid that is not allowing me to do what I need, so I'm sending (again) my script mixed with your recommendations for you to read it and suggest something.

-----
echo "Flushing any previous rules..."
iptables -F
iptables -X
# iptables -F only touches the filter table; flush nat too, otherwise every
# run of this script appends duplicate PREROUTING/POSTROUTING rules
iptables -t nat -F

echo "Enabling deny-all policies for packets"
iptables -P FORWARD DROP
iptables -P INPUT DROP

echo "Rules for inbound and outbound packets"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

## internal
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT

# for forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
# external 10.73.219.156:8080 -> internal web server 192.168.0.2:80
iptables -t nat -A PREROUTING -d 10.73.219.156 -p tcp --dport 8080 \
    -j DNAT --to-destination 192.168.0.2:80
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING --destination 192.168.0.2 -j SNAT --to \
    10.73.219.156
-----

Thanks a lot again for this great help

Peace

Juan

Programmin' Python is like sugar... Sweet! ;)


From: "John A. Sullivan III"
Subject: RE: forwarding
Date: Tue, 18 May 2004 15:15:44 -0400
To: Daniel Chemko
Cc: alucard@kanux.com, netfilter@lists.netfilter.org

On Tue, 2004-05-18 at 14:23, Daniel Chemko wrote:
> iptables -t nat -A POSTROUTING --destination ${server2} -j SNAT --to
> ${server1_internal_ip}
>
> This is the last time I try to respond to you since you've been ignoring
> the rest. SNAT traffic from server 1 to server 2. Period. There's no
> magic. Put it in, then the system will magically work. Well, replace the
> ${}'s with the actual values first.
>
> If you even get this email, let me know cause I feel like I'm falling on
> deaf ears.

Daniel, that was a problem, but he has changed the default gateway to ensure that the packets do make it back to the gateway. From a previous post:

[root@linserv root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.73.216.0     *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

I believe 192.168.0.1 is the gateway.

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com


From: "John A. Sullivan III"
Subject: Re: forwarding
Date: Tue, 18 May 2004 15:22:00 -0400
To: alucard@kanux.com
Cc: netfilter@lists.netfilter.org

On Tue, 2004-05-18 at 14:21, alucard@kanux.com wrote:
> > OK - it's good to simplify :-)
> > You should not need the INPUT rule for 8080.
> It's commented; it's an old rule for something I used to have in that server
>
> > The delay in finding the default route is route's attempt at reverse
> > name resolution. Use route -n instead.
>
> Indeed, this is what I get in server2
>
> --------
> [root@linserv root]# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
> --------
>
> > Our next step is to trace. From what address are you attempting to
> > telnet and where does that address live?
>
> I'm using a completely different address to try to access the server from
> the outside; to be more specific, I'm doing this at work and I'm using the
> computers in my house to do this test and nothing happens. If I telnet to
> port 80 on server2 directly from server1 I get this (to make sure it's
> working):
>
> --------
> root@mail:~# telnet 192.168.0.2 80
> Trying 192.168.0.2...
> Connected to 192.168.0.2.
> Escape character is '^]'.
> ^]
> telnet>
> --------

Ok - so this is where the tracing comes in. I assume you are sending a packet from your home network to some public IP. Your ISP is then NATting this to 10.73.219.156. Using tcpdump or ethereal, can you see the packet arrive at 10.73.219.156? If so, can you see the packet leave 192.168.0.1? If so, what are the source and destination sockets of the egressing packet? Do you see a reply packet? How is it addressed?

If you do not see a packet exiting the gateway on the 192.168.0.1 interface, place log rules at the various points of your tables to find out where the packet is dying.

Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com


From: Antony Stone
Subject: Re: forwarding
Date: Tue, 18 May 2004 19:42:17 +0100
To: netfilter@lists.netfilter.org

On Tuesday 18 May 2004 7:23 pm, Daniel Chemko wrote:

> iptables -t nat -A POSTROUTING --destination ${server2} -j SNAT --to
> ${server1_internal_ip}
>
> This is the last time I try to respond to you since you've been ignoring
> the rest.

Who are you talking to here (your posting was addressed to two individuals, plus the list), and what is "the rest" you refer to?

I have only seen one other email from you in this thread, and that was in response to a somewhat off-topic posting about reverse routing, which IMHO didn't require a response...

We don't want anyone to feel left out on this list, but if you've posted other comments and not had a response, the reason is probably that other list subscribers haven't seen what you said yet (no, I don't know why that would be).

By the way, I disagree that the above SNAT rule is required.

Regards,

Antony.

--
Most people have more than the average number of legs.

Please reply to the list; please don't CC me.
From: "Daniel Chemko"
Subject: RE: forwarding
Date: Tue, 18 May 2004 13:33:00 -0700
To: netfilter@lists.netfilter.org

Antony Stone wrote:
> On Tuesday 18 May 2004 7:23 pm, Daniel Chemko wrote:
>
>> iptables -t nat -A POSTROUTING --destination ${server2} -j SNAT --to
>> ${server1_internal_ip}
>>
>> This is the last time I try to respond to you since you've been
>> ignoring the rest.
>
> Who are you talking to here (your posting was addressed to two
> individuals, plus the list), and what is "the rest" you refer to?
>
> I have only seen one other email from you in this thread, and that
> was in response to a somewhat off-topic posting about reverse
> routing, which IMHO didn't require a response...
>
> We don't want anyone to feel left out on this list, but if you've
> posted other comments and not had a response, the reason is probably
> that other list subscribers haven't seen what you said yet (no, I
> don't know why that would be).

Sorry, I was referring to the last thread the poster opened, not this one. I agree with the rest. I forgot that he had implemented the two-card solution already.
From: "Daniel Chemko"
Subject: RE: forwarding
Date: Tue, 18 May 2004 13:48:48 -0700
To: alucard@kanux.com
Cc: "John A. Sullivan III", netfilter@lists.netfilter.org

Ok, one more thing:

Is the address 10.73.219.156 the only IP address on the external interface of server1?

If you don't bind the 10.73.219.156 IP address to the ethernet interface on server1, then hosts on that network won't be able to find the server even with the PREROUTING rule. You could solve this with proxy ARP or by simply adding another IP address to the outside interface.

This may be redundant, but I don't believe the external interface has been discussed at all as a possible issue.


From: "John A. Sullivan III"
Subject: RE: forwarding
Date: Tue, 18 May 2004 17:15:23 -0400
To: Daniel Chemko
Cc: alucard@kanux.com, netfilter@lists.netfilter.org

On Tue, 2004-05-18 at 16:48, Daniel Chemko wrote:
> Ok, one more thing:
>
> Is the address 10.73.219.156 the only IP address on the external
> interface of server1?
>
> If you don't bind the 10.73.219.156 IP address to the ethernet interface
> on server1, then hosts on that network won't be able to find the server
> even with the PREROUTING rule. You could solve this with proxy ARP or by
> simply adding another IP address to the outside interface.
>
> This may be redundant, but I don't believe the external interface has been
> discussed at all as a possible issue.

I believe that is the only address bound to the external interface. The entire unusual premise is that that is the only address available. There is already a web server at that address listening on port 80, and the user wants to give users access to a different web server. Since he only has the one IP address, he is sending traffic for the second web server to port 8080 and then DNATting that traffic to the other web server on port 80.

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net


From: Antony Stone
Subject: Re: forwarding
Date: Tue, 18 May 2004 22:33:34 +0100
To: netfilter@lists.netfilter.org

On Tuesday 18 May 2004 7:21 pm, alucard@kanux.com wrote:

> I'm using a completely different address to try to access the server from
> the outside; to be more specific, I'm doing this at work and I'm using the
> computers in my house to do this test and nothing happens. If I telnet to
> port 80 on server2 directly from server1 I get this (to make sure it's
> working):
>
> --------
> root@mail:~# telnet 192.168.0.2 80
> Trying 192.168.0.2...
> Connected to 192.168.0.2.
> Escape character is '^]'.
> ^]
> telnet>
> --------

A couple of suggestions:

1. Try a totally different port number (in the PREROUTING nat rule, and when you telnet to test things) to see if there's some problem with 8080. You know that port 80 can get to the firewall (because it's running its own web server), so try TCP port 88 perhaps instead of 8080.

2. Remove the PREROUTING nat rule, make sure any dropped packets on INPUT are getting LOGged, and then telnet from the outside to port 8080 again - and make sure you see them in the log output. This is just one way of making sure that the requests to port 8080 are making it as far as the netfilter machine so that it can nat them on to the real server.

Also, what does "iptables -L -nvx; iptables -L -t nat -nvx" tell you in the packet / byte counters? Does it look like any packets are getting natted and/or forwarded?

Regards,

Antony.

--
The first fifty percent of an engineering project takes ninety percent of the time, and the remaining fifty percent takes another ninety percent of the time.

Please reply to the list; please don't CC me.
From: Juan Hernandez
Subject: Re: forwarding
Date: Tue, 18 May 2004 21:56:46 -0700
To: netfilter@lists.netfilter.org

Everybody...

Thanks a lot for all your great help; now it's fully working, and the problem was (as I said, it HAS to be something stupid) that port 8080 didn't allow me to forward packets. I changed the port and it's fully working. Please don't hate me, hehehe...

BTW, I learned a lot from this huge discussion. This list is simply great.

Juan

Programmin' Python is like sugar... sweet ;)


From: amir_sarbazi
Subject: forwarding
Date: Sat, 26 Mar 2005 22:18:17 +0430
Reply-To: backslash46@yahoo.com
To: netdev@oss.sgi.com

Hi all,

I want the firewall, when it gets a mail request packet, to forward it to another PC (forward it to 192.168.1.3:25). How can I do it?

Best regards.
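An added example, not code from any message in this archive, covering two things the thread keeps circling: the rule pair needed for a single-address port forward (Juan's 10.73.219.156:8080 to 192.168.0.2:80, and equally the port 25 to 192.168.1.3:25 question just above), and the counter check Antony suggested with "iptables -L -t nat -nvx". Juan's outcome, where 8080 never worked but another port did, is exactly the "rule present but never matched" case below: if the DNAT rule's packet counter stays at zero while you connect from outside, the packets are not reaching the box on that port at all, so the fault is upstream (ISP filtering, the external address not bound to the interface) rather than in the nat or filter tables. The listing in the block is constructed to look like PREROUTING output; the helper names dnat_rules, dnat_hits and dnat_verdict are this example's own. Nothing in it calls iptables, so it runs without root.

```shell
#!/bin/sh
# Added example, not code from any message in this archive.
# Helpers (names are this example's own):
#   dnat_rules   builds the PREROUTING DNAT rule and the matching FORWARD
#                accept for one "public-ip:port -> internal-ip:port" forward
#   dnat_hits    reads "iptables -t nat -L PREROUTING -nvx" output and prints
#                the packet counter of the DNAT rule for a destination port
#   dnat_verdict turns that counter into the next debugging step
# Nothing here calls iptables; the listing below is constructed sample data.

# dnat_rules EXT_IP EXT_PORT INT_IP INT_PORT
# No SNAT is needed for the replies as long as the internal host's default
# gateway is the firewall: conntrack undoes the DNAT on the way back.
dnat_rules() {
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$2" "$3" "$4"
    printf 'iptables -A FORWARD -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$3" "$4"
}

# Constructed sample of "iptables -t nat -L PREROUTING -nvx": the 8080 rule
# from the thread has never matched, a second rule on port 88 has.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 1523 packets, 98210 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            10.73.219.156        tcp dpt:8080 to:192.168.0.2:80
      17     1020 DNAT       tcp  --  *      *       0.0.0.0/0            10.73.219.156        tcp dpt:88 to:192.168.0.2:80'

# dnat_hits LISTING DPORT
# Prints the pkts column of the DNAT rule whose match is "dpt:DPORT".
# Exit status 1 if the listing has no DNAT rule for that port.
dnat_hits() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $3 == "DNAT" {
            for (i = 4; i <= NF; i++)
                if ($i == ("dpt:" port)) { print $1; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# dnat_verdict LISTING DPORT
# Exit status: 0 rule matched, 1 no rule, 2 rule present but never matched.
dnat_verdict() {
    hits=$(dnat_hits "$1" "$2") || { echo "no DNAT rule for port $2"; return 1; }
    if [ "$hits" -eq 0 ]; then
        echo "DNAT rule for port $2 never matched: packets are not reaching the firewall on that port (check upstream filtering or the bound address; remove the DNAT rule and LOG drops in INPUT to confirm)"
        return 2
    fi
    echo "DNAT rule for port $2 matched $hits packets: check FORWARD counters and the reply path from the internal host"
    return 0
}

# Stand-alone demonstration against the constructed listing
dnat_rules 10.73.219.156 8080 192.168.0.2 80
dnat_verdict "$SAMPLE_NAT" 8080 || true
dnat_verdict "$SAMPLE_NAT" 88 || true
```

On a live firewall, as root, zero the counters first with "iptables -t nat -Z", make one connection attempt from outside, then feed the real listing in: dnat_verdict "$(iptables -t nat -L PREROUTING -nvx)" 8080. A counter that moves in PREROUTING but not in FORWARD points at the filter table or ip_forward; a counter that never moves means the packets are dying before netfilter sees them, which is where Antony's "try another port" and "LOG the drops with the DNAT rule removed" steps apply.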