* port translation
@ 2004-01-11 10:21 Romain Moyne
  2004-01-11 11:37 ` Antony Stone
                   ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Romain Moyne @ 2004-01-11 10:21 UTC (permalink / raw)
  To: netfilter

Hello,

I'm French and my English is bad ;)

I have an http server (debian 3.0) behind a router (debian 3.0). I have a
problem when I want to log the visitor's IP of my website with PHP or
Perl or any language. I always get the IP of my router! Somebody told
me that I must do port translation but I have searched and I haven't
found anything.
Can you help me?
These are the rules of my router:

iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3:80

Romain


* Re: port translation
  2004-01-11 10:21 Romain Moyne
@ 2004-01-11 11:37 ` Antony Stone
  2004-01-11 12:43 ` Cedric Blancher
  2004-01-16 22:32 ` Bill Davidsen
  2 siblings, 0 replies; 13+ messages in thread
From: Antony Stone @ 2004-01-11 11:37 UTC (permalink / raw)
  To: netfilter

On Sunday 11 January 2004 10:21 am, Romain Moyne wrote:

> Hello,
>
> I'm French and my English is bad ;)
>
> I have an http server (debian 3.0) behind a router (debian 3.0). I have a
> problem when I want to log the visitor's IP of my website with PHP or
> Perl or any language. I always get the IP of my router! Somebody told
> me that I must do port translation but I have searched and I haven't
> found anything.
> Can you help me?
> These are the rules of my router:
>
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3:80

Do you have another rule, in your POSTROUTING chain, for allowing packets out 
of your network?   Something such as:

iptables -A POSTROUTING -t nat -j MASQUERADE

or maybe

iptables -A POSTROUTING -t nat -j SNAT --to MyIP

If you do, then simply change this rule to specify the external interface of 
your firewall, so that it doesn't do SNAT on packets coming in towards your 
webserver.   For example:

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
or
iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to MyIP

assuming that eth0 is your external interface.

Antony.

-- 
My New Year's resolution is not to make any resolutions I can't keep.

I'm wondering whether I've failed already.

                                                     Please reply to the list;
                                                           please don't CC me.


* Re: port translation
  2004-01-11 10:21 Romain Moyne
  2004-01-11 11:37 ` Antony Stone
@ 2004-01-11 12:43 ` Cedric Blancher
  2004-01-11 12:53   ` Romain Moyne
  2004-01-16 22:32 ` Bill Davidsen
  2 siblings, 1 reply; 13+ messages in thread
From: Cedric Blancher @ 2004-01-11 12:43 UTC (permalink / raw)
  To: Romain Moyne; +Cc: netfilter

On Sun 11/01/2004 at 11:21, Romain Moyne wrote:
> I have an http server (debian 3.0) behind a router (debian 3.0). I have a
> problem when I want to log the visitor's IP of my website with PHP or
> Perl or any language. I always get the IP of my router! Somebody told
> me that I must do port translation but I have searched and I haven't
> found anything.
> Can you help me?
> These are the rules of my router:
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3:80

You have a problem here. This single rule does not prevent your
webserver from seeing the client IP as source, as you only modify the
destination IP.

You may have a SNAT rule in the POSTROUTING chain that is not restrictive
enough and also SNATs incoming traffic to your router's IP when it should
not.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 


* Re: port translation
  2004-01-11 12:43 ` Cedric Blancher
@ 2004-01-11 12:53   ` Romain Moyne
  2004-01-11 13:03     ` Antony Stone
  2004-01-11 13:32     ` Cedric Blancher
  0 siblings, 2 replies; 13+ messages in thread
From: Romain Moyne @ 2004-01-11 12:53 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: netfilter

Cedric Blancher wrote:

> On Sun 11/01/2004 at 11:21, Romain Moyne wrote:
>
>> I have an http server (debian 3.0) behind a router (debian 3.0). I have a
>> problem when I want to log the visitor's IP of my website with PHP or
>> Perl or any language. I always get the IP of my router! Somebody told
>> me that I must do port translation but I have searched and I haven't
>> found anything.
>> Can you help me?
>> These are the rules of my router:
>> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3:80
>
> You have a problem here. This single rule does not prevent your
> webserver from seeing the client IP as source, as you only modify the
> destination IP.
>
> You may have a SNAT rule in the POSTROUTING chain that is not restrictive
> enough and also SNATs incoming traffic to your router's IP when it should
> not.
>
OK. I'm beginning to understand... Now I have corrected my rules:
iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet

But now I have a new problem: my router, my http server and my
workstation are connected with a hub.

                         ppp0                  eth0
INTERNET ------------- 192.168.0.1 (router) -------------- 192.168.0.3 (http server)
                                                   |
                                                   |
                                                   |
                                           192.168.0.2 (workstation)

I can't access my webserver from my workstation and it is very painful....
Can you still help me? :-D

Romain

* Re: port translation
  2004-01-11 12:53   ` Romain Moyne
@ 2004-01-11 13:03     ` Antony Stone
  2004-01-11 13:32     ` Cedric Blancher
  1 sibling, 0 replies; 13+ messages in thread
From: Antony Stone @ 2004-01-11 13:03 UTC (permalink / raw)
  To: netfilter

On Sunday 11 January 2004 12:53 pm, Romain Moyne wrote:

> OK. I'm beginning to understand... Now I have corrected my rules:
> iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet

That looks better.

> But now I have a new problem: my router, my http server and my
> workstation are connected with a hub.
>
>                          ppp0                  eth0
> INTERNET ------------- 192.168.0.1 (router) -------------- 192.168.0.3 (http server)
>                                                    |
>                                            192.168.0.2 (workstation)
>
> I can't access my webserver from my workstation and it is very painful....

Are you trying to access the webserver by IP address or by hostname?

If by IP address, make sure it is the private (real) address.

If by hostname, make sure your DNS correctly resolves internal queries to the 
internal address and external queries to the external address.

The correct solution to this problem, of course, is that you should have your 
web server on a separate ("DMZ") interface, because it is accessible from 
both the internal and external networks, and should be kept separate from 
both, for both security and routing reasons.

Regards,

Antony.

-- 
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

                                                     Please reply to the list;
                                                           please don't CC me.


* Re: port translation
  2004-01-11 12:53   ` Romain Moyne
  2004-01-11 13:03     ` Antony Stone
@ 2004-01-11 13:32     ` Cedric Blancher
  2004-01-11 13:45       ` Romain Moyne
  1 sibling, 1 reply; 13+ messages in thread
From: Cedric Blancher @ 2004-01-11 13:32 UTC (permalink / raw)
  To: Romain Moyne; +Cc: netfilter

On Sun 11/01/2004 at 13:53, Romain Moyne wrote:
> OK. I'm beginning to understand... Now I have corrected my rules:
> iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet

OK, fine. Now it should work ;)

> But now I have a new problem: my router, my http server and my
> workstation are connected with a hub.
[Snip ASCII art]
> I can't access my webserver from my workstation and it is very painful....
> Can you still help me? :-D

To complete Antony's answer, trying to reach your webserver from your
LAN with its public IP is a common issue that constitutes a FAQ.

We will describe what happens when your workstation (WS) tries to
connect to your Webserver (WB) via your router (R) public IP (PPP0).

	WS sends a SYN to R, port 80
		SYN : WS -> PPP0

	R receives the SYN and DNATs it to WB, port 80
		SYN : WS -> WB

	WB receives the SYN and answers.
		SYN,ACK : WB -> WS

But, as WB and WS are on the same network, WB answers directly to WS,
without using R as gateway. So, WS receives a SYN,ACK from WB, but was
waiting for a SYN,ACK from PPP0. That's why the connection fails.

To address this issue, you have to SNAT this kind of connection on the
router so WB answers through R:

	iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0

I completely agree with Antony's advice on DMZ use. From a security point of
view, redirecting a service within the LAN is a major architectural flaw.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 


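The two NAT pitfalls discussed in this thread, an unrestricted MASQUERADE/SNAT in POSTROUTING that also rewrites the source of DNATed inbound connections (Antony's first reply), and the LAN-to-public-IP hairpin that Cedric traces SYN by SYN above, can be followed packet by packet in the toy model below. It is an added example, not code from any of the posts. It models only the -s/-d/-o matches and the DNAT/SNAT/MASQUERADE targets the thread uses, takes the 192.168.0.x addresses and interface names from Romain's diagram, and assumes 203.0.113.10 as the router's public address and 198.51.100.7 as an Internet client (both constructed placeholders from documentation ranges).

```python
"""Toy model of the netfilter NAT path discussed in this thread.

Added example, not code from any of the posts. It follows one packet
through PREROUTING (DNAT), the routing decision and POSTROUTING
(SNAT/MASQUERADE) on the router, and reports which source address the
web server ends up seeing and whether its reply will pass back through
the router. Only the -s/-d/-o matches and the three targets used in the
thread are modelled.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Addresses from Romain's diagram; the public address and the Internet
# client are constructed placeholders (documentation ranges), not the page's.
ROUTER_PUBLIC = "203.0.113.10"    # assumed address of ppp0
ROUTER_LAN = "192.168.0.1"        # eth0
WEBSERVER = "192.168.0.3"         # WB
WORKSTATION = "192.168.0.2"       # WS
LAN = "192.168.0.0/24"
INTERNET_CLIENT = "198.51.100.7"  # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 80


@dataclass(frozen=True)
class Rule:
    """Subset of an iptables nat rule: optional -s/-d/-o matches plus a target."""
    target: str                   # "DNAT", "SNAT" or "MASQUERADE"
    to: Optional[str] = None      # --to-destination / --to-source
    src: Optional[str] = None     # -s <network>
    dst: Optional[str] = None     # -d <host>
    out_if: Optional[str] = None  # -o <interface>


def route(dst: str) -> Tuple[str, str]:
    """Routing decision on R: (outgoing interface, that interface's address)."""
    if ip_address(dst) in ip_network(LAN):
        return "eth0", ROUTER_LAN
    return "ppp0", ROUTER_PUBLIC


def matches(rule: Rule, pkt: Packet, oif: Optional[str]) -> bool:
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and pkt.dst != rule.dst:
        return False
    if rule.out_if is not None and rule.out_if != oif:
        return False
    return True


def router_forward(pkt: Packet, prerouting: List[Rule], postrouting: List[Rule]) -> Packet:
    """Apply the first matching DNAT, route, then the first matching POSTROUTING rule."""
    for r in prerouting:
        if r.target == "DNAT" and matches(r, pkt, None):
            pkt = replace(pkt, dst=r.to)
            break
    oif, oif_addr = route(pkt.dst)  # routing happens after DNAT, before POSTROUTING
    for r in postrouting:
        if matches(r, pkt, oif):
            if r.target == "SNAT":
                return replace(pkt, src=r.to)
            if r.target == "MASQUERADE":
                return replace(pkt, src=oif_addr)  # address of the outgoing interface
    return pkt


def reply_reaches_router(seen: Packet) -> bool:
    """WB replies to the source it saw. The reply reaches R if that address is
    R's own (hairpin SNAT) or off-LAN (R is the default gateway); a plain LAN
    address is answered directly across the hub, bypassing R."""
    return seen.src in (ROUTER_LAN, ROUTER_PUBLIC) or ip_address(seen.src) not in ip_network(LAN)


# Romain's DNAT rule: -d MyIP -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3:80
DNAT_80 = Rule("DNAT", to=WEBSERVER, dst=ROUTER_PUBLIC)


def scenario(postrouting: List[Rule], client: str) -> Packet:
    """What WB sees when `client` connects to port 80 on the public address."""
    return router_forward(Packet(client, ROUTER_PUBLIC), [DNAT_80], postrouting)


if __name__ == "__main__":
    # 1. Unrestricted MASQUERADE also rewrites the DNATed inbound packet: WB logs R.
    print("masquerade, no -o:  ", scenario([Rule("MASQUERADE")], INTERNET_CLIENT))
    # 2. MASQUERADE limited to -o ppp0 (Antony's fix): WB sees the real client.
    print("masquerade -o ppp0: ", scenario([Rule("MASQUERADE", out_if="ppp0")], INTERNET_CLIENT))
    # 3. WS -> public IP with only the -o ppp0 SNAT: WB sees WS and answers it directly.
    outbound = Rule("SNAT", to=ROUTER_PUBLIC, out_if="ppp0")
    direct = scenario([outbound], WORKSTATION)
    print("hairpin, no fix:    ", direct, "reply via R:", reply_reaches_router(direct))
    # 4. Cedric's rule (-s $LAN -d $WB -j SNAT --to $ETH0): WB answers R, which un-DNATs.
    fixed = scenario([outbound, Rule("SNAT", to=ROUTER_LAN, src=LAN, dst=WEBSERVER)], WORKSTATION)
    print("hairpin, with SNAT: ", fixed, "reply via R:", reply_reaches_router(fixed))
```

Running the block prints the four cases in order: the webserver logging 192.168.0.1 (the router's eth0 address, since MASQUERADE uses the outgoing interface's address), the real client address once the rule carries -o ppp0, the workstation's direct reply that never passes R, and the hairpin rule that makes WB answer the router instead. Rule order matters in the last case exactly as it does in a real POSTROUTING chain: the first matching rule wins, so the -o ppp0 rule is simply skipped for traffic leaving on eth0.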

* Re: port translation
  2004-01-11 13:32     ` Cedric Blancher
@ 2004-01-11 13:45       ` Romain Moyne
  2004-01-11 13:55         ` Antony Stone
  0 siblings, 1 reply; 13+ messages in thread
From: Romain Moyne @ 2004-01-11 13:45 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: netfilter

Cedric Blancher wrote:

> On Sun 11/01/2004 at 13:53, Romain Moyne wrote:
>
>> OK. I'm beginning to understand... Now I have corrected my rules:
>> iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet
>
> OK, fine. Now it should work ;)
>
>> But now I have a new problem: my router, my http server and my
>> workstation are connected with a hub.
> [Snip ASCII art]
>> I can't access my webserver from my workstation and it is very painful....
>> Can you still help me? :-D
>
> To complete Antony's answer, trying to reach your webserver from your
> LAN with its public IP is a common issue that constitutes a FAQ.
>
> We will describe what happens when your workstation (WS) tries to
> connect to your Webserver (WB) via your router (R) public IP (PPP0).
>
> 	WS sends a SYN to R, port 80
> 		SYN : WS -> PPP0
>
> 	R receives the SYN and DNATs it to WB, port 80
> 		SYN : WS -> WB
>
> 	WB receives the SYN and answers.
> 		SYN,ACK : WB -> WS
>
> But, as WB and WS are on the same network, WB answers directly to WS,
> without using R as gateway. So, WS receives a SYN,ACK from WB, but was
> waiting for a SYN,ACK from PPP0. That's why the connection fails.
>
> To address this issue, you have to SNAT this kind of connection on the
> router so WB answers through R:
>
> 	iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
>
What must I write instead of $LAN and $ETH0 ?

> I completely agree with Antony's advice on DMZ use. From a security point of
> view, redirecting a service within the LAN is a major architectural flaw.
>


* Re: port translation
  2004-01-11 13:45       ` Romain Moyne
@ 2004-01-11 13:55         ` Antony Stone
  2004-01-11 14:03           ` Romain Moyne
  0 siblings, 1 reply; 13+ messages in thread
From: Antony Stone @ 2004-01-11 13:55 UTC (permalink / raw)
  To: netfilter

On Sunday 11 January 2004 1:45 pm, Romain Moyne wrote:

> Cedric Blancher wrote:
>
> >	iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
>
> What must I write instead of $LAN and $ETH0 ?

$LAN is the network range of the machines you might have packets coming from 
(note it is the source address in the above rule) and $ETH0 is the IP address 
of the interface on your netfilter machine.

Perhaps $LAN=192.168.0.0/24 and $ETH0=192.168.0.1 for your network?

Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

                                                     Please reply to the list;
                                                           please don't CC me.


* Re: port translation
  2004-01-11 13:55         ` Antony Stone
@ 2004-01-11 14:03           ` Romain Moyne
  0 siblings, 0 replies; 13+ messages in thread
From: Romain Moyne @ 2004-01-11 14:03 UTC (permalink / raw)
  To: Antony Stone; +Cc: netfilter

Antony Stone wrote:

> On Sunday 11 January 2004 1:45 pm, Romain Moyne wrote:
>
>> Cedric Blancher wrote:
>>
>>> 	iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
>>
>> What must I write instead of $LAN and $ETH0 ?
>
> $LAN is the network range of the machines you might have packets coming from
> (note it is the source address in the above rule) and $ETH0 is the IP address
> of the interface on your netfilter machine.
>
> Perhaps $LAN=192.168.0.0/24 and $ETH0=192.168.0.1 for your network?
>
> Antony.
>
Thanks to everybody! It works fine now ;)
Thank you

Romain


* Re: port translation
  2004-01-11 10:21 Romain Moyne
  2004-01-11 11:37 ` Antony Stone
  2004-01-11 12:43 ` Cedric Blancher
@ 2004-01-16 22:32 ` Bill Davidsen
  2 siblings, 0 replies; 13+ messages in thread
From: Bill Davidsen @ 2004-01-16 22:32 UTC (permalink / raw)
  To: netfilter

Romain Moyne wrote:
> Hello,
> 
> I'm French and my English is bad ;)
> 
> I have an http server (debian 3.0) behind a router (debian 3.0). I have a
> problem when I want to log the visitor's IP of my website with PHP or
> Perl or any language. I always get the IP of my router! Somebody told
> me that I must do port translation but I have searched and I haven't
> found anything.
> Can you help me?
> These are the rules of my router:
> 
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3:80

Something wrong here... you would see the IP of the router if you were 
doing MASQUERADE, but not with DNAT. I have a similar setup, and my mail 
server filters LOTS of addresses by IP.

You should be sure you don't have a leftover MASQUERADE (or SNAT) rule 
which is being used, then run tcpdump on the internal NIC of the router 
and catch the packets as they leave. DNAT does just what you want, and I 
have a fair number of machines running as routers which don't have this 
problem.

-- 
bill davidsen <davidsen@tmr.com>
   CTO TMR Associates, Inc
   Doing interesting things with small computers since 1979


* port translation
@ 2005-01-05  8:23 Richard
  2005-01-05 13:23 ` John A. Sullivan III
  2005-01-06 13:34 ` Eric Ellis
  0 siblings, 2 replies; 13+ messages in thread
From: Richard @ 2005-01-05  8:23 UTC (permalink / raw)
  To: netfilter

Hi,

I am trying to work on port translation. One inside host with source port
xxx would always have the same port yyy after NAT. Even after the conntrack
expires, I still want outside incoming packets to port yyy to be able to map to
the same host and port. This is what I did:

Assume inside 192.168.25.150:5000 maps to outside 66.1.2.3:60150 on
interface vlan1,

# allow outside traffic to come in
iptables -t nat -I PREROUTING -p udp -i vlan1 -d 66.1.2.3 --dport 60150 -j DNAT --to-destination 192.168.25.150:5000

# allow outside traffic to go through the router
iptables -t filter -I FORWARD -p udp -i vlan1 --dport 5060 -j ACCEPT

# allow inside traffic to go out
iptables -t nat -I POSTROUTING -p udp -s 192.168.25.150 --sport 5000 -j SNAT -o vlan1 --to-source 66.1.2.3:60150

Can someone please confirm that this is the right way to do it?

Also if I have multiple internal hosts, for example, one hundred hosts
192.168.25.1xy:5000 mapping to 66.1.2.3:601xy, is there a quick way to do it
instead of 100 blocks of iptables statements?

Thanks,
Richard


* Re: port translation
  2005-01-05  8:23 port translation Richard
@ 2005-01-05 13:23 ` John A. Sullivan III
  2005-01-06 13:34 ` Eric Ellis
  1 sibling, 0 replies; 13+ messages in thread
From: John A. Sullivan III @ 2005-01-05 13:23 UTC (permalink / raw)
  To: Richard; +Cc: Netfilter users list

On Tue, 2005-01-04 at 22:23 -1000, Richard wrote:
> Hi,
> 
> I am trying to work on port translation. One inside host with source port
> xxx would always have the same port yyy after NAT. Even after the conntrack
> expires, I still want outside incoming packets to port yyy to be able to map to
> the same host and port. This is what I did:
> 
> Assume inside 192.168.25.150:5000 maps to outside 66.1.2.3:60150 on
> interface vlan1,
> 
> # allow outside traffic to come in
> iptables -t nat -I PREROUTING -p udp -i vlan1 -d 66.1.2.3 --dport 60150 -j DNAT --to-destination 192.168.25.150:5000
> 
> # allow outside traffic to go through the router
> iptables -t filter -I FORWARD -p udp -i vlan1 --dport 5060 -j ACCEPT
> 
> # allow inside traffic to go out
> iptables -t nat -I POSTROUTING -p udp -s 192.168.25.150 --sport 5000 -j SNAT -o vlan1 --to-source 66.1.2.3:60150
> 
> Can someone please confirm that this is the right way to do it?
> 
> Also if I have multiple internal hosts, for example, one hundred hosts
> 192.168.25.1xy:5000 mapping to 66.1.2.3:601xy, is there a quick way to do it
> instead of 100 blocks of iptables statements?
<snip>
I haven't confirmed it by trying it but it looks like it would work.  I
assume you have a rule somewhere which will allow internal stations to
initiate traffic outbound on port 5000.  This would typically be in your
FORWARD chain just like you have the rule to allow external stations to
initiate traffic.  I also assume that you really want the entire world
to be able to reach the internal device on that port.

I don't know of a way to condense the number of rules you need to do
this direct port mapping in the nat table.  You could use the iprange
patch or subnet addressing to reduce the number of rules in the FORWARD
chain.

I suppose it would be a simple matter to develop a quick bash script to
create an iptables-restore file and load the rules that way rather than
manually entering each.
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net


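Richard's 1:1 mapping (192.168.25.1xy:5000 to 66.1.2.3:601xy for a hundred hosts) and John's suggestion of generating an iptables-restore file from a script, worked through as an added example that is not code from either post. The script emits the DNAT and SNAT rules Richard wrote, once per host, in iptables-restore syntax. The two FORWARD rules are this example's own: they match the internal address and port because the filter table sees packets after PREROUTING DNAT has already rewritten the destination, and a single subnet match covers all hundred hosts, as John suggests for the FORWARD chain. The address, interface and port values are the ones from Richard's mail.

```sh
#!/bin/sh
# Added example (not from the list thread): build an iptables-restore file
# for a static 1:1 UDP port mapping, 192.168.25.1xy:5000 <-> 66.1.2.3:601xy
# for xy = 00..99, instead of typing 100 pairs of iptables commands.
# Values below come from Richard's mail; the FORWARD rules are this
# example's own design.

EXT_IF="vlan1"
EXT_IP="66.1.2.3"
INT_NET="192.168.25.0/24"
INT_PORT="5000"

# nat table: one DNAT (inbound) and one SNAT (outbound) rule per host.
gen_nat_rules() {
    echo "*nat"
    i=0
    while [ "$i" -le 99 ]; do
        host="192.168.25.$((100 + i))"   # 192.168.25.100 .. 192.168.25.199
        port=$((60100 + i))              # 60100 .. 60199
        echo "-A PREROUTING -i $EXT_IF -p udp -d $EXT_IP --dport $port -j DNAT --to-destination $host:$INT_PORT"
        echo "-A POSTROUTING -o $EXT_IF -p udp -s $host --sport $INT_PORT -j SNAT --to-source $EXT_IP:$port"
        i=$((i + 1))
    done
    echo "COMMIT"
}

# filter table: FORWARD sees the packet after DNAT, so the inbound rule
# matches the internal destination, not the public port; one subnet match
# replaces a hundred per-host rules.
gen_filter_rules() {
    echo "*filter"
    echo "-A FORWARD -i $EXT_IF -p udp -d $INT_NET --dport $INT_PORT -j ACCEPT"
    echo "-A FORWARD -o $EXT_IF -p udp -s $INT_NET --sport $INT_PORT -j ACCEPT"
    echo "COMMIT"
}

# Number of nat rules generated (expected: 200).
count_nat_rules() {
    gen_nat_rules | grep -c '^-A '
}

# Usage: sh port-map.sh write    -> writes port-map.rules
# Then load without flushing existing rules: iptables-restore -n < port-map.rules
if [ "${1:-}" = "write" ]; then
    { gen_nat_rules; gen_filter_rules; } > port-map.rules
fi
```

Reviewing the generated file before loading it is the point of going through iptables-restore rather than a loop of iptables calls: the whole mapping is visible in one place, loads atomically, and can be kept under version control.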

* Re: port translation
  2005-01-05  8:23 port translation Richard
  2005-01-05 13:23 ` John A. Sullivan III
@ 2005-01-06 13:34 ` Eric Ellis
  1 sibling, 0 replies; 13+ messages in thread
From: Eric Ellis @ 2005-01-06 13:34 UTC (permalink / raw)
  To: Richard, netfilter

Richard:


From http://iptables-tutorial.frozentux.net/iptables-tutorial.html#MATCHES

This is the source match, which is used to match packets, based on their 
source IP address. The main form can be used to match single IP 
addresses, such as 192.168.1.1. It could also be used with a netmask in 
a CIDR "bit" form, by specifying the number of ones (1's) on the left 
side of the network mask. This means that we could for example add /24 
to use a 255.255.255.0 netmask. We could then match whole IP ranges, 
such as our local networks or network segments behind the firewall. The 
line would then look something like 192.168.0.0/24. This would match all 
packets in the 192.168.0.x range. Another way is to do it with an 
regular netmask in the 255.255.255.255 form (i.e., 
192.168.0.0/255.255.255.0). We could also invert the match with an ! 
just as before. If we were in other words to use a match in the form of 
--source ! 192.168.0.0/24, we would match all packets with a source 
address not coming from within the 192.168.0.x range. The default is to 
match all IP addresses.

The easy way is to use a netmask.  If you have a random set of 
addresses, then I'm not sure that there is an easy way.  Perhaps Jason 
would know more.

Richard wrote:
> Hi,
> 
> I am trying to work on port translation. One inside host with source port
> xxx would always have the same port yyy after NAT. Even after the conntrack
> expires, I still want outside incoming packets to port yyy to be able to map to
> the same host and port. This is what I did:
> 
> Assume inside 192.168.25.150:5000 maps to outside 66.1.2.3:60150 on
> interface vlan1,
> 
> # allow outside traffic to come in
> iptables -t nat -I PREROUTING -p udp -i vlan1 -d 66.1.2.3 --dport 60150 -j DNAT --to-destination 192.168.25.150:5000
> 
> # allow outside traffic to go through the router
> iptables -t filter -I FORWARD -p udp -i vlan1 --dport 5060 -j ACCEPT
> 
> # allow inside traffic to go out
> iptables -t nat -I POSTROUTING -p udp -s 192.168.25.150 --sport 5000 -j SNAT -o vlan1 --to-source 66.1.2.3:60150
> 
> Can someone please confirm that this is the right way to do it?
> 
> Also if I have multiple internal hosts, for example, one hundred hosts
> 192.168.25.1xy:5000 mapping to 66.1.2.3:601xy, is there a quick way to do it
> instead of 100 blocks of iptables statements?
> 
> Thanks,
> Richard
> 
> 

