From: Metal Gear @ 2005-03-01 10:07 UTC
To: netfilter
Subject: Port forwarding error

Hi all,

Please check the following diagram for pictorial details of my problem:

http://www.antionline.com/attachment.php?s=&postid=824669

Squid (only one interface card)

I want to configure iptables rules on my squid machine such that if any client connects on pop3, smtp or dns, these requests are redirected to the servers popserver, smtpserver and dnsserver. All three of these servers are on an untrusted network having public IPs. My squid machine and clients are on the internal network and only the squid machine can cross the firewall to access the outer world. I researched a lot but I'm unable to write a successful rule for that. I'm posting my rules at the end of the post. Currently I'm using a port redirector (rinetd) in place of those rules.

Thanks

(Your assistance will be greatly appreciated)

#!/bin/sh
iptables -F
iptables -A INPUT -p ALL -j ACCEPT
iptables -A PREROUTING -t nat -d squidip -p tcp --dport 110 -j DNAT --to popserver
iptables -I PREROUTING -t nat -d squidip -p udp --dport 110 -j DNAT --to popserver
iptables -A POSTROUTING -t nat -s popserver -p tcp --dport 110 -j SNAT --to squidip
iptables -A POSTROUTING -t nat -s popserver -p udp --dport 110 -j SNAT --to squidip
service iptables save
/etc/rc.d/init.d/iptables restart
From: Jörg Harmuth @ 2005-03-01 11:15 UTC
To: netfilter
Subject: Re: Port forwarding error

Hi,

Metal Gear wrote:
| Hi all,
|
| Please check the following diagram for pictorial details of my problem:
|
| http://www.antionline.com/attachment.php?s=&postid=824669

Looking at your diagram, this is not a desirable configuration. Anyway.

| Squid (only one interface card)
|
| I want to configure iptables rules on my squid machine such that if any
| client connects on pop3, smtp or dns, these requests are redirected to
| the servers popserver, smtpserver and dnsserver. All three of these
| servers are on an untrusted network having public IPs. My squid machine
| and clients are on the internal network and only the squid machine can
| cross the firewall to access the outer world. I researched a lot but I'm
| unable to write a successful rule for that. I'm posting my rules at the
| end of the post. Currently I'm using a port redirector (rinetd) in place
| of those rules.
|
| Thanks
|
| (Your assistance will be greatly appreciated)

If I understand correctly, your clients connect to your squid box at least on ports 110, 25 and 3128 (probably) tcp and 53 udp. Assuming this is true.

| #!/bin/sh
| iptables -F

This only flushes the filter table and not the nat table. You have to "iptables -F -t nat" in order to flush the nat table too.

| iptables -A INPUT -p ALL -j ACCEPT

Probably this is not what you want. This means that everybody can connect from anywhere to all services on the squid box. You should restrict access as much as possible, e.g.

iptables -A INPUT -p tcp -s $LAN_ADDRESS/$NETMASK --dport 3128 -m state \
  --state NEW,ESTABLISHED,RELATED -j accept

Note that you have to allow outgoing packets in the OUTPUT chain too:

iptables -A OUTPUT -p tcp -d $LAN_ADDRESS/$NETMASK --sport 3128 -m state \
  --state ESTABLISHED,RELATED -j accept

Note that you have to allow outgoing connections from squid (probably to dest-port 80) too. You don't have to worry about POP3, ..., in these chains because they will be forwarded and thus traverse only the FORWARD chain in the filter table.

| iptables -A PREROUTING -t nat -d squidip -p tcp --dport 110 -j DNAT --to popserver

You can do it this way. Remember that only NEW packets (with SYN set) will hit this rule. The next step is to allow these connections in the FORWARD chain (assuming the policy is DROP or REJECT).

iptables -A FORWARD -p tcp --dport 110 -d $POPSERVER -m state \
  --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -s $POPSERVER -m state \
  --state ESTABLISHED,RELATED -j ACCEPT

Hmm, quite rude - but should work.

| iptables -I PREROUTING -t nat -d squidip -p udp --dport 110 -j DNAT --to popserver
| iptables -A POSTROUTING -t nat -s popserver -p tcp --dport 110 -j SNAT --to squidip

No. You have to SNAT your LAN to $SQUIDIP, e.g.

iptables -t nat -A POSTROUTING -p tcp --dport 110 -d $POPSERVER -j SNAT --to $SQUIDIP

Of course, this assumes that your firewall (with the public address) does SNAT too.

| iptables -A POSTROUTING -t nat -s popserver -p udp --dport 110 -j SNAT --to squidip
| service iptables save
| /etc/rc.d/init.d/iptables restart

There is no rule for DNS in your ruleset, so this will - with policy drop - not work. You have to allow only udp from port 53 to port 53 for normal DNS queries. And don't forget to allow ICMP "Destination Unreachable" :)

HTH, have a nice time
Joerg

-- 
-----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie-Str. 1
53359 Rheinbach
Tel.: (+49) 22 26 87 18 12
Fax: (+49) 22 26 87 18 19
mail: harmuth@mnemon.de
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
-----------------------------------------------------------------------
This mail was checked for viruses and other malicious software before sending. No malicious software was detected.
-----------------------------------------------------------------------
From: Metal Gear @ 2005-03-01 17:45 UTC
To: netfilter
Subject: Port forwarding error

Hi,

First of all, thanks for the quick reply. After reading the reply thoroughly I completed my rulesets and am sending them for your review. I need a little explanation regarding the rules you sent to me:

[Quote]
You can do it this way. Remember that only NEW packets (with SYN set) will hit this rule. The next step is to allow these connections in the FORWARD chain (assuming the policy is DROP or REJECT).
[/Quote]

and

[Quote]
And don't forget to allow ICMP "Destination Unreachable" :)
[/Quote]

Why is this so? Why do we need the above two rules?

And for the rules for pop, smtp and dns forwarding, what I understood from the diagram (tables_traverse.jpg) of (http://iptables-tutorial.frozentux.net/) is:

- We get a packet from the network
- We do NAT PREROUTING
- We FORWARD the packet
- We do NAT POSTROUTING
- The packet flows out of the interface again

Am I right?

Below is my final rules script based on your help.

Thanks

-----------------------------------------------------------------------------------
#!/bin/sh

# Flushing the chains
iptables -F
iptables -F -t nat

# Allow icmp destination unreachable
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT

# Rules for Squid
iptables -A INPUT -p tcp -s $LAN_ADDRESS/$NETMASK --dport 3128 -m state --state NEW,ESTABLISHED,RELATED -j accept
iptables -A OUTPUT -p tcp -d $LAN_ADDRESS/$NETMASK --sport 3128 -m state --state ESTABLISHED,RELATED -j accept

# Enabling POP3 Forwarding
iptables -A PREROUTING -t nat -d squidip -p tcp --dport 110 -j DNAT --to $POPSERVER
iptables -A FORWARD -p tcp --dport 110 -d $POPSERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -s $POPSERVER -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 110 -d $POPSERVER -j SNAT --to $SQUIDIP

# Enabling SMTP Forwarding
iptables -A PREROUTING -t nat -d squidip -p tcp --dport 25 -j DNAT --to $SMTPSERVER
iptables -A FORWARD -p tcp --dport 25 -d $SMTPSERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -s $SMTPSERVER -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 25 -d $SMTPSERVER -j SNAT --to $SQUIDIP

# Enabling DNS Forwarding
iptables -A PREROUTING -t nat -d squidip -p udp --dport 53 -j DNAT --to $DNSSERVER
iptables -A FORWARD -p udp --dport 53 -d $DNSSERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp --sport 53 -s $DNSSERVER -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p udp --dport 53 -d $DNSSERVER -j SNAT --to $SQUIDIP
From: Jörg Harmuth @ 2005-03-02 11:07 UTC
To: netfilter
Subject: Re: Port forwarding error

Hi,

basically this ruleset should work, but you should write ACCEPT instead of accept.

One issue. You don't post the IPs, but I think that your squid box has a private IP address and e.g. $POPSERVER has a "real" - not RFC1918 - address. If so, someone must do NAT on the packets. This is probably your firewall. If you have a dial-up connection (dsl or the like) this is done automatically by pppd or whatever software is responsible. But if this is a static line, you might have to configure it manually.

| [Quote]
| You can do it this way. Remember that only NEW packets (with SYN set)
| will hit this rule. The next step is to allow these connections in the
| FORWARD chain (assuming the policy is DROP or REJECT).
| [/Quote]
|
| and

The reason is that only NEW packets go through nat PREROUTING; the rest is done by the state machine (ip_conntrack). So all packets of a connection, except the first, don't traverse nat PREROUTING. They will be DNATed automagically. But all these packets go through FORWARD. Well, you already found a really good tutorial. By reading it carefully, you will see the whole stuff.

| [Quote]
| And don't forget to allow ICMP "Destination Unreachable" :)
| [/Quote]

YOU can live without these messages, basically. But it's really bad for the internet itself. Disallowing these messages will break PATH MTU among others (meaning that more and more packets will be fragmented, ...). Last month there was a discussion about ICMP on this list, showing the good, nice and bad messages.

| Why is this so? Why do we need the above two rules?
|
| And for the rules for pop, smtp and dns forwarding, what I understood
| from the diagram (tables_traverse.jpg) of
| (http://iptables-tutorial.frozentux.net/) is:
|
| - We get a packet from the network
| - We do NAT PREROUTING
| - We FORWARD the packet
| - We do NAT POSTROUTING
| - The packet flows out of the interface again
|
| Am I right?

Yes.

| Below is my final rules script based on your help.
|
| Thanks
|
| -----------------------------------------------------------------------------------
| #!/bin/sh
|
| # Flushing the chains
| iptables -F
| iptables -F -t nat
|
| # Allow icmp destination unreachable
| iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT

Maybe your box generates these messages too, so you should allow outgoing messages.

| # Rules for Squid
| iptables -A INPUT -p tcp -s $LAN_ADDRESS/$NETMASK --dport 3128 -m state --state NEW,ESTABLISHED,RELATED -j accept
| iptables -A OUTPUT -p tcp -d $LAN_ADDRESS/$NETMASK --sport 3128 -m state --state ESTABLISHED,RELATED -j accept

This is the LAN side of life. To communicate with web servers on the internet you additionally need something like:

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

| # Enabling POP3 Forwarding
| iptables -A PREROUTING -t nat -d squidip -p tcp --dport 110 -j DNAT --to $POPSERVER
| iptables -A FORWARD -p tcp --dport 110 -d $POPSERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
| iptables -A FORWARD -p tcp --sport 110 -s $POPSERVER -m state --state ESTABLISHED,RELATED -j ACCEPT
| iptables -t nat -A POSTROUTING -p tcp --dport 110 -d $POPSERVER -j SNAT --to $SQUIDIP
|
| # Enabling SMTP Forwarding
| iptables -A PREROUTING -t nat -d squidip -p tcp --dport 25 -j DNAT --to $SMTPSERVER
| iptables -A FORWARD -p tcp --dport 25 -d $SMTPSERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
| iptables -A FORWARD -p tcp --sport 25 -s $SMTPSERVER -m state --state ESTABLISHED,RELATED -j ACCEPT
| iptables -t nat -A POSTROUTING -p tcp --dport 25 -d $SMTPSERVER -j SNAT --to $SQUIDIP
|
| # Enabling DNS Forwarding
| iptables -A PREROUTING -t nat -d squidip -p udp --dport 53 -j DNAT --to $DNSSERVER
| iptables -A FORWARD -p udp --dport 53 -d $DNSSERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
| iptables -A FORWARD -p udp --sport 53 -s $DNSSERVER -m state --state ESTABLISHED,RELATED -j ACCEPT
| iptables -t nat -A POSTROUTING -p udp --dport 53 -d $DNSSERVER -j SNAT --to $SQUIDIP

Should work. One issue is left - the loopback interface. This is a must and looks something like:

iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

Otherwise some of your local processes will not work correctly or at all.

HTH, have a nice time
Jörg
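The ruleset the two replies converge on, written out as an added example (not the posters' script): it flushes both tables, opens loopback and destination-unreachable in both directions, uses uppercase ACCEPT, and emits the DNAT/FORWARD/SNAT triple from one function per service. The `IPT` indirection, the DROP policies and the placeholder addresses are assumptions of the example; by default it only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the corrected ruleset for the
# single-NIC squid box: flush both tables, loopback, ICMP both ways, squid
# access, then DNAT + FORWARD + SNAT for each redirected service.
# IPT defaults to "echo iptables" so this only prints rules; set IPT=iptables
# (as root) to apply them. All addresses are constructed placeholders.
IPT=${IPT:-"echo iptables"}
SQUIDIP=${SQUIDIP:-192.0.2.10}            # placeholder: squid box LAN address
LAN=${LAN:-192.0.2.0/24}                  # placeholder: client LAN
POPSERVER=${POPSERVER:-198.51.100.110}    # placeholder public servers
SMTPSERVER=${SMTPSERVER:-198.51.100.25}
DNSSERVER=${DNSSERVER:-198.51.100.53}

# One redirected service. Only the first (NEW) packet hits nat PREROUTING;
# conntrack translates the rest, but every packet still traverses FORWARD,
# and SNAT to the squid box makes the server's replies come back through it.
forward_service() {
    proto=$1; port=$2; server=$3
    $IPT -t nat -A PREROUTING -s "$LAN" -d "$SQUIDIP" -p "$proto" --dport "$port" -j DNAT --to "$server"
    $IPT -A FORWARD -p "$proto" -d "$server" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p "$proto" -s "$server" --sport "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -p "$proto" -d "$server" --dport "$port" -j SNAT --to "$SQUIDIP"
}

build_ruleset() {
    $IPT -F
    $IPT -t nat -F                       # plain -F leaves the nat table alone
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT        # local daemons need loopback
    $IPT -A OUTPUT -o lo -j ACCEPT
    # destination-unreachable in both directions keeps path MTU discovery working
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # LAN clients to squid on 3128; squid itself out to web servers on 80
    $IPT -A INPUT -p tcp -s "$LAN" --dport 3128 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$LAN" --sport 3128 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward_service tcp 110 "$POPSERVER"
    forward_service tcp 25 "$SMTPSERVER"
    forward_service udp 53 "$DNSSERVER"
}

build_ruleset
```

As Jörg notes, this still relies on the border firewall NATing the squid box's private address to the public side; nothing on the squid box itself can provide that.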