* Port forwarding not working
From: Neil Aggarwal @ 2007-04-29  3:15 UTC (permalink / raw)
  To: netfilter

Hello:

I have a Linux box acting as a firewall and gateway
for my local internet.  The private IP is 192.168.1.1

Behind that, I have a Linksys VPN box.  Its IP
is 192.168.1.101.

If I go to my Linux box and issue this command:

telnet 192.168.1.101 1723

I get this output:

Trying 192.168.1.101...
Connected to 192.168.1.101 (192.168.1.101).
Escape character is '^]'.

Everything is fine.  I can connect to the Linksys box
without a problem.

Now, I want to set up routing from the external world
to be able to access the Linksys box.

I added this rule to my firewall to do the forwarding:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ETH0_IP 
	--sport 1024: --dport 1723 
	-j DNAT --to $LINKSYS_VPN_IP:1723

It is all on one line; I added line breaks for readability.

When I tried to telnet to port 1723 on my public IP, I saw logs
from my firewall for inbound packets so I added these rules:

/sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP 
	-p tcp --sport 1024: --dport 1723 
	-m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP 
	-p tcp --sport 1024: --dport 1723 
	-m state --state NEW,ESTABLISHED -j ACCEPT

But, I am not seeing any logs for the outbound packets from
the Linksys box and the telnet session from the remote computer
is not connecting.

Any ideas what is going on?

Thanks,
	Neil


--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.




* Re: Port forwarding not working (nfcan: to exclusive)
From: Jim Laurino @ 2007-04-29  4:04 UTC (permalink / raw)
  To: netfilter

On 04/28/2007 11:15:33 PM, Neil Aggarwal - neil@JAMMConsulting.com wrote:
> Hello:
> 
> I have a Linux box acting as a firewall and gateway
> for my local internet.  The private IP is 192.168.1.1
> 
> Behind that, I have a Linksys VPN box.  Its IP
> is 192.168.1.101.
> 
> If I go to my Linux box and issue this command:
> 
> telnet 192.168.1.101 1723
> 
> I get this output:
> 
> Trying 192.168.1.101...
> Connected to 192.168.1.101 (192.168.1.101).
> Escape character is '^]'.
> 
> Everything is fine.  I can connect to the Linksys box
> without a problem.
> 
> Now, I want to set up routing from the external world
> to be able to access the Linksys box.
> 
> I added this rule to my firewall to do the forwarding:
> 
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ETH0_IP 
> 	--sport 1024: --dport 1723 
> 	-j DNAT --to $LINKSYS_VPN_IP:1723

> 
> It is all on one line; I added line breaks for readability.
> 
OK, you have forwarded this port from the firewall to the vpn box.
Now you have to accept it.
(You must have a default drop policy in forward.)

> When I tried to telnet to port 1723 on my public IP, I saw logs
> from my firewall for inbound packets so I added these rules:
> 
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP 
> 	-p tcp --sport 1024: --dport 1723 
> 	-m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP 
> 	-p tcp --sport 1024: --dport 1723 
> 	-m state --state NEW,ESTABLISHED -j ACCEPT
>

You need packets to flow in both directions.
The outside should be able to initiate
so the first rule looks good:

/sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP 
	-p tcp --sport 1024: --dport 1723 
	-m state --state NEW,ESTABLISHED -j ACCEPT

But you need to accept the return packets. 
How about this for the return pattern:
  
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP 
	-p tcp --sport 1723 
	-m state --state ESTABLISHED -j ACCEPT

The accept in the nat postrouting can be removed.

HTH

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.




* Re: Port forwarding not working (nfcan: to exclusive)
From: neil @ 2007-04-29  4:56 UTC (permalink / raw)
  To: netfilter

Jim:

> The outside should be able to initiate
> so the first rule looks good:
>
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP
> 	-p tcp --sport 1024: --dport 1723
> 	-m state --state NEW,ESTABLISHED -j ACCEPT
>
> But you need to accept the return packets.
> How about this for the return pattern:
>
> /sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP
> 	-p tcp --sport 1723
> 	-m state --state ESTABLISHED -j ACCEPT

That is my point.  Without this rule, I should see packets
hitting the firewall in the log.  I don't see them.

I can add this rule, but I don't think the return packets are
coming back correctly.

> The accept in the nat postrouting can be removed.

I need that as I also set the nat postrouting to drop
by default.

Would it help to see my entire firewall script?

Thanks,
  Neil

--
Neil Aggarwal
JAMM Consulting, Inc.




* Re: Port forwarding not working (nfcan: to exclusive) (nfcan: to exclusive)
From: Jim Laurino @ 2007-04-29  7:10 UTC (permalink / raw)
  To: netfilter

On 04/29/2007 12:56:33 AM, neil@JAMMConsulting.com wrote:
> Jim:
> 
> > The outside should be able to initiate
> > so the first rule looks good:
> >
> > /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP
> > 	-p tcp --sport 1024: --dport 1723
> > 	-m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > But you need to accept the return packets.
> > How about this for the return pattern:
> >
> > /sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP
> > 	-p tcp --sport 1723
> > 	-m state --state ESTABLISHED -j ACCEPT
> 
> That is my point.  Without this rule, I should see packets
> hitting the firewall in the log.  I don't see them.

I guess "hitting the firewall" means showing up in a drop count.
I agree, if the packets come in they should be counted.
But you do need some rule to accept them in filter.

If the packets do not come back, maybe that is a routing problem?
I can also imagine that a vpn box might not want to talk to hosts
not on the local network it was hooked up to.
Some security folks might get upset :)
Maybe you could use SNAT to make the packets appear
to come from the firewall, then they ought to come back.
I think that is a better use of the postrouting chain.
The mantra is always "filter in filter", etc.,
and my experience has been that it is good advice.

> I can add this rule, but I don't think the return packets are
> coming back correctly.

I think a sniffer, e.g. wireshark (ex ethereal), would
be able to tell you if there were loose packets
floating around on the eth1 side trying to get somewhere else.
You could filter on tcp and source ip:port
and see what the destination was.

If the packets were destined for the outside originator,
would the firewall route them there?

> 
> > The accept in the nat postrouting can be removed.
> 
> I need that as I also set the nat postrouting to drop
> by default.
see above, not recommended

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.




* RE: Port forwarding not working (nfcan: to exclusive) (nfcan: to exclusive)
From: Neil Aggarwal @ 2007-04-29 13:06 UTC (permalink / raw)
  To: netfilter

Jim:

> Maybe you could use SNAT to make the packets appear
> to come from the firewall, then they ought to come back. 

How do I set up the SNAT rule?

Thanks,
	Neil


--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.




* RE: Port forwarding not working (nfcan: to exclusive) (nfcan: to exclusive)
From: Jan Engelhardt @ 2007-04-29 13:29 UTC (permalink / raw)
  To: Neil Aggarwal; +Cc: netfilter


On Apr 29 2007 08:06, Neil Aggarwal wrote:
>
>> Maybe you could use SNAT to make the packets appear
>> to come from the firewall, then they ought to come back. 
>
>How do I set up the SNAT rule?

man iptables



Jan
-- 



* Re: Port forwarding not working
From: Jim Laurino @ 2007-04-29 14:39 UTC (permalink / raw)
  To: netfilter

On 04/29/2007 09:06:44 AM, Neil Aggarwal - neil@JAMMConsulting.com wrote:
> Jim:
> 
> > Maybe you could use SNAT to make the packets appear
> > to come from the firewall, then they ought to come back. 
> 
> How do I set up the SNAT rule?
> 

This will make the packet look like it came from the firewall:

/sbin/iptables -t nat -I POSTROUTING -o eth1 -d $LINKSYS_VPN_IP \
  -p tcp --dport 1723 -j SNAT --to-source 192.168.1.1

(where 192.168.1.1 is the ip address of the firewall on eth1 side)

If postrouting still has a default drop policy etc.
then this rule must be found before the accept rule,
that is why it has -I, to put it first.

HTH
-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
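The complete ruleset Jim's advice in this thread adds up to (DNAT in PREROUTING, FORWARD accepts in both directions, SNAT in POSTROUTING so the VPN box sees a local peer), written out as an added example that is not from the thread or from any of the posters. It uses the interface names and LAN addresses from the thread, a placeholder public address, and also covers GRE, which PPTP needs alongside tcp/1723 and which Neil says he set up the same way; the script only prints the commands unless its output is piped to a shell as root.

```bash
#!/bin/sh
# Constructed topology, matching the thread:
#   eth0 = public side, address $ETH0_IP (placeholder from TEST-NET-3)
#   eth1 = LAN side, firewall address 192.168.1.1
#   Linksys VPN box at 192.168.1.101 answering PPTP (tcp/1723 + GRE)
ETH0_IP="${ETH0_IP:-203.0.113.10}"
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"
LINKSYS_VPN_IP="${LINKSYS_VPN_IP:-192.168.1.101}"
IPT=/sbin/iptables

# Print one rule per line; run "./script | sh" as root to load them.
emit() { printf '%s\n' "$*"; }

pptp_forward_rules() {
    # 1. Rewrite the destination of inbound PPTP control connections
    #    and of the GRE tunnel packets to the VPN box.
    emit "$IPT" -t nat -A PREROUTING -i eth0 -d "$ETH0_IP" -p tcp --dport 1723 \
        -j DNAT --to-destination "$LINKSYS_VPN_IP:1723"
    emit "$IPT" -t nat -A PREROUTING -i eth0 -d "$ETH0_IP" -p gre \
        -j DNAT --to-destination "$LINKSYS_VPN_IP"
    # 2. Filtering happens in the filter table only: new connections
    #    inbound, and tracked replies (plus helper-related flows) outbound.
    emit "$IPT" -A FORWARD -i eth0 -o eth1 -d "$LINKSYS_VPN_IP" -p tcp --dport 1723 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    emit "$IPT" -A FORWARD -i eth0 -o eth1 -d "$LINKSYS_VPN_IP" -p gre \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    emit "$IPT" -A FORWARD -i eth1 -o eth0 -s "$LINKSYS_VPN_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Source-NAT the forwarded traffic to the firewall's LAN address, so a
    #    box that only answers local peers replies, and conntrack un-NATs the
    #    reply on the way back out. No ACCEPT rules live in the nat table.
    emit "$IPT" -t nat -A POSTROUTING -o eth1 -d "$LINKSYS_VPN_IP" -p tcp --dport 1723 \
        -j SNAT --to-source "$FW_LAN_IP"
    emit "$IPT" -t nat -A POSTROUTING -o eth1 -d "$LINKSYS_VPN_IP" -p gre \
        -j SNAT --to-source "$FW_LAN_IP"
}

# Number of rules the function emits; useful as a dry-run sanity check.
rule_count() { pptp_forward_rules | wc -l | tr -d ' '; }

pptp_forward_rules
```

The SNAT rules mean the VPN box's own logs will show 192.168.1.1 as every client's address, so keep the firewall's conntrack or FORWARD logging if you need the real remote addresses.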




* RE: Port forwarding not working
From: Neil Aggarwal @ 2007-04-30  2:11 UTC (permalink / raw)
  To: netfilter

Jim:

That did it!  I guess the Linksys box was only going
to respond to local IP addresses.

I was able to use your example to set up the routing for
the gre protocol as well.

Thank you for your help.

	Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.




