* port forwarding not working
@ 2004-04-15 13:57 Nick Vazirianis
  2004-04-15 14:07 ` Ray Leach
  2004-04-15 14:16 ` Antony Stone
  0 siblings, 2 replies; 15+ messages in thread
From: Nick Vazirianis @ 2004-04-15 13:57 UTC (permalink / raw)
  To: netfilter



iptables v1.2.8
Linux Fedora Core 1
Kernel 2.6.3

I am having some trouble getting port forwarding working within the attached script.
Please refer to the line starting     # enable port forwarding for BitTorrent
Incoming packets to these ports are being dropped (and logged) by the
section lower down in the script. I have tried adding the enable port
forward section in different parts of the script, but this makes no
difference.

Could someone please help? I even tried adding the line
$IPTABLES -A INPUT -i $EXT_IF -p tcp --dport 6881:6885 -j ACCEPT
but I believe this only allows incoming into the firewall and not redirecting to another host.

Someone please help.


[-- Attachment #2: rc2.firewall.txt --]

#!/bin/sh
##
## IPTables firewall script for Linux gateway machine
## connected to Telstra Bigpond Advance (Cable).
##
## This firewall script uses stateful inspection to allow packets 
## in for connections that have already been established. 
##
## It is possible to tighten up this script a lot more, however
## it is designed to allow most Internet services to be accessable
## from within your network while still providing a good level of
## security for your Linux server and internal network.
## 
##
## v1.0 20/01/02 - Con Tassios
##
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"

# External network interface (BPA)
EXT_IF="eth0"
EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d\  -f1`

# Internal network interface (LAN)
INT_IF="eth1"
INT_NET="192.168.0.0/24"

XPPRO1="192.168.0.206"

ANY="0.0.0.0/0"

# Filename for incoming/outgoing byte counters
ACCF=/var/log/TRAFFIC
LOCK=/tmp/TRAFFIC.lck

start() {

    $MODPROBE ip_tables
    $MODPROBE iptable_nat
    $MODPROBE ip_nat_ftp
    $MODPROBE ip_conntrack
    $MODPROBE ip_conntrack_ftp

    # Start firewall rules

    # Set to default values
    reset

    BPA_AUTH_SVR=`host dce-server | grep address | cut -f4 -d" "`
 
    # Get byte counters
    getcounters

    # Set default policy
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    #
    # [ TRAF ] Accounting chains
    #
    $IPTABLES -N TRAF-IN
    $IPTABLES -N TRAF-OUT

    #
    # [ INPUT ]
    #
    $IPTABLES -F INPUT

    # Byte counter for incoming traffic
    $IPTABLES -A INPUT -i $EXT_IF -j TRAF-IN -c $X1

    #  Allow BPA heartbeat packets 
    $IPTABLES -A INPUT -s $BPA_AUTH_SVR -i $EXT_IF -p udp --dport 5050 -j ACCEPT

    #  Allow all packets from localhost and internal network
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i $INT_IF -j ACCEPT

    #  Allow all packets from these hosts (example)
    #$IPTABLES -A INPUT -s 136.186.1.50 -i $EXT_IF -j ACCEPT

    # HTTP
    # allow all http/https incoming/return connections
    $IPTABLES -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # $IPTABLES -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $EXT_IF -p tcp -d 0/0 --dport 80 -j ACCEPT
    # $IPTABLES -A INPUT -i $EXT_IF -p tcp -d 0/0 --dport 443 -j ACCEPT

    # SMTP
    $IPTABLES -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $EXT_IF -p tcp -d 0/0 --dport 25 -j ACCEPT

    # DAD
    #$IPTABLES -A INPUT -i $EXT_IF -p udp -s 144.132.126.147 -j ACCEPT
    #$IPTABLES -A INPUT -i $EXT_IF -p udp -d 144.132.126.147 -j ACCEPT
    #$IPTABLES -A INPUT -i $EXT_IF -p tcp -s 144.132.126.147 -j ACCEPT
    #$IPTABLES -A INPUT -i $EXT_IF -p tcp -d 144.132.126.147 -j ACCEPT

    #  Stateful inspection - Allow packets in from connections already established
    $IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

    ##
    ## [ FORWARD ]
    ##

    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -j TRAF-IN  -c $X3
    $IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -j TRAF-OUT -c $X4
    $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT

    #$IPTABLES -A FORWARD -j LOG --log-prefix "netfilter: "

    ##
    ## [ OUTPUT ]
    ##
    
    # Byte counter for outgoing traffic
    $IPTABLES -A OUTPUT -o $EXT_IF -j TRAF-OUT -c $X2

    ##
    ## [ NAT ]
    ##
    $IPTABLES -F -t nat
    $IPTABLES -t nat -F POSTROUTING
    #$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP
    #$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE

    # enable port forwarding for BitTorrent
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881 -j DNAT --to-destination 192.168.0.206:6881 
    $IPTABLES -A FORWARD -s 6881 -p tcp --dport 6881 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6882 -j DNAT --to-destination 192.168.0.206:6882
    $IPTABLES -A FORWARD -s 6882 -p tcp --dport 6882 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6883 -j DNAT --to-destination 192.168.0.206:6883 
    $IPTABLES -A FORWARD -s 6883 -p tcp --dport 6883 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6884 -j DNAT --to-destination 192.168.0.206:6884 
    $IPTABLES -A FORWARD -s 6884 -p tcp --dport 6884 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6885 -j DNAT --to-destination 192.168.0.206:6885 
    $IPTABLES -A FORWARD -s 6885 -p tcp --dport 6885 -j ACCEPT
        

    ##
    ## Transparent proxy - Uncomment this to forward HTTP traffic on port 80 to Squid 
    ##
    #$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128

    #  DROP packets from invalid source
    $IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
    $IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
    $IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
    $IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP

    #  LOG and DENY everything else
    #$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "netfilter: "
    # UDP, log & drop
    iptables -A INPUT -i $EXT_IF -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
    iptables -A INPUT -i $EXT_IF -p udp -j DROP
    # ICMP, log & drop
    iptables -A INPUT -i $EXT_IF -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
    iptables -A INPUT -i $EXT_IF -p icmp -j DROP
    # Windows NetBIOS noise, log & drop
    iptables -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
    iptables -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 137:139 -j DROP
    # IGMP noise, log & drop
    iptables -A INPUT -i $EXT_IF -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
    iptables -A INPUT -i $EXT_IF -p 2 -j DROP
    # TCP, log & drop
    iptables -A INPUT -i $EXT_IF -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
    iptables -A INPUT -i $EXT_IF -p tcp -j DROP
    # Anything else not allowed, log & drop
    iptables -A INPUT -i $EXT_IF -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
    iptables -A INPUT -i $EXT_IF -j DROP


}

getcounters() {
    X1="0 0"
    X2="0 0"
    X3="0 0"
    X4="0 0"
    if [ -s $ACCF ]; then
       X1=`grep INPUT    $ACCF | cut -d" " -f2,3`
       X2=`grep OUTPUT   $ACCF | cut -d" " -f2,3`
       X3=`grep FORW-IN  $ACCF | cut -d" " -f2,3`
       X4=`grep FORW-OUT $ACCF | cut -d" " -f2,3`
    fi
}

# Save byte counters
save() {
    # Save iptables rules and accounting information
    lockfile -l300 -r5 $LOCK >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        X=`$IPTABLES -nL | wc -l | sed "s/ //g"`
        if [ $X -gt "8" ]; then 
           $IPTABLES -nvxL INPUT   | grep TRAF-IN  | awk '{print "INPUT "   $1" "$2}' > $ACCF
           $IPTABLES -nvxL OUTPUT  | grep TRAF-OUT | awk '{print "OUTPUT "  $1" "$2}' >>$ACCF
           $IPTABLES -nvxL FORWARD | grep TRAF-IN  | awk '{print "FORW-IN " $1" "$2}' >>$ACCF
           $IPTABLES -nvxL FORWARD | grep TRAF-OUT | awk '{print "FORW-OUT "$1" "$2}' >>$ACCF
        fi
        rm -f $LOCK
    fi
}

reset() {
    # Reset to default values
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT

    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT

    $IPTABLES -t mangle -P PREROUTING ACCEPT
    $IPTABLES -t mangle -P OUTPUT ACCEPT

    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F

    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X
}

stop() {
    save
    reset
}

# DROP all packets from external interface, allow from internal network
lock() {
    reset
    getcounters
    $IPTABLES -N TRAF-IN
    $IPTABLES -N TRAF-OUT
    $IPTABLES -A INPUT -i $EXT_IF -j TRAF-IN -c $X1
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i $INT_IF -j ACCEPT
    $IPTABLES -A INPUT -j DROP
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    save)
        save
        ;;
    lock)
	lock
        ;;
    restart)
        stop
        start
        ;;
    *)
    echo $"Usage: $0 {start|stop|save|lock|restart}"
esac
exit



* Re: port forwarding not working
  2004-04-15 13:57 Nick Vazirianis
@ 2004-04-15 14:07 ` Ray Leach
  2004-04-15 14:28   ` Alexander Economou
  2004-04-15 14:16 ` Antony Stone
  1 sibling, 1 reply; 15+ messages in thread
From: Ray Leach @ 2004-04-15 14:07 UTC (permalink / raw)
  To: Netfilter Mailing List


On Thu, 2004-04-15 at 15:57, Nick Vazirianis wrote:
> iptables v1.2.8
> Linux Fedora Core 1
> Kernel 2.6.3
>  
> I am having some trouble getting port forwarding within the attached
> script.
>  Please refer the line starting     # enable port forwarding for
> BitTorrent
> Incoming packets to these ports are being dropped (and logged) by the
> section lower down in the script, I have tried adding the enable port
>  forward section in different parts of the script, but this makes no
> difference.
>  
> Could someone please help? I even tried adding the line
> $IPTABLES -A INPUT -i $EXT_IF -p tcp --dport 6881:6885 -j ACCEPT
> but I believe this only allows incoming into the firewall and not
> redirecting to another host
>  
> someone please help 
Maybe the source is not 6881 ...
$IPTABLES -A FORWARD -s 6881 -p tcp --dport 6881 -j ACCEPT
try
$IPTABLES -A FORWARD -p tcp --dport 6881 -j ACCEPT
instead
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--



* Re: port forwarding not working
  2004-04-15 13:57 Nick Vazirianis
  2004-04-15 14:07 ` Ray Leach
@ 2004-04-15 14:16 ` Antony Stone
  1 sibling, 0 replies; 15+ messages in thread
From: Antony Stone @ 2004-04-15 14:16 UTC (permalink / raw)
  To: netfilter

On Thursday 15 April 2004 2:57 pm, Nick Vazirianis wrote:

> I am having some trouble getting port forwarding within the attached
> script.
>
> I even tried adding the line
> $IPTABLES -A INPUT -i $EXT_IF -p tcp --dport 6881:6885 -j ACCEPT
> but i believe this only allows incoming into the firwall and not
> redirecting to another host

Correct.   INPUT rules are for packets terminating on the machine.   FORWARD 
rules are for packets going somewhere else.

The problem is that your FORWARD rules allowing traffic to the 
newly-translated address for the BitTorrent service are specifying a source 
*address* of 6881, 6882, 6883 etc.   No way will that work.

I'm not sure whether you meant to specify a source port (--sport) instead of 
an address, or whether it should be left out completely, and just use the 
destination port in the rule?

Regards,

Antony.

-- 
What is this talk of "software release"?
Our software evolves and matures until it is capable of escape, leaving a 
bloody trail of designers and quality assurance people in its wake.

                                                     Please reply to the list;
                                                           please don't CC me.



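Ray's corrected rule and Antony's explanation, assembled as an added example that is not part of the original posts: the BitTorrent section of Nick's script rewritten so each FORWARD rule matches the translated destination host and port (the `-s 6881` rules match nothing, because 6881 is not an address). It assumes the interface names and the 192.168.0.206 target from the attached script, and prints the rules instead of loading them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original post: the BitTorrent section of
# the attached script rewritten so the FORWARD rules match the destination
# host and port instead of a "source address" of 6881. Placeholders:
# EXT_IF, INT_IF and TORRENT_HOST are assumed to match the original script.
IPTABLES=/sbin/iptables
EXT_IF=eth0
INT_IF=eth1
TORRENT_HOST=192.168.0.206        # the DNAT target in the original script
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the rules instead of loading them

# run CMD...: execute an iptables command, or print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_tcp_port PORT HOST: DNAT one external TCP port to HOST:PORT and let
# the now-translated packets through FORWARD. The DNAT happens in PREROUTING,
# so FORWARD sees the packet with HOST as its destination; that is what the
# FORWARD rule has to match.
forward_tcp_port() {
    port="$1"; host="$2"
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    # Only the translated destination is opened, and only for new connections;
    # replies from HOST are covered by the script's existing FORWARD rules.
    run "$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$host" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

# forward_tcp_range FIRST LAST HOST: one DNAT/FORWARD pair per port, replacing
# the five hand-written copies for 6881..6885.
forward_tcp_range() {
    p="$1"
    while [ "$p" -le "$2" ]; do
        forward_tcp_port "$p" "$3"
        p=$((p + 1))
    done
}

# count_rules FIRST LAST HOST: number of rules the range expands to (two per
# port), a quick sanity check in dry-run mode.
count_rules() {
    forward_tcp_range "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone use: print the rules for the original 6881-6885 range.
forward_tcp_range 6881 6885 "$TORRENT_HOST"
```

These lines replace the "enable port forwarding for BitTorrent" block and still have to come after the `-F FORWARD` in the script, as the original block does.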

* Re: port forwarding not working
  2004-04-15 14:07 ` Ray Leach
@ 2004-04-15 14:28   ` Alexander Economou
  2004-04-15 14:53     ` Antony Stone
  0 siblings, 1 reply; 15+ messages in thread
From: Alexander Economou @ 2004-04-15 14:28 UTC (permalink / raw)
  To: Ray Leach; +Cc: netfilter



> On Thu, 2004-04-15 at 15:57, Nick Vazirianis wrote:
>> iptables v1.2.8
>> Linux Fedora Core 1
>> Kernel 2.6.3
>>
>> I am having some trouble getting port forwarding within the attached
>> script.
>>  Please refer the line starting     # enable port forwarding for
>> BitTorrent
>> Incoming packets to these ports are being dropped (and logged) by the
>> section lower down in the script, I have tried adding the enable port
>>  forward section in different parts of the script, but this makes no
>> difference.
>>
>> Could someone please help? I even tried adding the line
>> $IPTABLES -A INPUT -i $EXT_IF -p tcp --dport 6881:6885 -j ACCEPT
>> but I believe this only allows incoming into the firewall and not
>> redirecting to another host
>>
>> someone please help
> Maybe the source s not 6881 ...
> $IPTABLES -A FORWARD -s 6881 -p tcp --dport 6881 -j ACCEPT
> try
> $IPTABLES -A FORWARD -p tcp --dport 6881 -j ACCEPT
> instead
> --
> --
> Raymond Leach <raymondl@knowledgefactory.co.za>
> Network Support Specialist
> http://www.knowledgefactory.co.za
> "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
> Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
> --
>
If I understood well, you have a Linux firewall with a DMZ IP and you
want to redirect traffic from a real IP to a LAN IP of your network. If I am
correct then you should do:

iptables -t nat -F
iptables -t nat -A POSTROUTING -o dmzinterface -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -d dmzip --dport 6181 -j DNAT --to lanip:6181

iptables -t nat -A PREROUTING -p tcp -d dmzip --dport 6182 -j DNAT --to lanip:6182

etc etc
dmzinterface is the interface with the real IP, e.g. eth0

-- 
Alexander Economou




* Re: port forwarding not working
  2004-04-15 14:28   ` Alexander Economou
@ 2004-04-15 14:53     ` Antony Stone
  2004-04-15 15:58       ` Cedric Blancher
  0 siblings, 1 reply; 15+ messages in thread
From: Antony Stone @ 2004-04-15 14:53 UTC (permalink / raw)
  To: netfilter

On Thursday 15 April 2004 3:28 pm, Alexander Economou wrote:

> If i understood well , you have a linux firewall with a dmz ip and you
> want to redirect traffic from a real ip to lan ip of your network.If i am
> correct then you should do :
>
> iptables -t nat -F
> iptables -t nat -A POSTROUTING -o dmzinterface -j MASQUERADE

I disagree with this rule.   It will make all connections to servers in the 
DMZ network appear to come from the firewall, which will destroy any useful 
logging on the services which are running.

> iptables -t nat -A PREROUTING -p tcp -d dmzip --dport 6181 -j DNAT --to
> lanip:6181
> iptables -t nat -A PREROUTING -p tcp -d dmzip --dport 6182 -j DNAT --to
> lanip:6182
> etc etc

It's important to remember that in addition to the PREROUTING rules to do the 
address translation, you need FORWARDing rules to allow the now-translated 
packets through the firewall.   It was the FORWARDing rules which were the 
problem in Nick's script.

Regards,

Antony.

-- 
Wanted: telepath.   You know where to apply.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: port forwarding not working
@ 2004-04-15 15:08 aksingh
  0 siblings, 0 replies; 15+ messages in thread
From: aksingh @ 2004-04-15 15:08 UTC (permalink / raw)
  To: netfilter





hi,

I am working on this, just wanted to know if there can be a better solution
to this problem:

problem:
to take a packet from the kernel before the routing decision is made by IP,
give it to a user space process which decides whether it wants to play with
the packet or wants to return it to the kernel.

solution I'm thinking of:
use a netfilter hook to capture PRE_ROUTING packets, define a callback
function in a kernel module and open a char device to write the sk_buff to
this char device; a user space process reads this and writes back to the
char device if needed; the driver for this char device calls the IP route
lookup function and, based on the routing decision, calls etheroutput to
send the packet to its actual destination.

issues:
1. Does this solution sound OK? Will this work, or am I doing something
incorrect here?
2. If this works, this solution would require two copies, one from the
kernel sk_buff to the char device and then back from the user space process
to the char device. How much of an overhead would that be? Can a
better/easier approach be followed?

Do put in your suggestions.

Regards,
Amit





* Re: port forwarding not working
  2004-04-15 14:53     ` Antony Stone
@ 2004-04-15 15:58       ` Cedric Blancher
  0 siblings, 0 replies; 15+ messages in thread
From: Cedric Blancher @ 2004-04-15 15:58 UTC (permalink / raw)
  To: netfilter

On Thu 15/04/2004 at 16:53, Antony Stone wrote:
> > iptables -t nat -A POSTROUTING -o dmzinterface -j MASQUERADE
> I disagree with this rule.   It will make all connections to servers in the 
> DMZ network appear to come from the firewall, which will destroy any useful 
> logging on the services which are running.

One may just add a "-s $LAN" statement so the DMZ does not see packets using
the internal addressing scheme (obfuscation), but external addresses are kept
unmodified for logging purposes.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* Port forwarding not working
@ 2007-04-29  3:15 Neil Aggarwal
  2007-04-29  4:04 ` Port forwarding not working (nfcan: to exclusive) Jim Laurino
  0 siblings, 1 reply; 15+ messages in thread
From: Neil Aggarwal @ 2007-04-29  3:15 UTC (permalink / raw)
  To: netfilter

Hello:

I have a Linux box acting as a firewall and gateway
for my local internet.  The private IP is 192.168.1.1

Behind that, I have a Linksys VPN box.  Its IP
is 192.168.1.101.

If I go to my Linux box and issue this command:

telnet 192.168.1.101 1723

I get this output:

Trying 192.168.1.101...
Connected to 192.168.1.101 (192.168.1.101).
Escape character is '^]'.

Everything is fine.  I can connect to the Linksys box
without a problem.

Now, I want to set up routing from the external world
to be able to access the Linksys box.

I added this rule to my firewall to do the forwarding:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ETH0_IP 
	--sport 1024: --dport 1723 
	-j DNAT --to $LINKSYS_VPN_IP:1723

It is all on one line; I added line breaks for readability.

When I tried to telnet to port 1723 on my public IP, I saw logs
from my firewall for inbound packets so I added these rules:

/sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP 
	-p tcp --sport 1024: --dport 1723 
	-m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP 
	-p tcp --sport 1024: --dport 1723 
	-m state --state NEW,ESTABLISHED -j ACCEPT

But I am not seeing any logs for the outbound packets from
the Linksys box, and the telnet session from the remote computer
is not connecting.

Any ideas what is going on?

Thanks,
	Neil


--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.




* Re: Port forwarding not working (nfcan: to exclusive)
  2007-04-29  3:15 Port forwarding not working Neil Aggarwal
@ 2007-04-29  4:04 ` Jim Laurino
  2007-04-29  4:56   ` neil
  0 siblings, 1 reply; 15+ messages in thread
From: Jim Laurino @ 2007-04-29  4:04 UTC (permalink / raw)
  To: netfilter

On 04/28/2007 11:15:33 PM, Neil Aggarwal - neil@JAMMConsulting.com wrote:
> Hello:
> 
> I have a Linux box acting as a firewall and gateway
> for my local internet.  The private IP is 192.168.1.1
> 
> Behind that, I have a Linksys VPN box.  Its IP
> is 192.168.1.101.
> 
> If I go to my Linux box and issue this command:
> 
> telnet 192.168.1.101 1723
> 
> I get this output:
> 
> Trying 192.168.1.101...
> Connected to 192.168.1.101 (192.168.1.101).
> Escape character is '^]'.
> 
> Everything is fine.  I can connect to the Linksys box
> without a problem.
> 
> Now, I want to set up routing from the external world
> to be able to access the Linksys box.
> 
> I added this rule to my firewall to do the forwarding:
> 
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ETH0_IP 
> 	--sport 1024: --dport 1723 
> 	-j DNAT --to $LINKSYS_VPN_IP:1723

> 
> It is all one one line, I added link breaks for readability.
> 
OK, you have forwarded this port from the firewall to the VPN box.
Now you have to accept it.
(You must have a default drop policy in forward.)

> When I tried to telnet to port 1723 on my public IP, I saw logs
> from my firewall for inbound packets so I added these rules:
> 
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP 
> 	-p tcp --sport 1024: --dport 1723 
> 	-m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP 
> 	-p tcp --sport 1024: --dport 1723 
> 	-m state --state NEW,ESTABLISHED -j ACCEPT
>

You need packets to flow in both directions.
The outside should be able to initiate
so the first rule looks good:

/sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP 
	-p tcp --sport 1024: --dport 1723 
	-m state --state NEW,ESTABLISHED -j ACCEPT

But you need to accept the return packets. 
How about this for the return pattern:
  
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP 
	-p tcp --sport 1723 
	-m state --state ESTABLISHED -j ACCEPT

The accept in the nat postrouting can be removed.

HTH

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.




* Re: Port forwarding not working (nfcan: to exclusive)
  2007-04-29  4:04 ` Port forwarding not working (nfcan: to exclusive) Jim Laurino
@ 2007-04-29  4:56   ` neil
  2007-04-29  7:10     ` Port forwarding not working (nfcan: to exclusive) " Jim Laurino
  0 siblings, 1 reply; 15+ messages in thread
From: neil @ 2007-04-29  4:56 UTC (permalink / raw)
  To: netfilter

Jim:

> The outside should be able to initiate
> so the first rule looks good:
>
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP
> 	-p tcp --sport 1024: --dport 1723
> 	-m state --state NEW,ESTABLISHED -j ACCEPT
>
> But you need to accept the return packets.
> How about this for the return pattern:
>
> /sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP
> 	-p tcp --sport 1723
> 	-m state --state ESTABLISHED -j ACCEPT

That is my point.  Without this rule, I should see packets
hitting the firewall in the log.  I don't see them.

I can add this rule, but I don't think the return packets are
coming back correctly.

> The accept in the nat postrouting can be removed.

I need that as I also set the nat postrouting to drop
by default.

Would it help to see my entire firewall script?

Thanks,
  Neil

--
Neil Aggarwal
JAMM Consulting, Inc.




* Re: Port forwarding not working (nfcan: to exclusive) (nfcan: to  exclusive)
  2007-04-29  4:56   ` neil
@ 2007-04-29  7:10     ` Jim Laurino
  2007-04-29 13:06       ` Neil Aggarwal
  0 siblings, 1 reply; 15+ messages in thread
From: Jim Laurino @ 2007-04-29  7:10 UTC (permalink / raw)
  To: netfilter

On 04/29/2007 12:56:33 AM, neil@JAMMConsulting.com wrote:
> Jim:
> 
> > The outside should be able to initiate
> > so the first rule looks good:
> >
> > /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP
> > 	-p tcp --sport 1024: --dport 1723
> > 	-m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > But you need to accept the return packets.
> > How about this for the return pattern:
> >
> > /sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP
> > 	-p tcp --sport 1723
> > 	-m state --state ESTABLISHED -j ACCEPT
> 
> That is my point.  Without this rule, I should see packets
> hitting the firewall in the log.  I don't see them.

I guess "hitting the firewall" means showing up in a drop count.
I agree, if the packets come in they should be counted.
But you do need some rule to accept them in filter.

If the packets do not come back, maybe that is a routing problem?
I can also imagine that a vpn box might not want to talk to hosts
not on the local network it was hooked up to.
Some security folks might get upset :)
Maybe you could use SNAT to make the packets appear
to come from the firewall, then they ought to come back.
I think that is a better use of the postrouting chain.
The mantra is always "filter in filter", etc.,
and my experience has been that it is good advice.

> I can add this rule, but I don't think the return packets are
> coming back correctly.

I think a sniffer, e.g. wireshark (ex ethereal), would
be able to tell you if there were loose packets
floating around on the eth1 side trying to get somewhere else.
You could filter on tcp and source ip:port
and see what the destination was.

If the packets were destined for the outside originator,
would the firewall route them there?

> 
> > The accept in the nat postrouting can be removed.
> 
> I need that as I also set the nat postrouting to drop
> by default.
See above, not recommended.

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.




* RE: Port forwarding not working (nfcan: to exclusive) (nfcan: to exclusive)
  2007-04-29  7:10     ` Port forwarding not working (nfcan: to exclusive) " Jim Laurino
@ 2007-04-29 13:06       ` Neil Aggarwal
  2007-04-29 13:29         ` Jan Engelhardt
  2007-04-29 14:39         ` Port forwarding not working Jim Laurino
  0 siblings, 2 replies; 15+ messages in thread
From: Neil Aggarwal @ 2007-04-29 13:06 UTC (permalink / raw)
  To: netfilter

Jim:

> Maybe you could use SNAT to make the packets appear
> to come from the firewall, then they ought to come back. 

How do I set up the SNAT rule?

Thanks,
	Neil


--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.




* RE: Port forwarding not working (nfcan: to exclusive) (nfcan: to exclusive)
  2007-04-29 13:06       ` Neil Aggarwal
@ 2007-04-29 13:29         ` Jan Engelhardt
  2007-04-29 14:39         ` Port forwarding not working Jim Laurino
  1 sibling, 0 replies; 15+ messages in thread
From: Jan Engelhardt @ 2007-04-29 13:29 UTC (permalink / raw)
  To: Neil Aggarwal; +Cc: netfilter


On Apr 29 2007 08:06, Neil Aggarwal wrote:
>
>> Maybe you could use SNAT to make the packets appear
>> to come from the firewall, then they ought to come back. 
>
>How do I set up the SNAT rule?

man iptables



Jan
-- 



* Re: Port forwarding not working
  2007-04-29 13:06       ` Neil Aggarwal
  2007-04-29 13:29         ` Jan Engelhardt
@ 2007-04-29 14:39         ` Jim Laurino
  2007-04-30  2:11           ` Neil Aggarwal
  1 sibling, 1 reply; 15+ messages in thread
From: Jim Laurino @ 2007-04-29 14:39 UTC (permalink / raw)
  To: netfilter

On 04/29/2007 09:06:44 AM, Neil Aggarwal - neil@JAMMConsulting.com wrote:
> Jim:
> 
> > Maybe you could use SNAT to make the packets appear
> > to come from the firewall, then they ought to come back. 
> 
> How do I set up the SNAT rule?
> 

This will make the packet look like it came from the firewall:

/sbin/iptables -t nat -I POSTROUTING -o eth1 -d $LINKSYS_VPN_IP \ 
  -p tcp --dport 1723 -j SNAT --to-source 192.168.1.1

(where 192.168.1.1 is the IP address of the firewall on the eth1 side)

If postrouting still has a default drop policy etc.
then this rule must be found before the accept rule,
that is why it has -I, to put it first.

HTH
-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.



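Jim's SNAT rule and the return-path FORWARD rule from his earlier reply, assembled into one rule set as an added example (not Jim's or Neil's own script): filtering stays in the filter table, as Jim recommends, and the SNAT covers only the one forwarded service, so other connections keep their real source address for logging, the concern Antony raised about a blanket MASQUERADE in the 2004 thread. It goes beyond the thread by adding GRE, which Neil mentions setting up the same way; addresses and interface names are the ones from the thread, and the rules are printed rather than loaded unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not Jim's or Neil's own script: the complete rule set for the
# VPN-box case, with all filtering kept in the filter table ("filter in
# filter") and SNAT limited to the one forwarded service instead of a blanket
# MASQUERADE. Placeholders: EXT_IF, INT_IF, FW_LAN_IP, VPN_HOST, VPN_PORT.
IPTABLES=/sbin/iptables
EXT_IF=eth0
INT_IF=eth1
FW_LAN_IP=192.168.1.1        # firewall's address on the LAN side
VPN_HOST=192.168.1.101       # the Linksys VPN box
VPN_PORT=1723                # PPTP control connection
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the rules instead of loading them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# dnat_rules: rewrite the destination of inbound connections arriving on the
# external interface. No verdicts here; the nat table is not a filter.
dnat_rules() {
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$VPN_PORT" \
        -j DNAT --to-destination "$VPN_HOST:$VPN_PORT"
}

# snat_rules: only traffic to the forwarded service is rewritten to come from
# the firewall's LAN address, so a box that answers local peers only will
# reply, while every other connection keeps its real source for logging.
# -I puts the rule first so nothing earlier in POSTROUTING shadows it.
snat_rules() {
    run "$IPTABLES" -t nat -I POSTROUTING -o "$INT_IF" -d "$VPN_HOST" -p tcp \
        --dport "$VPN_PORT" -j SNAT --to-source "$FW_LAN_IP"
}

# filter_rules: both directions of the connection are accepted in FORWARD,
# which is where the default DROP policy is enforced.
filter_rules() {
    run "$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$VPN_HOST" -p tcp \
        --dport "$VPN_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$VPN_HOST" -p tcp \
        --sport "$VPN_PORT" -m state --state ESTABLISHED -j ACCEPT
}

# gre_rules: PPTP also carries its data in GRE (IP protocol 47), which Neil
# set up the same way. GRE has no ports, so only the protocol is matched.
gre_rules() {
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p gre \
        -j DNAT --to-destination "$VPN_HOST"
    run "$IPTABLES" -t nat -I POSTROUTING -o "$INT_IF" -d "$VPN_HOST" -p gre \
        -j SNAT --to-source "$FW_LAN_IP"
    run "$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$VPN_HOST" -p gre -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$VPN_HOST" -p gre -j ACCEPT
}

all_rules() { dnat_rules; snat_rules; filter_rules; gre_rules; }

# nat_filtering_count: number of nat-table rules carrying an ACCEPT/DROP
# verdict; 0 means the "filter in filter" rule of thumb is respected.
nat_filtering_count() {
    all_rules | grep -- '-t nat' | grep -cE -- '-j (ACCEPT|DROP)' || true
}

all_rules
```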

* RE: Port forwarding not working
  2007-04-29 14:39         ` Port forwarding not working Jim Laurino
@ 2007-04-30  2:11           ` Neil Aggarwal
  0 siblings, 0 replies; 15+ messages in thread
From: Neil Aggarwal @ 2007-04-30  2:11 UTC (permalink / raw)
  To: netfilter

Jim:

That did it!  I guess the Linksys box was only going
to respond to local IP addresses.

I was able to use your example to set up the routing for
the GRE protocol as well.

Thank you for your help.

	Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.

