* Invalid friggen argument
@ 2003-10-12 7:41 Herman
2003-10-12 11:08 ` Willy TARREAU
` (2 more replies)
0 siblings, 3 replies; 29+ messages in thread
From: Herman @ 2003-10-12 7:41 UTC (permalink / raw)
To: netfilter
Hi everybody,
I am trying to get port forwarding to work. I had it working some time ago
gawdknows what changed...
Now, I get this result with iptables 1.2.7a-2mdk and with 1.2.9rc1:
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6390 \
-j DNAT --to 192.168.10.245
iptables: Invalid argument
I can cut and paste a line from a howto and I still get 'invalid argument' -
grrr...
Any ideas?
Cheers
--
Herman
^ permalink raw reply [flat|nested] 29+ messages in thread

* Re: Invalid friggen argument
From: Willy TARREAU @ 2003-10-12 11:08 UTC
To: Herman; +Cc: netfilter

Hi !

On Sun, Oct 12, 2003 at 01:41:15AM -0600, Herman wrote:
> Now, I get this result with iptables 1.2.7a-2mdk and with 1.2.9rc1:
>
> # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6390 \
> -j DNAT --to 192.168.10.245
> iptables: Invalid argument

your kernel might be too old and incompatible with these more recent versions.
I got the same when upgrading from iptables-1.2.4 to 1.2.5, IIRC.

Willy
* Re: Invalid friggen argument
From: Herman @ 2003-10-12 15:46 UTC
To: netfilter

On Sunday 12 October 2003 5:08 am, Willy TARREAU wrote:
> Hi !
>
> On Sun, Oct 12, 2003 at 01:41:15AM -0600, Herman wrote:
> > Now, I get this result with iptables 1.2.7a-2mdk and with 1.2.9rc1:
> >
> > # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6390 \
> > -j DNAT --to 192.168.10.245
> > iptables: Invalid argument
>
> your kernel might be too old and incompatible with these more recent versions.
> I got the same when upgrading from iptables-1.2.4 to 1.2.5, IIRC.
>
> Willy

Hmm, this is Mandrake 9.1 distro and it did work in the past, but kind of
unreliably. So I should try an older version of netfilter - any
recommendations for a version to try?

The funny thing is that the Masquerade line in my firewall setup gives the
same Invalid Argument error but it actually works. It is only Port Forwarding
that doesn't work.

Cheers,
--
Herman
* RE: Invalid friggen argument
From: Mark E. Donaldson @ 2003-10-12 17:44 UTC
To: Herman, netfilter

I don't think you have a versioning problem. Some of the more recent releases
of netfilter are more sensitive about arguments and argument ordering I have
found. Are you able to slip in a destination address into that rule:

iptables -t nat -A PREROUTING -i eth1 -p tcp -d xxx.xxx.xxx.xxx --dport 6390 \
-j DNAT --to 192.168.10.245

It may be looking for a dest address.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Herman
Sent: Sunday, October 12, 2003 12:41 AM
To: netfilter@lists.netfilter.org
Subject: Invalid friggen argument

Hi everybody,

I am trying to get port forwarding to work. I had it working some time ago
gawdknows what changed...

Now, I get this result with iptables 1.2.7a-2mdk and with 1.2.9rc1:

# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6390 \
-j DNAT --to 192.168.10.245
iptables: Invalid argument

I can cut and paste a line from a howto and I still get 'invalid argument' -
grrr...

Any ideas?

Cheers
--
Herman
* Re: Invalid friggen argument
From: Herman @ 2003-10-12 18:18 UTC
To: markee, netfilter

On Sunday 12 October 2003 11:44 am, Mark E. Donaldson wrote:
> I don't think you have a versioning problem. Some of the more recent releases
> of netfilter are more sensitive about arguments and argument ordering I have
> found. Are you able to slip in a destination address into that rule:
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp -d xxx.xxx.xxx.xxx --dport 6390 \
> -j DNAT --to 192.168.10.245
>
> It may be looking for a dest address.

I have tried that before and here goes:

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.168.10.100 --dport 6390 -j DNAT --to 192.168.10.245
iptables: Invalid argument

No luck.

Cheers,
--
Herman
* Port forwarding doesn't work.
From: Herman @ 2003-10-12 20:11 UTC
To: netfilter

Has anybody got me a *working* port forwarding rule please???

This thing is driving me nuts, since the rules straight from the manuals don't
work with 1.2.7a or 1.2.9rc1.

Cheers,
--
Herman
* Re: Port forwarding doesn't work.
From: Gerd Zemella @ 2003-10-12 21:41 UTC
To: Herman; +Cc: netfilter

Hi Herman,

did you try something like

iptables -t nat -I PREROUTING -d x.x.x.x -j DNAT --to-destination y.y.y.y

where you can add also protocol, port.....

Important is also that the destination machine routes back the packets via
the nat machine or you must specify an additional POSTROUTING rule so that it
looks for the destination machine that the packets are originated from the
nat machine. Perhaps an example to the PREROUTING rule.

iptables -t nat -I POSTROUTING -d y.y.y.y -j SNAT --to-source z.z.z.z

then z.z.z.z should be bound to the natting machine.

works for iptables 1.2.7a

greetings

Gerd

On Sun, 12.10.2003, Herman wrote at 22:11:
> Has anybody got me a *working* port forwarding rule please???
>
> This thing is driving me nuts, since the rules straight from the manuals don't
> work with 1.2.7a or 1.2.9rc1.
>
> Cheers,
* Re: Port forwarding doesn't work.
From: Herman @ 2003-10-12 22:04 UTC
To: Gerd Zemella; +Cc: netfilter

Well, here goes:

iptables -t nat -I PREROUTING -d 192.168.10.100 -j DNAT --to 192.168.10.245
iptables: Target problem

At least, now the error message changed and the only difference from before
is the -I instead of -A. So, with -A, I get Invalid Argument, and with -I, I
get Target Problem. Both cases don't work and the rule doesn't get added.

Can anybody give me a clue?

Cheers,
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding doesn't work.
From: Herman @ 2003-10-12 23:00 UTC
To: netfilter

Hi guys,

Well, I now downgraded to netfilter version 1.2.5-1 and the complaints went
away, though I still haven't gotten forwarding to work and this is the version
where I last had it working - sigh...

Here is my problem:
I need to forward a port from outside the firewall, to everybody on the
inside. All examples I have seen forward to a specific IP on the inside, which
doesn't go well with DHCP. The man page says that specifying a range of IPs
will trigger a round robin effect, which I don't think I want to happen. So,
how now brown cow?

I'm testing this with the Nectarine Demoscene radio station and xmms, since
that is way easier than messing with the government services that I actually
need this for. Nectarine needs port 8002 to be forwarded.

On the server, it works and the address to put into xmms is
http://130.231.60.129:8002/

On my laptop, I can't get it to work, though I had it working a couple of
months ago, with these firewall rules:

echo " DNAT Forward port 8002 for Nectarine Demoscene Radio"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8002 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8002 -j DNAT --to 192.168.10.245:8002

If I display the rules, I can't see any forwarding rules in the list, which
tells me that the forwarding rules that I try to implement are simply ignored
by iptables:

iptables -v -L
Chain INPUT (policy ACCEPT 55251 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
<snip: per-host DROP rules>

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 56800 packets, 63M bytes)
 pkts bytes target     prot opt in     out     source               destination

How can the FORWARD chain be empty, since MASQUERADE is working and my laptop
can surf the web?
Why are my new forwarding rules ignored?
How can I debug this stuff and see where the packets are going/not going?
Can anybody shed light on this?

Cheers,
--
Herman Oosthuysen
* Re: Port forwarding doesn't work.
From: Philip Craig @ 2003-10-13 0:10 UTC
To: Herman; +Cc: netfilter

Herman wrote:
> If I display the rules, I can't see any forwarding rules in the list, which
> tells me that the forwarding rules that I try to implement are simply ignored
> by iptables:
>
> iptables -v -L

iptables defaults to listing the filter table.
If you want to list nat rules, you must specify the nat table:

iptables -t nat -v -L

--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
* Re: Port forwarding doesn't work.
From: Herman @ 2003-10-13 0:20 UTC
To: netfilter

On Sunday 12 October 2003 6:10 pm, Philip Craig wrote:
> Herman wrote:
> > If I display the rules, I can't see any forwarding rules in the list,
> > which tells me that the forwarding rules that I try to implement are
> > simply ignored by iptables:
> >
> > iptables -v -L
>
> iptables defaults to listing the filter table.
> If you want to list nat rules, you must specify the nat table:
>
> iptables -t nat -v -L

OK, here goes:

iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Blech...

Mark Donaldson suggested that a module may be missing. I'll try to pursue
that thought.

Cheers,
--
Herman Oosthuysen
* Re: Port forwarding doesn't work.
From: Herman @ 2003-10-13 0:40 UTC
To: netfilter

The real problem that I'm trying to solve is this:
Several hosts need to access a gov service that uses Java and a certain port.
I do not know which machine/machines will run and I don't know what their IP
is going to be, due to DHCP. I could limit it to one machine with a fixed IP
just to get started though.

To test this, I'm experimenting with Nectarine radio, since that is easier
than farting around with a government server. If I can't get Nectarine to
work, then I have no hope of getting the gov thing to work.

> On the FORWARD chain, try iptables -v -L FORWARD -t filter. That will
> isolate just your FORWARD rules. I gather you are not showing ANY active
> forward rules? Not even your default policy?

iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

nothing...

iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

nothing much either...

I suppose some modules are missing, but what? What could be needed to make
port forwarding work, that is not already loaded to make masquerade work? At
least something is working but gawddammit, this doesn't make sense to me.

Cheers,
--
Herman Oosthuysen
* Re: Port forwarding doesn't work.
From: Arnt Karlsen @ 2003-10-13 1:17 UTC
To: netfilter

On Sun, 12 Oct 2003 18:40:27 -0600,
Herman <Herman@AerospaceSoftware.com> wrote in message
<200310121840.27031.Herman@AerospaceSoftware.com>:

> The real problem that I'm trying to solve is this:
> Several hosts need to access a gov service that uses Java and a certain
> port.

..if these hosts are initiating this connection from your end,
" -j ESTABLISHED,RELATED" should do it, instead of you
running around chasing your tail.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Port forwarding doesn't work.
From: Robert P. J. Day @ 2003-10-13 13:06 UTC
To: Arnt Karlsen; +Cc: netfilter

On Mon, 13 Oct 2003, Arnt Karlsen wrote:

> On Sun, 12 Oct 2003 18:40:27 -0600,
> Herman <Herman@AerospaceSoftware.com> wrote in message
> <200310121840.27031.Herman@AerospaceSoftware.com>:
>
> > The real problem that I'm trying to solve is this:
> > Several hosts need to access a gov service that uses Java and a certain
> > port.
>
> ..if these hosts are initiating this connection from your end,
> " -j ESTABLISHED,RELATED" should do it, instead of you
> running around chasing your tail.

i suspect you really meant -m state --state ESTABLISHED,RELATED.

rday
* Re: Port forwarding doesn't work.
From: Arnt Karlsen @ 2003-10-13 19:11 UTC
To: netfilter

On Mon, 13 Oct 2003 09:06:29 -0400 (EDT),
"Robert P. J. Day" <rpjday@mindspring.com> wrote in message
<Pine.LNX.4.44.0310130905370.17437-100000@localhost.localdomain>:

> On Mon, 13 Oct 2003, Arnt Karlsen wrote:
>
> > On Sun, 12 Oct 2003 18:40:27 -0600,
> > Herman <Herman@AerospaceSoftware.com> wrote in message
> > <200310121840.27031.Herman@AerospaceSoftware.com>:
> >
> > > The real problem that I'm trying to solve is this:
> > > Several hosts need to access a gov service that uses Java and a
> > > certain port.
> >
> > ..if these hosts are initiating this connection from your end,
> > " -j ESTABLISHED,RELATED" should do it, instead of you
> > running around chasing your tail.
>
> i suspect you really meant -m state --state ESTABLISHED,RELATED.

..you suspect correctly. ;-) Above match -j ACCEPT, to complete what I
meant to say.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Port forwarding doesn't work.
From: Herman @ 2003-10-13 18:05 UTC
To: Arnt Karlsen, netfilter

On Sunday 12 October 2003 7:17 pm, Arnt Karlsen wrote:
> On Sun, 12 Oct 2003 18:40:27 -0600,
> Herman <Herman@AerospaceSoftware.com> wrote in message
> <200310121840.27031.Herman@AerospaceSoftware.com>:
>
> > The real problem that I'm trying to solve is this:
> > Several hosts need to access a gov service that uses Java and a certain
> > port.
>
> ..if these hosts are initiating this connection from your end,
> " -j ESTABLISHED,RELATED" should do it, instead of you
> running around chasing your tail.

Hi Arnt,

Could you please elaborate on that?

As far as I can see, the hosts are initiating the connection, but the port
must somehow be forwarded through the firewall snat box.

This is what I have:

echo " DNAT Forward port 3270 for Alberta Registries application on Pluto"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 3270 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -j DNAT --to 192.168.10.1:3270

This is working now, provided that I use that specific IP address on the
inside - I had to load the iptable_mangle module, which made my problems go
away...

I don't understand how to add the ESTABLISHED,RELATED idea into this type of
rule.

Something like this:

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -m state --state ESTABLISHED,RELATED

???

Cheers,
--
Herman Oosthuysen
* Re: Port forwarding doesn't work.
From: Jeffrey Laramie @ 2003-10-13 19:31 UTC
To: netfilter

Herman wrote:
> On Sunday 12 October 2003 7:17 pm, Arnt Karlsen wrote:
> On Sun, 12 Oct 2003 18:40:27 -0600,
> Herman <Herman@AerospaceSoftware.com> wrote in message
> <200310121840.27031.Herman@AerospaceSoftware.com>:
> > The real problem that I'm trying to solve is this:
> > Several hosts need to access a gov service that uses Java and a certain
> > port.
>
> ..if these hosts are initiating this connection from your end,
> " -j ESTABLISHED,RELATED" should do it, instead of you
> running around chasing your tail.

I don't have the whole thread so I apologize if I missed something. If you
are using SNAT the return packets should be RELATED or ESTABLISHED and they
can be passed back to your box without any further natting:

# Masquerade everything leaving the lan as the firewall IP.
iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP

# This makes sure the returning packets make it through.
iptables -t filter -A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

Jeff
* Re: Port forwarding doesn't work.
From: Jeffrey Laramie @ 2003-10-13 20:00 UTC
To: Herman; +Cc: Arnt Karlsen, netfilter

I almost forgot. You'll need the same line for your FORWARD chain:

iptables -t filter -A FORWARD -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

Jeff

Herman wrote:
> On Sunday 12 October 2003 7:17 pm, Arnt Karlsen wrote:
> On Sun, 12 Oct 2003 18:40:27 -0600,
> Herman <Herman@AerospaceSoftware.com> wrote in message
> <200310121840.27031.Herman@AerospaceSoftware.com>:
> > The real problem that I'm trying to solve is this:
> > Several hosts need to access a gov service that uses Java and a certain
> > port.
>
> ..if these hosts are initiating this connection from your end,
> " -j ESTABLISHED,RELATED" should do it, instead of you
> running around chasing your tail.
>
> Hi Arnt,
>
> Could you please elaborate on that?
>
> As far as I can see, the hosts are initiating the connection, but the port
> must somehow be forwarded through the firewall snat box.
>
> This is what I have:
> echo " DNAT Forward port 3270 for Alberta Registries application on Pluto"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 3270 -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -j DNAT --to
> 192.168.10.1:3270
>
> This is working now, provided that I use that specific IP address on the
> inside - I had to load the iptable_mangle module, which made my problems go
> away...
>
> I don't understand how to add the ESTABLISHED,RELATED idea into this type of
> rule.
>
> Something like this:
>
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -m state --state
> ESTABLISHED,RELATED
>
> ???
>
> Cheers,
* Re: Port forwarding doesn't work.
From: Arnt Karlsen @ 2003-10-13 20:09 UTC
To: netfilter

On Mon, 13 Oct 2003 12:05:55 -0600,
Herman <Herman@AerospaceSoftware.com> wrote in message
<200310131205.55401.Herman@AerospaceSoftware.com>:

> On Sunday 12 October 2003 7:17 pm, Arnt Karlsen wrote:
> On Sun, 12 Oct 2003 18:40:27 -0600,
> Herman <Herman@AerospaceSoftware.com> wrote in message
> <200310121840.27031.Herman@AerospaceSoftware.com>:
> > The real problem that I'm trying to solve is this:
> > Several hosts need to access a gov service that uses Java and a
> > certain port.
>
> ..if these hosts are initiating this connection from your end,
> " -j ESTABLISHED,RELATED" should do it, instead of you
> running around chasing your tail.
>
> Hi Arnt,
>
> Could you please elaborate on that?

..see Robert's correction to my post and my response.

> As far as I can see, the hosts are initiating the connection, but the
> port must somehow be forwarded through the firewall snat box.
>
> This is what I have:
> echo " DNAT Forward port 3270 for Alberta Registries application on
> Pluto"$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 3270 -j
> ACCEPT$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -j
> DNAT --to 192.168.10.1:3270

..this looks like some ifwadm(sp?) or ipchains like kludge? Rip it out.

> This is working now, provided that I use that specific IP address on
> the inside - I had to load the iptable_mangle module, which made my
> problems go away...
>
> I don't understand how to add the ESTABLISHED,RELATED idea into this
> type of rule.
>
> Something like this:
>
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -m state
> --state ESTABLISHED,RELATED

..you don't need to specify interface nor protocol or ports other than
possibly to make data for the nice graphs. KISS: ;-)

# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED \
-j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-j ACCEPT

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Port forwarding doesn't work.
From: Herman @ 2003-10-13 20:47 UTC
To: netfilter

On Monday 13 October 2003 2:09 pm, Arnt Karlsen wrote:
> ..you don't need to specify interface nor protocol or ports other than
> possibly to make data for the nice graphs. KISS: ;-)
>
> # Accept everything connected
> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
> /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
> -j ACCEPT

Wow, that is far more simple than anything I ever saw in any howto. I like
it and I'll sure try it.

I currently have this input rule:

# Allow any related traffic coming back to the MASQ server in
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT

and these forward rules:

echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

My snat masquerade rule looks like this:

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

Your suggestions will simplify these rules nicely.

The problem is that I'm not quite sure how the Java applet thing works -
whether the connection is established from the inside, or whether the gov
server starts it up from the outside, after the initial http connection -
they may be doing that for some security reason. If it is the latter, then
the established,related rules won't work and explicit port forwarding rules
would be required.

To add to my woes, the gov server is down for maintenance at the moment, so
I can't test it properly.

Thanks,
--
Herman Oosthuysen
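As an added example that is not part of this thread: the pair of rules a DNAT port forward needs (nat/PREROUTING plus a matching filter/FORWARD accept), combined with the stateful base rules the replies above converge on and a default-deny FORWARD policy. Interface names, the outside address and the inside network (EXTIF, INTIF, EXTIP, LAN) are constructed placeholders, and rules are printed rather than applied unless APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the thread. All names and addresses below are
# constructed placeholders; override them through the environment.
EXTIF=${EXTIF:-eth1}               # outside interface
INTIF=${INTIF:-eth0}               # inside interface
EXTIP=${EXTIP:-203.0.113.10}       # firewall's outside address (placeholder, TEST-NET-3)
LAN=${LAN:-192.168.10.0/24}        # inside network
APPLY=${APPLY:-0}                  # 0 = dry run (print rules), 1 = apply (needs root)

# Every rule goes through ipt so the ruleset can be read and checked without
# touching a live firewall: in dry-run mode the command is printed, not run.
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Stateful base: a FORWARD policy of ACCEPT lets everything not explicitly
# dropped through, so set it to DROP; then accept reply traffic by conntrack
# state, allow inside-to-outside, and SNAT the inside network on the way out.
base_rules() {
    ipt -P FORWARD DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j SNAT --to-source "$EXTIP"
}

# A port forward is two rules in two tables: DNAT in nat/PREROUTING rewrites
# the destination, and the rewritten packet must then be accepted in
# filter/FORWARD. Match the post-DNAT destination there, NEW connections only;
# replies are covered by the ESTABLISHED,RELATED rule in base_rules.
# usage: forward_port <tcp|udp> <port> <inside host>
forward_port() {
    proto=$1; port=$2; host=$3
    ipt -t nat -A PREROUTING -i "$EXTIF" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p "$proto" -d "$host" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Listing: the filter table is the default, so nat rules only appear when the
# table is named explicitly. The -v counters show whether a rule ever matched.
show_rules() {
    ipt -v -n -L FORWARD
    ipt -t nat -v -n -L PREROUTING
}

base_rules
forward_port tcp 8002 192.168.10.245
show_rules
```

Run it as is to review the generated rules; run it with APPLY=1 as root to load them, and check the counters in the nat listing to confirm the DNAT rule is being hit.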
* Re: Port forwarding doesn't work.
From: Chris Brenton @ 2003-10-13 0:44 UTC
To: Herman; +Cc: netfilter

On Sun, 2003-10-12 at 19:00, Herman wrote:
>
> Here is my problem:
> I need to forward a port from outside the firewall, to everybody on the
> inside.

If it was UDP traffic, you might be able to get away with forwarding to your
internal broadcast address. Since it's TCP however, that's not RFC and I
doubt anyone will respond unless they have a broken stack.

> All examples I have seen forwards to a specific IP on the inside,
> which doesn't go well with DHCP.

Maybe you can do something with DDNS or specify a MAC-->IP mapping for the
host(s) that need this service.

> The man page says that specifying a range
> of IPs will trigger a round robin effect, which I don't think I want to
> happen. So, how now brown cow?

Agreed. That will balance to a number of different IPs, not what you are
looking for. Then again you're using TCP so you can't do multiple nodes at
the same time anyway.

> If I display the rules, I can't see any forwarding rules in the list, which
> tells me that the forwarding rules that I try to implement are simply ignored
> by iptables:

Try it on the command line and see what errors come back.

> iptables -v -L
> Chain INPUT (policy ACCEPT 55251 packets, 13M bytes)
<snip>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

Hummm. You do realize you are letting through *everything* you are not
specifically dropping? Looks like you've had quite a bit of traffic sneak
by. :(

> How can the FORWARD chain be empty, since MASQUERADE is working and my laptop
> can surf the web?

Because you are letting everything not specifically denied blow through.

> Why are my new forwarding rules ignored?

Again, try stuff like this from the command line. If iptables is not happy,
it will let you know about it.

> How can I debug this stuff and see where the packets are going/not going?
> Can anybody shed light on this?

The counters are a good indication of what is going on. You can also run
tcpdump to troubleshoot what goes by.

HTH,
C
* Re: Port forwarding doesn't work.
From: Herman @ 2003-10-13 1:17 UTC
To: Chris Brenton, netfilter

On Sunday 12 October 2003 6:44 pm, Chris Brenton wrote:
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>
> Hummm. You do realize you are letting through *everything* you are not
> specifically dropping? Looks like you've had quite a bit of traffic sneak
> by. :(

Yep, I opened it up in an effort to figure out what is going on - or rather
not going on. The really bad stuff is blocked in the INPUT chain, and the
INPUT chain is letting the packets through, since I can play xmms on the
firewall itself, so the packets get in, but not out the other side.

> > How can the FORWARD chain be empty, since MASQUERADE is working and my
> > laptop can surf the web?
>
> Because you are letting everything not specifically denied blow through.

OK - it seems that port forwarding uses the nat table - eventually I'll
understand this I hope... If I understand it, masquerading also uses the nat
table and that is working, so why doesn't port forwarding work for port 8002?

Here is the rule:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8002 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8002 -j DNAT --to 192.168.10.245:8002

On the command line it looks like this:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 8002 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8002 -j DNAT --to 192.168.10.245:8002

and it does diddly squat...

> > Why are my new forwarding rules ignored?
>
> Again, try stuff like this from the command line. If iptables is not
> happy, it will let you know about it.

Tried it with various versions of iptables. 1.2.7a and 1.2.9rc1 give either
Invalid Argument or Target Problem as explained in previous posts. Iptables
1.2.5 doesn't give any error messages - I downgraded, since upgrading didn't
make any diff, so now it doesn't tell me anything although the problem is
still the same. It is as if the rules are simply ignored even when I copy and
paste examples from the howtos or other posts.

> > How can I debug this stuff and see where the packets are going/not
> > going? Can anybody shed light on this?
>
> The counters are a good indication of what is going on. You can also run
> tcpdump to troubleshoot what goes by.

Trying that now - very trying... I guess that eventually, I'll understand
iptables, but it is going to take a while to get there. Oh, well, what the
hell - Catch 22.

--
Herman Oosthuysen B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
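Chris's advice to read the counters, applied to the two rules Herman posted: this is an added example, not code from the thread, that parses `iptables -L -v -n` style listings and reports rules whose packet counter is still zero (the DNAT and FORWARD rules that are never being hit) and a FORWARD chain whose ACCEPT policy is carrying all the traffic. The listing text is constructed to match the shape of Herman's rules; the K/M/G abbreviation of large counters is iptables' own behaviour when -x is not given.

```python
import re
# Chain header of `iptables -L -v -n`, e.g. "Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)"
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)$")

def count(tok):  # without -x, iptables abbreviates big counters as 81K/2M/1G (base 1000, rounded)
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)

def parse_listing(text):
    """Parse `iptables [-t table] -L <chain> -v -n` output into one dict per chain."""
    chains, cur = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = {"name": m.group(1), "policy": m.group(2),
                   "policy_pkts": count(m.group(3)), "rules": []}
            chains.append(cur)
            continue
        cols = line.split(None, 9)  # pkts bytes target prot opt in out src dst [match]
        if cur is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or column header
        cur["rules"].append({"pkts": count(cols[0]), "bytes": count(cols[1]),
                             "target": cols[2], "proto": cols[3], "in": cols[5],
                             "out": cols[6], "match": cols[9] if len(cols) > 9 else ""})
    return chains

def diagnose(chains):
    """Flag rules that never matched, and a FORWARD chain whose ACCEPT policy is doing the work."""
    findings = []
    for c in chains:
        if c["name"] == "FORWARD" and c["policy"] == "ACCEPT":
            findings.append(f"FORWARD policy ACCEPT passed {c['policy_pkts']} packets that no rule matched")
        for r in c["rules"]:
            if r["pkts"] == 0:
                findings.append(f"{c['name']}: {r['target']} {r['proto']} in={r['in']} "
                                f"out={r['out']} {r['match']} never matched")
    return findings

# Constructed sample shaped like the thread's rules (nat PREROUTING, then filter FORWARD); not real output.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 1431 packets, 81K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8002 to:192.168.10.245:8002
Chain FORWARD (policy ACCEPT 3120 packets, 2314K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:8002
   57  4104 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
"""
```

Run `diagnose(parse_listing(SAMPLE))` against real output by feeding it the concatenated text of `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n`; a DNAT rule that stays at 0 packets while the PREROUTING policy counter climbs means the rule's match (interface, protocol, port) is wrong or the nat table is not being consulted at all.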
* Re: Port forwarding doesn't work.
From: Herman @ 2003-10-13 1:30 UTC
To: netfilter

Hmm, as far as I can see iptable_nat handles nat, and it is loaded:

lsmod
Module                  Size  Used by    Not tainted
iptable_nat            16312   1  (autoclean)
ip_conntrack           18624   1  (autoclean) [iptable_nat]
appletalk              21636   1  (autoclean)
ipx                    17188   1  (autoclean)
iptable_filter          1644   1  (autoclean)
ip_tables              11736   4  [iptable_nat iptable_filter]
lp                      6752   0
parport_pc             21736   1
parport                23840   1  [lp parport_pc]
i810_audio             23720   1
soundcore               3684   0  [i810_audio]
ac97_codec             10024   0  [i810_audio]
nfsd                   66832   8  (autoclean)
lockd                  46896   1  (autoclean) [nfsd]
sunrpc                 63356   1  (autoclean) [nfsd lockd]
ppp_async               7456   0  (unused)
ppp_generic            20092   0  [ppp_async]
slhc                    5072   0  [ppp_generic]
af_packet              13000   3  (autoclean)
ip_vs                  74424   0  (autoclean)
sr_mod                 15096   0  (autoclean)
floppy                 49244   0
3c59x                  27248   1  (autoclean)
tulip                  41088   1  (autoclean)
supermount             14116   2  (autoclean)
ide-cd                 30560   0
cdrom                  27008   0  [sr_mod ide-cd]
ide-scsi                9552   0
scsi_mod               91060   2  [sr_mod ide-scsi]
printer                 6944   0  (unused)
usb-uhci               21804   0  (unused)
usbcore                58368   1  [printer usb-uhci]
rtc                     6556   0  (autoclean)
ext3                   59916   4
jbd                    38972   4  [ext3]

So, why O why, doesn't nat work? (My Bonnie lies over the ocean...)
Am I missing something in the kernel?

Cheers,

--
Herman Oosthuysen B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding now *almost* works...
From: Herman @ 2003-10-13 1:52 UTC
To: netfilter

Aaaaaaaaahhhhh...

It appears that nat is *not* handled by iptable_nat as one would expect, or
at least not *only* by that one. The missing module is iptable_mangle, and
the nice Redhat firewall script that I have been using doesn't load that one,
saying that it is an unneeded kernel module - sigh.

Once I loaded that with:

iptables -F -t mangle

and added my rules again, they now show up in the nat list, although it still
doesn't friggen work. I think it is time to reboot the whole machine and
start over, but I thought I'd send this message first.

Wheee, at least now I'm getting somewhere and in another day or so I can stop
banging my head on the table - maybe.

Cheers,

--
Herman Oosthuysen B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding doesn't work.
From: Gerd Zemella @ 2003-10-13 7:13 UTC
To: Herman; +Cc: netfilter

Hi Herman,

On Mon, 13.10.2003 at 00:04, Herman wrote:
> Well, here goes:
> iptables -t nat -I PREROUTING -d 192.168.10.100 -j DNAT --to 192.168.10.245

Did you write this --to? You must write --to-destination!

> iptables: Target problem
>
> At least, now the error message changed and the only difference from
> before is the -I instead of -A.
>
> So, with -A, I get Invalid Argument, and with -I, I get Target Problem.
> Both cases don't work and the rule doesn't get added.
>
> Can anybody give me a clue?
>
> Cheers,
* Re: Port forwarding doesn't work.
From: Adam D. Barratt @ 2003-10-13 14:32 UTC
To: netfilter

Gerd Zemella wrote, Monday, October 13, 2003 8:13 AM

[Please *don't* post HTML to the list]

> Hi Herman,
>
> On Mon, 13.10.2003 at 00:04, Herman wrote:
>
> > Well, here goes:
> > iptables -t nat -I PREROUTING -d 192.168.10.100 -j DNAT --to 192.168.10.245
>
> Did you write this --to? You must write --to-destination!

Nope. In context, --to is equivalent to --to-destination. There's absolutely
nothing wrong with using it in the manner above (in fact, every single DNAT
rule in our firewall script does -j DNAT --to).

Adam
* Re: Port forwarding doesn't work.
From: Gerd Zemella @ 2003-10-13 15:02 UTC
To: Adam D. Barratt; +Cc: netfilter

Oops, two faults. Too much for a Monday morning.....

On Mon, 13.10.2003 at 16:32, Adam D. Barratt wrote:
> Gerd Zemella wrote, Monday, October 13, 2003 8:13 AM
>
> [Please *don't* post HTML to the list]
>
> > Hi Herman,
> >
> > On Mon, 13.10.2003 at 00:04, Herman wrote:
> >
> > > Well, here goes:
> > > iptables -t nat -I PREROUTING -d 192.168.10.100 -j DNAT --to
> > > 192.168.10.245
> >
> > Did you write this --to? You must write --to-destination!
>
> Nope. In context, --to is equivalent to --to-destination. There's absolutely
> nothing wrong with using it in the manner above (in fact, every single DNAT
> rule in our firewall script does -j DNAT --to).
>
> Adam
* Re: Invalid friggen argument
From: Joel Newkirk @ 2003-10-14 6:04 UTC
To: Herman; +Cc: netfilter

On Sun, 2003-10-12 at 03:41, Herman wrote:
> Hi everybody,
>
> I am trying to get port forwarding to work. I had it working some time ago
> gawdknows what changed...
>
> Now, I get this result with iptables 1.2.7a-2mdk and with 1.2.9rc1:
>
> # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6390 \
> -j DNAT --to 192.168.10.245
> iptables: Invalid argument

Have you checked lsmod, to make sure you have iptable_nat loaded? If not,
try "modprobe iptable_nat" then try your rule again.

j
* Re: Invalid friggen argument
From: Herman @ 2003-10-14 13:14 UTC
To: netfilter

On Tuesday 14 October 2003 12:04 am, Joel Newkirk wrote:
> Have you checked lsmod, to make sure you have iptable_nat loaded? If not,
> try "modprobe iptable_nat" then try your rule again.

The trouble was not iptable_nat, but rather iptable_mangle. It seems that nat
doesn't work if iptable_mangle is not loaded - who woulda thunkit? I was
misled by a Redhat script, which stated that it isn't needed for nat, but
apparently it is indeed.

Cheers,

--
Herman