simple port forwarding question

simple port forwarding question

[Rohit Kumar Mehta]

Hi guys, I was wondering if someone could help me out here.  I am fairly 
well confused after trying to muddle through
this tutorial:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

I think what I want to do should be easy.  Perhaps someone could help.

We are trying to trick the systems into believing that the Kerberos 5 
server is on IP#2 (let's call it 192.168.28.3)
but it is in fact on IP#1 (192.168.28.2).

Maybe my attempted iptables commands will make it blatantly obvious what 
I am trying to do:

iptables -t nat -A PREROUTING --dst 192.168.28.3 -p tcp --dport 88 -j 
DNAT --to 192.168.28.2
iptables -t nat -A PREROUTING --dst 192.168.28.3 -p udp --dport 88 -j 
DNAT --to 192.168.28.2

iptables -t nat -A POSTROUTING -p udp --dst 192.168.28.2 --dport 88 -j 
SNAT --to-source 192.168.28.3
iptables -t nat -A POSTROUTING -p tcp --dst 192.168.28.2 --dport 88 -j 
SNAT --to-source 192.168.28.3

iptables -t nat -A OUTPUT --dst 192.168.28.3 -p tcp --dport 88 -j DNAT 
--to-destination 192.168.28.2
iptables -t nat -A OUTPUT --dst 192.168.28.3 -p udp --dport 88 -j DNAT 
--to-destination 192.168.28.2


Basically we want it so that if I do a "telnet 192.168.28.3 88", I get a 
connection to "192.168.28.2:88"
This works - when I initiate the connection from 192.168.28.3, but from 
any other machine on the network
it does not work.

Am I doing something wrong or forgetting a key step?  Thanks!

Rohit

Re: simple port forwarding question

[Herman]

Hmm, make sure that the FORWARD chain is ACCEPT for that port.  Something 
like:
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 88 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 88 -j ACCEPT

For debug purposes, make a logndrop chain and use that on all DROP rules, so 
that tail -f  /var/log/messages will show what is going on.

iptables -n logndrop
iptables -A logndrop -j LOG --log-level info
iptables -A logndrop -j DROP

Then whenever you suspect that a DROP rule will dump the wrong stuff, use -j 
logndrop as the target, to make the packet show up in the /var/log/messages 
file, something like this:
iptables -A FORWARD -p tcp --dport 135 -j logndrop

Once the script is debugged and working, add a # to the second line of the 
logndrop chain to stop the logging.

Hope this helps.

Herman

On Monday 03 November 2003 1:58 pm, Rohit Kumar Mehta wrote:
> Hi guys, I was wondering if someone could help me out here.  I am fairly
> well confused after trying to muddle through
> this tutorial:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> I think what I want to do should be easy.  Perhaps someone could help.
>
> We are trying to trick the systems into believing that the Kerberos 5
> server is on IP#2 (let's call it 192.168.28.3)
> but it is in fact on IP#1 (192.168.28.2).
>
> Maybe my attempted iptables commands will make it blatantly obvious what
> I am trying to do:
>
> iptables -t nat -A PREROUTING --dst 192.168.28.3 -p tcp --dport 88 -j
> DNAT --to 192.168.28.2
> iptables -t nat -A PREROUTING --dst 192.168.28.3 -p udp --dport 88 -j
> DNAT --to 192.168.28.2
>
> iptables -t nat -A POSTROUTING -p udp --dst 192.168.28.2 --dport 88 -j
> SNAT --to-source 192.168.28.3
> iptables -t nat -A POSTROUTING -p tcp --dst 192.168.28.2 --dport 88 -j
> SNAT --to-source 192.168.28.3
>
> iptables -t nat -A OUTPUT --dst 192.168.28.3 -p tcp --dport 88 -j DNAT
> --to-destination 192.168.28.2
> iptables -t nat -A OUTPUT --dst 192.168.28.3 -p udp --dport 88 -j DNAT
> --to-destination 192.168.28.2
>
>
> Basically we want it so that if I do a "telnet 192.168.28.3 88", I get a
> connection to "192.168.28.2:88"
> This works - when I initiate the connection from 192.168.28.3, but from
> any other machine on the network
> it does not work.
>
> Am I doing something wrong or forgetting a key step?  Thanks!
>
> Rohit

Re: simple port forwarding question

[SBlaze]

--- Rohit Kumar Mehta <rohitm@engr.uconn.edu> wrote:
> 
> Hi guys, I was wondering if someone could help me out here.  I am fairly 
> well confused after trying to muddle through
> this tutorial:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> 
> I think what I want to do should be easy.  Perhaps someone could help.
> 
> We are trying to trick the systems into believing that the Kerberos 5 
> server is on IP#2 (let's call it 192.168.28.3)
> but it is in fact on IP#1 (192.168.28.2).
> 
> Maybe my attempted iptables commands will make it blatantly obvious what 
> I am trying to do:
> 
> iptables -t nat -A PREROUTING --dst 192.168.28.3 -p tcp --dport 88 -j 
> DNAT --to 192.168.28.2
> iptables -t nat -A PREROUTING --dst 192.168.28.3 -p udp --dport 88 -j 
> DNAT --to 192.168.28.2
> 
> iptables -t nat -A POSTROUTING -p udp --dst 192.168.28.2 --dport 88 -j 
> SNAT --to-source 192.168.28.3
> iptables -t nat -A POSTROUTING -p tcp --dst 192.168.28.2 --dport 88 -j 
> SNAT --to-source 192.168.28.3
> 
> iptables -t nat -A OUTPUT --dst 192.168.28.3 -p tcp --dport 88 -j DNAT 
> --to-destination 192.168.28.2
> iptables -t nat -A OUTPUT --dst 192.168.28.3 -p udp --dport 88 -j DNAT 
> --to-destination 192.168.28.2
> 
> 
> Basically we want it so that if I do a "telnet 192.168.28.3 88", I get a 
> connection to "192.168.28.2:88"
> This works - when I initiate the connection from 192.168.28.3, but from 
> any other machine on the network
> it does not work.
> 
> Am I doing something wrong or forgetting a key step?  Thanks!
> 
> Rohit
> 
> 

I think you left out one important bit of information here. Are these two ips
on the same box? ( ie .1 on eth0 and .3 eth1 ) If they are I think it would
mean all the world of difference for your ruleset. you might be using the NAT
table when FOWARD lines in your filter table would sufice...

just a guess...

SBlaze

=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
Exclusive Video Premiere - Britney Spears
http://launch.yahoo.com/promos/britneyspears/

Re: simple port forwarding question

[Rohit Kumar Mehta]

Sorry, maybe I tried to distill the problem too much ;-)  The short 
answer is no they are seperate machines.

The first machine 192.168.28.2 is a Windows 2000 Active Directory 
(working as the kerberos 5 KDC),
and the second machine (which I am running iptables on) is a Debian 
GNU/Linux system running kernel 2.4.22.

Rohit

SBlaze wrote:

>I think you left out one important bit of information here. Are these two ips
>on the same box? ( ie .1 on eth0 and .3 eth1 ) If they are I think it would
>mean all the world of difference for your ruleset. you might be using the NAT
>table when FOWARD lines in your filter table would sufice...
>
>just a guess...
>
>SBlaze
>
>=====
>In the absence of order there will be chaos.
>
>__________________________________
>Do you Yahoo!?
>Exclusive Video Premiere - Britney Spears
>http://launch.yahoo.com/promos/britneyspears/
>  
>

RE: simple port forwarding question

[Han, Yan]

Hi! Look at your forward options

Maybe you need to have these lines. Make sure if FORWARD is ACCEPT.



#set the dafault policies; close everything
iptables -P INPUT DROP   
iptables -P OUTPUT DROP 
iptables -P FORWARD ACCEPT  # modify this 


################################################
# Allow all outgoing Internet access
################################################
iptables -A OUTPUT  -s 192.168.28.3  -d 0/0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


################
iptables -t nat -A PREROUTING --dst 192.168.28.3 -p tcp --dport 88 -j 
DNAT --to 192.168.28.2
iptables -t nat -A PREROUTING --dst 192.168.28.3 -p udp --dport 88 -j 
DNAT --to 192.168.28.2

iptables -t nat -A POSTROUTING -p udp --dst 192.168.28.2 --dport 88 -j 
SNAT --to-source 192.168.28.3
iptables -t nat -A POSTROUTING -p tcp --dst 192.168.28.2 --dport 88 -j 
SNAT --to-source 192.168.28.3

iptables -t nat -A OUTPUT --dst 192.168.28.3 -p tcp --dport 88 -j DNAT 
--to-destination 192.168.28.2
iptables -t nat -A OUTPUT --dst 192.168.28.3 -p udp --dport 88 -j DNAT 
--to-destination 192.168.28.2


Yan

-----Original Message-----
From: Rohit Kumar Mehta [mailto:rohitm@engr.uconn.edu] 
Sent: Monday, November 03, 2003 6:59 AM
To: netfilter@lists.netfilter.org
Subject: simple port forwarding question


Hi guys, I was wondering if someone could help me out here.  I am fairly 
well confused after trying to muddle through
this tutorial:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

I think what I want to do should be easy.  Perhaps someone could help.

We are trying to trick the systems into believing that the Kerberos 5 
server is on IP#2 (let's call it 192.168.28.3)
but it is in fact on IP#1 (192.168.28.2).

Maybe my attempted iptables commands will make it blatantly obvious what 
I am trying to do:

iptables -t nat -A PREROUTING --dst 192.168.28.3 -p tcp --dport 88 -j 
DNAT --to 192.168.28.2
iptables -t nat -A PREROUTING --dst 192.168.28.3 -p udp --dport 88 -j 
DNAT --to 192.168.28.2

iptables -t nat -A POSTROUTING -p udp --dst 192.168.28.2 --dport 88 -j 
SNAT --to-source 192.168.28.3
iptables -t nat -A POSTROUTING -p tcp --dst 192.168.28.2 --dport 88 -j 
SNAT --to-source 192.168.28.3

iptables -t nat -A OUTPUT --dst 192.168.28.3 -p tcp --dport 88 -j DNAT 
--to-destination 192.168.28.2
iptables -t nat -A OUTPUT --dst 192.168.28.3 -p udp --dport 88 -j DNAT 
--to-destination 192.168.28.2


Basically we want it so that if I do a "telnet 192.168.28.3 88", I get a 
connection to "192.168.28.2:88"
This works - when I initiate the connection from 192.168.28.3, but from 
any other machine on the network
it does not work.

Am I doing something wrong or forgetting a key step?  Thanks!

Rohit