Packet forwarding.

Packet forwarding.

[bdameron]

 I have 2 linux machines. One is accessable via the outside world (Internet
machine) the other has no outside connectivity (LAN Machine). I need to redirect
port 443 traffic to and from the LAN server via the Internet machine. Is this
possible with Iptables? I have setup packet forwarding but then the LAN server
tries to connect directly to the client machine instead of to the Internet
machine. Any direction appreciated.

-- 
Thank you,
Brad Dameron

Re: Packet forwarding.

[Antony Stone]

On Wednesday 07 April 2004 6:00 pm, bdameron@tscnet.net wrote:

>  I have 2 linux machines. One is accessable via the outside world (Internet
> machine) the other has no outside connectivity (LAN Machine). I need to
> redirect port 443 traffic to and from the LAN server via the Internet
> machine. Is this possible with Iptables?

Yes.   Have you read any of the tutorials or HOWTOs available from 
http://www.netfilter.org to find out what it can do and how to make it do it?

> I have setup packet forwarding but then the LAN server tries to connect
> directly to the client machine instead of to the Internet machine. Any
> direction appreciated.

If you tell us what your rules are and give us some more detail about your 
network setup, we might be able to help, however a better solution for you is 
to look at some of the excellent documentation available to learn how to do 
it yourself.   This is not a hard problem, and you will be able to manage 
your system much better in future if you understand more about how it works.

One very important detail which is not clear from your description above is: 
where is the "client machine" located?

Regards,

Antony.

-- 
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Packet forwarding.

[bdameron]

Quoting Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Wednesday 07 April 2004 6:00 pm, bdameron@tscnet.net wrote:
> 
> >  I have 2 linux machines. One is accessable via the outside world
> (Internet
> > machine) the other has no outside connectivity (LAN Machine). I need to
> > redirect port 443 traffic to and from the LAN server via the Internet
> > machine. Is this possible with Iptables?
> 
> Yes.   Have you read any of the tutorials or HOWTOs available from 
> http://www.netfilter.org to find out what it can do and how to make it do
> it?
> 
> > I have setup packet forwarding but then the LAN server tries to connect
> > directly to the client machine instead of to the Internet machine. Any
> > direction appreciated.
> 
> If you tell us what your rules are and give us some more detail about your 
> network setup, we might be able to help, however a better solution for you is
> 
> to look at some of the excellent documentation available to learn how to do 
> it yourself.   This is not a hard problem, and you will be able to manage 
> your system much better in future if you understand more about how it works.
> 
> One very important detail which is not clear from your description above is:
> 
> where is the "client machine" located?
> 
> Regards,
> 
> Antony.
> 

  Client machine being anyone from the outside world. And I have looked over
some of the documentation. Basically there is no current firewall policies. Just
want anything coming in on xxx.xxx.xxx.xxx:443 (Internet Machine) to be routed
to 10.10.1.110:443 (Internal Lan Machine). Looks like I need to mangle the
packet header so that the Lan machine thinks that the Internet machine is
sending the packet and then have the Internet machine redirect the packet to the
client. Client again being someone on the Internet. Not sure if this can be done
or not. Correct me if I am wrong.

-- 
Thank you,
Brad Dameron

Re: Packet forwarding.

[Antony Stone]

On Wednesday 07 April 2004 6:25 pm, bdameron@tscnet.net wrote:

> > If you tell us what your rules are and give us some more detail about
> > your network setup, we might be able to help, however a better solution
> > for you is to look at some of the excellent documentation available to
> > learn how to do it yourself.   This is not a hard problem, and you will be
> > able to manage your system much better in future if you understand more
> > about how it works.
> >
> > One very important detail which is not clear from your description above
> > is: where is the "client machine" located?
>
>   Client machine being anyone from the outside world. And I have looked
> over some of the documentation. Basically there is no current firewall
> policies. Just want anything coming in on xxx.xxx.xxx.xxx:443 (Internet
> Machine) to be routed to 10.10.1.110:443 (Internal Lan Machine).
>
> Looks like I need to mangle the packet header so that the Lan machine thinks
> that the Internet machine is sending the packet and then have the Internet
> machine redirect the packet to the client. Client again being someone on the
> Internet. Not sure if this can be done or not. Correct me if I am wrong.

With all due respect, yes, you are very wrong.   This is a simple "nat + 
forward" situation.

Since you haven't said what your ruleset is, I shall assume none, and give you 
an example of how to make work what you have asked for:

iptables -F
iptables -F -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 443 -d 10.10.1.110 -j ACCEPT
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.1.110

If eth0 is not your external interface then change it in the above two rules 
for whatever your external interface is.

Regards,

Antony.

-- 
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Packet forwarding.

[bdameron]

Quoting Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Wednesday 07 April 2004 6:25 pm, bdameron@tscnet.net wrote:
> 
> > > If you tell us what your rules are and give us some more detail about
> > > your network setup, we might be able to help, however a better solution
> > > for you is to look at some of the excellent documentation available to
> > > learn how to do it yourself.   This is not a hard problem, and you will
> be
> > > able to manage your system much better in future if you understand more
> > > about how it works.
> > >
> > > One very important detail which is not clear from your description above
> > > is: where is the "client machine" located?
> >
> >   Client machine being anyone from the outside world. And I have looked
> > over some of the documentation. Basically there is no current firewall
> > policies. Just want anything coming in on xxx.xxx.xxx.xxx:443 (Internet
> > Machine) to be routed to 10.10.1.110:443 (Internal Lan Machine).
> >
> > Looks like I need to mangle the packet header so that the Lan machine
> thinks
> > that the Internet machine is sending the packet and then have the Internet
> > machine redirect the packet to the client. Client again being someone on
> the
> > Internet. Not sure if this can be done or not. Correct me if I am wrong.
> 
> With all due respect, yes, you are very wrong.   This is a simple "nat + 
> forward" situation.
> 
> Since you haven't said what your ruleset is, I shall assume none, and give
> you 
> an example of how to make work what you have asked for:
> 
> iptables -F
> iptables -F -t nat
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 443 -d 10.10.1.110 -j ACCEPT
> iptables -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.1.110
> 
> If eth0 is not your external interface then change it in the above two rules
> 
> for whatever your external interface is.
> 
> Regards,
> 
> Antony.
> 

I found an easier way to do this. xinetd can do port redirect. Worked perfectly.
Thanks for your help.

-- 
Thank you,
Brad Dameron

Re: Packet forwarding.

[Antony Stone]

On Wednesday 07 April 2004 9:04 pm, bdameron@tscnet.net wrote:

> I found an easier way to do this. xinetd can do port redirect. Worked
> perfectly. Thanks for your help.

You're welcome.

Please call back again when you want to set up a secure firewall.

Regards,

Antony.

-- 
If you can't find an Open Source solution for it, then it isn't a real 
problem.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Packet forwarding.

[Alexis]

On Wed, 2004-04-07 at 14:00, bdameron@tscnet.net wrote:
>  I have 2 linux machines. One is accessable via the outside world (Internet
> machine) the other has no outside connectivity (LAN Machine). I need to redirect
> port 443 traffic to and from the LAN server via the Internet machine. Is this
> possible with Iptables? I have setup packet forwarding but then the LAN server
> tries to connect directly to the client machine instead of to the Internet
> machine. Any direction appreciated.

having ACCEPT in FORWARD policy do this in the "internet" box


echo '1' > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --sport 443 -j DNAT --to LAN_IP:443
iptables -t nat -A POSTROUTING -o WAN_IF -j MASQUERADE


and set the "internet" machine as the default gateway of the LAN box.


This is a bad idea (its only an approach), perhaps you _must_ read about
connection tracking, SNAT and DNAT, then change some policies to DROP
and improve these rules.

see http://www.netfilter.org/documentation/index.html

Regards


-- 
Tus problemas no se pueden resolver en el mismo
nivel mental que tenías cuando los creaste. 
		Albert Einstein

packet forwarding

[Drake Henderson]

I am trying to use libipq to forward packets.

Using the following iptable rules, forwarding works.

A. iptables -t nat -A PREROUTING -d 192.168.0.220 -p udp --dport 4488 -j
DNAT --to-destination 192.168.0.212:4488
B. iptables -t filter -A FORWARD -p udp -d 192.168.0.212 -j ACCEPT

In addition, adding rules to log the path of the packet based on the
script at
http://iptables-tutorial.frozentux.net/scripts/rc.test-iptables.txt, I
can see the packet move along the path

  mangle:prerouting, nat:prerouting, mangle:forward, filter:forward,
mangle:postrouting, nat:postrouting  (the right side path in the picture
at the below link)


http://iptables-tutorial.frozentux.net/chunkyhtml/traversingoftables.htm
l#TRAVERSINGGENERAL


The problem occurs when I change the target in rule A from DNAT to
QUEUE.  The handler program changes the destination of the packet and
then accepts it.  The packet, however, follows the path

  mangle:prerouting, nat:prerouting, mangle:input, filter:input (the
left side path in the picture)

Why, if the destination is changed at the nat:prerouting step, does the
routing decision not branch to the forward path instead of the input
path?

I know that the handler program is receiving the packets because if it
drops them, the path stops after nat:prerouting.


Thanks for you help,

Drake