* port forwarding partially working
From: Raul I. Becette @ 2005-02-16 20:58 UTC
  To: netfilter

Hello again

I am having trouble forwarding ports to internal servers.

There is a server in the LAN at $SERV_BIBL running on Windows NT4 and 
the port forwarding lines

$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 1024 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1024 -j DNAT --to $SERV_BIBL:110

works ok when I telnet $PUB_IF 1024. I got redirected to the POP server 
with no problems.

The problem is when I try to forward any other port (including 
1024) to the same server on ports 25 or 21 (ftp access too).
The lines I added to my iptables scripts are the same as above changing 
1024 to 1025 and 110 to the service port (25 or 21).

Mail server running is MERCUR SMTP Server (v4.02.07)
FTP Server running is WarFTPd 1.81.01

When I telnet internally to the private IP on ports 25 and 21 I have no 
problems and get the welcome message of the service.

The same thing happens with another internal server running on Mandrake 
Linux
POP works ok but MTA and FTP services are not forwarded on the ports I added
Postfix Mail Server and ProFTPD 1.2.5rc1 Server

One last thing
I have a forwarding of port 25 on $PUB_IF to port 25 on my internal POP 
server with the users accounts and it works ok.
Same with POP

Below are the lines I have on my script for this I want to do

# Open the SMTP port to send mail from unpata to La Gran Bestia POP
$IPTABLES -A FORWARD -i $PUB_IF -s $LAN_SMTP -p tcp --dport 25 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 25 -j DNAT --to $LAN_POP:25

# POP for unpata.edu.ar and unp.edu.ar accounts
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 110 -j DNAT --to $LAN_POP:110
------------------------------------- So far the forwarding works OK ------------------------------------

------------------------------------- From here only forwarding to 110 works --------------------------------
# biblioteca.unp.edu.ar accounts
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 1024 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1024 -j DNAT --to $SERV_BIBL:110

$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 1025 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1025 -j DNAT --to $SERV_BIBL:25

# ing.unp.edu.ar accounts
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 1030 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1030 -j DNAT --to $SERV_ING:110

$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 1031 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1031 -j DNAT --to $SERV_ING:25

If you need more info just ask

Any help would be greatly appreciated

Thanks in advance


-----------------------------------------------------------------
Raul I. Becette
E-mail: raulbecette@unp.edu.ar
REPAC, Red Patagonica de  Comunicaciones
Univ. Nac. de la Patagonia San Juan Bosco
Ciudad Universitaria - Km.4.
9000 - Comodoro Rivadavia - Chubut
Tel/Fax : (0297) - 4550073
------------------------------------------------------------------




* Re: port forwarding partially working
From: Cedric Blancher @ 2005-02-16 21:17 UTC
  To: Raul I. Becette; +Cc: netfilter

On Wednesday 16 February 2005 at 17:58 -0300, Raul I. Becette wrote:
> I am having trouble forwarding ports to internal servers.
> $IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 1024 -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1024 -j DNAT 
> --to $SERV_BIBL:110
> works ok when I telnet $PUB_IF 1024. I got redirected to the POP server 
> with no problems.

It should not.

If you DNAT your connection to $PUB_IF port 1024 to $SERV_BIBL:110, then
your FORWARD chain will see a packet destined to port 110, not 1024.
If you just look at Netfilter architecture, you will see FORWARD chain
traversal occurs _after_ PREROUTING traversal. Thus, packets are already
DNATed and have their destination modified when hitting FORWARD rules.

That's why, in order to accept your DNATed connection, you should have:

$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT

If it works anyway, it means you must have some kind of overlapping rule
that accidentally accepts those packets.

Now, going to your script, there's indeed a rule that accepts
destination port 110 whatever their destination is:

$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT

So your stuff works, but that's an accident!


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* remap local addresses
From: Remus @ 2005-02-17 15:45 UTC
  To: netfilter

Hi,

Does anybody know how to remap local addresses, if I want to connect two 
networks via VPN with the same IP space in the private address range?

Thanks

Remus





* Re: remap local addresses
From: Jason Opperisano @ 2005-02-17 16:07 UTC
  To: netfilter

On Thu, 2005-02-17 at 10:45, Remus wrote:
> Hi,
> 
> Does anybody know how to remap local addresses, if I want to connect two 
> networks via VPN with the same IP space in the private address range?

use the NETMAP target from POM.

-j

--
"Mmmm...free goo."
	--The Simpsons




* Re: remap local addresses
From: Remus @ 2005-02-17 16:14 UTC
  To: netfilter

Are there any examples how to use the NETMAP?


Remus

----- Original Message ----- 
From: "Jason Opperisano" <opie@817west.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, February 17, 2005 4:07 PM
Subject: Re: remap local addresses


> On Thu, 2005-02-17 at 10:45, Remus wrote:
>> Hi,
>>
>> Does anybody know how to remap local addresses, if I want to connect two
>> networks via VPN with the same IP space in the private address range?
>
> use the NETMAP target from POM.
>
> -j
>
> --
> "Mmmm...free goo."
> --The Simpsons
>
>
>
> 
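An added example of the NETMAP target Jason suggests, written to illustrate the question Remus asks; it is not from the thread and not a reply by anyone on it. Two sites that both use 192.168.1.0/24 are joined over a tunnel by giving each LAN a distinct alias network, and each gateway NETMAPs only its own LAN: sources leaving the tunnel become the alias, and packets arriving for the alias are mapped back 1:1 (the host part is kept). The interface name, the networks and the dry-run `IPTABLES`/`IP` defaults are assumed placeholders; the script prints the commands it would run unless `IPTABLES=iptables IP=ip` is set.

```shell
#!/bin/sh
# Added example, not from the thread: joining two sites that both use
# 192.168.1.0/24 over a VPN by giving each LAN an alias network with NETMAP.
# Each gateway rewrites only its *own* LAN, so neither side ever has to route
# a packet towards a 192.168.1.0/24 that is also its local network.
# Interface names and networks are assumed placeholders.
IPTABLES="${IPTABLES:-echo iptables}"   # set IPTABLES=iptables to apply for real
IP="${IP:-echo ip}"                      # set IP=ip to apply for real

# netmap_site TUN_IF REAL_NET ALIAS_NET PEER_ALIAS_NET
# Run on one site's gateway; the peer's gateway runs it with the aliases swapped.
netmap_site() {
    tun=$1; real_net=$2; alias_net=$3; peer_alias=$4
    # Inbound from the tunnel: traffic for our alias -> our real addresses.
    $IPTABLES -t nat -A PREROUTING -i "$tun" -d "$alias_net" -j NETMAP --to "$real_net"
    # Outbound into the tunnel: our real sources -> our alias. Conntrack
    # reverses both mappings for the reply packets of each connection.
    $IPTABLES -t nat -A POSTROUTING -o "$tun" -s "$real_net" -j NETMAP --to "$alias_net"
    # Only the peer's alias is routed through the tunnel, so the local
    # 192.168.1.0/24 route stays untouched.
    $IP route add "$peer_alias" dev "$tun"
}

# Site A: real 192.168.1.0/24, seen by the peer as 10.1.0.0/24;
# site B's LAN is reached from A as 10.2.0.0/24 (host .7 on B is 10.2.0.7).
netmap_site tun0 192.168.1.0/24 10.1.0.0/24 10.2.0.0/24
# Site B's gateway would run the mirror image:
#   netmap_site tun0 192.168.1.0/24 10.2.0.0/24 10.1.0.0/24
```

A packet from 192.168.1.5 at A to 10.2.0.7 leaves A's gateway as 10.1.0.5 -> 10.2.0.7, is rewritten at B's gateway to 10.1.0.5 -> 192.168.1.7, and the reply follows the same conntrack entries back. Hosts on each side address the other LAN only by its alias, which is the price of overlapping address space.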





* Re: port forwarding partially working (SOLVED)
From: Raul I. Becette @ 2005-02-18 13:52 UTC
  To: netfilter

Raul I. Becette wrote:

> Cedric Blancher wrote:
>
>> On Wednesday 16 February 2005 at 17:58 -0300, Raul I. Becette wrote:
>>
>>> I am having trouble forwarding ports to internal servers.
>>> $IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 1024 -j ACCEPT
>>> $IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1024 -j DNAT --to $SERV_BIBL:110
>>> works ok when I telnet $PUB_IF 1024. I got redirected to the POP 
>>> server with no problems.
>>
>> It should not.
>>
> How can I accomplish the port forwarding for the services?
>
> What I want to do is assign ports 1024-1030 to redirect services for 
> $SERV_BIBL, ports 1031-1039 to redirect services for $SERV_ING and so on.
>
>> If you DNAT your connection to $PUB_IF port 1024 to $SERV_BIBL:110, then
>> your FORWARD chain will see a packet destined to port 110, not 1024.
>> If you just look at Netfilter architecture, you will see FORWARD chain
>> traversal occurs _after_ PREROUTING traversal. Thus, packets are already
>> DNATed and have their destination modified when hitting FORWARD rules.
>>
>> That's why, in order to accept your DNATed connection, you should have:
>>
>> $IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
>>
>> If it works anyway, it means you must have some kind of overlapping rule
>> that accidentally accepts those packets.
>>
>> Now, going to your script, there's indeed a rule that accepts
>> destination port 110 whatever their destination is:
>>
>> $IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
>>
>> So your stuff works, but that's an accident!
>>
> Why is it an accident?
>
> TIA
>
Hello list

I solved the problem by modifying the FORWARD line, adding the connection 
state NEW

$IPTABLES -A FORWARD -p tcp --dport $SERVICE_PORT -m state --state NEW -j ACCEPT

and deleted the FORWARD lines that accepted connections with --dport 
10nn. The PREROUTING chain takes care of redirecting that port.

That part of my script now is:

# Open the SMTP port to send mail from unpata to La Gran Bestia POP
$IPTABLES -A FORWARD -i $PUB_IF -s $LAN_SMTP -p tcp --dport 25 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 25 -j DNAT --to $LAN_POP:25

# Open ports for services reachable from the Internet
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 21 -m state --state NEW -j ACCEPT

# POP for unpata.edu.ar and unp.edu.ar accounts
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 110 -j DNAT --to $LAN_POP:110

# biblioteca.unp.edu.ar services
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1024 -j DNAT --to $SERV_BIBL:21
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1025 -j DNAT --to $SERV_BIBL:25
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1026 -j DNAT --to $SERV_BIBL:110

# ing.unp.edu.ar services
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1030 -j DNAT --to $SERV_ING:21
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1031 -j DNAT --to $SERV_ING:110


I used information from the "slow ftp" thread and wondered myself "what 
if I specify the state of the connection?"
It worked.

Thanks a lot for the help

-- 


-----------------------------------------------------------------
Raul I. Becette
E-mail: raulbecette@unp.edu.ar
Area Redes y Telecomunicaciones
Univ. Nac. de la Patagonia San Juan Bosco
Ciudad Universitaria - Km.4.
9000 - Comodoro Rivadavia - Chubut
Tel/Fax : (0297) - 4550073
------------------------------------------------------------------
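The traversal-order point Cedric makes (FORWARD sees the packet after PREROUTING has rewritten it) and the stateful FORWARD rule Raul settled on, combined in one added example script that is neither the poster's script nor anything else from the thread. Each forwarded service gets a PREROUTING DNAT keyed on the public port and a FORWARD rule keyed on the internal host and port, because that is what the packet carries once FORWARD sees it; the `-d` match also closes the accidental overlap Cedric identified, where a bare `--dport 110` accepted port 110 towards any host. The interface name, the server address and the dry-run `IPTABLES` default are assumed placeholders; the script prints the rules it would apply unless `IPTABLES=iptables` is set.

```shell
#!/bin/sh
# Added example, not the poster's script: DNAT port forwarding whose FORWARD
# rule matches what the packet looks like *after* PREROUTING (internal host
# and port), restricted to NEW connections as in the SOLVED post.
# Interface and addresses are assumed placeholders, not values from the thread.
IPTABLES="${IPTABLES:-echo iptables}"   # export IPTABLES=iptables to apply for real
PUB_IF="${PUB_IF:-eth0}"                # assumed public interface
SERV_BIBL="${SERV_BIBL:-192.168.1.10}"  # assumed internal server

# forward_service PUBLIC_PORT INTERNAL_HOST INTERNAL_PORT
# PREROUTING rewrites the destination; by the time FORWARD sees the packet
# its destination is INTERNAL_HOST:INTERNAL_PORT, so that is what FORWARD matches.
forward_service() {
    pub_port=$1; host=$2; int_port=$3
    $IPTABLES -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$host:$int_port"
    # -d "$host" keeps this rule from accepting INTERNAL_PORT towards *any*
    # host, which is the accidental overlap Cedric pointed out.
    $IPTABLES -A FORWARD -i "$PUB_IF" -d "$host" -p tcp --dport "$int_port" \
        -m state --state NEW -j ACCEPT
}

# broken_forward_service keeps the original mistake for contrast: the FORWARD
# rule keys on the public port, which no forwarded packet carries any more,
# so it never matches and the connection only gets through if some other
# rule happens to accept it.
broken_forward_service() {
    pub_port=$1; host=$2; int_port=$3
    $IPTABLES -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$host:$int_port"
    $IPTABLES -A FORWARD -i "$PUB_IF" -p tcp --dport "$pub_port" -j ACCEPT
}

apply_rules() {
    # Return traffic for the accepted connections. RELATED also admits the
    # FTP data connection once the ftp conntrack helper (ip_conntrack_ftp)
    # is loaded; without it active-mode FTP data transfers are dropped here.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward_service 1024 "$SERV_BIBL" 21
    forward_service 1025 "$SERV_BIBL" 25
    forward_service 1026 "$SERV_BIBL" 110
}

apply_rules
```

`-m state --state NEW` is the 2005-era spelling; on current kernels `-m conntrack --ctstate NEW` is the equivalent match. Note that the rule accepting `ESTABLISHED,RELATED` must come before, or alongside, the per-service rules, otherwise the POP, SMTP and FTP sessions open but their subsequent packets are dropped.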


