* NAT PREROUTING vs. filter FORWARD
From: Mike @ 2006-10-19 18:25 UTC
To: netfilter
I'm having difficulty with clients connecting to a game I'm hosting
over the internet.
So I'm wondering if my PREROUTING rule is conflicting with my FORWARD rule.
If I have these prerouting rules:
$IPTABLES -t nat -A PREROUTING -p tcp --dport 34297 -i ppp0 -j DNAT --to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p udp --dport 34297 -i ppp0 -j DNAT --to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p tcp --dport 34397 -i ppp0 -j DNAT --to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p udp --dport 34397 -i ppp0 -j DNAT --to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p tcp --dport 34447 -i ppp0 -j DNAT --to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p udp --dport 34447 -i ppp0 -j DNAT --to-destination 192.168.170.6
Then I should not have to worry about these FORWARD rules interfering
with the prerouted data getting to the server at 192.168.170.6 ---
$IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
Am I right or wrong?
If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
and leave out the ESTABLISHED,RELATED requirement?
Thanks for your time and assistance.
Mike
On 10/19/06, tarak@ossindia.com <tarak@ossindia.com> wrote:
> hello experts,
>
> i have a problem in iptables, i want to customize the
> firewall. through iptable i want run a shell script which will keep an
> watch
> on each and every ip addresses in my organization, that how much amount
> of
> data downloading and uploading from those ip addresses...... separately..
> is
> this possible to do,,,, if so please tell me how to do...
>
> thanks in advance
>
> Regards,
> Tarak Ranjan
>
>
>
* Re: NAT PREROUTING vs. filter FORWARD
From: Mike @ 2006-10-19 18:27 UTC
To: netfilter
Sorry for the quoted text from another thread.
Accidentally copied it and did not realize before I hit Send. :-(
* Re: NAT PREROUTING vs. filter FORWARD
From: Jasbir Khehra @ 2006-10-20 5:32 UTC
To: Mike; +Cc: netfilter
Mike wrote:
> I'm having difficulty with clients connecting to a game I'm hosting
> over the internet.
> So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> rule.
>
>
> Then I should not have to worry about these FORWARD rules interfering
> with the prerouted data getting to the server at 192.168.170.6 ---
>
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> Am I right or wrong?
> If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> and leave out the ESTABLISHED,RELATED requirement?
You're just missing the rule to accept NEW state connections on your
game ports:
$IPTABLES -t filter -A FORWARD -i ppp0 -m state --state NEW -p tcp -m multiport --dports 34297,34397,34447 -j ACCEPT
Same rule for udp connections.
>
> Thanks for your time and assistance.
>
> Mike
HTH,
Jasbir
* Re: NAT PREROUTING vs. filter FORWARD
From: Mike @ 2006-10-20 13:36 UTC
To: jasbir.k; +Cc: netfilter
Thank you Jasbir!
I forgot about the NEW option.
I will try it later today and see if it succeeds.
I appreciate your help.
Mike
On 10/20/06, Jasbir Khehra <jasbir.k@gmail.com> wrote:
> Mike wrote:
>
> > I'm having difficulty with clients connecting to a game I'm hosting
> > over the internet.
> > So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> > rule.
> >
> >
> > Then I should not have to worry about these FORWARD rules interfering
> > with the prerouted data getting to the server at 192.168.170.6 ---
> >
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> >
> > Am I right or wrong?
> > If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> > and leave out the ESTABLISHED,RELATED requirement?
>
> You just missing out on the rule to accept NEW state connections on your
> game ports
> $IPTABLES -t filter -A FORWARD -i ppp0 -m state --state NEW -p tcp -m
> multiport --dports 34297,34397,34447 -j ACCEPT
> Same rule for udp connections.
>
> >
> > Thanks for your time and assistance.
> >
> > Mike
>
> HTH,
> Jasbir
>
* Re: NAT PREROUTING vs. filter FORWARD
From: Martijn Lievaart @ 2006-10-20 15:14 UTC
To: Mike; +Cc: netfilter
Mike wrote:
> I'm having difficulty with clients connecting to a game I'm hosting
> over the internet.
> So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> rule.
>
> If I have these prerouting rules:
>
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34297 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34297 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34397 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34397 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34447 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34447 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
>
> Then I should not have to worry about these FORWARD rules interfering
> with the prerouted data getting to the server at 192.168.170.6 ---
>
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> Am I right or wrong?
> If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> and leave out the ESTABLISHED,RELATED requirement?
You have to ACCEPT these packets in your forward chain. What I generally
do (but I generate this with a script) is to duplicate the rules in
PREROUTING, once with -j MARK and once with -j DNAT. In FORWARD I then use
--mark to accept those DNATted connections all in one rule.
HTH,
M4
* Re: NAT PREROUTING vs. filter FORWARD
From: Mike @ 2006-10-20 17:04 UTC
To: Martijn Lievaart; +Cc: netfilter
Martijn,
The script idea sounds quite clever and efficient!
I would be very interested to see your method by script, if it is not
a security risk, etc.
Thank you very much for your response and idea.
Mike
On 10/20/06, Martijn Lievaart <m@rtij.nl> wrote:
> <citaat van="Mike">
> > I'm having difficulty with clients connecting to a game I'm hosting
> > over the internet.
> > So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> > rule.
> >
> > If I have these prerouting rules:
> >
> > $IPTABLES -t nat -A PREROUTING -p tcp --dport 34297 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p udp --dport 34297 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p tcp --dport 34397 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p udp --dport 34397 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p tcp --dport 34447 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p udp --dport 34447 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> >
> > Then I should not have to worry about these FORWARD rules interfering
> > with the prerouted data getting to the server at 192.168.170.6 ---
> >
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> >
> > Am I right or wrong?
> > If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> > and leave out the ESTABLISHED,RELATED requirement?
> `
> You have to ACCEPT these packets in your forward chain. What I generally
> do (but I generate this with a script) is to duplicate the rules in
> PREROUTING, once with -j MARK and once with -j DNAT, In FORWARD I then use
> --mark to accept those DNATted connections all in one rule.
>
> HTH,
> M4
>
>
* Re: NAT PREROUTING vs. filter FORWARD
From: Martijn Lievaart @ 2006-10-21 6:46 UTC
To: Mike; +Cc: netfilter
Mike wrote:
> Martijn,
> The script idea sounds quite clever and efficient!
> I would be very interested to see your method by script, if it is not
> a security risk, etc.
> Thank you very much for your response and idea.
It is pretty efficient. I write my firewall rules in perl. The loader
executes this script and pipes the output into iptables-restore. It is
not in a stage that I want to release it to the world yet, however.
M4
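As an added example (not code from the thread, and not Martijn's own perl generator, which he says is unreleased), the script below is a POSIX sh stand-in for the approach he describes: generate the ruleset from one port list and pipe the result into iptables-restore. It emits the rules Mike posted in both styles the replies suggest: Jasbir's explicit NEW multiport rule in FORWARD, and Martijn's duplicated PREROUTING rules (once -j MARK, once -j DNAT) with a single -m mark rule in FORWARD. The interface ppp0, the server 192.168.170.6 and the three ports come from Mike's rules; the mark value 0x10, putting the MARK rules in the mangle table (MARK is not a nat-table target), and the extra "-d 192.168.170.6" on the NEW rule so the opening is limited to the DNATted host are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore fragment that
# forwards a set of game ports to one LAN host and opens FORWARD for them,
# in the two styles discussed in the thread.
# Values taken from Mike's rules: WAN interface ppp0, server 192.168.170.6,
# ports 34297, 34397, 34447.  The mark value 0x10 and the use of the mangle
# table for -j MARK are this example's own choices.

WAN_IF=ppp0
GAME_HOST=192.168.170.6
GAME_PORTS="34297 34397 34447"
FWD_MARK=0x10

# nat/PREROUTING: one DNAT rule per protocol and port, as in Mike's mail.
emit_dnat_rules() {
    for proto in tcp udp; do
        for port in $GAME_PORTS; do
            printf '%s\n' "-A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $GAME_HOST"
        done
    done
}

# Style 1 (Jasbir's reply): keep the ESTABLISHED,RELATED rule and add one
# multiport rule per protocol that accepts NEW connections on the game ports.
# "-d $GAME_HOST" is added here so the opening only covers the DNATted host,
# not any other host that happens to be reachable on those ports.
gen_multiport_rules() {
    ports_csv=$(printf '%s' "$GAME_PORTS" | tr ' ' ',')
    printf '%s\n' '*nat'
    emit_dnat_rules
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter'
    printf '%s\n' "-A FORWARD -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for proto in tcp udp; do
        printf '%s\n' "-A FORWARD -i $WAN_IF -d $GAME_HOST -p $proto -m multiport --dports $ports_csv -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Style 2 (Martijn's reply): the same port list is emitted twice, once as
# -j MARK (mangle/PREROUTING, which runs before nat/PREROUTING for the same
# packet) and once as -j DNAT.  FORWARD then needs one -m mark rule instead
# of repeating the port list; the mark is only set on packets the DNAT rules
# would have matched, so nothing else is opened.
gen_mark_rules() {
    printf '%s\n' '*mangle'
    for proto in tcp udp; do
        for port in $GAME_PORTS; do
            printf '%s\n' "-A PREROUTING -i $WAN_IF -p $proto --dport $port -j MARK --set-mark $FWD_MARK"
        done
    done
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*nat'
    emit_dnat_rules
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter'
    printf '%s\n' "-A FORWARD -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $WAN_IF -m mark --mark $FWD_MARK -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Usage: sh genrules.sh multiport | iptables-restore   (or: sh genrules.sh mark)
# Nothing is emitted unless a style is named, so the file can also be sourced.
case "${1:-}" in
    multiport) gen_multiport_rules ;;
    mark) gen_mark_rules ;;
esac
```

Note that iptables-restore replaces every table named in its input unless it is run with --noflush, so in practice the whole ruleset (including the FORWARD policy and any other rules Mike has) is generated by the script, which is exactly what Martijn's loader does; the fragments above only show the rules the thread is about.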