RE: IP forwarding on port 80

RE: IP forwarding on port 80

[George Vieira]

[-- Attachment #1: Type: text/plain, Size: 463 bytes --]

What debugging have you done? tcpdump, iptables logging, anything?
 
Does your web server have a default gateway of the firewall?

Thanks,

 
____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd Systems Manager georgev AT citadelcomputer DOT com DOT au 
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698  <http://www.citadelcomputer.com.au/> http://www.citadelcomputer.com.au
 

[-- Attachment #2: Type: text/html, Size: 4247 bytes --]

RE: IP forwarding on port 80

[Kent Wang]

[-- Attachment #1: Type: text/plain, Size: 1481 bytes --]

OK, more info. My belief is that the packets are not being DNAT'd
properly. I added this to that chain:

 

-A PREROUTING -j LOG --log-prefix "test" --log-level 7

 

And was able to log all the incoming HTTP packets. I then added these
two:

 

-A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test"
--log-level 7 

-A OUTPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "test"
--log-level 7

 

A properly DNAT'd packet should pass through FORWARD and then OUTPUT,
but I found nothing in the log. Is it possible that the DNAT module
isn't loaded?

 

I've done tcpdump and the firewall definitely always receives the
internet-incoming message and the web server never receives it.

 

Any clues?

 

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of George Vieira
Sent: Thursday, June 12, 2003 5:18 PM
To: Kent Wang; netfilter@lists.netfilter.org
Subject: RE: IP forwarding on port 80 

 

What debugging have you done? tcpdump, iptables logging, anything?

 

Does your web server have a default gateway of the firewall?

Thanks,

 

____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd   Systems Manager   georgev AT
citadelcomputer DOT com DOT au   

Citadel Computer Systems Pty Ltd

Phone : +61 2 9955 2644   HelpDesk: +61 2 9955 2698
<http://www.citadelcomputer.com.au/>  http://www.citadelcomputer.com.au
<http://www.citadelcomputer.com.au/>  

 


[-- Attachment #2: Type: text/html, Size: 9275 bytes --]

RE: IP forwarding on port 80

[Cedric Blancher]

Le ven 13/06/2003 à 09:24, Kent Wang a écrit :
> A properly DNAT’d packet should pass through FORWARD and then OUTPUT,
> but I found nothing in the log.

A forwarded packets only crosses FORWARD chain. Framework has changed
from ipchains' one. Now, a given packet goes through one filter table
chain, and one only, depending it is destined to the hosts, destined to
be routed or locally generated.

If your DNAT implies packet to get routed, then you'll them in FORWARD
chain. Otherwise, you'll see them in INPUT chain.

> Any clues?

Well, read the doc.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE

RE: IP forwarding on port 80

[kwang]

128.83.147.87 is indeed the external IP. I can ping, ssh and telnet 80 to
this address from an offsite machine, and since

-A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix
"prerouting" --log-level 7

catches it, it seems that

-A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 192.168.0.2:80

would also catch it.

Also, since I have:

-A INPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "input" --log-level 7
-A FORWARD -j LOG --log-prefix "forward" --log-level 7

then I should have a log entry no matter what with a prefix of either
"input" or "forward". However, with the PREROUTING -j DNAT line in place,
neither INPUT nor FORWARD logs the packet traversing through their chains.
Isn't this behavior quite impossible since a packet that traverses
PREROUTING (which I do successfully log in that chain), should definitely go
to either INPUT or FORWARD?

BTW, my iptables version is iptables-1.2.6a-2. Could there be some sort of
patch I need? I'm not really using a special case since people do simple
port 80 forwarding all the time.

Kent Wang

> Verify that 128.83.147.87 is the external IP address for this box.
> Also how did you test this?  If you are inside the internal network (on
> 192.168.0.5 for example) you can't access the web site by going to
> 128.83.147.87.  So in other words you will have to be outside of your
> network to test it.

> From: kwang@kwang.org [mailto:kwang@kwang.org]
> Sent: Friday, June 13, 2003 12:58 PM
> To: chris.hoeschen@primevest.com
> Cc: kwang@kwang.org
> Subject: RE: IP forwarding on port 80
>
>
> This is the iptables-save dump:
>
> *nat
> :PREROUTING ACCEPT [37311:5054668]
> :POSTROUTING ACCEPT [72:4540]
> :OUTPUT ACCEPT [72:4540]
> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG
> --log-prefix "prerouting" --log-level 7 -A PREROUTING -d 128.83.147.87
> -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80 COMMIT
> # Completed on Fri Jun 13 03:09:25 2003 # Generated by iptables-save
> v1.2.6a on Fri Jun 13 03:09:25 2003 *filter :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [17013:3920003] -A INPUT -d
> 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "input"
> --log-level 7 -A INPUT -s 127.0.0.1 -p tcp -j ACCEPT -A INPUT -m state
> --state
> RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -p
> tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j
> ACCEPT -A INPUT -p tcp -m tcp --dport 115 -j ACCEPT -A INPUT -j DROP -A
> FORWARD -j LOG --log-prefix "forward" --log-level 7 COMMIT
>
> This is the same as above, but with iptables -L and then -L -nat:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> LOG        tcp  --  anywhere             dscp.nur.utexas.edutcp
> dpt:http LOG
> level debug prefix `input'
> ACCEPT     tcp  --  localhost.localdomain  anywhere
> ACCEPT     all  --  anywhere             anywhere           state
> RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere           tcp
> dpt:http ACCEPT     tcp  --  anywhere             anywhere
> tcp dpt:ssh ACCEPT     tcp  --  anywhere             anywhere
> tcp dpt:sftp DROP       all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere           LOG level
> debug
> prefix `forward'
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> Anyway, I really appreciate you and everybody on the mailing list
> helping me out.
>
> Kent Wang
>
>> Could you send me your entire firewall rules
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> | Chris Hoeschen - Distributed System Analysts        |
>>
>> | PrimeVest Financial Services                        |
>>
>> | (320) 656-4035 E-Mail: chris.hoeschen@primevest.com |
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>>
>>
>> "Only two things are infinite, the universe and human stupidity, and
>> I'm not sure about the former."
>>
>>  -- Albert Einstein
>> Hippopotomonstrosesquippedaliophobia is the fear of long words
>>
>> -----Original Message-----
>> From: Kent Wang [mailto:kwang@kwang.org]
>> Sent: Friday, June 13, 2003 11:45 AM
>> To: 'Chris Hoeschen'
>> Subject: RE: IP forwarding on port 80
>>
>>
>> -->
>>
>> HereR17;s the contents of PREROUTING:
>>
>>
>>
>> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG
>> --log-prefix "prerouting" --log-level 7
>>
>> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT
>> --to-destination 192.168.0.2:80
>>
>>
>>
>> Apparently -m tcp is implied since my original command didn't include
>> it but this is what the iptables-save dump says. But since these two
>> are identical other than the action part, if something gets LOG'd, it
>> should be DNAT'd and therefore passed to FORWARD right?
>>
>>
>>
>> This is what I have in FORWARD:
>>
>>
>>
>> -A FORWARD -j LOG --log-prefix "forward" --log-level 7
>>
>>
>>
>> So this means everything that passes through FORWARD gets logged,
>> right? But my log has entries from PREROUTING (cause it has log-prefix
>> 'prerouting) but none from FORWARD.
>>
>>
>>
>> The situation with tcpdump is still the same. Nothing incoming, except
>
>> when I manually do telnet 192.168.0.2 80.
>>
>>
>>
>> I think the fault is somewhere at the actual DNAT target or the
>> FORWARDing mechanism. Could there have been a module that I didn't
>> load properly? I don't know how to check that (and I would think that
>> iptables would've told me about it already). This is a standard RedHat
>
>> 7 install with the latest iptables RPM.
>>
>>
>>
>> Kent Wang
>>
>>
>>
>> -----Original Message-----
>> From: Chris Hoeschen [mailto:chris.hoeschen@primevest.com]
>> Sent: Friday, June 13, 2003 8:03 AM
>> To: 'Kent Wang'
>> Subject: RE: IP forwarding on port 80
>>
>>
>>
>> A packet coming into your firewall will first travel through the
>> prerouting table.  Depending on where that packet is destined will
>> determine what other table it will be traveling through.  If that
>> packet is going to your firewall itself then it will travel through
>> the input table.  If it is going to be routed through your firewall to
>
>> another box then it will travel through the forward table.  The output
>
>> table only handles packets that originated from your firewall and is
>> going out, it does not handle any packets that are getting routed
>> through it.
>>
>>
>>
>> I didn't see you DNAT rule so make sure that is set correctly, an
>> example for routing web would be as follows:
>>
>> iptables -t nat -A PREROUTING -p tcp -d {EXT_IP} --dport 80 -j DNAT
>> --to-destination {WWW_IP}:80
>>
>>
>>
>> when you web server receives the packet the source address (the one it
>
>> will be sending the ACK back to) will still be set to the original
>> source and not the firewall.  So it is important that the web server's
>
>> gateway is set to be your firewall.  If this will not work in your
>> environment then you can put a rule into the postrouting table to SNAT
>
>> the packet, this way the web server will see the packet as coming from
>
>> your firewall and (granted that they are on the same subnet) will
>> return the packet to the firewall.  This is not recommended as all
>> connections to the web server will appear as if it was coming from the
>
>> firewall.
>>
>>
>>
>> Sorry for all the routing mojo but helps to get a understanding of the
>
>> tables for troubleshooting.
>>
>>
>>
>>
>>
>> -A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test"
>> --log-level 7
>>
>> I don't know what the -m tcp module is and this might be your problem,
>
>> try removing it and see if it works.
>>
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> | Chris Hoeschen - Distributed System Analysts        |
>> | PrimeVest Financial Services                        |
>> | (320) 656-4035 E-Mail: chris.hoeschen@primevest.com |
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> "Only two things are infinite, the universe and human stupidity, and
>> I'm not sure about the former."
>>  -- Albert Einstein
>> Hippopotomonstrosesquippedaliophobia is the fear of long words
>>
>> -----Original Message-----
>> From: netfilter-admin@lists.netfilter.org
>> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Kent Wang
>> Sent: Friday, June 13, 2003 2:25 AM
>> To: 'George Vieira'; netfilter@lists.netfilter.org
>> Subject: RE: IP forwarding on port 80
>>
>> -->
>>
>> OK, more info. My belief is that the packets are not being DNAT'd
>> properly. I added this to that chain:
>>
>>
>>
>> -A PREROUTING -j LOG --log-prefix "test" --log-level 7
>>
>>
>>
>> And was able to log all the incoming HTTP packets. I then added these
>> two:
>>
>>
>>
>> -A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test"
>> --log-level 7
>>
>> -A OUTPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "test"
>> --log-level 7
>>
>>
>>
>> A properly DNAT'd packet should pass through FORWARD and then OUTPUT,
>> but I found nothing in the log. Is it possible that the DNAT module
>> isn't loaded?
>>
>>
>>
>> IR17;ve done tcpdump and the firewall definitely always receives the
>> internet-incoming message and the web server never receives it.
>>
>>
>>
>> Any clues?
>>
>>
>>
>> -----Original Message-----
>> From: netfilter-admin@lists.netfilter.org
>> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of George
>> Vieira
>> Sent: Thursday, June 12, 2003 5:18 PM
>> To: Kent Wang; netfilter@lists.netfilter.org
>> Subject: RE: IP forwarding on port 80
>>
>>
>>
>> What debugging have you done? tcpdump, iptables logging, anything?
>>
>>
>>
>> Does your web server have a default gateway of the firewall?
>>
>> Thanks,
>>
>>
>>
>> ____________________________________________
>>
>>
>>
>> George Vieira
>> Citadel Computer Systems Pty Ltd  Systems Manager  georgev AT
>> citadelcomputer DOT com DOT au
>>
>>
>>
>> Citadel Computer Systems Pty Ltd
>>
>> Phone : +61 2 9955 2644  HelpDesk: +61 2 9955 2698
>> <http://www.citadelcomputer.com.au/> http://www.citadelcomputer.com.au
>
>> <http://www.citadelcomputer.com.au/>

IP forwarding on port 80

[Kent Wang]

[-- Attachment #1: Type: text/plain, Size: 2115 bytes --]

Firewall, called dscp, has these iptables settings:
 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:sftp
DROP       all  --  anywhere             anywhere
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             dscp.nur.utexas.edutcp dpt:http
to:192.168.0.2
 
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
HTTP server has these settings:
 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:sftp
DROP       all  --  anywhere             anywhere
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Firewall connects to the world via eth1 and to the HTTP server on eth0.
HTTP
server connects to the firewall on eth0 and to another machine on eth1.
 
I can access the HTTP server from the firewall just fine but not from
the
Internet (times out). Any clues?

 


[-- Attachment #2: Type: text/html, Size: 10399 bytes --]

IP forwarding on port 80

[kwang]

Firewall, called dscp, has these iptables settings:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:sftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             dscp.nur.utexas.edutcp dpt:http
to:192.168.0.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

HTTP server has these settings:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:sftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Firewall connects to the world via eth1 and to the HTTP server on eth0. HTTP
server connects to the firewall on eth0 and to another machine on eth1.

I can access the HTTP server from the firewall just fine but not from the
internet. Any clues?