HTTP Port forwarding issues

HTTP Port forwarding issues

[Big Daddy]

[-- Attachment #1: Type: text/plain, Size: 843 bytes --]

all,
     for some reason i can get my smtp and pop3 to route from the  internet, but i cannot get http requests to forward correctly.
 iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport http -m state --state NEW -j ACCEPT
 iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport smtp -m state --state NEW -j ACCEPT (works)
 iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport pop3 -m state --state NEW -j ACCEPT (works)

 iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport smtp -j DNAT --to-destination $int_smtp:25 (works)
 iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport pop3 -j DNAT --to-destination $int_pop3:110 (works)
 iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport http -j DNAT --to-destination $int_http:80

 web server is running IIS5.
any help would be great!
Big D@ddy


[-- Attachment #2: Type: text/html, Size: 1274 bytes --]

Re: HTTP Port forwarding issues

[Tom Eastep]

Big Daddy wrote:
> all,
>      for some reason i can get my smtp and pop3 to route from 
> the  internet, but i cannot get http requests to forward correctly.
> 
>  iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport http -m 
> state --state NEW -j ACCEPT
>  iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport smtp -m 
> state --state NEW -j ACCEPT (works)
>  iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport pop3 -m 
> state --state NEW -j ACCEPT (works)
> 
>  iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport smtp -j DNAT 
> --to-destination $int_smtp:25 (works)
>  iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport pop3 -j DNAT 
> --to-destination $int_pop3:110 (works)
>  iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport http -j DNAT 
> --to-destination $int_http:80
> 
>  web server is running IIS5.
> any help would be great!

More than likely your ISP is blocking incoming HTTP requests.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Re: HTTP Port forwarding issues

[Antony Stone]

On Monday 08 July 2002 8:37 pm, Big Daddy wrote:

> all,
>      for some reason i can get my smtp and pop3 to route from the 
> internet, but i cannot get http requests to forward correctly.

Okay, so what's not working ?

Are the incoming requests not getting to the server, or is the server trying 
to do some sort of reverse DNS lookup, or is the response not getting out 
again ?

Put some LOGging rules onto your firewall to see what packets are or aren't 
flowing, or else just try

iptables -L -n -v -x
iptables -L -n -v -x -t nat

and see what packets seem to be where.

 

Antony.

RE: HTTP Port forwarding issues

[Stewart Thompson]

[-- Attachment #1: Type: text/plain, Size: 1208 bytes --]

Try changing your NEW statement to NEW, ESTABLISHED, RELATED and see if that
helps your situation.

Stu……


-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Big Daddy
Sent: July 8, 2002 12:38 PM
To: netfilter@lists.samba.org
Subject: HTTP Port forwarding issues

all,
     for some reason i can get my smtp and pop3 to route from the  internet,
but i cannot get http requests to forward correctly.
 iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport http -m
state --state NEW -j ACCEPT
 iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport smtp -m
state --state NEW -j ACCEPT (works)
 iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport pop3 -m
state --state NEW -j ACCEPT (works)

 iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport smtp -j
DNAT --to-destination $int_smtp:25 (works)
 iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport pop3 -j
DNAT --to-destination $int_pop3:110 (works)
 iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport http -j
DNAT --to-destination $int_http:80

 web server is running IIS5.
any help would be great!
Big D@ddy <mailto:D@ddy>

[-- Attachment #2: Type: text/html, Size: 6000 bytes --]

Re: HTTP Port forwarding issues

[Big Daddy]

It worked when I was using a Linksys router. However maybe they have changed
it since then. Do my rules look fine?

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Big Daddy" <bigdaddy@monster-solutions.net>
Cc: <netfilter@lists.samba.org>
Sent: Monday, July 08, 2002 3:44 PM
Subject: Re: HTTP Port forwarding issues


> Big Daddy wrote:
> > all,
> >      for some reason i can get my smtp and pop3 to route from
> > the  internet, but i cannot get http requests to forward correctly.
> >
> >  iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport http -m
> > state --state NEW -j ACCEPT
> >  iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport smtp -m
> > state --state NEW -j ACCEPT (works)
> >  iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport pop3 -m
> > state --state NEW -j ACCEPT (works)
> >
> >  iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport smtp -j DNAT
> > --to-destination $int_smtp:25 (works)
> >  iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport pop3 -j DNAT
> > --to-destination $int_pop3:110 (works)
> >  iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport http -j DNAT
> > --to-destination $int_http:80
> >
> >  web server is running IIS5.
> > any help would be great!
>
> More than likely your ISP is blocking incoming HTTP requests.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
>

Re: HTTP Port forwarding issues

[Tom Eastep]

Big Daddy wrote:
> It worked when I was using a Linksys router. However maybe they have changed
> it since then. Do my rules look fine?
> 

Yes, assuming that $int_http is set correctly and that you have a rule 
that passes --state ESTABLISHED packets in both directions through the 
FORWARD chain.


-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Re: HTTP Port forwarding issues

[Antony Stone]

On Monday 08 July 2002 8:51 pm, Big Daddy wrote:

> It worked when I was using a Linksys router. However maybe they have
> changed it since then. Do my rules look fine?

Well, I hope these are not your *only* rules ?   I mean, like Stewart 
suggested, what about the ESTABLISHED packets as well as the NEW ones ?

 

Antony.

RE: HTTP Port forwarding issues

[Darrell Dieringer]

Hello,

Have you confirmed that the packets are leaving the firewall / router
(by using tcpdump, etc)?  If they are, then it might be an IIS
configuration issue.  I had some trouble forwarding http connections
to internal IIS machines (IIS4 on NT4 Server and IIS5 on Win2K Pro).
After much head pounding, I found the solution to my problem.

<begin offtopic>
If I remember correctly...

On the main property page for the web site in IIS, the "IP Address"
field should be set to "All Unassigned" and the port must be set to
the same one that is being forwarded.  (ie, you must forward
$ext_ip:8080 to $int_ip:8080).  Though there's nothing about http that
requires the ports to match, IIS has some trouble.

For instance, if your arrangement is $ext_ip:8080 to $int_ip:80, IIS
replies to the initial request for whatever page with an http redirect
(302, I think).  Actually, it may only do this if the "IP Address"
field in the main propery page is set to something other than "All
Unassigned".  That redirect tells the client to ask for the page on a
different port.  If that port is blocked by your firewall or by your
ISP (as it is in my case), the client never receives the content
because the redirect was unsuccessful.
</offtopic>

It has been many months since I solved this problem for my own home
setup, so I don't remember all the details.  After confirming that the
packets are indeed on the wire, examine both your firewall logs and
your IIS logs for a clue to what's going on.

I know I delved offtopic for netfilter, but hopefully it ends up being
helpful to a couple of people.

Darrell


-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Big Daddy
Sent: Monday, July 08, 2002 2:38 PM
To: netfilter@lists.samba.org
Subject: HTTP Port forwarding issues


all,
     for some reason i can get my smtp and pop3 to route from the
internet, but i cannot get http requests to forward correctly.
 iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport http -m
state --state NEW -j ACCEPT
 iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport smtp -m
state --state NEW -j ACCEPT (works)
 iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport pop3 -m
state --state NEW -j ACCEPT (works)

 iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport smtp -j
DNAT --to-destination $int_smtp:25 (works)
 iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport pop3 -j
DNAT --to-destination $int_pop3:110 (works)
 iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport http -j
DNAT --to-destination $int_http:80

 web server is running IIS5.
any help would be great!
Big D@ddy

Re: HTTP Port forwarding issues

[Big Daddy]

i have the following rule as well.

iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

----- Original Message ----- 
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Monday, July 08, 2002 3:57 PM
Subject: Re: HTTP Port forwarding issues


> On Monday 08 July 2002 8:51 pm, Big Daddy wrote:
> 
> > It worked when I was using a Linksys router. However maybe they have
> > changed it since then. Do my rules look fine?
> 
> Well, I hope these are not your *only* rules ?   I mean, like Stewart 
> suggested, what about the ESTABLISHED packets as well as the NEW ones ?
> 
>  
> 
> Antony.
> 

Re: HTTP Port forwarding issues

[Antony Stone]

On Monday 08 July 2002 9:03 pm, Big Daddy wrote:

> i have the following rule as well.
>
> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Okay, what about a rule allowing the reply packets back out of eth0 ?

Antony

> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.samba.org>
> Sent: Monday, July 08, 2002 3:57 PM
> Subject: Re: HTTP Port forwarding issues
>
> > On Monday 08 July 2002 8:51 pm, Big Daddy wrote:
> > > It worked when I was using a Linksys router. However maybe they have
> > > changed it since then. Do my rules look fine?
> >
> > Well, I hope these are not your *only* rules ?   I mean, like Stewart
> > suggested, what about the ESTABLISHED packets as well as the NEW ones ?
> >
> >
> >
> > Antony.

RE: HTTP Port forwarding issues

[Stewart Thompson]

Perhaps you should publish your entire rule set. Trying to help you with
piecemeal rules is pretty tough.
The order of the rules is important. Logging is also useful as recommended
in an earlier post. What does
a TCPDUMP show for port 80 on the External and Internal Interfaces. Also,
what are you using to test
your port 80? Internal machines will act very different than machines coming
in from the Internet.

Stu........


-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Big Daddy
Sent: July 8, 2002 1:04 PM
To: Antony Stone; netfilter@lists.samba.org
Subject: Re: HTTP Port forwarding issues

i have the following rule as well.

iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Monday, July 08, 2002 3:57 PM
Subject: Re: HTTP Port forwarding issues


> On Monday 08 July 2002 8:51 pm, Big Daddy wrote:
>
> > It worked when I was using a Linksys router. However maybe they have
> > changed it since then. Do my rules look fine?
>
> Well, I hope these are not your *only* rules ?   I mean, like Stewart
> suggested, what about the ESTABLISHED packets as well as the NEW ones ?
>
>
>
> Antony.
>

RE: HTTP Port forwarding issues

[Nathan Cassano]

Remember HTTP runs over UDP protocol also. So for every HTTP TCP rule
add a UDP copy ( -p udp ).

> iptables -A FORWARD -p tcp -i eth0 -d $int_ip -p tcp --dport http -m
state --state NEW -j ACCEPT
>
> iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport http -j DNAT
--to-destination $int_http:80

Re: HTTP Port forwarding issues

[Big Daddy]

all,
    I guess my ISP is blocking port 80. I configured the web server to use
port 8080 and configured my rules the same as before but used port 8080 and
it worked. thanks for all of the help!

----- Original Message -----
From: "Stewart Thompson" <stewart.thompson@shaw.ca>
To: "Big Daddy" <bigdaddy@monster-solutions.net>; "Antony Stone"
<Antony@Soft-Solutions.co.uk>; <netfilter@lists.samba.org>
Sent: Monday, July 08, 2002 4:11 PM
Subject: RE: HTTP Port forwarding issues


> Perhaps you should publish your entire rule set. Trying to help you with
> piecemeal rules is pretty tough.
> The order of the rules is important. Logging is also useful as recommended
> in an earlier post. What does
> a TCPDUMP show for port 80 on the External and Internal Interfaces. Also,
> what are you using to test
> your port 80? Internal machines will act very different than machines
coming
> in from the Internet.
>
> Stu........
>
>
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Big Daddy
> Sent: July 8, 2002 1:04 PM
> To: Antony Stone; netfilter@lists.samba.org
> Subject: Re: HTTP Port forwarding issues
>
> i have the following rule as well.
>
> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.samba.org>
> Sent: Monday, July 08, 2002 3:57 PM
> Subject: Re: HTTP Port forwarding issues
>
>
> > On Monday 08 July 2002 8:51 pm, Big Daddy wrote:
> >
> > > It worked when I was using a Linksys router. However maybe they have
> > > changed it since then. Do my rules look fine?
> >
> > Well, I hope these are not your *only* rules ?   I mean, like Stewart
> > suggested, what about the ESTABLISHED packets as well as the NEW ones ?
> >
> >
> >
> > Antony.
> >
>
>
>

Re: HTTP Port forwarding issues

[Antony Stone]

On Monday 08 July 2002 9:39 pm, Big Daddy wrote:

> all,
>     I guess my ISP is blocking port 80. I configured the web server to use
> port 8080 and configured my rules the same as before but used port 8080 and
> it worked. thanks for all of the help!

Round of applause to Tom Eastep, I think :-)

 

Antony.

Re: HTTP Port forwarding issues

[Antony Stone]

On Monday 08 July 2002 9:25 pm, Nathan Cassano wrote:

> Remember HTTP runs over UDP protocol also.

WHAT ?????

RFC # ?

 

Antony.

Re: HTTP Port forwarding issues

[Adam D. Barratt]

Antony Stone wrote:

> On Monday 08 July 2002 9:25 pm, Nathan Cassano wrote:
>
> > Remember HTTP runs over UDP protocol also.
>
> WHAT ?????
>
> RFC # ?

I'd disagree with that statement as well, but as a side note HTTP is
not limited to TCP. RFC2616 (HTTP/1.1) says:

<quote>
1.4 Overall Operation
[...]
HTTP communication usually takes place over TCP/IP connections. The
default port is TCP 80 [19], but other ports can be used. This does
not preclude HTTP from being implemented on top of any other protocol
on the Internet, or on other networks. HTTP only presumes a reliable
transport; any protocol that provides such guarantees can be used;
[...]
19.6.3 Changes from RFC 2068
[...]
4. Modified some TCP-specific language, to make it clearer that
non-TCP transports are possible for HTTP.
</quote>

UDP, however, doesn't fit the definition of "reliable transport", IMO.

Adam

RE: HTTP Port forwarding issues

[Nathan Cassano]

Hmm... After a little research it appears that I am wrong. Darn, I hate
looking like a fool. Sorry for the misinformation.

RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
ftp://ftp.isi.edu/in-notes/rfc2616.txt

Antony Stone wrote:

>> Remember HTTP runs over UDP protocol also.
>
>WHAT ?????
>
>RFC # ?
>
>
>
>Antony.

Re: HTTP Port forwarding issues

[Jan Humme]

Of course, HTTP runs over TCP, but who can explain why in /etc/services:

# grep http /etc/services
#	http://www.isi.edu/in-notes/iana/assignments/port-numbers
http		80/tcp		www www-http	# WorldWideWeb HTTP
http		80/udp		www www-http	# HyperText Transfer Protocol
https		443/tcp				# MCom
https		443/udp				# MCom
gss-http	488/tcp
gss-http	488/udp
http-alt	8008/tcp
http-alt	8008/udp

Ports and port numbers are different for TCP and UDP, right?

Jan Humme.

On Monday 08 July 2002 23:35, Nathan Cassano wrote:
> Hmm... After a little research it appears that I am wrong. Darn, I hate
> looking like a fool. Sorry for the misinformation.
>
> RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
> ftp://ftp.isi.edu/in-notes/rfc2616.txt
>
> Antony Stone wrote:
> >> Remember HTTP runs over UDP protocol also.
> >
> >WHAT ?????
> >
> >RFC # ?
> >
> >
> >
> >Antony.

tcp/udp ports (was: Re: HTTP Port forwarding issues)

[James Sneeringer]

On Tue, Jul 09, 2002 at 11:52:39AM +0200, Jan Humme wrote:
| Of course, HTTP runs over TCP, but who can explain why in /etc/services:
| http		80/tcp		www www-http	# WorldWideWeb HTTP
| http		80/udp		www www-http	# HyperText Transfer Protocol

The IANA frequently allocates the same port for both protocols.  Take a
look at RFC 1700.  You'll see that most services have both TCP and UDP
ports reserved, even though most probably use only one of them.

| Ports and port numbers are different for TCP and UDP, right?

Correct.  Look at ports 512, 513, and 514 in /etc/services.

-James