From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Nick Vazirianis"
Subject: port forwarding not working
Date: Thu, 15 Apr 2004 23:57:19 +1000
Message-ID: <004601c422f1$9162a3c0$ce00a8c0@xppro1>
To: netfilter@lists.netfilter.org

iptables v1.2.8
Linux Fedora Core 1
Kernel 2.6.3

I am having some trouble getting port forwarding within the attached
script. Please refer to the line starting "# enable port forwarding for
BitTorrent". Incoming packets to these ports are being dropped (and logged)
by the section lower down in the script. I have tried adding the enable
port forward section in different parts of the script, but this makes no
difference.

Could someone please help? I even tried adding the line

$IPTABLES -A INPUT -i $EXT_IF -p tcp --dport 6881:6885 -j ACCEPT

but I believe this only allows incoming into the firewall and not
redirecting to another host.

Someone please help.
Attachment: rc2.firewall.txt

#!/bin/sh
##
## IPTables firewall script for Linux gateway machine
## connected to Telstra Bigpond Advance (Cable).
##
## This firewall script uses stateful inspection to allow packets
## in for connections that have already been established.
##
## It is possible to tighten up this script a lot more, however
## it is designed to allow most Internet services to be accessable
## from within your network while still providing a good level of
## security for your Linux server and internal network.
##
##
## v1.0 20/01/02 - Con Tassios
##

IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"

# External network interface (BPA)
EXT_IF="eth0"
EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d\  -f1`

# Internal network interface (LAN)
INT_IF="eth1"
INT_NET="192.168.0.0/24"
XPPRO1="192.168.0.206"

ANY="0.0.0.0/0"

# Filename for incoming/outgoing byte counters
ACCF=/var/log/TRAFFIC
LOCK=/tmp/TRAFFIC.lck

start() {
    $MODPROBE ip_tables
    $MODPROBE iptable_nat
    $MODPROBE ip_nat_ftp
    $MODPROBE ip_conntrack
    $MODPROBE ip_conntrack_ftp

    # Start firewall rules

    # Set to default values
    reset

    BPA_AUTH_SVR=`host dce-server | grep address | cut -f4 -d" "`

    # Get byte counters
    getcounters

    # Set default policy
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    #
    # [ TRAF ] Accounting chains
    #
    $IPTABLES -N TRAF-IN
    $IPTABLES -N TRAF-OUT

    #
    # [ INPUT ]
    #
    $IPTABLES -F INPUT

    # Byte counter for incoming traffic
    $IPTABLES -A INPUT -i $EXT_IF -j TRAF-IN -c $X1

    # Allow BPA heartbeat packets
    $IPTABLES -A INPUT -s $BPA_AUTH_SVR -i $EXT_IF -p udp --dport 5050 -j ACCEPT

    # Allow all packets from localhost and internal network
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i $INT_IF -j ACCEPT

    # Allow all packets from these hosts (example)
    #$IPTABLES -A INPUT -s 136.186.1.50 -i $EXT_IF -j ACCEPT

    # HTTP
    # allow all http/https incoming/return connections
    $IPTABLES -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # $IPTABLES -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $EXT_IF -p tcp -d 0/0 --dport 80 -j ACCEPT
    # $IPTABLES -A INPUT -i $EXT_IF -p tcp -d 0/0 --dport 443 -j ACCEPT

    # SMTP
    $IPTABLES -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $EXT_IF -p tcp -d 0/0 --dport 25 -j ACCEPT

    # DAD
    #$IPTABLES -A INPUT -i $EXT_IF -p udp -s 144.132.126.147 -j ACCEPT
    #$IPTABLES -A INPUT -i $EXT_IF -p udp -d 144.132.126.147 -j ACCEPT
    #$IPTABLES -A INPUT -i $EXT_IF -p tcp -s 144.132.126.147 -j ACCEPT
    #$IPTABLES -A INPUT -i $EXT_IF -p tcp -d 144.132.126.147 -j ACCEPT

    # Stateful inspection - Allow packets in from connections already established
    $IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

    ##
    ## [ FORWARD ]
    ##
    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -j TRAF-IN -c $X3
    $IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -j TRAF-OUT -c $X4
    $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT
    #$IPTABLES -A FORWARD -j LOG --log-prefix "netfilter: "

    ##
    ## [ OUTPUT ]
    ##

    # Byte counter for outgoing traffic
    $IPTABLES -A OUTPUT -o $EXT_IF -j TRAF-OUT -c $X2

    ##
    ## [ NAT ]
    ##
    $IPTABLES -F -t nat
    $IPTABLES -t nat -F POSTROUTING
    #$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP
    #$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0/24 -j MASQUERADE

    # enable port forwarding for BitTorrent
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881 -j DNAT --to-destination 192.168.0.206:6881
    $IPTABLES -A FORWARD -s 6881 -p tcp --dport 6881 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6882 -j DNAT --to-destination 192.168.0.206:6882
    $IPTABLES -A FORWARD -s 6882 -p tcp --dport 6882 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6883 -j DNAT --to-destination 192.168.0.206:6883
    $IPTABLES -A FORWARD -s 6883 -p tcp --dport 6883 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6884 -j DNAT --to-destination 192.168.0.206:6884
    $IPTABLES -A FORWARD -s 6884 -p tcp --dport 6884 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6885 -j DNAT --to-destination 192.168.0.206:6885
    $IPTABLES -A FORWARD -s 6885 -p tcp --dport 6885 -j ACCEPT

    ##
    ## Transparent proxy - Uncomment this to forward HTTP traffic on port 80 to Squid
    ##
    #$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128

    # DROP packets from invalid source
    $IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
    $IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
    $IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
    $IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP

    # LOG and DENY everything else
    #$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "netfilter: "

    # UDP, log & drop
    iptables -A INPUT -i $EXT_IF -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
    iptables -A INPUT -i $EXT_IF -p udp -j DROP
    # ICMP, log & drop
    iptables -A INPUT -i $EXT_IF -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
    iptables -A INPUT -i $EXT_IF -p icmp -j DROP
    # Windows NetBIOS noise, log & drop
    iptables -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
    iptables -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 137:139 -j DROP
    # IGMP noise, log & drop
    iptables -A INPUT -i $EXT_IF -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
    iptables -A INPUT -i $EXT_IF -p 2 -j DROP
    # TCP, log & drop
    iptables -A INPUT -i $EXT_IF -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
    iptables -A INPUT -i $EXT_IF -p tcp -j DROP
    # Anything else not allowed, log & drop
    iptables -A INPUT -i $EXT_IF -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
    iptables -A INPUT -i $EXT_IF -j DROP
}

getcounters() {
    X1="0 0"
    X2="0 0"
    X3="0 0"
    X4="0 0"
    if [ -s $ACCF ]; then
        X1=`grep INPUT $ACCF | cut -d" " -f2,3`
        X2=`grep OUTPUT $ACCF | cut -d" " -f2,3`
        X3=`grep FORW-IN $ACCF | cut -d" " -f2,3`
        X4=`grep FORW-OUT $ACCF | cut -d" " -f2,3`
    fi
}

# Save byte counters
save() {
    # Save iptables rules and accounting information
    lockfile -l300 -r5 $LOCK >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        X=`$IPTABLES -nL | wc -l | sed "s/ //g"`
        if [ $X -gt "8" ]; then
            $IPTABLES -nvxL INPUT | grep TRAF-IN | awk '{print "INPUT " $1" "$2}' > $ACCF
            $IPTABLES -nvxL OUTPUT | grep TRAF-OUT | awk '{print "OUTPUT " $1" "$2}' >>$ACCF
            $IPTABLES -nvxL FORWARD | grep TRAF-IN | awk '{print "FORW-IN " $1" "$2}' >>$ACCF
            $IPTABLES -nvxL FORWARD | grep TRAF-OUT | awk '{print "FORW-OUT "$1" "$2}' >>$ACCF
        fi
        rm -f $LOCK
    fi
}

reset() {
    # Reset to default values
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
    $IPTABLES -t mangle -P PREROUTING ACCEPT
    $IPTABLES -t mangle -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X
}

stop() {
    save
    reset
}

# DROP all packets from external interface, allow from internal network
lock() {
    reset
    getcounters
    $IPTABLES -N TRAF-IN
    $IPTABLES -N TRAF-OUT
    $IPTABLES -A INPUT -i $EXT_IF -j TRAF-IN -c $X1
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i $INT_IF -j ACCEPT
    $IPTABLES -A INPUT -j DROP
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    save)
        save
        ;;
    lock)
        lock
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|save|lock|restart}"
esac

exit

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ray Leach
Subject: Re: port forwarding not working
Date: Thu, 15 Apr 2004 16:07:16 +0200
Message-ID: <1082038036.23863.41.camel@raylinux.internal>
In-Reply-To: <004601c422f1$9162a3c0$ce00a8c0@xppro1>
To: Netfilter Mailing List

On Thu, 2004-04-15 at 15:57, Nick Vazirianis wrote:
> iptables v1.2.8
> Linux Fedora Core 1
> Kernel 2.6.3
>
> I am having some trouble getting port forwarding within the attached
> script.
> Please refer to the line starting # enable port forwarding for
> BitTorrent
> Incoming packets to these ports are being dropped (and logged) by the
> section lower down in the script, I have tried adding the enable port
> forward section in different parts of the script, but this makes no
> difference.
>
> could someone please help, I even tried adding the line
> $IPTABLES -A INPUT -i $EXT_IF -p tcp --dport 6881:6885 -j ACCEPT
> but I believe this only allows incoming into the firewall and not
> redirecting to another host
>
> someone please help

Maybe the source is not 6881 ...
$IPTABLES -A FORWARD -s 6881 -p tcp --dport 6881 -j ACCEPT

try

$IPTABLES -A FORWARD -p tcp --dport 6881 -j ACCEPT

instead

--
Raymond Leach
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Antony Stone
Subject: Re: port forwarding not working
Date: Thu, 15 Apr 2004 15:16:34 +0100
Message-ID: <200404151516.34180.Antony@Soft-Solutions.co.uk>
In-Reply-To: <004601c422f1$9162a3c0$ce00a8c0@xppro1>
To: netfilter@lists.netfilter.org

On Thursday 15 April 2004 2:57 pm, Nick Vazirianis wrote:
> I am having some trouble getting port forwarding within the attached
> script.
>
> I even tried adding the line
> $IPTABLES -A INPUT -i $EXT_IF -p tcp --dport 6881:6885 -j ACCEPT
> but I believe this only allows incoming into the firewall and not
> redirecting to another host

Correct. INPUT rules are for packets terminating on the machine. FORWARD
rules are for packets going somewhere else.

The problem is that your FORWARD rules allowing traffic to the
newly-translated address for the BitTorrent service are specifying a source
*address* of 6881, 6882, 6883 etc. No way will that work.
I'm not sure whether you meant to specify a source port (--sport) instead of
an address, or whether it should be left out completely, and just use the
destination port in the rule?

Regards,

Antony.

--
What is this talk of "software release"? Our software evolves and matures
until it is capable of escape, leaving a bloody trail of designers and
quality assurance people in its wake.

Please reply to the list; please don't CC me.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Alexander Economou"
Subject: Re: port forwarding not working
Date: Thu, 15 Apr 2004 17:28:02 +0300 (EEST)
Message-ID: <33770.212.251.31.59.1082039282.squirrel@newmail.gnet.gr>
In-Reply-To: <1082038036.23863.41.camel@raylinux.internal>
To: Ray Leach
Cc: netfilter@lists.netfilter.org

> Maybe the source is not 6881 ...
> $IPTABLES -A FORWARD -s 6881 -p tcp --dport 6881 -j ACCEPT
> try
> $IPTABLES -A FORWARD -p tcp --dport 6881 -j ACCEPT
> instead

If I understood well, you have a Linux firewall with a DMZ IP and you want
to redirect traffic from a real IP to a LAN IP of your network. If I am
correct then you should do:

iptables -t nat -F
iptables -t nat -A POSTROUTING -o dmzinterface -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d dmzip --dport 6181 -j DNAT --to lanip:6181
iptables -t nat -A PREROUTING -p tcp -d dmzip --dport 6182 -j DNAT --to lanip:6182
etc etc

dmzinterface is the interface with the real IP, e.g. eth0

--
Alexander Economou

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Antony Stone
Subject: Re: port forwarding not working
Date: Thu, 15 Apr 2004 15:53:36 +0100
Message-ID: <200404151553.36634.Antony@Soft-Solutions.co.uk>
In-Reply-To: <33770.212.251.31.59.1082039282.squirrel@newmail.gnet.gr>
To: netfilter@lists.netfilter.org

On Thursday 15 April 2004 3:28 pm, Alexander Economou wrote:
> If I understood well, you have a Linux firewall with a DMZ IP and you
> want to redirect traffic from a real IP to a LAN IP of your network. If I am
> correct then you should do:
>
> iptables -t nat -F
> iptables -t nat -A POSTROUTING -o dmzinterface -j MASQUERADE

I disagree with this
rule. It will make all connections to servers in the DMZ network appear to
come from the firewall, which will destroy any useful logging on the services
which are running.

> iptables -t nat -A PREROUTING -p tcp -d dmzip --dport 6181 -j DNAT --to
> lanip:6181
> iptables -t nat -A PREROUTING -p tcp -d dmzip --dport 6182 -j DNAT --to
> lanip:6182
> etc etc

It's important to remember that in addition to the PREROUTING rules to do the
address translation, you need FORWARDing rules to allow the now-translated
packets through the firewall. It was the FORWARDing rules which were the
problem in Nick's script.

Regards,

Antony.

--
Wanted: telepath. You know where to apply.

Please reply to the list; please don't CC me.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: aksingh@hss.hns.com
Subject: Re: port forwarding not working
Date: Thu, 15 Apr 2004 20:38:11 +0530
To: netfilter@lists.netfilter.org

hi,

I am working on this, just wanted to know if there can be a better solution
to this problem:

problem: to take a packet from the kernel before the routing decision is
made by IP, give it to a user space process which decides whether it wants
to play with the packet or wants to return it to the kernel.

solution I'm thinking of: use a netfilter hook to capture PRE_ROUTING
packets, define a callback function in a kernel module and open a char
device to write the sk_buff to this char device; a user space process reads
this and writes back to the char device if needed; the driver for this char
device calls the ip route lookup function and, based on the routing
decision, calls etheroutput to send the packet to its actual destination.

issues:

1.
Does this solution sound ok? Will this work, or am I doing something
incorrect here?

2. If this works, this solution would require two copies, one from the
kernel sk_buff to the char device and then back from the user space process
to the char device. How much of an overhead would that be? Can a
better/easier approach be followed?

Do put in your suggestions.

Regards,
Amit
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Cedric Blancher
Subject: Re: port forwarding not working
Date: Thu, 15 Apr 2004 17:58:02 +0200
Message-ID: <1082044682.1700.15.camel@anduril.intranet.cartel-securite.net>
In-Reply-To: <200404151553.36634.Antony@Soft-Solutions.co.uk>
To: netfilter@lists.netfilter.org

On Thu 15/04/2004 at 16:53, Antony Stone wrote:
> > iptables -t nat -A POSTROUTING -o dmzinterface -j MASQUERADE
> I disagree with this rule. It will make all connections to servers in the
> DMZ network appear to come from the firewall, which will destroy any useful
> logging on the services which are running.

One may just add a "-s $LAN" statement so the DMZ does not see packets using
the internal addressing scheme (obfuscation), but keeps external addresses
unmodified for logging purposes.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
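As an added example that is not part of the thread (nor Con Tassios' script): a small dry-run generator for the rule set Antony's replies describe, one PREROUTING DNAT rule per port plus a FORWARD rule keyed on the translated destination address and port rather than on "-s <port>", with the masquerade restricted to the LAN source range as Cedric suggests. Interface names, the LAN range and the BitTorrent host 192.168.0.206 are taken from Nick's script; the function names and the print-by-default behaviour are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the rule set Antony's replies
# describe: per port, one PREROUTING DNAT rule plus one FORWARD rule that
# matches the translated destination address and port. Interface names, the
# LAN range and the host 192.168.0.206 are taken from Nick's script; the
# function names and the dry-run default are assumptions for this example.
#
# Rules are printed by default. Set IPTABLES=/sbin/iptables in the environment
# (and run as root on the gateway) to apply them.

IPTABLES="${IPTABLES:-echo /sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.0.0/24}"
BT_HOST="${BT_HOST:-192.168.0.206}"

# forward_tcp_port PORT: DNAT PORT arriving on EXT_IF to BT_HOST:PORT and let
# the translated packets through FORWARD. After DNAT the packet's destination
# is BT_HOST, so that is what the FORWARD rule keys on; "-s 6881" in the
# original script puts a port number where an address belongs, so it does
# not match the forwarded traffic.
forward_tcp_port() {
    port="$1"
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$BT_HOST:$port"
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$BT_HOST" -p tcp \
        --dport "$port" -m state --state NEW -j ACCEPT
}

# forward_tcp_range FIRST LAST: forward every port in the inclusive range.
forward_tcp_range() {
    p="$1"
    while [ "$p" -le "$2" ]; do
        forward_tcp_port "$p"
        p=$((p + 1))
    done
}

# base_rules: what every DNAT forward relies on. Replies to forwarded
# connections return through FORWARD as ESTABLISHED, LAN hosts may go out, and
# masquerading is limited to the LAN source range as Cedric suggests, so only
# LAN-originated traffic is rewritten.
base_rules() {
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

# lint_rule RULE: succeed (exit 0) if RULE has a bare number after -s or -d,
# the mistake in the original FORWARD rules.
lint_rule() {
    printf '%s\n' "$1" | grep -Eq -- '(^| )-[sd] +[0-9]+( |$)'
}

# Usage: sh forward.sh bt   (prints the full set; with IPTABLES set, applies it)
if [ "${1:-}" = "bt" ]; then
    base_rules
    forward_tcp_range 6881 6885
fi
```

Running it with no IPTABLES in the environment prints the rules so they can be reviewed before touching a live gateway; lint_rule is the check to run over an existing script to catch the "-s 6881" pattern.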
From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Neil Aggarwal"
Subject: Port forwarding not working
Date: Sat, 28 Apr 2007 22:15:33 -0500
Message-ID: <000001c78a0c$a7b02cd0$dededede@neilhp>
To: netfilter@lists.netfilter.org

Hello:

I have a Linux box acting as a firewall and gateway for my local internet.
The private IP is 192.168.1.1

Behind that, I have a Linksys VPN box. Its IP is 192.168.1.101.

If I go to my Linux box and issue this command:
telnet 192.168.1.101 1723

I get this output:
Trying 192.168.1.101...
Connected to 192.168.1.101 (192.168.1.101).
Escape character is '^]'.

Everything is fine. I can connect to the Linksys box without a problem.

Now, I want to set up routing from the external world to be able to access
the Linksys box. I added this rule to my firewall to do the forwarding:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ETH0_IP --sport 1024: --dport 1723 -j DNAT --to $LINKSYS_VPN_IP:1723

It is all on one line, I added line breaks for readability.

When I tried to telnet to port 1723 on my public IP, I saw logs from my
firewall for inbound packets so I added these rules:

/sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP -p tcp --sport 1024: --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP -p tcp --sport 1024: --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT

But, I am not seeing any logs for the outbound packets from the Linksys box
and the telnet session from the remote computer is not connecting.

Any ideas what is going on?

Thanks,
Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jim Laurino
Subject: Re: Port forwarding not working
Date: Sun, 29 Apr 2007 10:39:54 -0400
Message-ID: <1177857594l.3596l.2l@soapy>
In-Reply-To: <000c01c78a5f$3d392570$dededede@neilhp>
Reply-To: nfcan.x.jimlaur@dfgh.net
To: netfilter@lists.netfilter.org

On 04/29/2007 09:06:44 AM, Neil Aggarwal - neil@JAMMConsulting.com wrote:
> Jim:
>
> > Maybe you could use SNAT to make the packets appear
> > to come from the firewall, then they ought to come back.
>
> How do I set up the SNAT rule?
>

This will make the packet look like it came from the firewall:

/sbin/iptables -t nat -I POSTROUTING -o eth1 -d $LINKSYS_VPN_IP \
    -p tcp --dport 1723 -j SNAT --to-source 192.168.1.1

(where 192.168.1.1 is the ip address of the firewall on eth1 side)

If postrouting still has a default drop policy etc. then this rule must
be found before the accept rule, that is why it has -I, to put it first.

HTH

--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Neil Aggarwal"
Subject: RE: Port forwarding not working
Date: Sun, 29 Apr 2007 21:11:29 -0500
Message-ID: <000001c78acc$ddb29be0$dededede@neilhp>
In-Reply-To: <1177857594l.3596l.2l@soapy>
To: netfilter@lists.netfilter.org

Jim:

That did it! I guess the Linksys box was only going to respond to local IP
addresses.

I was able to use your example to set up the routing for the gre protocol
as well.

Thank you for your help.

Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.
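As an added example that is not part of the thread: an audit script that reads an iptables-save dump and reports, for every PREROUTING DNAT target, whether the two companion rules this thread turned on are present, the FORWARD rule that accepts the translated packets (Antony's point in the 2004 thread) and the POSTROUTING SNAT that Jim suggested for a device that only answers local addresses. The host 192.168.1.101, the firewall address 192.168.1.1, port 1723 and the interfaces come from Neil's posts; the dump itself, the public address 203.0.113.10 and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an iptables-save dump for
# the three pieces Neil's forward needed: the PREROUTING DNAT, a FORWARD rule
# accepting the translated packets and the POSTROUTING SNAT Jim suggested.
# Addresses and port come from Neil's posts; the dump and the public address
# 203.0.113.10 are constructed for this example; function names are assumed.

# Constructed iptables-save output: DNAT and FORWARD present, SNAT missing.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1723 -j DNAT --to-destination 192.168.1.101:1723
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.101/32 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Jim's SNAT rule in the form iptables-save prints it (constructed).
SNAT_RULE='-A POSTROUTING -d 192.168.1.101/32 -o eth1 -p tcp -m tcp --dport 1723 -j SNAT --to-source 192.168.1.1'

# dnat_targets: print "HOST PORT" for each PREROUTING DNAT rule on stdin.
dnat_targets() {
    sed -n 's/^-A PREROUTING .*-j DNAT --to-destination \([0-9.]*\):\([0-9]*\).*/\1 \2/p'
}

# rule_present CHAIN HOST PORT TARGET: succeed if stdin holds a CHAIN rule
# with destination HOST, destination port PORT and target TARGET.
rule_present() {
    grep -Eq -- "^-A $1 .*-d $2(/32)? .*--dport $3 .*-j $4( |$)"
}

# add_nat_rule RULE: append RULE to the *nat section of the dump on stdin
# (the first COMMIT closes that section in iptables-save output).
add_nat_rule() {
    awk -v rule="$1" '!done && /^COMMIT$/ { print rule; done = 1 } { print }'
}

# audit_forwarding: one report line per DNAT target on stdin, saying whether
# the FORWARD accept and the POSTROUTING SNAT for it exist.
audit_forwarding() {
    dump=$(cat)
    printf '%s\n' "$dump" | dnat_targets | while read -r host port; do
        fwd=no
        snat=no
        printf '%s\n' "$dump" | rule_present FORWARD "$host" "$port" ACCEPT && fwd=yes
        printf '%s\n' "$dump" | rule_present POSTROUTING "$host" "$port" SNAT && snat=yes
        printf '%s:%s forward=%s snat=%s\n' "$host" "$port" "$fwd" "$snat"
    done
}

# Usage on a gateway:  iptables-save | sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_forwarding
fi
```

On the constructed dump the report reads "192.168.1.101:1723 forward=yes snat=no", which is exactly Neil's situation before Jim's rule; "snat=no" is only a finding when the forwarded device, like the Linksys box here, refuses to answer non-local sources, since SNAT hides the real client address from that device's logs.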