From: root <root@khemir.net>
To: netfilter@lists.netfilter.org
Subject: Nat port forwarding, Tired of poking around, need serious help from serious guys
Date: Mon, 9 Sep 2002 23:24:11 +0200
Message-ID: <200209092324.11891.root@khemir.net>
[-- Attachment #1: Type: text/plain, Size: 6380 bytes --]
Hi all,
!! Warning, this mail is quite long and I don't want to waste your time. Still,
I think it can be read within 5-10 min and is not too boring!!
First of all, please send answers to the list or to nkh@cpen.com.
(nadim@khemir.net is the one server that I can't get to run! yet!)
I'll do my best to explain the problem and its setting in detail, so please send
exact answers, and keep your thoughts if you are not sure. IMHO, when I see
the number of messages out there, I think this problem must be answered once
and for all.
History:
This is a test setup:
- Local network with 2 machines, the firewall and a test machine
- fixed IP address through bonet.se at khemir.net for the firewall
Layout:
- one firewall running linux 2.4.18-3 on a PII with iptables version 1.2.5, IP
at khemir.net, 2 NICs.
The following modules load OK:
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG # has this something to do with problem 2?
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
(The iptables config file is attached and is a shell script, so please
don't run it before you go through it as it might break your machine....
It's derived from the example found on your web site, written by Oskar
Andreasson.)
- one linux 2.4.18-3 running ipchains on local IP 192.168.1.3 with 2 test
users running qmail.
************
Problem 1:
************
- I can't send mail TO my net
- I can't telnet khemir.net 25
How did I try to fix it:
- I read all I could find on the net and on your web site, all this in 3
languages
- I read the FAQ
- I read the archives
- I ran all the commands I could find in the different documents (an incredible
amount of different ways to do the same thing, and still many rules were
refused by iptables because of incompatible options or unrecognized
switches)
Some tests I ran:
- surf the internet from the local computer to test masquerading -> OK
- send mail from the local machine to the rest of the world -> OK
- send mail locally -> OK
- telnet to the local machine port 25 from the firewall (FW) -> not good when
the firewall on the local machine is on, OK when it's off. All tests except
this one are with the firewall on the local machine down
- ssh to FW -> OK
! had sendmail still installed on the FW, removed it too
Where did I run the tests from:
- send mail from my job -> bounce
- ssh to the FW from my job -> OK
- telnet to port 25 from job to local machine (that is, after it should have
been forwarded by the FW) -> no connection
- same tests from another computer on the net -> same results
- mail from hotmail.com (see there is a use for hotmail.com) -> bounce
! remember that I can send mail outwards and the SMTP server is responding
when I telnet to it from the FW.
How do I port forward:
from iptables -L -t nat:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             as17-3-2.ld.bonet.se  tcp dpt:smtp to:192.168.1.3:25
### as17-3-2.ld.bonet.se is the same as khemir.net !
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere              to:217.215.193.214
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
from my rules:
# SMTP server
SMTP_SERVER_IP="192.168.1.3" # on local machine
SMTP_SERVER_PORT="25"
# allow connection on port, quite verbose but copied it from the example
$IPTABLES -A tcp_packets -i $INET_IFACE -p tcp -s 0.0.0.0/0 -d $INET_IP/32 --destination-port $SMTP_SERVER_PORT -j ACCEPT
# now ip and port forward
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp -d $INET_IP --dport $SMTP_SERVER_PORT -j DNAT --to-destination $SMTP_SERVER_IP:$SMTP_SERVER_PORT
I did a bunch of other tests and all fail. My guess is that I am doing
something wrong, but what?
All the rules seem right and all the rules are found in iptables -L; see the
output of iptables -L and -L -t nat that is sent as an attachment.
An extra piece of information:
if I nslookup my IP address I get name=as17-3-2-ld.bonet.se
if I nslookup khemir.net I get my IP address.
I don't know if this is important, but I wonder how it can be?
Type of help needed:
Please pinpoint where I just was too ignorant to do things right.
Anything that is not clear enough? Something else I should run and show the
output of?
I am a basic user (2 weeks using linux), so anything you want me to do should
be clearly explained (and hopefully others will profit from your explanations).
************
Problem 2:
************
Errors found by the FW rules are logged on the console!!!
a/ I don't get why it's logged to my console
the rule matched is: $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
here is the error (one of them):
New not syn: IN=eth0 OUT=eth1 SRC=192.168.1.3 DST=64.176.251.148 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=63862 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Now where is this coming from??
OK, the local machine, but who generates it?
I know where it is going to; whois 64.176.251.148:
n/a
po box 3061
florence, Oregon 97439
US
Domain Name: KJKPRODUCTIONS.ORG
Administrative Contact:
kacey donston kadk@starband.net
na
po box 3061
florence, OR 97439
US
Phone: 5419978141
Fax:
Technical Contact:
Tech Support support@linuxwebhost.com
Linuxwebhost.com
10 E. Baltimore St.
Baltimore, Md 21202
US
Phone: 410.234.3300
Fax:
I can't figure out why this is happening and why it is logged on the console.
I could DROP these packets instead of logging them when they are generated in
the LAN, but still it is frustrating to know these errors are generated
continuously (I'd guess by a programmer that sends to a closed socket), and
why does my box try to connect to a host I know nothing about?
Note that these errors can also report other ports like 128.105.7.11, ....
Thanks a lot in advance.
Nadim (soon @khemir.net ;-)
[-- Attachment #2: iptables-L-L-tnat --]
[-- Type: text/plain, Size: 3453 bytes --]
Chain INPUT (policy DROP)
target               prot opt source                destination
bad_tcp_packets      tcp  --  anywhere              anywhere
ACCEPT               all  --  192.168.1.0/24        anywhere
ACCEPT               all  --  fw_local              anywhere
ACCEPT               all  --  192.168.1.1           anywhere
ACCEPT               all  --  as17-3-2.ld.bonet.se  anywhere
ACCEPT               all  --  anywhere              192.168.1.255
ACCEPT               all  --  anywhere              as17-3-2.ld.bonet.se  state RELATED,ESTABLISHED
tcp_packets          tcp  --  anywhere              anywhere
udpincoming_packets  udp  --  anywhere              anywhere
icmp_packets         icmp --  anywhere              anywhere
LOG                  all  --  anywhere              anywhere              limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: '
Chain FORWARD (policy DROP)
target               prot opt source                destination
bad_tcp_packets      tcp  --  anywhere              anywhere
ACCEPT               all  --  anywhere              anywhere
ACCEPT               all  --  anywhere              anywhere              state RELATED,ESTABLISHED
LOG                  all  --  anywhere              anywhere              limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: '
Chain OUTPUT (policy DROP)
target               prot opt source                destination
bad_tcp_packets      tcp  --  anywhere              anywhere
ACCEPT               all  --  fw_local              anywhere
ACCEPT               all  --  192.168.1.1           anywhere
ACCEPT               all  --  as17-3-2.ld.bonet.se  anywhere
LOG                  all  --  anywhere              anywhere              limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '
Chain allowed (0 references)
target               prot opt source                destination
ACCEPT               tcp  --  anywhere              anywhere              tcp flags:SYN,RST,ACK/SYN
ACCEPT               tcp  --  anywhere              anywhere              state RELATED,ESTABLISHED
DROP                 tcp  --  anywhere              anywhere
Chain bad_tcp_packets (3 references)
target               prot opt source                destination
LOG                  tcp  --  anywhere              anywhere              tcp flags:!SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn:'
DROP                 tcp  --  anywhere              anywhere              tcp flags:!SYN,RST,ACK/SYN state NEW
Chain icmp_packets (1 references)
target               prot opt source                destination
ACCEPT               icmp --  anywhere              anywhere              icmp echo-request
ACCEPT               icmp --  anywhere              anywhere              icmp time-exceeded
Chain tcp_packets (1 references)
target               prot opt source                destination
ACCEPT               tcp  --  anywhere              as17-3-2.ld.bonet.se  tcp dpt:smtp
Chain udpincoming_packets (1 references)
target               prot opt source                destination
Chain PREROUTING (policy ACCEPT)
target               prot opt source                destination
DNAT                 tcp  --  anywhere              as17-3-2.ld.bonet.se  tcp dpt:smtp to:192.168.1.3:25
Chain POSTROUTING (policy ACCEPT)
target               prot opt source                destination
SNAT                 all  --  anywhere              anywhere              to:217.215.193.214
Chain OUTPUT (policy ACCEPT)
target               prot opt source                destination
[-- Attachment #3: rc.firewall.iptables --]
[-- Type: application/x-shellscript, Size: 9359 bytes --]
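The rule set a DNAT port forward needs, together with the checks a practitioner runs on the firewall when a forwarded port does not answer, as an added example that is not part of the original mail nor of Oskar Andreasson's script. The interface names, LAN network, iptables path and public address at the top are assumptions (overridable from the environment), and the functions only print the rules so they can be reviewed before anything is run. Two points this rule set makes explicit: after DNAT the packet is routed to the LAN host and traverses FORWARD, never INPUT, so the accept for the forwarded connection has to live in FORWARD; and the SNAT is limited to LAN-sourced traffic leaving on the public interface, so the internal mail server still sees the real client address instead of the firewall's, which matters for its own logs and relay checks.

```shell
#!/bin/sh
# Added example, not code from the mail: emit the rules for one forwarded TCP
# port plus a checklist for debugging it. All names below are assumptions;
# override them from the environment to match the real setup.

IPTABLES=${IPTABLES:-/sbin/iptables}
INET_IFACE=${INET_IFACE:-eth1}       # assumed public interface
LAN_IFACE=${LAN_IFACE:-eth0}         # assumed LAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}   # LAN from the mail's INPUT chain
INET_IP=${INET_IP:-217.215.193.214}  # public address from the mail's SNAT rule

# gen_forward_rules PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
# Prints the four rules that together make a forwarded port work:
#  1. PREROUTING DNAT rewrites the destination before the routing decision;
#  2. FORWARD accepts the rewritten NEW connection (DNAT'd packets are routed
#     to the LAN host and never traverse INPUT);
#  3. FORWARD accepts the reply direction via conntrack state;
#  4. SNAT only LAN-originated traffic leaving on the public interface, so a
#     forwarded inbound connection keeps the client's real source address.
gen_forward_rules() {
  pub_port=$1; int_ip=$2; int_port=$3
  cat <<EOF
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp -d $INET_IP --dport $pub_port -j DNAT --to-destination $int_ip:$int_port
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p tcp -d $int_ip --dport $int_port -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $INET_IFACE -j SNAT --to-source $INET_IP
EOF
}

# forward_checklist: what to look at on the firewall, in order, while a test
# connection to the public port is being attempted from outside.
forward_checklist() {
  cat <<'EOF'
cat /proc/sys/net/ipv4/ip_forward          # must print 1, or nothing is forwarded at all
iptables -t nat -L PREROUTING -n -v        # does the DNAT rule's packet counter increase?
iptables -L FORWARD -n -v                  # is the flow counted on an ACCEPT, or on the LOG/drop at the end?
grep 'dport=25' /proc/net/ip_conntrack     # was a NAT entry created for the test connection? (2.4 kernel path)
EOF
}

# Print the rules for SMTP as in the mail (public 25 -> 192.168.1.3:25).
gen_forward_rules 25 192.168.1.3 25
forward_checklist
```

If the DNAT counter increases but the conntrack entry shows replies never coming back, the LAN host is the place to look next: its default route must point at the firewall, and its own packet filter must allow the connection.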
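The logged packet in problem 2 can be read mechanically. The following is an added example, not code from the mail: it pulls the KEY=VALUE fields and the TCP flag words out of iptables LOG lines and names what kind of packet each "New not syn:" entry is. The first sample line is the one quoted in the mail (with the stray space after DST= removed); the other two lines, including the 198.51.100.7 address, are constructed. The matching rule, `-p tcp ! --syn -m state --state NEW`, catches TCP packets that are not a plain SYN yet belong to no connection conntrack currently knows, which is exactly what a late FIN/ACK or RST from a session that has already dropped out of the conntrack table looks like; the logged packet is a LAN host closing an HTTP session, not the firewall opening one.

```shell
#!/bin/sh
# Added example, not code from the mail: parse iptables LOG lines and explain
# each "New not syn:" entry. Sample lines are constructed (the first is the
# mail's own line, with the stray space after DST= removed).

SAMPLE_LOG=$(cat <<'EOF'
Sep  9 22:10:01 fw kernel: New not syn: IN=eth0 OUT=eth1 SRC=192.168.1.3 DST=64.176.251.148 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=63862 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Sep  9 22:10:03 fw kernel: New not syn: IN=eth0 OUT=eth1 SRC=192.168.1.3 DST=128.105.7.11 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=63870 DF PROTO=TCP SPT=32801 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep  9 22:10:09 fw kernel: New not syn: IN=eth1 OUT= SRC=198.51.100.7 DST=217.215.193.214 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=61000 DPT=25 WINDOW=1024 RES=0x00 ACK URGP=0
EOF
)

# field NAME LINE: value of the NAME=value token in LINE (empty if absent)
field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# tcp_flags LINE: the flag words iptables prints between RES= and URGP=
tcp_flags() {
  printf '%s\n' "$1" | sed -n 's/.* RES=[^ ]* \(.*\) URGP=.*/\1/p'
}

# classify_log_line LINE: one-line verdict for a "New not syn:" entry.
# A bare SYN never reaches this rule, so SYN here means a SYN/ACK.
classify_log_line() {
  flags=$(tcp_flags "$1")
  case " $flags " in
    *" FIN "*) kind="late close of a connection conntrack no longer tracks" ;;
    *" RST "*) kind="reset for a connection conntrack no longer tracks" ;;
    *" SYN "*) kind="SYN/ACK reply to a connection conntrack no longer tracks" ;;
    *" ACK "*) kind="mid-stream packet of a connection conntrack no longer tracks" ;;
    *)         kind="no TCP flags set, not produced by a normal TCP stack" ;;
  esac
  printf '%s:%s -> %s:%s [%s] %s\n' \
    "$(field SRC "$1")" "$(field SPT "$1")" \
    "$(field DST "$1")" "$(field DPT "$1")" "$flags" "$kind"
}

# summarize: read log lines on stdin, count "New not syn:" entries per
# source host and remote port, most frequent first
summarize() {
  grep 'New not syn:' | while IFS= read -r l; do
    printf '%s %s\n' "$(field SRC "$l")" "$(field DPT "$l")"
  done | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do classify_log_line "$l"; done
printf '%s\n' "$SAMPLE_LOG" | summarize
```

On the console question: the "New not syn:" LOG rule uses the default log level (warning, 4), while the other LOG rules in the attachment use debug (7). The kernel copies printk messages whose level is below the console log level to the console, so warning-level entries show up there and debug-level ones do not; `dmesg -n 4` lowers the console log level, or give that rule `--log-level debug` like the others. syslog keeps receiving the entries either way, so nothing is lost for later review.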