From: Anders Fugmann <afu@fugmann.dhs.org>
To: nadim@khemir.net
Cc: netfilter@lists.netfilter.org
Subject: Re: Nat port forwarding, Tired of poking around, need serious help from serious guys
Date: Wed, 11 Sep 2002 10:44:30 +0200
Message-ID: <3D7F026E.1020309@fugmann.dhs.org>
In-Reply-To: 200209092324.11891.root@khemir.net
root wrote:
> Hi all,
>
> ************
> Problem 1:
> ************
> - I can't send mail TO my net
> - I can't telnet khemir.net 25
You should accept packets coming from the internet to your SMTP server
in the forward queue like:
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p tcp \
-d $SMTP_SERVER_IP --dport $SMTP_SERVER_PORT -j ACCEPT
>
> # allow connection on port, quite verbose but copied it from the example
> $IPTABLES -A tcp_packets -i $INET_IFACE -p tcp -s 0.0.0.0/0 -d $INET_IP/32 \
> --destination-port $SMTP_SERVER_PORT -j ACCEPT
There is no need for this rule, as you have already sent the packets on
to the machine behind the firewall, so this rule is obsolete.
>
> # now ip and port forward
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp -d $INET_IP --dport \
> $SMTP_SERVER_PORT -j DNAT --to-destination $SMTP_SERVER_IP:$SMTP_SERVER_PORT
This seems ok.
> An extra piece of information:
> if I nslookup my ip address I get name= as17-3-2-ld.bonet.se
> if I nslookup khemir.net I get my ip address.
> I don't know if this is important but I wonder how it can be?
Very common. IPs can have multiple names, but an IP can only have one name.
> ************
> Problem 2:
> ************
> Logging of the errors found by the FW rules are logged on the console!!!
>
> a/ I don't get why it's logged to my console
>
> the rule matched is: $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state
> --state NEW -j LOG --log-prefix "New not syn:".
>
> here is the error (one of them):
>
> New not syn: IN=eth0 OUT=eth1 SRC=192.168.1.3 DST= 64.176.251.148 LEN=52
> TOS=0x00 PREC=0x00 TTL=63 ID=63862 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=6432
> RES=0x00 ACK FIN URGP=0
>
> Now where is this coming from??
> OK local machine, but who generates it?
These are generated by the logging rule you showed above.
They are harmless and you should not worry.
The reason why these are logged on the console has to do with the way
the system logger is set up. See syslog.conf(5), and/or change the log
level on the LOG target by adding '--log-level XXX', see iptables(8).
>
> I could DROP these packages instead of logging them when they are generated in
> the lan but still it is frustrating to know these errors are generated
> continuously (I'd guess by a programmer that sends to a closed socket)
No, that's not it. As I understand it, the RFC is a bit vague on the subject
of when a socket is closed. netfilter regards the connection as closed as
soon as a FIN packet is seen, but many implementations reply to a FIN by
sending "ACK,FIN". This is what you see. This is not a bad programmer, just
netfilter being too quick on the trigger.
> and
> why does my box try to connect to a host I know nothing about?
Do you really expect us to know? :-). If you don't know why the
connection was established, then look at the output of 'netstat -ap'.
It's an HTTP request; remember that pages include images from other
servers. This might be some banner server.
Regards
Anders Fugmann
--
Author of FIAIF.
FIAIF Is An Intelligent/Iptables Firewall
http://fiaif.fugmann.dhs.org/
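The pieces discussed in this thread put together, as an added example that is not the poster's or Anders's own script: the DNAT in the nat table's PREROUTING chain, the matching accept in the filter table's FORWARD chain (the nat table has no FORWARD chain), a rule for the reply direction, and the "New not syn" LOG rule given an explicit `--log-level` so it lands in syslog rather than on the console. Interface names, addresses and the existing `bad_tcp_packets` chain are assumed; the script only defines functions unless invoked with `apply`, so it can be dry-run with `IPTABLES=echo`.

```shell
#!/bin/sh
# Assumed values; override them from the environment.
IPTABLES=${IPTABLES:-iptables}
INET_IFACE=${INET_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
INET_IP=${INET_IP:-203.0.113.10}               # placeholder public address
SMTP_SERVER_IP=${SMTP_SERVER_IP:-192.168.1.3}  # placeholder LAN host
SMTP_SERVER_PORT=${SMTP_SERVER_PORT:-25}

smtp_forward_rules() {
    # 1. nat table: rewrite inbound SMTP so it goes to the LAN host.
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$INET_IP" \
        --dport "$SMTP_SERVER_PORT" \
        -j DNAT --to-destination "$SMTP_SERVER_IP:$SMTP_SERVER_PORT"
    # 2. filter table: let the rewritten packets through FORWARD.
    #    No "-t nat" here; the FORWARD chain lives in the filter table.
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp \
        -d "$SMTP_SERVER_IP" --dport "$SMTP_SERVER_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. filter table: let the SMTP server's replies back out.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

log_not_syn_rules() {
    # Assumes the user chain bad_tcp_packets already exists and is hooked
    # from INPUT/FORWARD, as in the poster's script. Logging at "info"
    # keeps the late ACK,FIN noise off the console (subject to syslog.conf).
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
        -j LOG --log-prefix "New not syn: " --log-level info
}

case "${1:-}" in
    apply) smtp_forward_rules; log_not_syn_rules ;;
esac
```

Running `IPTABLES=echo sh forward.sh apply` prints the rules instead of loading them, which is a cheap way to review a ruleset before touching a live firewall.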