* Nat port forwarding, Tired of poking around, need serious help from serious guys
From: root @ 2002-09-09 21:24 UTC
To: netfilter
Hi all,
!! warning, this mail is quite long and I don't want to waste your time. Still
I think it can be read within 5-10 min and is not too boring!!
First of all please send answers to the list or to nkh@cpen.com.
(nadim@khemir.net is the one server that I can't get to run! yet!)
I'll do my best to explain the problem and its setting in detail so please send
exact answers, and keep your thoughts if you are not sure. IMHO when I see
the number of messages out there, I think this problem must be answered once
and for all.
History:
This is a test setup:
- Local network with 2 machines, the firewall and a test machine
- fixed IP address through bonet.se at khemir.net for the firewall
Layout:
- one firewall running linux 2.4.18-3 on a PII with iptables version 1.2.5, IP
at khemir.net, 2 NICs.
following modules load OK:
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG # has this something to do with problem 2?
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
( iptables config file can be found attached and is a shell script so please
don't run it before you go through it as it might break your machine,....
it's derived from the example found on your web site, written by Oskar
Andreasson.)
- one linux 2.4.18-3 running ipchains on local IP 192.168.1.3 with 2 test
users running qmail.
************
Problem 1:
************
- I can't send mail TO my net
- I can't telnet khemir.net 25
How did I try to fix it:
- I read all I could find on the net and on your web site all this in 3
languages
- I read the FAQ
- I read the archives
- I ran all the commands I could find in the different documents (an incredible
amount of different ways to do the same thing and still many rules were
refused by iptables because of incompatible options or not recognized
switches)
Some tests I ran:
- surf the internet from the local computer to test masquerading -> OK
- send mail from the local machine to the rest of the world -> OK
- send mail locally -> OK
- telnet to the local machine port 25 from the Firewall (FW) -> not good when
the firewall on the local machine is on, OK when it's off. All tests except
this one are with the firewall on the local machine down
- ssh to FW -> OK
! had sendmail still installed on the FW, removed it too
Where did I run the tests from:
- send mail from my job -> bounce
- ssh to the FW from my job-> OK
- telnet to port 25 from job to local machine (that is after it should have
been forwarded by FW) -> no connection
- same tests from another computer on the net -> same results
- mail from hotmail.com (see there is a use for hotmail.com) -> bounce
! remember that I can send mail outwards and the SMTP server is responding
when I telnet it from the FW.
How do I port forward:
from iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere as17-3-2.ld.bonet.se tcp dpt:smtp to:192.168.1.3:25
### as17-3-2.ld.bonet.se is the same as khemir.net !
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:217.215.193.214
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
from my rules:
# SMTP server
SMTP_SERVER_IP="192.168.1.3" # on local machine
SMTP_SERVER_PORT="25"
# allow connection on port, quite verbose but copied it from the example
$IPTABLES -A tcp_packets -i $INET_IFACE -p tcp -s 0.0.0.0/0 -d $INET_IP/32 \
--destination-port $SMTP_SERVER_PORT -j ACCEPT
# now ip and port forward
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp -d $INET_IP --dport \
$SMTP_SERVER_PORT -j DNAT --to-destination $SMTP_SERVER_IP:$SMTP_SERVER_PORT
I did a bunch of other tests and all fail. My guess is that I am doing
something wrong but what?
All the rules seem right and all the rules are found on iptables -L, see
output of iptables -L, -L -t nat that are sent as an attachment
An extra information:
if I nslookup my ip address I get name= as17-3-2-ld.bonet.se
if I nslookup khemir.net I get my ip address.
I don't know if this is important but I wonder how it can be?
Type of help needed:
please pinpoint where I just was too ignorant to do things right.
Anything that is not clear enough? something else I should run and show the
output of?
I am a basic user (2 weeks using linux) so anything you want me to do should
be clearly explained (and hopefully others will profit from your explanations)
************
Problem 2:
************
Errors found by the FW rules are logged on the console!!!
a/ I don't get why it's logged to my console
the rule matched is: $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state
--state NEW -j LOG --log-prefix "New not syn:".
here is the error (one of them):
New not syn: IN=eth0 OUT=eth1 SRC=192.168.1.3 DST= 64.176.251.148 LEN=52
TOS=0x00 PREC=0x00 TTL=63 ID=63862 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=6432
RES=0x00 ACK FIN URGP=0
Now where is this coming from ??
OK local machine, but who generates it
I know where it is going to, whois 64.176.251.148:
n/a
po box 3061
florence, Oregon 97439
US
Domain Name: KJKPRODUCTIONS.ORG
Administrative Contact:
kacey donston kadk@starband.net
na
po box 3061
florence, OR 97439
US
Phone: 5419978141
Fax:
Technical Contact:
Tech Support support@linuxwebhost.com
Linuxwebhost.com
10 E. Baltimore St.
Baltimore, Md 21202
US
Phone: 410.234.3300
Fax:
I can't figure why this is happening and why it is logged on the console.
I could DROP these packages instead of logging them when they are generated in
the lan but still it is frustrating to know these errors are generated
continuously (I'd guess by a programmer that sends to a closed socket) and
why does my box try to connect to a host I know nothing about?
Note that these errors can also report other ports like 128.105.7.11, ....
Thanks a lot in advance.
Nadim (soon @khemir.net ;-)
[-- Attachment #2: iptables-L-L-tnat, Type: text/plain, Size: 3453 bytes --]
Chain INPUT (policy DROP)
target prot opt source destination
bad_tcp_packets tcp -- anywhere anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- fw_local anywhere
ACCEPT all -- 192.168.1.1 anywhere
ACCEPT all -- as17-3-2.ld.bonet.se anywhere
ACCEPT all -- anywhere 192.168.1.255
ACCEPT all -- anywhere as17-3-2.ld.bonet.se state RELATED,ESTABLISHED
tcp_packets tcp -- anywhere anywhere
udpincoming_packets udp -- anywhere anywhere
icmp_packets icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: '
Chain FORWARD (policy DROP)
target prot opt source destination
bad_tcp_packets tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: '
Chain OUTPUT (policy DROP)
target prot opt source destination
bad_tcp_packets tcp -- anywhere anywhere
ACCEPT all -- fw_local anywhere
ACCEPT all -- 192.168.1.1 anywhere
ACCEPT all -- as17-3-2.ld.bonet.se anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '
Chain allowed (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere
Chain bad_tcp_packets (3 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn:'
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
Chain icmp_packets (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
Chain tcp_packets (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere as17-3-2.ld.bonet.se tcp dpt:smtp
Chain udpincoming_packets (1 references)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere as17-3-2.ld.bonet.se tcp dpt:smtp to:192.168.1.3:25
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:217.215.193.214
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[-- Attachment #3: rc.firewall.iptables, Type: application/x-shellscript, Size: 9359 bytes --]
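The "New not syn:" lines in Problem 2 are worth triaging rather than just silencing. The script below is an added example, not something from the poster's rc.firewall or from the thread: it pulls the fields out of netfilter LOG lines and sorts each hit into noise (a late ACK/FIN or RST from the LAN side, after conntrack has stopped tracking the connection) or something worth a look (a non-SYN packet from the Internet side that matched no known connection). It assumes eth0 is the LAN interface and eth1 the Internet one, inferred from the IN=eth0/OUT=eth1 log line above; the verdict names and the three sample lines are constructed (the first copies the thread's line, the other two use documentation-range addresses).

```shell
#!/bin/sh
# Added example (not code from the thread): pull fields out of netfilter LOG
# lines and sort "New not syn:" hits into the harmless and the interesting.
# The sample lines below are constructed; the first reproduces the one in the
# thread, the other two are made up with documentation-range addresses.

LAN_IFACE="eth0"    # inferred from the thread's log line (IN=eth0, LAN source)
INET_IFACE="eth1"

# Value of KEY=value in a LOG line, empty if the key is absent or empty.
nf_field() {  # $1 = line, $2 = key
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# TCP flag words (the bare tokens after RES=) as a sorted comma-separated list.
nf_flags() {  # $1 = line
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E -x 'SYN|ACK|FIN|RST|PSH|URG|CWR|ECE' | sort | tr '\n' ',' | sed 's/,$//'
}

# Verdict for one "New not syn" line (verdict names are this example's own):
#   lan-late-close : ACK/FIN/RST from the LAN side, the tail of a connection
#                    conntrack has already stopped tracking; noise.
#   inet-non-syn   : non-SYN packet from the Internet side that matched no
#                    connection; stale tracking or an unsolicited probe, worth a look.
classify_not_syn() {  # $1 = line
    iface=$(nf_field "$1" IN)
    flags=$(nf_flags "$1")
    case "$iface:$flags" in
        "$LAN_IFACE:ACK,FIN"|"$LAN_IFACE:ACK"|"$LAN_IFACE:ACK,RST"|"$LAN_IFACE:RST")
            echo "lan-late-close" ;;
        "$INET_IFACE:"*)
            echo "inet-non-syn" ;;
        *)
            echo "other" ;;
    esac
}

# Count verdicts over LOG lines read from stdin: "<verdict> <count>" per line.
summarize() {
    while IFS= read -r l; do
        classify_not_syn "$l"
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample input.
SAMPLE_LOGS='New not syn: IN=eth0 OUT=eth1 SRC=192.168.1.3 DST=64.176.251.148 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=63862 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=6432 RES=0x00 ACK FIN URGP=0
New not syn: IN=eth0 OUT=eth1 SRC=192.168.1.3 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=32800 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
New not syn: IN=eth1 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4242 PROTO=TCP SPT=6000 DPT=25 WINDOW=1024 RES=0x00 ACK URGP=0'

printf '%s\n' "$SAMPLE_LOGS" | summarize
```

Feed it real lines with something like `grep 'New not syn:' /var/log/messages | sh -c '. ./classify.sh; summarize'` (adjusting the path and file name to your setup); the `lan-late-close` count is the noise the reply explains, while anything in `inet-non-syn` deserves a second look at the source address and port.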
* Re: Nat port forwarding, Tired of poking around, need serious help from serious guys
From: Anders Fugmann @ 2002-09-11 8:44 UTC
To: nadim; +Cc: netfilter
root wrote:
> Hi all,
>
> ************
> Problem 1:
> ************
> - I can't send mail TO my net
> - I can't telnet khemir.net 25
You should accept packets coming from the internet to your SMTP server
in the forward queue like:
# FORWARD lives in the filter table (the nat table has no FORWARD chain), so no -t nat here
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p tcp \
-d $SMTP_SERVER_IP --dport $SMTP_SERVER_PORT -j ACCEPT
>
> # allow connection on port, quite verbose but copied it from the example
> $IPTABLES -A tcp_packets -i $INET_IFACE -p tcp -s 0.0.0.0/0 -d $INET_IP/32
> --destination-port $SMTP_SERVER_PORT -j ACCEPT
There is no need for this rule, as you have already sent the packets on
to the machine behind the firewall, and this rule is obsoleted.
>
> # now ip and port forward
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp -d $INET_IP --dport
> $SMTP_SERVER_PORT -j DNAT --to-destination $SMTP_SERVER_IP:$SMTP_SERVER_PORT
This seems ok.
> An extra information:
> if I nslookup my ip address I get name= as17-3-2-ld.bonet.se
> if I nslookup khemir.net I get my ip address.
> I don't know if this is important but I wonder how it can be?
Very common. IPs can have multiple names, but an IP can only have one name.
> ************
> Problem 2:
> ************
> Logging of the errors found by the FW rules are logged on the console!!!
>
> a/ I don't get why it's logged to my console
>
> the rule matched is: $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state
> --state NEW -j LOG --log-prefix "New not syn:".
>
> here is the error (one of them):
>
> New not syn: IN=eth0 OUT=eth1 SRC=192.168.1.3 DST= 64.176.251.148 LEN=52
> TOS=0x00 PREC=0x00 TTL=63 ID=63862 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=6432
> RES=0x00 ACK FIN URGP=0
>
> Now where is this coming from ??
> OK local machine, but who generates it
These are generated by the logging rule as you showed above.
They are harmless and you should not worry.
The reason why these are logged on the console has to do with the way
the system logger is set up. See syslog.conf(5), and/or change the log
level on the LOG target by adding '--log-level XXX', see iptables(8).
>
> I could DROP these packages instead of logging them when they are generated in
> the lan but still it is frustrating to know these error are generated
> continuously (I'd guess by a programmer that sends to a closed socket)
No, that's not it. As I understand it the RFC is a bit vague on the subject of
when a socket is closed. netfilter regards the connection as closed as
soon as a FIN packet is seen, but many implementations reply to a FIN by
sending "ACK,FIN". This is what you see. This is not a bad programmer, just
netfilter being too quick on the trigger.
> and
> why does my box try to connect to a host I know nothing about?
Do you really expect us to know? :-). If you don't know why the
connection was established, then look at the output of 'netstat -ap'.
It's an HTTP request; remember that pages include images from other
servers. This might be some banner server.
Regards
Anders Fugmann
--
Author of FIAIF.
FIAIF Is An Intelligen/Iptables Firewall
http://fiaif.fugmann.dhs.org/
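A complete rule set for the port forward discussed in this thread, as an added example that is neither the poster's rc.firewall nor FIAIF code. It shows the three pieces that have to agree for a DNAT to work: the nat/PREROUTING rewrite, an accept in the filter table's FORWARD chain for the first (NEW) packet of each inbound SMTP connection plus RELATED,ESTABLISHED for the rest, and the outbound SNAT. It assumes eth0 is the LAN interface and eth1 the Internet one (inferred from the IN=eth0/OUT=eth1 log line in the original mail), uses the placeholder public address 192.0.2.10 instead of the poster's real one, and defaults IPTABLES to echo so it prints the rules as a dry run instead of loading them.

```shell
#!/bin/sh
# Added example (not code from the thread or from FIAIF): a minimal DNAT
# port-forward rule set for the layout in the thread, i.e. a two-NIC firewall
# with the SMTP server on the LAN. With IPTABLES left at its default of "echo"
# the script only prints the rules it would load; point IPTABLES at
# /sbin/iptables (as root) to apply them.
IPTABLES="${IPTABLES:-echo}"

# Assumed values. Interface roles are inferred from the thread's log line
# (IN=eth0 with a LAN source, so eth0 is the LAN side); the public address is a
# documentation-range placeholder, not the poster's real address.
LAN_IFACE="eth0"
INET_IFACE="eth1"
INET_IP="192.0.2.10"
SMTP_SERVER_IP="192.168.1.3"    # from the thread
SMTP_SERVER_PORT="25"

# nat/PREROUTING: rewrite the destination of inbound SMTP to the LAN host.
dnat_rule() {
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$INET_IP" \
        --dport "$SMTP_SERVER_PORT" \
        -j DNAT --to-destination "$SMTP_SERVER_IP:$SMTP_SERVER_PORT"
}

# filter/FORWARD: after DNAT the packet is routed, not delivered locally, so it
# traverses FORWARD (policy DROP in the thread), not INPUT. Only the filter
# table has a FORWARD chain; "-t nat -A FORWARD" is rejected by iptables.
forward_rules() {
    # The first packet of each inbound SMTP connection (state NEW) needs an
    # explicit accept; replies and the rest of the connection ride on
    # RELATED,ESTABLISHED in both directions.
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp \
        -d "$SMTP_SERVER_IP" --dport "$SMTP_SERVER_PORT" \
        -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# nat/POSTROUTING: LAN traffic leaving via the Internet interface gets the
# firewall's public address as source (the SNAT line in the thread's listing).
snat_rule() {
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
}

# Load (or, in dry-run mode, print) the whole set in order.
load_rules() {
    dnat_rule
    forward_rules
    snat_rule
}

load_rules
```

Run it as `IPTABLES=/sbin/iptables sh rc.portforward.sh` (as root) to load the rules, or without the variable to read them first. When checking the result, use `iptables -L -v -n` rather than plain `iptables -L`: without `-v` the listing hides the in/out interface matches, which is why the FORWARD listing in the thread cannot tell you whether its second ACCEPT is limited to the LAN interface, and `-n` avoids the reverse DNS lookups that turned the firewall's address into `as17-3-2.ld.bonet.se` in the attachment.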