RE: Port forward

RE: Port forward

[ASC - Ronald Roeleveld]

[-- Attachment #1: Type: text/plain, Size: 2918 bytes --]

Thanks a lot the error message is gone now,
after I changed the line to:
iptables -t nat -A PREROUTING -p tcp --destination-port 25 -i eth0 -j DNAT
--to-destination 192.168.22.6:25

But when I do iptables --list
I dont see any entrys in the chain for PREROUTING

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.32.6         anywhere           tcp dpt:ssh
ACCEPT     udp  --  192.168.32.6         anywhere           udp dpt:ssh
ACCEPT     tcp  --  192.168.22.6         anywhere           tcp dpt:ssh
ACCEPT     udp  --  192.168.22.6         anywhere           udp dpt:ssh
ACCEPT     tcp  --  thamaster.xs4all.nl  anywhere           tcp dpt:ssh
ACCEPT     udp  --  thamaster.xs4all.nl  anywhere           udp dpt:ssh
ACCEPT     tcp  --  192.168.22.0/24      anywhere           tcp dpt:www
ACCEPT     udp  --  192.168.22.0/24      anywhere           udp dpt:www
ACCEPT     tcp  --  localnet/24          anywhere           tcp dpt:www
ACCEPT     udp  --  localnet/24          anywhere           udp dpt:www
ACCEPT     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere           tcp
flags:SYN,RST,ACK/SYN

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere           tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere           state
ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere           tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS     tcp  --  anywhere             anywhere           tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain PREROUTING (0 references)
target     prot opt source               destination

Regards,



Ronald Roeleveld 
System Administrator 

ASCINTERNATIONAL 
Vlietweg 17c, 2266 KA, Leidschendam, The Netherlands 
Tel. +31 (0)70 3178400, Fax +31 (0)70 3204760
E-mail: r.roeleveld@ascinternational.nl
<mailto:r.roeleveld@ascinternational.nl> , Website:
http://www.ascinternational.nl <http://www.ascinternational.nl>  

 
 
 


-----Original Message-----
From: Eric Leblond [ mailto:eleblond@init-sys.com
<mailto:eleblond@init-sys.com> ]
Sent: dinsdag 4 februari 2003 11:49
To: ASC - Ronald Roeleveld
Subject: Re: Port forward


On Tue, 2003-02-04 at 11:31, ASC - Ronald Roeleveld wrote:
> Hi all,
> 
> Iam trying to set up a port forward for several hours now, but I don't
> seem to get it working right.
> When I type the following command:
> iptables -A PREROUTING -p tcp --destination-port 25 -i eth0 -j DNAT
> --to-destination 192.168.22.6:25

you forget to specify that you work on the NAT table so add
-t nat
ou your line

--
Éric Leblond
courriel : eleblond@init-sys.com



[-- Attachment #2: Type: text/html, Size: 6316 bytes --]

RE : Port forward

[Franck]

> Thanks a lot the error message is gone now,
> after I changed the line to:
> iptables -t nat -A PREROUTING -p tcp --destination-port 25 -i eth0 -j
DNAT --to-destination 192.168.22.6:25

> But when I do iptables --list
> I dont see any entrys in the chain for PREROUTING

You must specify that you want to list the content of the nat table....

iptables -t nat --list

Re: Port forward

[Sven Schuster]

ASC - Ronald Roeleveld wrote:

 > Thanks a lot the error message is gone now,
 > after I changed the line to:
 > iptables -t nat -A PREROUTING -p tcp --destination-port 25 -i eth0 -j
 > DNAT --to-destination 192.168.22.6:25
 >
 > But when I do iptables --list
 > I dont see any entrys in the chain for PREROUTING
 >
You need to put in the "-t nat" here too to show the nat table:

iptables -t nat --list

Sven

Messages to console

[Len L.]

[-- Attachment #1: Type: text/plain, Size: 403 bytes --]

Hey guys,
 
Not a killer, but I get all the iptable log messages to /dev/console.  I can not find where to control this.  I checked /etc/syslog.conf, but kernal messages was turned off (in fact if I turn kernal logging on I get duplicate messages to the console).  I also did man on iptables, but I do not see any reference to logging to /dev/console 
 
Can anyone point me in the right direction?

[-- Attachment #2: Type: text/html, Size: 654 bytes --]

Re: Messages to console

[André Valente]

hi,

I also had that problem.
i fixed it adding this to the crontab (executing hourly)
/bin/dmesg -n 1

If anyone has a better solution, I would also apreciate.

I don't know if this is a iptables, syslog or other bug.

Thanks
A.V.


On Mon, Aug 18, 2003 at 05:29:13PM -0500, Len L. wrote:
> Hey guys,
>  
> Not a killer, but I get all the iptable log messages to /dev/console.  I can not find where to control this.  I checked /etc/syslog.conf, but kernal messages was turned off (in fact if I turn kernal logging on I get duplicate messages to the console).  I also did man on iptables, but I do not see any reference to logging to /dev/console 
>  
> Can anyone point me in the right direction?

Port forward

[Rimas]

Hi folks,

I have some strange problem with IP forwarding.

Recently I did my work Firewall clean update (migrated from RedHat to
Slackware kernel 2.4.21 with the same configuration like RedHat) and after
this
does not work forward of IP 47 (gre) and tcp 1723 (PPTP) to local network.

The error messages you can see below:

tcpdump -i eth0 | grep pptp
tcpdump: listening on eth0
21:02:09.046791 client_Linux_box_server.3801 > server_Linux_box.pptp: S
2100045603:2100045603(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:02:09.047301 server_Linux_box.pptp > client_Linux_box_server.3801: S
3455313091:3455313091(0) ack 2100045604 win 64240 <mss 1460,nop,nop,sackOK>
(DF)
21:02:09.096249 client_Linux_box_server.3801 > server_Linux_box.pptp: P
1:157(156) ack 1 win 64240: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0)
FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp] (DF)
21:02:09.096561 server_Linux_box.pptp > client_Linux_box_server.3801: P
1:157(156) ack 157 win 64084: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0)
RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0)
FIRM_REV(2195) [|pptp] (DF)
21:02:09.144887 client_Linux_box_server.3801 > server_Linux_box.pptp: P
157:325(168) ack 157 win 64084: pptp CTRL_MSGTYPE=OCRQ CALL_ID(49152)
CALL_SER_NUM(26411) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any)
FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp] (DF)
21:02:09.146488 server_Linux_box.pptp > client_Linux_box_server.3801: P
157:189(32) ack 325 win 63916: pptp CTRL_MSGTYPE=OCRP CALL_ID(999)
PEER_CALL_ID(49152) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0)
CONN_SPEED(13277755) RECV_WIN(16384) PROC_DELAY(0) PHY_CHAN_ID(0) (DF)
21:02:11.489923 client_Linux_box_server.3801 > server_Linux_box.pptp: P
157:325(168) ack 157 win 64084: pptp CTRL_MSGTYPE=OCRQ CALL_ID(49152)
CALL_SER_NUM(26411) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any)
FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp] (DF)
21:02:11.490227 server_Linux_box.pptp > client_Linux_box_server.3801: . ack
325 win 63916 (DF)
21:02:11.569977 server_Linux_box.pptp > client_Linux_box_server.3801: P
157:189(32) ack 325 win 63916: pptp CTRL_MSGTYPE=OCRP CALL_ID(999)
PEER_CALL_ID(49152) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0)
CONN_SPEED(13277755) RECV_WIN(16384) PROC_DELAY(0) PHY_CHAN_ID(0) (DF)
21:02:11.618680 client_Linux_box_server.3801 > server_Linux_box.pptp: P
325:349(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(999)
SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff) (DF)
21:02:11.788688 server_Linux_box.pptp > client_Linux_box_server.3801: . ack
349 win 63892 (DF)
21:02:48.756981 client_Linux_box_server.3801 > server_Linux_box.pptp: P
349:365(16) ack 189 win 64052: pptp CTRL_MSGTYPE=CCRQ CALL_ID(49152) (DF)
21:02:48.975669 server_Linux_box.pptp > client_Linux_box_server.3801: . ack
365 win 63876 (DF)
21:02:49.758111 client_Linux_box_server.3801 > server_Linux_box.pptp: P
365:381(16) ack 189 win 64052: pptp CTRL_MSGTYPE=StopCCRQ REASON(1) (DF)
21:02:49.758413 server_Linux_box.pptp > client_Linux_box_server.3801: P
189:205(16) ack 381 win 63860: pptp CTRL_MSGTYPE=StopCCRP RESULT_CODE(1)
ERR_CODE(0) (DF)
21:02:49.798872 client_Linux_box_server.3801 > server_Linux_box.pptp: F
381:381(0) ack 205 win 64036 (DF)
21:02:49.799120 server_Linux_box.pptp > client_Linux_box_server.3801: F
205:205(0) ack 382 win 63860 (DF)
21:02:49.833800 client_Linux_box_server.3801 > server_Linux_box.pptp: . ack
206 win 64036 (DF)





Any ideas?



Thanks in advance





Remus

RE: Port forward

[ASC - Ronald Roeleveld]

Why I used telnet was just for testing. I wanted to test to make sure that
if I connected to port 25 with telnet to my firewall that it redirected me
to the mail server. And as it seems it doesn't work, because I get an error
that no connection can me estabslihed. And offcource for management purpose
I use SSH..:)


-----Original Message-----
From: saint [mailto:nagajuna@optushome.com.au]
Sent: dinsdag 4 februari 2003 14:31
To: ASC - Ronald Roeleveld; Netfilter Mailing List
Subject: RE: Port forward


I don't know what your setup is but I myself explicitly FORWARD
things to telnet:

e.g:

# Allow access to machines from the private LAN: 
iptables -A FORWARD -i INTERFACE_CONCERNED -o OUTPUT_INTERFACE -p tcp \
	 -s $LAN_MACHINES --sport $UN_PRIVILEGED_PORTS \
	 -d $DESTINATION_ADDRESS --dport 23 \
	 -m state --state NEW -j ACCEPT

you get the hint.

Any way why use telnet? I recommend secure shell (tcp port 22).

Santos.

Security is a blessing.
	 

RE: Port forward

[Eugene Joubert]

[-- Attachment #1: Type: text/plain, Size: 2670 bytes --]

If you port forwarding happens from outside your linux box going inside your
network you should telnet from an external address to your linux ip on port
25. Also with every PREROUTING entry you would have to have an entry in your
FORWARD chain. This is if your FORWARD default policy is set to drop. If you
have the default policy on your FORWARD chain set to ACCEPT then you DON'T
have to specifically add it.
 
eg iptables -A FORWARD -p tcp -i eth0 -o eth1 -s 0/0 --dport 25 -j ACCEPT
 
Hope this helps
 
PS: Remeber you have to come in from outside your network to test this rule

-----Original Message-----
From: ASC - Ronald Roeleveld [mailto:r.roeleveld@ascinternational.nl] 
Sent: 04 02 2003 15:11 PM
To: 'Eugene Joubert'
Cc: 'netfilter@lists.netfilter.org'
Subject: RE: Port forward


Thanks a lot everyone for the emails...
I did iptables -t nat --list and it now gives me this output:
DNAT       tcp  --  anywhere             anywhere           tcp dpt:smtp
to:192.168.22.6:25
But when I tried to telnet from another machine to 192.168.22.5 port 25 (the
ip of the netfilter firewall/router) it didn't work at all..Do there has to
be a line somewhere that says it's allowed to forward these connections?
 
Regards,
 
Ronald.

-----Original Message-----
From: Eugene Joubert [mailto:eugenej@centratel.co.za]
Sent: dinsdag 4 februari 2003 11:41
To: 'ASC - Ronald Roeleveld';       
Subject: RE: Port forward


remember that you are using DNAT so you would have to specify the -t nat
switch in your line.
 
eg 
 
iptables -t nat -A PREROUTING -p tcp -s 0/0 --dport 25 -i eth0 -j DNAT --to
192.168.22.6:25
 
Hope this helps

-----Original Message-----
From: ASC - Ronald Roeleveld [mailto:r.roeleveld@ascinternational.nl] 
Sent: 04 02 2003 12:31 PM
To: 'netfilter@lists.netfilter.org'
Subject: Port forward


Hi all,
 
Iam trying to set up a port forward for several hours now, but I don't seem
to get it working right.
When I type the following command:
iptables -A PREROUTING -p tcp --destination-port 25 -i eth0 -j DNAT
--to-destination 192.168.22.6:25
I get this output:
iptables: Invalid argument
I did do iptables -X PREROUTING so the chain does exist.
Can anyone please help me out..
What I want is that all incoming connections on eth0 on port 25 are routed
to another machine on the internal network 192.168.22.6
 
Thanks in advance,
Ronald Roeleveld 
System Administrator 

ASCINTERNATIONAL 
Vlietweg 17c, 2266 KA, Leidschendam, The Netherlands 
Tel. +31 (0)70 3178400, Fax +31 (0)70 3204760
E-mail: r.roeleveld@ascinternational.nl
<mailto:r.roeleveld@ascinternational.nl> , Website:
http://www.ascinternational.nl <http://www.ascinternational.nl/>  

 


[-- Attachment #2: Type: text/html, Size: 7880 bytes --]

RE: Port forward

[ASC - Ronald Roeleveld]

[-- Attachment #1: Type: text/plain, Size: 1877 bytes --]

Thanks a lot everyone for the emails...
I did iptables -t nat --list and it now gives me this output:
DNAT       tcp  --  anywhere             anywhere           tcp dpt:smtp
to:192.168.22.6:25
But when I tried to telnet from another machine to 192.168.22.5 port 25 (the
ip of the netfilter firewall/router) it didn't work at all..Do there has to
be a line somewhere that says it's allowed to forward these connections?
 
Regards,
 
Ronald.

-----Original Message-----
From: Eugene Joubert [mailto:eugenej@centratel.co.za]
Sent: dinsdag 4 februari 2003 11:41
To: 'ASC - Ronald Roeleveld';       
Subject: RE: Port forward


remember that you are using DNAT so you would have to specify the -t nat
switch in your line.
 
eg 
 
iptables -t nat -A PREROUTING -p tcp -s 0/0 --dport 25 -i eth0 -j DNAT --to
192.168.22.6:25
 
Hope this helps

-----Original Message-----
From: ASC - Ronald Roeleveld [mailto:r.roeleveld@ascinternational.nl] 
Sent: 04 02 2003 12:31 PM
To: 'netfilter@lists.netfilter.org'
Subject: Port forward


Hi all,
 
Iam trying to set up a port forward for several hours now, but I don't seem
to get it working right.
When I type the following command:
iptables -A PREROUTING -p tcp --destination-port 25 -i eth0 -j DNAT
--to-destination 192.168.22.6:25
I get this output:
iptables: Invalid argument
I did do iptables -X PREROUTING so the chain does exist.
Can anyone please help me out..
What I want is that all incoming connections on eth0 on port 25 are routed
to another machine on the internal network 192.168.22.6
 
Thanks in advance,
Ronald Roeleveld 
System Administrator 

ASCINTERNATIONAL 
Vlietweg 17c, 2266 KA, Leidschendam, The Netherlands 
Tel. +31 (0)70 3178400, Fax +31 (0)70 3204760
E-mail: r.roeleveld@ascinternational.nl
<mailto:r.roeleveld@ascinternational.nl> , Website:
http://www.ascinternational.nl <http://www.ascinternational.nl/>  

 


[-- Attachment #2: Type: text/html, Size: 5956 bytes --]

Re: Port forward

[Patrick Maartense]

do you have MASQERADE out aktive?

for the mailserver the traffic seems to come from the internet , remeber
that yout FW needs masquerading to be aktive and the gateway of your
mailserver needs to be
the firewall



ASC - Ronald Roeleveld wrote:

>  Thanks a lot everyone for the emails...I did iptables -t nat --list
> and it now gives me this output:DNAT       tcp  --
> anywhere             anywhere           tcp dpt:smtp
> to:192.168.22.6:25But when I tried to telnet from another machine to
> 192.168.22.5 port 25 (the ip of the netfilter firewall/router) it
> didn't work at all..Do there has to be a line somewhere that says it's
> allowed to forward these connections?Regards,Ronald.
>
>      -----Original Message-----
>      From: Eugene Joubert [mailto:eugenej@centratel.co.za]
>      Sent: dinsdag 4 februari 2003 11:41
>      To: 'ASC - Ronald Roeleveld';
>      Subject: RE: Port forward
>
>      remember that you are using DNAT so you would have to
>      specify the -t nat switch in your line.eg iptables -t nat -A
>      PREROUTING -p tcp -s 0/0 --dport 25 -i eth0 -j DNAT --to
>      192.168.22.6:25Hope this helps
>
>           -----Original Message-----
>           From: ASC - Ronald Roeleveld
>           [mailto:r.roeleveld@ascinternational.nl]
>           Sent: 04 02 2003 12:31 PM
>           To: 'netfilter@lists.netfilter.org'
>           Subject: Port forward
>
>           Hi all,Iam trying to set up a port forward for
>           several hours now, but I don't seem to get it
>           working right.When I type the following
>           command:iptables -A PREROUTING -p tcp
>           --destination-port 25 -i eth0 -j DNAT
>           --to-destination 192.168.22.6:25I get this
>           output:iptables: Invalid argumentI did do iptables
>           -X PREROUTING so the chain does exist.Can anyone
>           please help me out..What I want is that all
>           incoming connections on eth0 on port 25 are routed
>           to another machine on the internal network
>           192.168.22.6Thanks in advance,Ronald Roeleveld
>           System Administrator
>
>           ASCINTERNATIONAL
>           Vlietweg 17c, 2266 KA, Leidschendam, The
>           Netherlands
>           Tel. +31 (0)70 3178400, Fax +31 (0)70 3204760
>           E-mail: r.roeleveld@ascinternational.nl, Website:
>           http://www.ascinternational.nl
>
--
-------------------------------------------------------------
Computer Service Büro ENTER
Patrick Maartense                 Tel:        +43  2236 42761
am Steinfeld 19a                  FAX:        +43 2236 893970
A-2344 Maria Enzersdorf           Mobil:      +43 664 4200656

e-mail: office@csbenter.at                 patrick@patrick.at
http://www.csbenter.at
-------------------------------------------------------------

RE: Port forward

[saint]

I don't know what your setup is but I myself explicitly FORWARD
things to telnet:

e.g:

# Allow access to machines from the private LAN: 
iptables -A FORWARD -i INTERFACE_CONCERNED -o OUTPUT_INTERFACE -p tcp \
	 -s $LAN_MACHINES --sport $UN_PRIVILEGED_PORTS \
	 -d $DESTINATION_ADDRESS --dport 23 \
	 -m state --state NEW -j ACCEPT

you get the hint.

Any way why use telnet? I recommend secure shell (tcp port 22).

Santos.

Security is a blessing.
	 

RE: Port forward

[Eugene Joubert]

[-- Attachment #1: Type: text/plain, Size: 1253 bytes --]

remember that you are using DNAT so you would have to specify the -t nat
switch in your line.
 
eg 
 
iptables -t nat -A PREROUTING -p tcp -s 0/0 --dport 25 -i eth0 -j DNAT --to
192.168.22.6:25
 
Hope this helps

-----Original Message-----
From: ASC - Ronald Roeleveld [mailto:r.roeleveld@ascinternational.nl] 
Sent: 04 02 2003 12:31 PM
To: 'netfilter@lists.netfilter.org'
Subject: Port forward


Hi all,
 
Iam trying to set up a port forward for several hours now, but I don't seem
to get it working right.
When I type the following command:
iptables -A PREROUTING -p tcp --destination-port 25 -i eth0 -j DNAT
--to-destination 192.168.22.6:25
I get this output:
iptables: Invalid argument
I did do iptables -X PREROUTING so the chain does exist.
Can anyone please help me out..
What I want is that all incoming connections on eth0 on port 25 are routed
to another machine on the internal network 192.168.22.6
 
Thanks in advance,
Ronald Roeleveld 
System Administrator 

ASCINTERNATIONAL 
Vlietweg 17c, 2266 KA, Leidschendam, The Netherlands 
Tel. +31 (0)70 3178400, Fax +31 (0)70 3204760
E-mail: r.roeleveld@ascinternational.nl
<mailto:r.roeleveld@ascinternational.nl> , Website:
http://www.ascinternational.nl <http://www.ascinternational.nl/>  

 


[-- Attachment #2: Type: text/html, Size: 3942 bytes --]

Port forward

[ASC - Ronald Roeleveld]

[-- Attachment #1: Type: text/plain, Size: 855 bytes --]

Hi all,
 
Iam trying to set up a port forward for several hours now, but I don't seem
to get it working right.
When I type the following command:
iptables -A PREROUTING -p tcp --destination-port 25 -i eth0 -j DNAT
--to-destination 192.168.22.6:25
I get this output:
iptables: Invalid argument
I did do iptables -X PREROUTING so the chain does exist.
Can anyone please help me out..
What I want is that all incoming connections on eth0 on port 25 are routed
to another machine on the internal network 192.168.22.6
 
Thanks in advance,
Ronald Roeleveld 
System Administrator 

ASCINTERNATIONAL 
Vlietweg 17c, 2266 KA, Leidschendam, The Netherlands 
Tel. +31 (0)70 3178400, Fax +31 (0)70 3204760
E-mail: r.roeleveld@ascinternational.nl
<mailto:r.roeleveld@ascinternational.nl> , Website:
http://www.ascinternational.nl <http://www.ascinternational.nl/>  

 

[-- Attachment #2: Type: text/html, Size: 2524 bytes --]