Linux Netfilter discussions
* PCAnywhere and netfilter
@ 2003-06-27  9:22 cc
  2003-06-27  9:46 ` Chris Wilson
From: cc @ 2003-06-27  9:22 UTC (permalink / raw)
  To: netfilter

Hi,

I am having some troubles figuring out how to get a remote
PCAnywhere station log onto a local pcanywhere station.

Here's my config:

Firewall  :  (eth0 : external IP) - a.b.c.d
             (eth1 : internal IP - 192.168.5.17)
Int IP (one with PCAnywhere) : 192.168.5.31

Here's my attempt at a netfilter script for this:

iptables -A INPUT -i eth0 -d 192.168.5.31 -p tcp --dport "5631:5632" \
	-j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.5.31 -p udp --dport "5631:5632" \
	-j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p tcp --dport "5631:5632" \
	-j DNAT --to 192.168.5.31
iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p udp --dport "5631:5632" \
	-j DNAT --to 192.168.5.31


I actually got this off the net and am still trying to dissect it.
Am I supposed to have Output, or just forward chains since in essence
I'm just forwarding the PCA packets to a different station?

I'm still barely understanding netfilter.  For the other services
(smtp, www, etc...) they are working.  I don't understand why I'm
having so much trouble with PCAnywhere.

Thanks

Edmund



* Re: PCAnywhere and netfilter
  2003-06-27  9:22 cc
@ 2003-06-27  9:46 ` Chris Wilson
From: Chris Wilson @ 2003-06-27  9:46 UTC (permalink / raw)
  To: cc; +Cc: netfilter

Hi Edmund,

> I am having some troubles figuring out how to get a remote
> PCAnywhere station log onto a local pcanywhere station.
[...]
> Here's my attempt at a netfilter script for this:
> 
> iptables -A INPUT -i eth0 -d 192.168.5.31 -p tcp --dport "5631:5632" \
> 	-j ACCEPT
> iptables -A INPUT -i eth0 -d 192.168.5.31 -p udp --dport "5631:5632" \
> 	-j ACCEPT

I think this is wrong. You need to put the rules in FORWARD, since having 
been DNAT'ed, the packet is no longer destined for the local host, and 
will be routed by the machine. The rules you need are:

iptables -A FORWARD -i eth0 -d 192.168.5.31 -p tcp --dport "5631:5632" \
	-j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.5.31 -p udp --dport "5631:5632" \
	-j ACCEPT

In fact you can make this tighter as well, since pcAnywhere uses only UDP 
port 5632 and TCP port 5631:

iptables -A FORWARD -i eth0 -d 192.168.5.31 -p tcp --dport 5631 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.5.31 -p udp --dport 5632 -j ACCEPT

> iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p tcp --dport "5631:5632" \
> 	-j DNAT --to 192.168.5.31
> iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p udp --dport "5631:5632" \
> 	-j DNAT --to 192.168.5.31

These rules are correct, although you can tighten them up in the same way 
as above.

> I actually got this off the net and am still trying to disect it.
> Am I supposed to have Output, or just forward chains since in essence
> I'm just forwarding the PCA packets to a different station?

Just FORWARD. The packets will never go into INPUT nor will the replies go 
out of OUTPUT.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |


* Re: PCAnywhere and netfilter
       [not found] <3F00135A.5070707@belfordhk.com>
@ 2003-06-30 12:27 ` Chris Wilson
  2003-07-02  4:21   ` cc
From: Chris Wilson @ 2003-06-30 12:27 UTC (permalink / raw)
  To: cc; +Cc: netfilter

Hi Edmund,

On Mon, 30 Jun 2003, cc wrote:

> ACCEPT     tcp  --  anywhere             192.168.5.31       tcp dpt:5631
> ACCEPT     udp  --  anywhere             192.168.5.31       udp dpt:5632
> ACCEPT     tcp  --  192.168.5.31         anywhere           tcp dpt:5631
> ACCEPT     udp  --  192.168.5.31         anywhere           udp dpt:5632

Is this a listing from FORWARD or PREROUTING? In fact, could you send 
the output of "iptables -L -n -v" and "iptables -t nat -L -n -v"?

> I've even modified the script to the following:
> (Yes, it is a trial and error effort as I've exhausted
> my limited knowledge in what's going on.)
> 
> PC_INT_IP="192.168.5.31"
> EX_IP="aa.bb.cc.dd"
> 
> $IPTABLES -t nat -A PREROUTING -i eth0 -d $EX_IP -p tcp \
>           --dport 5631 -j DNAT --to $PC_INT_IP
> $IPTABLES -t nat -A PREROUTING -i eth0 -d $EX_IP -p udp \
>           --dport 5632 -j DNAT --to $PC_INT_IP

Which interface is your external, and which is internal? If eth0 is 
external, and you have an ACCEPT ESTABLISHED rule, then all you need is 
the two rules above, and:

> $IPTABLES -A FORWARD -i eth0 -d $PC_INT_IP -p tcp --dport 5631 -j ACCEPT
> $IPTABLES -A FORWARD -i eth0 -d $PC_INT_IP -p udp --dport 5632 -j ACCEPT

> Here's where I'm completely confused.  Let's say:
>  I = some Internet IP
>  L = some LAN IP
> Fo = firewall's external IP,
> Fi = firewall's internal IP
>  P = PCAnywhere machine.
> 
> I -> Fo -> Fi -> P

I think this is the wrong way to look at NAT, although it's probably OK 
for routing.

Basically there are 3 stages:

- Packet arrives at machine (destination field is EX_IP)
- Packet passes through PREROUTING which rewrites the destination to 
  PC_INT_IP. The source address is not changed and the Firewall internal 
  IP (Fi) is not involved.
- Packet passes through FORWARD and is filtered based on the NEW 
  destination IP address (PC_INT_IP)

The reply packets should be covered by an ESTABLISHED rule, if any.

You could try to telnet from outside to EX_IP port 5631. If it says "Press 
[ENTER]" then your rules are OK. If it gives "Connection refused" then the 
internal machine is not listening. If it times out after 30 seconds then 
the NAT is still broken.

Please send tcpdumps of internal interface, along with "iptables -L ..."
as requested above.

> Does anyone have a working PCAnywhere-permitted firewall script?

Not a script, but it works for us here.

I've added netfilter@lists.netfilter.org back onto the CC: list, so that 
you can benefit from the advice of others as well as me, and our 
discussion should be recorded to help others in future.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
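The rule set both of Chris's replies describe (DNAT in PREROUTING, filtering in FORWARD rather than INPUT, replies carried by an ESTABLISHED rule, and only TCP 5631 / UDP 5632 opened), written out as one script. This is an added example, not code from the thread or from either poster. The variable names (EXT_IF, EXT_IP, PCA_IP, REMOTE_IP, IPTABLES) are assumptions; the addresses default to the placeholders used above, and the optional REMOTE_IP source restriction is an addition the thread does not discuss. The script prints the commands rather than applying them, so the generated rules can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the netfilter rules for
# exposing an internal pcAnywhere host (TCP 5631, UDP 5632) through a DNAT
# on the firewall's external address, following the three stages in Chris
# Wilson's reply.  Every variable name is an assumption; the addresses
# default to the placeholders used in the thread.

EXT_IF="${EXT_IF:-eth0}"            # external interface (assumed)
EXT_IP="${EXT_IP:-a.b.c.d}"         # firewall's public address (placeholder)
PCA_IP="${PCA_IP:-192.168.5.31}"    # internal pcAnywhere station
REMOTE_IP="${REMOTE_IP:-}"          # optional: only this source may connect
IPTABLES="${IPTABLES:-iptables}"

# Prints the commands instead of running them, so they can be reviewed
# first (build_rules) and applied afterwards (build_rules | sh).
build_rules() {
    # Restrict the source when the remote station's address is known, so
    # pcAnywhere's own login is not the only thing between the Internet
    # and the LAN host.
    src=""
    if [ -n "$REMOTE_IP" ]; then
        src="-s $REMOTE_IP "
    fi

    # The box must route, and FORWARD must default to deny so the ACCEPT
    # rules below are the only way in.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "$IPTABLES -P FORWARD DROP"

    # Stage 2: PREROUTING rewrites the destination before the routing
    # decision.  The source address is untouched and the firewall's
    # internal address never appears in these rules.
    echo "$IPTABLES -t nat -A PREROUTING -i $EXT_IF ${src}-d $EXT_IP -p tcp --dport 5631 -j DNAT --to-destination $PCA_IP"
    echo "$IPTABLES -t nat -A PREROUTING -i $EXT_IF ${src}-d $EXT_IP -p udp --dport 5632 -j DNAT --to-destination $PCA_IP"

    # Stage 3: the packet is now addressed to $PCA_IP, so it traverses
    # FORWARD, not INPUT.  Replies and the rest of each session ride on
    # conntrack state (modern iptables also accepts -m conntrack --ctstate).
    echo "$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPTABLES -A FORWARD -i $EXT_IF ${src}-d $PCA_IP -p tcp --dport 5631 -m state --state NEW -j ACCEPT"
    echo "$IPTABLES -A FORWARD -i $EXT_IF ${src}-d $PCA_IP -p udp --dport 5632 -m state --state NEW -j ACCEPT"
}

# Counts the generated rules appended to a given chain; a quick sanity
# check that nothing landed in INPUT by mistake.
rules_in_chain() {
    build_rules | grep -c -- "-A $1 " || true
}

# Dry run when executed directly: show what would be applied.
build_rules
```

Review the output, then apply it with `build_rules | sh` and test from outside exactly as suggested above: telnet to the external address on 5631 and read the result (banner: rules fine; "Connection refused": the internal host is not listening; timeout: the DNAT or FORWARD path is still wrong). Two caveats this thread's resolution illustrates: the internal pcAnywhere host's default route must point back at this firewall, otherwise its replies leave through another router and the connection never completes; and these rules only handle traffic arriving on the external interface, so connecting from a LAN workstation to the external address is not a valid test of them.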

* Re: PCAnywhere and netfilter
  2003-06-30 12:27 ` PCAnywhere and netfilter Chris Wilson
@ 2003-07-02  4:21   ` cc
From: cc @ 2003-07-02  4:21 UTC (permalink / raw)
  To: Chris Wilson, netfilter

Chris Wilson wrote:

Hi Chris!

Just want to update that it's now working!  There were
a few issues that contributed to me having so much
trouble.

1) We were running two different broadband suppliers.
   One was being phased out while the other was being
   phased in. :)  So the PCAnywhere system wasn't using
   the right Router (don't know if this actually makes
   any difference).

2) I was using my workstation (has PCAnywhere installed)
   to log on to the other PCAnywhere station but via the
   Internet IP and not the stated local IP.  Meaning,
   if aa.bb.cc.dd was my given Internet IP, I'd use my
   local station to access the aa.bb.cc.dd to access
   the PCAnywhere station.

(I know. Stupid, but I needed to test whether or not I could
connect.  I know using the actual machine's LAN IP works.  I
just didn't know if I could go via the External IP.

   ie.  MyMachine -> Firewall's Ext IP -> PCAnywhere.)

Anyway, it works.  I'm surprised I had so much trouble
with this.  It seemed pretty straight forward.

Thanks for all the help Chris!

Edmund


-- 
email: cc@belfordhk.com  | "A man who knows not where he goes,
                         |  knows not when he arrives."
                         |                - Anon
