Port Forwarding with iptables

Port Forwarding with iptables

[Wilson Mak]

Hi all,

I like to do the portforwarding with iptables(forward web traffic of an 
alias IP - <ext ip> to internal web server).  Here is what I have:

iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
DNAT --to 10.1.0.12:80
iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
--state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
state --state NEW -j ACCEPT

However, it keep droping the packets when getting to the NAT box.

Logs
====
(With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptable -A FORWARD -j DROP)

kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
WINDOW=64240 RES=0x00 SYN URGP=0

Any clues?  Did I miss something here?

Thanks,
Wilson

RE: Port Forwarding with iptables

[Jason Opperisano]

> Hi all,
>
> I like to do the portforwarding with iptables(forward web traffic of an
> alias IP - <ext ip> to internal web server).  Here is what I have:
>
> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80

ok

> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT

um--nope.  the packets are going to be FORWARD-ed--they will never be seen by the INPUT chain.

> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT

hmm...let's hold off on this for a sec...

> However, it keep droping the packets when getting to the NAT box.
>
> Logs
> ====
> (With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptable -A FORWARD -j DROP)
>
> kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
> TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
> WINDOW=64240 RES=0x00 SYN URGP=0
>
> Any clues?  Did I miss something here?

yeah--read that log entry.  now look at your FORWARD rule.  now read that log entry again.  got it?

no?  ok...  look at the "-d <ext ip>" in the rule and the "DST=10.1.0.12" in the log entry.

DNAT happens in PREROUTING; as in, "before routing"--so any FORWARD rules will see the DNAT-ed address, not the original dest IP.  try:

  iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 \
    --dport 80 -m state --state NEW -j ACCEPT

hopefully you also something along the lines of this somewhere as well:

  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-j

Re: Port Forwarding with iptables

[George Alexandru Dragoi]

On Thu, 19 Aug 2004 18:57:59 +0800, Wilson Mak
<wilson.mak@digitalview.com> wrote:
> Hi all,
> 
> I like to do the portforwarding with iptables(forward web traffic of an
> alias IP - <ext ip> to internal web server).  Here is what I have:
> 
> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80
> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT
Take a look at -d param



> However, it keep droping the packets when getting to the NAT box.
> 
> Logs
> ====
> (With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptable -A FORWARD -j DROP)
> 
> kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
> TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
> WINDOW=64240 RES=0x00 SYN URGP=0
Now look at DST,

Q: Do they match? :)

 
> Any clues?  Did I miss something here?
> 
> Thanks,
> Wilson
> 
> 


-- 
Bla bla

Re: Port Forwarding with iptables

[Nick Drage]

On Thu, Aug 19, 2004 at 06:57:59PM +0800, Wilson Mak wrote:
> Hi all,
> 
> I like to do the portforwarding with iptables(forward web traffic of an 
> alias IP - <ext ip> to internal web server).  Here is what I have:
> 
> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80
> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT
> 
> However, it keep droping the packets when getting to the NAT box.
> 
> Logs
> ====
> (With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptable -A FORWARD -j DROP)
> 
> kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
> TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
> WINDOW=64240 RES=0x00 SYN URGP=0
> 
> Any clues?  Did I miss something here?

( caveat, this is a quick email during a lunch break at work, so it's
all "best guess" )

The rules in the PREROUTING table are executed before those in the
FORWARD table, so the packet has a destination of 10.1.0.12 when it hits
the FORWARD table.  So your third line should be

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m
state --state NEW -j ACCEPT

Let me know how you get on :)


-- 
"I think a church with a lightning rod shows a decided lack of confidence"

Re: Port Forwarding with iptables

[Alejandro Flores]

	Hello Wilson,

> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80

	That's ok.

> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT

	This rule is only necessary if you have a webserver running on you
firewall. 

> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT

	Ops. You made a mistake. You have added a rule which changes the
destination IP address to your internal webserver, remember? Your
forward rule must specify the internal address as destination.
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12/32 --dport 80
--syn -j ACCEPT

Regards,
-- 
--
Alejandro Flores
http://www.triforsec.com.br/
http://www.defenselayer.com/
http://www.nabucodonosor.com/

Re: Port Forwarding with iptables

[Wilson Mak]

Nick Drage wrote:

>On Thu, Aug 19, 2004 at 06:57:59PM +0800, Wilson Mak wrote:
>  
>
>>Hi all,
>>
>>I like to do the portforwarding with iptables(forward web traffic of an 
>>alias IP - <ext ip> to internal web server).  Here is what I have:
>>
>>iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
>>DNAT --to 10.1.0.12:80
>>iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
>>--state NEW -j ACCEPT
>>iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
>>state --state NEW -j ACCEPT
>>
>>However, it keep droping the packets when getting to the NAT box.
>>
>>Logs
>>====
>>(With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptable -A FORWARD -j DROP)
>>
>>kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
>>TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
>>WINDOW=64240 RES=0x00 SYN URGP=0
>>
>>Any clues?  Did I miss something here?
>>    
>>
>
>( caveat, this is a quick email during a lunch break at work, so it's
>all "best guess" )
>
>The rules in the PREROUTING table are executed before those in the
>FORWARD table, so the packet has a destination of 10.1.0.12 when it hits
>the FORWARD table.  So your third line should be
>
>iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m
>state --state NEW -j ACCEPT
>
>Let me know how you get on :)
>
>
>  
>
Thanks for all who help on this issue.  I mis-type the rule here.  Yes 
you guys are right, the rule should be: -d 10.1.0.12.  But still it 
doesn't work.  Do I need to enable something in the kernel when using 
Port-Forwarding?

Here are what I have now
===================
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -t nat -A PREROUTING -i eth0 -d <ext ip - an alias ip>  -p tcp 
--dport 80 -j DNAT --to 10.1.0.12:80
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m 
state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state --state 
NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state 
ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Many thanks,
Wilson  

Re: Port Forwarding with iptables

[Nick Drage]

On Fri, Aug 20, 2004 at 06:06:38PM +0800, Wilson Mak wrote:
> Nick Drage wrote:

Excuse the short answer...

> Thanks for all who help on this issue.  I mis-type the rule here.  Yes 
> you guys are right, the rule should be: -d 10.1.0.12.  But still it 
> doesn't work.  Do I need to enable something in the kernel when using 
> Port-Forwarding?

Try:

echo 1 > /proc/sys/net/ipv4/ip_forward

If you google for that you should find an explanation :)

-- 
"I think a church with a lightning rod shows a decided lack of confidence"

Re: Port Forwarding with iptables

[Wilson Mak]

Nick Drage wrote:

>On Fri, Aug 20, 2004 at 06:06:38PM +0800, Wilson Mak wrote:
>  
>
>>Nick Drage wrote:
>>    
>>
>
>Excuse the short answer...
>
>  
>
>>Thanks for all who help on this issue.  I mis-type the rule here.  Yes 
>>you guys are right, the rule should be: -d 10.1.0.12.  But still it 
>>doesn't work.  Do I need to enable something in the kernel when using 
>>Port-Forwarding?
>>    
>>
>
>Try:
>
>echo 1 > /proc/sys/net/ipv4/ip_forward
>
>If you google for that you should find an explanation :)
>
>  
>
Yap! I did set this bit to 1.  Any other stuffs I missed?  That's 
absolutely weird.  It used to work perfectly with ipchains plus 
ipmasqadm.  Actually, the packets did forward to the internal server ( I 
capture the packets with ethereal), but looks like the response packets 
can't get through the NAT box.

Thanks,
Wilson