Re: port forwarding partially working (SOLVED)

["Raul I. Becette" <raulbecette@unp.edu.ar>]

Raul I. Becette wrote:

> Cedric Blancher wrote:
>
>> Le mercredi 16 février 2005 à 17:58 -0300, Raul I. Becette a écrit :
>>  
>>
>>> I am having trouble forwarding ports to internal servers.
>>> $IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 1024 -j ACCEPT
>>> $IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1024 -j 
>>> DNAT --to $SERV_BIBL:110
>>> works ok when I telnet $PUB_IF 1024. I got redirected to the POP 
>>> server with no problems.
>>>   
>>
>>
>> I should not.
>>  
>>
> How can I accomplish the port forwarding for the services?
>
> What I want to do is assign ports 1024-1030 to redirect services for 
> $SERV_BIBL, ports 1031-1039 to redirect services for $SERV_ING and so on.
>
>> If you DNAT your connexion to $PUB_IF port 1024 to $SERV_BIBL:110, then
>> your FORWARD chain will see a packet to destined to port 110, not 1024.
>> If you just look at Netfilter architecture, you will see FORWARD chain
>> traversal occurs _after_ PREROUTING traversal. Thus, packets are already
>> NDATed and have their destination modified when hitting FORWARD rules.
>>
>> That's why, in order to accept your DNATed connection, you should have :
>>
>> $IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
>>
>> If it works anyway, it means you must have some kind of overlaping rule
>> that accidentally accepts thoses packets.
>>
>> Now, going to your script, there's indeed a rule that accepts
>> destination port 110 whatever their destination is :
>>
>> $IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
>>
>> So your stuff works, but that's an accident !
>>
>>
>>  
>>
> Why is an accident?
>
> TIA
>
Hello list

I solved the problem modifying the FORWARD line adding the state of the 
connection as NEW

$IPTABLES -A FORWARD -p tcp --dport $SERVICE_PORT -m state --state NEW 
-j ACCEPT

and deleted the FORWARD lines that accepted connections with --dport 
10nn. The PREROUTING chain takes care of redirecting that port.

That part of my script now is:

# Abro el puerto de smtp para enviar los correos desde unpata hacia a La 
Gran Bestia POP
$IPTABLES -A FORWARD -i $PUB_IF -s $LAN_SMTP -p tcp --dport 25 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 25 -j DNAT --to 
$LAN_POP:25

# Abro puertos para servicios accesibles desde Internet
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 21 -m state --state NEW 
-j ACCEPT

# POP a cuentas unpata.edu.ar y unp.edu.ar
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 110 -j DNAT 
--to $LAN_POP:110

# Servicios biblioteca.unp.edu.ar
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1024 -j DNAT 
--to $SERV_BIBL:21
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1025 -j DNAT 
--to $SERV_BIBL:25
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1026 -j DNAT 
--to $SERV_BIBL:110

# Servicios ing.unp.edu.ar
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1030 -j DNAT 
--to $SERV_ING:21
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1031 -j DNAT 
--to $SERV_ING:110


I used information from the "slow ftp" thread and wondered myself "what 
if I specify the state of the connection?"
It worked.

Thanks a lot for the help

-- 


-----------------------------------------------------------------
Raul I. Becette
E-mail: raulbecette@unp.edu.ar
Area Redes y Telecomunicaciones
Univ. Nac. de la Patagonia San Juan Bosco
Ciudad Universitaria - Km.4.
9000 - Comodoro Rivadavia - Chubut
Tel/Fax : (0297) - 4550073
------------------------------------------------------------------