* Re: Port forwarding - what's wrong with my setup?
From: Nandan Bhat @ 2006-12-26 12:01 UTC (permalink / raw)
To: pascal.mail, netfilter
Hi Mr. Pascal,
Thanks for your response. I am sorry to have responded so late - I was
out of the city and had no access.
I have modified some of my script statements according to your suggestions.
I now have the port forwarding setup working to some extent.
On the 192.168.1.0/24 network, I am able to access the pop and smtp
server located at 192.168.0.10.
On the 192.168.1.0/24 network, I am able to access smtp, pop, ssh, http,
mysql servers from within the same network.
Out of curiosity, I went over to the 192.168.0.0/24 network and tried to
do a port scan for my server's external IP (192.168.0.176 - DHCP)
Using Look@LAN software on Windows XP, I saw ports 21, 25 and 110
detected during the scan, but no ICMP reply.
My knee-jerk reaction was to edit the ICMP rule for INPUT. It was
earlier above line 27.
But, what is causing ports 25 and 110 to be exposed on my server's IP?
Thanks once again,
Nandan
------ begin rc.firewall-iptables-stronger ------
01 $IPTABLES -P INPUT DROP
02 $IPTABLES -F INPUT
03 $IPTABLES -P OUTPUT DROP
04 $IPTABLES -F OUTPUT
05 $IPTABLES -P FORWARD DROP
06 $IPTABLES -F FORWARD
07 $IPTABLES -F -t nat
08 $IPTABLES -X
09 $IPTABLES -Z
10
11 $IPTABLES -N reject-and-log-it
12 $IPTABLES -A reject-and-log-it -j LOG --log-level info \
13 --log-prefix "iptables"
14 $IPTABLES -A reject-and-log-it -j REJECT
15
16 $IPTABLES -A INPUT -i lo -j ACCEPT
17
18 # for testing purpose only
19 $IPTABLES -A INPUT -p ICMP -j ACCEPT
20
21 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
22 $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j reject-and-log-it
23 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -p tcp -m multiport \
24 --dports 22,25,80,139,445,3306 -m state --state NEW -j ACCEPT
25 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -p udp -m multiport \
26 --dports 137,138 -m state --state NEW -j ACCEPT
27 $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it
28
29 $IPTABLES -A OUTPUT -p ICMP -m state --state INVALID -j DROP
30 $IPTABLES -A OUTPUT -o lo -j ACCEPT
31 $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
32 $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j reject-and-log-it
33 $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it
34
35 $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
36 --state ESTABLISHED,RELATED -j ACCEPT
37 $IPTABLES -A FORWARD -i $INTIF -p tcp -s $INTNET -d $PORTFWIP \
38 --dport 110 -j ACCEPT
39 $IPTABLES -A FORWARD -i $INTIF -p tcp -s $INTNET -d $PORTFWIP \
40 --dport 25 -j ACCEPT
41 $IPTABLES -A FORWARD -j reject-and-log-it
42
43 $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
44 $IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF -d $INTIP \
45 --dport 11002 -j DNAT --to $PORTFWIP:110
46 $IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF -d $INTIP \
47 --dport 25000 -j DNAT --to $PORTFWIP:25
------ end rc.firewall-iptables-stronger ------
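The reject-and-log-it chain in the script above logs every packet it rejects, and the question of which ports look "exposed" from the 192.168.0.0/24 side is answered more reliably by those log lines than by a scanner's interpretation. The following is an added example, not part of the thread, that summarises such LOG output per incoming interface, destination, protocol and port. The log lines in it are constructed for the example in the kernel's standard LOG layout (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=), and the function name reject_summary is this example's own choice.

```shell
#!/bin/sh
# Summarise what a reject-and-log-it chain has logged, per incoming
# interface, destination, protocol and port. Added example, not part of
# the thread. It assumes the kernel's standard LOG line layout: space
# separated KEY=VALUE tokens "IN=... OUT=... SRC=... DST=... PROTO=...
# SPT=... DPT=..." (ICMP carries TYPE=/CODE= instead of ports).
#
# Note on the thread's chain: --log-prefix "iptables" has no trailing
# space, so the kernel prints "iptablesIN=eth1 ...": the prefix runs into
# IN=. The parser therefore accepts IN= inside a token, not only at its
# start, and works with or without a trailing space in the prefix.

# Constructed sample lines (not real logs): a scan from 192.168.0.50 of
# the gateway's external address, plus one foreign source on eth0.
SAMPLE_LOG='Dec 26 11:58:01 gw kernel: iptablesIN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.50 DST=192.168.0.176 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4021 DF PROTO=TCP SPT=1051 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 26 11:58:01 gw kernel: iptablesIN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.50 DST=192.168.0.176 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4022 DF PROTO=TCP SPT=1052 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 26 11:58:01 gw kernel: iptablesIN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.50 DST=192.168.0.176 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4023 DF PROTO=TCP SPT=1053 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 26 11:58:04 gw kernel: iptablesIN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.50 DST=192.168.0.176 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4030 DF PROTO=TCP SPT=1051 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 26 11:58:05 gw kernel: iptablesIN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.50 DST=192.168.0.176 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4031 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Dec 26 12:00:17 gw kernel: iptablesIN=eth0 OUT= MAC=00:0c:29:11:22:33:00:1a:2b:3c:4d:5e:08:00 SRC=10.0.0.5 DST=192.168.1.6 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0'

# reject_summary: read LOG lines on stdin and print
# "count IN DST PROTO DPT" (ICMP: "typeN" instead of a port), most
# frequent first. Lines without an IN= token are ignored; an empty IN=
# (OUTPUT-chain logs) is shown as "-".
reject_summary() {
  awk '
  {
    iface = dst = proto = port = ""; seen = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^[^=]*IN=/) {
        sub(/^[^=]*IN=/, "", $i)          # strip a fused log prefix
        iface = ($i == "" ? "-" : $i); seen = 1
      }
      else if ($i ~ /^DST=/)   dst   = substr($i, 5)
      else if ($i ~ /^PROTO=/) proto = substr($i, 7)
      else if ($i ~ /^DPT=/)   port  = substr($i, 5)
      else if ($i ~ /^TYPE=/)  port  = "type" substr($i, 6)
    }
    if (!seen) next                       # not a netfilter LOG line
    count[iface " " dst " " proto " " port]++
  }
  END { for (k in count) print count[k], k }
  ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | reject_summary
```

On a real box the input would be the kernel log, for instance (path assumed) `grep 'IN=' /var/log/kern.log | reject_summary`; every line that shows up for the external interface with a destination of the gateway's own address was a probe that reached the INPUT chain's final reject rule, which is the list of ports a scanner on that side could have seen answered at all.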
* Port forwarding - what's wrong with my setup?
From: Nandan Bhat @ 2006-12-22 7:23 UTC (permalink / raw)
To: netfilter
Hi,
I think port forwarding is a solution to my problem. But I am going
wrong in my setup.
My setup is as follows:
192.168.1.6 on eth0 is the internal network. It is connected to a hub. The hub
is connected to an ADSL router, which is 192.168.1.1.
192.168.1.6 will provide local services http (80), mysql (3306), ssh
(22), smb (various), ftp (21), pop3 (110), smtp (25)
eth1 has dhcp address on 192.168.0.0/24 network and that is all I know
of the network.
192.168.0.10 is the smtp/pop server on 192.168.0.0/24 network.
Some clients on 192.168.1.0/24 network need to have email access to
192.168.0.10
I do not trust the 192.168.0.0/24 network enough to allow all traffic.
I intend to have clients connect to 192.168.1.6 on port 11002
(arbitrary) and have such traffic to be forwarded to 192.168.0.10 on
port 110. Likewise on 192.168.1.6:25000 to 192.168.0.10:25.
I have slightly appended to the IP-Masquerade-HOWTO (stronger) ruleset,
what I think should be the configuration for port forwarding. There are
no errors on running the script. For the sake of brevity, I have left
out some statements and included only the iptables statements. I'm sorry
if it is too long.
I expected to be able to telnet 192.168.1.6 on port 11002 and be shown
the response of 192.168.0.10 for the POP server. But I get connection
refused. Any pointers?
Nandan Bhat
------------------------------------------------------------------
-- rc.firewall-iptables-stronger begin
------------------------------------------------------------------
01 EXTIF="eth1"
02 INTIF="eth0"
03 EXTIP="`$IFCONFIG $EXTIF | $AWK \
04 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
05
06 INTNET="192.168.1.0/24"
07 INTIP="192.168.1.6/24"
08 UNIVERSE="0.0.0.0/0"
09
10 echo "1" > /proc/sys/net/ipv4/ip_forward
11 echo "1" > /proc/sys/net/ipv4/ip_dynaddr
12
13 $IPTABLES -P INPUT DROP
14 $IPTABLES -F INPUT
15 $IPTABLES -P OUTPUT DROP
16 $IPTABLES -F OUTPUT
17 $IPTABLES -P FORWARD DROP
18 $IPTABLES -F FORWARD
19 $IPTABLES -F -t nat
20 $IPTABLES -X
21 $IPTABLES -Z
22
23 $IPTABLES -N reject-and-log-it
24 $IPTABLES -A reject-and-log-it -j LOG --log-level info
25 $IPTABLES -A reject-and-log-it -j REJECT
26
27 $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
28 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
29 $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j reject-and-log-it
30 $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
31 $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
32 ESTABLISHED,RELATED -j ACCEPT
33
34 #$IPTABLES -A INPUT -p ICMP --icmp-type any -j ACCEPT
35 $IPTABLES -A INPUT -p 50 -j ACCEPT
36 $IPTABLES -A INPUT -p 51 -j ACCEPT
37 $IPTABLES -A INPUT -i $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
38
39 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
40 -m tcp -p tcp --dport 21 -j ACCEPT
41 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
42 -m tcp -p tcp --dport 22 -j ACCEPT
43 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
44 -m tcp -p tcp --dport 25 -j ACCEPT
45 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
46 -m tcp -p tcp --dport 80 -j ACCEPT
47 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
48 -m udp -p udp --dport 137 -j ACCEPT
49 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
50 -m udp -p udp --dport 138 -j ACCEPT
51 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
52 -m tcp -p tcp --dport 139 -j ACCEPT
53 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
54 -m tcp -p tcp --dport 445 -j ACCEPT
55 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
56 -m tcp -p tcp --dport 3306 -j ACCEPT
57 $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it
58
59 $IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
60 $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
61 $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
62 $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
63 $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j reject-and-log-it
64 $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
65 $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it
66
67 $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
68 -j ACCEPT
69 $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
70
71 $IPTABLES -A FORWARD -i $INTIF -p tcp -s $INTNET --sport 11002 \
72 -d 192.168.0.10 --dport 110 -j ACCEPT
73 $IPTABLES -A FORWARD -i $INTIF -p tcp -s $INTNET --sport 25000 \
74 -d 192.168.0.10 --dport 25 -j ACCEPT
75 $IPTABLES -A FORWARD -j reject-and-log-it
76
77 $IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF -d $INTIP \
78 --dport 11002 -j DNAT --to 192.168.0.10:110
79 $IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF -d $INTIP \
80 --dport 25000 -j DNAT --to 192.168.0.10:25
------------------------------------------------------------------
-- rc.firewall-iptables-stronger end
------------------------------------------------------------------
* Re: Port forwarding - what's wrong with my setup?
From: Pascal Hambourg @ 2006-12-22 12:53 UTC (permalink / raw)
To: netfilter
Hello,
Nandan Bhat wrote:
>
> I intend to have clients connect to 192.168.1.6 on port 11002
> (arbitrary) and have such traffic to be forwarded to 192.168.0.10 on
> port 110. Likewise on 192.168.1.6:25000 to 192.168.0.10:25.
[...]
> I expected to be able to telnet 192.168.1.6 on port 11002 and be shown
> the response of 192.168.0.10 for the POP server. But I get connection
> refused. Any pointers?
Is the connection refused immediately, or does it hang and then fail?
Do you see related lines in the reject logs?
Did you try from this box or from hosts in the internal network? NAT
rules in the PREROUTING chain do not work with locally generated packets.
> 07 INTIP="192.168.1.6/24"
A single IP address has a /32 prefix length or no prefix length. Here I
think 192.168.1.6/24 is equivalent to 192.168.1.0/24 (bits beyond the
prefix length are ignored) so it makes -s/-d matches broader than they
should be.
> 27 $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
My advice is don't overload the rules with useless matches. If a rule
does not care about a given packet parameter (source/destination
address/port, protocol, ICMP type, state...), just don't put the match.
It will make your rules shorter and more readable.
> 30 $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
If you don't trust the external network, you don't want to accept all
ICMP types on the external interface.
> 39 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
> 40 -m tcp -p tcp --dport 21 -j ACCEPT
> 41 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
> 42 -m tcp -p tcp --dport 22 -j ACCEPT
> 43 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
> 44 -m tcp -p tcp --dport 25 -j ACCEPT
> 45 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
> 46 -m tcp -p tcp --dport 80 -j ACCEPT
> 47 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
> 48 -m udp -p udp --dport 137 -j ACCEPT
> 49 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
> 50 -m udp -p udp --dport 138 -j ACCEPT
> 51 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
> 52 -m tcp -p tcp --dport 139 -j ACCEPT
> 53 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
> 54 -m tcp -p tcp --dport 445 -j ACCEPT
> 55 $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW \
> 56 -m tcp -p tcp --dport 3306 -j ACCEPT
You can replace all this with two rules with the 'multiport' match. Or
you can "factorize" the common matches "-i $INTIF -s $INTNET -d $INTIP
-m state --state NEW" with a user defined chain to make the rules
shorter (thus more readable). :-)
> 69 $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> 70
> 71 $IPTABLES -A FORWARD -i $INTIF -p tcp -s $INTNET --sport 11002 \
> 72 -d 192.168.0.10 --dport 110 -j ACCEPT
> 73 $IPTABLES -A FORWARD -i $INTIF -p tcp -s $INTNET --sport 25000 \
> 74 -d 192.168.0.10 --dport 25 -j ACCEPT
There is no reason that the source port of the DNATed packets would be
equal to the original destination port, so these two rules would not
match. However, they are unused because the rule in line #69 accepts the
packets before.
> 77 $IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF -d $INTIP \
> 78 --dport 11002 -j DNAT --to 192.168.0.10:110
> 79 $IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF -d $INTIP \
> 80 --dport 25000 -j DNAT --to 192.168.0.10:25
Isn't there a MASQUERADE rule in the POSTROUTING chain for packets
leaving $EXTIF from $INTNET? The server 192.168.0.10 may refuse
communications from this netblock.
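The prefix-length remark above can be checked numerically: iptables masks the address with the prefix length before comparing, so 192.168.1.6/24 and 192.168.1.0/24 are the same match, and a /24 on what was meant to be a single host makes a -d match accept traffic for every host on the segment. The following is an added example, not code from the thread, that computes the network an -s/-d argument effectively matches and audits rule lines for host addresses written with a shorter prefix. The function names are this example's own, and the rule lines it feeds itself are constructed (variables such as $INTIP must be expanded before the text is audited).

```shell
#!/bin/sh
# What an iptables -s/-d argument really matches when the address has bits
# set beyond its prefix length. Added example, not code from the thread.
# Plain POSIX sh arithmetic, so it runs on the gateway without extra tools;
# it needs 64-bit shell arithmetic (dash and bash both qualify).

# ip2int 192.168.1.6 -> 3232235782
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length 0..32, as an integer (4294967295 = 0xFFFFFFFF).
plen2mask() {
  echo $(( 4294967295 ^ ((1 << (32 - $1)) - 1) ))
}

# effective_network ADDR[/PLEN]: the network iptables actually compares
# against. A bare address counts as /32, which is how iptables treats it.
effective_network() {
  addr=${1%/*}
  plen=${1#*/}
  [ "$plen" = "$1" ] && plen=32
  net=$(( $(ip2int "$addr") & $(plen2mask "$plen") ))
  echo "$(int2ip "$net")/$plen"
}

# in_range IP ADDR[/PLEN]: succeed when a packet from/to IP matches ADDR.
in_range() {
  net=$(effective_network "$2")
  [ "$(effective_network "$1/${net#*/}")" = "$net" ]
}

# audit_rules: read iptables command lines on stdin and warn about every
# -s/-d argument whose address is not the base address of its own prefix.
audit_rules() {
  set -f                      # no globbing while splitting the rule text
  while read -r line; do
    set -- $line
    while [ $# -gt 1 ]; do
      case $1 in
        -s|--source|-d|--destination)
          arg=$2
          case $arg in */*) ;; *) arg="$arg/32" ;; esac
          eff=$(effective_network "$arg")
          [ "$eff" = "$arg" ] || echo "WARN: $1 $2 matches $eff, not $arg"
          ;;
      esac
      shift
    done
  done
  set +f
}

# Constructed rule lines: the first is the thread's INTIP="192.168.1.6/24"
# after expansion, the second is the corrected single-host form.
printf '%s\n' \
  '-A INPUT -i eth0 -s 192.168.1.0/24 -d 192.168.1.6/24 -j ACCEPT' \
  '-A INPUT -i eth0 -s 192.168.1.0/24 -d 192.168.1.6 -j ACCEPT' \
  | audit_rules
```

The audit reads the rules as text, so it can be pointed at a firewall script run with the iptables command replaced by echo, or at the output of iptables-save; the same masking logic is what makes the warning for 192.168.1.6/24 report 192.168.1.0/24 as the real match.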
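Taking the suggestions in the reply above together, here is a rewritten version of the rule set as an added example; it is not the thread's script and not the HOWTO's. It keeps the thread's interfaces, addresses and ports and applies: a single-host INTIP without /24, multiport plus a user-defined chain in place of one rule per port, a stateful FORWARD chain that matches the post-DNAT destination (never the client's source port), MASQUERADE for the DHCP-addressed external interface, only echo-request from the untrusted side, and a DNAT rule in the nat OUTPUT chain so a test run from the gateway itself (which never traverses PREROUTING) is redirected too. The chain name int-services, the "reject: " log prefix and the "apply" switch are this example's own choices; without "apply" it only prints the commands for review.

```shell
#!/bin/sh
# Port-forwarding rule set reworked along the lines of the reply above.
# Added example, not the thread's script. Run as "sh fw.sh apply" to load
# it; without the argument it prints the iptables commands for review.
# Addresses, interfaces and ports are the thread's; the chain name
# int-services, the log prefix and the "apply" switch are assumptions.

EXTIF=eth1
INTIF=eth0
INTNET=192.168.1.0/24
INTIP=192.168.1.6          # no /24 here: that would mean 192.168.1.0/24
PORTFWIP=192.168.0.10
LOCAL_TCP=21,22,25,80,139,445,3306
LOCAL_UDP=137,138

IPT="echo iptables"
[ "${1:-}" = apply ] && IPT=iptables

firewall_rules() {
  for chain in INPUT OUTPUT FORWARD; do $IPT -P $chain DROP; done
  $IPT -F
  $IPT -X
  $IPT -t nat -F

  $IPT -N reject-and-log-it
  # Trailing space in the prefix keeps it from running into "IN=".
  $IPT -A reject-and-log-it -j LOG --log-level info --log-prefix "reject: "
  $IPT -A reject-and-log-it -j REJECT

  # Replies to established flows first; everything below only handles NEW.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m state --state INVALID -j DROP
  # Internal addresses never legitimately arrive on the external interface.
  $IPT -A INPUT -i $EXTIF -s $INTNET -j reject-and-log-it
  # Local services for the internal network only; the user chain carries
  # the port lists so the common matches are written once.
  $IPT -N int-services
  $IPT -A int-services -p tcp -m multiport --dports $LOCAL_TCP -j ACCEPT
  $IPT -A int-services -p udp -m multiport --dports $LOCAL_UDP -j ACCEPT
  $IPT -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state NEW -j int-services
  # Only echo requests from the untrusted side, not every ICMP type.
  $IPT -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j ACCEPT
  $IPT -A INPUT -j reject-and-log-it

  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -o $EXTIF -d $INTNET -j reject-and-log-it   # no leak outwards
  $IPT -A OUTPUT -o $INTIF -d $INTNET -j ACCEPT
  $IPT -A OUTPUT -o $EXTIF -j ACCEPT
  $IPT -A OUTPUT -j reject-and-log-it

  # FORWARD sees the packet after DNAT, so match the mail server's address
  # and port; the client's source port is random and must not be matched.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i $INTIF -o $EXTIF -s $INTNET -d $PORTFWIP -p tcp \
       -m multiport --dports 25,110 -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -j reject-and-log-it

  # Redirect clients on the internal network ...
  $IPT -t nat -A PREROUTING -i $INTIF -d $INTIP -p tcp --dport 11002 -j DNAT --to-destination $PORTFWIP:110
  $IPT -t nat -A PREROUTING -i $INTIF -d $INTIP -p tcp --dport 25000 -j DNAT --to-destination $PORTFWIP:25
  # ... and locally generated packets, which never traverse PREROUTING.
  $IPT -t nat -A OUTPUT -d $INTIP -p tcp --dport 11002 -j DNAT --to-destination $PORTFWIP:110
  $IPT -t nat -A OUTPUT -d $INTIP -p tcp --dport 25000 -j DNAT --to-destination $PORTFWIP:25
  # $EXTIF gets its address by DHCP: let MASQUERADE use the current one
  # instead of SNAT --to a value read once at boot.
  $IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
}

firewall_rules
```

Two checks worth doing after loading it: telnet from an internal host to 192.168.1.6 port 11002 should now produce the POP server's greeting, and iptables -t nat -L -n -v should show the DNAT counters increasing while the FORWARD reject rule's counter does not.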