* Failing to get forwarding to work fully.
@ 2008-02-03 16:52 David Wynter
0 siblings, 0 replies; 5+ messages in thread
From: David Wynter @ 2008-02-03 16:52 UTC (permalink / raw)
To: netfilter
Hi,
I have tried to get this iptables script on my Centos 4.4 machine
working, with some help, but still have not succeeded in forwarding port
722 to a machine on the LAN attached to the machine running iptables
attached to the internet. The logging of the FORWARD packets just before
drop tells me they are being forwarded. I also made sure the LAN
attached machine on eth0 does accept ssh -D 722 once I logged into the
public facing machine via ssh. So I kinda assume it is the return packet
that is the problem, but cannot see why. Ideas? 333.333.333.333 is
substituted for the public IP addr, 111.111.111.111 222.222.222.222 are
machines I want to be the only ones that can access. eth0 is the LAN NIC
and eth1 is the public facing NIC.
# Generated by iptables-save v1.2.11 on Thu Dec 15 17:00:25 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -j LOG --log-level debug
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 111.111.111.111 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 222.222.222.222 -p tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-crypt -j ACCEPT
-A INPUT -p ipv6-auth -j ACCEPT
-A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -d 333.333.333.333 -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -d 333.333.333.333 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,22,443,80,8080 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j LOG --log-level debug
-A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m multiport --dports 22,3306 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 333.333.333.333 -d 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -j DROP
-A OUTPUT -s 333.333.333.333 -o eth1 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Thu Dec 15 17:00:25 2005
# Generated by iptables-save v1.2.11 on Thu Dec 15 17:00:25 2005
*nat
:PREROUTING ACCEPT [2:208]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 333.333.333.333 -p tcp -j LOG --log-level debug
-A PREROUTING -i eth1 -p tcp -d 333.333.333.333 --dport 3307 -j DNAT --to-destination 192.168.0.223:3306
-A PREROUTING -i eth1 -p tcp -d 333.333.333.333 --dport 722 -j DNAT --to-destination 192.168.0.223:22
-A POSTROUTING -o eth1 -j SNAT --to-source 333.333.333.333
COMMIT
# Completed on Thu Dec 15 17:00:25 2005
* Failing to get forwarding to work fully.
@ 2008-02-03 16:53 David at roamware
2008-02-03 17:19 ` Rob Sterenborg
0 siblings, 1 reply; 5+ messages in thread
From: David at roamware @ 2008-02-03 16:53 UTC (permalink / raw)
To: netfilter
Hi,
I have tried to get this iptables script on my Centos 4.4 machine
working, with some help, but still have not succeeded in forwarding port
722 to a machine on the LAN attached to the machine running iptables
attached to the internet. The logging of the FORWARD packets just before
drop tells me they are being forwarded. I also made sure the LAN
attached machine on eth0 does accept ssh -D 722 once I logged into the
public facing machine via ssh. So I kinda assume it is the return packet
that is the problem, but cannot see why. Ideas? 333.333.333.333 is
substituted for the public IP addr, 111.111.111.111 222.222.222.222 are
machines I want to be the only ones that can access. eth0 is the LAN NIC
and eth1 is the public facing NIC.
# Generated by iptables-save v1.2.11 on Thu Dec 15 17:00:25 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -j LOG --log-level debug
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 111.111.111.111 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 222.222.222.222 -p tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-crypt -j ACCEPT
-A INPUT -p ipv6-auth -j ACCEPT
-A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -d 333.333.333.333 -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -d 333.333.333.333 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,22,443,80,8080 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j LOG --log-level debug
-A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m multiport --dports 22,3306 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 333.333.333.333 -d 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -j DROP
-A OUTPUT -s 333.333.333.333 -o eth1 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Thu Dec 15 17:00:25 2005
# Generated by iptables-save v1.2.11 on Thu Dec 15 17:00:25 2005
*nat
:PREROUTING ACCEPT [2:208]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 333.333.333.333 -p tcp -j LOG --log-level debug
-A PREROUTING -i eth1 -p tcp -d 333.333.333.333 --dport 3307 -j DNAT --to-destination 192.168.0.223:3306
-A PREROUTING -i eth1 -p tcp -d 333.333.333.333 --dport 722 -j DNAT --to-destination 192.168.0.223:22
-A POSTROUTING -o eth1 -j SNAT --to-source 333.333.333.333
COMMIT
David
* RE: Failing to get forwarding to work fully.
2008-02-03 16:53 David at roamware
@ 2008-02-03 17:19 ` Rob Sterenborg
2008-02-03 22:40 ` David at roamware
0 siblings, 1 reply; 5+ messages in thread
From: Rob Sterenborg @ 2008-02-03 17:19 UTC (permalink / raw)
To: netfilter
> I have tried to get this iptables script on my Centos 4.4 machine
> working, with some help, but still have not succeeded in forwarding
> port 722 to a machine on the LAN attached to the machine running
> iptables attached to the internet. The logging of the FORWARD
> packets just before drop tells me they are being forwarded. I also
> made sure the LAN attached machine on eth0 does accept ssh -D
> 722 once I logged into the public facing machine via ssh. So I kinda
> assume it is the return packet that is the problem, but cannot see
> why. Ideas? 333.333.333.333 is substituted for the public IP addr,
> 111.111.111.111 222.222.222.222 are machines I want to be the only
> ones that can access. eth0 is the LAN NIC and eth1 is the public
> facing NIC.
>
> # Generated by iptables-save v1.2.11 on Thu Dec 15 17:00:25 2005
> *filter
[...]
> -A FORWARD -j LOG --log-level debug
> -A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 \
> -p tcp -m multiport --dports 22,3306 -m state --state NEW \
> -j ACCEPT
So NEW packets forwarded to port 22 will be allowed.
> -A FORWARD -i eth1 -o eth0 -m state \
> --state RELATED,ESTABLISHED -j ACCEPT
Here you are only accepting packets from eth1 -> eth0 in a RELATED or
ESTABLISHED connection. What about the return packets that will go from
eth0 -> eth1? I really don't think you can setup a connection this way.
Try:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Grts,
Rob
* Re: Failing to get forwarding to work fully.
2008-02-03 17:19 ` Rob Sterenborg
@ 2008-02-03 22:40 ` David at roamware
2008-02-04 6:29 ` Rob Sterenborg
0 siblings, 1 reply; 5+ messages in thread
From: David at roamware @ 2008-02-03 22:40 UTC (permalink / raw)
To: netfilter
Rob Sterenborg wrote:
>> I have tried to get this iptables script on my Centos 4.4 machine
>> working, with some help, but still have not succeeded in forwarding
>> port 722 to a machine on the LAN attached to the machine running
>> iptables attached to the internet. The logging of the FORWARD
>> packets just before drop tells me they are being forwarded. I also
>> made sure the LAN attached machine on eth0 does accept ssh -D
>> 722 once I logged into the public facing machine via ssh. So I kinda
>> assume it is the return packet that is the problem, but cannot see
>> why. Ideas? 333.333.333.333 is substituted for the public IP addr,
>> 111.111.111.111 222.222.222.222 are machines I want to be the only
>> ones that can access. eth0 is the LAN NIC and eth1 is the public
>> facing NIC.
>>
>> # Generated by iptables-save v1.2.11 on Thu Dec 15 17:00:25 2005
>> *filter
>>
>
> [...]
>
>
>> -A FORWARD -j LOG --log-level debug
>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 \
>> -p tcp -m multiport --dports 22,3306 -m state --state NEW \
>> -j ACCEPT
>>
>
> So NEW packets forwarded to port 22 will be allowed.
>
>
>> -A FORWARD -i eth1 -o eth0 -m state \
>> --state RELATED,ESTABLISHED -j ACCEPT
>>
>
> Here you are only accepting packets from eth1 -> eth0 in a RELATED or
> ESTABLISHED connection. What about the return packets that will go from
> eth0 -> eth1? I really don't think you can setup a connection this way.
> Try:
>
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
Tried this, it made no difference. I broadened the ports on the NEW to
cover 722, so there was no confusion to the port 22 used to connect to
the machine with the public facing NIC. Do I need a postrouting rule for
the FORWARD used for the return packets?
David
>
> Grts,
> Rob
* RE: Failing to get forwarding to work fully.
2008-02-03 22:40 ` David at roamware
@ 2008-02-04 6:29 ` Rob Sterenborg
0 siblings, 0 replies; 5+ messages in thread
From: Rob Sterenborg @ 2008-02-04 6:29 UTC (permalink / raw)
To: david, netfilter
> Tried this, it made no difference. I broadened the ports on the NEW
> to cover 722, so there was no confusion to the port 22 used to connect
> to the machine with the public facing NIC.
Actually, this should be working:
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -i eth1 -o eth0 \
-d 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT
-t nat -A PREROUTING -i eth1 -p tcp --dport 722 -j DNAT \
--to 192.168.0.223:22
If you're running a local ssh server on port 22 there will be no
confusion on this host. You'll be accepting packets on (local) port 22
which are accepted in the INPUT chain. Packets forwarded from port 722
to 192.168.0.223:22 will (only) travel the FORWARD chain (of the filter
table) because they're routed through the host.
> Do I need a postrouting rule for the FORWARD used for the return
> packets?
No that would be handled by the RELATED,ESTABLISHED rule.
Besides, you already have an SNAT rule:
-A POSTROUTING -o eth1 -j SNAT --to-source 333.333.333.333
so you should be able to access the internet from 192.168.0.223, but
that should not be related to the problem.
Grts,
Rob
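The path Rob describes in his two replies (accept RELATED,ESTABLISHED regardless of interface; a packet DNATed to 192.168.0.223:22 only traverses FORWARD, and its reply is handled by conntrack rather than by a POSTROUTING rule) can be checked against the ruleset David posted with the small model below. This is an added example, not code from the thread or from netfilter: the public address, the LAN and the DNAT target are the post's own placeholders, the two packets it traces (an SSH SYN from 111.111.111.111 to port 722 and the SYN-ACK from 192.168.0.223 arriving on eth0) are constructed, the LOG, ipv6-crypt/auth, mDNS, CUPS and port-3307 rules are left out because they cannot decide a TCP packet to the public address on port 22 or 722, the limit match is ignored, and nf_conntrack is reduced to a table of tuples. It shows two things the thread only states: the reply is accepted by the posted "-i eth0 -o eth1 -j ACCEPT" rule even without Rob's change, which fits David's report that the change made no difference, and the reply leaves with source 333.333.333.333:722 because conntrack reverses the DNAT, so no POSTROUTING rule is needed. It also traces a case the thread does not raise: an SSH SYN to the gateway itself from an address outside 111.111.111.111 and 222.222.222.222, which the posted INPUT chain accepts through the SYN-only rule (and, failing that, the multiport rule), so the intended restriction of SSH to those two hosts does not hold.

```python
"""Trace packets through the posted ruleset the way netfilter does (nat PREROUTING,
routing decision, filter INPUT or FORWARD) with a minimal conntrack.  Added example,
not the thread's script; rules a TCP packet to the public address on port 22 or 722
cannot hit (LOG, ipv6-crypt/auth, mDNS, CUPS, the 3307 DNAT) are left out and the
limit match is ignored."""
from collections import namedtuple

PUBLIC = "333.333.333.333"                            # placeholder public IP, as in the post
LAN_PREFIX = "192.168.0."                             # 192.168.0.0/24 behind eth0
ADMIN_HOSTS = {"111.111.111.111", "222.222.222.222"}  # the only intended SSH sources
SSH_SERVER = ("192.168.0.223", 22)                    # DNAT target of :722

# in_if: "eth1" public side, "eth0" LAN side; syn_only: first SYN (for the --tcp-flags rule)
Pkt = namedtuple("Pkt", "src dst sport dport in_if syn_only", defaults=(True,))

def is_lan(ip):
    return ip.startswith(LAN_PREFIX)

def route(dst):
    """Routing decision: local delivery (INPUT) or egress interface (FORWARD);
    only the public address counts as local in this model."""
    return "local" if dst == PUBLIC else "eth0" if is_lan(dst) else "eth1"

class Conntrack:
    """Keeps each accepted connection's post-DNAT tuple with its pre-DNAT destination,
    so the reply is ESTABLISHED and is mapped back to PUBLIC:722 without any NAT rule."""
    def __init__(self):
        self.conns = {}   # (src, sport, dst, dport) after DNAT -> (dst, dport) before DNAT

    def state(self, p):
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.conns or rev in self.conns else "NEW"

    def confirm(self, after_nat, before_nat):
        key = (after_nat.src, after_nat.sport, after_nat.dst, after_nat.dport)
        self.conns[key] = (before_nat.dst, before_nat.dport)

    def undo_dnat(self, reply):
        orig = self.conns.get((reply.dst, reply.dport, reply.src, reply.sport))
        return reply._replace(src=orig[0], sport=orig[1]) if orig else reply

def walk(chain, p, state, out_if, policy):
    """First matching rule wins; the chain policy applies when none matches."""
    for name, match, verdict in chain:
        if match(p, state, out_if):
            return name, verdict
    return "policy", policy

PREROUTING = [  # -t nat PREROUTING as posted, 722 rule only
    ("DNAT 722->223:22", lambda p, s, o: p.in_if == "eth1" and p.dst == PUBLIC and p.dport == 722,
     ("DNAT",) + SSH_SERVER),
]
FORWARD_POSTED = [  # filter FORWARD as posted
    ("NEW 22/3306 eth1->eth0", lambda p, s, o: p.in_if == "eth1" and o == "eth0"
     and is_lan(p.dst) and p.dport in (22, 3306) and s == "NEW", "ACCEPT"),
    ("ESTABLISHED eth1->eth0", lambda p, s, o: p.in_if == "eth1" and o == "eth0" and s == "ESTABLISHED", "ACCEPT"),
    ("any eth0->eth1", lambda p, s, o: p.in_if == "eth0" and o == "eth1", "ACCEPT"),
    ("LOG + DROP", lambda p, s, o: True, "DROP"),
]
# filter FORWARD with Rob's interface-less RELATED,ESTABLISHED rule in front
FORWARD_ROB = [("ESTABLISHED any", lambda p, s, o: s == "ESTABLISHED", "ACCEPT")] + FORWARD_POSTED
INPUT = [  # filter INPUT as posted, reduced to the rules a TCP packet to PUBLIC can hit
    ("LAN src on eth0", lambda p, s, o: p.in_if == "eth0" and is_lan(p.src), "ACCEPT"),
    ("LAN src on eth1", lambda p, s, o: p.in_if == "eth1" and is_lan(p.src), "DROP"),
    ("admin hosts :22", lambda p, s, o: p.src in ADMIN_HOSTS and p.dport == 22, "ACCEPT"),
    ("ESTABLISHED eth1", lambda p, s, o: p.in_if == "eth1" and p.dst == PUBLIC and s == "ESTABLISHED", "ACCEPT"),
    ("any SYN eth1 (5/sec)", lambda p, s, o: p.in_if == "eth1" and p.syn_only, "ACCEPT"),
    ("multiport 21,22,80,443,8080", lambda p, s, o: p.dport in (21, 22, 80, 443, 8080), "ACCEPT"),
    ("DROP", lambda p, s, o: True, "DROP"),
]

def process(p, ct, forward_chain=FORWARD_POSTED):
    """One packet through PREROUTING -> routing -> INPUT/FORWARD; returns the deciding
    chain and rule, the verdict, and the packet as it leaves the box."""
    arrived = p
    if ct.state(p) == "NEW":                        # nat is consulted for new connections only
        _, verdict = walk(PREROUTING, p, None, None, "ACCEPT")
        if verdict != "ACCEPT":
            p = p._replace(dst=verdict[1], dport=verdict[2])
    state, out_if = ct.state(p), route(p.dst)
    chain = "INPUT" if out_if == "local" else "FORWARD"
    rule, verdict = walk(INPUT if chain == "INPUT" else forward_chain, p, state, out_if, "DROP")
    if verdict == "ACCEPT" and state == "NEW":
        ct.confirm(p, arrived)
    elif verdict == "ACCEPT" and chain == "FORWARD":
        p = ct.undo_dnat(p)                         # reply leaves as PUBLIC:722, no SNAT rule needed
    return {"chain": chain, "rule": rule, "verdict": verdict, "pkt": p}

def trace_port_forward(forward_chain=FORWARD_POSTED):
    """Constructed exchange: SSH SYN from an admin host to PUBLIC:722, then the LAN
    server's SYN-ACK arriving on eth0."""
    ct = Conntrack()
    syn = Pkt("111.111.111.111", PUBLIC, 40000, 722, "eth1")
    inbound = process(syn, ct, forward_chain)
    synack = Pkt(SSH_SERVER[0], syn.src, SSH_SERVER[1], syn.sport, "eth0", syn_only=False)
    return inbound, process(synack, ct, forward_chain)

def trace_ssh_to_gateway(src):
    """A SYN to the gateway's own sshd on :22 from an arbitrary source address."""
    return process(Pkt(src, PUBLIC, 40001, 22, "eth1"), Conntrack())

if __name__ == "__main__":
    for r in (*trace_port_forward(), *trace_port_forward(FORWARD_ROB), trace_ssh_to_gateway("9.9.9.9")):
        print(r["chain"], r["rule"], r["verdict"], r["pkt"][:4])
```

Since both FORWARD variants in the model pass both directions of the DNATed connection, the filter rules on their own do not account for the failure. The next things to check on the box are net.ipv4.ip_forward, the per-rule packet counters from iptables -vnL FORWARD and iptables -t nat -vnL PREROUTING, whether 192.168.0.223 routes replies to outside addresses back through the gateway's eth0 address, and a tcpdump on eth0 for port 22 to see whether the SYN arrives and the SYN-ACK comes back. Note also that the "FORWARD DROP:" LOG rule sits immediately before the DROP, so a hit there means the packet matched none of the ACCEPT rules above it.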
2008-02-03 16:52 Failing to get forwarding to work fully David Wynter
2008-02-03 16:53 David at roamware
2008-02-03 17:19 ` Rob Sterenborg
2008-02-03 22:40 ` David at roamware
2008-02-04 6:29 ` Rob Sterenborg