* IPTABLES port forwarding woes
@ 2008-05-30 13:24 Erich Weiler
2008-05-30 13:53 ` Pascal Hambourg
0 siblings, 1 reply; 8+ messages in thread
From: Erich Weiler @ 2008-05-30 13:24 UTC (permalink / raw)
To: netfilter
Hi All,
I'm having trouble setting up port forwarding on a linux host I have...
Basically I have 2 machines. One has a public and a private IP address,
the other just has a private address:
Machine 1:
public IP: 120.1.1.10
private IP: 10.1.1.50
Machine 2:
private IP: 10.1.1.133
I want to ssh to port 2222 on machine 1 from the internet, on the public
IP, and have it forward to port 22 on machine 2 on the private network.
I can't seem to open an SSH socket however when SSHing to port 2222 on
machine 1's public IP address... Note that I only want port 2222 routed
to machine 2, all other ports should connect to machine 1 as normal.
This is my current IP tables file on machine 1:
# Generated by iptables-save v1.3.5 on Wed May 28 20:56:31 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:7948]
-A FORWARD -d 10.1.3.133 -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p all -j ACCEPT
-A INPUT -i eth1 -p all -j ACCEPT
-A OUTPUT -o eth0 -p all -j ACCEPT
-A OUTPUT -o eth1 -p all -j ACCEPT
COMMIT
# Completed on Wed May 28 20:56:31 2008
# Generated by iptables-save v1.3.5 on Wed May 28 20:56:31 2008
*nat
:PREROUTING ACCEPT [451:32699]
:POSTROUTING ACCEPT [2:236]
:OUTPUT ACCEPT [2:236]
-A PREROUTING -d 120.1.1.10 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.1.3.133:22
-A POSTROUTING -s 10.1.3.133 -o eth0 -j SNAT --to-source 120.1.1.10
COMMIT
# Completed on Wed May 28 20:56:31 2008
This just doesn't seem to work - can anyone see where I'm going wrong? I
guess I want machine 2 to see connections coming from machine 1 to be
coming from machine 1's private IP, but I'm not sure the 'source IP' is
being re-written when it's being forwarded to machine 2... Not sure...
Anyway, if anyone can see what's wrong here please let me know!!
Thanks so much,
erich
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: IPTABLES port forwarding woes
2008-05-30 13:24 IPTABLES port forwarding woes Erich Weiler
@ 2008-05-30 13:53 ` Pascal Hambourg
0 siblings, 0 replies; 8+ messages in thread
From: Pascal Hambourg @ 2008-05-30 13:53 UTC (permalink / raw)
To: netfilter
Hello,
Erich Weiler wrote:
>
> I'm having trouble setting up port forwarding on a linux host I have...
> Basically I have 2 machines. One has a public and a private IP address,
> the other just has a private address:
>
> Machine 1:
> public IP: 120.1.1.10
> private IP: 10.1.1.50
>
> Machine 2:
> private IP: 10.1.1.133
>
> I want to ssh to port 2222 on machine 1 from the internet, on the public
> IP, and have it forward to port 22 on machine 2 on the private network.
> I can't seem to open an SSH socket however when SSHing to port 2222 on
> machine 1's public IP address... Note that I only want port 2222 routed
> to machine 2, all other ports should connect to machine 1 as normal.
> This is my current IP tables file on machine 1:
>
> # Generated by iptables-save v1.3.5 on Wed May 28 20:56:31 2008
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [66:7948]
> -A FORWARD -d 10.1.3.133 -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
> -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p all -j ACCEPT
> -A INPUT -i eth1 -p all -j ACCEPT
> -A OUTPUT -o eth0 -p all -j ACCEPT
> -A OUTPUT -o eth1 -p all -j ACCEPT
> COMMIT
> # Completed on Wed May 28 20:56:31 2008
> # Generated by iptables-save v1.3.5 on Wed May 28 20:56:31 2008
> *nat
> :PREROUTING ACCEPT [451:32699]
> :POSTROUTING ACCEPT [2:236]
> :OUTPUT ACCEPT [2:236]
> -A PREROUTING -d 120.1.1.10 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.1.3.133:22
> -A POSTROUTING -s 10.1.3.133 -o eth0 -j SNAT --to-source 120.1.1.10
> COMMIT
> # Completed on Wed May 28 20:56:31 2008
Note that ACCEPT-only rules are pointless when the default policy is
already set to ACCEPT. However I see nothing that could cause the port
forwarding to fail.
> This just doesn't seem to work - can anyone see where I'm going wrong? I
> guess I want machine 2 to see connections coming from machine 1 to be
> coming from machine 1's private IP, but I'm not sure the 'source IP' is
> being re-written when it's being forwarded to machine 2... Not sure...
No, the source address is not rewritten according to the above ruleset.
It would require the following (minimal, feel free to add source,
destination, protocol and port matches) rule:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.1.1.50
However, why would you want to do so? It would hide the real source
address from the SSH server on machine 2. Doesn't machine 2 use machine
1's private address as default gateway?
Maybe it's time to start your favourite packet sniffer on every interface.
* Re: IPTABLES port forwarding woes
@ 2008-05-30 14:02 Erich Weiler
2008-05-30 14:42 ` Pascal Hambourg
0 siblings, 1 reply; 8+ messages in thread
From: Erich Weiler @ 2008-05-30 14:02 UTC (permalink / raw)
To: netfilter
> However why would you want to do so ? It would hide the real source
> address from the SSH server on machine 2. Doesn't machine 2 use machine
> 1's private address as default gateway ?
Ah, I forgot to mention, machine 2 is on a private network that is not
routed in any way. So, there is no default gateway for machine 2...
That's why I was thinking the source port would have to be re-written
internally such that machine 2 would know to send it back through
machine 1 and then on to the internet... ?
* Re: IPTABLES port forwarding woes
2008-05-30 14:02 Erich Weiler
@ 2008-05-30 14:42 ` Pascal Hambourg
2008-05-30 15:17 ` Erich Weiler
0 siblings, 1 reply; 8+ messages in thread
From: Pascal Hambourg @ 2008-05-30 14:42 UTC (permalink / raw)
To: netfilter
Erich Weiler wrote:
>
> Ah, I forgot to mention, machine 2 is on a private network that is not
> routed in any way. So, there is no default gateway for machine 2...
> That's why I was thinking the source port would have to be re-written
> internally such that machine 2 would know to send it back through
> machine 1 and then on to the internet... ?
Then indeed you need to SNAT the forwarded connection. Also make sure
that machine 1 has IP forwarding enabled.
* Re: IPTABLES port forwarding woes
2008-05-30 14:42 ` Pascal Hambourg
@ 2008-05-30 15:17 ` Erich Weiler
2008-05-30 19:11 ` Pascal Hambourg
0 siblings, 1 reply; 8+ messages in thread
From: Erich Weiler @ 2008-05-30 15:17 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Hmmm... Follow-up question to this. How would the outgoing connection
back to the internet find its way back to the remote internet host, if
the source address was re-written to machine 1 when it came in to begin
with? Wouldn't the original remote internet source address be lost in
all the translation?
Thanks for your insight by the way!
-erich
Pascal Hambourg wrote:
> Erich Weiler wrote:
>>
>> Ah, I forgot to mention, machine 2 is on a private network that is not
>> routed in any way. So, there is no default gateway for machine 2...
>> That's why I was thinking the source port would have to be re-written
>> internally such that machine 2 would know to send it back through
>> machine 1 and then on to the internet... ?
>
> Then indeed you need to SNAT the forwarded connection. Also make sure
> that machine 1 has IP forwarding enabled.
* Re: IPTABLES port forwarding woes
2008-05-30 15:17 ` Erich Weiler
@ 2008-05-30 19:11 ` Pascal Hambourg
2008-05-30 21:06 ` Erich Weiler
0 siblings, 1 reply; 8+ messages in thread
From: Pascal Hambourg @ 2008-05-30 19:11 UTC (permalink / raw)
To: netfilter
Erich Weiler wrote:
> Hmmm... Follow-up question to this. How would the outgoing connection
> back to the internet find its way back to the remote internet host, if
> the source address was re-written to machine 1 when it came in to begin
> with? Wouldn't the original remote internet source address be lost in
> all the translation?
No, the connection tracking takes care of all this. The NAT operations
applied by iptables rules to the first packet creating the connection
are recorded and applied to subsequent packets in the same direction,
while the inverse operations are applied to reply packets in the
opposite direction.
> Thanks for your insight by the way!
You're welcome.
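The connection-tracking behaviour Pascal describes here, and the reason the extra SNAT rule from his earlier reply is needed once machine 2 has no default gateway, as an added example that is not from the thread: a small Python model of the NAT logic (not netfilter code) using the thread's addresses. The remote client address 203.0.113.7, the NatModel/Packet names, the unchanged-source-port simplification and the "machine 2 can only answer 10.1.x.x" rule are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatModel:
    """Model of the NAT behaviour described in the thread (not netfilter code).

    The first packet of a new connection is matched against the DNAT rule
    (PREROUTING: public_ip:fwd_port -> target) and, if snat is set, the SNAT
    rule (POSTROUTING on eth1: source -> machine 1's private address). The
    translation is recorded per connection; later packets in the same
    direction reuse it and replies get the inverse translation.
    Assumption: source ports are never remapped (netfilter may do so on clash).
    """

    def __init__(self, public_ip, private_ip, target_ip, fwd_port, target_port, snat=True):
        self.public = (public_ip, fwd_port)
        self.private_ip = private_ip
        self.target = (target_ip, target_port)
        self.snat = snat
        self.conns = {}  # original 4-tuple -> translated Packet (the conntrack entry)

    def forward(self, pkt):
        """Packet arriving on eth0 from the internet; returns what leaves eth1."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.conns:
            if (pkt.dst, pkt.dport) != self.public:
                return pkt  # no DNAT match: delivered to machine 1 itself, untouched
            src = self.private_ip if self.snat else pkt.src
            self.conns[key] = Packet(src, pkt.sport, *self.target)
        return self.conns[key]

    def reply(self, pkt):
        """Reply from machine 2 arriving on eth1; returns what leaves eth0."""
        for orig, xlat in self.conns.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (xlat.dst, xlat.dport, xlat.src, xlat.sport):
                return Packet(orig[2], orig[3], orig[0], orig[1])  # inverse of the recorded NAT
        return pkt  # untracked connection: no translation


def machine2_can_reply(pkt, has_default_gateway=False):
    """Machine 2 has no default gateway in the thread, so it can only answer
    sources on its own 10.1.x.x network (constructed assumption)."""
    return has_default_gateway or pkt.src.startswith("10.1.")
```

Without the SNAT rule (snat=False) the forwarded SYN reaches machine 2 with the remote client's address as source, and machine2_can_reply() shows why the handshake never completes.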
* Re: IPTABLES port forwarding woes
2008-05-30 19:11 ` Pascal Hambourg
@ 2008-05-30 21:06 ` Erich Weiler
0 siblings, 0 replies; 8+ messages in thread
From: Erich Weiler @ 2008-05-30 21:06 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
> No, the connection tracking takes care of all this. The NAT operations
> applied by iptables rules to the first packet creating the connection
> are recorded and applied to subsequent packets in the same direction,
> while the inverse operations are applied to reply packets in the
> opposite direction.
Excellent, it works just fine now! Here's my final iptables file, just
in case it would help anyone in the list:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:7948]
-A FORWARD -d 10.1.3.133 -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [451:32699]
:POSTROUTING ACCEPT [2:236]
:OUTPUT ACCEPT [2:236]
-A PREROUTING -d 120.1.1.10 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.1.3.133:22
-A POSTROUTING -s 10.1.3.133 -o eth0 -j SNAT --to-source 120.1.1.10
-A POSTROUTING -o eth1 -p tcp --dport 22 -d 10.1.3.133 -j SNAT --to 10.1.1.50
COMMIT
Thanks again!
-erich