* http PREROUTING works but other ports do not
@ 2008-11-11 1:48 mictlan tecutli
2008-11-12 6:09 ` Grant Taylor
0 siblings, 1 reply; 4+ messages in thread
From: mictlan tecutli @ 2008-11-11 1:48 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 649 bytes --]
Hello,
I'm using iptables v1.2.3. I have a strange problem where I'm using
essentially the same rules to forward (PREROUTING) various ports in a
vserver setup with a single static IP (xxx.xxx.xxx). My vservers are on
the 10.10.10.0 network. With the configuration I've attached to this
mail, I can view the web pages hosted on 10.10.10.20, but cannot reach
the SSH servers on the same host, nor those on other hosts. Nor can I
reach Icecast on port 8000. In the config I've included, you'll see I've
tried subtle variations on the different hosts. None of the variations
you see there work.
I'd appreciate any help.
Regards,
kev
[-- Attachment #2: iptables.rules --]
[-- Type: application/octet-stream, Size: 2199 bytes --]
# Generated by iptables-save v1.3.6 on Mon Nov 10 19:36:22 2008
*mangle
:PREROUTING ACCEPT [24220:15248964]
:INPUT ACCEPT [22833:15132977]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20501:9117977]
:POSTROUTING ACCEPT [20501:9117977]
COMMIT
# Completed on Mon Nov 10 19:36:22 2008
# Generated by iptables-save v1.3.6 on Mon Nov 10 19:36:22 2008
*raw
:PREROUTING ACCEPT [24220:15248964]
:OUTPUT ACCEPT [20501:9117977]
COMMIT
# Completed on Mon Nov 10 19:36:22 2008
# Generated by iptables-save v1.3.6 on Mon Nov 10 19:36:22 2008
*nat
:PREROUTING ACCEPT [2401:224057]
:POSTROUTING ACCEPT [150:9814]
:OUTPUT ACCEPT [358:23029]
-A PREROUTING -d xxx.xxx.xxx.0/255.255.255.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.20:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2230 -j DNAT --to-destination 10.10.10.30:22
-A PREROUTING -d xxx.xxx.xxx.9 -p tcp -m tcp --dport 2220 -j DNAT --to-destination 10.10.10.20:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2260 -j DNAT --to-destination 10.10.10.60:22
-A PREROUTING -d xxx.xxx.xxx.0/255.255.255.0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 10.10.10.20:8000
-A PREROUTING -d xxx.xxx.xxx.0/255.255.255.0 -p tcp -m tcp --dport 2250 -j DNAT --to-destination 10.10.10.50:22
-A POSTROUTING -s 10.10.10.0/255.255.255.0 -d ! 10.10.10.0/255.255.255.0 -j SNAT --to-source xxx.xxx.xxx.9
COMMIT
# Completed on Mon Nov 10 19:36:22 2008
# Generated by iptables-save v1.3.6 on Mon Nov 10 19:36:22 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i dummy0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s ! 10.10.10.0/255.255.255.0 -p udp -m udp --dport 514 -j DROP
-A INPUT -s ! 10.10.10.0/255.255.255.0 -p udp -m udp --dport 3551 -j DROP
-A INPUT -p tcp -m tcp --dport 2250 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2230 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2220 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Mon Nov 10 19:36:22 2008
* Re: http PREROUTING works but other ports do not
2008-11-11 1:48 http PREROUTING works but other ports do not mictlan tecutli
@ 2008-11-12 6:09 ` Grant Taylor
2008-11-12 23:02 ` mictlan tecutli
0 siblings, 1 reply; 4+ messages in thread
From: Grant Taylor @ 2008-11-12 6:09 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/10/2008 7:48 PM, mictlan tecutli wrote:
> I'm using iptables v1.2.3. I have a strange problem where I'm using
> essentially the same rules to forward (PREROUTING) various ports in a
> vserver setup with a single static IP (xxx.xxx.xxx). My vservers are on
> the 10.10.10.0 network. With the configuration I've attached to this
> mail, I can view the web pages hosted on 10.10.10.20, but cannot reach
> the SSH servers on the same host, nor those on other hosts. Nor can I
> reach Icecast on port 8000. In the config I've included, you'll see I've
> tried subtle variations on the different hosts. None of the variations
> you see there work.
I can't say for sure, but I do see a few things that are odd.
- You are making reference to both ports 2220 and 2222. Is one of
them a typo?
- I can't tell what your real destination IP is, xxx.xxx.xxx.0/24
(your subnet) or xxx.xxx.xxx.9 (a specific host). I'm going to think
that it's .9 and refer back to the above point.
- Will you please clarify what is your internal and external
interface, eth0 versus what?
- Do you have specific IPs in your network assigned / allocated to
individual virtual servers? Or are you doing everything based on port?
> I'd appreciate any help.
Think about and respond to the above. I can't do much more without
some more information.
Grant. . . .
* Re: http PREROUTING works but other ports do not
2008-11-12 6:09 ` Grant Taylor
@ 2008-11-12 23:02 ` mictlan tecutli
2008-11-26 17:07 ` Grant Taylor
0 siblings, 1 reply; 4+ messages in thread
From: mictlan tecutli @ 2008-11-12 23:02 UTC (permalink / raw)
To: Grant Taylor, Mail List - Netfilter
First of all, thanks for the quick response. I'll attempt to answer your questions as clearly as possible.
> I can't say for sure, but I do see a few things that are odd.
> - You are making reference to both ports 2220 and 2222. Is one of
> them a typo?
Nope, I'm using both of them. I have SSH on port 2222 on the host running the firewall (that is to say, the host hosting the vservers), and port 2220 gets forwarded to 10.10.10.20:22, that is to say the standard SSH port on 10.10.10.20, which is on a virtual interface called dummy0:something. Each vserver has an IP in the 10.10.10.* net, and the external interface is eth0 and corresponds to xxx.xxx.xxx.9.
> - I can't tell what your real destination IP is, xxx.xxx.xxx.0/24
> (your subnet) or xxx.xxx.xxx.9 (a specific host). I'm going to think
> that it's .9 and refer back to the above point.
I've tried using a destination address ("-d") of the specific address (xxx.xxx.xxx.9) and of the subnet (xxx.xxx.xxx.0/24) on different rules, in order to try all the possible variations, hoping that one of them would work :/
> - Will you please clarify what is your internal and external
> interface, eth0 verses what?
eth0 is external and dummy0 is the internal virtual interface.
> - Do you have specific IPs in your network assigned / allocated to
> individual virtual servers? Or are you doing everything based on port?
I have specific IPs (10.10.10.*) assigned to the individual virtual servers. All of the virtual servers run SSH on port 22. On the host, iptables receives a request for, say, port 2220 and sends it on to port 22 at the IP in question (10.10.10.20 in this case).
* Re: http PREROUTING works but other ports do not
2008-11-12 23:02 ` mictlan tecutli
@ 2008-11-26 17:07 ` Grant Taylor
0 siblings, 0 replies; 4+ messages in thread
From: Grant Taylor @ 2008-11-26 17:07 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/12/08 17:02, mictlan tecutli wrote:
> First of all, thanks for the quick response. I'll attempt to answer
> your questions as clearly as possible.
You are welcome. I'm sorry that this reply has been so long in coming,
but I have not had the time to provide a proper reply.
> Nope, I'm using both of them. I have SSH on port 2222 on the host
> running the firewall (that is to say, the host hosting the vservers),
> and port 2220 gets forwarded to 10.10.10.20:22, that is to say the
> standard SSH port on 10.10.10.20, which is on a virtual interface
> called dummy0:something. Each vserver has an IP in the 10.10.10.*
> net, and the external interface is eth0 and corresponds to
> xxx.xxx.xxx.9.
*nod*
> I've tried using a destination address ("-d") of the specific address
> (xxx.xxx.xxx.9) and of the subnet (xxx.xxx.xxx.0/24) on different
> rules, in order to try all the possible variations, hoping that one of
> them would work :/
Hum. I'm betting that it will work when we figure out what is
preventing things from working.
> eth0 is external and dummy0 is the internal virtual interface.
Thank you.
> I have specific IPs (10.10.10.*) assigned to the individual virtual
> servers. All of the virtual servers run SSH on port 22. On the host,
> iptables receives a request for, say, port 2220 and sends it on to
> port 22 at the IP in question (10.10.10.20 in this case).
*nod*
Just to make sure we are on the same page, is it safe to say the following:
- All external access is to the same IP xxx.xxx.xxx.9.
- The host has its ssh high ported to port 2222.
- Each virtual system has an internal IP of 10.10.10.<something>.
- Each virtual system's SSH is high ported to 22<something>, where the
<something> is the last octet of the IP.
(Note that this scheme, nice as it is, will not allow you to have an
internal virtual system at 10.10.10.22.)
(I'm presuming the above is correct for the sake of discussion.)
I would expect this very basic firewall setup to be sufficient for what you
are wanting.
    iptables -t nat -A PREROUTING -i ${EXT} -d xxx.xxx.xxx.9 -p tcp -m tcp --dport 2220 -j DNAT --to-destination 10.10.10.20:22
    iptables -t nat -A PREROUTING -i ${EXT} -d xxx.xxx.xxx.9 -p tcp -m tcp --dport 2230 -j DNAT --to-destination 10.10.10.30:22
    iptables -t nat -A PREROUTING -i ${EXT} -d xxx.xxx.xxx.9 -p tcp -m tcp --dport 2240 -j DNAT --to-destination 10.10.10.40:22
    iptables -t nat -A POSTROUTING -o ${EXT} -j MASQUERADE
    iptables -t filter -P FORWARD DROP
    iptables -t filter -A FORWARD -i ${EXT} -o ${INT} -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A FORWARD -i ${INT} -o ${EXT} -j ACCEPT
    iptables -t filter -A FORWARD -i ${EXT} -o ${INT} -d 10.10.10.20 -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -t filter -A FORWARD -i ${EXT} -o ${INT} -d 10.10.10.30 -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -t filter -A FORWARD -i ${EXT} -o ${INT} -d 10.10.10.40 -p tcp -m tcp --dport 22 -j ACCEPT
If you can, please try this type of firewall rule set to see if things
work. I'm wondering if there is not something else in play that is
interfering with the result you want.
This is a very minimalist iptables firewall that does very simple
stateful filtering. You will likely want to filter inbound traffic to
the host (traffic that is not forwarded to any virtual systems). You may
even want to, and possibly should, filter outbound traffic from the
virtual systems.
A suggestion. If you do egress filtering, I'd add the following rule to
the end of the filter table FORWARD chain:
    iptables -t filter -A FORWARD -i ${INT} -o ${EXT} -s 10.10.10.0/24 -j REJECT
This will allow your firewall to send ICMP notifications back to
internal systems immediately if their outbound traffic is rejected, thus
(hopefully) preventing timeouts and other weird errors.
You may want to REJECT traffic on the external interface as well,
however this practice is questionable. IMHO I think this is a nice idea
(same reason as you want to use it internally) but there are
implications to doing it, not the least of which include bandwidth and /
or participating in (D)DoS attacks.
Additionally, you may want to do the following two rules that allow the
virtual systems to be able to reach each other via the external address.
- Remove the "-i ${EXT}" from the nat table PREROUTING chain to allow
the rules to operate on inbound and outbound traffic.
- Add the following rule to your nat table POSTROUTING chain to
support this and avoid the "TCP Triangle".
    iptables -t nat -A POSTROUTING -o ${INT} -s 10.10.10.0/24 -d 10.10.10.0/24 -j MASQUERADE
Refer to other posts in the mailing list archive to understand why.
Grant. . . .
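The thread ends without a diagnosis, so here is an added worked example (not part of the thread, and not any poster's code) that models the path netfilter actually takes for the ruleset attached to the first message. nat PREROUTING runs before the routing decision and before the filter INPUT/FORWARD chains, so those chains match on the translated destination: a client's SYN to xxx.xxx.xxx.9:2220 reaches the filter table as a packet to 10.10.10.20:22. The INPUT rules that accept --dport 2220/2230/2250 therefore never match, port 8000 has no accept at all, and port 80 works only because its DNAT keeps the port number. Because the vserver addresses live on the host's own dummy0 interface, the kernel delivers the DNAT'd packets locally (INPUT) rather than through FORWARD, which is also why the FORWARD-only ruleset proposed in the last message would not by itself change the outcome on this host. Assumptions made here: the redacted prefix is replaced by the documentation prefix 192.0.2.0/24, the client source is 203.0.113.5, the rules are trimmed to the relevant nat and filter lines, and the parser covers only the options the post uses.

```python
# Added example: trace one inbound TCP SYN through nat PREROUTING and then the filter table
# for an iptables-save dump, to see which DNAT'd ports the filter chains actually let through.
import ipaddress

# Rules copied from the post's attachment (trimmed); xxx.xxx.xxx.0/24 replaced by 192.0.2.0/24 (assumption).
RULESET = """\
*nat
-A PREROUTING -d 192.0.2.0/255.255.255.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.20:80
-A PREROUTING -d 192.0.2.9 -p tcp -m tcp --dport 2220 -j DNAT --to-destination 10.10.10.20:22
-A PREROUTING -d 192.0.2.0/255.255.255.0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 10.10.10.20:8000
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 2220 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
TERMINAL = ("ACCEPT", "DROP", "REJECT", "DNAT")

def parse(text):
    """iptables-save text -> {table: {"policy": {chain: policy}, "rules": [rule dicts]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            table["policy"][line[1:].split()[0]] = line.split()[1]
        elif line.startswith("-A "):
            table["rules"].append(parse_rule(line.split()))
    return tables

def parse_rule(tok):
    """Parse the subset of iptables syntax the post uses into {option: value}; other options are skipped."""
    r, i = {"chain": tok[1]}, 2
    while i < len(tok):
        t, a = tok[i], tok[i + 1] if i + 1 < len(tok) else None
        if t in ("-s", "-d") and a == "!":  # "!" before the address negates the match
            r[t], i = (True, ipaddress.ip_network(tok[i + 2])), i + 1
        elif t in ("-s", "-d"):
            r[t] = (False, ipaddress.ip_network(a))
        elif t == "--tcp-flags":  # two arguments: the mask, then the flags that must be set within it
            r[t], i = (set(a.split(",")), set(tok[i + 2].split(","))), i + 1
        elif t == "--dport":
            r[t] = int(a)
        elif t == "--state":
            r[t] = set(a.split(","))
        elif t in ("-j", "--to-destination", "-i", "-p"):
            r[t] = a
        i += 2  # "-m <module>" and "--reject-with <type>" are consumed here without being modelled
    return r

def matches(r, pkt):
    """Does rule r match pkt, a dict describing one packet?"""
    if r.get("-i", pkt["iface"]) != pkt["iface"] or r.get("-p", pkt["proto"]) != pkt["proto"]:
        return False
    if r.get("--dport", pkt["dport"]) != pkt["dport"] or pkt["state"] not in r.get("--state", {pkt["state"]}):
        return False
    if "--tcp-flags" in r and (pkt["flags"] & r["--tcp-flags"][0]) != r["--tcp-flags"][1]:
        return False
    for opt, field in (("-s", "src"), ("-d", "dst")):  # stored value is (negated?, network)
        if opt in r and (ipaddress.ip_address(pkt[field]) in r[opt][1]) == r[opt][0]:
            return False
    return True

def first_hit(table, chain, pkt):  # first terminating rule that matches, or None (chain policy applies)
    return next((r for r in table["rules"] if r["chain"] == chain and r.get("-j") in TERMINAL and matches(r, pkt)), None)

def trace(tables, pkt, local_nets):
    """nat PREROUTING -> routing decision -> filter INPUT or FORWARD. Returns (chain, dst, dport, verdict)."""
    pkt, hit = dict(pkt), first_hit(tables["nat"], "PREROUTING", pkt)
    if hit and hit["-j"] == "DNAT":  # rewrite the destination the way the kernel does before routing
        ip, _, port = hit["--to-destination"].partition(":")
        pkt["dst"], pkt["dport"] = ip, int(port or pkt["dport"])
    # the kernel delivers locally (INPUT) when it owns the destination address, otherwise it FORWARDs
    chain = "INPUT" if any(ipaddress.ip_address(pkt["dst"]) in n for n in local_nets) else "FORWARD"
    hit = first_hit(tables["filter"], chain, pkt)
    return chain, pkt["dst"], pkt["dport"], hit["-j"] if hit else tables["filter"]["policy"][chain]

def check_dnat_ports(tables, ext_addr, local_nets):
    """Fire one fresh external SYN at every DNAT'd port; returns {original port: trace result}."""
    nets, results = [ipaddress.ip_network(n) for n in local_nets], {}
    for r in tables["nat"]["rules"]:
        if r["chain"] == "PREROUTING" and r.get("-j") == "DNAT":
            pkt = {"iface": "eth0", "proto": "tcp", "dport": r["--dport"], "src": "203.0.113.5",
                   "dst": ext_addr, "flags": {"SYN"}, "state": "NEW"}  # constructed client SYN
            results[r["--dport"]] = trace(tables, pkt, nets)
    return results

def missing_accepts(results):
    """The filter rule each rejected DNAT target would need: it must match the translated destination."""
    return [f"-A {c} -d {d} -p tcp -m tcp --dport {p} -j ACCEPT" for c, d, p, v in results.values() if v != "ACCEPT"]

if __name__ == "__main__":  # 10.10.10.x sits on the host's dummy0 (Linux-VServer), so it is a local address
    res = check_dnat_ports(parse(RULESET), "192.0.2.9", ["10.10.10.0/24"])
    print(*(f":{p} -> {d}:{dp} in {c}: {v}" for p, (c, d, dp, v) in sorted(res.items())), *missing_accepts(res), sep="\n")
```

Run as a script it prints a verdict per DNAT'd port (80 accepted, 2220 and 8000 rejected) followed by the INPUT rules that would accept the translated destinations, i.e. `-d 10.10.10.20 --dport 22` and `-d 10.10.10.20 --dport 8000`, not `--dport 2220`. Passing an empty local_nets list models routed guests with their own network stacks; the same packets then go to FORWARD and its policy or rules decide, which is the situation the FORWARD-based ruleset in the last message is written for. The model also makes one weakness of the posted filter visible: `--tcp-flags ACK ACK -j ACCEPT` never helps a new connection's SYN, yet it accepts any segment carrying ACK from any source, so it is a weaker substitute for the state match just above it rather than a complement to it.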
Thread overview: 4+ messages
2008-11-11 1:48 http PREROUTING works but other ports do not mictlan tecutli
2008-11-12 6:09 ` Grant Taylor
2008-11-12 23:02 ` mictlan tecutli
2008-11-26 17:07 ` Grant Taylor