Port Forwarding

Port Forwarding

[jen140]

Hello.
I am running Debian(5.0.3), and have kernel version: 2.6.26-2-686.
And I have just installed the iptables v1.4.5.
After  searching for help on debian and ubuntu forums, i didnt get any
response, so I'm writing here.
My network configuration is next:
eth0 is my internet interface and has dinamic ip(83.x.x.x).
eth1 is my intranet interface and has static ip(192.168.0.1).
The server machine(thise pc) shares internet with other machines.
At debian start iptables has the next config:
iptables -P FORWARD ACCEPT
iptables --table nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
So now getting to the problem.
I  wanted  to configure port forwarding, and forward port 135 from Any
address  that  comes from eth0 (internet) to ip 192.168.0.200 and same
port(135).
I've tryied running the next:
iptables -F
iptables -t nat -F
iptables -P FORWARD ACCEPT
iptables --table nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --table nat -A PREROUTING --in-interface eth0 -j DNAT -p tcp --dport 135 --to 192.168.0.200:135
But   the   problem   is   that  it  is  filtered  (I  check  it  with
nmap-online.com service).
Am i doing anything wrong or my kernel doesnt support it ?
Thanks in advance.
Have a good day.

Re: Port Forwarding

[John A. Sullivan III]

On Sun, 2009-10-11 at 01:30 +0100, jen140@gmail.com wrote:
> Hello.
> I am running Debian(5.0.3), and have kernel version: 2.6.26-2-686.
> And I have just installed the iptables v1.4.5.
> After  searching for help on debian and ubuntu forums, i didnt get any
> response, so I'm writing here.
> My network configuration is next:
> eth0 is my internet interface and has dinamic ip(83.x.x.x).
> eth1 is my intranet interface and has static ip(192.168.0.1).
> The server machine(thise pc) shares internet with other machines.
> At debian start iptables has the next config:
> iptables -P FORWARD ACCEPT
> iptables --table nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
> So now getting to the problem.
> I  wanted  to configure port forwarding, and forward port 135 from Any
> address  that  comes from eth0 (internet) to ip 192.168.0.200 and same
> port(135).
> I've tryied running the next:
> iptables -F
> iptables -t nat -F
> iptables -P FORWARD ACCEPT
> iptables --table nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
> iptables --table nat -A PREROUTING --in-interface eth0 -j DNAT -p tcp --dport 135 --to 192.168.0.200:135
> But   the   problem   is   that  it  is  filtered  (I  check  it  with
> nmap-online.com service).
> Am i doing anything wrong or my kernel doesnt support it ?
> Thanks in advance.
> Have a good day.
<snip>
Have you checked to make sure the rule is actually loading (iptables -v
-n -t nat -L PREROUTING)? I haven't checked it but I'm not sure if you
need to place the argument to DNAT immediately after it for it to be
understood, in other words:
iptables -t nat -A PREROUTING -i eth0 -p 6 --dport 135 -j DNAT
--to-destination 192.168.0.200

I'd also be very careful about allowing Internet access to port 135; it
is a very dangerous port.  It also tends to then map the service to
another port - how will you allow that port in?

I also usually do not set the FORWARD POLICY to ACCEPT.  I set it to
DROP and then explicitly allow any traffic from the outside world in.
Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

Re: Port Forwarding

[Brian Austin - Standard Universal]

and dont forget to enable ip forwarding, or nothing will get through!



jen140@gmail.com wrote:
> Hello.
> I am running Debian(5.0.3), and have kernel version: 2.6.26-2-686.
> And I have just installed the iptables v1.4.5.
> After  searching for help on debian and ubuntu forums, i didnt get any
> response, so I'm writing here.
> My network configuration is next:
> eth0 is my internet interface and has dinamic ip(83.x.x.x).
> eth1 is my intranet interface and has static ip(192.168.0.1).
> The server machine(thise pc) shares internet with other machines.
> At debian start iptables has the next config:
> iptables -P FORWARD ACCEPT
> iptables --table nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
> So now getting to the problem.
> I  wanted  to configure port forwarding, and forward port 135 from Any
> address  that  comes from eth0 (internet) to ip 192.168.0.200 and same
> port(135).
> I've tryied running the next:
> iptables -F
> iptables -t nat -F
> iptables -P FORWARD ACCEPT
> iptables --table nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
> iptables --table nat -A PREROUTING --in-interface eth0 -j DNAT -p tcp --dport 135 --to 192.168.0.200:135
> But   the   problem   is   that  it  is  filtered  (I  check  it  with
> nmap-online.com service).
> Am i doing anything wrong or my kernel doesnt support it ?
> Thanks in advance.
> Have a good day.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>   

Re: Port Forwarding

[Pascal Hambourg]

Hello,

jen140@gmail.com a écrit :
> I  wanted  to configure port forwarding, and forward port 135 from Any
> address  that  comes from eth0 (internet) to ip 192.168.0.200 and same
> port(135).
[...]
> But   the   problem   is   that  it  is  filtered  (I  check  it  with
> nmap-online.com service).

Did you check with a packet sniffer that these packets are actually
received by the internet interface ? They may be filtered by either your
ISP or the sender's ISP.

Re: Port Forwarding

[jen140]

It is enabled.
jen140@server:~$ cat /proc/sys/net/ipv4/ip_forward
1
But still doesnt work =(.

Re: Port Forwarding

[jen140]

Thanks for your fast responses.
First of all i checked all the next rules:
iptables -A tcp_packets -p TCP -s 0/0 --dport 139 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 139 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 83.132.157.x --dport 139 -j DNAT --to 192.168.0.200:139
//filtered <-
iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 139 -j DNAT --to 192.168.0.200:139
//filtered <-
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 83.132.157.x --dport 139 -j DNAT --to 192.168.0.200:139
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.200 --dport 139 -j ACCEPT
//closed <- host down
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 139 -j DNAT --to 192.168.0.200:139
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.200 --dport 139 -j ACCEPT
//filtered <-
iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 139 -j DNAT --to 192.168.0.200:139
iptables -A FORWARD -p tcp -i eth0 -d 83.132.157.x --dport 139 -j ACCEPT
//filtered <- host down
iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 139 -j DNAT --to 192.168.0.200:139
iptables -A FORWARD -p tcp -i eth0 --dport 139 -j ACCEPT
//filtered
With my friend's help.
And none of them directed the output.
There  is  no  problem  to  forward  the  port 139, because it will be
forwarded to a honeypot machine =) (running on virtualbox).
When  started  to  test  with the ipmasq the host stopped to listen on
other  ports  (ssh  for  lan for example),but connection sharing still
works.
And my friend couldnt connect to the host.

Port Forwarding

[Barry A Rich]

Our basic configuration load balances connections across two uplink modems.
The IP addressing looks like this:

                    |-------------| 192.168.4.1         192.168.4.2
        192.160.0.1 |        eth1 |-------------------------------- Modem 1
LAN ----------------| eth0        |
                    |        eth2 |-------------------------------- Modem 2
                    |-------------| 192.168.5.1         192.168.5.2


The basic setup for the load balancing is as follows:

iptables -A INPUT -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0 -j ACCEPT

iptables -A INPUT -i eth1 -s 192.168.4.0/24 -d 0.0.0.0/0 -j ACCEPT

iptables -A INPUT -i eth2 -s 192.168.5.0/24 -d 0.0.0.0/0 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -o eth0 -s 192.168.4.1 -d 192.168.0.0/24 -j ACCEPT

iptables -A OUTPUT -o eth0 -s 192.168.5.1 -d 192.168.0.0/24 -j ACCEPT

iptables -A OUTPUT -o eth1 -s 192.168.4.1 -d 0.0.0.0/0 -j ACCEPT

iptables -A OUTPUT -o eth2 -s 192.168.5.1 -d 0.0.0.0/0 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.4.1

iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.5.1

ip route add 192.168.4.2 dev eth1 table uplink1

ip route add default via 192.168.4.1 table uplink1

ip route add 192.168.5.2 dev eth1 table uplink2

ip route add default via 192.168.5.1 table uplink2

ip route add 192.168.4.2 dev eth1

ip route add 192.168.5.2 dev eth2

ip rule add from 192.168.4.1 table uplink1

ip rule add from 192.168.5.1 table uplink2

ip route add default scope global nexthop dev eth1 weight 1 nexthop dev eth2
weight 1

This is all working. Connections are balanced across the uplinks. It turns
out the modems have a TCP control port (5000). The port number cannot be
changed on the modems. I want LAN hosts to be able to connect to both modem
control ports. The port number can be changed on the host software, so I
assigned different ports on the LAN (5000 and 5001) and tried to redirect
the ports as follows:

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 5000 -j DNAT
--to 192.168.4.2:5000

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 5001 -j DNAT
--to 192.168.5.2:5000

It does not work and I'm not sure what's wrong. What is the correct way to
do this?

Thanks.

Re: Port Forwarding

[Aleksander Kamenik]

Barry A Rich wrote:
> iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 5000 -j DNAT
> --to 192.168.4.2:5000
> 
> iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 5001 -j DNAT
> --to 192.168.5.2:5000
> 
> It does not work and I'm not sure what's wrong. What is the correct way to
> do this?

I'd say your modems don't know nothing about the 192.168.0.x subnet, so 
they route the reply packets via their default route which is the ISP's 
gateway.

If you can add the 192.168.0.x route to the modem, you might be fine.

Or you could SNAT the packets going to the modems (in addition to the 
DNAT) as if they are from 192.168.4.x and 192.168.5.x respectively.

Though I have to say it, do you really need the 192.168.4/5.x subnets?

Regards,

-- 

Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: aleksander@krediidiinfo.ee

http://www.krediidiinfo.ee/
http://www.experiangroup.com/

Port forwarding

[Błażej Ślusarek]

Hello, could anyone help me to enable port forwarding on a server
which default policies are PREROUTING DROP and FORWARD DROP? I'm
actually asking for a correct set of instructions.

Thanks.

Re: Port forwarding

[Elvir Kuric]

Hi Blazej,

take a look in : http://iptables-tutorial.frozentux.net/iptables-tutorial.html

it is super place for reference,

Nice regards,

Elvir Kuric

On Sat, Dec 13, 2008 at 12:33 AM, B³a¿ej ¦lusarek <beju@beju.xon.pl> wrote:
> Hello, could anyone help me to enable port forwarding on a server
> which default policies are PREROUTING DROP and FORWARD DROP? I'm
> actually asking for a correct set of instructions.
>
> Thanks.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: Port forwarding

[Błażej Ślusarek]

Does really nobody know how to do port forwarding?

Re: Port forwarding

[Ivan Petrushev]

I think lots of people know how to forward ports.
Default policy doesn't concern you - it is DEFAULT. Once you add rules
that match the desired packets these rules do something and it is not
the default chain action.
Here is example port forwarding:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 27015 -j
DNAT --to-destination 192.168.0.34
iptables -t nat -A PREROUTING -p udp -d 192.168.1.2 --dport 27015 -j
DNAT --to-destination 192.168.0.34
And if your default FORWARD policy is DROP, then you should change it
to ACCEPT for the matched by the upper rules packets:
iptables -I FORWARD -d 192.168.1.2 -j ACCEPT

Port forwarding

[Stian B. Barmen]

[-- Attachment #1: Type: text/plain, Size: 1475 bytes --]

I am wondering how to enable port forwarding from a DMZ to an internal 
network. The machine forwarding is just a normal Linux machine, no firewall in 
the DMZ, and I want it to forward one port to an internal machine on the 
intenal network. Note, the DMZ machine has only one network card, the network 
with the internal machine is behind the firewall, and another router. 
Connectivity from the DMZ machine to the internal machine works.

Here is my ipables:

# Generated by iptables-save v1.3.4 on Tue Feb 28 14:24:10 2006
*nat
:PREROUTING ACCEPT [1014:84065]
:POSTROUTING ACCEPT [1243:92537]
:OUTPUT ACCEPT [1237:92240]
-A PREROUTING -d 217.20.20.160 -i eth0 -p tcp -m tcp --dport 81 -j 
DNAT --to-destination 10.22.0.79:8081
COMMIT
# Completed on Tue Feb 28 14:24:10 2006
# Generated by iptables-save v1.3.4 on Tue Feb 28 14:24:10 2006
*filter
:INPUT ACCEPT [124031010:45151447581]
:FORWARD ACCEPT [12:576]
:OUTPUT ACCEPT [155888838:182283994852]
COMMIT
# Completed on Tue Feb 28 14:24:10 2006

I just used the command:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 217.20.20.160 --dport 81 -j 
DNAT --to 10.22.0.79:8081

# cat /proc/sys/net/ipv4/ip_forward
1

Also I enabled ip_forward.

But when I try to connect to 217.20.20.160:81 it just times out waiting for an 
answer. Do I need more in this minimalistic setup to make it work?

Note, the ip addresses are bogus, but representative. (the 217 is public ip 
and the 10 is private)

Best regards
Stian B. Barmen

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 4490 bytes --]

port forwarding

[DurgaPrasad Adusumalli]

I am trying to use iptables firewall in an environment where there is
lot of incoming traffic destined to different web servers,ftp servers
running on different machine in LAN. I have done this using port
forwarding.

The problem I face with this is very frequently the rules go on and
off. They do not work but are listed when iptables -L -n command is
issued.

Can anyone please suggest any additional modules that I may need to
use apart  from ip_nat,ip_conntrack, ip_nat_ftp and ip_conntrack_ftp.

Thanks in advance.
Durga Prasad.

Re: port Forwarding

[diadicic]

Cool, I ll give that a try.

Sorry about the typo in the SNAT statment

Thanks again.

----- Original Message -----
From: Jason Opperisano <opie@817west.com>
Date: Tuesday, November 16, 2004 11:48 am
Subject: Re: port Forwarding

> On Tue, 2004-11-16 at 11:44, diadicic@optonline.net wrote:
> > Can someone help me understand this?
> > 
> >   I have a firewall setup up with two nic's in it.
> > 
> >                1 eth0 24.190.x.x  which is my Internet connection
> >                2 eth1 172.16.12.165 which is a local area network.
> > 
> >               I have a web server at 172.16.12.160  “I hope thats 
> clear”> 
> >     Now if I port forward this way it will not work.
> > 
> >              “iptables -A PREROUTING -i eth0 -t nat -p tcp –dport 
> 80 -j DNAT –to 
> >                 172.16.12.160:80”
> >                “iptables -A FORWARD -p tcp -d 172.16.12.160 
> –dport 80 -i eth0 -o eth1 
> >                  -j ACCEPT”
> > 
> > 
> > But if I do it this way It will work:
> > 
> >                  “iptables -t nat  -A PREROUTING -p tcp –dport 80 
> -d 24.190.x.x -i eth0 -j   
> >                    DNAT --to-destination 172.16.12.160  
> 172.16.12.160”> 
> >                    “iptables -A POSTROUTING -p tcp –dport 80 -d 
> 172.16.12.160 -j SNAT -o    
> >                      eth1 –to-source 172.16.12.165”
> > 
> > 
> > Could anyone please explain why the first way did not work, all 
> the directions I read claim that is how to port forward.
> 
> because the default gateway of 172.16.12.160 is not 172.16.12.165?
> 
> -j
> 
> --
> "Oh, so they have internet on computers now!"
> 	--The Simpsons
> 
> 
>

port Forwarding

[diadicic]

Can someone help me understand this?

  I have a firewall setup up with two nic's in it.

               1 eth0 24.190.x.x  which is my Internet connection
               2 eth1 172.16.12.165 which is a local area network.

              I have a web server at 172.16.12.160  “I hope thats clear”

    Now if I port forward this way it will not work.

             “iptables -A PREROUTING -i eth0 -t nat -p tcp –dport 80 -j DNAT –to 
                172.16.12.160:80”
               “iptables -A FORWARD -p tcp -d 172.16.12.160 –dport 80 -i eth0 -o eth1 
                 -j ACCEPT”


But if I do it this way It will work:

                 “iptables -t nat  -A PREROUTING -p tcp –dport 80 -d 24.190.x.x -i eth0 -j   
                   DNAT --to-destination 172.16.12.160  172.16.12.160”

                   “iptables -A POSTROUTING -p tcp –dport 80 -d 172.16.12.160 -j SNAT -o    
                     eth1 –to-source 172.16.12.165”


Could anyone please explain why the first way did not work, all the directions I read claim that is how to port forward.


Any help is appreciated



Thanks 
Dominic Iadicicco

Re: port Forwarding

[Jason Opperisano]

On Tue, 2004-11-16 at 11:44, diadicic@optonline.net wrote:
> Can someone help me understand this?
> 
>   I have a firewall setup up with two nic's in it.
> 
>                1 eth0 24.190.x.x  which is my Internet connection
>                2 eth1 172.16.12.165 which is a local area network.
> 
>               I have a web server at 172.16.12.160  “I hope thats clear”
> 
>     Now if I port forward this way it will not work.
> 
>              “iptables -A PREROUTING -i eth0 -t nat -p tcp –dport 80 -j DNAT –to 
>                 172.16.12.160:80”
>                “iptables -A FORWARD -p tcp -d 172.16.12.160 –dport 80 -i eth0 -o eth1 
>                  -j ACCEPT”
> 
> 
> But if I do it this way It will work:
> 
>                  “iptables -t nat  -A PREROUTING -p tcp –dport 80 -d 24.190.x.x -i eth0 -j   
>                    DNAT --to-destination 172.16.12.160  172.16.12.160”
> 
>                    “iptables -A POSTROUTING -p tcp –dport 80 -d 172.16.12.160 -j SNAT -o    
>                      eth1 –to-source 172.16.12.165”
> 
> 
> Could anyone please explain why the first way did not work, all the directions I read claim that is how to port forward.

because the default gateway of 172.16.12.160 is not 172.16.12.165?

-j

--
"Oh, so they have internet on computers now!"
	--The Simpsons

Port forwarding

[Mike]

Hi All

I bet this has been asked many times before but I have searched and
searched trying to find the answer.

Is it possible to port forward one port from the outside world to many
clients inside the LAN. I have it working fine for single addresses and
it seems I can list each IP forward individually so that
narc-forward.conf ends up huge as each line goes in for each IP address
on the network with the same port.

The question basically is to find out if there is anyway that a range of
IP addresses can be stipulated easily in narc-forward.conf???

Mike

Re: Port forwarding

[Jason Opperisano]

On Thu, 2004-10-28 at 00:30, Mike wrote:
> Hi All
> 
> I bet this has been asked many times before but I have searched and
> searched trying to find the answer.
> 
> Is it possible to port forward one port from the outside world to many
> clients inside the LAN. I have it working fine for single addresses and
> it seems I can list each IP forward individually so that
> narc-forward.conf ends up huge as each line goes in for each IP address
> on the network with the same port.
> 
> The question basically is to find out if there is anyway that a range of
> IP addresses can be stipulated easily in narc-forward.conf???
> 
> Mike

no.  the quad of:

src_ip:src_port,dst_ip:dst_port

is unique.

once you create a rule that says "translate packets from any IP address
destined for 1.2.3.4:80 to 5.6.7.8:80" no other rule that tries to map
1.2.3.4:80 will match.

this is not a limitation of netfilter--just a fact of life.

you either need (a) more public IP's, or (b) some sort of
application-level proxy that can redirect the traffic to multiple hosts
based on the application-level data.

in the case of HTTP, you could use squid or apache+mod_rewrite to take a
single and redirect to multiple servers based on host-header
redirection, or full URL rewriting.

-j

-- 
Jason Opperisano <opie@817west.com>

RE: Port forwarding

[Jason Opperisano]

On Fri, 2004-09-17 at 09:52, KUCKAERTZ Régis - NVISION wrote:
> > is it possible that $REAL_IP is a local IP address on the 
> > machine running netfilter?  the reason i ask is that the 
> > packet counters on the FORWARD chain are zero (whereas INPUT 
> > and OUTPUT are over 40000).
> 
> Unfortunately, it is not. Really weird, since packets are correctly DNAT'ed
> _before_ going through the filter rules, then the kernel should detect that
> they are not intended to it, neh?
> 
> I tried tcpdump'ing the $REAL_IP and $REAL_PORT, but then nothing matched
> the filter.
> 
> I must have forgot one thing, since _it worked_ in the past!! :'(
> 
> Thanks for your help!
> 

stupid question:  is IP forwarding enabled (sysctl net.ipv4.ip_forward)?

'nother stupid question:  is routing correctly configured from the
netfilter machine to $REAL_MACHINE; i.e., can you ping $REAL_IP from the
netfilter machine?

-j

-- 
Jason Opperisano <opie@817west.com>

RE: Port forwarding

[KUCKAERTZ Régis - NVISION]

> stupid question:  is IP forwarding enabled (sysctl 
> net.ipv4.ip_forward)?

argh, last week there was a maintenance cycle in our datacenter and every
machine was rebooted. I thought

echo "1" > /proc/sys/net/ipv4/ip_forward

would be persistant but I was wrong. Also I forgot to check if it was still
there after the reboot. Really sorry, this is time lost!

Thank you very much, good job!

Régis

Re: Port forwarding

[Mohamed Eldesoky]

you can set it in /etc/sysctl.conf


On Fri, 17 Sep 2004 16:09:59 +0200, KUCKAERTZ Régis - NVISION
<regis@nvision.lu> wrote:
> > stupid question:  is IP forwarding enabled (sysctl
> > net.ipv4.ip_forward)?
> 
> argh, last week there was a maintenance cycle in our datacenter and every
> machine was rebooted. I thought
> 
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> would be persistant but I was wrong. Also I forgot to check if it was still
> there after the reboot. Really sorry, this is time lost!
> 
> Thank you very much, good job!
> 
> Régis
> 
> 



-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE

RE: Port forwarding

[Jason Opperisano]

On Fri, 2004-09-17 at 09:23, KUCKAERTZ Régis - NVISION wrote:
> $ iptables -vnxL -t nat; iptables -vnxL -t mangle; iptables -vnxL
> 
> # nat table
> Chain PREROUTING (policy ACCEPT 2439 packets, 148991 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination         
>       17       1020 DNAT       tcp  --  *      *       0.0.0.0/0
> $MASK_IP         tcp dpt:$MASK_PORT to:$REAL_IP:$REAL_PORT 
> 
> Chain POSTROUTING (policy ACCEPT 741 packets, 45651 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination         
>        0          0 SNAT       tcp  --  *      *       0.0.0.0/0
> $REAL_IP         tcp dpt:$REAL_PORT to:$MASK_IP 
> 
> Chain OUTPUT (policy ACCEPT 741 packets, 45651 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination         
> 
> # mangle table
> Chain PREROUTING (policy ACCEPT 1567265 packets, 1105330580 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination         
> 
> Chain OUTPUT (policy ACCEPT 1181535 packets, 615648770 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination         
> 
> # filter table
> Chain INPUT (policy ACCEPT 44233 packets, 9251612 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination         
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination         
>        0          0 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0          state RELATED,ESTABLISHED 
>        0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0
> $REAL_IP           tcp dpt:$REAL_PORT
> 
> Chain OUTPUT (policy ACCEPT 41927 packets, 30331854 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination   

is it possible that $REAL_IP is a local IP address on the machine
running netfilter?  the reason i ask is that the packet counters on the
FORWARD chain are zero (whereas INPUT and OUTPUT are over 40000).

-j

-- 
Jason Opperisano <opie@817west.com>

RE: Port forwarding

[KUCKAERTZ Régis - NVISION]

> is it possible that $REAL_IP is a local IP address on the 
> machine running netfilter?  the reason i ask is that the 
> packet counters on the FORWARD chain are zero (whereas INPUT 
> and OUTPUT are over 40000).

Unfortunately, it is not. Really weird, since packets are correctly DNAT'ed
_before_ going through the filter rules, then the kernel should detect that
they are not intended to it, neh?

I tried tcpdump'ing the $REAL_IP and $REAL_PORT, but then nothing matched
the filter.

I must have forgot one thing, since _it worked_ in the past!! :'(

Thanks for your help!

> 
> -j
> 
> --
> Jason Opperisano <opie@817west.com>
> 
> 

Re: Port forwarding

[Jason Opperisano]

On Fri, 2004-09-17 at 08:32, KUCKAERTZ Régis - NVISION wrote:
> Halo,
> 
> I've set up rules so that packets sent to $MASK_IP:$MASK_PORT are forwarded
> to $REAL_IP:$REAL_PORT with the source address being replaced by $MASK_IP:
> 
> # 1. Changing destination address
> $IPTABLES -t nat -A PREROUTING -p tcp --dest $MASK_IP --dport $MASK_PORT -j
> DNAT --to-destination $REAL_IP:$REAL_PORT
> 
> # 2. Accepting forwarded packets
> $IPTABLES -A FORWARD -p tcp --dest $REAL_IP --dport $REAL_PORT -j ACCEPT

if that's your only FORWARD rule, and the POLICY of FORWARD is set to
DROP--you're not allowing reply packets back through the machine (SYN's
will get through, but SYN-ACK's will be blocked).

  iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

would help in this situation.

> # 3. IP masquerading after filtering
> $IPTABLES -t nat -A POSTROUTING --dest $REAL_IP --dport $REAL_PORT -j SNAT
> --to-source $MASK_IP
> 
> 
> When I telnet on $MASK_IP:$MASK_PORT, it's hanging... I tried sniffing with
> tcpdump (although I must honestly confess that I don't know if the following
> request is good), and here is what I got:

um--where are you telnet-ing from, and where are you tcdump-ing at?

> $TCPDUMP \(dst host $MASK_IP and dst port $MASK_PORT\) or \(src host
> $MASK_IP and src port $MASK_PORT\)

that filter is overly complicated:

  $TCPDUMP host $MASK_IP and port $MASK_PORT

is equivalent to what you're trying to capture.

> tcpdump: listening on eth0
> 14:32:28.568875 x.x.x.x.46569 > $REAL_IP.$REAL_PORT: S
> 2813621631:2813621631(0) win 5840 <mss 1460,sackOK,timestamp 46292274
> 0,nop,wscale 0> (DF) [tos 0x10] 
> 14:32:31.568875 x.x.x.x.46569 > $REAL_IP.$REAL_PORT: S
> 2813621631:2813621631(0) win 5840 <mss 1460,sackOK,timestamp 46292574
> 0,nop,wscale 0> (DF) [tos 0x10] 
> 14:32:37.568875 x.x.x.x.46569 > $REAL_IP.$REAL_PORT: S
> 2813621631:2813621631(0) win 5840 <mss 1460,sackOK,timestamp 46293174
> 0,nop,wscale 0> (DF) [tos 0x10] 

if your BPF specifies $MASK_IP and $MASK_PORT why is your capture
showing $REAL_IP and $REAL_PORT?  those packets shouldn't even match the
filter...

> Nothing seems to get back... any idea?

it *never* hurts to provide us with:

  iptables -vnxL -t nat; iptables -vnxL -t mangle; iptables -vnxL

-j

-- 
Jason Opperisano <opie@817west.com>

RE: Port forwarding

[KUCKAERTZ Régis - NVISION]

> if that's your only FORWARD rule, and the POLICY of FORWARD 
> is set to DROP--you're not allowing reply packets back 
> through the machine (SYN's will get through, but SYN-ACK's 
> will be blocked).
> 
>   iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> would help in this situation.

Did it, but nothing changed

> um--where are you telnet-ing from, and where are you tcdump-ing at?

I'm telnet'ing on a different host (otherwise I would have set the
appropriate rule in the OUTPUT chain), but I do the dump on the "gateway"

>   $TCPDUMP host $MASK_IP and port $MASK_PORT
> 
> is equivalent to what you're trying to capture.

Thanks!!

> if your BPF specifies $MASK_IP and $MASK_PORT why is your 
> capture showing $REAL_IP and $REAL_PORT?  those packets 
> shouldn't even match the filter...

Maybe that's because I do the dump on the same machine that does the DNAT?

I hope what follows will help you spot my mistake!

Régis

$ iptables -vnxL -t nat; iptables -vnxL -t mangle; iptables -vnxL

# nat table
Chain PREROUTING (policy ACCEPT 2439 packets, 148991 bytes)
    pkts      bytes target     prot opt in     out     source
destination         
      17       1020 DNAT       tcp  --  *      *       0.0.0.0/0
$MASK_IP         tcp dpt:$MASK_PORT to:$REAL_IP:$REAL_PORT 

Chain POSTROUTING (policy ACCEPT 741 packets, 45651 bytes)
    pkts      bytes target     prot opt in     out     source
destination         
       0          0 SNAT       tcp  --  *      *       0.0.0.0/0
$REAL_IP         tcp dpt:$REAL_PORT to:$MASK_IP 

Chain OUTPUT (policy ACCEPT 741 packets, 45651 bytes)
    pkts      bytes target     prot opt in     out     source
destination         

# mangle table
Chain PREROUTING (policy ACCEPT 1567265 packets, 1105330580 bytes)
    pkts      bytes target     prot opt in     out     source
destination         

Chain OUTPUT (policy ACCEPT 1181535 packets, 615648770 bytes)
    pkts      bytes target     prot opt in     out     source
destination         

# filter table
Chain INPUT (policy ACCEPT 44233 packets, 9251612 bytes)
    pkts      bytes target     prot opt in     out     source
destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source
destination         
       0          0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0
$REAL_IP           tcp dpt:$REAL_PORT

Chain OUTPUT (policy ACCEPT 41927 packets, 30331854 bytes)
    pkts      bytes target     prot opt in     out     source
destination   

Port forwarding

[KUCKAERTZ Régis - NVISION]

Halo,

I've set up rules so that packets sent to $MASK_IP:$MASK_PORT are forwarded
to $REAL_IP:$REAL_PORT with the source address being replaced by $MASK_IP:

# 1. Changing destination address
$IPTABLES -t nat -A PREROUTING -p tcp --dest $MASK_IP --dport $MASK_PORT -j
DNAT --to-destination $REAL_IP:$REAL_PORT

# 2. Accepting forwarded packets
$IPTABLES -A FORWARD -p tcp --dest $REAL_IP --dport $REAL_PORT -j ACCEPT

# 3. IP masquerading after filtering
$IPTABLES -t nat -A POSTROUTING --dest $REAL_IP --dport $REAL_PORT -j SNAT
--to-source $MASK_IP


When I telnet on $MASK_IP:$MASK_PORT, it's hanging... I tried sniffing with
tcpdump (although I must honestly confess that I don't know if the following
request is good), and here is what I got:

$TCPDUMP \(dst host $MASK_IP and dst port $MASK_PORT\) or \(src host
$MASK_IP and src port $MASK_PORT\)
tcpdump: listening on eth0
14:32:28.568875 x.x.x.x.46569 > $REAL_IP.$REAL_PORT: S
2813621631:2813621631(0) win 5840 <mss 1460,sackOK,timestamp 46292274
0,nop,wscale 0> (DF) [tos 0x10] 
14:32:31.568875 x.x.x.x.46569 > $REAL_IP.$REAL_PORT: S
2813621631:2813621631(0) win 5840 <mss 1460,sackOK,timestamp 46292574
0,nop,wscale 0> (DF) [tos 0x10] 
14:32:37.568875 x.x.x.x.46569 > $REAL_IP.$REAL_PORT: S
2813621631:2813621631(0) win 5840 <mss 1460,sackOK,timestamp 46293174
0,nop,wscale 0> (DF) [tos 0x10] 

Nothing seems to get back... any idea?

Thanks in advance,

Régis KUCKAERTZ
-----------------------------------------
NVISION sa - Luxembourg
Internet Services & Network Programming

50, rue des Prés
L-7333 Steinsel
Tél: (+352) 26 34 09 08
Fax: (+352) 26 34 09 07
http://www.nvision.lu/

Port forwarding.

[Gunnar Frödin]

Hi all.
I'm trying to setup a firewall/port forwarder but can't get things going.
Some facts:
LAN is my internal network and WAN is external.
I have a static ip# on WAN and LAN.
Access to SSH on firewall works.
IP Forwarding and NAT from LAN to WAN works :-)

The problem:
On my LAN i have another machine with web, mail, ftp-server(192.168.0.100)
witch have to be accessible from the WAN.
But I just cant get it working.

Question:
At http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET
(Oskar Andreasson) says
Quote
"This last rule will seriously harm your logging, so it is really advisable
not to use this method, but the whole example is still a valid one for all
of those who can't afford to set up a specific DMZ or alike. What will
happen is this, packet comes from the Internet, gets SNAT'ed and DNAT'ed,
and finally hits the HTTP server (for example). The HTTP server now only
sees the request as if it was coming from the firewall, and hence logs all
requests from the internet as if they came from the firewall."
End quote.
Is there some way to do this so the logging sees the "right" IP# ???


Regards Gunnar Frödin (Sweden)

One more thing: I'm trying all this out with WMware(www.vmware.com/),
Virtual Machine Software, but I havent read anything about some limitations
with that.


# DNAT/SNAT Port Forwarding
# this is the prerouting dnat
iptables -A PREROUTING -t nat -p tcp -d 217.215.x.x --dport 25 -j
DNAT --to-destination 192.168.0.100:25
# This allows packets from external->internal
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.0.100 --dport 25 -m
state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# This allows packets from internal->external
iptables -A FORWARD -p tcp -i eth1 -o eth0 -s 192.168.0.100 --sport 25 -m
state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# This enables access to the 'public' server from the internal network
iptables -A POSTROUTING -t nat -p tcp -d 192.168.0.100 -s
192.168.0.0/24 --dport 25 -j SNAT --to-source 192.168.0.100:25

Re: Port forwarding.

[Antony Stone]

On Monday 28 June 2004 10:16 am, Gunnar Frödin wrote:

> Hi all.
> I'm trying to setup a firewall/port forwarder but can't get things going.
> Some facts:
> LAN is my internal network and WAN is external.
> I have a static ip# on WAN and LAN.
> Access to SSH on firewall works.
> IP Forwarding and NAT from LAN to WAN works :-)
>
> The problem:
> On my LAN i have another machine with web, mail, ftp-server(192.168.0.100)
> witch have to be accessible from the WAN.
> But I just cant get it working.
>
> Question:
> At http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET
> (Oskar Andreasson) says
> Quote
> "This last rule will seriously harm your logging, so it is really advisable
> not to use this method, but the whole example is still a valid one for all
> of those who can't afford to set up a specific DMZ or alike. What will
> happen is this, packet comes from the Internet, gets SNAT'ed and DNAT'ed,
> and finally hits the HTTP server (for example). The HTTP server now only
> sees the request as if it was coming from the firewall, and hence logs all
> requests from the internet as if they came from the firewall."
> End quote.
> Is there some way to do this so the logging sees the "right" IP# ???

Sure - just don't do the SNAT rule which makes the packets look like they came 
from the firewall.

The only reason why you would need to add SNAT is to make the server 
accessible to people both outside and *inside* your network, by using the 
public IP address.

The recommended way to do it (which is far simpler, and results in the correct 
IP addresses going into the log files) is to use split DNS, so people on the 
outside see the public IP, and people on the inside see the private IP, then 
the routing just works normally.

Regards,

Antony.

-- 
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.

In poetry, it is the exact opposite.

 - Paul Dirac

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Port forwarding.

[Gunnar Frödin]

Ok about the splitt DNS, i'm new at this(Linux) but I think I know, but if
you have the time, some more info would be god, there is a DNS on
192.168.0.100

The real problem is that the port forwarding dose not work at all !!!

//Gunnar



On Monday 28 June 2004 10:16 am, Gunnar Frödin wrote:

> Hi all.
> I'm trying to setup a firewall/port forwarder but can't get things going.
> Some facts:
> LAN is my internal network and WAN is external.
> I have a static ip# on WAN and LAN.
> Access to SSH on firewall works.
> IP Forwarding and NAT from LAN to WAN works :-)
>
> The problem:
> On my LAN i have another machine with web, mail, ftp-server(192.168.0.100)
> witch have to be accessible from the WAN.
> But I just cant get it working.
>
> Question:
> At
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET
> (Oskar Andreasson) says
> Quote
> "This last rule will seriously harm your logging, so it is really
advisable
> not to use this method, but the whole example is still a valid one for all
> of those who can't afford to set up a specific DMZ or alike. What will
> happen is this, packet comes from the Internet, gets SNAT'ed and DNAT'ed,
> and finally hits the HTTP server (for example). The HTTP server now only
> sees the request as if it was coming from the firewall, and hence logs all
> requests from the internet as if they came from the firewall."
> End quote.
> Is there some way to do this so the logging sees the "right" IP# ???

Sure - just don't do the SNAT rule which makes the packets look like they
came
from the firewall.

The only reason why you would need to add SNAT is to make the server
accessible to people both outside and *inside* your network, by using the
public IP address.

The recommended way to do it (which is far simpler, and results in the
correct
IP addresses going into the log files) is to use split DNS, so people on the
outside see the public IP, and people on the inside see the private IP, then
the routing just works normally.

Regards,

Antony.

--
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.

In poetry, it is the exact opposite.

 - Paul Dirac

                                                     Please reply to the
list;
                                                           please don't CC
me.

Re: Port forwarding.

[Antony Stone]

On Monday 28 June 2004 11:18 am, Gunnar Frödin wrote:

> Ok about the splitt DNS, i'm new at this(Linux) but I think I know, but if
> you have the time, some more info would be god, there is a DNS on
> 192.168.0.100

Is that DNS server providing responses to internal clients only, or to 
external clients as well (in which case, how have you done the DNAT rules for 
that one!?)

> The real problem is that the port forwarding dose not work at all !!!

What, not even from the outside?   Hm.   The ruleset you posted looked 
sensible enough.

Two questions then:

1. Is the public address 217.215.x.x which you are using as the original 
destination in your DNAT rule bound to the external interface (eth0) of the 
firewall?

2. What do the packet counts for the appropriate rules show from "iptables -L 
FORWARD -nvx; iptables -L PREROUTING -t nat -nvx"?

The packet counts should show us whether packets are:
a) arriving
b) getting DNATted
c) being FORWARDed
d) getting replies

Regards,

Antony.

-- 
Ramdisk is not an installation procedure.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Port forwarding.

[Gunnar Frödin]

Lets wait with the dns config for a moment ok?

Answer to question 1: YES

Answer to question 2:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source
destination
       6      360 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0
192.168.0.100      tcp dpt:25 state NEW,RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  eth1   eth0    192.168.0.100
0.0.0.0/0          tcp spt:25 state NEW,RELATED,ESTABLISHED


Chain PREROUTING (policy ACCEPT 20 packets, 2796 bytes)
    pkts      bytes target     prot opt in     out     source
destination
       1       60 DNAT       tcp  --  *      *       0.0.0.0/0
10.20.30.40        tcp dpt:25 to:192.168.0.100:25

I tryed to telnet in, witch times-out after 6 attempts






On Monday 28 June 2004 11:18 am, Gunnar Frödin wrote:

> Ok about the splitt DNS, i'm new at this(Linux) but I think I know, but if
> you have the time, some more info would be god, there is a DNS on
> 192.168.0.100

Is that DNS server providing responses to internal clients only, or to
external clients as well (in which case, how have you done the DNAT rules
for
that one!?)

> The real problem is that the port forwarding dose not work at all !!!

What, not even from the outside?   Hm.   The ruleset you posted looked
sensible enough.

Two questions then:

1. Is the public address 217.215.x.x which you are using as the original
destination in your DNAT rule bound to the external interface (eth0) of the
firewall?

2. What do the packet counts for the appropriate rules show from
"iptables -L
FORWARD -nvx; iptables -L PREROUTING -t nat -nvx"?

The packet counts should show us whether packets are:
a) arriving
b) getting DNATted
c) being FORWARDed
d) getting replies

Regards,

Antony.

--
Ramdisk is not an installation procedure.

                                                     Please reply to the
list;
                                                           please don't CC
me.

Re: Port forwarding.

[Antony Stone]

On Monday 28 June 2004 1:20 pm, Gunnar Frödin wrote:

> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
>        6      360 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0
> 192.168.0.100      tcp dpt:25 state NEW,RELATED,ESTABLISHED

Okay, so we *are* seeing packets to the mail server being forwarded through 
the firewall.

>        0        0 ACCEPT     tcp  --  eth1   eth0    192.168.0.100
> 0.0.0.0/0          tcp spt:25 state NEW,RELATED,ESTABLISHED

But we are not seeing any replies coming back.

> Chain PREROUTING (policy ACCEPT 20 packets, 2796 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
>        1       60 DNAT       tcp  --  *      *       0.0.0.0/0
> 10.20.30.40        tcp dpt:25 to:192.168.0.100:25

And, indeed, the DNAT is working (not surprising, since we saw forwarded 
packets).

> I tryed to telnet in, witch times-out after 6 attempts

The 6 packets we can see in the FORWARD rule above :)

Okay, three more questions:

1. Is a mail server running on 192.168.0.100 (!) ?   Can you telnet to it on 
the real 192.168.0.100 address from a local client?

2. Are there any access controls on the mail server, restricting the IPs from 
which it will accept connections?

3. Does the default route of the mail server point back to the firewall?

Regards,

Antony

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Port forwarding.

[Gunnar Frödin]

Okey it works now........
The fault was in question 3.
the mail server pointed at another router/firewall.
and the mail server reported the "external" ip# in response to a smtp helo
command. nice :-) but as I understan it shound't well well.

Thanks for now Antony.

Regards Gunnar



Okay, three more questions:

1. Is a mail server running on 192.168.0.100 (!) ?   Can you telnet to it on
the real 192.168.0.100 address from a local client?

2. Are there any access controls on the mail server, restricting the IPs
from
which it will accept connections?

3. Does the default route of the mail server point back to the firewall?

Regards,

Antony

--
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                     Please reply to the
list;
                                                           please don't CC
me.

Re: Forwarding and masquerading got broken

[Lawrence G. Hunsicker]

Michael Gale said:

Hello,

	Look the section"
--snip--
# --------( Sysctl Tuning - Recommended Parameters )--------

# Turn off IP forwarding by default
# (this will be enabled if you require masquerading)

if [ -e /proc/sys/net/ipv4/ip_forward ]; then
   echo 0 > /proc/sys/net/ipv4/ip_forward
fi
--snip--

The "echo 0" in the "/proc/sys/net/ipv4/ip_forward" is disabling 
ip_forwarding -- which is need to forward packets.

Change the "echo 0" to "echo 1"

Mike:

Thanks for the suggestion.  Note, though, that further down in the file 
there is a parallel section cating 1 to the same address to turn on 
kernel forwarding.  I have checked the actual setting after boot up by 
lessing the address, and it is indeed already set to one.  I'll check 
changing this line, but I suspect that this is not where my problem is.

Any other suggestions?


-- 
Lawrence G. Hunsicker
lhunsicker@mchsi.com

Port Forwarding

[Remus]

Hi folks,

I have a PREROUTING rule:
iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s some_external_IP -p 47 -j
DNAT --to 192.168.0.19

How to add more source addresses which will be able to connect?


Thanks in advance

Remus

RE: Port Forwarding

[Rob Sterenborg]

> iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s 
> some_external_IP -p 47 -j
> DNAT --to 192.168.0.19
> 
> How to add more source addresses which will be able to connect?

Add more rules like these that allow it.
Or maybe you compiled a new kernel with netfilter iprange support.
http://www.netfilter.org/documentation/pomlist/pom-combined.html#iprange


Gr,
Rob

Re: Port Forwarding

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 628 bytes --]

On Wed, 2003-12-03 at 10:26, Remus wrote:
> Hi folks,
> 
> I have a PREROUTING rule:
> iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s some_external_IP -p 47 -j
> DNAT --to 192.168.0.19
> 
Just add more rules with different -s some_external_IP's

> How to add more source addresses which will be able to connect?
> 
> 
> Thanks in advance
> 
> Remus
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

RE: Port Forwarding

[Mark E. Donaldson]

A method that works well for me, and I use it extensively, is to place all
your IP addresses in a text file, and feed the file to the script.  With
this method, all you need to do is update (edit) the text file as needed for
adding or deleting IP's.  For instance, if you wanted to sneak TFTP through
the firewall (which I don't really recommend), you could add this rule:

####################################################################
# TFTP
####################################################################
# if TFTP enabled redirect to port 69 on internal TFTP server
if [ "$TFTP_SERVER" = "1" ] ;
then
	while read TRUSTED;
	do
		$IPT -t nat -A PREROUTING -p udp -s $TRUSTED
--destination-port 69 -i $FW_INET_IFACE -j LOG --log-level $LOG_LEVEL
--log-prefix "DNAT IN TFTP OK: "
		$IPT -t nat -A PREROUTING -p udp -s $TRUSTED
--destination-port 69 -i $FW_INET_IFACE -j DNAT --to-destination
$INTERNAL_TFTP:69
	done < $TRUSTED_LIST
fi

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Remus
Sent: Wednesday, December 03, 2003 12:27 AM
To: netfilter@lists.netfilter.org
Subject: Port Forwarding 

Hi folks,

I have a PREROUTING rule:
iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s some_external_IP -p 47 -j
DNAT --to 192.168.0.19

How to add more source addresses which will be able to connect?


Thanks in advance

Remus

Re: Port Forwarding

[Rimas]

Thanks guys for the help. It help me.

I have another iptables setmark question.
This is a small part of my script:

The line below is OK
iptables -t mangle -A PREROUTING -i eth2 -s 10.105.105.0/24 -p tcp --dport
1723 -j MARK --set-mark 0x960

But how mark just IP port 47, because the line below does not I want.
iptables -t mangle -A PREROUTING -i eth2 -s 10.105.105.0/24 -p 47 -j
MARK --set-mark 0x960

ip rule add fwmark 0x960 table localvpn
ip route add default via $P2 dev eth0 table localvpn



Thanks in advance

Remus



----- Original Message ----- 
From: "Mark E. Donaldson" <markee@bandwidthco.com>
To: "'Remus'" <rmocius@auste.elnet.lt>; <netfilter@lists.netfilter.org>
Sent: Wednesday, December 03, 2003 4:27 PM
Subject: RE: Port Forwarding


> A method that works well for me, and I use it extensively, is to place all
> your IP addresses in a text file, and feed the file to the script.  With
> this method, all you need to do is update (edit) the text file as needed
for
> adding or deleting IP's.  For instance, if you wanted to sneak TFTP
through
> the firewall (which I don't really recommend), you could add this rule:
>
> ####################################################################
> # TFTP
> ####################################################################
> # if TFTP enabled redirect to port 69 on internal TFTP server
> if [ "$TFTP_SERVER" = "1" ] ;
> then
> while read TRUSTED;
> do
> $IPT -t nat -A PREROUTING -p udp -s $TRUSTED
> --destination-port 69 -i $FW_INET_IFACE -j LOG --log-level $LOG_LEVEL
> --log-prefix "DNAT IN TFTP OK: "
> $IPT -t nat -A PREROUTING -p udp -s $TRUSTED
> --destination-port 69 -i $FW_INET_IFACE -j DNAT --to-destination
> $INTERNAL_TFTP:69
> done < $TRUSTED_LIST
> fi
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Remus
> Sent: Wednesday, December 03, 2003 12:27 AM
> To: netfilter@lists.netfilter.org
> Subject: Port Forwarding
>
> Hi folks,
>
> I have a PREROUTING rule:
> iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s some_external_IP -p
47 -j
> DNAT --to 192.168.0.19
>
> How to add more source addresses which will be able to connect?
>
>
> Thanks in advance
>
> Remus
>
>
>

RE: Port Forwarding

[Mark E. Donaldson]

A method that works well for me, and I use it extensively, is to place all
your IP addresses in a text file, and feed the file to the script.  With
this method, all you need to do is update (edit) the text file as needed for
adding or deleting IP's.  For instance, if you wanted to sneak TFTP through
the firewall (which I don't really recommend), you could add this rule:

####################################################################
# TFTP
####################################################################
# if TFTP enabled redirect to port 69 on internal TFTP server
if [ "$TFTP_SERVER" = "1" ] ;
then
	while read TRUSTED;
	do
		$IPT -t nat -A PREROUTING -p udp -s $TRUSTED
--destination-port 69 -i $FW_INET_IFACE -j LOG --log-level $LOG_LEVEL
--log-prefix "DNAT IN TFTP OK: "
		$IPT -t nat -A PREROUTING -p udp -s $TRUSTED
--destination-port 69 -i $FW_INET_IFACE -j DNAT --to-destination
$INTERNAL_TFTP:69
	done < $TRUSTED_LIST
fi

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Remus
Sent: Wednesday, December 03, 2003 12:27 AM
To: netfilter@lists.netfilter.org
Subject: Port Forwarding 

Hi folks,

I have a PREROUTING rule:
iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s some_external_IP -p 47 -j
DNAT --to 192.168.0.19

How to add more source addresses which will be able to connect?


Thanks in advance

Remus

RE: Port Forwarding

[Fritz Mesedilla]

I think we may be able to help you. Please give us what config you have done.

For a web server, some need to have 4 rules... prerouting a forward rule, postrouting and another forward rule.

If you have set iptables -P forward ACCEPT then you only need 2 rules... prerouting and postrouting rules.

Send us what you have done and we will try to help you.


Cheers,

fritz <www.mesedilla.com>
---
+ Basta Ikaw Lord



> -----Original Message-----
> From: Jason Mallory [mailto:jason@phxrising.com]
> Sent: Tuesday, October 28, 2003 6:17 AM
> To: netfilter@lists.netfilter.org
> Subject: Port Forwarding
> 
> 
> I am tring to do a simple port forwarding from the Internet 
> to a mcahine 
> on my LAN. This has proven IMPOSSIBE! No matter how I try to forward 
> ports, its not working. I am thinking about just setting up a simple 
> Windows XP box and doing it that way after trying for 12 hours and 5 
> different configuration methods. Any last suggestions before I switch?
> 
> 
> 

----------------------------------------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender immediately by e-mail and delete this e-mail from your
system. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent
those of the company. Finally, the recipient should check this email
and any attachments for the presence of viruses. The company accepts
no liability for any damage caused by any virus transmitted by this
email. 

Overture Media, Inc.
Direct Line: (632) 635-4785
Trunkline:   (632) 631-8971 Local 146
Fax: (632) 637-2206
Level 1 Summit Media Offices, Robinsons Galleria EDSA Cor. Ortigas Ave., Quezon City 1100

RE: Port Forwarding

[Babar Kazmi]

[-- Attachment #1: Type: text/html, Size: 5378 bytes --]

RE: Port Forwarding

[Gaby Schilders]

No suggestions. Go for the WinXP solution if you feel more comfortable
with that.

<sarcasm>
Just make sure you don't come running back when it is haxored into
oblivion by a script-kiddy with too much time on his hands and a MS
30-day exploit in his hands will you?
</sarcasm>

If you think this to be a harsh reply, then maybe you can try to
include a little bit more about your situation the next time you ask
for help? Like what your setup is, what you've tried already, what
part of the fine manuals you didn't understand... That sort of
thing.

If you still want to put some effort into the Linux/netfilter
solution I suggest you do those things and put your problem on the
list again. (If you want to know where to look things up, by all
means ask).

Good luck!

Gaby

-----Original Message-----
From: Jason Mallory [mailto:jason@phxrising.com]
Sent: maandag 27 oktober 2003 23:17
To: netfilter@lists.netfilter.org
Subject: Port Forwarding


I am tring to do a simple port forwarding from the Internet to a mcahine 
on my LAN. This has proven IMPOSSIBE! No matter how I try to forward 
ports, its not working. I am thinking about just setting up a simple 
Windows XP box and doing it that way after trying for 12 hours and 5 
different configuration methods. Any last suggestions before I switch?

Port Forwarding

[Jason Mallory]

I am tring to do a simple port forwarding from the Internet to a mcahine 
on my LAN. This has proven IMPOSSIBE! No matter how I try to forward 
ports, its not working. I am thinking about just setting up a simple 
Windows XP box and doing it that way after trying for 12 hours and 5 
different configuration methods. Any last suggestions before I switch?

RE: Port Forwarding

[Rob Sterenborg]

> I am tring to do a simple port forwarding from the Internet 
> to a mcahine on my LAN. This has proven IMPOSSIBE! No matter 

Sure it's possible. But you didn't tell us what you have already done !

For http (make sure your routing tables are correct) :
----------------
if_inet="eth0"
if_lan="eth1"
ip_webserver="192.168.1.100"

echo 0 > /proc/sys/net/ipv4/ip_forward

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED \
  -j ACCEPT
iptables -A FORWARD -i $if_inet -o $if_lan -p tcp --dport 80 \
  -j ACCEPT
iptables -t nat -A PREROUTING -i if_inet -p tcp --dport 80 \
  -j DNAT --to-destination $ip_webserver

echo 1 > /proc/sys/net/ipv4/ip_forward
----------------


Gr,
Rob

Port Forwarding

[Aris Santillan]

[-- Attachment #1: Type: text/plain, Size: 575 bytes --]

hi guys


i ve 2 server A and B
A have 190.200.1.62
B have 190.200.1.61


190.200.1.62 is binded to an external IP(203.167.117.154)
in the Cisco router.



i want to forward incoming HTTP request to 190.200.1.61 w/c is my 
web server

i do this


echo '1' > /etc/sys/net/ipv4/ip_forward

iptables -t nat -A prerouting -p tcp -i eth0 -d 190.200.1.62 --dport 80 -j DNAT --to 190.200.1.61:80
iptables -A FORWARD -p tcp -i eth0 -d 190.200.1.61 --dport 80 -j ACCEPT


but it seems doesnt work..... i need ur advice & solutions

thanks in advance
aris

[-- Attachment #2: Type: text/html, Size: 1542 bytes --]

RE: port forwarding

[George Vieira]

You can't. FTP doesn't send any header information like http's virtual host information on which site it's for.

the only option is to use different ports for different sites..

ftp www.domain/com:10021
ftp www.domain2/com:10022
ftp www.domain3/com:10023

that's the only what I know.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Sathi [mailto:sathiyan@gmx.net]
Sent: Wednesday, July 23, 2003 4:06 PM
To: Netfilter Mailing List
Subject: port forwarding


Hello All,

I am running squid reverse proxy for 5 different web servers.

I want to provide ftp access to clients so that they can update the web page
content.

As all the host name resolve to the single address i find problem in port
forward the ftp request to the correct backend web server.

How to make port forward the ftp request to the correct web server using
iptables.

Regards
Sathi

port forwarding

[Sathi]

Hello All,

I am running squid reverse proxy for 5 different web servers.

I want to provide ftp access to clients so that they can update the web page
content.

As all the host name resolve to the single address i find problem in port
forward the ftp request to the correct backend web server.

How to make port forward the ftp request to the correct web server using
iptables.

Regards
Sathi

Re: port forwarding

[Nils Juergens]

On Wed, 23.07.03, Sathi <sathiyan@gmx.net> wrote:

> I am running squid reverse proxy for 5 different web servers.
> 
> I want to provide ftp access to clients so that they can update the web page
> content.
> 
> As all the host name resolve to the single address i find problem in port
> forward the ftp request to the correct backend web server.

If you have more than one IP you could set up your DNS like this:

say your domains are
customer1.yourdomain.example
customer2.yourdomain.example
...
customer5.yourdomain.example

which all resolve to the same IP. Now set up new entries

ftp1.yourdomain.example
ftp2.yourdomain.example
...
ftp5.yourdomain.example

which point to the corresponding server (not to the same ip). Now you only
have to tell your customers which host to use an you are all set.

I think another solution would be to use a ftp proxy, where your clients get
redirected based upon username.

User A logs in as 'usera@customer1.yourdomain.example', the ftp-proxy looks up
the corresponding ftp-server from a table and redirects the ftp session to
that ftp-server. 'userb@customer1.yourdomain.example' is redirected to the
same server, where 'userc@customer2.yourdomain.example' is redirected to
another server.

cya,

Nils


-- 
Nils Juergens  | ju@isf.rwth-aachen.de
Having problems sending big files over the net?
Try out Efisto (http://efisto.rnbhq.org).

RE: Port forwarding

[George Vieira]

PREROUTING only works for packets passing through the firewall and not FOR the firewall to itself. There is no NAT for an incoming connection on it's local process as it's ALREADY there at the service not a packet that's coming in. if you know what I mean.

If you had multiple IPs which were NATted to an internal server then you can NAT the OUTPUT chain but not when the destination IP is the firewall itself..

One sneaky what of doing it is to put a /etc/hosts file of the internal machine.. eg.

192.168.0.1           www.yourdomain.com

When you browse the name it'll go directly to the internal machine. But remember to use names not IPs..
Outsiders get NATed and the firewall browses by the internal machine.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
 

-----Original Message-----
From: Dhyanesh Ramaiya [mailto:dhyanesh@intafrica.com]
Sent: Thursday, June 05, 2003 7:49 PM
To: netfilter@lists.netfilter.org
Subject: Port forwarding


Dear all,

I have a linux router (Redhat 9.0) with iptables 1.2.7a-2. I have setup port
forwarding rules as below to allow SMTP and POP3 to a machine on the
internal network.

iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport 110 --to
<private_ip>:110
iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport 25 --to
<private_ip>:25

What happens, is that when I try to telnet port 25 or 110 from the router
itself, it doesn't connect and gives the error "Connection refused".
However, from any other machine on the network it connects. Thinking that
some firewall rules might be blocking the connection, the default policy of
all chains is set to accept.

Dhyanesh Ramaiya
dhyanesh@intafrica.com

Re: Question about nfmark

[Cedric Blancher]

Le mer 04/06/2003 à 20:01, Abhinav Gupta a écrit :
> I am a newbie to netfilter. While going through some code, I saw a 
> comment that nfmark can be used for communicating between the different 
> hooks. Could someone please explain me how this can be done.

Netfilter gives you the ability to mark packets using mangle table MARK
target (mangle table is attached to every hook in the stack). This mark,
commonly called nfmark (Netfilter mark) is a field within the data
structure that contains the packet (skb). This means once a packet is
marked, mark will be carried the whole packet life into the system.

Now, you have a mark match that allows you to read nfmark field. This
means in on given hook, you can extract information from another hook
though nfmark.

An example... Suppose you implement DNAT. This sits in PREROUTING chain.

	iptables -t nat -A PREROUTING -d $PUB_IP -j DNAT --to $PRIV_IP

How can I filter packets destined to $PUB_IP form those which were
destined to $PRIV_IP as they appear the same way into FORWARD chain ?
Use mark.

	iptables -t mangle -A PREROUTING -d $PRIV_IP -j MARK --mark 0x01

Then, in filter table, I do this :

	iptables -A FORWARD -m mark --mark 0x01 -j DROP

As I don't people access directly my private IP. Doing this, you get in
FORWARD chain information that would not be available otherwise.


Besides this, nfmark is more powerful than this as it allows Netfilter
to communicate with routing and QoS processes. This means you can take
routing or QoS decisions based on nfmark. Transparent proxying can be
done using nfmark (see http://lartc.org/), as well as QoS. This allows
you to use all Netfilter packet matching capabilities for routing and
shaping.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE

Port forwarding

[Dhyanesh Ramaiya]

Dear all,

I have a linux router (Redhat 9.0) with iptables 1.2.7a-2. I have setup port
forwarding rules as below to allow SMTP and POP3 to a machine on the
internal network.

iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport 110 --to
<private_ip>:110
iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport 25 --to
<private_ip>:25

What happens, is that when I try to telnet port 25 or 110 from the router
itself, it doesn't connect and gives the error "Connection refused".
However, from any other machine on the network it connects. Thinking that
some firewall rules might be blocking the connection, the default policy of
all chains is set to accept.

Dhyanesh Ramaiya
dhyanesh@intafrica.com

Re: Port forwarding

[Philip Craig]

Dhyanesh Ramaiya wrote:
> iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport 110 --to
> <private_ip>:110
> iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport 25 --to
> <private_ip>:25
> 
> What happens, is that when I try to telnet port 25 or 110 from the router
> itself, it doesn't connect and gives the error "Connection refused".
> However, from any other machine on the network it connects. Thinking that
> some firewall rules might be blocking the connection, the default policy of
> all chains is set to accept.

Packets from the router itself do not go through the PREROUTING
chain, so they aren't being NATed.  You'll need to add similar
NAT rules in the OUTPUT chain.

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances

RE: Port forwarding

[Dhyanesh Ramaiya]

Thank you all for your responses. I had in mind to update the /etc/hosts
file (as was suggested by George), but didn't want to do it straight away
without knowing the reasons. Will try to put the NAT rules in the output
chain to solve this problem.

Dhyanesh Ramaiya

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Philip Craig
Sent: Friday, June 06, 2003 11:15 AM
To: Dhyanesh Ramaiya
Cc: netfilter@lists.netfilter.org
Subject: Re: Port forwarding


Dhyanesh Ramaiya wrote:
> iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport
110 --to
> <private_ip>:110
> iptables -t nat -A PREROUTING -j DNAT -p tcp -d <public_ip> --dport
25 --to
> <private_ip>:25
>
> What happens, is that when I try to telnet port 25 or 110 from the router
> itself, it doesn't connect and gives the error "Connection refused".
> However, from any other machine on the network it connects. Thinking that
> some firewall rules might be blocking the connection, the default policy
of
> all chains is set to accept.

Packets from the router itself do not go through the PREROUTING
chain, so they aren't being NATed.  You'll need to add similar
NAT rules in the OUTPUT chain.

--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances

port forwarding

[Fox]

Hi Everybody.

I want to forward all the packets to port 80 and 443 to 16721 and
using the following rules:

# 80->16721->80
${IPTABLES} -t nat -A PREROUTING -s 0.0.0.0/0 -d 192.168.0.1 -p tcp --dport 80 -j DNAT \
--to-destination 192.168.0.1:16721
${IPTABLES} -t nat -A POSTROUTING -s 192.168.0.1 -d 0/0 -p tcp --sport 16721 -j SNAT \
 --to-source 192.168.0.1:80

# 443->16721->443
${IPTABLES} -t nat -A PREROUTING -s 0.0.0.0/0 -d 192.168.0.1 -p tcp --dport 443 -j DNAT \
--to-destination 192.168.0.1:16721
${IPTABLES} -t nat -A POSTROUTING -s 192.168.0.1 -d 0/0 -p tcp --sport 16721 -j SNAT \
 --to-source 192.168.0.1:443

I'm just wondering - won't the source address of packets to 443 be
changed to 192.168.0.1:80 instead of 192.168.0.1:443 when they're
replied to the client?

I don't know what type of connection tracking to use. Your help is
appreciated.

Thanks in advance.

Fox

RE: port forwarding

[Rob Sterenborg]

> I want to forward all the packets to port 80 and 443 to 16721 and
> using the following rules:
> 
> # 80->16721->80
> ${IPTABLES} -t nat -A PREROUTING -s 0.0.0.0/0 -d 192.168.0.1 
> -p tcp --dport 80 -j DNAT \
> --to-destination 192.168.0.1:16721
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.0.1 -d 0/0 -p 
> tcp --sport 16721 -j SNAT \
>  --to-source 192.168.0.1:80
> 
> # 443->16721->443
> ${IPTABLES} -t nat -A PREROUTING -s 0.0.0.0/0 -d 192.168.0.1 
> -p tcp --dport 443 -j DNAT \
> --to-destination 192.168.0.1:16721
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.0.1 -d 0/0 -p 
> tcp --sport 16721 -j SNAT \
>  --to-source 192.168.0.1:443
> 
> I'm just wondering - won't the source address of packets to 443 be
> changed to 192.168.0.1:80 instead of 192.168.0.1:443 when they're
> replied to the client?

NAT will handle that, but I'm not sure if this setup is going to work :
you are forwarding both http and https to the same port.

> I don't know what type of connection tracking to use. Your help is
> appreciated.

With conntrack, you don't need the postrouting rules.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i <if_inet> -d 192.168.0.1 -p tcp --dport 80 \
 -j ACCEPT
iptables -A FORWARD -i <if_inet> -d 192.168.0.1 -p tcp --dport 443 \
 -j ACCEPT

iptables -t nat -A PREROUTING -i <if_inet> -p tcp --dport 80 \
 -j DNAT --to-destination 192.168.0.1:16721
iptables -t nat -A PREROUTING -i <if_inet> -p tcp --dport 443 \
 -j DNAT --to-destination 192.168.0.1:16721

If I were you I'd make the webserver listen on 16722 (or whatever) for
https and forward port 443 to 16722.


Gr,
Rob

Port Forwarding

[Brei, Matt]

[-- Attachment #1.1: Type: text/plain, Size: 621 bytes --]

Hello all.  
 
I'm using iptables on RH 8.0 to route and firewall my cable connection
to the rest of the lan.  My problem is joining games (Ghost Recon) on
ubi.com from behind the firewall.  Ubi.com requires port 80 for http
which works fine, port 6667 for chat which also works fine, and
40000-42000 for the game (I'm assuming) which seems to be random when I
run nmap on machines running the game with no firewall.  Is there a way
to allow one or multiple machines behind the firewall to join/host a
game by forwarding the ports.  I attached my iptables script that I'm
currently using.
 
Thanks,
Matt
 

[-- Attachment #1.2: Type: text/html, Size: 4544 bytes --]

[-- Attachment #2: route.rtf.txt --]
[-- Type: text/plain, Size: 7632 bytes --]


#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <blueflux@koffein.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

###########################################################################
#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24 
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.254"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

###########################################################################
#
w
# Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################
#
# Internet Configuration.
#

INET_IP="12.251.163.214"
INET_IFACE="eth0"

###########################################################################
#
# IPTables Configuration.
#

IPTABLES="/sbin/iptables"

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc


###########################################################################
#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
# Drop ALL packets

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IP's
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# The allowed chain for TCP connections
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed

#
# UDP ports
#

# nondocumented commenting out of these rules
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

##########################
# INPUT chain
#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

#
# VPN for incoming connections to 192.168.0.1
#

$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.0.1
$IPTABLES -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to 192.168.0.1
$IPTABLES -A FORWARD -p tcp -d 192.168.0.1/16 --dport 1723 -j ACCEPT
$IPTABLES -A FORWARD -p 47 -d 192.168.0.1/16 -j ACCEPT

#
#E-Mail routes to 192.168.0.1 
#

$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 192.168.0.1
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j DNAT --to 192.168.0.1
$IPTABLES -A FORWARD -p tcp -d 192.168.0.1 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 192.168.0.1 --dport 25 -j ACCEPT

# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

###############################
# OUTPUT chain
#
#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

Re: Port Forwarding

[Dan Egli]

Brei, Matt wrote:

> Hello all.
>
> I’m using iptables on RH 8.0 to route and firewall my cable connection 
> to the rest of the lan. My problem is joining games (Ghost Recon) on 
> ubi.com from behind the firewall. Ubi.com requires port 80 for http 
> which works fine, port 6667 for chat which also works fine, and 
> 40000-42000 for the game (I’m assuming) which seems to be random when 
> I run nmap on machines running the game with no firewall. Is there a 
> way to allow one or multiple machines behind the firewall to join/host 
> a game by forwarding the ports. I attached my iptables script that I’m 
> currently using.
>
> Thanks,
>
> Matt
>
Shouldn't need anything that specific. The port forwarding is to allow 
packets that origonate OUTSITE the system to be sent to a specific 
computer. I'm on a cable modem at home and I play Unreal Tournament 2003 
great with simple masquerading.

After reading your script, (which in my simple opinion is overly 
complicated), the line:

> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

would normally be enough. I use port forwarding for UT2003 only because I run a game server behind the firewall, so I need to allow connections from the inet to the server. But w/o the server, I have no need of port forwarding. Naturally nmap won't see the ports because technically the port is not open. nmap only checks for a port that is (or at least appears to be) open and listening for connections. if I did not have port forward on, and I was in a UT2003 game and someone hit my inet IP on one of the game ports (7777 for example) they would get a ICMP_PORT_UNREACHABLE error (connection refused). 

Are you on a static IP or a dynamic? I am on a dynamic and my Masquerading line: iptables -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE 

works grand. Cannot see why it would not work for you. Try disabling the port forwarding. Can you connect to a web site from a machine behind the firewall? IF so there should be no reason I am aware of that you cannot connect to the game server.

--- Dan

Port forwarding

[Brei, Matt]

[-- Attachment #1: Type: text/plain, Size: 8629 bytes --]

Hello all.  
 
I'm using iptables on RH 8.0 to route and firewall my cable connection
to the rest of the lan.  My problem is joining games (Ghost Recon) on
ubi.com from behind the firewall.  Ubi.com requires port 80 for http
which works fine, port 6667 for chat which also works fine, and
40000-42000 for the game (I'm assuming) which seems to be random when I
run nmap on machines running the game with no firewall.  Is there a way
to allow one or multiple machines behind the firewall to join/host a
game by forwarding the ports.  I attached my iptables script that I'm
currently using.
 
Thanks,
Matt
 
 
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and
iptables
#
# Copyright (C) 2001  Oskar Andreasson <blueflux@koffein.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#
 
########################################################################
###
#
# 1. Configuration options.
#
 
########################################################################
###
#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first
24 
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
 
LAN_IP="192.168.0.254"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"
 
########################################################################
###
#
w
# Localhost Configuration.
#
 
LO_IFACE="lo"
LO_IP="127.0.0.1"
 
########################################################################
###
#
# Internet Configuration.
#
 
INET_IP="12.251.163.214"
INET_IFACE="eth0"
 
########################################################################
###
#
# IPTables Configuration.
#
 
IPTABLES="/sbin/iptables"
 
########################################################################
###
#
# 2. Module loading.
#
 
#
# Needed to initially load modules
#
/sbin/depmod -a
 
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
 
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
 
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
 
 
########################################################################
###
#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#
 
echo "1" > /proc/sys/net/ipv4/ip_forward
 
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
 
########################################################################
###
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
# Drop ALL packets
 
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
 
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#
 
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
\
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
 
#
# Do some checks for obviously spoofed IP's
#
 
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
 
#
# Enable simple IP Forwarding and Network Address Translation
#
 
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source
$INET_IP
 
#
# Bad TCP packets we don't want
#
 
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
 
#
# Accept the packets we actually want to forward
#
 
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
 
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
 
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
 
#
# The allowed chain for TCP connections
#
 
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
 
#
# ICMP rules
#
 
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
 
#
# TCP rules
#
 
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed
 
#
# UDP ports
#
 
# nondocumented commenting out of these rules
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j
ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j
ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j
ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j
ACCEPT
 
##########################
# INPUT chain
#
# Bad TCP packets we don't want.
#
 
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
 
#
# Rules for incoming packets from the internet.
#
 
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
 
#
# VPN for incoming connections to 192.168.0.1
#
 
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to
192.168.0.1
$IPTABLES -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to 192.168.0.1
$IPTABLES -A FORWARD -p tcp -d 192.168.0.1/16 --dport 1723 -j ACCEPT
$IPTABLES -A FORWARD -p 47 -d 192.168.0.1/16 -j ACCEPT
 
#
#E-Mail routes to 192.168.0.1 
#
 
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to
192.168.0.1
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j DNAT --to
192.168.0.1
$IPTABLES -A FORWARD -p tcp -d 192.168.0.1 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 192.168.0.1 --dport 25 -j ACCEPT
 
# Rules for special networks not part of the Internet
#
 
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state
ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
 
###############################
# OUTPUT chain
#
#
# Bad TCP packets we don't want.
#
 
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
 
#
# Special OUTPUT rules to decide which IP's to allow.
#
 
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
 
#
# Log weird packets that don't match the above.
#
 
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
 
 
 

[-- Attachment #2: Type: text/html, Size: 77243 bytes --]

port forwarding

[Maxim Berlin]

Hello all,

Players at my office asks me to give them access to outside counterstrike
server, UDP 21705. unfortunatelly, i am brand new in iptables, so i've
read the docs and started make rules, but they does not work.
Then i've tried simple
root@woody~/iptables>cat 1.sh
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -v -F -t nat
iptables -v -F
iptables -v -A FORWARD -p tcp --dport 205 -j ACCEPT
iptables -v -t nat -A PREROUTING -p tcp --dport 205 -j DNAT --to-destination 172.17.32.12:25

, then telnet to woody:205 and there is no refusal and no answer.

root@woody~/iptables>cat /proc/net/ip_conntrack
[...]
tcp      6 118 SYN_SENT src=172.17.32.5 dst=172.17.144.110 sport=2020 dport=205 [UNREPLIED] src=172.17.32.12 dst=172.17.32.5 sport=25 dport=2020 use=1

Can someone please tell me, what i am doing wrong? why [UNREPLIED]?
should i create rule to pass packets back from 172.17.32.5 to client?

p.s. iptables v1.2.6a, kernel 2.4.18

Best wishes,
 Maxim                          mailto:mak@rtsnet.ru

Re: port forwarding

[Andrew Smith]

If they want to play on an external server then there is
nothing required other than standard masquerading/nat

HOWEVER, if you resrtict outgoing (and return) ports then
you need to allow UDP on port 21705
(I'm not sure if TCP is used at all?)

WARNING
if 3 or 4 people do a standard full server update at the
same time it will fill your conntrack table and you will
start dropping other connections for a while

Counterstrike is beyond the tiny limitation of a 64K conntrack
table and since you cannot specifically say to timeout the
counterstrike server update connections quickly (due to the
fact that you will never need to do this - yeah I know that's
wrong but ... that's what the netfilter developers say)
you end up filling the conntrack table

You need to be able to set it to handle about 20,000 connections
per user that is using Counterstrike but I think it is limited
to only 64K - but I'm not 100% certain.

Anyone know for sure if there is a small limit in the size of
the conntrack table? Hopefully there isn't ... but others have
said otherwise. Maybe that has change recently?

> Hello all,
> 
> Players at my office asks me to give them access to outside
> counterstrike server, UDP 21705. unfortunatelly, i am brand new in
> iptables, so i've read the docs and started make rules, but they does
> not work.
> Then i've tried simple
> root@woody~/iptables>cat 1.sh
> #!/bin/sh
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -v -F -t nat
> iptables -v -F
> iptables -v -A FORWARD -p tcp --dport 205 -j ACCEPT
> iptables -v -t nat -A PREROUTING -p tcp --dport 205 -j DNAT
> --to-destination 172.17.32.12:25
> 
> , then telnet to woody:205 and there is no refusal and no answer.
> 
> root@woody~/iptables>cat /proc/net/ip_conntrack
> [...]
> tcp      6 118 SYN_SENT src=172.17.32.5 dst=172.17.144.110 sport=2020
> dport=205 [UNREPLIED] src=172.17.32.12 dst=172.17.32.5 sport=25
> dport=2020 use=1
> 
> Can someone please tell me, what i am doing wrong? why [UNREPLIED]?
> should i create rule to pass packets back from 172.17.32.5 to client?
> 
> p.s. iptables v1.2.6a, kernel 2.4.18
> 
> Best wishes,
> Maxim                          mailto:mak@rtsnet.ru

Re: port forwarding

[Roy Sigurd Karlsbakk]

Andrew Smith wrote:

>If they want to play on an external server then there is
>nothing required other than standard masquerading/nat
>
>HOWEVER, if you resrtict outgoing (and return) ports then
>you need to allow UDP on port 21705
>(I'm not sure if TCP is used at all?)
>
>WARNING
>if 3 or 4 people do a standard full server update at the
>same time it will fill your conntrack table and you will
>start dropping other connections for a while
>
>Counterstrike is beyond the tiny limitation of a 64K conntrack
>table and since you cannot specifically say to timeout the
>counterstrike server update connections quickly (due to the
>fact that you will never need to do this - yeah I know that's
>wrong but ... that's what the netfilter developers say)
>you end up filling the conntrack table
>
>You need to be able to set it to handle about 20,000 connections
>per user that is using Counterstrike but I think it is limited
>to only 64K - but I'm not 100% certain.
>
>  
>
Then what sort of idiot was there that wrote the counterstrike protocol?
I mean - 20.000 connections per user???? It's crazy! How about a good 
old TCP connection instead?

Re: port forwarding

[Andrew Smith]

> Andrew Smith wrote:
> 
>>If they want to play on an external server then there is
>>nothing required other than standard masquerading/nat
>>
>>HOWEVER, if you resrtict outgoing (and return) ports then
>>you need to allow UDP on port 21705
>>(I'm not sure if TCP is used at all?)
>>
>>WARNING
>>if 3 or 4 people do a standard full server update at the
>>same time it will fill your conntrack table and you will
>>start dropping other connections for a while
>>
>>Counterstrike is beyond the tiny limitation of a 64K conntrack
>>table and since you cannot specifically say to timeout the
>>counterstrike server update connections quickly (due to the
>>fact that you will never need to do this - yeah I know that's
>>wrong but ... that's what the netfilter developers say)
>>you end up filling the conntrack table
>>
>>You need to be able to set it to handle about 20,000 connections
>>per user that is using Counterstrike but I think it is limited
>>to only 64K - but I'm not 100% certain.
>>
>>  
>>
> Then what sort of idiot was there that wrote the counterstrike
> protocol? I mean - 20.000 connections per user???? It's crazy! How
> about a good  old TCP connection instead?

It's not the protocol - that's how it checks all 20,000 (more or less)
servers currently available to determine the "ping" times so you
can work out which ones would be best to play on.

It isn't a real "ping" it's just UDP packets going back and forth
from your client to EACH server available to determine the performance
if you were playing on them.
(That's why conntrack keeps track of them ... for too long)

Basically, you start CounterStrike, then tell it to get a server
list and then it gets the "ping" times for each of the servers in
the server list - often 20,000 of them
(yes there are only a handful of central list servers that have
the active game server lists - and all game servers must register
with the central servers if they want to be known for anyone to
play on the net)
Then you choose the server you want and start playing

When you play a game that 50ms means the difference between winning
and losing - you need to know which servers are responding well to
your connection - and no other computer can find that out for you.

-- 
-Cheers
-Andrew

MS ... if only he hadn't been hang gliding!

Re: port forwarding

[Roy Sigurd Karlsbakk]

> > Then what sort of idiot was there that wrote the counterstrike
> > protocol? I mean - 20.000 connections per user???? It's crazy! How
> > about a good  old TCP connection instead?
>
> It's not the protocol - that's how it checks all 20,000 (more or less)
> servers currently available to determine the "ping" times so you
> can work out which ones would be best to play on.
>
> It isn't a real "ping" it's just UDP packets going back and forth
> from your client to EACH server available to determine the performance
> if you were playing on them.
> (That's why conntrack keeps track of them ... for too long)
>
> Basically, you start CounterStrike, then tell it to get a server
> list and then it gets the "ping" times for each of the servers in
> the server list - often 20,000 of them
> (yes there are only a handful of central list servers that have
> the active game server lists - and all game servers must register
> with the central servers if they want to be known for anyone to
> play on the net)
> Then you choose the server you want and start playing
>
> When you play a game that 50ms means the difference between winning
> and losing - you need to know which servers are responding well to
> your connection - and no other computer can find that out for you.

but is the client checking all 20.000 servers continously, or just at startup?
-- 
Roy Sigurd Karlsbakk, Datavaktmester
ProntoTV AS - http://www.pronto.tv/
Tel: +47 9801 3356

Computers are like air conditioners.
They stop working when you open Windows.

Re: port forwarding

[Andrew Smith]

>> > Then what sort of idiot was there that wrote the counterstrike
>> > protocol? I mean - 20.000 connections per user???? It's crazy! How
>> > about a good  old TCP connection instead?
>>
>> It's not the protocol - that's how it checks all 20,000 (more or less)
>> servers currently available to determine the "ping" times so you can
>> work out which ones would be best to play on.
>>
>> It isn't a real "ping" it's just UDP packets going back and forth from
>> your client to EACH server available to determine the performance if
>> you were playing on them.
>> (That's why conntrack keeps track of them ... for too long)
>>
>> Basically, you start CounterStrike, then tell it to get a server list
>> and then it gets the "ping" times for each of the servers in the
>> server list - often 20,000 of them
>> (yes there are only a handful of central list servers that have
>> the active game server lists - and all game servers must register with
>> the central servers if they want to be known for anyone to
>> play on the net)
>> Then you choose the server you want and start playing
>>
>> When you play a game that 50ms means the difference between winning
>> and losing - you need to know which servers are responding well to
>> your connection - and no other computer can find that out for you.
> 
> but is the client checking all 20.000 servers continously, or just at
> startup? -- 
> Roy Sigurd Karlsbakk, Datavaktmester

Of course it is only when you request the list or request
an update of the net times for the list of game servers.
The problem is that netfilter conntrack keeps track of the
connections for too long - they are only needed for a VERY
short time.
Normally you want long tracking, in this case you certainly
do not, for the game server status'.
Thus if you have a good connection, all 20,000 can happen
within the conntrack timout period and thus all 20,000 end
up in the conntrack table.
If you have 3 or 4 people doing this at the same time (this
can be common to have a few people logging in to play together
at the same time) then you can get more than 60,000 connections
in the conntrack table ... which means it's full if it goes
over 64K

-- 
-Cheers
-Andrew

MS ... if only he hadn't been hang gliding!