Re: iptables, portforward, DNAT, SNAT

[methodaut@netscape.net (Thomas Meindl)]

Antony Stone <Antony@Soft-Solutions.co.uk> wrote:

>On Thursday 31 October 2002 3:33 pm, Thomas Meindl wrote:
>
>> #!/bin/bash
>>
>> EXTIF=eth0
>> INTIF=eth1
>> EXTIP=www.xxx.yyy.zzz
>> INTIP=192.168.0.1
>> WWWSRV=192.168.0.2
>>
>> #here I'll make some
>> echo 1 > /proc/sys/net/ipv4/*
>
>Does that line really say "echo 1 to every file in the /proc/sys/net/ipv4 
>directory" !?
>
>Why ???

no, i didn't write it that way in the actual script.
just to save some tipping here..

* stands for the three below

sorry for that confusing
I simply should have copied and pasted it like

echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookie


>
>> #to some features like ip_dynaddr, ip_forward, tcp_syncookie
>>
>> #then I set the default policies
>> #accept everything except the FORWARD chain
>> #and flush them
>> iptables -P INPUT -j ACCEPT
>
>I don't like that - you should have a default DROP on INPUT and then create 
>rules to ACCEPT what you know you want.   Otherwise you're accepting anything 
>anyone cares to send you....
>

I know. I have a more extended script, but to be sure that portforwarding works pretty soon, i'll keep that one simple

>> iptables -F INPUT
>> iptables -P OUTPUT -j ACCEPT
>> iptables -F OUTPUT
>> iptables -P FORWARD -j DROP
>> iptables -F FORWARD
>> iptables -t nat -f        #flush the nat table
>>
>> # and here's my little disaster
>> # i try to forward port 1234 to my internal www-server
>> iptables -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 1234 -j
>> DNAT --to-destination $WWWSRV:80
>
>Okay - that will redirect the incoming packets on TCP port 1234 to your 
>internal web server, port 80
>
>> iptables -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $WWWSRV --dport 80 -j 
>ACCEPT
>
>That rule will forward the packets through your firewall to the web server 
>(do you have a rule somewhere to allow the replies back again ?)
>
>> iptables -t nat -A POSTROUTING -p tcp -o $EXTIF -s $WWWSRV --sport 80 -j 
>SNAT --to-source $EXTIP:1234
>
>I don't understand this rule - replies from the webserver are going to get 
>automagically reverse NATted anyway, so this rule is redundant...
>
>> # for what i understand from iptables till now is
>> # packet comes in thru ethernet, arrives in kernel
>> # so packet looks like this
>> # ip-layer: source-ip: WWWREQUEST  destination-ip: $EXTIP
>> # tcp-layer: source-port: a port higher than 1024   destination-port: 1234
>> # and hits the PREROUTING chain
>
>Looks good so far.
>
>> # with the DNAT rule above it changes following
>> # ip-layer: source-ip: WWWREQUEST   destination-ip: $WWSRV
>> # tcp-layer: source-port: a port higher than 1024   destination-port: 80
>
>Yup.
>
>> # then hits FORWARD chain (usually it would hit the INPUT chain,
>> # but we changed that with DNAT; it has to go out on $INTIF to reach
>> # its destination..)
>
>Correct.
>
>> # with the FORWARD rule it can bypass..
>
>Sorry - what do you mean ?
>
>> # when applying DNAT all other packets in that stream are bypassed as well
>
>All other packets in that stream are translated (both ways), yes.
>
>> # with this two rules it is sure that a request from a www-client from
>> # the inet is reaching the inner $WWWSRV, and the $WWWSRV can respond but
>> # there is still something wrong with the reply packet:
>> # ip-layer: source-ip: $WWWSRV destination-ip: WWWREQUEST
>> # tcp-layer: source-port: 80   destination-port: 1024:
>
>That's how it goes out from the web server, yes, but that doesn't show the 
>reverse NAT which will have been applied by netfilter by the time it gets 
>back to the client.   Borrowing your terminology, that would look like:
>
>> # ip-layer: source-ip: $EXTIP destination-ip: WWWREQUEST
>> # tcp-layer: source-port: 1234   destination-port: 1024:
>
>> # when the packet arrives at the WWWREQUEST-host-browser it doesn't know
>> # what to do with the packet (there was no request to this host $WWWSRV)
>> # so here comes rule 3; it changes the source ip and port to this
>> # ip-layer: source-ip: $EXTIP destination-ip: WWWREQUEST
>> # tcp-layer: source-port: 1234   destination-port: 1024:
>> # now the packet seems like the awaited reply from the request
>> # he has given to $EXTIP:1234
>
>I think you do not realise that netfilter automagically applies the reverse 
>NAT rules to reply packets, so you do not have to create your own rules to do 
>this.
>
>> # and another few rules to complete the firewall script
>>
>> # allow all connections from inside out and only related
>> # and established ones in
>> iptables -A FORWARD -p tcp -i $EXTIF -o $INTIF -m state --state
>> ESTABLISHED,RELATED -j ACCEPT
>> iptables -A FORWARD -p tcp -o $EXTIF -i $INTIF -j ACCEPT
>
>Okay, these two rules (specifically the last one) will allow your replies 
>back out from the web server to the client.
>
>> # enable masquerading
>> iptables -t NAT -A POSTROUTING -o $EXTIF -j MASQUERADE
>
>"NAT" in this rule should read "nat" - it matters !
>

spelling mistake sorry! nat

>> I hope anyone out there can help me..
>> I tried serveral permutations with the three portforwarding rules:
>
>I think if you remove the third one it will work.

I just tried it without the third (i have tried it that way before)
but it still won't work !!!


>
>> I changed some params or even let them away
>> One Variation was to ACCEPT the full FORWARD chain
>
>Ugh !!!

i know, i know; but one gets really bad ideas when sth doesn't work

> 
>
>Antony.
>
>-- 
>
>It is also possible that putting the birds in a laboratory setting
>inadvertently renders them relatively incompetent.
>
> - Daniel C Dennett
>
>


__________________________________________________________________
The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp 

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/