Linux Netfilter discussions
* iptables local port forwarding
@ 2004-04-03  9:50 Mark Ord
From: Mark Ord @ 2004-04-03  9:50 UTC (permalink / raw)
  To: netfilter

I'm sure the answer to this is out there somewhere on the internet,
however numerous searches since I installed Debian a couple of months
ago haven't provided the exact answer to what I want.

My setup is:

Debian woody
uname: Linux scholars 2.4.18-mppe #1 Sat Dec 20 13:42:14 EST 2003 i686 unknown
iptables: iptables v1.2.6a
eth0: 10.0.13.192 (-> internet)
eth1: 192.168.0.1 (-> lan)

I have iptables setup, firewalling eth0 (the internet) extensively, and
doing NAT for my lan, and some custom port forwards.

One is forwarding port 81 -> 80 - due to my provider firewalling port
80:
     iptables -t nat -I PREROUTING -p tcp --dport 81 -j REDIRECT --to 80

This works for connections coming in on both eth0, and eth1. However, I
can't connect to port 81 on the iptables machine (no matter what
iptables rules I try). On the lan side, I use a http proxy residing on
the iptables machine, hence can not connect to port 81 from the lan when
going through the proxy. It's not a huge problem (since I can and do use
port 80 from the lan side), I'm more so just really interested in whether this
actually IS possible, and if not, why?

While making this work isn't critical, I would like to do some other
fancy forwarding which requires the same sort of thing. (ssh port
forwarding on the iptables machine, then forwarding ports on specific
nic interfaces to the ssh forwarded port on lo, to avoid having to bind ssh
forwarded ports with 'GatewayPorts yes'). Basically I'd like to know if
this crazy type of setup is achievable.

TIA.
Mark.




* Re: iptables local port forwarding
@ 2004-04-03 10:27 ` Antony Stone
From: Antony Stone @ 2004-04-03 10:27 UTC (permalink / raw)
  To: netfilter

On Saturday 03 April 2004 10:50 am, Mark Ord wrote:

> I have iptables setup, firewalling eth0 (the internet) extensively, and
> doing NAT for my lan, and some custom port forwards.
>
> One is forwarding port 81 -> 80 - due to my provider firewalling port
> 80:
>      iptables -t nat -I PREROUTING -p tcp --dport 81 -j REDIRECT --to 80
>
> This works for connections coming in on both eth0, and eth1. However, I
> can't connect to port 81 on the iptables machine (no matter what
> iptables rules I try).

That rule looks fine to me, and you must obviously have an appropriate INPUT 
rule allowing the connection to port 80 after the REDIRECT has completed, 
otherwise you wouldn't be able to connect directly to port 80 which you say 
works fine.

The only thing I can think to ask is whether "iptables -L -t nat -nvx" shows 
the packet/byte counters for this rule incrementing when you do try to access 
port 81?

Perhaps a few judicious LOGging rules (before and after the REDIRECT in the 
nat table, before and after the ACCEPT in the INPUT chain) will tell you 
something useful?

Regards,

Antony.

-- 
Most people have more than the average number of legs.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: iptables local port forwarding
@ 2004-04-03 17:30   ` Bill Davidsen
From: Bill Davidsen @ 2004-04-03 17:30 UTC (permalink / raw)
  To: netfilter

Antony Stone wrote:
> On Saturday 03 April 2004 10:50 am, Mark Ord wrote:
> 
> 
>>I have iptables setup, firewalling eth0 (the internet) extensively, and
>>doing NAT for my lan, and some custom port forwards.
>>
>>One is forwarding port 81 -> 80 - due to my provider firewalling port
>>80:
>>     iptables -t nat -I PREROUTING -p tcp --dport 81 -j REDIRECT --to 80
>>
>>This works for connections coming in on both eth0, and eth1. However, I
>>can't connect to port 81 on the iptables machine (no matter what
>>iptables rules I try).
> 
> 
> That rule looks fine to me, and you must obviously have an appropriate INPUT 
> rule allowing the connection to port 80 after the REDIRECT has completed, 
> otherwise you wouldn't be able to connect directly to port 80 which you say 
> works fine.
> 
> The only thing I can think to ask is whether "iptables -L -t nat -nvx" shows 
> the packet/byte counters for this rule incrementing when you do try to access 
> port 81?
> 
> Perhaps a few judicious LOGging rules (before and after the REDIRECT in the 
> nat table, before and after the ACCEPT in the INPUT chain) will tell you 
> something useful?

Actually, you need to allow port 81 in, it doesn't become 80 until after 
the rewrite.

-- 
bill davidsen <davidsen@tmr.com>
   CTO TMR Associates, Inc
   Doing interesting things with small computers since 1979



* Re: iptables local port forwarding
@ 2004-04-03 23:09     ` Antony Stone
From: Antony Stone @ 2004-04-03 23:09 UTC (permalink / raw)
  To: netfilter

On Saturday 03 April 2004 6:30 pm, Bill Davidsen wrote:

> Antony Stone wrote:
> > On Saturday 03 April 2004 10:50 am, Mark Ord wrote:
> >>I have iptables setup, firewalling eth0 (the internet) extensively, and
> >>doing NAT for my lan, and some custom port forwards.
> >>
> >>One is forwarding port 81 -> 80 - due to my provider firewalling port
> >>80:
> >>     iptables -t nat -I PREROUTING -p tcp --dport 81 -j REDIRECT --to 80
> >>
> >>This works for connections coming in on both eth0, and eth1. However, I
> >>can't connect to port 81 on the iptables machine (no matter what
> >>iptables rules I try).
> >
> > That rule looks fine to me, and you must obviously have an appropriate
> > INPUT rule allowing the connection to port 80 after the REDIRECT has
> > completed, otherwise you wouldn't be able to connect directly to port 80
> > which you say works fine.
> >
> > The only thing I can think to ask is whether "iptables -L -t nat -nvx"
> > shows the packet/byte counters for this rule incrementing when you do try
> > to access port 81?
> >
> > Perhaps a few judicious LOGging rules (before and after the REDIRECT in
> > the nat table, before and after the ACCEPT in the INPUT chain) will tell
> > you something useful?
>
> Actually, you need to allow port 81 in, it doesn't become 80 until after
> the rewrite.

No, PREROUTING happens before INPUT, therefore the INPUT rule needs to allow 
the translated packet, not the original one.

Regards,

Antony.

-- 
The lottery is a tax for people who can't do maths.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: iptables local port forwarding
@ 2004-04-04 11:03   ` Mark Ord
From: Mark Ord @ 2004-04-04 11:03 UTC (permalink / raw)
  To: netfilter

On Sat, Apr 03, 2004 at 11:27:02AM +0100, Antony Stone wrote:

> That rule looks fine to me, and you must obviously have an appropriate INPUT 
> rule allowing the connection to port 80 after the REDIRECT has completed, 
> otherwise you wouldn't be able to connect directly to port 80 which you say 
> works fine.

Correct. I've further confirmed this by adding the rule as the final one
created (hence first in NAT's INPUT table), to isolate the output.
  iptables -I INPUT -j ACCEPT -p tcp --dport 81 -s 192.168.0.1 -d 192.168.0.1

Doing an "iptables -L -t filter -nvx" and "nc -s 192.168.0.1 192.168.0.1"
sees the packet count for that rule increment. IE:
 2028   121680 ACCEPT     tcp  --  * * 192.168.0.1   192.168.0.1  tcp dpt:81

The packets are certainly being accepted.

> The only thing I can think to ask is whether "iptables -L -t nat -nvx" shows 
> the packet/byte counters for this rule incrementing when you do try to access 
> port 81?

They're not. External connections do (elsewhere on the LAN, or from the
internet, but we already know that, as those redirects work), but connections
from the iptables machine never show up in the nat table. All the policies are
ACCEPT, and I've added a logging rule BEFORE the redirect - it appears it just
never gets to the nat table.

Checking out logging, and table listings, I can tell these packets do go
to the mangle table. However, that is a bit beyond me at this point.

Now that I have a bit more of an idea what is going on, I've done
another search, and hit this, which says that this actually isn't
possible, as the PREROUTING table is bypassed on local connections.

http://linux.org.mt/article/tomcat-ports

Thanks for your response,
Mark.



* Re: iptables local port forwarding
@ 2004-04-05 17:44     ` Antony Stone
From: Antony Stone @ 2004-04-05 17:44 UTC (permalink / raw)
  To: netfilter

On Sunday 04 April 2004 12:03 pm, Mark Ord wrote:

> On Sat, Apr 03, 2004 at 11:27:02AM +0100, Antony Stone wrote:
>
> > The only thing I can think to ask is whether "iptables -L -t nat -nvx"
> > shows the packet/byte counters for this rule incrementing when you do try
> > to access port 81?
>
> They're not. External connections do (elsewhere on the LAN, or from the
> internet, but we already know that, as those redirects work), but
> connections from the iptables machine never show up in the nat table.

Hey - wait a minute - did I miss something there?   You're trying to NAT 
packets from the netfilter machine itself in the PREROUTING chain???

No - won't work.

Sorry, I thought you were trying to get this working from the Internet - I 
must have missed something in a previous posting about trying to do it from 
the machine itself.

> Now that I have a bit more of an idea what is going on, I've done
> another search, can hit this, which says that this actually isn't
> possible, as the PREROUTING table is bypassed on local connections.

I agree.   You have to do it in the nat table of the OUTPUT chain (that's why 
it's there).

Regards,

Antony.

-- 
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.

                                                     Please reply to the list;
                                                           please don't CC me.
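
Added example, not code from the thread: a small Python model of the chain traversal the thread argues about (INPUT sees the translated port; locally generated packets get their NAT decision in nat OUTPUT, not PREROUTING). It assumes, as a modelling simplification, that the nat table is consulted only for the first packet of a flow (conntrack) and that a locally generated packet passes nat OUTPUT before it is looped back and reaches PREROUTING and INPUT; the remote address and source ports are constructed.

```python
class Host:
    """Toy netfilter: which chains a packet meets on its way to a local socket."""

    def __init__(self, input_policy="ACCEPT"):
        self.nat = {"PREROUTING": [], "OUTPUT": []}  # (match dport, REDIRECT --to port)
        self.input_rules = []                        # (match dport, verdict)
        self.input_policy = input_policy
        self.conntrack = {}  # flow -> dport after NAT; only NEW flows consult nat
        self.hits = {}       # (table, chain, rule) -> packet counter, as in -nvx

    def _count(self, key):
        self.hits[key] = self.hits.get(key, 0) + 1

    def _nat(self, chain, flow, dport):
        """Run one nat chain for a flow; known flows reuse the stored mapping."""
        if flow in self.conntrack:
            return self.conntrack[flow]
        for rule in self.nat[chain]:
            if rule[0] == dport:
                self._count(("nat", chain, rule))
                dport = rule[1]
                break
        self.conntrack[flow] = dport  # entry is created even when no rule matched
        return dport

    def deliver(self, src, sport, dport, locally_generated):
        """Return (dport seen by filter INPUT, INPUT verdict) for one packet."""
        flow = (src, sport, dport)
        if locally_generated:
            dport = self._nat("OUTPUT", flow, dport)  # first nat hook for local packets
        # The looped-back or received packet hits PREROUTING next, but a flow that
        # already went through nat OUTPUT is no longer NEW there, so no rule fires.
        dport = self._nat("PREROUTING", flow, dport)
        for rule in self.input_rules:
            if rule[0] == dport:  # INPUT matches the translated port (Antony's point)
                self._count(("filter", "INPUT", rule))
                return dport, rule[1]
        return dport, self.input_policy


def demo():
    """Replay the thread: Mark's PREROUTING rule, then the OUTPUT fix. Addresses constructed."""
    host = Host()
    host.nat["PREROUTING"].append((81, 80))  # iptables -t nat -I PREROUTING ... REDIRECT --to 80
    host.input_rules.append((80, "ACCEPT"))
    remote = host.deliver("10.0.13.5", 40000, 81, locally_generated=False)       # (80, ACCEPT)
    local_before = host.deliver("192.168.0.1", 40001, 81, locally_generated=True)  # (81, ACCEPT)
    host.nat["OUTPUT"].append((81, 80))      # same REDIRECT, but in the nat OUTPUT chain
    local_after = host.deliver("192.168.0.1", 40002, 81, locally_generated=True)   # (80, ACCEPT)
    return remote, local_before, local_after, host.hits
```

Mark's observation maps onto `local_before`: the PREROUTING counter stays at 1 while INPUT still sees dport 81.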


