LinuxQuestions.org
Old 04-24-2011, 10:47 PM   #1
san_patil
LQ Newbie
 
Registered: Dec 2010
Posts: 4

Rep: Reputation: 0
IP Forwarding (how to with iptables)?


We are stuck big time with IP forwarding where we have to use iptables. Any advice will be appreciated.

Setup
Machine A --> Machine B --> Machine C

- Machine A connects with Machine B on the "internal network"
- Machine B has 2 NICs (and two IP addresses), one connected to Machine A (internal network) and one connected to Machine C (external network)

We need all traffic coming from Machine A which flows to Machine B on port 60 to be directed/forwarded to Machine C (port 60).
We are not allowed to configure Machine B as a gateway. Things work with the rinetd program when we do a TCP redirect from Machine B port 60 to Machine C (port 60).

But we are just unable to make it work with iptables rules. We tried the following, but in vain:

iptables -t nat -A PREROUTING -s Machine_A -d Machine_C -p tcp --dport 60 -j DNAT --to-destination Machine_C .6:60
/sbin/iptables -A FORWARD -i Machine_B -o Machine_C -p tcp --dport 60 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Any valued inputs?
 
Old 04-25-2011, 12:41 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
Could you explain where Machine C is? What is between B and C, because it looks like you can use forwarding instead of NAT.
 
Old 04-25-2011, 07:20 AM   #3
grzesiek
LQ Newbie
 
Registered: Nov 2010
Location: Poland
Distribution: Debian
Posts: 20

Rep: Reputation: 0
/sbin/iptables -A FORWARD -i Machine_B -o Machine_C -p tcp --dport 60 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Should it not be?

/sbin/iptables -A FORWARD -i Machine_A -o Machine_C -p tcp --dport 60 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
Old 04-25-2011, 11:02 AM   #4
san_patil
LQ Newbie
 
Registered: Dec 2010
Posts: 4

Original Poster
Rep: Reputation: 0
>> What is between B and C, because it looks like you can use forwarding instead of NAT.
Setup for clarity:
Machine A
IP address: i.i.i.1

Machine B has 2 IPs
Internal IP: i.i.i.2 (on another NIC)
External IP: x.x.x.1 (on one NIC)

Machine C
IP address: x.x.x.2

Machine B and Machine C are in the same network (intranet), where Machine B can connect to Machine C only via its external IP (x.x.x.x).
Machine B and Machine A are in an internal private network, where Machine B can connect to Machine A only via its internal IP (i.i.i.i).

Machine A <i.i.i.1> <--> Machine B <i.i.i.2>:60 <---> Machine B <x.x.x.1> <---> Machine C <x.x.x.2>:60

Basically, forward auditd logs from Machine A on the internal network to auditd (port 60) on Machine C on the external network via Machine A.

We tried the rinetd-equivalent rules given below, but in vain.
http://www.debian-administration.org/articles/595

# shell variables (no spaces around "=" or the assignment does not take effect)
YourIP=i.i.i.1
YourPort=60
TargetIP=x.x.x.2
TargetPort=60

iptables -t nat -A PREROUTING --dst $YourIP -p tcp --dport $YourPort -j DNAT \
--to-destination $TargetIP:$TargetPort
iptables -t nat -A POSTROUTING -p tcp --dst $TargetIP --dport $TargetPort -j SNAT \
--to-source $YourIP
iptables -t nat -A OUTPUT --dst $YourIP -p tcp --dport $YourPort -j DNAT \
--to-destination $TargetIP:$TargetPort

Any advice?

Last edited by san_patil; 04-25-2011 at 11:16 AM.
 
Old 04-27-2011, 11:15 PM   #5
san_patil
LQ Newbie
 
Registered: Dec 2010
Posts: 4

Original Poster
Rep: Reputation: 0

Following is what worked for me, for others' benefit.
Step 1:
The n/w interface of the internal IP i.i.i.2 (say data0) should be able to send data to the external server (Machine C) via its external IP
(x.x.x.1, whose n/w interface = ethX0), making sure that the external server is not able to contact the management node's internal IP.

So we need to make sure that on Machine B the two NIC cards are configured such that all data from the internal NIC (data0) can be forwarded
outside via the external NIC (ethX0).

Flush out iptables and Run the following on Machine B

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
# (make sure this rule does not screw up contacting the management GUI from the outside world)
iptables -A INPUT -m state --state NEW ! -i ethX0 -j ACCEPT
iptables -A FORWARD -i ethX0 -o data0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the Management node internal IP (interface = data0)
iptables -A FORWARD -i data0 -o ethX0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o ethX0 -j MASQUERADE

# Don't forward from the outside to the inside
# (new connections arriving on ethX0 bound for data0; replies were already accepted above).
iptables -A FORWARD -i ethX0 -o data0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

How to make sure the above worked:
ping -I <Machine B internal IP> <IP of Machine C, which is the external audit server>
Machine B internal IP = i.i.i.2
Machine C IP = x.x.x.2
e.g.: ping -I i.i.i.2 x.x.x.2 <<This will work only on successful execution of the above rules>>
When this works you are now sure that packets relayed to the management internal IP can be forwarded to the external IP.
To make sure that the external world cannot ping the management node's internal IP, ensure the following:
Go to x.x.x.2 and ping i.i.i.2. If it's unable to ping, we are safe.

Step 2

Forward auditd logs being sent by Machine A (via audisp) to Machine B's internal IP address (n/w interface = data0) and predefined port to the external auditd server (Machine C)
and its port 60.
Machine B node internal IP = i.i.i.2, Port = 6333 (you can take any port as configured for audisp on Machine A)
IP of external audit server (Machine C) = x.x.x.2, Port = 60

Run the below on Machine B
iptables -t nat -A PREROUTING --dst i.i.i.2 -p tcp --dport 6333 -j DNAT --to-destination x.x.x.2:60
iptables -t nat -A POSTROUTING -p tcp --dst x.x.x.2 --dport 60 -j SNAT --to-source i.i.i.2
iptables -t nat -A OUTPUT --dst i.i.i.2 -p tcp --dport 6333 -j DNAT --to-destination x.x.x.2:60


This makes the following setup work, where Machine B has two IP addresses, one on the internal network and one on the external network:
Machine A <i.i.i.1> <--> Machine B <i.i.i.2>:6333 <---> Machine C <x.x.x.2>:60


How to make sure the above worked for audit log forwarding from Machine A on the internal network to Machine C on the external network:
1. Restart auditd on Machine A (service auditd restart)
2. On Machine A, make sure in /var/log/messages (tail -f /var/log/messages) you see comments like "audisp-remote: Connected to i.i.i.2", which indicates that the audisp on the storage node was able to connect to the management node on the given port
3. auditctl -m "AUDITLOG : Message from Machine A"
4. Check in /var/log/audit/audit.log for the above entry on Machine C
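As an added illustration (not code from the thread or from any of its posters), here is a small Python model of how the rules from post #5 rewrite one new TCP packet on Machine B, using the thread's placeholder addresses and interface names. It assumes the rules were appended in the order given (Step 1 before Step 2), which is why the MASQUERADE rule, not the later SNAT rule, is what rewrites the source address toward Machine C, and it does not model the conntrack-driven un-NAT of replies.

```python
# Added example (not from the thread): a small model of how the post #5 rules
# on Machine B rewrite ONE new packet.  Placeholders are the thread's; data0 /
# ethX0 are B's NICs.  Assumes Step 1 ran before Step 2; replies not modelled.
from dataclasses import dataclass, replace
EXT_IP, INT_IP = "x.x.x.1", "i.i.i.2"               # Machine B's two addresses
LISTEN_PORT, AUDIT_SRV, AUDIT_PORT = 6333, "x.x.x.2", 60

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def iface(addr):  # NIC on B that reaches addr (constructed: decided by prefix)
    return "ethX0" if addr.startswith("x.x.x.") else "data0"

def prerouting(p, hits):
    # nat PREROUTING: --dst i.i.i.2 --dport 6333 -j DNAT --to x.x.x.2:60
    if p.dst == INT_IP and p.dport == LISTEN_PORT:
        hits.append("DNAT")
        return replace(p, dst=AUDIT_SRV, dport=AUDIT_PORT)
    return p

def forward(p, in_if, hits):
    # filter FORWARD for a NEW packet: data0->ethX0 ACCEPT, anything else REJECT
    if in_if == "data0" and iface(p.dst) == "ethX0":
        hits.append("FORWARD:ACCEPT")
        return True
    hits.append("FORWARD:REJECT")
    return False

def postrouting(p, hits):
    # nat POSTROUTING in append order: MASQUERADE -o ethX0 (Step 1) matches
    # first and ends the chain, so the SNAT rule added in Step 2 never fires
    if iface(p.dst) == "ethX0":
        hits.append("MASQUERADE")
        return replace(p, src=EXT_IP)
    if p.dst == AUDIT_SRV and p.dport == AUDIT_PORT:
        hits.append("SNAT")
        return replace(p, src=INT_IP)
    return p

def relay(p):
    # returns (packet as it leaves B, or None if rejected; rules hit in order)
    hits = []
    q = prerouting(p, hits)
    if not forward(q, iface(p.src), hits):
        return None, hits
    return postrouting(q, hits), hits
```

Running relay() on a packet from Machine A to i.i.i.2:6333 yields a packet from x.x.x.1 to x.x.x.2:60 with the hits DNAT, FORWARD:ACCEPT, MASQUERADE, while a new packet from x.x.x.2 towards i.i.i.1 is rejected in FORWARD.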
 
  

