LinuxQuestions.org
#1  02-20-2010, 04:38 AM  sfrederiksen (LQ Newbie, registered Jan 2010)
Iptables can't port forward (PAT Port address translation)


Hi,

I'm using a Debian server as router/firewall.

I've two ethernet interfaces in the server, one for WAN and one for LAN. Then I use SNAT so my LAN clients can access the internet through the Debian router. That is working...

Now I want to be able to access servers on the LAN side from the WAN side, and I want to use port address translation (PAT).

I have an FTP server running on a LAN server, so I'm trying to port forward port 21.

iptables -t nat -A PREROUTING -p tcp -i eth1 -d (WANIP) --dport 21 -j DNAT --to 192.168.1.2:21

When people try to access my FTP from the WAN side, they are redirected to the local FTP server, and they are prompted for credentials, but when the credentials are typed, and the local FTP server should answer the WAN request, the connection dies.

The WAN clients are being prompted for credentials, so they are redirected to the local LAN server, but after that the connection dies, so I think there is some kind of NAT problem when the local LAN server is trying to respond to the WAN request..

Can you help me out.

Here is my iptables script:

#flush table
iptables -F
#input rules
iptables -P INPUT ACCEPT
#output rules
iptables -P OUTPUT ACCEPT
#Forward
iptables -P FORWARD ACCEPT
#NAT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o @WAN -j SNAT --to-source WANIP
iptables -t nat -A PREROUTING -p tcp -i eth1 -d (WANIP) --dport 21 -j DNAT --to 192.168.1.2:21
 
#2  02-20-2010, 05:25 AM  devwatchdog (Member, registered Jan 2010)
You've got the initial connection covered, but you need something for the data channel. Here's a web site that looked like it described it fairly well:

http://www.sns.ias.edu/~jns/wp/2006/...-tracking-ftp/

You'll have to adapt the concept there to your environment.
 
#3  02-20-2010, 05:42 AM  seaquesttr (LQ Newbie, registered Feb 2010)
You should also allow packets RELATED, ESTABLISHED. FTP is a protocol which is using an initial startup protocol and uses other ports related with that.
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also you should have modprobe

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
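The pieces scattered through the thread (the DNAT rule from post #1, the RELATED,ESTABLISHED rule and the FTP helper modules from post #3) assembled into one complete router ruleset, as an added example that is not from the thread or from any of its posters. It assumes eth1 is the WAN interface with the placeholder public address 198.51.100.10, eth0 is the LAN on 192.168.1.0/24, the FTP server is 192.168.1.2 as in post #1, and a VNC host at 192.168.1.3 (invented for the port 5900 forward from post #7). By default it only prints the iptables commands so they can be reviewed on a workstation; run it with `apply` on the router to execute them.

```shell
#!/bin/sh
# Added example, not a script from the thread. A complete two-NIC router
# ruleset: SNAT for the LAN, DNAT for FTP and VNC, a single state rule for
# replies, and the FTP helper attached explicitly.
# Assumptions (not from the thread): WAN on eth1 with a placeholder public
# address, LAN on eth0 as 192.168.1.0/24, FTP server 192.168.1.2 (from post #1),
# VNC host 192.168.1.3 (invented).
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IP="${WAN_IP:-198.51.100.10}"      # placeholder, replace with the real WAN address
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# forward_port PROTO WAN_PORT LAN_HOST LAN_PORT
# Prints the nat DNAT rule and the matching FORWARD accept for one service.
forward_port() {
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $1 -d $WAN_IP --dport $2 -j DNAT --to-destination $3:$4"
    # FORWARD sees the packet after DNAT, so it must match on the LAN address.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p $1 -d $3 --dport $4 -m conntrack --ctstate NEW -j ACCEPT"
}

# gen_rules prints every command in order; apply_ruleset pipes them into sh -e.
gen_rules() {
    echo "modprobe nf_conntrack_ftp"   # called ip_conntrack_ftp on 2.4/early 2.6 kernels
    echo "modprobe nf_nat_ftp"         # called ip_nat_ftp on 2.4/early 2.6 kernels
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 'iptables -F' alone flushes only the filter table; flush nat and raw too,
    # otherwise a DNAT rule from an earlier run silently stays in place.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -t raw -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT"
    # One state rule carries replies in both directions, plus the FTP data
    # connections that the helper marks RELATED (active PORT or passive PASV).
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    # Kernels from 4.7 on no longer attach helpers automatically; assign it in
    # raw PREROUTING, which runs before DNAT, so match on the public address.
    echo "iptables -t raw -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport 21 -j CT --helper ftp"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP"
    forward_port tcp 21   192.168.1.2 21
    forward_port tcp 5900 192.168.1.3 5900
}

apply_ruleset() {
    gen_rules | sh -e
}

# Usage: ./nat-router.sh         -> print the commands (dry run)
#        ./nat-router.sh apply   -> apply them (needs root on the router)
if [ "$1" = "apply" ]; then apply_ruleset; else gen_rules; fi
```

Two details worth checking against the script in post #1: `iptables -F` flushes only the filter table, so the nat table has to be flushed separately before re-adding rules, and loading the helper modules is no longer sufficient on kernels from 4.7 on, where the helper must be attached with the CT target as above. DNAT also depends on the LAN host sending its replies back through this router, because only this box's conntrack table can rewrite the source back to the public address; a LAN host whose default gateway is elsewhere answers the client directly from its private address and the client drops the reply.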
 
#4  02-21-2010, 04:35 AM  sfrederiksen (LQ Newbie, original poster)
Quote:
Originally Posted by seaquesttr
You should also allow packets RELATED, ESTABLISHED. FTP is a protocol which is using an initial startup protocol and uses other ports related with that.
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also you should have modprobe

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
I just thought that I already was accepting everything (just when I'm testing) with these commands:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

?
 
#5  02-21-2010, 04:43 AM  sfrederiksen (LQ Newbie, original poster)
Quote:
Originally Posted by devwatchdog
You've got the initial connection covered, but you need something for the data channel. Here's a web site that looked like it described it fairly well:

http://www.sns.ias.edu/~jns/wp/2006/...-tracking-ftp/

You'll have to adapt the concept there to your environment.
The website is adding rules to the INPUT and OUTPUT, but I'm already accepting everything, right??
 
#6  02-22-2010, 02:43 AM  seaquesttr (LQ Newbie, registered Feb 2010)
Quote:
Originally Posted by sfrederiksen
The website is adding rules to the INPUT and OUTPUT, but I'm already accepting everything, right??
You should modprobe these modules:
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
 
#7  02-23-2010, 01:12 AM  sfrederiksen (LQ Newbie, original poster)
Quote:
Originally Posted by seaquesttr
You should modprobe these modules:
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
I've already tried that. Still the same, after typing the login credentials the connection dies.

I've only tried to set up VNC on a local PC, and port forwarded port 5900 to that PC.

When I try from the outside to connect to that computer through VNC, the same thing is happening. The VNC login credentials prompt does appear, but the connection dies after typing them...
 
#8  12-20-2011, 10:47 AM  rashid_47010 (LQ Newbie, registered Nov 2004, Saudi Arabia, CentOS/Fedora)
RDP behind the iptables

Below is my network structure:

internet-----------router--------proxy(squid)-----------win-7(rdp)

Squid Proxy:
eth0: 192.168.1.100
eth1: 192.168.3.21
******************
internal network:
192.168.3.xxx
******************
The public IP is NATed to an internal network IP.

Now I want to access the RDP of the win-7 machine from outside, but I am unable to access it.

My iptables rules are given below:
iptables -t nat -A PREROUTING -p tcp --dport 3389 -d 192.168.3.100 -j DNAT --to-destination 192.168.3.xx:3389

*************************************************************************************************
#iptables -nvL
222K 10M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389
431K 179M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

[root@xxxxxxx ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 2861K packets, 248M bytes)
pkts bytes target prot opt in out source destination
1 48 DNAT tcp -- * * 0.0.0.0/0 192.168.1.100 tcp dpt:3389 to:192.168.3.61:3389

#cat /proc/net/ip_conntract | grep 3389
tcp 6 76 SYN_SENT src=xxx.xxx.xxx.xx dst=192.168.3.61 sport=3275 dport=3389 packets=3 bytes=144 [UNREPLIED] src=192.168.3.61 dst=212.100.219.15 sport=3389 dport=3275 packets=0 bytes=0 mark=0 secmark=0 use=1
(I think it is not getting the reverse path)

Kindly help me to resolve this issue.

Regards,
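The `[UNREPLIED]` conntrack entry in the post above is the most useful clue it contains: the box has forwarded the SYN to 192.168.3.61 three times and has never seen a packet back. The following shell helper, an added example that is not from the thread or from any of its posters, scans `/proc/net/ip_conntrack` lines (the older format shown in the post, as well as the newer `/proc/net/nf_conntrack` lines that carry an `ipv4 2` prefix) and lists every UNREPLIED flow, marking whether the destination was rewritten by DNAT on the way in. The sample lines are constructed for the example and use documentation addresses in place of the obfuscated ones in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Lists conntrack flows that never got a
# reply, and whether the destination was DNATed, so a forwarding problem can
# be separated from a missing return path on the LAN host.

# unreplied_dnat: reads conntrack lines on stdin. For each [UNREPLIED] line it
# prints: <direct|dnat> client:port -> dst:port expects reply from lanhost:port
# "dnat" means the original dst differs from the reply tuple's src, i.e. this
# box rewrote the destination; "direct" means no destination NAT took place.
unreplied_dnat() {
    awk '
    /\[UNREPLIED\]/ {
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   dst[n] = kv[2]
            else if (kv[1] == "sport") sport[n] = kv[2]
            else if (kv[1] == "dport") dport[n] = kv[2]
        }
        if (n < 2) next   # malformed line without a reply tuple
        kind = (dst[1] == src[2]) ? "direct" : "dnat"
        printf "%s %s:%s -> %s:%s expects reply from %s:%s\n", \
               kind, src[1], sport[1], dst[1], dport[1], src[2], sport[2]
    }'
}

# Constructed sample (documentation addresses 203.0.113.0/24 stand in for the
# obfuscated public addresses in the post). Line 1 mirrors the post's entry,
# line 2 is a DNATed flow in the newer nf_conntrack format, line 3 is healthy.
SAMPLE_CONNTRACK='tcp      6 76 SYN_SENT src=203.0.113.5 dst=192.168.3.61 sport=3275 dport=3389 packets=3 bytes=144 [UNREPLIED] src=192.168.3.61 dst=203.0.113.5 sport=3389 dport=3275 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4     2 tcp      6 110 SYN_SENT src=203.0.113.7 dst=192.168.1.100 sport=40001 dport=3389 packets=2 bytes=96 [UNREPLIED] src=192.168.3.61 dst=203.0.113.7 sport=3389 dport=40001 packets=0 bytes=0 mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=192.168.1.100 sport=50123 dport=3389 packets=800 bytes=120000 src=192.168.3.61 dst=203.0.113.9 sport=3389 dport=50123 packets=700 bytes=90000 [ASSURED] mark=0 use=1'

# Demo on the constructed sample. On a real router feed the live table instead:
#   cat /proc/net/nf_conntrack | unreplied_dnat      (or conntrack -L | unreplied_dnat)
printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_dnat
```

A "direct" UNREPLIED line for a public client means the SYN reached this box without any destination rewrite and still produced no answer, so the DNAT rule never matched that packet; a "dnat" line means the rewrite happened but the LAN host's SYN-ACK never came back through this router. In the second case the things to verify are that the LAN host's default gateway is this box (otherwise its reply leaves by another path and is never un-NATed), that the host is listening and its own firewall admits the port, and that the FORWARD chain counters for the DNATed destination are increasing.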