LinuxQuestions.org

Iptables can't port forward (PAT Port address translation) (http://www.linuxquestions.org/questions/linux-networking-3/iptables-cant-port-forward-pat-port-address-translation-790351/)

sfrederiksen 02-20-2010 05:38 AM

Iptables can't port forward (PAT Port address translation)
 
Hi,

I'm using a Debian server as router/firewall.

I've two Ethernet interfaces in the server, one for WAN and one for LAN. Then I use SNAT so my LAN clients can access the internet through the Debian router. That is working...

Now I want to be able to access servers on the LAN side from the WAN side, and I want to use port address translation (PAT).

I have an FTP server running on a LAN server, so I'm trying to port forward port 21.

iptables -t nat -A PREROUTING -p tcp -i eth1 -d (WANIP) --dport 21 -j DNAT --to 192.168.1.2:21

When people try to access my FTP from the WAN side, they are redirected to the local FTP server and are prompted for credentials, but when the credentials are typed and the local FTP server should answer the WAN request, the connection dies.

The WAN clients are being prompted for credentials, so they are redirected to the local LAN server, but after that the connection dies, so I think there is some kind of NAT problem when the local LAN server is trying to respond to the WAN request.

Can you help me out?

Here is my iptables script:

#flush table
iptables -F
#input rules
iptables -P INPUT ACCEPT
#output rules
iptables -P OUTPUT ACCEPT
#Forward
iptables -P FORWARD ACCEPT
#NAT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o @WAN -j SNAT --to-source WANIP
iptables -t nat -A PREROUTING -p tcp -i eth1 -d (WANIP) --dport 21 -j DNAT --to 192.168.1.2:21

devwatchdog 02-20-2010 06:25 AM

You've got the initial connection covered, but you need something for the data channel. Here's a web site that looked like it described it fairly well:

http://www.sns.ias.edu/~jns/wp/2006/...-tracking-ftp/

You'll have to adapt the concept there to your environment.

seaquesttr 02-20-2010 06:42 AM

You should also allow RELATED, ESTABLISHED packets. FTP is a protocol which uses an initial startup connection and then other ports related to that.
# the rule must name a chain; FORWARD is the one DNAT'd traffic traverses
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also you should have run modprobe:

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
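To make the advice above concrete, here is an added example (not code from any poster in this thread): a POSIX sh generator that prints, rather than applies, the complete rule set for forwarding one TCP port from the WAN side to a LAN host, plus a check that the stateful FORWARD rule is present. Interface names, the WAN address and the LAN host are placeholders supplied as arguments. The helper modules are printed under their 2.6.20+ names (nf_conntrack_ftp, nf_nat_ftp) with the older ip_* names as a fallback; those helpers are what let conntrack mark the FTP data connection as RELATED and NAT it, which the DNAT rule for port 21 alone cannot do. With the original poster's ACCEPT policies the FORWARD rules are redundant, but a ruleset that drops by default needs them.

```shell
#!/bin/sh
# Added example, not from this thread. Prints a port-forwarding (PAT) rule
# set so it can be reviewed before being run with sh. Nothing is applied here.
# Arguments: WAN interface, WAN IP, LAN interface, LAN host, TCP port.
# All interface names and addresses are placeholders chosen by the caller.
gen_pat_rules() {
    wan_if=$1
    wan_ip=$2
    lan_if=$3
    lan_host=$4
    port=$5
    cat <<EOF
# iptables -F only flushes the filter table; flush nat too or reruns append duplicates
iptables -F
iptables -t nat -F
# FTP helpers: nf_* names on 2.6.20+ kernels, ip_* on older ones
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# PAT: rewrite the destination of WAN-side connections to the LAN host
iptables -t nat -A PREROUTING -i $wan_if -p tcp -d $wan_ip --dport $port -j DNAT --to-destination $lan_host:$port
# LAN clients leave with the WAN address as source
iptables -t nat -A POSTROUTING -o $wan_if -j SNAT --to-source $wan_ip
# FORWARD: admit the forwarded port as NEW, then replies and helper-created RELATED flows
iptables -A FORWARD -i $wan_if -o $lan_if -p tcp -d $lan_host --dport $port -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Sanity check for a rule set: the FTP data channel (and every DNAT'd reply)
# dies unless FORWARD accepts RELATED,ESTABLISHED. Returns 0 if present.
has_stateful_forward() {
    printf '%s\n' "$1" | grep -q -- '-A FORWARD .*--state RELATED,ESTABLISHED'
}

# Usage: gen_pat_rules eth1 203.0.113.10 eth0 192.168.1.2 21 > pat.sh
```

The generated script is meant to be read first and then run as root; the check function is the kind of assertion worth keeping in a firewall script's test, since a DNAT rule without the matching stateful FORWARD rule fails in exactly the way described in this thread (login prompt appears, then the connection dies).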

sfrederiksen 02-21-2010 05:35 AM

Quote:

Originally Posted by seaquesttr (Post 3870284)
You should also allow RELATED, ESTABLISHED packets. FTP is a protocol which uses an initial startup connection and then other ports related to that.
# the rule must name a chain; FORWARD is the one DNAT'd traffic traverses
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also you should have run modprobe:

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

I just thought that I was already accepting everything (just while I'm testing) with these commands:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

?

sfrederiksen 02-21-2010 05:43 AM

Quote:

Originally Posted by devwatchdog (Post 3870271)
You've got the initial connection covered, but you need something for the data channel. Here's a web site that looked like it described it fairly well:

http://www.sns.ias.edu/~jns/wp/2006/...-tracking-ftp/

You'll have to adapt the concept there to your environment.

The website is adding rules to the INPUT and OUTPUT chains, but I'm already accepting everything, right?

seaquesttr 02-22-2010 03:43 AM

Quote:

Originally Posted by sfrederiksen (Post 3871292)
The website is adding rules to the INPUT and OUTPUT chains, but I'm already accepting everything, right?

You should modprobe these modules:
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

sfrederiksen 02-23-2010 02:12 AM

Quote:

Originally Posted by seaquesttr (Post 3872288)
You should modprobe these modules:
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

I've already tried that. Still the same; after typing the login credentials the connection dies.

I've only tried to set up VNC on a local PC and port forwarded port 5900 to that PC.

When I try to connect to that computer through VNC from the outside, the same thing is happening. The VNC login prompt appears, but the connection dies after typing the credentials...

rashid_47010 12-20-2011 11:47 AM

rdp behind the iptables
 
Below is my network structure:

internet-----------router--------proxy(squid)-----------win-7(rdp)

Squid Proxy:
eth0: 192.168.1.100
eth1: 192.168.3.21
******************
internal Network:
192.168.3.xxx
******************
The public IP is NATed to the internal network IP.

Now I want to access RDP on the win-7 machine from outside, but I am unable to access it.

My iptables rules are given below:
iptables -t nat -A PREROUTING -p tcp --dport 3389 -d 192.168.3.100 -j DNAT --to-destination 192.168.3.xx:3389

*************************************************************************************************
#iptables -nvL
222K 10M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389
431K 179M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

[root@xxxxxxx ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 2861K packets, 248M bytes)
pkts bytes target prot opt in out source destination
1 48 DNAT tcp -- * * 0.0.0.0/0 192.168.1.100 tcp dpt:3389 to:192.168.3.61:3389

#cat /proc/net/ip_conntrack | grep 3389
tcp 6 76 SYN_SENT src=xxx.xxx.xxx.xx dst=192.168.3.61 sport=3275 dport=3389 packets=3 bytes=144 [UNREPLIED] src=192.168.3.61 dst=212.100.219.15 sport=3389 dport=3275 packets=0 bytes=0 mark=0 secmark=0 use=1
(I think it is not getting a reverse path)

Kindly help me to resolve this issue.

Regards,
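The conntrack entry above is the useful clue, so here is an added example (not posted by anyone in this thread): a POSIX sh/awk checker that reads /proc/net/ip_conntrack-style lines and reports every [UNREPLIED] flow together with the NAT it infers from how the reply tuple differs from the original tuple (reply source differs from original destination: DNAT; reply destination differs from original source: SNAT). The sample entries are constructed with documentation-range addresses (198.51.100.0/24, 203.0.113.0/24) and are not the poster's real hosts. An UNREPLIED entry with packets=0 on the reply side means the LAN host's SYN-ACK never came back through this box; the usual causes are a default route on the LAN host that does not point at the forwarding host, or a host firewall on it dropping the forwarded SYN.

```shell
#!/bin/sh
# Added example, not from this thread. Reports flows conntrack has never seen
# a reply for and classifies the NAT applied to them.

# Constructed sample in /proc/net/ip_conntrack format (documentation-range
# addresses, not real hosts). Line 1: SNAT'd flow with no reply; line 2:
# DNAT'd flow with no reply; line 3: healthy established flow.
SAMPLE_CONNTRACK='tcp 6 76 SYN_SENT src=198.51.100.7 dst=192.168.3.61 sport=3275 dport=3389 packets=3 bytes=144 [UNREPLIED] src=192.168.3.61 dst=203.0.113.15 sport=3389 dport=3275 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.15 sport=3276 dport=3389 packets=1 bytes=48 [UNREPLIED] src=192.168.3.61 dst=198.51.100.7 sport=3389 dport=3276 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp 6 431999 ESTABLISHED src=198.51.100.9 dst=203.0.113.15 sport=40022 dport=3389 packets=120 bytes=9000 src=192.168.3.61 dst=198.51.100.9 sport=3389 dport=40022 packets=98 bytes=7200 [ASSURED] mark=0 secmark=0 use=1'

# find_unreplied TEXT: prints one report line per [UNREPLIED] entry in TEXT.
# Works on /proc/net/ip_conntrack, /proc/net/nf_conntrack (extra leading
# fields) and conntrack -L output, since it keys on the src=/dst= fields.
find_unreplied() {
    printf '%s\n' "$1" | awk '
    /\[UNREPLIED\]/ {
        n = 0; proto = $1
        for (i = 1; i <= NF; i++) {
            if ($i == "tcp" || $i == "udp") proto = $i
            split($i, kv, "=")
            if (kv[1] == "src") { n++; src[n] = kv[2] }
            else if (kv[1] == "dst") dst[n] = kv[2]
            else if (kv[1] == "sport") sport[n] = kv[2]
            else if (kv[1] == "dport") dport[n] = kv[2]
        }
        if (n != 2) next
        # Index 1 is the original tuple, index 2 the expected reply tuple.
        # DNAT: reply comes from a host other than the original destination.
        # SNAT: reply is addressed to something other than the original source.
        nat = "none"
        if (src[2] != dst[1] && dst[2] != src[1]) nat = "DNAT+SNAT"
        else if (src[2] != dst[1]) nat = "DNAT"
        else if (dst[2] != src[1]) nat = "SNAT"
        printf "UNREPLIED %s %s:%s -> %s:%s nat=%s reply expected from %s: check its route back through this host\n", proto, src[1], sport[1], dst[1], dport[1], nat, src[2]
    }'
}

# Usage on a live box: find_unreplied "$(cat /proc/net/ip_conntrack)"
find_unreplied "$SAMPLE_CONNTRACK"
```

On the sample, the first line reports nat=SNAT (the reply would go to a translated source) and the second nat=DNAT (the reply would come from the real server rather than the advertised address); the established flow is not reported. On a real box, a report line for a forwarded port is the signal to check the LAN host's routing table and host firewall before touching more iptables rules.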

