LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 09-27-2004, 11:39 AM   #16
LostAgain
LQ Newbie
 
Registered: Sep 2004
Posts: 19

Original Poster
Rep: Reputation: 0

wow,

cool website. Still not working though. This is the script that was generated for me:

################################
#!/bin/sh

# iptables script generator: V0.1-2002
# Comes with no warranty!
# e-mail: michael@1go.dk

# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='192.168.0.1/24'
LAN_NIC='eth1'
WAN_IP='xxx.xxx.xxx.xxx'
WAN_NIC='eth0'
FORWARD_IP='192.168.10.35'

# load some modules (if needed)

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports to server on LAN
iptables -A FORWARD -j ACCEPT -p tcp --dport 80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.10.35:80

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#####################################################################

That didn't work. Maybe I should provide a little more information about the system.
My firewall is a simple bootable CD that is running kernel 2.6.8.1, and runs iptables. Is it possible that iptables is not the problem at all, and that the root of my problem resides elsewhere? Because, honestly, this is ridiculous: every script I try that uses DNAT refuses to work. Maybe I'm just crazy...

-LostAgain

Last edited by LostAgain; 09-27-2004 at 11:44 AM.
 
Old 09-27-2004, 11:51 AM   #17
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
The scripts created by www.iptables-script.dk work.
You can add "iptables -A INPUT -i lo -j ACCEPT" if you run applications that use the loopback.

Can you post the output of
#iptables -nvL
#iptables -t nat -nvL
 
Old 09-27-2004, 12:23 PM   #18
LostAgain
LQ Newbie
 
Registered: Sep 2004
Posts: 19

Original Poster
Rep: Reputation: 0
Here is the new script I used:


###############################################################################
#!/bin/sh

# iptables script generator: V0.1-2002
# Comes with no warranty!
# e-mail: michael@1go.dk

# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='192.168.0.1/24'
LAN_NIC='eth1'
WAN_IP='xxx.xxx.xxx.xxx'
WAN_NIC='eth0'
FORWARD_IP='192.168.10.35'

# load some modules (if needed)

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports to server on LAN
iptables -A FORWARD -j ACCEPT -p tcp --dport 80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.10.35:80

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
###############################################################################

Output of iptables -nvL:
###############################################################################
Chain INPUT (policy DROP 12 packets, 1338 bytes)
 pkts bytes target     prot opt in   out  source            destination
    0     0 ACCEPT     all  --  *    *    0.0.0.0/0         0.0.0.0/0    state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in   out  source            destination
 1410  288K ACCEPT     all  --  eth1 *    192.168.10.0/24   0.0.0.0/0
 1248  685K ACCEPT     all  --  *    *    0.0.0.0/0         0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0         0.0.0.0/0    tcp dpt:80

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in   out  source            destination

Output of iptables -t nat -nvL:
Chain PREROUTING (policy ACCEPT 5885 packets, 325K bytes)
 pkts bytes target     prot opt in   out  source            destination
    0     0 DNAT       tcp  --  eth0 *    0.0.0.0/0         0.0.0.0/0    tcp dpt:80 to:192.168.10.35:80

Chain POSTROUTING (policy ACCEPT 1 packets, 55 bytes)
 pkts bytes target     prot opt in   out  source            destination
   68  3956 MASQUERADE all  --  *    *    192.168.10.0/24   0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1 packets, 55 bytes)
 pkts bytes target     prot opt in   out  source            destination
###############################################################################

-LostAgain
 
Old 09-27-2004, 06:53 PM   #19
LostAgain
LQ Newbie
 
Registered: Sep 2004
Posts: 19

Original Poster
Rep: Reputation: 0
Ok, it appears that I am crazy. My rules are partially working now. From an outside network I can now see my webpage behind the firewall.
Except it doesn't seem to work from any machine inside the firewall, which is just weird. Any ideas?

-Lost Again
 
Old 09-27-2004, 09:12 PM   #20
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275

Rep: Reputation: 30
Answer 1:
It's probably better to do it with your dns / hosts file (www=192.168.10.35 internally and <outside ip> externally).

Answer 2:
To force it through your router (somewhat inefficient), you'll have to change the "-i eth0" to "-d $FW_IP" in your DNAT rule. Your masquerading rule should modify the source address for you. A side effect of this is that your http logs won't log internal machines properly. It will always have the router's IP address, not the internal web browsing machine's.

Nitpick:
You are masquerading on both interfaces by looking at the source network. Another solution would be to look at the NAT HOWTO, "Destination NAT Onto the Same Network", and only SNAT port 80 internally (i.e. don't masquerade on the internal interfaces).

Good Luck,
chris
 
Old 09-28-2004, 02:49 PM   #21
LostAgain
LQ Newbie
 
Registered: Sep 2004
Posts: 19

Original Poster
Rep: Reputation: 0
well,

I'm trying to work with SNAT now. Still trying to get access to the webserver from inside the lan. I'm using these rules:

###############################################################################
### Variables (must be set before any rule references them)
###############################################################################
INET_IFACE=eth0
FW_IP=xxx.xxx.xxx.xxx
LAN_IP=192.168.10.1

###############################################################################
### OUTPUT (packets generated by the firewall itself)
###############################################################################
iptables -t nat -A OUTPUT --dst $FW_IP -p tcp --dport 80 -j DNAT --to-destination 192.168.10.35

###############################################################################
### PREROUTING
###############################################################################
iptables -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $FW_IP --dport 314 -j DNAT --to-destination 192.168.10.244:22
iptables -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $FW_IP --dport 80 -j DNAT --to-destination 192.168.10.35:80

###############################################################################
### POSTROUTING
###############################################################################
iptables -t nat -A POSTROUTING -p tcp --dst 192.168.10.35 --dport 80 -j SNAT --to-source $LAN_IP
#iptables -t nat -A POSTROUTING -d 192.168.10.35 -s 192.168.10.0/24 -p tcp --dport 80 -j SNAT --to $LAN_IP

iptables -t nat -A POSTROUTING -p ALL -o $INET_IFACE -s $LAN_IP -j MASQUERADE
-------------------------------------------------------------------------------

I can see the webserver from the firewall, and from outside the firewall. Now if only I could see it from the inside, I would be happy. According to what I read, either one of the POSTROUTING rules should work. Doesn't want to, though. Ideas?

Thanks,

-Lost Again
 
Old 09-28-2004, 03:02 PM   #22
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by LostAgain
iptables -t nat -A OUTPUT --dst $FW_IP -p tcp --dport 80 -j DNAT \
--to-destination 192.168.10.35
iptables -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $FW_IP --dport 314 -j DNAT \
--to-destination 192.168.10.244:22
iptables -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $FW_IP --dport 80 -j DNAT \
--to-destination 192.168.10.35:80
iptables -t nat -A POSTROUTING -p tcp --dst 192.168.10.35 --dport 80 -j SNAT \
--to-source $LAN_IP
iptables -t nat -A POSTROUTING -p ALL -o $INET_IFACE -s $LAN_IP -j MASQUERADE
if you're gonna use SNAT, then forget about MASQUERADE...

you don't need to do POSTROUTING or OUTPUT for those IPs, you need FORWARD...

also, when doing SNAT, you want the source of outgoing packets to be your external ip, not your internal one...

these port-forwarding rules should work fine:

Code:
iptables -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 314 -j DNAT \
--to-destination 192.168.10.244:22

iptables -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 80 -j DNAT \
--to-destination 192.168.10.35:80

iptables -A FORWARD -p TCP -d 192.168.10.35 --dport 80 -m state \
--state NEW -j ACCEPT

iptables -A FORWARD -p TCP -d 192.168.10.244 --dport 22 -m state \
--state NEW -j ACCEPT

iptables -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -p ALL -o $INET_IFACE -j SNAT --to-source $FW_IP

Last edited by win32sux; 09-28-2004 at 04:44 PM.
 
Old 09-28-2004, 05:02 PM   #23
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
try this script i made for you... i've tested it, and i can confirm that it works...

basically, you just need to set the INET_IP variable at the top (i've pre-configured the rest)...

good luck...


Code:
#!/bin/sh

###############################################################################
### Variables
###############################################################################

IPT="/usr/sbin/iptables"
INET_IFACE="eth0"
INET_IP="xxx.xxx.xxx.xxx"
LAN_IFACE="eth1"
LAN_IP="192.168.10.1"
LAN_NET="192.168.10.0/24"
LO_IFACE="lo"
LO_IP="127.0.0.1"


###############################################################################
### Modules
###############################################################################

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc


###############################################################################
### Kernel Parameters
###############################################################################

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians


###############################################################################
### Flush Chains and Set Policies
###############################################################################

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
#$IPT -Z


###############################################################################
### INPUT
###############################################################################

$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p ICMP ! --fragment --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ALL -j LOG --log-prefix "INPUT DROP: "


###############################################################################
### OUTPUT
###############################################################################

$IPT -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -j LOG --log-prefix "OUTPUT DROP: "


###############################################################################
### FORWARD
###############################################################################

$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p ALL -i $LAN_IFACE -o $INET_IFACE -s $LAN_NET \
-m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -d 192.168.10.244 --dport 22 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -d 192.168.10.35 --dport 80 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD -p ALL -j LOG --log-prefix "FORWARD DROP: "


###############################################################################
### PREROUTING
###############################################################################

$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 314 -j DNAT \
--to-destination 192.168.10.244:22
$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 80 -j DNAT \
--to-destination 192.168.10.35:80


###############################################################################
### POSTROUTING
###############################################################################

$IPT -t nat -A POSTROUTING -p ALL -o $INET_IFACE -j SNAT --to-source $INET_IP


echo "So let it be written, so let it be done!"

Last edited by win32sux; 09-28-2004 at 05:11 PM.
 
Old 09-28-2004, 08:19 PM   #24
LostAgain
LQ Newbie
 
Registered: Sep 2004
Posts: 19

Original Poster
Rep: Reputation: 0
That's it. I'm crazy.

Thank you very much for all the help, and the scripts. I just tried the exact script above, with no success. I am SURE the script is correct. But I still cannot see the webserver that is behind my firewall from inside my network, if I go to the ip address. Anywhere outside works fine. I think my problem is not with Iptables. Must be some sort of software glitch hiding in the dark recesses of my server room. DAMN GREMLINS!

But, yet I still refuse to give up. One day all in packetland will speak freely amongst themselves and co-exist in harmony.

Avas ye gremlins, where's my power switch.

Thanks all for help. Will let everyone know if I get it working.

-Lost Again
 
Old 09-28-2004, 08:43 PM   #25
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by LostAgain
I still cannot see the webserver that is behind my firewall from inside my network, if I go to the ip address.
that's weird... what kinda switch/hub are you using??
 
Old 09-28-2004, 11:29 PM   #26
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275

Rep: Reputation: 30
What does tcpdump say when you try to access the web server internally:
tcpdump -s0 -v -i eth1 port 80

Good Luck,
chris
 
Old 09-29-2004, 01:57 AM   #27
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
win32sux:
great work!

LostAgain:
I don't think that DNAT rule will work for local clients, because your server and clients are in the same network segment. When a client sends packets to the public IP of the server, the firewall changes the destination IP of the packet to 192.168.10.x and the packet is forwarded to the web server. But the server will send the reply directly to the local client, because the source IP is still the same, and the client never knows the meaning of that packet, because the client expects the source IP of the packet to be the firewall's public IP, but it is the private IP of your server (192.168.10.35).


As a solution you can add a new NIC to your linux gateway and move your server to another network segment, like this:

LAN (clients) (192.168.10.0/24)
        |
      linux --------- internet
        |
DMZ [your server(s)] (192.168.20.0/24)


good luck.
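
The hairpin-NAT rule set that bastard23's second answer and maxut's explanation describe, written out as an added example (not code from the thread or from the script generator). It assumes LostAgain's layout (eth0 = Internet, eth1 = LAN 192.168.10.0/24, firewall LAN address 192.168.10.1, web server 192.168.10.35) and uses 203.0.113.10 as a placeholder for the masked public address; run it with no arguments to print the rules, or with `apply` as root to load them.

```shell
#!/bin/sh
# Hairpin NAT ("Destination NAT onto the same network" in the NAT HOWTO).
# Assumed layout: eth0 = Internet, eth1 = LAN 192.168.10.0/24, firewall LAN
# address 192.168.10.1, web server 192.168.10.35. INET_IP is a placeholder
# (TEST-NET-3 documentation range); set it to the firewall's real public address.
INET_IFACE="eth0"
INET_IP="${INET_IP:-203.0.113.10}"
LAN_IFACE="eth1"
LAN_IP="192.168.10.1"
LAN_NET="192.168.10.0/24"
WEB_IP="192.168.10.35"

# $1 is the iptables command to use; "echo" prints the rules instead of
# loading them, which is how the rule set is shown and checked below.
hairpin_rules() {
    IPT="${1:-echo}"
    # DNAT keyed on the destination address, not on "-i eth0", so that it also
    # fires for LAN clients that connect to the public address via eth1.
    $IPT -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_IP:80"
    # Without this SNAT the server answers a LAN client directly with source
    # 192.168.10.35, an address the client never sent to, and the handshake
    # dies (maxut's explanation). Rewriting the source to the firewall's LAN
    # address forces the reply back through the firewall, which un-NATs it.
    # Side effect (bastard23): the web server logs 192.168.10.1 for LAN clients.
    $IPT -t nat -A POSTROUTING -o "$LAN_IFACE" -s "$LAN_NET" -d "$WEB_IP" \
        -p tcp --dport 80 -j SNAT --to-source "$LAN_IP"
    # Only traffic leaving towards the Internet gets the public source address.
    $IPT -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_NET" \
        -j SNAT --to-source "$INET_IP"
    # FORWARD must admit the new connection to the server and all replies.
    $IPT -A FORWARD -p tcp -d "$WEB_IP" --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Self-check: exactly one rule must SNAT LAN-sourced traffic going out of the
# LAN interface to the web server; zero means the hairpin leg is missing.
count_hairpin_snat() {
    hairpin_rules echo | grep -c -- "-o $LAN_IFACE .*-d $WEB_IP .*SNAT"
}

if [ "$1" = "apply" ]; then
    hairpin_rules /usr/sbin/iptables
else
    hairpin_rules echo
fi
```

The DMZ layout maxut sketches avoids the hairpin entirely, because server and clients are then on different interfaces and replies must cross the firewall anyway.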
 
Old 09-29-2004, 10:25 AM   #28
LostAgain
LQ Newbie
 
Registered: Sep 2004
Posts: 19

Original Poster
Rep: Reputation: 0

Wow,

win32sux:
I'm using two 3Com Superstack II 3300 SM Switches.

bastard23:
Tried that, but got too much traffic. Don't really want to sift through it. Thanks though.

maxut:
I'm a moron. That makes perfect sense. And now that I think about it, that is exactly how I've done it before. I'm kicking myself for not remembering that I used to have 3 NICs instead of 2. My mind is blown. So it appears that my problem is now solved. At least I'm considering it that way.

Hehe, how such a simple solution as adding another nic eluded me for days. Most amusing...

Thanks all for your help, I REALLY appreciate it.

-LostAgain

Last edited by LostAgain; 09-29-2004 at 10:28 AM.