LinuxQuestions.org - Linux - Networking
iptables port forward issue (http://www.linuxquestions.org/questions/linux-networking-3/iptables-port-forward-issue-827171/)

leosophy 08-19-2010 06:22 AM

iptables port forward issue
 
I have an iptables issue; the environment is as follows:
1. Server R - 192.168.0.1 (ext. router), ext. IP 202.123.123.1
2. Server W - 192.168.0.21 (web server)

Server R needs NAT (IP forwarding).

Server W serves the port forward (port 80) from Server R.

I have successfully set up the PREROUTING and POSTROUTING via the following iptables command:
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

But in my web server's log (httpd access log), all the web requests are recorded with Server R's IP address 192.168.0.1, so I can't get the external IP...

I think it's a POSTROUTING problem, but I can't find the solution even using SNAT (maybe a wrong config). I think the MASQUERADE is changing all the source IPs.

Please help!!!

TheMadIndian 08-19-2010 01:08 PM

Quote:

Originally Posted by leosophy (Post 4071067)
I have an iptables issue; the environment is as follows:
1. Server R - 192.168.0.1 (ext. router), ext. IP 202.123.123.1
2. Server W - 192.168.0.21 (web server)

Server R needs NAT (IP forwarding).

Server W serves the port forward (port 80) from Server R.

I have successfully set up the PREROUTING and POSTROUTING via the following iptables command:
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

But in my web server's log (httpd access log), all the web requests are recorded with Server R's IP address 192.168.0.1, so I can't get the external IP...

I think it's a POSTROUTING problem, but I can't find the solution even using SNAT (maybe a wrong config). I think the MASQUERADE is changing all the source IPs.

Please help!!!

If on server R 192.168.0.1 = eth0 and 202.123.123.1 = eth1,

your iptables rule should be

Code:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21

leosophy 08-19-2010 01:34 PM

Web guest source address problem..
 
Thanks TheMadIndian!

My problem is not the PREROUTING; the port forward is no problem.

After doing the port forward, the source IP to the web server is "192.168.0.1", which is changing the guest's external IP address.

So I think the problem comes from POSTROUTING.

Current script:
Code:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

If I don't use the POSTROUTING script
"/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE"
, then the web redirection fails.

So strange..


Quote:

Originally Posted by TheMadIndian (Post 4071441)
If on server R 192.168.0.1 = eth0 and 202.123.123.1 = eth1,

your iptables rule should be

Code:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21


TheMadIndian 08-19-2010 02:32 PM

Quote:

Originally Posted by leosophy (Post 4071466)
Thanks TheMadIndian!

My problem is not the PREROUTING; the port forward is no problem.

After doing the port forward, the source IP to the web server is "192.168.0.1", which is changing the guest's external IP address.

So I think the problem comes from POSTROUTING.

Current script:
Code:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

If I don't use the POSTROUTING script
"/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE"
, then the web redirection fails.

So strange..

Can you send me or post your whole script?

TheMadIndian 08-19-2010 02:37 PM

A real quick example:

Code:

#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21


leosophy 08-19-2010 02:43 PM

iptables config and nat script
 
Hi TheMadIndian,

I'm using Fedora release 12 (Constantine).

eth1 = 202.123.123.1
eth0 = 192.168.0.1

iptables script
/etc/sysconfig/iptables
Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6844:428603]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -j DROP
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

NAT script
Code:

modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

Thanks!!

Quote:

Originally Posted by TheMadIndian (Post 4071520)
Can you send me or post your whole script?


TheMadIndian 08-19-2010 02:54 PM

Quote:

Originally Posted by leosophy (Post 4071532)
Hi TheMadIndian,

I'm using Fedora release 12 (Constantine).

eth1 = 202.123.123.1
eth0 = 192.168.0.1

iptables script
/etc/sysconfig/iptables
Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6844:428603]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -j DROP
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

NAT script
Code:

modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

Thanks!!

Not sure how this works

Code:

/sbin/iptables -t nat -A PREROUTING -i eth0 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
should be

Code:

/sbin/iptables -t nat -A PREROUTING -i eth1 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80

TheMadIndian 08-19-2010 02:54 PM

Try running the one I posted real quick to see if that resolves the source IP issue

leosophy 08-19-2010 04:46 PM

Same problem
 
Finished testing... but it fails (can't redirect to my web server... 404 error).

But if I change the POSTROUTING script as follows:
Code:

iptables -t nat -A POSTROUTING -j MASQUERADE
After removing "-o eth1", it can redirect to the web server, but it still shows the "wrong source IP address" in the Apache log (only 192.168.0.1).

Apache log:
Code:

192.168.0.1 - - [20/Aug/2010:04:48:35 +0800] "GET / HTTP/1.1" 200 22890
I want 192.168.0.1 to be the external guest IP address...

It seems the POSTROUTING is changing the source IP address. I'm using another router for port forwarding; it can show the external IP address on my web server...

So strange..

Quote:

Originally Posted by TheMadIndian (Post 4071525)
A real quick example:

Code:

#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21



TheMadIndian 08-20-2010 09:57 AM

Quote:

Originally Posted by leosophy (Post 4071655)
Finished testing... but it fails (can't redirect to my web server... 404 error).

But if I change the POSTROUTING script as follows:
Code:

iptables -t nat -A POSTROUTING -j MASQUERADE
After removing "-o eth1", it can redirect to the web server, but it still shows the "wrong source IP address" in the Apache log (only 192.168.0.1).

Apache log:
Code:

192.168.0.1 - - [20/Aug/2010:04:48:35 +0800] "GET / HTTP/1.1" 200 22890
I want 192.168.0.1 to be the external guest IP address...

It seems the POSTROUTING is changing the source IP address. I'm using another router for port forwarding; it can show the external IP address on my web server...

So strange..

You're running what I sent you as a script and as root, correct?

I just ran that script on F11, F13 and CentOS 5 and it works; I'm currently forwarding from my F13 router to a Windows IIS6 server.
Note I did change to port 443 because my ISP doesn't allow port 80 on the cable modem, so to test the external IP getting through I had to use 443.

Rule
Code:

ifconfig eth1 |grep "inet addr" |awk -F ':' '{print $2}' | awk -F ' ' '{print $1}' > /usr/local/bin/ispIP.txt
ispIP=`cat /usr/local/bin/ispIP.txt`
iptables -t nat -A PREROUTING -p tcp -i eth1 -d $ispIP --dport 443 -j DNAT --to-destination 192.168.252.35

IIS log entry
Code:

2010-08-20 13:45:58 W3SVC1132167246 192.168.252.35 GET /Default.aspx - 443 - 65.206.51.78 Wget/1.12+(linux-gnu) 200 0 0
Send me the output of

service iptables status

leosophy 08-20-2010 11:46 AM

service iptables status
 
service iptables status is as follows.

There are some port forwards inside the script. Not only the web server but also the FTP server gets the "router internal IP".

Code:

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination

Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination
1    DNAT      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80 to:192.168.0.21:80
2    DNAT      tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:80 to:192.168.0.21:80
3    DNAT      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2112 to:192.168.0.21:21
4    DNAT      tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2112 to:192.168.0.21:21
5    DNAT      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2111 to:192.168.0.253:21
6    DNAT      tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2111 to:192.168.0.253:21

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination
1    ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
4    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
6    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443
7    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:20
8    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21
9    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2111
10  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2112
11  DROP      all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination
1    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination



Quote:

Originally Posted by TheMadIndian (Post 4072406)
You're running what I sent you as a script and as root, correct?

I just ran that script on F11, F13 and CentOS 5 and it works; I'm currently forwarding from my F13 router to a Windows IIS6 server.
Note I did change to port 443 because my ISP doesn't allow port 80 on the cable modem, so to test the external IP getting through I had to use 443.

Rule
Code:

ifconfig eth1 |grep "inet addr" |awk -F ':' '{print $2}' | awk -F ' ' '{print $1}' > /usr/local/bin/ispIP.txt
ispIP=`cat /usr/local/bin/ispIP.txt`
iptables -t nat -A PREROUTING -p tcp -i eth1 -d $ispIP --dport 443 -j DNAT --to-destination 192.168.252.35

IIS log entry
Code:

2010-08-20 13:45:58 W3SVC1132167246 192.168.252.35 GET /Default.aspx - 443 - 65.206.51.78 Wget/1.12+(linux-gnu) 200 0 0
Send me the output of

service iptables status


TheMadIndian 08-20-2010 12:13 PM

Quote:

Originally Posted by leosophy (Post 4072511)
service iptables status is as follows.

There are some port forwards inside the script. Not only the web server but also the FTP server gets the "router internal IP".

Code:

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination

Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination
1    DNAT      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80 to:192.168.0.21:80
2    DNAT      tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:80 to:192.168.0.21:80
3    DNAT      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2112 to:192.168.0.21:21
4    DNAT      tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2112 to:192.168.0.21:21
5    DNAT      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2111 to:192.168.0.253:21
6    DNAT      tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2111 to:192.168.0.253:21

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination
1    ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
4    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
6    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443
7    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:20
8    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21
9    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2111
10  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2112
11  DROP      all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination
1    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination


This is bothering me
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.21:80
2 DNAT tcp -- 0.0.0.0/0 "ext-ip-addr" tcp dpt:80 to:192.168.0.21:80


Can you run the script I sent and then send me the output of service iptables status, please?

leosophy 08-20-2010 01:04 PM

Service iptables status (Your script)
 
Service iptables status (Your script)

Code:

Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination

Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination
1    DNAT      tcp  --  0.0.0.0/0            202.123.123.1      tcp dpt:80 to:192.168.0.21:80

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination
1    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination
1    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Quote:

Originally Posted by TheMadIndian (Post 4072543)
This is bothering me
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.21:80
2 DNAT tcp -- 0.0.0.0/0 "ext-ip-addr" tcp dpt:80 to:192.168.0.21:80


Can you run the script I sent and then send me the output of service iptables status, please?


leosophy 08-20-2010 01:11 PM

About MASQUERADE
 
Quote from http://www.billauer.co.il/ipmasq-html.html.
14 The wrong way to masquerade
iptables -t nat -A POSTROUTING -j MASQUERADE
This makes masquerading the default policy for any outgoing packet
... including any forwarded packet.
All forwarded packets will appear to come from the masquerading host.
May confuse firewalls
Even worse, may confuse service applications to compromise security

That's why the web redirection is done after running this script. All forwarded packets will appear to come from the masquerading host. So, that's why I only see "192.168.0.1" in all logs..

Even using your script, it still fails.

Is it a routing problem?



Quote:

Originally Posted by leosophy (Post 4072579)
Service iptables status (Your script)

Code:

Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination

Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination
1    DNAT      tcp  --  0.0.0.0/0            202.123.123.1      tcp dpt:80 to:192.168.0.21:80

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination
1    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination
1    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination



TheMadIndian 08-20-2010 01:38 PM

I just caught this: 202.123.123.1, that's generally a router address; I'd be surprised if that's the address you're getting from the ISP.

If eth0 is your local and eth1 is your internet connection on the router, run this.

Otherwise send me the output of ifconfig.

Code:

#!/bin/bash

# Flush all rules and delete user-defined chains in every table
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

# Pick up the address the ISP handed eth1 instead of hard-coding it
ifconfig eth1 |grep "inet addr" |awk -F ':' '{print $2}' | awk -F ' ' '{print $1}' > /usr/local/bin/ispIP.txt
ispIP=`cat /usr/local/bin/ispIP.txt`

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
# Let forwarded traffic from the internet side reach the LAN side
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Masquerade only what leaves via eth1; packets forwarded to eth0 keep their source address
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Forward port 80 on the ISP address to the web server
iptables -t nat -A PREROUTING -p tcp -i eth1 -d $ispIP --dport 80 -j DNAT --to-destination 192.168.0.21


If this works we'll need to add some rules to lock things down.
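As an added illustration (not code from either poster), here is a small POSIX sh lint that reads an iptables-save style nat table and flags the two mistakes this thread turns on: a POSTROUTING MASQUERADE with no -o restriction (the "wrong way to masquerade" quoted above, which makes Apache log 192.168.0.1 for every forwarded request) and a DNAT port forward not bound to the WAN interface. The two rulesets are constructed samples; the interface name eth1 and the addresses are the thread's own.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an iptables-save style nat
# table for the two mistakes discussed above. Assumes the WAN interface is eth1.

# Constructed sample mirroring the thread's original NAT script:
# a DNAT rule on the LAN interface and an unrestricted MASQUERADE.
RULES_BAD='*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.21:80
-A PREROUTING -i eth0 -d 202.123.123.1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.21:80
-A POSTROUTING -j MASQUERADE
COMMIT'

# Corrected form: DNAT only on the WAN side, MASQUERADE only for packets
# leaving via the WAN interface, so DNATed packets forwarded to eth0 keep
# the client's real source address and Apache logs it instead of 192.168.0.1.
RULES_GOOD='*nat
-A PREROUTING -i eth1 -d 202.123.123.1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.21:80
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# lint_nat RULESET WAN_IF: print one finding per offending rule and
# return the number of findings (0 means the nat table is clean).
lint_nat() {
    ruleset=$1
    wan=$2
    findings=0
    # A here-document (not a pipe) keeps the counter in the current shell.
    while IFS= read -r line; do
        case $line in
            "-A POSTROUTING "*"-j MASQUERADE"*)
                case $line in
                    *"-o $wan"*) ;;   # restricted to the WAN interface: fine
                    *) echo "MASQUERADE not limited to -o $wan: $line"
                       findings=$((findings + 1)) ;;
                esac ;;
            "-A PREROUTING "*"-j DNAT"*)
                case $line in
                    *"-i $wan"*) ;;   # port forward bound to the WAN side: fine
                    *) echo "DNAT not bound to -i $wan: $line"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
    done <<EOF
$ruleset
EOF
    return "$findings"
}

# Stand-alone run: report on both rulesets.
echo "== original script =="; lint_nat "$RULES_BAD" eth1 || true
echo "== corrected script =="; lint_nat "$RULES_GOOD" eth1 && echo "clean"
```

Once forwarded packets keep the client's real source address, Server W has to route its replies back through Server R (typically by using 192.168.0.1 as its default gateway); otherwise the replies bypass the NAT box and the forwarded connection breaks.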

