LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 07-08-2005, 10:04 AM   #1
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Rep: Reputation: 30
Port forwarding in iptables


I have an old firewall script that I wrote a couple years ago. I really don't remember how this works, but I can't seem to get port forwarding to function properly. If I remember correctly, this used to work. Anyway, here is the iptables command I'm using in the script:

$ipt -t nat -A PREROUTING -p tcp -i $ext_if --destination-port $port -j DNAT --to-destination $ip

ipt=/sbin/iptables
ext_if=eth0
port=25
ip=<internal ip of my email server>

I'm trying to telnet to the email server from an outside host, and it's not answering. I've got a tcpdump looking for all packets in which the dst port is 25 on both interfaces. I see the packets coming in on eth0 (external) but not eth1 (internal). What am I doing wrong?
 
Old 07-08-2005, 10:48 AM   #2
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi,

Your rule is correct, so I would think that either routing isn't enabled (echo 1 > /proc/sys/net/ipv4/ip_forward), or there's a filtering rule that blocks the packets.
 
Old 07-08-2005, 11:53 AM   #3
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Original Poster
Rep: Reputation: 30
I'm thinking that the problem is with my order of chains... I'm assuming that this will start on the INPUT chain...

Looking from top to bottom, the rules for the INPUT chain should send the packet to the spoofed chain first. This will simply check for a private source IP being sent from the outside. This will not catch the packets in question, so they will not be blocked.

After the spoofed chain, the packet should move on to my ext_input chain. This basically jumps to accept for any ports that should be accepted by the iptables machine itself.

If there are no matches after that, it appears the packet should hit the default policy for INPUT. The line I have listed in my original post (the rule to forward) is in a chain I created that will only be jumped to from FORWARD. How do I know if the packet is getting to the FORWARD chain (and thus jumping to my chain with the rule in my original post)?

I'm afraid I'm a bit rusty with all this stuff. I'm also curious how I can look at my logs to find out what is happening with the packets.
 
Old 07-08-2005, 12:23 PM   #4
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
There's a LOG target that you can use:
Code:
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
iptables -A LOG_ACCEPT -j ACCEPT
These are the chains I use... you only have to use -j LOG_ACCEPT instead of -j ACCEPT so that the matching packets are logged.
Of course you may have to define these chains in the table which interests you (nat).

Since iptables is used by the kernel, the logs go into /var/log/messages and /var/log/kernel.log.
Be careful: the logs are usually very verbose if you enable it for all packets (you'll have an entry per packet!).
 
Old 07-08-2005, 01:36 PM   #5
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Original Poster
Rep: Reputation: 30
I think I may have figured out the issue here. I have the rule listed in my first post in my in_forward chain. After that rule I placed another rule saying to jump to the log_drop. After rebuilding the chains and testing a connection, I saw dropped packets saying they were destined for the email server's IP. So, they had already been natted by that first rule. I figured that after they were NAT'd, the packets were automatically accepted. Do I need to make my default policy in my FORWARD chain to be accept? Or should I create a rule to accept anything that has been NAT'd to a valid internal IP?


Effectively, the rules are like this:

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --destination-port 25 -j DNAT --to-destination <email server's IP>
/usr/sbin/iptables -A in_forward -j log_drop


And this is what I'm seeing in the logs:

kernel: [IPTABLES DROP] : IN=eth0 OUT=eth1 SRC=66.69.139.158 DST=<email server's IP> LEN=60 TOS=0x10 PREC=0x00 TTL=51 ID=9271 DF PROTO=TCP SPT=39401 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
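The log entry above already answers the question asked in post #3 ("how do I know if the packet is getting to the FORWARD chain?"): OUT=eth1 means the packet was being routed out another interface, i.e. it was on the forward path after DNAT, whereas a packet on the INPUT path (addressed to the firewall itself) logs an empty OUT=. The script below is an added example, not code from the thread: it filters kernel LOG lines with the '[IPTABLES DROP]' / '[IPTABLES ACCEPT]' prefixes from post #4 and reports, per destination port, the verdict and which path the packet took. The log lines are constructed to match the format shown above, with placeholder addresses (203.0.113.x for outside hosts, 192.168.1.25 for the mail server, 198.51.100.2 for the firewall's own address).

```shell
#!/bin/sh
# Added example (not from the thread): triage iptables LOG lines.
# A LOG line with OUT=<iface> was on the FORWARD path (routed, e.g. after
# DNAT); a line with an empty OUT= was on the INPUT path (local delivery).

# Constructed sample log, in the format the thread's entry uses.
# Addresses are placeholders, not real hosts.
SAMPLE_LOG='Jul  8 13:30:01 fw kernel: [IPTABLES DROP] : IN=eth0 OUT=eth1 SRC=203.0.113.158 DST=192.168.1.25 LEN=60 TOS=0x10 PREC=0x00 TTL=51 ID=9271 DF PROTO=TCP SPT=39401 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 13:30:05 fw kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 13:30:09 fw kernel: [IPTABLES ACCEPT] : IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 13:30:10 fw kernel: eth0: link up'

# log_path_for_port PORT
# Reads LOG lines on stdin and prints, for every iptables entry whose DPT
# equals PORT:   VERDICT PATH SRC DST PROTO DPT
# PATH is INPUT when OUT= is empty and FORWARD when OUT= names an interface.
log_path_for_port() {
    port="$1"
    awk -v want="$port" '
        /IPTABLES/ {
            verdict = ""; out = ""; src = ""; dst = ""; proto = ""; dpt = ""
            if ($0 ~ /\[IPTABLES DROP\]/)   verdict = "DROP"
            if ($0 ~ /\[IPTABLES ACCEPT\]/) verdict = "ACCEPT"
            # Every KEY=VALUE token becomes a field; pick out the ones we need.
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "OUT")   out   = kv[2]
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (dpt != want) next
            path = (out == "") ? "INPUT" : "FORWARD"
            print verdict, path, src, dst, proto, dpt
        }'
}

# Stand-alone run: show what happened to SMTP (port 25) in the sample.
printf '%s\n' "$SAMPLE_LOG" | log_path_for_port 25
```

On a live box the same function works over the real log, e.g. `grep IPTABLES /var/log/messages | log_path_for_port 25`. For the sample above port 25 yields one DROP and one ACCEPT, both on the FORWARD path, which is exactly the situation in this post: the DNAT happened, the packet reached FORWARD, and a FORWARD rule (not INPUT) decided its fate.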
 
Old 07-08-2005, 02:04 PM   #6
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
re,

As you figured out, packets that are (de)NATed go through the FORWARD chain... so you have to add a specific rule for them (if you want your Linux box to be a firewall) or accept everything (if it just acts as a NAT router). The first is, to my mind, better, but it depends on whether security is important or not.
You should have a quick look at http://iptables-tutorial.frozentux.n...RSINGOFTABLES, there's a picture that explains quite well how packets go from one chain to another.
 
Old 07-08-2005, 03:18 PM   #7
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Original Poster
Rep: Reputation: 30
I have a variable for each port forwarding target that has a space-delimited list of values starting with the IP address of the target followed by the ports to be forwarded. I just added at the end of this loop the following rule:

$ipt -A in_forward -d $ip -j ACCEPT

This should be secure because by this time it should have already been through the spoof chain. If it was spoofed, it would have already been dropped. If not, then it must have already been NAT'd.

Thanks so much for the help.
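Putting posts #6 and #7 together, here is an added example (not the original poster's script) of the complete set of rules for one forwarded service. It keeps the thread's PREROUTING DNAT rule and the LOG_DROP chain from post #4, and makes the FORWARD accept tighter than `-d $ip -j ACCEPT`: it pins the interface pair, the protocol and port, and the DNAT conntrack state, so only traffic the DNAT rule actually rewrote is let through, which is the least-privilege form. Interface names, the mail server address (192.168.1.25) and the `IPT` variable are assumptions; `-m conntrack --ctstate DNAT` is the current conntrack match rather than the older `-m state`, which has no DNAT state. Setting `IPT=echo` prints the rules instead of applying them, and the rules are only applied when the script is run as `sh forward.sh apply` as root.

```shell
#!/bin/sh
# Added example, not the thread's script: DNAT one service and accept only
# that DNAT'd traffic in FORWARD. Addresses and interfaces are placeholders.
IPT="${IPT:-/sbin/iptables}"   # set IPT=echo to dry-run
ext_if=eth0                    # outside interface (assumption)
int_if=eth1                    # inside interface (assumption)
mail_ip=192.168.1.25           # internal mail server (placeholder)
mail_port=25

# The LOG_DROP chain from post #4: log, then drop.
log_chains() {
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
    $IPT -A LOG_DROP -j DROP
}

# Rules for the forwarded service. Default policy for FORWARD is DROP, so
# anything not explicitly accepted below ends up logged and dropped.
forward_mail() {
    $IPT -P FORWARD DROP

    # 1. Rewrite the destination of inbound SMTP in nat/PREROUTING
    #    (same rule as the thread's script).
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$mail_port" \
         -j DNAT --to-destination "$mail_ip"

    # 2. Replies and related traffic for connections already accepted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. After DNAT the packet is routed, so it traverses FORWARD, not INPUT.
    #    Accept only what that DNAT rule produced: right interfaces, right
    #    protocol and port, and conntrack's DNAT state. This is narrower than
    #    accepting everything addressed to $mail_ip.
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$mail_ip" \
         --dport "$mail_port" -m conntrack --ctstate DNAT -j ACCEPT

    # 4. Everything else that reaches FORWARD is logged and dropped.
    $IPT -A FORWARD -j LOG_DROP
}

# Apply only when asked to (needs root): sh forward.sh apply
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward   # routing must be on (post #2)
    log_chains
    forward_mail
fi
```

One caveat that is not an iptables problem: the mail server's replies must come back through this box, so its default route has to point at the firewall's inside address; otherwise the reverse translation never happens and the external client sees the connection hang, even though the LOG_DROP chain shows nothing.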
 
Old 07-08-2005, 03:22 PM   #8
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
welcome!
 
  

