LinuxQuestions.org

Linux - Networking: ppp0, iptables, and port forwarding. (https://www.linuxquestions.org/questions/linux-networking-3/ppp0-iptables-and-port-forwarding-4175416644/)

Neosmith20 07-14-2012 02:09 AM

ppp0, iptables, and port forwarding.
 
*pulling hair out* I have an iptables setup on CentOS 5.8, kernel Linux 2.6.18-308.11.1.el5 on i686. I recently moved from the inner city to a more rural area, and because of that we had to get DSL; before that we had cable. I had set up all my tables and everything was working before we moved, and now with the change to DSL I can't get any of my ports open to the outside: 80/443/5222/9091/25565. At the moment I was working on getting 5222 open first, as it's a high-priority port. I have changed my masq. and all the other int. to represent the changes, and yet still my brain is racked. Any help is much appreciated. :)

This is my iptables -nvL -t nat:
Code:

Chain PREROUTING (policy ACCEPT 66 packets, 5692 bytes)
 pkts bytes target    prot opt in    out    source              destination
 1235 76382 RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0            0.0.0.0/0
  782 48996 RH-Firewall-1-INPUT-Local  all  --  *      *      0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 512 packets, 32646 bytes)
 pkts bytes target    prot opt in    out    source              destination
 1204 87819 RH-Firewall-1-OUTPUT  all  --  *      *      0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1123 packets, 81927 bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target    prot opt in    out    source              destination
  22  1092 DNAT      tcp  --  ppp0  *      0.0.0.0/0            0.0.0.0/0          tcp multiport ports 5222 to:10.0.1.17:5222
  13  460 DROP      icmp --  ppp0  *      0.0.0.0/0            0.0.0.0/0          icmp type 255
    0    0 ACCEPT    all  --  ppp0  *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
  418 25834 DROP      all  --  ppp0  *      0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT-Local (1 references)
 pkts bytes target    prot opt in    out    source              destination
    0    0 ACCEPT    tcp  --  eth1  *      0.0.0.0/0            0.0.0.0/0          tcp multiport ports 53
  183 11823 ACCEPT    udp  --  eth1  *      0.0.0.0/0            0.0.0.0/0          udp multiport ports 53
  530 31325 ACCEPT    tcp  --  eth1  *      0.0.0.0/0            0.0.0.0/0          tcp multiport ports 3128
    0    0 ACCEPT    udp  --  eth1  *      0.0.0.0/0            0.0.0.0/0          udp multiport ports 3128
    0    0 ACCEPT    tcp  --  eth1  *      0.0.0.0/0            0.0.0.0/0          tcp multiport ports 3130
    3  156 ACCEPT    tcp  --  eth1  *      0.0.0.0/0            0.0.0.0/0          tcp multiport ports 10000

Chain RH-Firewall-1-OUTPUT (1 references)
 pkts bytes target    prot opt in    out    source              destination
  385 30837 MASQUERADE  tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          tcp
  307 24336 MASQUERADE  udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          udp
    0    0 ACCEPT    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED
    0    0 DROP      all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

This is my route -n:
Code:

207.225.112.1  0.0.0.0        255.255.255.255 UH    0      0        0 ppp0
10.0.0.0        0.0.0.0        255.255.0.0    U    0      0        0 eth1
169.254.0.0    0.0.0.0        255.255.0.0    U    0      0        0 eth1
0.0.0.0        0.0.0.0        0.0.0.0        U    0      0        0 ppp0

Any other code you need, let me know. Thank you. :)

Neosmith20 07-14-2012 02:13 AM

This is my iptables output:
Code:

# Generated by iptables-save v1.3.5 on Fri Jul 13 20:59:09 2012
*nat
:RH-Firewall-1-INPUT - [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:RH-Firewall-1-INPUT-Local - [0:0]
:RH-Firewall-1-OUTPUT - [0:0]
-A PREROUTING -j RH-Firewall-1-INPUT
-A PREROUTING -j RH-Firewall-1-INPUT-Local
-A POSTROUTING -j RH-Firewall-1-OUTPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport -i ppp0 --ports 5222 -j DNAT --to-destination 10.0.1.17:5222
-A RH-Firewall-1-INPUT -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A RH-Firewall-1-INPUT -m state -i ppp0 --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -j DROP
-A RH-Firewall-1-INPUT-Local -p tcp -m tcp -m multiport -i eth1 --ports 53 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p udp -m udp -m multiport -i eth1 --ports 53 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p tcp -m tcp -m multiport -i eth1 --ports 3128 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p udp -m udp -m multiport -i eth1 --ports 3128 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p tcp -m tcp -m multiport -i eth1 --ports 3130 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p tcp -m tcp -m multiport -i eth1 --ports 10000 -j ACCEPT
-A RH-Firewall-1-OUTPUT -p tcp -m tcp -o ppp0 -j MASQUERADE
-A RH-Firewall-1-OUTPUT -p udp -m udp -o ppp0 -j MASQUERADE
-A RH-Firewall-1-OUTPUT -m state -o ppp0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-OUTPUT -o ppp0 -j DROP
COMMIT
# Completed on Fri Jul 13 20:59:09 2012
# Generated by iptables-save v1.3.5 on Fri Jul 13 20:59:09 2012
*mangle
:PREROUTING ACCEPT [18654:5273103]
:INPUT ACCEPT [16309:5077099]
:FORWARD ACCEPT [1718:157816]
:OUTPUT ACCEPT [14766:5015635]
:POSTROUTING ACCEPT [16502:5175790]
COMMIT
# Completed on Fri Jul 13 20:59:09 2012
# Generated by iptables-save v1.3.5 on Fri Jul 13 20:59:09 2012
*filter
:INPUT ACCEPT [16310:5079871]
:FORWARD ACCEPT [1718:157816]
:OUTPUT ACCEPT [14767:5018407]
COMMIT
# Completed on Fri Jul 13 20:59:09 2012


lithos 07-14-2012 03:00 AM

Quote:

Originally Posted by Neosmith20 (Post 4727732)
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport -i ppp0 --ports 5222 -j DNAT --to-destination 10.0.1.17:5222
-A RH-Firewall-1-INPUT -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A RH-Firewall-1-INPUT -m state -i ppp0 --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -j DROP
-A RH-Firewall-1-INPUT-Local -p tcp -m tcp -m multiport -i eth1 --ports 53 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p udp -m udp -m multiport -i eth1 --ports 53 -j ACCEPT
...

This looks to me like you have some kind of VPN connection on your server, which your ISP may block, or if you have a router, then your router doesn't forward (allow) VPN connection pass-through.

It's just what I understand from your iptables, but I don't know how to solve it.

Neosmith20 07-14-2012 03:17 AM

No VPN. :) The connection would be: client on WAN side with port 5222 > DNAT > local IP and port 5222 -- server answers, then local IP > masq > WAN conn on port 5222. ;)

SuperJediWombat! 07-18-2012 04:01 AM

Your iptables configuration is a mess. You should not be filtering packets from within the nat table.

Try this:
Code:

# Generated by SuperJediWombat v1.0 on Fri Jul 18 16:52:00 2012

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i ppp0 --dport 5222 -j DNAT --to-destination 10.0.1.17:5222
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3130 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
COMMIT

I have not tested it; make sure that you have local access to the box before you apply it.

Neosmith20 07-18-2012 08:32 AM

Everything seems to be working at the moment. :D I do agree the tables were a mess.

Neosmith20 07-18-2012 08:54 AM

Was just wondering if this add-on would be a bit much, as in stupid, to add to the nat table?

Code:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m state -i ppp0 --state ESTABLISHED,RELATED -j ACCEPT
-A POSTROUTING -m state -o ppp0 --state ESTABLISHED,RELATED -j ACCEPT
-A PREROUTING -p tcp -m tcp -i ppp0 --dport 5222 -j DNAT --to-destination 10.0.1.17:5222
-A PREROUTING -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A PREROUTING -i ppp0 -j DROP
-A POSTROUTING -p tcp -m tcp -o ppp0 -j MASQUERADE
-A POSTROUTING -p udp -m udp -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j DROP
COMMIT


Neosmith20 07-18-2012 11:47 AM

@SuperJediWombat! Thank you so much for your help! Besides the tables being a mess, what was the real problem? I'm trying to find it... ;) Again, thank you soooooooooo much, you saved my life and business. ^_^

Neosmith20 07-18-2012 12:12 PM

This would be my new and improved iptables.

Code:

# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3130 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Wed Jul 18 10:01:18 2012
# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*mangle
:PREROUTING ACCEPT [904:382537]
:INPUT ACCEPT [32:3595]
:FORWARD ACCEPT [809:375381]
:OUTPUT ACCEPT [47:32946]
:POSTROUTING ACCEPT [856:408327]
COMMIT
# Completed on Wed Jul 18 10:01:18 2012
# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 80 -j DNAT --to-destination 10.0.1.13:80
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 443 -j DNAT --to-destination 10.0.1.13:443
-A PREROUTING -p tcp -m tcp -i ppp0 --dport 5222 -j DNAT --to-destination 10.0.1.17:5222
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 9091
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 25565 -j DNAT --to-destination 10.0.1.14:25565
-A PREROUTING -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A PREROUTING -m state -i ppp0 --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -i ppp0 -j DROP
-A POSTROUTING -m state -o ppp0 --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -p tcp -m tcp -o ppp0 -j MASQUERADE
-A POSTROUTING -p udp -m udp -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j DROP
COMMIT
# Completed on Wed Jul 18 10:01:18 2012


SuperJediWombat! 07-25-2012 12:54 AM

No problem, I'm glad that it is working now.


You should not be filtering traffic from within the nat table. This is what your nat table should look like, with the extra rules you have added:
Code:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 80 -j DNAT --to-destination 10.0.1.13:80
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 443 -j DNAT --to-destination 10.0.1.13:443
-A PREROUTING -p tcp -m tcp -i ppp0 --dport 5222 -j DNAT --to-destination 10.0.1.17:5222
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 25565 -j DNAT --to-destination 10.0.1.14:25565
-A POSTROUTING -o ppp0 -j MASQUERADE


Neosmith20 07-25-2012 09:27 PM

When I had the NAT set up without the filtering, I had a massive DoS and SYN/ACK attack; I know, right, how the hell were they getting through my NAT? O.o After I had implemented the filtering, I noticed that only real traffic was getting through and the hackerz/crackerz traffic had completely stopped.

Currently this is what I'm running under nat:
Code:


*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A PREROUTING -m state -i ppp0 --state ESTABLISHED,RELATED -j ACCEPT
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 80 -j DNAT --to-destination 10.0.1.13:80
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 443 -j DNAT --to-destination 10.0.1.13:443
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 5222 -j DNAT --to-destination 10.0.1.11:5222
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 9091 -j DNAT --to-destination 10.0.1.11:9091
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 25565 -j DNAT --to-destination 10.0.1.14:25565
-A PREROUTING -i ppp0 -j DROP
-A POSTROUTING -p tcp -m tcp -o ppp0 -j MASQUERADE
-A POSTROUTING -p udp -m udp -o ppp0 -j MASQUERADE
COMMIT

I don't know why, but it's when I add
Code:

-A POSTROUTING -m state -o ppp0 --state ESTABLISHED,RELATED -j ACCEPT
-A POSTROUTING -o ppp0 -j DROP

that the attacks stopped and normal, correct traffic was able to flow.
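As an added example (not posted by anyone in this thread), the POSIX shell script below makes SuperJediWombat!'s "do not filter in the nat table" point concrete and bears on the question just above. The kernel consults the nat table only for the first packet of each connection, the one that creates the conntrack entry; every later packet of that connection skips nat entirely and follows the mapping already recorded. So `--state ESTABLISHED` can never match in nat, and a DROP in nat PREROUTING or POSTROUTING only ever discards first packets. Any ACCEPT/DROP decision belongs in the filter table, and because DNAT has already rewritten the destination by the time a packet reaches FORWARD, the FORWARD chain can restrict forwarded traffic to exactly the published LAN services (the filter tables posted in this thread leave FORWARD at policy ACCEPT, so anything DNAT'd is forwarded unfiltered). The script defines `lint_nat_table`, which reads an iptables-save dump from stdin and reports every nat rule that filters or matches state, and `CLEAN_RULESET`, an iptables-restore file with the recommended split. Interface names, ports and DNAT targets are taken from the thread's last nat table; the function names, the FORWARD rules, the 10.0.1.0/24 subnet and the sample dump are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the thread: lint an iptables-save dump for filtering
# rules that sit in the nat table, and show a nat/filter split that keeps DNAT and
# MASQUERADE in *nat and every ACCEPT/DROP decision in *filter.
# Assumed: interfaces ppp0 (WAN) and eth1 (LAN), the DNAT targets from the thread's
# last nat table, and a LAN of 10.0.1.0/24 (an assumption; the thread's route table
# shows 10.0.0.0/16).

# lint_nat_table reads an iptables-save dump on stdin and prints each *nat rule that
# filters (ACCEPT/DROP/REJECT target) or matches connection state. The nat table is
# consulted only for the first packet of a connection, so such rules never behave
# like their filter-table counterparts.
lint_nat_table() {
    awk '
        /^\*/     { table = substr($0, 2); next }   # "*nat" -> "nat"
        /^COMMIT/ { table = ""; next }
        table == "nat" && /^-A / {
            if ($0 ~ /-j (ACCEPT|DROP|REJECT)$/ || $0 ~ /-j (ACCEPT|DROP|REJECT) / ||
                $0 ~ /-m (state|conntrack) /)
                print "filtering in nat table: " $0
        }
    '
}

# count_nat_filter_rules returns the number of findings as a bare integer.
count_nat_filter_rules() {
    lint_nat_table | wc -l | tr -d ' '
}

# Constructed sample: the nat rules quoted in the post above, including the two
# POSTROUTING lines the poster asks about.
THREAD_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A PREROUTING -m state -i ppp0 --state ESTABLISHED,RELATED -j ACCEPT
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 80 -j DNAT --to-destination 10.0.1.13:80
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 5222 -j DNAT --to-destination 10.0.1.11:5222
-A PREROUTING -i ppp0 -j DROP
-A POSTROUTING -m state -o ppp0 --state ESTABLISHED,RELATED -j ACCEPT
-A POSTROUTING -p tcp -m tcp -o ppp0 -j MASQUERADE
-A POSTROUTING -p udp -m udp -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j DROP
COMMIT'

# Recommended split, in iptables-restore format. DNAT runs in PREROUTING before the
# routing decision, so the FORWARD chain sees the rewritten LAN destination and can
# restrict forwarded connections to exactly the published services. The INPUT rules
# are a subset of the LAN services allowed in the thread's filter table.
CLEAN_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.13:80
-A PREROUTING -i ppp0 -p tcp --dport 443 -j DNAT --to-destination 10.0.1.13:443
-A PREROUTING -i ppp0 -p tcp --dport 5222 -j DNAT --to-destination 10.0.1.11:5222
-A PREROUTING -i ppp0 -p tcp --dport 9091 -j DNAT --to-destination 10.0.1.11:9091
-A PREROUTING -i ppp0 -p tcp --dport 25565 -j DNAT --to-destination 10.0.1.14:25565
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 10000 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -s 10.0.1.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -p tcp -d 10.0.1.13 --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -p tcp -d 10.0.1.13 --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -p tcp -d 10.0.1.11 --dport 5222 -m state --state NEW -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -p tcp -d 10.0.1.11 --dport 9091 -m state --state NEW -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -p tcp -d 10.0.1.14 --dport 25565 -m state --state NEW -j ACCEPT
COMMIT'

# apply_ruleset loads CLEAN_RULESET atomically; run it from the console first.
apply_ruleset() {
    printf '%s\n' "$CLEAN_RULESET" | iptables-restore
}

# Stand-alone run: report the nat-table findings in the sample dump.
printf '%s\n' "$THREAD_NAT_DUMP" | lint_nat_table
```

Run as-is, the script lists the five nat rules from the sample that filter or match state; piping your own `iptables-save` output into `lint_nat_table` gives the same report for a live box. Run against CLEAN_RULESET it reports nothing, because the only targets left in *nat are DNAT and MASQUERADE. The inbound SYN flood the post describes is a filter-table job: with FORWARD at policy DROP, a new connection from ppp0 is forwarded only if it is destined for one of the five listed host:port pairs, and every other first packet is discarded in FORWARD rather than in nat.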

Neosmith20 08-06-2012 11:22 PM

What I'm working with now:
Code:

# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport --ports 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport --ports 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m multiport --ports 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport --ports 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m multiport --ports 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport --ports 3130 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m multiport --ports 3130 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport --ports 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -m state -o ppp0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state -i ppp0 --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
# Completed on Wed Jul 18 10:01:18 2012
# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*mangle
:PREROUTING ACCEPT [904:382537]
:INPUT ACCEPT [32:3595]
:FORWARD ACCEPT [809:375381]
:OUTPUT ACCEPT [47:32946]
:POSTROUTING ACCEPT [856:408327]
COMMIT
# Completed on Wed Jul 18 10:01:18 2012
# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 80 -j DROP
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 443 -j DNAT --to-destination 10.0.1.13:443
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 5222 -j DNAT --to-destination 10.0.1.11:5222
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 9091 -j DNAT --to-destination 10.0.1.11:9091
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 25565 -j DNAT --to-destination 10.0.1.14:25565
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Jul 18 10:01:18 2012


