[SOLVED] ppp0, iptables, and port forwarding.

Neosmith20 · 07-14-2012, 02:09 AM

*pulling hair out* I have a setup of iptables from centos 5.8 Kernel Linux 2.6.18-308.11.1.el5 on i686. I recently moved from the inner city to a more rural area and because of that we had to get dsl, before that we had cable. I had setup all my tables and everything was working before we moved and now with the change to dsl i cant get any of my ports open to the outside, 80/443/5222/9091/25565. At the moment i was working on getting 5222 open first as it's a high priority port. I have changed my masq. and all the other int. to represent the changes and yet still my brain is racked. any help is much appreciated.

this is my iptables -nvL -t nat:

Code:

Chain PREROUTING (policy ACCEPT 66 packets, 5692 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1235 76382 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  782 48996 RH-Firewall-1-INPUT-Local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 512 packets, 32646 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1204 87819 RH-Firewall-1-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1123 packets, 81927 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  1092 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp multiport ports 5222 to:10.0.1.17:5222
   13   460 DROP       icmp --  ppp0   *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  418 25834 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT-Local (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp multiport ports 53
  183 11823 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp multiport ports 53
  530 31325 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp multiport ports 3128
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp multiport ports 3128
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp multiport ports 3130
    3   156 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp multiport ports 10000

Chain RH-Firewall-1-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  385 30837 MASQUERADE  tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           tcp
  307 24336 MASQUERADE  udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           udp
    0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

this is my route -n:

Code:

207.225.112.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.0.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0

any other code u need let me know. thank you.

Neosmith20 · 07-14-2012, 02:13 AM

This is my iptables output:

Code:

# Generated by iptables-save v1.3.5 on Fri Jul 13 20:59:09 2012
*nat
:RH-Firewall-1-INPUT - [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:RH-Firewall-1-INPUT-Local - [0:0]
:RH-Firewall-1-OUTPUT - [0:0]
-A PREROUTING -j RH-Firewall-1-INPUT
-A PREROUTING -j RH-Firewall-1-INPUT-Local
-A POSTROUTING -j RH-Firewall-1-OUTPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport -i ppp0 --ports 5222 -j DNAT --to-destination 10.0.1.17:5222
-A RH-Firewall-1-INPUT -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A RH-Firewall-1-INPUT -m state -i ppp0 --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -j DROP
-A RH-Firewall-1-INPUT-Local -p tcp -m tcp -m multiport -i eth1 --ports 53 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p udp -m udp -m multiport -i eth1 --ports 53 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p tcp -m tcp -m multiport -i eth1 --ports 3128 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p udp -m udp -m multiport -i eth1 --ports 3128 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p tcp -m tcp -m multiport -i eth1 --ports 3130 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p tcp -m tcp -m multiport -i eth1 --ports 10000 -j ACCEPT
-A RH-Firewall-1-OUTPUT -p tcp -m tcp -o ppp0 -j MASQUERADE
-A RH-Firewall-1-OUTPUT -p udp -m udp -o ppp0 -j MASQUERADE
-A RH-Firewall-1-OUTPUT -m state -o ppp0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-OUTPUT -o ppp0 -j DROP
COMMIT
# Completed on Fri Jul 13 20:59:09 2012
# Generated by iptables-save v1.3.5 on Fri Jul 13 20:59:09 2012
*mangle
:PREROUTING ACCEPT [18654:5273103]
:INPUT ACCEPT [16309:5077099]
:FORWARD ACCEPT [1718:157816]
:OUTPUT ACCEPT [14766:5015635]
:POSTROUTING ACCEPT [16502:5175790]
COMMIT
# Completed on Fri Jul 13 20:59:09 2012
# Generated by iptables-save v1.3.5 on Fri Jul 13 20:59:09 2012
*filter
:INPUT ACCEPT [16310:5079871]
:FORWARD ACCEPT [1718:157816]
:OUTPUT ACCEPT [14767:5018407]
COMMIT
# Completed on Fri Jul 13 20:59:09 2012

lithos · 07-14-2012, 03:00 AM

Quote:

Originally Posted by Neosmith20

-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport -i ppp0 --ports 5222 -j DNAT --to-destination 10.0.1.17:5222
-A RH-Firewall-1-INPUT -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A RH-Firewall-1-INPUT -m state -i ppp0 --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -j DROP
-A RH-Firewall-1-INPUT-Local -p tcp -m tcp -m multiport -i eth1 --ports 53 -j ACCEPT
-A RH-Firewall-1-INPUT-Local -p udp -m udp -m multiport -i eth1 --ports 53 -j ACCEPT
...
[/code]

this looks to me like you have a VPN some kind of connection on your server, which may your ISP block or if you have a router, then your router doesn't forward (allow) vpn connection pass-through.

It's just what I understand your Iptables but I don't know how to solve it.

Neosmith20 · 07-14-2012, 03:17 AM

no vpn.

the connection would be: client on wan side with port 5222 > dnat > local ip and port 5222 -- server answers then local ip > masq > wan conn on port 5222.

SuperJediWombat! · 07-18-2012, 04:01 AM

Your iptables configuration is a mess. You should not be filtering packets from within the nat table.

Try this:

Code:

# Generated by SuperJediWombat v1.0 on Fri Jul 18 16:52:00 2012

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i ppp0 --dport 5222 -j DNAT --to-destination 10.0.1.17:5222
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3130 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
COMMIT

I have not tested it, make sure that you have local access to the box before you apply it.

Neosmith20 · 07-18-2012, 08:32 AM

Everything seems to working at the moment.

I do agree the tables were a mess.

Neosmith20 · 07-18-2012, 08:54 AM

Was just wondering if this add on would be a bit much, as in stupid, to add to the nat table?

Code:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m state -i ppp0 --state ESTABLISHED,RELATED -j ACCEPT
-A POSTROUTING -m state -o ppp0 --state ESTABLISHED,RELATED -j ACCEPT
-A PREROUTING -p tcp -m tcp -i ppp0 --dport 5222 -j DNAT --to-destination 10.0.1.17:5222
-A PREROUTING -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A PREROUTING -i ppp0 -j DROP
-A POSTROUTING -p tcp -m tcp -o ppp0 -j MASQUERADE
-A POSTROUTING -p udp -m udp -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j DROP
COMMIT

Neosmith20 · 07-18-2012, 11:47 AM

@SuperJediWombat! Thank you so much for your help! Besides the tables being a mess, what was the real problem? i'm trying to find it...

again thank you soooooooooo much, you saved my life and business. ^_^

Neosmith20 · 07-18-2012, 12:12 PM

This would be my new and improved iptables.

Code:

# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3130 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Wed Jul 18 10:01:18 2012
# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*mangle
:PREROUTING ACCEPT [904:382537]
:INPUT ACCEPT [32:3595]
:FORWARD ACCEPT [809:375381]
:OUTPUT ACCEPT [47:32946]
:POSTROUTING ACCEPT [856:408327]
COMMIT
# Completed on Wed Jul 18 10:01:18 2012
# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 80 -j DNAT --to-destination 10.0.1.13:80
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 443 -j DNAT --to-destination 10.0.1.13:443
-A PREROUTING -p tcp -m tcp -i ppp0 --dport 5222 -j DNAT --to-destination 10.0.1.17:5222
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 9091
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 25565 -j DNAT --to-destination 10.0.1.14:25565
-A PREROUTING -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A PREROUTING -m state -i ppp0 --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -i ppp0 -j DROP
-A POSTROUTING -m state -o ppp0 --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -p tcp -m tcp -o ppp0 -j MASQUERADE
-A POSTROUTING -p udp -m udp -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j DROP
COMMIT
# Completed on Wed Jul 18 10:01:18 2012

SuperJediWombat! · 07-25-2012, 12:54 AM

No problem, I'm glad that it is working now.

You should not be filtering traffic from within the nat table. This is what your nat table should look like, with the extra rules you have added:

Code:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 80 -j DNAT --to-destination 10.0.1.13:80
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 443 -j DNAT --to-destination 10.0.1.13:443
-A PREROUTING -p tcp -m tcp -i ppp0 --dport 5222 -j DNAT --to-destination 10.0.1.17:5222
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 25565 -j DNAT --to-destination 10.0.1.14:25565
-A POSTROUTING -o ppp0 -j MASQUERADE

Neosmith20 · 07-25-2012, 09:27 PM

When i had the nat setup without the filtering, i had a massive dos and SYN/ACK attack, i know right how the hell where they getting through my nat O.o. After i had implemented the filtering i noticed that only real traffic was getting through and the hackerz/crackerz traffic had completely stopped.

Currently this is what i'm running under nat:

Code:

*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A PREROUTING -m state -i ppp0 --state ESTABLISHED,RELATED -j ACCEPT
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 80 -j DNAT --to-destination 10.0.1.13:80
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 443 -j DNAT --to-destination 10.0.1.13:443
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 5222 -j DNAT --to-destination 10.0.1.11:5222
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 9091 -j DNAT --to-destination 10.0.1.11:9091
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 25565 -j DNAT --to-destination 10.0.1.14:25565
-A PREROUTING -i ppp0 -j DROP
-A POSTROUTING -p tcp -m tcp -o ppp0 -j MASQUERADE
-A POSTROUTING -p udp -m udp -o ppp0 -j MASQUERADE
COMMIT

i don't know why it's when i add the

Code:

-A POSTROUTING -m state -o ppp0 --state ESTABLISHED,RELATED -j ACCEPT and -A POSTROUTING -o ppp0 -j DROP

is when the attacks stopped and normal correct traffic was able to flow.

Neosmith20 · 08-06-2012, 11:22 PM

what i be working with now.

Code:

# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport --ports 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport --ports 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m multiport --ports 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport --ports 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m multiport --ports 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport --ports 3130 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m multiport --ports 3130 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport --ports 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -m state -o ppp0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state -i ppp0 --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
# Completed on Wed Jul 18 10:01:18 2012
# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*mangle
:PREROUTING ACCEPT [904:382537]
:INPUT ACCEPT [32:3595]
:FORWARD ACCEPT [809:375381]
:OUTPUT ACCEPT [47:32946]
:POSTROUTING ACCEPT [856:408327]
COMMIT
# Completed on Wed Jul 18 10:01:18 2012
# Generated by iptables-save v1.3.5 on Wed Jul 18 10:01:18 2012
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p icmp -m icmp -i ppp0 --icmp-type any -j DROP
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 80 -j DROP
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 443 -j DNAT --to-destination 10.0.1.13:443
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 5222 -j DNAT --to-destination 10.0.1.11:5222
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 9091 -j DNAT --to-destination 10.0.1.11:9091
-A PREROUTING -p tcp -m tcp -m multiport -i ppp0 --ports 25565 -j DNAT --to-destination 10.0.1.14:25565
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Jul 18 10:01:18 2012