Old 01-10-2015, 09:23 AM   #1
ginojo
LQ Newbie
 
Registered: Jan 2015
Posts: 2

Rep: Reputation: Disabled
Iptables port-forwarding


Hello there,

I'm having some difficulties with configuring my main server's (192.168.2.121) iptables. I want it to forward port 21 (FTP) to another machine in the network (192.168.2.130). But every attempt fails. This is my current iptables config.
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:1244]
:fail2ban-SSH - [0:0]
-A INPUT -p udp -m udp --dport 1723 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT 
-A INPUT -s 192.0.0.0/8 -i ppp0 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8112 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1812 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 1812 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1900 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 1900 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8200 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 25 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 110 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 548 -j ACCEPT 
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 143 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 587 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 465 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 993 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 995 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 3306 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 25565 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 30212 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 138 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25565 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 30212 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 62000:63000 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -i bond0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -i bond0 -j ACCEPT 
-A FORWARD -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 5353 -j ACCEPT 
-A OUTPUT -o bond0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT 
-A fail2ban-SSH -s 222.161.209.92/32 -j REJECT --reject-with icmp-port-unreachable 
-A fail2ban-SSH -s 94.21.192.222/32 -j REJECT --reject-with icmp-port-unreachable 
-A fail2ban-SSH -j RETURN 
COMMIT
*nat
:PREROUTING ACCEPT [3:5643]
:POSTROUTING ACCEPT [3:575]
:OUTPUT ACCEPT [4:897]
-A PREROUTING -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.2.130:21 
-A PREROUTING -d 192.168.2.121/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.2.130:21 
-A POSTROUTING -o bond0 -j MASQUERADE 
-A POSTROUTING -o ppp0 -j MASQUERADE 
-A POSTROUTING -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.2.130 
COMMIT
It works when I telnet 192.168.2.130 on port 21, but it doesn't when I telnet 192.168.2.121 on port 21 (Connection refused).

I hope you guys can help me out with this?

Thank you!
Gino
 
Old 01-10-2015, 07:11 PM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,140

Rep: Reputation: 1263
You are forwarding in one direction, but how can you get the reply packets to go back through your NAT?
 
Old 01-11-2015, 02:30 PM   #3
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103
Somewhat unrelated: I'd suggest you group your iptables rules relative to the protocols to make it more readable. For instance, mail related (25, 110, 143, 993, etc.):
Code:
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp -m multiport --dports 25,80,110,143
(or just use -m state instead of conntrack and then -m multiport)


Aren't these two rules redundant?
Quote:
-A PREROUTING -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.2.130:21
-A PREROUTING -d 192.168.2.121/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.2.130:21
I think the second line is unnecessary, isn't it? If all packets, regardless of the IP destination, with port 21 are going to be forwarded to .130:21, then what's the use for the second rule? It only says that packets with host destination 192.168.2.121:21 will be forwarded to .130:21, but this is already included in the first rule, isn't it?

Last edited by vincix; 01-11-2015 at 03:21 PM.
 
Old 01-11-2015, 02:50 PM   #4
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103
In my opinion you should delete this:
Quote:
-A POSTROUTING -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.2.130
I don't think it makes too much sense (someone more knowledgeable correct me if I'm wrong). You're saying that packets that have a destination of .130:21 should have their source IP changed to the same IP as the destination.

To simply forward ftp data just use DNAT (PREROUTING).

I think the main problem is that traffic that goes into your server is not forwarded because of this rule:
Quote:
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
You should move it to the end of the FORWARD chain, otherwise all traffic that you want to forward is being dropped before other rules in the FORWARD chain can be read.

Last edited by vincix; 01-11-2015 at 03:18 PM.
 
1 members found this post helpful.
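As an added check and example (not code from the thread or from anyone posting in it): a small POSIX shell script that lints an iptables-save dump for FORWARD rules shadowed by an earlier catch-all REJECT, which is the ordering problem pointed out above, and emits the minimal DNAT/SNAT/FORWARD fragment for this thread's addresses. The SNAT to the box's own address covers the reply-path question from post #2; the ip_forward sysctl and the nf_conntrack_ftp/nf_nat_ftp helper mentioned in the comments are general iptables facts, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread. Two parts: a lint that finds
# FORWARD rules shadowed by an earlier catch-all REJECT/DROP, and the
# minimal ruleset for the thread's setup, assuming this box is
# 192.168.2.121 and the FTP host is 192.168.2.130.
NAT_IP=192.168.2.121
FTP_HOST=192.168.2.130

# The FORWARD chain exactly as it appears in the original post.
OP_FORWARD_CHAIN='-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i bond0 -j ACCEPT
-A FORWARD -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

# Reads an iptables-save dump on stdin and prints every FORWARD rule that
# sits below an unconditional "-A FORWARD -j REJECT|DROP": iptables stops
# at the first matching rule, so those lines can never be reached.
unreachable_forward_rules() {
    awk '/^-A FORWARD -j (REJECT|DROP)( |$)/ { shadowed = 1; next }
         /^-A FORWARD / && shadowed { print }'
}

# Number of shadowed FORWARD rules in a dump passed as the first argument.
count_unreachable() {
    printf '%s\n' "$1" | unreachable_forward_rules | awk 'END { print NR }'
}

# iptables-save fragment that forwards TCP/21 correctly:
#  - PREROUTING DNAT sends connections to this box's port 21 to the FTP host;
#  - POSTROUTING SNAT to this box's own address makes the FTP host answer
#    via this box instead of straight to a LAN client (hairpin NAT);
#  - in FORWARD the ACCEPT rules come before the catch-all REJECT.
# Also needs net.ipv4.ip_forward=1; FTP data connections additionally need
# the nf_conntrack_ftp/nf_nat_ftp helpers so they count as RELATED.
ftp_forward_ruleset() {
    cat <<EOF
*nat
-A PREROUTING -d $NAT_IP/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination $FTP_HOST:21
-A POSTROUTING -d $FTP_HOST/32 -p tcp -m tcp --dport 21 -j SNAT --to-source $NAT_IP
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d $FTP_HOST/32 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

Source the script and run `printf '%s\n' "$OP_FORWARD_CHAIN" | unreachable_forward_rules` to see the two shadowed rules, or `ftp_forward_ruleset | iptables-restore -n` to merge the fragment into the live tables without flushing them.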
Old 01-12-2015, 05:37 AM   #5
ginojo
LQ Newbie
 
Registered: Jan 2015
Posts: 2

Original Poster
Rep: Reputation: Disabled
Hi vincix,

Thanks for your help. I got it working with the following config file.

Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.2.130:21 -m comment --comment "FTP"
-A POSTROUTING -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.2.121 -m comment --comment "FTP"
-A POSTROUTING -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT -m comment --comment "Accept localhost" 
-A INPUT -p icmp -j ACCEPT -m comment --comment "Accept PING"
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept current connections"

-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT -m comment --comment "FTP"
-A INPUT -p tcp -s 192.168.2.0/24,192.168.15.0/24 -m tcp --dport 22 -j ACCEPT -m comment --comment "SSH"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT -m comment --comment "SMTP Server-layer"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -m comment --comment "HTTP"
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT -m comment --comment "HTTP"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT -m comment --comment "POP3 v3"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT -m comment --comment "NetBIOS naming service" 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 138 -j ACCEPT -m comment --comment "NetBIOS datagram service" 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT -m comment --comment "NetBIOS session service"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT -m comment --comment "IMAP"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT -m comment --comment "HTTPS"
-A INPUT -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT -m comment --comment "HTTPS"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT -m comment --comment "SMTPS"
-A INPUT -p tcp -m tcp --dport 548 -j ACCEPT -m comment --comment "AFP over TCP"  
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT -m comment --comment "SMTP"   
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT -m comment --comment "IMAPS" 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT -m comment --comment "POP3S" 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT -m comment --comment "PPTP" 
-A INPUT -p udp -m state --state NEW -m udp --dport 1723 -j ACCEPT -m comment --comment "PPTP" 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1812 -j ACCEPT -m comment --comment "RADIUS"
-A INPUT -p udp -m state --state NEW -m udp --dport 1812 -j ACCEPT -m comment --comment "RADIUS"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1900 -j ACCEPT -m comment --comment "UPnP Discovery"
-A INPUT -p udp -m state --state NEW -m udp --dport 1900 -j ACCEPT -m comment --comment "UPnP Discovery"
-A INPUT -p udp -m state --state NEW -m udp --dport 3306 -j ACCEPT -m comment --comment "MySQL"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT -m comment --comment "MySQL" 
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT -m comment --comment "Multicast DNS"
-A INPUT -j DROP -m comment --comment "Drop other input"

-A FORWARD -i br0 -j ACCEPT -m comment --comment "Accept forwarding from bridge (br0)"
-A FORWARD -j DROP -m comment --comment "Reject other forwarding"

COMMIT
About your suggestion. So you say I should use:
Code:
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 25,110,143,465,587,993,995 -j ACCEPT -m comment --comment "Mail-server"
Is this the right syntax?

Thank you very much!
Gino
 
Old 01-12-2015, 10:28 AM   #6
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103
No, that's not exactly the right syntax.

You either use:
Code:
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp -m multiport --dports 25,110,etc. -j ACCEPT
OR:
Code:
-A INPUT -p tcp -m multiport --dports 25,110,etc. -m state --state NEW -j ACCEPT
You could go for the second one, to be consistent with the other rules. The thing is -m state is becoming deprecated (it's already obsolete on kernel 3.6), but I don't think you should be worried about that.

One more thing, neither POP, nor IMAP, nor SMTP uses UDP. So I'd delete the UDP rules that accept mail traffic. At least try it that way and see if your email works (there shouldn't be absolutely any problems) and then save it if it's fine. Otherwise, leaving UDP ports open unnecessarily is a security vulnerability.

You should also change that POSTROUTING rule that I was talking to you about. Did you do anything about it? What are you actually trying to achieve with this rule? -A POSTROUTING -d 192.168.2.130/32 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.2.130

As I've already said, it doesn't seem to make much sense to me, because you're sending a packet with the same source and destination IP.

So delete it and show me your NAT (POST and PREROUTING) rules and let's see if I'm able to offer you any more useful advice.

Last edited by vincix; 01-12-2015 at 10:33 AM.
 
  

