Old 10-05-2004, 12:09 AM   #1
alon005
LQ Newbie
 
Registered: Oct 2004
Posts: 9

Rep: Reputation: 0
iptables rules on gateway


Hi,

I have a firewall running on a gateway. This gateway has 4 interfaces, two interfaces with public IPs and two with private. At the moment, both public IPs accept traffic on port 80 and both redirect the traffic to a single IP on the private network:
a.b.c.d:80 (Pub) -> x.y.z.y:80 (Priv)
e.f.g.h:80 (Pub) -> x.y.z.y:80 (Priv)

Problem:

I want to remove one rule which redirects e.f.g.h:80 to the internal IP so that everything else is unaffected (all other rules) and add another rule that accepts traffic on this e.f.g.h:80 (Public) and redirects it to a private
IP on port 8080, e.g.

e.f.g.h:80 -> r.t.y.u:8080

All other rules must remain the same.

Any help will be appreciated.
 
Old 10-05-2004, 01:44 AM   #2
scottman
Member
 
Registered: Jul 2004
Location: USA
Distribution: Slackware, FreeBSD, LFS
Posts: 72

Rep: Reputation: 15
Hey alon005,

I did a quick lookup for you at

http://www.linuxsecurity.com/resourc...-tutorial.html

A rule like this to replace your old one might help; in fact you should just be able to append the port to the end of the --to-destination.

Code:
iptables -t nat -A PREROUTING -p tcp -d e.f.g.h --dport 80 -j DNAT \
--to-destination r.t.y.u:8080
I've never done this before, just read about it, so please let me know if this works.
 
Old 10-05-2004, 01:59 AM   #3
alon005
LQ Newbie
 
Registered: Oct 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by scottman
Hey alon005,

I did a quick lookup for you at

http://www.linuxsecurity.com/resourc...-tutorial.html

A rule like this to replace your old one might help; in fact you should just be able to append the port to the end of the --to-destination.

Code:
iptables -t nat -A PREROUTING -p tcp -d e.f.g.h --dport 80 -j DNAT \
--to-destination r.t.y.u:8080
I've never done this before, just read about it, so please let me know if this works.

Don't you have to FORWARD and -j to ACCEPT after PREROUTING?

This is what I wrote, but I haven't tested it yet:

ethX is on e.f.g.h

Code:
iptables -t nat -A PREROUTING -p tcp -i ethX --dport 80 -j DNAT --to-destination r.t.y.u:8080
iptables -A FORWARD -p tcp -i ethX -d r.t.y.u --dport 8080 -j ACCEPT

Would it be better to use the -d switch and e.f.g.h instead of the interface, -i ethX?
 
Old 10-05-2004, 04:00 AM   #4
scottman
Member
 
Registered: Jul 2004
Location: USA
Distribution: Slackware, FreeBSD, LFS
Posts: 72

Rep: Reputation: 15
You should be able to use -d and/or -i depending on your preferences. And you're right about the forward, and that rule should work. But looking at it a little closer, I'm wondering how it's going to get from port 8080 back to 80. Do we need yet another rule in there? I'm thinking with just those two, traffic coming in will be aimed at port 80, but the response will be source port 8080. Maybe another rule to change it back, specifying r.t.y.u:8080 to r.t.y.u:80?
 
Old 10-05-2004, 11:12 AM   #5
alexon
LQ Newbie
 
Registered: Sep 2004
Posts: 4

Rep: Reputation: 0
Quote:
Originally posted by scottman
You should be able to use -d and/or -i depending on your preferences. And you're right about the forward, and that rule should work. But looking at it a little closer, I'm wondering how it's going to get from port 8080 back to 80. Do we need yet another rule in there? I'm thinking with just those two, traffic coming in will be aimed at port 80, but the response will be source port 8080. Maybe another rule to change it back, specifying r.t.y.u:8080 to r.t.y.u:80?

It's interesting that so many people are visiting this forum and not too many people are suggesting how to DNAT and forward the traffic using ipfilters.

Thanks for your replies, and the URL link you gave is great too. As I understood reading the tutorial, once the rule is matched the TCP connection will be allowed to reach the internal box on the LAN using DNAT. Then, the service on the internal box replies back to the firewall/gateway, which un-DNATs this connection and also uses the routing database to find the path to the source of the packet. Once the connection is established, the stream will be allowed since we have the ESTABLISHED state set.

That's how I understood it.
No extra rule is needed to get the packet back from the destination.

I am still unclear if FORWARD should be used or not.
 
Old 10-05-2004, 12:31 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Unless you have your default FORWARD policy set to accept, then you'll need a rule to forward the traffic as well. DNAT simply does the network address translation, it doesn't allow movement of packets from one interface to another, which is the function of the FORWARD chain.

If your ESTABLISHED rule is in the INPUT chain, then it won't even see these packets (once the DNAT occurs, the packet is non-local and is handled by the FORWARD chain instead of the INPUT chain). Plus, without a rule to allow NEW traffic, then incoming http traffic would never be allowed.
 
Old 10-05-2004, 01:05 PM   #7
alexon
LQ Newbie
 
Registered: Sep 2004
Posts: 4

Rep: Reputation: 0
Quote:
Originally posted by Capt_Caveman
Unless you have your default FORWARD policy set to accept, then you'll need a rule to forward the traffic as well. DNAT simply does the network address translation, it doesn't allow movement of packets from one interface to another, which is the function of the FORWARD chain.

If your ESTABLISHED rule is in the INPUT chain, then it won't even see these packets (once the DNAT occurs, the packet is non-local and is handled by the FORWARD chain instead of the INPUT chain). Plus, without a rule to allow NEW traffic, then incoming http traffic would never be allowed.
FORWARD policy to forward packets from gateway to internal machine on _specified_ ports? Packet non-local, you mean the packet isn't local to the host (firewall), because it is local on the private network after address translation is done. Assuming what you are suggesting is correct, I haven't tested the ruleset yet, do I have to set ESTABLISHED state in the PREROUTING chain? It'd be easier to follow if you could give a couple of examples. In the tutorial, why didn't the author mention anything about the FORWARD policy when he/she was giving an example to redirect the traffic to an internal machine? This is where it gets confusing.

Quote: "... Since DNAT requires quite a lot of work to work properly, I have decided to add a larger explanation on how to work with it. Let's take a brief example on how things would be done normally. We want to publish our website via our Internet connection. We only have one IP address, and the HTTP server is located on our internal network. Our firewall has the external IP address $INET_IP, and our HTTP server has the internal IP address $HTTP_IP and finally the firewall has the internal IP address $LAN_IP. The first thing to do is to add the following simple rule to the PREROUTING chain in the nat table:

iptables -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 80 -j DNAT \
--to-destination $HTTP_IP


Now, all packets from the Internet going to port 80 on our firewall are redirected (or DNAT'ed) to our internal HTTP server. If you test this from the Internet, everything should work just perfect. So, what happens if you try connecting from a host on the same local network as the HTTP server? It will simply not work. This is a problem with routing really. We start out by dissecting what happens in a normal case. The external box has IP address $EXT_BOX, to maintain readability.

1. Packet leaves the connecting host going to $INET_IP and source $EXT_BOX.
2. Packet reaches the firewall.
3. Firewall DNAT's the packet and runs the packet through all different chains etcetera.
4. Packet leaves the firewall and travels to the $HTTP_IP.
5. Packet reaches the HTTP server, and the HTTP box replies back through the firewall, if that is the box that the routing database has entered as the gateway for $EXT_BOX. Normally, this would be the default gateway of the HTTP server.
6. Firewall Un-DNAT's the packet again, so the packet looks as if it was replied to from the firewall itself.
7. Reply packet travels as usual back to the client $EXT_BOX. "
Tutorial on iptables from the linuxquestions.org site.

Thanks for your reply.
 
Old 10-05-2004, 07:37 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Read a little further:
Quote:
Note: Everyone should realize that these rules only affect how the packet is DNAT'ed and SNAT'ed properly. In addition to these rules, you may also need extra rules in the filter table (FORWARD chain) to allow the packets to traverse through those chains as well. Don't forget that all packets have already gone through the PREROUTING chain, and should hence have their destination addresses rewritten already by DNAT.
Look at the diagram in section 3.1; see how after the mangle and nat PREROUTING chains there is a routing decision. If the packet is local (addressed to the firewall) then it is sent to the INPUT chains (the left-hand side of the fork in the diagram); if the packet is not addressed to the firewall and requires that the firewall route the packet, then it is sent to the FORWARD chain (the right-hand side of the fork).

So when the packet arrives, it passes through the mangle and nat PREROUTING chains. Here the destination address is changed to the internal webserver's IP address. The packet then reaches the first routing decision. Since it is now not addressed to the firewall (we DNATed it to the internal webservers address), it is sent to the FORWARD chain.

At this point the packet is in the FORWARD chain and if you don't have any rules to accept it for forwarding then it will reach the default FORWARD chain policy. If the policy is accept, then it will get forwarded, otherwise it will be dropped/rejected. As a note, it's not a good idea to have a default policy of accept in the FORWARD chain as you want to restrict the kind of traffic that you are allowing into the LAN.

So in most cases you will need the following rules to get DNAT working:
1. A prerouting rule to DNAT the packet
2. A forwarding rule to allow the packet to move from the external interface to the internal interface
3. A forwarding rule to allow the reply back out (move from internal to external)
4. Turn on packet forwarding in the kernel

So the iptables rules for that would look like:
Code:
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER_IP
iptables -A FORWARD -i $EXT_INTERFACE -o $INT_INTERFACE -p tcp  --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_INTERFACE -o $EXT_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
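The same four steps worked for the original poster's change (e.f.g.h:80 to r.t.y.u:8080), as an added example that is not from this thread. The interface names ethX/ethY and the old rule's target x.y.z.y:80 are assumptions taken from the first post; the script prints the commands rather than running them so they can be reviewed before being applied on the gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the rule set for
# e.f.g.h:80 -> r.t.y.u:8080, following the four steps above.
EXT_IF=ethX          # interface holding e.f.g.h (name assumed)
INT_IF=ethY          # interface facing the private LAN (name assumed)
PUB_IP=e.f.g.h
OLD_PRIV=x.y.z.y     # previous DNAT target from the first post (assumed)
NEW_PRIV=r.t.y.u
NEW_PORT=8080

# Print the commands instead of executing them. -D matches on the exact
# rule specification, so only the one old PREROUTING rule is removed and
# every other rule on the gateway is left untouched.
dnat_rules() {
    cat <<EOF
iptables -t nat -D PREROUTING -p tcp -d $PUB_IP --dport 80 -j DNAT --to-destination $OLD_PRIV:80
iptables -t nat -A PREROUTING -p tcp -d $PUB_IP --dport 80 -j DNAT --to-destination $NEW_PRIV:$NEW_PORT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $NEW_PRIV --dport $NEW_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}
# Note: the FORWARD chain sees the packet after DNAT, so it must match the
# translated destination r.t.y.u:8080, not the public port 80. The reply
# path needs no port-rewriting rule: conntrack un-DNATs it automatically.

# Sanity check: the inbound FORWARD rule matches the post-DNAT port only.
check_rules() {
    dnat_rules | grep -q -- "-A FORWARD .*--dport $NEW_PORT" || return 1
    dnat_rules | grep -q -- "-A FORWARD .*--dport 80 " && return 1
    return 0
}

dnat_rules
```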
 