LinuxQuestions.org
Old 04-07-2016, 02:00 AM   #1
slugman
Member
 
Registered: Jun 2010
Location: AZ
Distribution: Slackware
Posts: 106

Rep: Reputation: 1
Assistance with IPtables, subsonic configuration


Hey guys, I'm trying to configure a server whose primary purpose is to host Subsonic. The Subsonic host is running slackware64-current (from a few days ago). After I installed the latest JRE, the installer ran fine (using the stand-alone installer). Once installation was complete, I was able to bring up localhost:4040 (the Subsonic configuration site).

The next phase of the installation is to setup port forwarding. If your router doesn't support UPnP, then you basically have to manually configure your router to forward tcp 4040.

So, that's where my issue comes in. In my home network, my router is a Linux host: a 32-bit slackware-current from June 2015. I've been using my Linux host as a router for 5 months now.

Back to the main issue, in order to forward port 4040, I'll have to accomplish this with iptables.

I did some reading of my own, and I came up with the following. Can you guys take a look and see if I configured this correctly? Note: the big gap in the middle is like 400 lines where I completely drop several IPs. If you need to see my entire iptables configuration, let me know:

*Note: eth1 is the public address (WAN facing) and eth2 is the local address (192.168.0.1). The subsonic host is 192.168.0.200.

Code:
# Generated by iptables-save v1.4.20 on Mon Oct 25 09:04:39 2004
*raw
:PREROUTING ACCEPT [559608:656849109]
:OUTPUT ACCEPT [2085:318530]
COMMIT
# Completed on Mon Oct 25 09:04:39 2004
# Generated by iptables-save v1.4.20 on Mon Oct 25 09:04:39 2004
*nat
:PREROUTING ACCEPT [1:344]
:INPUT ACCEPT [1:344]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4040 -j DNAT --to-destination 192.168.0.200
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -d 192.168.0.200/32 -o eth2 -p tcp -m tcp --dport 4040 -j SNAT --to-source 192.168.0.1
COMMIT
# Completed on Mon Oct 25 09:04:39 2004
# Generated by iptables-save v1.4.20 on Mon Oct 25 09:04:39 2004
*filter
:INPUT ACCEPT [1079:79301]
:FORWARD ACCEPT [112:7207]
:OUTPUT ACCEPT [713:100888]
after the OUTPUT ACCEPT, there are 422 lines like the following:
-A INPUT -s ip/32 -j DROP

...where ip is an IPv4 address. Immediately following the last few addresses are the last few port-forward entries:

Code:
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 4040 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
I seem to be running into some issues though. Primarily, I'm not even certain if port 4040 is actually being forwarded to my Subsonic server (192.168.0.200) in my current iptables configuration.
 
Old 04-07-2016, 03:09 AM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
You could use tcpdump on your subsonic server to see if things get forwarded. Also can do this on your router/firewall system.

What I'm not so sure about is the --tcp-flags in your FORWARD rule with --dport 4040. Might want to try without the --tcp-flags options. I also would move the RELATED,ESTABLISHED rules above the NEW rule. Also this is pure make up.

Did you enable ip_forward in /proc or through sysctl?

Quote:
cat /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward # to enable it
echo 0 > /proc/sys/net/ipv4/ip_forward # to disable it
 
Old 04-08-2016, 01:54 AM   #3
slugman
Member
 
Registered: Jun 2010
Location: AZ
Distribution: Slackware
Posts: 106

Original Poster
Rep: Reputation: 1
So, slackware has an rc script (basically an init script), rc.ip_forward, which basically does this when enabled:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/grep ipv4 /etc/sysctl.conf | sysctl -p - 1> /dev/null 2> /dev/null
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
/bin/grep ipv6 /etc/sysctl.conf | sysctl -p - 1> /dev/null 2> /dev/null
That's what I'm doing to enable IPv4 forwarding; I've set it to run at boot. On the router's public interface eth1, I have it set to receive an address via DHCP (which it does from my cable modem). On the router's private interface eth2, I am running a DHCP server (dhcpd). And that's basically it: the LAN systems get an address via DHCP and boom, they are online.

I was using that setup for a while and realized I was getting slammed up the wazoo from everyone this side of Chinatown and back. So, for any address I found attempting to log in, I basically created a rule to drop it. Those are the 400 or so entries in between.

The more I talk about this, the more I realize I should probably update my rules list..

Last edited by slugman; 04-08-2016 at 02:02 AM. Reason: Woops
 
Old 04-08-2016, 02:16 AM   #4
pingu_penguin
Member
 
Registered: Aug 2004
Location: pune
Distribution: Slackware
Posts: 349

Rep: Reputation: 60
I would assign a static IP to the Subsonic host if I were you.

The reason being, if the DHCP lease expires the Subsonic host would get a new IP and then you would have to add another/extra port-forwarding rule to your router.

But I guess I will leave you with that decision.

Also, I think you just need two lines for port forwarding on the Linux router host:

#echo 1 > /proc/sys/net/ipv4/ip_forward (i.e. set up forwarding, which I presume you have done already)
and
# iptables -t nat -A PREROUTING -p tcp --destination <your router public_ip> --dport 4040 -j DNAT --to-destination 192.168.0.200
 
Old 04-08-2016, 02:29 AM   #5
slugman
Member
 
Registered: Jun 2010
Location: AZ
Distribution: Slackware
Posts: 106

Original Poster
Rep: Reputation: 1
Hey guys, so I was able to figure it out. Thanks zhjim for getting me going in the right direction. I tried modifying my existing rules--I removed the tcp-flags as you suggested. Unfortunately iptables refused to load at the line directly after it (426).

Also, let me take the time to elaborate on this "iptables.conf" thing I'm using. It's really an iptables-save, directed to iptables.conf. Also, to be honest, I wasn't quite sure in what order I was supposed to put them in the file; it seems that there is a structure to where the commands go.

This time, I started from scratch by flushing all the rules:
Code:
#!/bin/bash
#
# iptables reset: open the default policies, then flush and delete
# the rules and user chains in every table (raw is included because
# the saved configuration above carries a *raw section)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -F
iptables -X
After flushing all the rules, I reloaded the block rules (my previous configuration). Looking at my previous configuration, I realized that this entire time I had been forgetting to masquerade my internal network. So I added this rule by running the following at the cli:
Code:
iptables -A POSTROUTING ! -d 192.168.0.0/16 -o eth1 -j MASQUERADE
This got me thinking however, that perhaps the issue lay with my forwarding rules. I had no doubt that could be the case--this was literally my first attempt after googling a few articles. I went over my history and looked at the articles I read the first time:
- https://www.digitalocean.com/communi...-with-iptables

...however this time, I tried the following article instead:
- http://www.systutorials.com/1372/set...oute-on-linux/

I liked this approach. I took the advanced sample case and modified it for my own. Again, I decided to modify iptables on the fly by running these on the CLI:
Code:
-A PREROUTING -p tcp -m tcp --dport 4040 -j DNAT --to-destination 192.168.0.200:4040
So, I have to admit, I was complicating things a lot. Subsonic has a feature where they'll provide a Subsonic address for you; you simply create your username, and they do the DNS stuff for you. Or, you can set it up on your own. I went the solo route at first, signed up for DynDNS and everything, got ddclient working on my system, but once the variables started getting out of control, I decided to go the easy route to make sure whether Subsonic was actually working.

I'm glad I decided to do just that. I chose my own hostname (the first option) in the Subsonic network settings. It turns out I got it working right after I made my last iptables change! Requests to the address resolved successfully.

The real test was to try it on an external network. So I got on my cellphone, disabled wifi, and tried it again. I knew it was working when I saw my external IP load in the address bar.

So, it's hard to talk about the iptables.conf file without actually looking at it. Therefore, I decided to attach the latest copy. Note: this is the iptables-save that I created after I: ran the flush script, loaded the block rules, added the masquerading rule manually for my internal network, and finally added the forwarding rules manually. It turns out I also forgot to add another masquerading rule after the port forwarding; this is to make sure the packets are properly NATed.
Attached Files
File Type: txt iptables-conf.txt (15.7 KB, 11 views)
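Several posts above converge on the same handful of rules: pingu_penguin's two-line DNAT, the MASQUERADE rule and the flush-and-restart from this post, and zhjim's advice in #2 to put the RELATED,ESTABLISHED rule ahead of the NEW rule. The following is an added example, not code from the thread or from the Subsonic project, that writes those rules as one iptables-restore file in the layout iptables-save uses (one table per `*name` ... `COMMIT` block, policies first, then rules), plus a small lint that checks any iptables-save dump for the FORWARD ordering point. Interface names and addresses (eth1 WAN, eth2 LAN, 192.168.0.0/16, 192.168.0.200:4040) are the thread's; the FORWARD DROP policy is this example's own choice so that the explicit FORWARD rules actually decide what crosses the router, and the lint checks ordering only, not whether the rules load.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an iptables-restore file for
# a two-interface Linux router that publishes one LAN service, and lints an
# existing iptables-save dump for one common ordering mistake.
# Assumed layout (from the thread): eth1 = WAN, eth2 = LAN (192.168.0.0/16),
# service host 192.168.0.200 on TCP 4040. FORWARD DROP is this example's choice.

# gen_rules WAN_IF LAN_IF LAN_NET HOST PORT -> iptables-restore text on stdout
gen_rules() {
    wan=$1; lan=$2; lan_net=$3; host=$4; port=$5
    cat <<EOF
# Generated by gen_rules (example); load with: iptables-restore < this_file
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the destination of inbound WAN traffic for the published port only.
-A PREROUTING -i $wan -p tcp -m tcp --dport $port -j DNAT --to-destination $host:$port
# Masquerade LAN traffic leaving the WAN side (not traffic staying on the LAN).
-A POSTROUTING ! -d $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to existing connections first, then LAN-originated traffic,
# then the single NEW inbound flow that the DNAT above produces.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -d $host -p tcp -m tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# lint_forward_order < dump -> exit 0 unless a FORWARD rule matching ctstate NEW
# appears before (or without) the RELATED,ESTABLISHED FORWARD rule.
lint_forward_order() {
    awk '
        /^-A FORWARD / && /RELATED,ESTABLISHED/ && !est { est = NR }
        /^-A FORWARD / && /ctstate NEW/          && !new { new = NR }
        END { if (new && (!est || est > new)) exit 1; exit 0 }
    '
}

# Usage on a real router (as root):
#   gen_rules eth1 eth2 192.168.0.0/16 192.168.0.200 4040 > /etc/iptables.conf
#   iptables-restore < /etc/iptables.conf
#   iptables-save | lint_forward_order && echo ok
gen_rules eth1 eth2 192.168.0.0/16 192.168.0.200 4040 | lint_forward_order \
    && echo "generated rule set: FORWARD ordering ok"
```

The 400-odd `-A INPUT -s ip/32 -j DROP` lines from the earlier post would go into the `*filter` block between the policy lines and the FORWARD rules; iptables-restore skips lines beginning with `#`, so the comments above are safe to keep in the file.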
 
Old 04-08-2016, 02:38 AM   #6
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
*edit start*
Nice one. So you good and going?

I'd say iptables-save is the way to go. It's a lot faster than having a million iptables -A. IIRC the whole table gets loaded after each one, thus taking ages if you have a lot of them.
Clean start is always good. Solve the problem on a single basis and then integrate it into the running system. Helps one to focus on the job.

You can ignore most of the things I wrote. I was writing while you did
*edit end*

Either go with a static ip on the subsonic host (as pingu said) or at least make a reservation for it in dhcpd so it always gets the same ip.

@pingu he already has the -t nat -A PREROUTING setup, also without the -d option. But this should not matter that much. Also in this configuration you could test the forward from within your local network.

Where we go from here: you could test the forwarding locally with a third machine, firing up Subsonic and using the external IP of your gateway. If that works, fine. If not, create the same iptables rules you already have but with a target of -j LOG --log-prefix "description of the rule". This rule would go before the actual rule. (Don't do this for the 400 blocking rules.) Then tail -f on syslog or wherever you log iptables and try to connect to Subsonic from outside.

Example:
Quote:
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4040 -j LOG --log-prefix "DNAT 192.168.0.200"
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4040 -j DNAT --to-destination 192.168.0.200
Another thing to debug with is tcpdump. We need more info and actual error messages to help you further.

Does the concept of dynamic DNS ring some bells? Do you have a way to know your WAN IP?

Check out fail2ban for the blocking of rogue nations xD

Last edited by zhjim; 04-08-2016 at 02:44 AM.
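The LOG-before-DNAT pair shown in the post above writes one kernel log line per matching packet; with scanners hitting the box the log fills quickly, so it helps to reduce it to a per-source count before deciding what to block or what to look at in tcpdump. The following is an added example, not code from the thread: a shell function that keeps only syslog lines carrying the --log-prefix string and tallies SRC and DPT, run over a constructed sample log. The sample addresses are from the RFC 5737 documentation ranges, the field layout of the netfilter LOG line (space-separated KEY=VALUE tokens) is assumed from its usual format, and the prefix "DNAT 192.168.0.200" is the one from the post.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise netfilter LOG output.
# summarize_dnat_log PREFIX < syslog -> "count SRC DPT" lines, busiest first.
summarize_dnat_log() {
    awk -v pfx="$1" '
        index($0, pfx) == 0 { next }        # keep only lines carrying our --log-prefix
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {     # LOG writes KEY=VALUE tokens; pick SRC and DPT
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") hits[src " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample: three hits on the forwarded port from two sources, plus one
# unrelated kernel line that must be ignored. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, not real hosts.
SAMPLE_LOG=$(cat <<'EOF'
Apr  8 02:40:01 router kernel: DNAT 192.168.0.200 IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=4040 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  8 02:40:03 router kernel: DNAT 192.168.0.200 IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=4040 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  8 02:40:05 router kernel: eth1: link is up
Apr  8 02:40:09 router kernel: DNAT 192.168.0.200 IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51240 DPT=4040 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
)

# Run the tally over the sample. On a real router the same function reads the
# log file, e.g.: summarize_dnat_log "DNAT 192.168.0.200" < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_dnat_log "DNAT 192.168.0.200"
```

Because the function only looks at the prefix and the SRC/DPT tokens, the same tally works for any other LOG rule you add (a second prefix for the FORWARD rule, for instance), and a source that shows up with a high count and no matching conntrack entry on the Subsonic host points at the forwarding rules rather than at the service.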
 