LinuxQuestions.org
Old 06-26-2015, 01:01 PM   #1
mfoley
how to forward port to interface


I have the iptables script shown below. On eth2 is a wireless access point. When using the firewall, smart phones cannot get email or browse. When the firewall is replaced with a DHCP router (no port settings) it works fine. I am concluding that some ports need to be opened on the firewall. I'll try ports 587 and 993 first.

The question is how to configure this?

I'm thinking the following:

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 20028,8084,587,993 -j ACCEPT
iptables -t nat -A POSTROUTING -i eth0 -p tcp -m multiport --dports 587,993 -o eth2

but this is just a guess. Maybe I want the FORWARD chain? As this is a live system, I'd rather have some expert guidance before trying it.

Code:
    SAMSUNG=192.168.168.10
    KEYTEL="-m iprange --src-range 76.10.200.63-76.10.200.68"

    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables --append FORWARD --in-interface eth1 -j ACCEPT
    iptables --append FORWARD --in-interface eth2 -j ACCEPT

    iptables -P INPUT DROP

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth1 -j ACCEPT
    iptables -A INPUT -i eth2 -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp -m multiport --dports 20028,8084 -j ACCEPT
    iptables -A INPUT -i eth0 $KEYTEL -p tcp --syn -m multiport --dports 21,5090,5003,6001,6002 -j ACCEPT

    iptables -t nat -A PREROUTING -i eth0 $KEYTEL -p tcp -m multiport --dports 21,5090,5003,6001,6002 -j DNAT --to-destination $SAMSUNG
 
Old 06-26-2015, 07:46 PM   #2
allend
Rather than guessing, I suggest you log what traffic is being dropped, and use the information that is logged to adjust your rules. Something like 'dmesg | grep SRC=' will give lines like
Quote:
Jun 27 00:22:28 Magpie kernel: [ 148.443018] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:a9:bb:f5:8b:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=29750 PROTO=UDP SPT=68 DPT=67 LEN=556
To set up logging, in my firewall script I have
Code:
#
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT
In my firewall script I have, at the end of all the input rules
Code:
# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
 
Old 07-10-2015, 03:01 PM   #3
mfoley
Not sure that is going to help me. I added the drop-and-log-it rules to iptables. Between 11:54AM and 12:30PM I logged 30 "iptables drop" messages. I had at least 3 cellphones (one was an Android, the others iPhones) connected to this network. The incoming source IPs and ports are shown below. I looked up the IPs to see where they are coming from. I don't see much useful here.

On the surface, this seems like it shouldn't be hard. All inbound ports on the firewall are blocked. No outbound ports are blocked. Related/Established connections are accepted. Seems to me, anything originating on the cellphone would have nothing blocked going out, and "responses" would make it back through incoming. That's not happening -- but only with cellphones. Laptops have no problem. With no firewall, cellphones have no problem.

My conclusion is that some incoming port from who-knows-where (Verizon?) must be opened for cellphones to work. If so, it seems that the port would be well known, but I can find nothing on this. Yet the fact remains, with the firewall cellphones don't work; without the firewall they work.


 
Old 07-10-2015, 04:14 PM   #4
michaelk
I agree, since we do not know how your network is configured and what you posted is a bit of a mess. What Linux distribution/version are you running?

Before we get to the rules: you have 3 network adapters, eth0, eth1 and eth2? How are they configured? IP address, netmask etc. Have you thought about binding eth1 and eth2 so the wireless and wired are on the same network?

How is your DHCP server configured? Did you include both eth1 and eth2 as interfaces?

Did you configure IP forwarding? It can be configured on boot by setting IP_forward in sysctl.conf (depends on distribution).
echo "1" > /proc/sys/net/ipv4/ip_forward
 
Old 07-13-2015, 12:56 AM   #5
mfoley
The messages I posted are simply stripped down editions of the /var/log/messages entries generated by the drop-and-log-it rules suggested by allend. One complete message entry looks like this:
Code:
Jul 13 01:43:19 firewall kernel: [2041585.538152] iptables dropped IN=eth0 OUT= MAC=c8:9c:dc:6e:24:e8:00:24:dc:ce:b5:55:08:00 SRC=116.49.159.49 DST=98.102.63.109 LEN=90 TOS=0x00 PREC=0xC0 TTL=51 ID=50967 PROTO=ICMP TYPE=3 CODE=3 [SRC=98.102.63.109 DST=116.49.159.49 LEN=62 TOS=0x00 PREC=0x20 TTL=246 ID=27711 DF PROTO=UDP SPT=571 DPT=53 LEN=42 ]
My point with that posting was seeing if ports being rejected by iptables in the 1/2 hour I was testing with the cell phones had anything to do with ports needed by the cell phone to get a connection.

Yes, IP forwarding is configured and working. I mentioned that connections with the eth2 interface work fine with laptops (can connect to Internet, get mail, etc.) either wired or wireless, but not with cell-phones. My iptables script is posted in my initial message.

eth0 is the Internet facing NIC. eth1 is dedicated to a single Samsung phone system at 192.168.168.10, no DHCP. DHCP is configured for eth2 only which goes to a switch having up to a dozen+ wired connections, plus a Wireless Access Point. The cell phones do get an IP address from the DHCP server. eth1 and eth2 have no relation to each other.

I am running Slackware 64 14.1, kernel 3.10.17.
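As an added example that is not code from this thread, here is a small Python parser for the iptables LOG lines that allend's drop-and-log-it chain produces (the complete entry format is the /var/log/messages line quoted above). It tallies dropped packets per protocol and destination port on the Internet-facing interface, and keeps ICMP errors apart, using the quoted inner packet to show which of the firewall's own outbound flows was being answered. The embedded log text is constructed from the two formats shown in this thread plus two made-up lines using RFC 5737 addresses; the function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the two LOG line formats shown in this
# thread (allend's bare dmesg line and mfoley's drop-and-log-it line with an
# ICMP-quoted inner packet); the last two lines are made up and use RFC 5737
# documentation addresses.
SAMPLE_LOG = """\
Jun 27 00:22:28 Magpie kernel: [ 148.443018] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:a9:bb:f5:8b:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=29750 PROTO=UDP SPT=68 DPT=67 LEN=556
Jul 13 01:43:19 firewall kernel: [2041585.538152] iptables dropped IN=eth0 OUT= MAC=c8:9c:dc:6e:24:e8:00:24:dc:ce:b5:55:08:00 SRC=116.49.159.49 DST=98.102.63.109 LEN=90 TOS=0x00 PREC=0xC0 TTL=51 ID=50967 PROTO=ICMP TYPE=3 CODE=3 [SRC=98.102.63.109 DST=116.49.159.49 LEN=62 TOS=0x00 PREC=0x20 TTL=246 ID=27711 DF PROTO=UDP SPT=571 DPT=53 LEN=42 ]
Jul 13 01:50:02 firewall kernel: [2041988.000001] iptables dropped IN=eth0 OUT= MAC=c8:9c:dc:6e:24:e8:00:24:dc:ce:b5:55:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 13 01:50:03 firewall kernel: [2041989.000001] iptables dropped IN=eth0 OUT= MAC=c8:9c:dc:6e:24:e8:00:24:dc:ce:b5:55:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=4445 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# KEY=VALUE tokens; bare flags such as DF or SYN carry no '=' and are skipped.
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return (outer, inner) field dicts for one iptables LOG line, or None.
    inner is only set when an ICMP error quotes the original packet in [...];
    repeated keys (IP LEN vs. UDP LEN) keep the last value."""
    if "IN=" not in line:
        return None
    body = line[line.index("IN="):]
    inner = None
    if "[" in body and body.rstrip().endswith("]"):
        body, _, quoted = body.partition("[")
        inner = dict(FIELD_RE.findall(quoted))
    return dict(FIELD_RE.findall(body)), inner

def summarize_drops(log_text, interface="eth0"):
    """Count drops on one ingress interface by (PROTO, DPT). ICMP errors are
    tallied separately, keyed by the quoted inner packet, because they answer
    a flow this host sent (its own DNS query, say), not a new inbound attempt."""
    drops, icmp_errors = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        outer, inner = parsed
        if outer.get("IN") != interface:
            continue
        proto = outer.get("PROTO", "?")
        if proto == "ICMP" and inner:
            kind = "type%s/code%s" % (outer.get("TYPE"), outer.get("CODE"))
            icmp_errors[(inner.get("PROTO", "?"), inner.get("DPT", "-"), kind)] += 1
        else:
            drops[(proto, outer.get("DPT", "-"))] += 1
    return drops, icmp_errors

if __name__ == "__main__":
    drops, icmp_errors = summarize_drops(SAMPLE_LOG)
    for (proto, dport), n in drops.most_common():
        print("%-4s dpt=%-5s dropped %d" % (proto, dport, n))
    for (proto, dport, kind), n in icmp_errors.most_common():
        print("ICMP %s answering our %s dpt=%s: %d" % (kind, proto, dport, n))
```

On a live box, feed it the output of `dmesg | grep SRC=` or the matching lines from /var/log/messages instead of SAMPLE_LOG; the `--log-prefix` (if any) is ignored because parsing starts at `IN=`.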
 
Old 07-17-2015, 10:59 AM   #6
mfoley
Let's take a new approach. The cell phones work OK without the firewall. Regardless of which ports are being used, I'd like to see if I can route traffic through the firewall. So, how would I send all ports not routed elsewhere to the eth2 device? Would it be adding the following to the end:

iptables -t nat -A POSTROUTING --in-interface eth0 --out-interface eth2 -j MASQUERADE
 
Old 07-17-2015, 01:07 PM   #7
lazydog
Have a look at these rules. I wasn't sure about what you are doing with the last 2 rules though. If these connections are to continue onto another device then these should be in the FORWARD chain as all INPUT chains stop at this device.

Code:
    SAMSUNG=192.168.168.10
    KEYTEL="-m iprange --src-range 76.10.200.63-76.10.200.68"

    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    iptables -t nat -A PREROUTING -i eth0 $KEYTEL -p tcp -m multiport --dports 21,5090,5003,6001,6002 -j DNAT --to-destination $SAMSUNG

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    
    iptables -A FORWARD -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth1 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A INPUT -i eth2 -m conntrack --ctstate NEW -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m multiport --dports 20028,8084 -j ACCEPT
    iptables -A INPUT -i eth0 $KEYTEL -p tcp -m conntrack --ctstate NEW -m multiport --dports 21,5090,5003,6001,6002 -j ACCEPT
 
Old 07-21-2015, 12:20 AM   #8
mfoley
I'll give your suggested rules a shot. I think I have questions, but I'll wait until I test.

Quote:
I wasn't sure about what you are doing with the last 2 rules ... If these connections are to continue onto another device then these should be in the FORWARD chain as all INPUT chains stop at this device.
Ports 20028 and 8084 are supposed to route to the localhost.

Ports 21, .... 6002 are supposed to route to the SAMSUNG at 192.168.168.10 on eth1.

everything else should get dropped

Does that alter your suggestion?

ALTHOUGH - to just test to see about these cell phones getting through at all, I thought I'd try accepting ALL INPUT ports, routing specified ports to localhost and SAMSUNG as stated above, and routing everything else to eth2. That way, the cell phones should just work since nothing is being blocked.

What about trying that idea?

Last edited by mfoley; 07-21-2015 at 12:35 AM.
 
Old 07-21-2015, 12:14 PM   #9
lazydog
Code:
    iptables -A FORWARD -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

All other rules aside, the above do the following:

Traffic from eth1 to anywhere is allowed
Traffic from eth2 to anywhere is allowed
Traffic from eth0 is only allowed if one of the other interface started the conversation.

So if your phones are on eth2 as long as they start any conversation the return traffic should be allowed back in. There are exceptions to this rule for example if the outbound request needs to trigger a new inbound request that isn't going to be allowed.

Last edited by lazydog; 07-21-2015 at 12:16 PM.
 
Old 07-21-2015, 03:01 PM   #10
mfoley
Well, this is the strangest thing. Your suggested rules didn't work either. The cell phones get a DHCP address and show connected, but cannot get mail ("Network not available"), nor use the web browser (Web page not available). Meanwhile, WIN7 laptops and workstations can connect just fine and get web pages and email. All devices (phones, laptops) are connecting via the Wireless Access Point.

I'm stumped!!! Ideas??

Last edited by mfoley; 07-21-2015 at 03:03 PM.
 
Old 07-21-2015, 07:25 PM   #11
lazydog
Can the phones ping their gateway?
 
Old 07-23-2015, 02:38 PM   #12
mfoley
Quote:
Originally Posted by lazydog
Can the phones ping their gateway?
How would I do that from e.g. Android?

next test: I've stripped the iptables settings down to the basics:

Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth2 -j ACCEPT

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth2 -j ACCEPT
I have DHCPD running for eth2. The eth2 "wire" connects to a switch for wired connections and to an EnGenius wireless access point.

Laptops connected wirelessly get IP addresses and can connect to the Internet, no problem.

Android and iPhone cellphones get IP addresses, but get "Network not available" and cannot connect to the Internet.

Why?
 
Old 07-27-2015, 01:42 PM   #13
lazydog
Quote:
Originally Posted by mfoley
How would I do that from e.g. Android?
There is a CLI program for Android in the market place.

Quote:
next test: I've stripped the iptables settings down to the basics:

Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth2 -j ACCEPT

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth2 -j ACCEPT
Is this your complete firewall rules? Are there any firewalls on any other device that the traffic passes through?

Quote:
I have DHCPD running for eth2. The eth2 "wire" connects to a switch for wired connections and to an EnGenius wireless access point.

Laptops connected wirelessly get IP addresses and can connect to the Internet, no problem.

Android and iPhone cellphones get IP addresses, but get "Network not available" and cannot connect to the Internet.

Why?
That, my friend, is what we are trying to figure out.
 
Old 07-27-2015, 09:57 PM   #14
mfoley
Interesting results from latest test, but first, your questions ...

Quote:
There is a CLI program for Android in the market place.
OK, I'll look for that.

Quote:
Is this your complete firewall rules?
For my latest test scenario, yes. INPUT, OUTPUT and FORWARD tables are all defaulted to ACCEPT, so I probably don't even need the 1st three rules.

Quote:
Are there any firewalls on any other device that the traffic passes through?
The firewall is connected directly to the ISP upstream. No firewall that I know of (and phones work OK if I connect the Internet hose directly to the switch having the WAP). Hosts connected downstream to eth2 are currently various iPhones, an Android, and a Win7 laptop. I don't know what firewalls the cell phones have. The WIN7 (where everything works) has a vanilla Windows firewall.

So, latest test ... I ran tcpdump on the firewall and attempted to sync email from the Android - failed with "Network not available", as usual, but the following is the tcpdump output:

Code:
> tcpdump -tttt -v -i eth2 host 192.168.1.208
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
2015-07-24 13:33:02.713776 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has dns-cac-lb-01.rr.com tell 192.168.1.208, length 46
2015-07-24 13:33:03.717401 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has dns-cac-lb-01.rr.com tell 192.168.1.208, length 46
2015-07-24 13:33:04.722048 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has dns-cac-lb-01.rr.com tell 192.168.1.208, length 46
Looks like it's trying (and not succeeding) to do an ARP request to dns-cac-lb-01.rr.com. The URL tells me it has something to do with DNS and the rr.com is RoadRunner, the cable service hosting the POP mail server for this android device (though dns-cac-lb-01.rr.com's IP is not the IP of the POP Server). Beyond that, I have no idea what is going on except that it will do this for a long time and possibly eventually quit, but I've never waited that long.

Next - I don't have ping on the Android, but I do have ConnectBot which gives me a ssh connection and shell CLI on the target host. I used ConnectBot to ssh to the firewall and did successfully connect. Interestingly, after connecting via ssh, suddenly my Android could get email and connect via the browser. This remained true even after I logged off the ssh session (RELATED,ESTABLISHED at work?). However, after I restarted the phone I was back to the usual inability to connect via email or web. When I re-logged on via ssh, email and web connections were back!

Surely this is a clue?

Last edited by mfoley; 07-27-2015 at 10:22 PM.
 
Old 07-29-2015, 08:49 PM   #15
lazydog
Sounds like the problem is with your phone and not the network. For some reason your phone doesn't know how to get from point A to point B until you show it.


As for a PING tool for Android.
 
  

