[SOLVED] iptables port forward issue

leosophy · 08-19-2010, 05:22 AM

I have a iptables issue, environment as follow:
1, Server R - 192.168.0.1 (ext. router) , ext ip (202.123.123.1)
2, Server W - 192.168.0.21 (web server)

Server R need a NAT.(ipforward)

Server W serve the portforward(port 80) from Server R

I have succesfully setup the prerouting and postrouting via the following iptables command:
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

But, my web server's log, all the web request are using Server R's ipaddress 192.168.0.1 for recording(httpd.access log), so I can't get the external ip...

I think it's postrouting problems, but I can't find out the solutions event using SNAT(maybe wrong config), I think the MASQUERADE changing all the source ip.

Please help!!!

TheMadIndian · 08-19-2010, 12:08 PM

Quote:

Originally Posted by leosophy

I have a iptables issue, environment as follow:
1, Server R - 192.168.0.1 (ext. router) , ext ip (202.123.123.1)
2, Server W - 192.168.0.21 (web server)

Server R need a NAT.(ipforward)

Server W serve the portforward(port 80) from Server R

I have succesfully setup the prerouting and postrouting via the following iptables command:
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

But, my web server's log, all the web request are using Server R's ipaddress 192.168.0.1 for recording(httpd.access log), so I can't get the external ip...

I think it's postrouting problems, but I can't find out the solutions event using SNAT(maybe wrong config), I think the MASQUERADE changing all the source ip.

Please help!!!

if server R 192.168.0.1 = eth0 and 202.123.123.1 = eth1

your iptables rule should be

Code:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21

leosophy · 08-19-2010, 12:34 PM

Thanks TheMadIndian!

My problems is not the PREROUTING, the port forward is no problems.

After doing the port forward, the source ip to web server is "192.168.0.1" which is charging the guest external ip address.

So I think the problem is come from postrouting.

Current script:

Code:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

If I don't use postrouting script
"/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE"
, then web redirection is fail.

So strange..

Quote:

Originally Posted by TheMadIndian

if server R 192.168.0.1 = eth0 and 202.123.123.1 = eth1

your iptables rule should be

Code:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21

TheMadIndian · 08-19-2010, 01:32 PM

Quote:

Originally Posted by leosophy

Thanks TheMadIndian!

My problems is not the PREROUTING, the port forward is no problems.

After doing the port forward, the source ip to web server is "192.168.0.1" which is charging the guest external ip address.

So I think the problem is come from postrouting.

Current script:

Code:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

If I don't use postrouting script
"/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE"
, then web redirection is fail.

So strange..

Can you send me or post your whole script?

TheMadIndian · 08-19-2010, 01:37 PM

a real quick example

Code:

#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21

leosophy · 08-19-2010, 01:43 PM

Hi TheMadIndian,

I'm using Fedora release 12 (Constantine).

eth1 = 202.123.123.1
eth0 = 192.168.0.1

iptables script
/etc/sysconfig/iptables

Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6844:428603]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -j DROP
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

NAT script

Code:

modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

Thanks!!

Quote:

Originally Posted by TheMadIndian

Can you send me or post your whole script?

TheMadIndian · 08-19-2010, 01:54 PM

Quote:

Originally Posted by leosophy

Hi TheMadIndian,

I'm using Fedora release 12 (Constantine).

eth1 = 202.123.123.1
eth0 = 192.168.0.1

iptables script
/etc/sysconfig/iptables

Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6844:428603]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -j DROP
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

NAT script

Code:

modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

Thanks!!

Not sure how this works

Code:

/sbin/iptables -t nat -A PREROUTING -i eth0 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80

should be

Code:

/sbin/iptables -t nat -A PREROUTING -i eth1 -d 202.123.123.1 -p tcp --dport 80 -j DNAT --to 192.168.0.21:80

TheMadIndian · 08-19-2010, 01:54 PM

Try running the one I posted real quick to see if that resolves the source IP issue

leosophy · 08-19-2010, 03:46 PM

Finish testing... but fail (Can't redirect to my web server.. 404 error).

But If I change the postrouting script as follow:

Code:

iptables -t nat -A POSTROUTING -j MASQUERADE

After remove "-o eth1", then it can redirect to web server. But still showing the "wrong source ipaddress" from apache log(only 192.168.0.1).

Apache Log:

Code:

192.168.0.1 - - [20/Aug/2010:04:48:35 +0800] "GET / HTTP/1.1" 200 22890

I wanner 192.168.0.1 be a external guest ip address...

Seems the Postrouting changing the source ipaddress. I'm using another router for port forward, it can show the external ip address from my web server...

So strange..

Quote:

Originally Posted by TheMadIndian

a real quick example

Code:

#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.123.123.1 --dport 80 -j DNAT --to-destination 192.168.0.21

TheMadIndian · 08-20-2010, 08:57 AM

Quote:

Originally Posted by leosophy

Finish testing... but fail (Can't redirect to my web server.. 404 error).

But If I change the postrouting script as follow:

Code:

iptables -t nat -A POSTROUTING -j MASQUERADE

After remove "-o eth1", then it can redirect to web server. But still showing the "wrong source ipaddress" from apache log(only 192.168.0.1).

Apache Log:

Code:

192.168.0.1 - - [20/Aug/2010:04:48:35 +0800] "GET / HTTP/1.1" 200 22890

I wanner 192.168.0.1 be a external guest ip address...

Seems the Postrouting changing the source ipaddress. I'm using another router for port forward, it can show the external ip address from my web server...

So strange..

You're running what I sent you as a script and as root correct?

I just ran that script on F11 and F13 and Centos5 and it works and I'm forwarding currently from my F13 router to a windows IIS6 server
note I did change to port 443 because my ISP doesnt allow port 80 on the cable modem so to test external IP getting through I had to use 443

rule

Code:

ifconfig eth1 |grep "inet addr" |awk -F ':' '{print $2}' | awk -F ' ' '{print $1}' > /usr/local/bin/ispIP.txt
ispIP=`cat /usr/local/bin/ispIP.txt`
iptables -t nat -A PREROUTING -p tcp -i eth1 -d $ispIP --dport 443 -j DNAT --to-destination 192.168.252.35

iis log entry

Code:

2010-08-20 13:45:58 W3SVC1132167246 192.168.252.35 GET /Default.aspx - 443 - 65.206.51.78 Wget/1.12+(linux-gnu) 200 0 0

Send me the output of

service iptables status

leosophy · 08-20-2010, 10:46 AM

service iptables status as follow

Some of port forward inside script. Not only web server but also ftp server grep the "router internal ip".

Code:

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.21:80
2    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:80 to:192.168.0.21:80
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2112 to:192.168.0.21:21
4    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2112 to:192.168.0.21:21
5    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2111 to:192.168.0.253:21
6    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2111 to:192.168.0.253:21

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2111
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2112
11   DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Quote:

Originally Posted by TheMadIndian

You're running what I sent you as a script and as root correct?

I just ran that script on F11 and F13 and Centos5 and it works and I'm forwarding currently from my F13 router to a windows IIS6 server
note I did change to port 443 because my ISP doesnt allow port 80 on the cable modem so to test external IP getting through I had to use 443

rule

Code:

ifconfig eth1 |grep "inet addr" |awk -F ':' '{print $2}' | awk -F ' ' '{print $1}' > /usr/local/bin/ispIP.txt
ispIP=`cat /usr/local/bin/ispIP.txt`
iptables -t nat -A PREROUTING -p tcp -i eth1 -d $ispIP --dport 443 -j DNAT --to-destination 192.168.252.35

iis log entry

Code:

2010-08-20 13:45:58 W3SVC1132167246 192.168.252.35 GET /Default.aspx - 443 - 65.206.51.78 Wget/1.12+(linux-gnu) 200 0 0

Send me the output of

service iptables status

TheMadIndian · 08-20-2010, 11:13 AM

Quote:

Originally Posted by leosophy

service iptables status as follow

Some of port forward inside script. Not only web server but also ftp server grep the "router internal ip".

Code:

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.21:80
2    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:80 to:192.168.0.21:80
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2112 to:192.168.0.21:21
4    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2112 to:192.168.0.21:21
5    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2111 to:192.168.0.253:21
6    DNAT       tcp  --  0.0.0.0/0            "ext-ip-addr"      tcp dpt:2111 to:192.168.0.253:21

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2111
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2112
11   DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

This is bothering me
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.21:80
2 DNAT tcp -- 0.0.0.0/0 "ext-ip-addr" tcp dpt:80 to:192.168.0.21:80

can you run the script I sent and then send me the output of service iptables status please?

leosophy · 08-20-2010, 12:04 PM

Service iptables status (Your script)

Code:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            202.123.123.1      tcp dpt:80 to:192.168.0.21:80

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Quote:

Originally Posted by TheMadIndian

This is bothering me
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.21:80
2 DNAT tcp -- 0.0.0.0/0 "ext-ip-addr" tcp dpt:80 to:192.168.0.21:80

can you run the script I sent and then send me the output of service iptables status please?

leosophy · 08-20-2010, 12:11 PM

Quote from http://www.billauer.co.il/ipmasq-html.html.
14 The wrong way to masquerade
iptables -t nat -A POSTROUTING -j MASQUERADE
This makes masquerading the default policy for any outgoing packet
... including any forwarded packet.
All forwarded packets will appear to come from the masquerading host.
May confuse firewalls
Even worse, may confuse service applications to compromise security

That's why the web redirection is done after running this script. All forwarded packets will appear to come from the masquerading host. So, that's why I only see "192.168.0.1" in all logs..

Even using your script, it's still fail.

Is it the routing problems?

Quote:

Originally Posted by leosophy

Service iptables status (Your script)

Code:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            202.123.123.1      tcp dpt:80 to:192.168.0.21:80

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

TheMadIndian · 08-20-2010, 12:38 PM

I just caught this, 202.123.123.1 thats generally a router address, i'd be surprised if thats the address you're getting from the ISP

If eth0 is your local and and eth1 is your internet connection on the router run this

otherwise send me the output of ifconfig

Code:

#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

ifconfig eth1 |grep "inet addr" |awk -F ':' '{print $2}' | awk -F ' ' '{print $1}' > /usr/local/bin/ispIP.txt
ispIP=`cat /usr/local/bin/ispIP.txt`

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -i eth1 -d $ispIP --dport 80 -j DNAT --to-destination 192.168.0.21

If this works we'll need to add some rules to lock things down