LinuxQuestions.org - Linux - Networking - iptables port forwarding (https://www.linuxquestions.org/questions/linux-networking-3/iptables-port-forwarding-812778/)

packets 06-07-2010 10:06 PM

iptables port forwarding
 
I've been Googling about iptables port forwarding, and even though there are results and I've applied them in my script, I can't make iptables forward requests to another machine, so I decided to ask for help.

eth0 is my Internet Interface (1.2.3.4 is the public ip)
eth1 is my Lan Interface
eth2 is my DMZ Interface

My Apache test server is 10.0.1.150

Below is my script:

Quote:

$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -i eth2 -j ACCEPT
$iptables -A INPUT -i eth2 -j ACCEPT
$iptables -A OUTPUT -o eth2 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o eth0 -j SNAT --to-source 1.2.3.4
$iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth2 -j MASQUERADE
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 0:79 -j REJECT
$iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 81:65535 -j REJECT
$iptables -I FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
$iptables -A INPUT -p tcp -i eth0 --dport 3500 -j ACCEPT
$iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
$iptables -I FORWARD -i eth0 -p tcp -m state --state NEW -d 10.0.1.150 --dport 80 -j ACCEPT
$iptables -t nat -I PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.0.1.150:80
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
The relevant lines here, as far as I know, are:

Quote:

$iptables -I FORWARD -i eth0 -p tcp -m state --state NEW -d 10.0.1.150 --dport 80 -j ACCEPT
$iptables -t nat -I PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.0.1.150:80
I can telnet to port 80 of 10.0.1.150 on the server. I can even view the test page using links on the server.

Can anyone tell me what my mistake is here? I'm a Linux newbie with iptables.

win32sux 06-08-2010 12:18 AM

Looks to me like it should work as it is. Maybe place a LOG rule at the end of the FORWARD chain so we can see if your test packet is getting filtered there (and if so, what the packet's headers look like)?
Code:

iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
With these types of issues, it's also a good idea to post the output of:
Code:

/sbin/route -n

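A LOG rule at the end of the FORWARD chain only helps if you then read the kernel lines it produces, so here is an added Python example (mine, not code from the thread) that parses netfilter LOG output. The sample syslog lines are constructed: the first is what the poster's "tcp connection:" INPUT rule would log, the other two are what the suggested "FORWARD DROP:" rule would log. Two netfilter facts drive the helpers: the kernel fills both IN= and OUT= only for a packet that is being routed (FORWARD), so a port-80 hit that shows up in the INPUT log was not rewritten by the PREROUTING DNAT rule; and FORWARD runs after PREROUTING, so a DNATed packet is logged there with its internal DST, not the public address.

```python
import re

# Constructed sample syslog lines (not taken from the thread): one INPUT-chain log entry
# from the poster's "tcp connection:" rule, two FORWARD-chain entries from the suggested rule.
SAMPLE_LOG = """\
Jun  8 00:41:12 test kernel: tcp connection: IN=eth0 OUT= MAC=00:1b:fc:56:51:88:00:00:5e:00:01:01:08:00 SRC=198.51.100.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51515 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 00:41:13 test kernel: FORWARD DROP: IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.0.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=51516 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 00:41:14 test kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# KEY=VALUE tokens; flags without '=' (DF, SYN) are skipped, an empty OUT= yields "".
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_nf_log(line):
    """Split one netfilter LOG line into its --log-prefix and KEY=VALUE fields.

    Returns None for syslog lines that are not netfilter LOG output.
    """
    m = re.search(r"kernel: (.*?)(?=\bIN=)", line)
    if not m:
        return None
    entry = {"prefix": m.group(1).strip()}
    entry.update(FIELD_RE.findall(line[m.end():]))
    return entry


def chain_of(entry):
    """Infer the chain the LOG rule sat in from which interface fields the kernel filled:
    IN and OUT both set means the packet was being routed (FORWARD); only IN means INPUT;
    only OUT means OUTPUT."""
    if entry.get("IN") and entry.get("OUT"):
        return "FORWARD"
    return "INPUT" if entry.get("IN") else "OUTPUT"


def forward_hits(log_text, dst, dport):
    """(IN, OUT, SRC) of every FORWARD-chain entry for dst:dport.

    FORWARD sees the packet after PREROUTING, so for a DNATed connection search for the
    internal address the rule rewrote to, not the public one.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_nf_log(line)
        if entry and chain_of(entry) == "FORWARD" \
                and entry.get("DST") == dst and entry.get("DPT") == dport:
            hits.append((entry["IN"], entry["OUT"], entry["SRC"]))
    return hits


def chain_counts(log_text):
    """Logged packets per chain; port-80 hits in INPUT mean PREROUTING did not DNAT them."""
    counts = {}
    for line in log_text.splitlines():
        entry = parse_nf_log(line)
        if entry:
            counts[chain_of(entry)] = counts.get(chain_of(entry), 0) + 1
    return counts


if __name__ == "__main__":
    print(chain_counts(SAMPLE_LOG))
    print(forward_hits(SAMPLE_LOG, "10.0.1.150", "80"))
```

On a real box, feed it the kernel lines from the system log (`grep 'FORWARD DROP:' /var/log/messages` on a distribution of that era) instead of `SAMPLE_LOG`; the `OUT=` value of a logged drop tells you which interface the routing table chose for the target, which is the first thing to compare against the `-o` of your FORWARD ACCEPT rule.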
packets 06-08-2010 12:44 AM

Quote:

place a LOG rule at the end of the FORWARD chain so we can see if your test packet is getting filtered there
I put $iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: " but don't see any packets in syslog. All I can see is the "tcp connection:" entries, which came from the limit rule.

Quote:

With these types of issues, it's also a good idea to post the output of:
Quote:

[root@test ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
202.1.0.24 0.0.0.0 255.255.255.192 U 0 0 0 eth0
10.0.1.0 10.0.1.1 255.255.255.0 UG 0 0 0 eth1
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth2
0.0.0.0 202.1.0.1 0.0.0.0 UG 0 0 0 eth0
202.1.0.24 is just a sample IP and 202.1.0.1 is just a sample gateway from the ISP.

10.0.1.1 is the gateway of 10.0.1.150

packets 06-08-2010 12:48 AM

I tried to install http, remove the lines related to port 80 on interface eth0, and run the script, and I can see Apache.

So probably the culprit is somewhere in the script, or a routing issue, but could it be a routing issue even though I can telnet to the service (http)? The server can connect to the private LAN server where Apache is installed.

win32sux 06-08-2010 12:50 AM

What interface is the Apache server on?

packets 06-08-2010 01:04 AM

Quote:

What interface is the Apache server on?
Apache was installed on a different server, not on the firewall itself. The Apache server was on the private LAN.

On the FW server, eth1 is the private LAN interface.

SuperJediWombat! 06-08-2010 09:34 AM

Have you enabled ip forwarding?
Run this to check:
Code:

cat /proc/sys/net/ipv4/ip_forward
If the output is 0 then you need to run this:
Code:

echo "1" > /proc/sys/net/ipv4/ip_forward

If that is not the issue, please run the following commands and post the output to us:
Code:

ip route
ifconfig
iptables-save


packets 06-08-2010 06:42 PM

Quote:

Have you enabled ip forwarding?
Yes. It was already at the top of the script; I just didn't include it.

I will post the output of those requested commands later.

Thanks!

packets 06-08-2010 07:37 PM

ip route:

Quote:

[root@test ~]# ip route
202.80.2.0/26 dev eth0 proto kernel scope link src 202.80.2.57
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.210
192.168.1.0/24 via 10.0.1.151 dev eth1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
169.254.0.0/16 dev eth2 scope link
10.0.0.0/8 dev eth2 proto kernel scope link src 10.4.0.100
default via 202.84.20.3 dev eth0
iptables-save:

Quote:

[root@test ~]# iptables-save
# Generated by iptables-save v1.3.5 on Wed Jun 9 08:46:33 2010
*nat
:PREROUTING ACCEPT [26774:2237252]
:POSTROUTING ACCEPT [3584:431485]
:OUTPUT ACCEPT [3717:440300]
-A PREROUTING -s 192.168.1.200 -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -d 202.80.2.57 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.150:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j SNAT --to-source 202.80.2.57
-A POSTROUTING -s 10.0.1.0/255.255.255.0 -o eth2 -j MASQUERADE
COMMIT
# Completed on Wed Jun 9 08:46:33 2010
# Generated by iptables-save v1.3.5 on Wed Jun 9 08:46:33 2010
*filter
:INPUT DROP [17:1156]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1281:194076]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m limit --limit 1/sec -m tcp -j LOG --log-prefix "tcp connection: "
-A INPUT -i eth0 -p udp -m limit --limit 1/sec -m udp -j LOG --log-prefix "udp connection: "
-A INPUT -i eth0 -p tcp -m tcp -j DROP
-A INPUT -i eth0 -p udp -m udp -j DROP
-A FORWARD -d 10.0.1.150 -i eth0 -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m multiport --dports 81:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -p tcp -m multiport --dports 0:79 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
COMMIT
# Completed on Wed Jun 9 08:46:33 2010
ifconfig:

Quote:

eth0 Link encap:Ethernet HWaddr 00:1B:FC:56:51:88
inet addr:202.80.2.57 Bcast:202.80.2.63 Mask:255.255.255.192
inet6 addr: fe80::21b:fcff:fe56:5188/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3065022 errors:0 dropped:0 overruns:0 frame:100
TX packets:1043939 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1561485718 (1.4 GiB) TX bytes:181875508 (173.4 MiB)
Interrupt:193 Base address:0x2c00

eth1 Link encap:Ethernet HWaddr 00:0E:2E:54:FF:DE
inet addr:10.0.1.210 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::20e:2eff:fe54:ffde/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1299132 errors:0 dropped:0 overruns:0 frame:0
TX packets:1416915 errors:1 dropped:0 overruns:0 carrier:2
collisions:181467 txqueuelen:1000
RX bytes:207653966 (198.0 MiB) TX bytes:1462420227 (1.3 GiB)
Interrupt:201 Base address:0x4000

eth1:1 Link encap:Ethernet HWaddr 00:0E:2E:54:FF:DE
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:201 Base address:0x4000

eth2 Link encap:Ethernet HWaddr 00:0D:88:CA:DD:8B
inet addr:10.4.0.100 Bcast:10.4.0.255 Mask:255.0.0.0
inet6 addr: fe80::20d:88ff:feca:dd8b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:88956 errors:0 dropped:0 overruns:0 frame:0
TX packets:11047 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7075999 (6.7 MiB) TX bytes:959796 (937.3 KiB)
Interrupt:185 Base address:0xe400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1270120 errors:0 dropped:0 overruns:0 frame:0
TX packets:1270120 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:224792304 (214.3 MiB) TX bytes:224792304 (214.3 MiB)

SuperJediWombat! 06-09-2010 06:43 AM

EDIT: I didn't look at your routing table very closely...

Run these commands and see how it goes:
Code:

ip route delete 192.168.1.0/24 via 10.0.1.151 dev eth1
ip route delete 10.0.0.0/8 dev eth2 proto kernel scope link src 10.4.0.100

Assuming that does not fix your problem, can you post the output of:
Code:

cat /proc/sys/net/ipv4/ip_forward

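The routing table and the iptables-save dump asked for above are worth checking against each other, because a DNAT target only works when the FORWARD chain admits a NEW connection that enters on the outside interface and leaves on whatever interface the routing table picks for the target address. Below is an added Python example (mine, not code from the thread or any project) that does that check over a constructed `iptables-save` dump and `ip route` listing modelled on the outputs posted above; the second DNAT target is constructed without a matching FORWARD rule to show what a gap looks like. It resolves each DNAT target's egress interface by longest-prefix match (10.0.1.150 falls in 10.0.1.0/24 on eth1, which is consistent with the `-o eth1` in the posted FORWARD rule, while a 10.4.0.x address falls through to the 10.0.0.0/8 route on eth2) and then looks for a FORWARD ACCEPT rule whose `-i`/`! -i`, `-o`, `-d`, `--dport`/`--dports` and `--state` would all match. Only those options are parsed; `-p` and other matches are ignored.

```python
import ipaddress
import re

# Constructed excerpts modelled on the dumps in this thread (shortened; not the original output).
# The second DNAT target deliberately has no FORWARD rule admitting it.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 202.80.2.57 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.150:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.4.0.236
-A POSTROUTING -o eth0 -j SNAT --to-source 202.80.2.57
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 10.0.1.150 -i eth0 -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m multiport --dports 81:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
IP_ROUTE = """\
202.80.2.0/26 dev eth0 proto kernel scope link src 202.80.2.57
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.210
10.0.0.0/8 dev eth2 proto kernel scope link src 10.4.0.100
default via 202.84.20.3 dev eth0
"""


def opt(rule, flag):
    """Argument of a single-argument option in a saved rule (e.g. opt(r, "-o")), or None."""
    m = re.search(r"(?:^| )" + re.escape(flag) + r" (\S+)", rule)
    return m.group(1) if m else None


def table_rules(save_text, table):
    """The -A lines that belong to one table (*nat, *filter) of iptables-save output."""
    current, rules = None, []
    for line in save_text.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif current == table and line.startswith("-A "):
            rules.append(line)
    return rules


def parse_routes(route_text):
    """(network, device) pairs from `ip route` output; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in route_text.splitlines():
        parts = line.split()
        if "dev" in parts:
            prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
            routes.append((ipaddress.ip_network(prefix, strict=False), parts[parts.index("dev") + 1]))
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match: the interface a forwarded packet to ip leaves on (its -o)."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None


def port_in_spec(port, spec):
    """Is port inside a --dport/--dports spec such as '80', '81:65535' or '25,110,143'?"""
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= int(port) <= int(hi or lo):
            return True
    return False


def dnat_targets(save_text):
    """(in_if, ip, port) per DNAT rule; the port defaults to the rule's own --dport."""
    targets = []
    for rule in table_rules(save_text, "nat"):
        dest = opt(rule, "--to-destination")
        if dest and " -j DNAT " in rule:
            ip, _, port = dest.partition(":")
            targets.append((opt(rule, "-i"), ip, port or opt(rule, "--dport")))
    return targets


def admits_new(rule, in_if, out_if, ip, port):
    """Would this FORWARD rule ACCEPT a NEW connection entering in_if, leaving out_if, to ip:port?"""
    if not rule.startswith("-A FORWARD ") or not rule.endswith(" -j ACCEPT"):
        return False
    state = opt(rule, "--state")
    if state and "NEW" not in state.split(","):
        return False
    rule_in, negated_in = opt(rule, "-i"), " ! -i " in rule
    if rule_in and (rule_in == in_if) == negated_in:  # '-i X' needs X; '! -i X' needs not X
        return False
    rule_out = opt(rule, "-o")
    if rule_out and rule_out != out_if:
        return False
    dst = opt(rule, "-d")
    if dst and ipaddress.ip_address(ip) not in ipaddress.ip_network(dst, strict=False):
        return False
    ports = opt(rule, "--dport") or opt(rule, "--dports")
    if not ports:
        return True
    return port is not None and port_in_spec(port, ports)


def check_dnat(save_text, route_text):
    """Per DNAT target: (ip:port, egress interface, whether some FORWARD rule admits it)."""
    routes, report = parse_routes(route_text), []
    for in_if, ip, port in dnat_targets(save_text):
        out_if = egress_interface(routes, ip)
        ok = any(admits_new(r, in_if, out_if, ip, port) for r in table_rules(save_text, "filter"))
        report.append((f"{ip}:{port}", out_if, ok))
    return report


if __name__ == "__main__":
    for target, out_if, ok in check_dnat(IPTABLES_SAVE, IP_ROUTE):
        print(f"{target:<18} leaves via {out_if:<5} FORWARD accept: {'yes' if ok else 'MISSING'}")
```

The check is deliberately conservative: a rule restricted to `--state RELATED,ESTABLISHED` (the poster's catch-all) never counts, because the first packet of a port-forwarded connection is NEW, and a rule with the wrong `-o` never counts even when its `-d` and `--dport` are right. Those are the two silent ways a port forward ends up in the DROP policy while `telnet` from the firewall itself (which goes through OUTPUT, not FORWARD) still works.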
packets 06-09-2010 08:13 PM

Does it make sense that, if I know I can telnet to the DMZ server on the port I'm trying to forward, I still need to think the problem might be on the network side? Even if I can traceroute successfully to the DMZ server?

Quote:

[root@test rc.d]# traceroute 10.0.1.150
traceroute to 10.0.1.150 (10.0.1.150), 30 hops max, 40 byte packets
1 10.0.1.1 (10.0.1.1) 7.825 ms 7.788 ms 7.842 ms
2 10.0.1.150 (10.0.1.150) 10.501 ms 10.578 ms 1.918 ms
BTW, here's the output:

Quote:

[root@test rc.d]# cat /proc/sys/net/ipv4/ip_forward
1

packets 06-10-2010 03:35 AM

Problem fixed!

It seems that when I added the following, I can now forward ports:

Quote:

iptables -I FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.4.0.236:80
Here is the complete script:

Quote:

/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
/sbin/iptables -A FORWARD -i eth2 -j ACCEPT
/sbin/iptables -A INPUT -i eth2 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth2 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o eth0 -j SNAT --to-source 1.2.3.4
/sbin/iptables -I FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -I FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 0:79 -j REJECT
/sbin/iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 81:65535 -j REJECT
/sbin/iptables -I FORWARD -i eth1 -o eth2 -p tcp -m state --state NEW,ESTABLISHED,RELATED -s 10.0.1.156 -d 10.4.0.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 3500 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.4.0.236:80
/sbin/iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
/sbin/iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
/sbin/iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
Is this secure enough to use for servers?

SuperJediWombat! 06-10-2010 04:01 AM

I would be happy to look at your firewall script and give you an idea of how secure it is, but please post it again from the output of this command:
Code:

iptables-save

packets 06-10-2010 04:10 AM

Here it is. Please inform me if there are any flaws or changes that need to be made. Thanks!

Quote:

[root@test rc.d]# iptables-save
# Generated by iptables-save v1.3.5 on Thu Jun 10 17:20:16 2010
*filter
:INPUT DROP [3:571]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [31:9007]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -j DROP
-A INPUT -i eth0 -p udp -m udp -j DROP
-A FORWARD -s 10.0.1.156 -d 10.4.0.0/255.255.255.0 -i eth1 -o eth2 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m multiport --dports 81:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -p tcp -m multiport --dports 0:79 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
COMMIT
# Completed on Thu Jun 10 17:20:16 2010
# Generated by iptables-save v1.3.5 on Thu Jun 10 17:20:16 2010
*nat
:PREROUTING ACCEPT [3739:351485]
:POSTROUTING ACCEPT [64:3840]
:OUTPUT ACCEPT [68:4056]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.4.0.236:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
# Completed on Thu Jun 10 17:20:16 2010

SuperJediWombat! 06-10-2010 09:45 AM

You do not need this line; it is covered by the one above:
Code:

-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
If you wanted to allow ping requests into the
This one should be deleted; port 80 is being routed, so it is covered by the FORWARD chain:
Code:

-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
The 'multiport' module is only for non-sequential numbers (like 25,110,143). If you are doing a continuous range, it works with the standard '--dport' match. So replace those two rules with these:
Code:

-A FORWARD -i eth1 -p tcp --dport 81:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -p tcp --dport 0:79 -j REJECT --reject-with icmp-port-unreachable

Hrmm... It will take me too long to do this line by line; here is my suggestion. Test it to check that it works and ask if you have any questions:

Code:

#
# Generated by SuperJediWombat v1.3.3.7 on Thu Jun 10 22:40:16 2010
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 3500 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp -s 10.0.1.156 -d 10.4.0.0/24 -j ACCEPT
-A FORWARD -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD ! -i eth0 -p tcp -j REJECT --reject-with icmp-port-unreachable
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.4.0.236:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT

Most of what I cut out was redundant, covered either by your default policy (drop, except for outbound) or by other rules.

You need to remember that packets that are being routed are covered by the FORWARD chain. INPUT and OUTPUT are only for packets that are addressed directly to or from the firewall itself. If you don't understand that, you really need to ask for more clarification.
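The closing point (routed packets hit FORWARD, only packets for the firewall itself hit INPUT) and the instruction to test the suggested ruleset can both be checked on paper before anything is loaded. Here is an added Python example (mine, not code from the thread) that transcribes the suggested FORWARD chain into rule dicts and walks it first-match, the way the kernel does, for six constructed packets; the addresses, and the set of the firewall's own addresses, are assumptions modelled on the interfaces in the thread. Because FORWARD sees a packet after PREROUTING, the port-forwarded request is written with its internal destination 10.4.0.236. The walk surfaces one thing to know before deploying the suggestion: its `-o eth0 -p tcp --dport 80` rule matches web traffic leaving for the Internet, so the DNATed request arriving on eth0 and leaving on eth2 matches no rule and falls to the DROP policy. `DNAT_ADMIT_RULE` is a narrowed form (destination and port pinned) of the `-i eth0 -o eth2 --state NEW` rule from the poster's working script that closes that gap.

```python
import ipaddress

# Assumed addresses of the firewall itself (modelled on the thread; constructed). A packet
# addressed to one of these goes to INPUT; anything else the box routes goes to FORWARD.
LOCAL_ADDRESSES = {"1.2.3.4", "10.0.1.210", "10.4.0.100", "127.0.0.1"}

# The suggested FORWARD chain above, transcribed to dicts. A key that is absent from a rule
# does not constrain it; "not_in" carries the "! -i eth0" negation; "dport" is inclusive.
FORWARD_POLICY = "DROP"
FORWARD_RULES = [
    {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"in": "eth1", "out": "eth0", "target": "ACCEPT"},
    {"in": "eth2", "out": "eth0", "target": "ACCEPT"},
    {"in": "eth1", "out": "eth2", "proto": "tcp", "src": "10.0.1.156/32", "dst": "10.4.0.0/24",
     "target": "ACCEPT"},
    {"out": "eth0", "proto": "tcp", "dport": (80, 80), "target": "ACCEPT"},
    {"not_in": "eth0", "proto": "tcp", "target": "REJECT"},
]

# Narrowed form of the poster's working "-i eth0 -o eth2 --state NEW" rule (my tightening,
# not from the thread): admit only new connections to the DNAT target on its port.
DNAT_ADMIT_RULE = {"in": "eth0", "out": "eth2", "proto": "tcp", "dst": "10.4.0.236/32",
                   "dport": (80, 80), "state": {"NEW"}, "target": "ACCEPT"}

# Constructed packets as FORWARD sees them (after PREROUTING, so DNATed destinations are internal).
SAMPLE_PACKETS = {
    "lan host browsing the internet":
        {"in": "eth1", "out": "eth0", "proto": "tcp", "src": "10.0.1.20", "dst": "203.0.113.5",
         "dport": 443, "state": "NEW"},
    "reply to that browsing session":
        {"in": "eth0", "out": "eth1", "proto": "tcp", "src": "203.0.113.5", "dst": "10.0.1.20",
         "dport": 40000, "state": "ESTABLISHED"},
    "internet client to the DNATed web server":
        {"in": "eth0", "out": "eth2", "proto": "tcp", "src": "198.51.100.7", "dst": "10.4.0.236",
         "dport": 80, "state": "NEW"},
    "allowed LAN host into the DMZ":
        {"in": "eth1", "out": "eth2", "proto": "tcp", "src": "10.0.1.156", "dst": "10.4.0.10",
         "dport": 22, "state": "NEW"},
    "other LAN host into the DMZ":
        {"in": "eth1", "out": "eth2", "proto": "tcp", "src": "10.0.1.20", "dst": "10.4.0.10",
         "dport": 22, "state": "NEW"},
    "packet addressed to the firewall itself":
        {"in": "eth0", "out": "", "proto": "tcp", "src": "198.51.100.7", "dst": "1.2.3.4",
         "dport": 3500, "state": "NEW"},
}


def chain_for(packet):
    """Routed packets traverse FORWARD; only packets for the firewall's own addresses hit INPUT."""
    return "INPUT" if packet["dst"] in LOCAL_ADDRESSES else "FORWARD"


def matches(rule, packet):
    """Does every constraint present in the rule hold for the packet?"""
    if "in" in rule and packet["in"] != rule["in"]:
        return False
    if "not_in" in rule and packet["in"] == rule["not_in"]:
        return False
    if "out" in rule and packet["out"] != rule["out"]:
        return False
    if "proto" in rule and packet["proto"] != rule["proto"]:
        return False
    if "state" in rule and packet["state"] not in rule["state"]:
        return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(packet[key]) not in ipaddress.ip_network(rule[key]):
            return False
    if "dport" in rule:
        lo, hi = rule["dport"]
        if not lo <= packet.get("dport", -1) <= hi:
            return False
    return True


def forward_verdict(packet, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """First matching rule wins, as in a real chain; the policy applies when nothing matches.
    Returns (target, 1-based rule number or None for the policy)."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, packet):
            return rule["target"], number
    return policy, None


def evaluate(packet):
    """(chain, verdict, rule number); INPUT packets are not walked, only classified."""
    chain = chain_for(packet)
    if chain != "FORWARD":
        return chain, None, None
    return (chain,) + forward_verdict(packet)


if __name__ == "__main__":
    for name, packet in SAMPLE_PACKETS.items():
        print(f"{name:<42} {evaluate(packet)}")
    fixed = [DNAT_ADMIT_RULE] + FORWARD_RULES
    print("with DNAT_ADMIT_RULE inserted first:",
          forward_verdict(SAMPLE_PACKETS["internet client to the DNATed web server"], fixed))
```

Inserting `DNAT_ADMIT_RULE` at position 1 mirrors `iptables -I FORWARD 1 ...`; after the RELATED,ESTABLISHED rule would also do, since the first packet of the forwarded connection is NEW and nothing before it can claim it. The same walk is a cheap regression test to rerun whenever a rule is added or reordered.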
