iptables port forwarding problems
Hello-
I am trying to make a cable modem router, with Slackware 10. The box that will be the router is a Pentium II 350 MHz, with 64 MB RAM, and a 4 GB hdd. It has two ethernet NICs. What my network will possibly look like when I'm done is this-
[cable modem]----[router (slack 10)]----[switch]----[other computers..]
There will be about 5-6 computers behind it, connected via the switch. I already made the router part work with NAT and everything, and there is a DNS server running on the 350 box, which also works (dnsmasq). The only problem is that I am trying to run a web/ftp/ssh server behind the router, and I can't get port forwarding to work at all, I just keep getting a connection refused. Supposing my ip is 24.238.44.175, and the server's ip behind the router is 192.168.1.106. Here is the iptables script that is run on boot- Code:
EXTERNAL=eth0 -Jim |
Personally, I think that (-d 192.168.1.106) specifying internal IP addresses as a destination may be getting in the way. If you have just one machine acting as web server, then forward tcp/udp requests for the ports you want to service. My reasoning is that a random user in the world clicking a link to your machine will not be sending any packet that references your 192.168.1.106 machine. Instead it will be attempting a connection to your publicly routable IP address with the port number specified.
Your firewall will have to read the port number, and say 'hmmm that needs to be forwarded to this internal IP'. Hope this helps. jacks4u |
Hi,
You've used the same port (8022) 3 times as a port to be forwarded -- that should make the last 2 lines of your script give some error messages.
Code:
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL --dport 8080 -j DNAT --to 192.168.1.106:8080
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL --dport 8022 -j DNAT --to 192.168.1.106:8022
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL --dport 8022 -j DNAT --to 192.168.1.106:8021
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL --dport 8022 -j DNAT --to 192.168.1.106:8020
Here's my conf :
Code:
iptables -t nat -I PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 23 -j DNAT --to-destination $LAZARUS:22
iptables -t nat -I PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 20 -j DNAT --to-destination $ARPOULGWEN
The nat table entries don't allow the packet to be forwarded, so you were right to add the lines :
Code:
iptables -A FORWARD -p tcp -i $EXTERNAL -d 192.168.1.106 --dport 8080 -j ACCEPT
....
Bye |
Still no go
Hello-
OK, from what fr_laz and jacks4u told me, I changed my iptables script around, now it looks like this- Code:
EXTERNAL=eth0 -Jim |
Re,
Did you enable forwarding by :
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
The 1 in this file enables your kernel to forward packets between interfaces. If this doesn't work, you could :
1) check the rules are listed and applied :
Code:
iptables -t nat -L -v
iptables -L -v
2) try to log the packets you drop & accept :
Code:
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
iptables -A LOG_ACCEPT -j ACCEPT
then change the targets of your rules from DROP to LOG_DROP & from ACCEPT to LOG_ACCEPT. Thus your packets will be logged in /var/log/kernel (or another logfile depending on your syslog conf). Then you'll see what happens with your packets. Just one thing with logging : if you log all your packets you'll get _lots_ of log entries ! A last thing : your first version of :
Code:
iptables -A FORWARD -p tcp -i $EXTERNAL -d 192.168.1.106 --dport 8080 -j ACCEPT ...
was correct, you should keep it, it's more precise. Good luck |
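As an added example (not part of fr_laz's post or anything else in the thread), here is a small shell script that reads the kind of lines those LOG_DROP / LOG_ACCEPT chains write to syslog and summarises them per destination port, which is the check the thread is about to perform by hand with grep. The log lines are constructed to look like netfilter LOG output with the prefixes above; the hostname oddjob, the addresses and the ports are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: find and summarise netfilter LOG lines.
# SAMPLE_LOG is constructed; real lines come from /var/log/syslog or
# /var/log/kernel depending on the syslog configuration.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 14:02:11 oddjob kernel: [IPTABLES ACCEPT] : IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.106 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 14:02:11 oddjob kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=24.238.44.175 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2 DF PROTO=TCP SPT=3071 DPT=8022 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 14:02:12 oddjob kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=198.51.100.9 DST=24.238.44.175 LEN=48 PROTO=TCP SPT=3072 DPT=8080 SYN URGP=0
Mar  3 14:02:13 oddjob kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=192.0.2.44 DST=24.238.44.175 LEN=78 PROTO=UDP SPT=1026 DPT=1027 LEN=58
EOF
)

# log_lines_for_port PORT
# Every netfilter log line whose destination port is exactly PORT
# (-w keeps DPT=8080 from also matching DPT=80800).
log_lines_for_port() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'IPTABLES' | grep -w "DPT=$1"
}

# verdict_summary
# One line per "VERDICT DPORT COUNT", taken from the --log-prefix text and
# the DPT= field, so you can see at a glance which ports are being dropped.
verdict_summary() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /\[IPTABLES (ACCEPT|DROP)\]/ {
            verdict = $0
            sub(/.*\[IPTABLES /, "", verdict)
            sub(/\].*/, "", verdict)
            dpt = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) dpt = substr($i, 5)
            count[verdict " " dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# dropped_count PORT : number of packets for PORT that were logged as dropped
dropped_count() {
    log_lines_for_port "$1" | grep -c 'IPTABLES DROP'
}

echo "== all log lines for port 8080 =="
log_lines_for_port 8080
echo "== verdict / port summary =="
verdict_summary
```

Reading the fields is the useful part: a DROP line whose DST= is still the public address shows the packet reached the router's own INPUT chain, i.e. the nat PREROUTING rule never rewrote it, while a line whose DST= is already the server's LAN address shows the DNAT fired and the packet went through FORWARD. If a port shows up in no line at all, the packet never reached the box (or the LOG chains are not in the path), which is what a tcpdump on the WAN interface would confirm.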
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL --dport 8080 -j DNAT --to-destination 192.168.1.106:8080
I think this should be:
Code:
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL --dport 8080 -d 192.168.1.106 -j DNAT --to-destination 24.238.44.175
or:
Code:
iptables -t nat -A PREROUTING -d 192.168.1.106 -j DNAT --to-destination 24.238.44.175:8080
This makes the Internet able to access your internal server. Then you must make the server able to respond to the requests; you should add:
Code:
iptables -t nat -A POSTROUTING -p tcp -o $EXTERNAL --sport 8080 -s 24.238.44.175 -j SNAT --to-source 192.168.1.106
iptables -A FORWARD -p tcp -o $EXTERNAL --sport 8080 -j ACCEPT
And it seems that you have a static IP: 24.238.44.175, so I think you should not use MASQUERADE, but -j SNAT:
Code:
iptables -t nat -A POSTROUTING -o $EXTERNAL -j SNAT
I dial up with ADSL; ppp0 and eth0 are the same physical device, so this is enough. While you have 2 ethernet cards, I think there must be some rules between the 2 cards (I'm not very clear about this; I hope you can give me a clear result). I read from a book, it has a line like this:
Code:
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -d ROUTER-INTERNAL-IP -j ACCEPT
I hope this will help you. ------ and also can help myself. |
That log kinda worked...
Hello-
That logging idea that fr_laz had was a good idea, but for some reason wasn't a success (in finding out what was happening to the packets that are supposed to go to my server). I set it up the way he said (I added what he said to my iptables script), ran iptables -F, then ran the script again. I tried to access my http server (http://24.238.44.175:8080/, yes I have a domain, I just don't have it fixed with this ip yet) three times, so I could possibly see it in /var/log/syslog. So, I took a look at syslog, and saw a bunch of packets that were logged. I found out the syntax of the destination port for the log (DPT=xxx), and then ran this-
Code:
root@oddjob:~# grep DPT=8080 /var/log/syslog
And got nothing. Then I skimmed over the file by hand where the iptables stuff is, and still saw nothing. Then I tested my http server locally, just to make sure it was still working (http://goldeneye:8080), and it is still running/working right. I ran tcpdump on the router's, uh, WAN interface (eth0), and tried accessing http://24.238.44.175:8080 again. Nothing in tcpdump came up in there either. I'm really stumped here. Any more ideas/suggestions? Thanks. -Jim |
Chowroc's idea
Hello-
As soon as I posted my last reply, I noticed Chowroc's idea. My IP address is actually dynamic, but it changes rarely. The router has two ethernet cards, eth0 and eth1. The eth0 is the one that my cable modem is plugged into, and eth1 is what my switch is plugged into. From the switch the rest of the computers are plugged in, and another switch comes off of that. My network is small (6 computers, including the router), I just have another switch go to another floor of my house. I tried your idea of making the --to-destination 24.238.44.175:8080, that didn't work either. Also, I forgot to mention. When fr_laz told me to try logging, I would get some warnings/errors when restarting iptables that said "Chain already exists" (not exactly that, but something like that). So, in case that has anything to do with it. Any more ideas? I'm about to start looking for one of those automatic iptables script generator things that I've heard about when digging through google, but you don't learn like that now do you? :). Any more ideas though? Thanks. -Jim |
Hi,
What Chowroc wrote :
Code:
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL --dport 8080 -d 192.168.1.106 -j DNAT --to-destination 24.238.44.175
was to nat your local machines to your internet IP, ie it permits your local machines to use the internet on port 8080 (you don't need it since you're masquerading). You want to nat incoming connections, so what you first wrote looks fine. Here's a part of my iptables script :
Code:
EXT_IFACE=eth0
LAN_IFACE=eth1
EXT_IP="the IP given by my provider"
LAZARUS="192.168.0.80"
ARPOULGWEN="192.168.0.82"

echo 1 > /proc/sys/net/ipv4/ip_forward

# Forwarding EXT_IFACE port 23 to my machine port 22
iptables -t nat -I PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 23 -j DNAT --to-destination $LAZARUS:22
# Allowing ssh packets to go to my computer
iptables -I FORWARD -i $EXT_IFACE -o $LAN_IFACE -p tcp -d $LAZARUS --dport 22 -j ACCEPT
iptables -I FORWARD -i $LAN_IFACE -o $EXT_IFACE -p tcp -s $LAZARUS --sport 22 -j ACCEPT

# Forwarding incoming www packets to my web server
iptables -t nat -I PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $ARPOULGWEN
# Allowing www packets to go to my webserver
iptables -I FORWARD -i $EXT_IFACE -o $LAN_IFACE -p tcp -d $ARPOULGWEN --dport 80 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i $LAN_IFACE -o $EXT_IFACE -p tcp -s $ARPOULGWEN --sport 80 \
    -m state --state ESTABLISHED -j ACCEPT
Did you try the "iptables -t nat -L -v" and "iptables -L -v" commands ? Do you have nat modules or are they built-in in the kernel ? Quote:
Could you post your whole script ? Bye |
Gonna try what you have
Hello-
I'm gonna try what fr_laz is doing for his script (just to match my situation). Yes, the modules are being loaded, since the script is actually part of the slackware boot script (/etc/rc.d/rc.modules), and below my script all the nat modules and other things are being loaded there. See, all my forwarding rules look something like this- Code:
iptables -A FORWARD -p tcp -i $EXTERNAL -d 192.168.1.106 --dport 8020 -j ACCEPT
Also, does it make a difference whether I use -I or -A? I know -A means to add a rule to a chain, and -I means insert a rule somewhere in the chain. Is there much of a difference? But I'm gonna go try this now, thanks for all your help so far, hopefully I can get this working! -Jim (ps, this thread isn't over yet) |
Still isn't working...
Hello-
I tried fr_laz's script (after editing it to suit my needs), and it didn't work either. Here is my entire iptables script (or the section where iptables stuff is), and I included the module loading part, in case I am missing any. Code:
From: /etc/rc.d/rc.modules-
-Jim
EDIT: I fixed my domain (DynDNS) to point to my ip address now, it's badger.homelinux.org, in case it helps at all. |
Re !
Is your internal machine (192.168.0.106) really listening on ports 8080, 8022, 8021, 8020 ? If not, and if it's listening on ports 80, 22, 21 and 20, you should make some port redirection, ie :
Code:
... --dport 8080 -j DNAT --to-destination 192.168.0.106:80
so that incoming 8080 is being forwarded to IP 192.168.0.106 dport 80. Another thing: in the script you wrote, you don't give a default behaviour to INPUT and OUTPUT (iptables -P INPUT DROP, iptables -P OUTPUT DROP). Laz, |
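As an added example, not the thread's own script and not fr_laz's or Jim's code, here is a complete port-forwarding rule set for a two-NIC router in the layout fr_laz described above (DNAT in nat/PREROUTING plus matching FORWARD rules, default-deny policies, MASQUERADE for a dynamic address), with the port-redirection case just mentioned (public 8080 to an internal 80) handled by the same function. Interface names, addresses and ports are assumptions taken from the thread. It runs in dry-run mode by default and prints the iptables commands instead of executing them, so the rule set can be reviewed without root on any box.

```shell
#!/bin/sh
# Added example, not the thread's own script. Interface names, addresses and
# ports are assumptions from the thread; adjust them for your own router.
# DRY_RUN=1 (default) prints each iptables command; DRY_RUN=0 applies them.

DRY_RUN=${DRY_RUN:-1}
EXT_IFACE=eth0          # cable modem side
LAN_IFACE=eth1          # switch side
LAN_NET=192.168.1.0/24
SERVER=192.168.1.106    # the box running the web/ftp/ssh daemons

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# enable_forwarding: without this the kernel never passes packets between NICs
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# base_rules: default-deny policies, the router's own INPUT, LAN-to-Internet
# NAT. Rules are appended with -A, so they are evaluated in this order and the
# per-port rules added later sit after them.
base_rules() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -j ACCEPT
    # LAN hosts out to the Internet, and the replies back in
    run iptables -A FORWARD -i "$LAN_IFACE" -o "$EXT_IFACE" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # MASQUERADE rather than SNAT because the cable-modem address is dynamic
    run iptables -t nat -A POSTROUTING -o "$EXT_IFACE" -s "$LAN_NET" -j MASQUERADE
}

# forward_port EXT_PORT LAN_PORT
# 1. nat/PREROUTING: rewrite the destination of TCP packets arriving on the
#    WAN interface for EXT_PORT to SERVER:LAN_PORT. Redirection (public 8080
#    to internal 80) is simply a LAN_PORT that differs from EXT_PORT.
# 2. FORWARD: DNAT only rewrites the address; the packet must still be
#    accepted on its way to the LAN, so match on the rewritten (LAN) port.
#    Reply packets are covered by the ESTABLISHED rule in base_rules.
forward_port() {
    ext_port=$1
    lan_port=$2
    run iptables -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$SERVER:$lan_port"
    run iptables -A FORWARD -i "$EXT_IFACE" -o "$LAN_IFACE" -p tcp -d "$SERVER" --dport "$lan_port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
}

# apply_all: the whole rule set; the server here listens on 8080 and 8022
# itself, as in the thread. Use e.g. "forward_port 8080 80" to redirect.
apply_all() {
    enable_forwarding
    base_rules
    forward_port 8080 8080    # http
    forward_port 8022 8022    # ssh
}

# count_rules: number of iptables commands apply_all issues (dry-run output)
count_rules() {
    apply_all | grep -c '^iptables'
}

apply_all
# After applying for real, confirm the rules and watch their packet counters:
#   iptables -t nat -L -v -n ; iptables -L -v -n
```

The counters from `iptables -t nat -L -v -n` are the quickest check: if the PREROUTING DNAT rule's packet counter stays at zero while you connect from outside, the packets are not reaching the router at all (or not on the interface the rule names), and no FORWARD rule will change that.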
Yes they are listening
Hello-
Yes, I am sure that they are listening on the correct ports, 8080, 8021, 8022, and 8020. I just tried them all locally ($ ssh goldeneye -p 8022, $ lynx http://goldeneye:8080, $ ftp goldeneye 8021; goldeneye is the name of the computer that is the server here). I tested it from my router and from goldeneye (ssh into my router, it has a lot of command line programs installed). I added the default policies, didn't make a difference, a connection refused is still occurring. I'm going to start looking up modules for iptables that have to be loaded, I think that I'm missing some, since I don't see where else I'm going wrong. Any more suggestions? Thanks. -Jim |
Re,
You asked : Also, does it make a difference whether I use -I or -A? I know -A means to add a rule to a chain, and -I means insert a rule somewhere in the chain. Is there much of a difference? It makes a _huge_ difference when you have run a script and then add some rules afterwards, since rules are processed one after the other, so if you type :
Code:
iptables -A INPUT -i eth0 -p tcp -j ACCEPT
iptables -A INPUT -j DROP
iptables -A INPUT -i eth1 -j ACCEPT
your packets going to eth1 will be dropped. (don't think it's linked to your problem...) Try to look at the modules, but when one is not loaded you get error messages running your script. Good luck, |
Stumped
Hello-
OK, I am completely stumped here. After what fr_laz told me, here is my new iptables script- Code:
-Jim |