Old 06-17-2010, 03:48 AM   #1
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Rep: Reputation: Disabled
iptables port redirection woes.


Hello all,

There is this server wherein I want to use port redirection using iptables. For port redirection I have used the nat table with the PREROUTING chain and the REDIRECT option.
Like:
Code:
iptables -t nat -A PREROUTING -p tcp --dport pop3 -j REDIRECT --to-port 8110
It just does not work. I have tried to redirect other ports as well but nothing works.
What am I missing?

iptables -t nat -L -v output:

Code:
Chain PREROUTING (policy ACCEPT 1111 packets, 83779 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3 redir ports 8110
    1    48 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp redir ports 8110
 
Old 06-17-2010, 05:16 AM   #2
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by linuxlover.chaitanya View Post
Hello all,

There is this server wherein I want to use port redirection using iptables. For port redirection I have used the nat table with the PREROUTING chain and the REDIRECT option.
Like:
Code:
iptables -t nat -A PREROUTING -p tcp --dport pop3 -j REDIRECT --to-port 8110
It just does not work. I have tried to redirect other ports as well but nothing works.
What am I missing?

iptables -t nat -L -v output:

Code:
Chain PREROUTING (policy ACCEPT 1111 packets, 83779 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3 redir ports 8110
    1    48 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp redir ports 8110


Do you have an INPUT rule that is allowing port 110?
Are you allowing INPUT to port 8110?

You need to paste ALL of your iptables rules.
 
Old 06-17-2010, 05:45 AM   #3
linuxlover.chaitanya
Yes, I am allowing all the ports that I need. The incoming ports and the ports to which I need to redirect are open and accepting connections.
I am not exactly a newbie so I do not need a spoon-fed solution, just direction where I should be looking. I am at my wits' end now. I cannot see anything.
 
Old 06-18-2010, 05:31 AM   #4
centosboy
Quote:
Originally Posted by linuxlover.chaitanya View Post
Yes, I am allowing all the ports that I need. The incoming ports and the ports to which I need to redirect are open and accepting connections.
I am not exactly a newbie so I do not need a spoon-fed solution, just direction where I should be looking. I am at my wits' end now. I cannot see anything.

I don't know then...

Code:
iptables -I  PREROUTING -t nat -p tcp   --dport 110 -j REDIRECT --to-ports 25
worked fine when I tested...
The only solution now then is to create a chain for anything that isn't allowed to be dropped, and then see what, if anything, is being added to this log when you attempt connections.
 
Old 06-18-2010, 06:42 AM   #5
linuxlover.chaitanya
I am now putting up a test machine with similar packages but running Ubuntu server rather than CentOS5.5. Most of the packages that are not default would be installed with apt. That might help a bit. I do not know.
I also have asked one of my friends to make a test scenario at his office and see if he also has issues with port redirection. Will receive some inputs from him as well. Till then I am putting my hope behind my new machine. Will keep you posted.
Thanks for looking and trying. I know this is just a small uncomplicated rule that should not have given too much trouble. But it seems CentOS5 is behaving like this.
 
Old 06-18-2010, 07:19 AM   #6
centosboy
Quote:
Originally Posted by linuxlover.chaitanya View Post
I am now putting up a test machine with similar packages but running Ubuntu server rather than CentOS5.5. Most of the packages that are not default would be installed with apt. That might help a bit. I do not know.
I also have asked one of my friends to make a test scenario at his office and see if he also has issues with port redirection. Will receive some inputs from him as well. Till then I am putting my hope behind my new machine. Will keep you posted.
Thanks for looking and trying. I know this is just a small uncomplicated rule that should not have given too much trouble. But it seems CentOS5 is behaving like this.

Hmm.. OK.

I tested on CentOS.
What I did:

10.220.241.18 is the source ip. (windows)
10.220.241.237 is the destination (centos 5.3)

on 10.220.241.237


Code:
iptables -I INPUT -s 10.220.241.18 -j ACCEPT
iptables -I  PREROUTING -t nat -p tcp   --dport 110 -j REDIRECT --to-ports 25
Then I started up postfix and made sure it listened on the external address, as by default it starts up and listens on localhost.


on 10.220.241.18

Code:
telnet 10.220.241.237 110

and this gives me

Code:
220 servername ESMTP Postfix
 
Old 06-18-2010, 07:22 AM   #7
centosboy
Quote:
Originally Posted by centosboy View Post
Hmm.. OK.

I tested on CentOS.
What I did:

10.220.241.18 is the source ip. (windows)
10.220.241.237 is the destination (centos 5.3)

on 10.220.241.237


Code:
iptables -I INPUT -s 10.220.241.18 -j ACCEPT
iptables -I  PREROUTING -t nat -p tcp   --dport 110 -j REDIRECT --to-ports 25
Then I started up postfix and made sure it listened on the external address, as by default it starts up and listens on localhost.


on 10.220.241.18

Code:
telnet 10.220.241.237 110

and this gives me

Code:
220 servername ESMTP Postfix


2 main things to note.

The host you are testing from is allowed the correct access to the destination.

The redirect ports are actually listening on the correct interface and this is proved by connecting directly to them.
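
The two checks in this post, together with the zero packet counter in the first post's listing, can be read mechanically from `iptables -t nat -L -v` and `ss -ltn` output. The script below is an added example, not code from any poster in the thread; the `ss` lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# PREROUTING listing as posted in #1; the ss -ltn lines are constructed.
NAT_LISTING='Chain PREROUTING (policy ACCEPT 1111 packets, 83779 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3 redir ports 8110
    1    48 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp redir ports 8110'
SS_LISTING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8110       0.0.0.0:*'

# Print "dport to_port pkts" per REDIRECT rule. A pkts value of 0 means no
# packet has matched yet. nat PREROUTING only sees packets arriving on an
# interface; connections opened on the host itself go through nat OUTPUT.
redirect_hits() {
    awk '$3 == "REDIRECT" {
        dport = ""; to = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dpt:/) dport = substr($i, 5)
            if ($i == "ports") to = $(i + 1)
        }
        print dport, to, $1
    }'
}

# Classify how port $1 is bound in `ss -ltn` output. REDIRECT rewrites the
# destination to the incoming interface's address, so a loopback-only
# listener never receives redirected connections from other hosts.
listen_scope() {
    awk -v port="$1" 'BEGIN { r = "closed" }
    $1 == "LISTEN" {
        n = split($4, a, ":"); addr = $4
        if (a[n] != port) next
        sub(/:[^:]*$/, "", addr)
        if (addr ~ /^127\./ || addr == "[::1]") { if (r == "closed") r = "loopback" }
        else r = "external"
    }
    END { print r }'
}

# One line per rule: match counter plus reachability of the redirect target.
diagnose() {
    printf '%s\n' "$NAT_LISTING" | redirect_hits | while read -r dport to pkts; do
        scope=$(printf '%s\n' "$SS_LISTING" | listen_scope "$to")
        echo "$dport->$to pkts=$pkts listener=$scope"
    done
}

diagnose
```

On a live host, pipe the real command output into `redirect_hits` and `listen_scope` in place of the embedded samples.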
 
Old 06-24-2010, 12:16 AM   #8
linuxlover.chaitanya
Sorry for being late. Was on holiday for friend's wedding.
I can see that the ports are listening and can telnet. I am still not sure why this is not working.
Let me see.
And if nothing works, then I will probably put some ebox appliance or something.
Will keep you posted about it. Today's the first day at the office after the holiday. Will need some time.
Thanks for taking interest anyhow.
 
Old 06-24-2010, 02:23 AM   #9
linuxlover.chaitanya
This is from the local machine:

Code:
[root@squid etc]# telnet 192.168.2.1 pop3
Trying 192.168.2.1...
Connected to squid.ib.com.local (192.168.2.1).
Escape character is '^]'.
220 squid.ib.com.local ESMTP Sendmail 8.13.8/8.13.8; Thu, 24 Jun 2010 12:38:53 +0530
^]
Interesting. It is redirecting the connections from pop to smtp. But not from pop to 8110?
 
Old 06-24-2010, 02:52 AM   #10
centosboy
Can you get to 8110 directly from the remote machine?
 
Old 06-24-2010, 05:46 AM   #11
linuxlover.chaitanya
I would say yes.

Code:
chaitanya@IBDesk06:~$ telnet 192.168.2.1 8110
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
Connection closed by foreign host.
 
Old 06-25-2010, 02:28 AM   #12
centosboy
Quote:
Originally Posted by linuxlover.chaitanya View Post
I would say yes.

Code:
chaitanya@IBDesk06:~$ telnet 192.168.2.1 8110
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
Connection closed by foreign host.

I meant from this same machine

Code:
[root@squid etc]#

Best to do all testing from the same machine....
Is there anything showing up in the drop logs (assuming you have set up logging with iptables) when an attempt to port redirect fails?
 
Old 06-25-2010, 05:44 AM   #13
linuxlover.chaitanya
It is accepting connections even on the same machine. I am trying this on a test machine. So it will take some time before I can do that. Will keep you posted.
 
Old 06-28-2010, 12:57 AM   #14
linuxlover.chaitanya
Well, let me give some more information that I forgot till now. This machine that I am trying port forwarding on is behind an ADSL modem and a D-Link wireless router.
So you could take it as:
Code:
Adsl modem ---> Wireless router -----> my system ------>lan
The wireless router does have some ethernet ports for wired connections and can act as a hub.
If this information makes a difference. Though it should not. I have tried connecting directly to the ADSL modem.

Last edited by linuxlover.chaitanya; 06-28-2010 at 01:00 AM. Reason: typo
 
Old 06-28-2010, 03:35 PM   #15
centosboy
Quote:
Originally Posted by linuxlover.chaitanya View Post
Well, let me give some more information that I forgot till now. This machine that I am trying port forwarding on is behind an ADSL modem and a D-Link wireless router.
So you could take it as:
Code:
Adsl modem ---> Wireless router -----> my system ------>lan
The wireless router does have some ethernet ports for wired connections and can act as a hub.
If this information makes a difference. Though it should not. I have tried connecting directly to the ADSL modem.

Well, I must admit... my testing was with 3 machines on my LAN, 2 running CentOS 5.3 and 1 with Windows.
I guess a process of elimination determines if it is any devices in the network causing the issue or iptables itself (which I doubt).
 
  

