LinuxQuestions.org, forum: Linux - Networking
#1 - 02-07-2013, 08:10 PM - rodrigoraval (LQ Newbie; registered Feb 2013; 4 posts)

Open and redirect ports on Slackware for cameras server


Hello, I have one Slackware server with the following configuration: eth0: hot IP (PPPoE), eth1: 192.168.2.1, eth2: 192.168.0.1.
I have another machine on the network, on which I have my camera system (Geovision), 192.168.0.2, running Windows XP.
There are 3 situations:
1- Redirect ports 3550, 4550 and 90 to IP 192.168.0.2 (cameras) for when I need to access the cameras from the Internet.
2- Redirect ports 3550, 4550 and 90 to IP 192.168.0.2 (cameras) for when I need to access the cameras from inside the network.
3- Open ports 5546-5549 for the XP machine to connect to Center V2 (monitoring centre). I used the following rules:
#opening ports 5546/47/48/49
iptables -A INPUT -p tcp --dport 5546 -j ACCEPT
iptables -A INPUT -p tcp --dport 5547 -j ACCEPT
iptables -A INPUT -p tcp --dport 5548 -j ACCEPT
iptables -A INPUT -p tcp --dport 5549 -j ACCEPT

#Redirect (situation 1), Access the cameras from internet:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3550 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 3550 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4550 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 4550 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 90 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 90 -d 192.168.0.2 -j ACCEPT

#Redirect (Situation2), access the cameras from inside network:
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 3550 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i eth2 --dport 3550 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 4550 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i eth2 --dport 4550 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 90 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i eth2 --dport 90 -d 192.168.0.2 -j ACCEPT

# CenterV2 Redirect
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5546 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 5546 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5547 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 5547 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5548 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 5548 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5549 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 5549 -d 192.168.0.2 -j ACCEPT


#Share internet
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o ppp0 -j MASQUERADE

#Proxy Transparent
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here ends /etc/rc.d/rc.local

In situation 1, everything works fine, I can access the cameras from the Internet.
In situation 2, I can't access the cameras from inside the network.
In situation 3, the server (XP) can't connect to CenterV2.

Running nmap, I can't see the ports (5546-5549) open.

nmap -sS -O 127.0.0.1

Starting Nmap 4.60 ( http://nmap.org ) at 2013-02-07 23:43 BRST
Interesting ports on localhost (127.0.0.1):
Not shown: 1702 closed ports
PORT STATE SERVICE
22/tcp open ssh
37/tcp open time
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
139/tcp open netbios-ssn
445/tcp open microsoft-ds
548/tcp open afpovertcp
631/tcp open ipp
953/tcp open rndc
3128/tcp open squid-http
8000/tcp open http-alt

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:5546 to:192.168.0.2
DNAT tcp -- anywhere anywhere tcp dpt:5547 to:192.168.0.2
DNAT tcp -- anywhere anywhere tcp dpt:5548 to:192.168.0.2
DNAT tcp -- anywhere anywhere tcp dpt:5549 to:192.168.0.2
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/24 anywhere
MASQUERADE all -- 192.168.2.0/24 anywhere
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Any help on this? Thanks.
 
#2 - 02-07-2013, 09:14 PM - Ser Olmy (Senior Member; Slackware; 2,314 posts)
The first 4 lines are redundant. When ports are redirected by rules in the NAT table, packets never hit the INPUT chain of the filter table. Instead, they are processed by the FORWARD chain, as the destination IP has already been altered by the time the packet reaches the filter table.

Your attempts to redirect traffic to ports on the Slackware gateway will fail when the ports are accessed by computers on the same local network as the camera server ("situation 2"). The reason is simple: Since the source address is local, the camera server will reply directly instead of sending the packets through the gateway. This means the packets are never "de-NATed". You can work around this by NATing the source address ("hairpin NAT"):
Code:
# SNAT (not DNAT) the source of hairpinned connections on the camera-side interface,
# eth2, so the camera's replies go back through the gateway and get de-NATed
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to-source 192.168.0.1
The redirection rules for TCP ports 5546-5549 will only work for traffic entering the ppp0 interface, which means it will only work if the machine accessing these ports does so from the Internet.

The way you describe your setup, it sounds like the XP system with Geovision and the camera server is the same computer. In that case, I don't see why it would need NAT rules on the gateway to access services running locally.
 
#3 - 02-08-2013, 04:17 AM - rodrigoraval (LQ Newbie; Original Poster)

Situation 3

Yes, the Windows XP machine is running the camera system, 192.168.0.2, which requires ports 5546-5549 to communicate with CenterV2 (on the Internet, 189.31.x.x). The service running on this system requires these ports to be open to talk to CenterV2. In my view, I should OPEN the ports and redirect the traffic on these ports through ppp to the Windows XP machine (192.168.0.2), as I did with:

# CenterV2 Redirect
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5546 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 5546 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5547 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 5547 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5548 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 5548 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5549 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i ppp0 --dport 5549 -d 192.168.0.2 -j ACCEPT

I didn't get what is wrong with it, could you please describe it better? Thanks.
 
#4 - 02-08-2013, 07:14 AM - Ser Olmy (Senior Member; Slackware)
You only need to redirect ports if the communication is initiated from the outside. If CenterV2 is trying to communicate with your XP system via your public IP address then yes, you will need to forward ports.

If it's the other way around, you just have to make sure the FORWARD chain in the filter table allows the traffic. You already have the necessary NAT rule in the POSTROUTING chain.
 
#5 - 02-08-2013, 07:23 AM - rodrigoraval (LQ Newbie; Original Poster)

Redirect ports

Ok, got it, so... I don't need to redirect ports if the communication with Center V2 starts from the XP machine... but are the rules:
#opening ports 5546/47/48/49
iptables -A INPUT -p tcp --dport 5546 -j ACCEPT
iptables -A INPUT -p tcp --dport 5547 -j ACCEPT
iptables -A INPUT -p tcp --dport 5548 -j ACCEPT
iptables -A INPUT -p tcp --dport 5549 -j ACCEPT

correct? Should it be working with just these rules, or is it necessary to add another rule to iptables?
 
#6 - 02-08-2013, 09:15 AM - Ser Olmy (Senior Member; Slackware)
Quote:
Originally Posted by rodrigoraval View Post
Ok, got it, so... I don't need to redirect ports if the communication with Center V2 starts from the XP machine... but are the rules:
#opening ports 5546/47/48/49
iptables -A INPUT -p tcp --dport 5546 -j ACCEPT
iptables -A INPUT -p tcp --dport 5547 -j ACCEPT
iptables -A INPUT -p tcp --dport 5548 -j ACCEPT
iptables -A INPUT -p tcp --dport 5549 -j ACCEPT

correct? Should it be working with just these rules, or is it necessary to add another rule to iptables?
These rules say that ports 5546-5549 on the gateway are open. The INPUT chain is only for traffic destined for the system itself, not for traffic passing through it, and not for redirected ports.

Do you have services running on these ports on the Slackware gateway? If not, you can remove these rules.
 
#7 - 02-08-2013, 08:22 PM - rodrigoraval (LQ Newbie; Original Poster)

Redirect ports

Ok, but now the gold question: which rules are necessary to open the ports used by the XP machine to communicate with CenterV2?
Just a reminder, there is no request from the Internet for this; Windows XP starts communicating with CenterV2 through ports 5546-5549.
How is this supposed to work? How do I open these ports for this service? Thanks.
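The question left open in #7, together with the hairpin NAT from #2 and the FORWARD-chain point made in #4 and #6, as one complete ruleset for the gateway described in #1. This is an added example, not code from the thread, from Slackware or from Geovision. Interface names, addresses and the published ports are the ones the original poster gave; everything else is an assumption: default-DROP policies with conntrack, which services the gateway offers its LANs (ssh, the resolver and squid, all visible in the nmap output), that CenterV2 is reached over TCP 5546-5549 only, and that LAN clients reach the cameras through the gateway's own address 192.168.0.1. The `dryrun` helper is also part of the example: run it with `IPT=dryrun` to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread. Interfaces and addresses follow post #1;
# the policy choices are assumptions. IPT=dryrun prints rules instead of loading them.
IPT="${IPT:-iptables}"
dryrun() { printf '%s\n' "$*"; }

WAN=ppp0                    # PPPoE link carrying the public address
CAM_IF=eth2                 # segment holding the camera host
CAM_GW=192.168.0.1          # gateway's own address on that segment
CAM_NET=192.168.0.0/24
CAM_HOST=192.168.0.2        # Windows XP / Geovision box
LAN2_IF=eth1
LAN2_NET=192.168.2.0/24
CAM_PORTS="3550 4550 90"    # published from the camera host (post #1)
CENTERV2_PORTS=5546:5549    # outbound from the camera host (assumed TCP)

reset_tables() {
    for t in filter nat; do
        $IPT -t $t -F
        $IPT -t $t -X
    done
}

base_policy() {
    # Default deny in and through the gateway; conntrack admits replies, so no
    # INPUT rule is ever needed for a port that is DNATed to another host.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Services the gateway itself offers its LANs: ssh and the resolver (both
    # open in the nmap output); nothing is offered on ppp0.
    for lan in $CAM_IF $LAN2_IF; do
        $IPT -A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
        $IPT -A INPUT -i $lan -p udp --dport 53 -j ACCEPT
        $IPT -A INPUT -i $lan -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done
    # Transparent proxy: REDIRECT points packets at the gateway itself, so
    # these DO traverse INPUT, unlike the DNAT rules further down.
    $IPT -t nat -A PREROUTING -i $CAM_IF -p tcp --dport 80 -j REDIRECT --to-ports 3128
    $IPT -A INPUT -i $CAM_IF -p tcp --dport 3128 -m conntrack --ctstate NEW -j ACCEPT
}

allow_outbound() {
    # "Opening" 5546-5549 for a session the XP host initiates means letting
    # NEW connections out to ppp0 and masquerading them; no DNAT is involved.
    $IPT -A FORWARD -i $CAM_IF -s $CAM_HOST -o $WAN -p tcp --dport $CENTERV2_PORTS -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $CAM_IF -s $CAM_HOST -o $WAN -j DROP   # camera host gets nothing else; add DNS/NTP above if it needs them
    $IPT -A FORWARD -i $CAM_IF -s $CAM_NET -o $WAN -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN2_IF -s $LAN2_NET -o $WAN -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $CAM_NET -o $WAN -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s $LAN2_NET -o $WAN -j MASQUERADE
}

publish_camera_port() {
    port=$1
    # Internet -> camera: PREROUTING rewrites the destination first, so the
    # filter table sees $CAM_HOST in FORWARD and INPUT never sees the packet.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport $port -j DNAT --to-destination $CAM_HOST
    $IPT -A FORWARD -i $WAN -o $CAM_IF -p tcp -d $CAM_HOST --dport $port -m conntrack --ctstate NEW -j ACCEPT
    # Hairpin for clients on the camera segment that connect to the gateway
    # address: SNAT to $CAM_GW makes the camera reply to the gateway, which
    # de-NATs it; without it the camera answers the client directly and the
    # client discards a reply that comes from the wrong address.
    $IPT -t nat -A PREROUTING -i $CAM_IF -d $CAM_GW -p tcp --dport $port -j DNAT --to-destination $CAM_HOST
    $IPT -A FORWARD -i $CAM_IF -o $CAM_IF -p tcp -d $CAM_HOST --dport $port -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $CAM_IF -s $CAM_NET -d $CAM_HOST -p tcp --dport $port -j SNAT --to-source $CAM_GW
}

apply_all() {
    reset_tables
    base_policy
    allow_outbound
    for p in $CAM_PORTS; do publish_camera_port "$p"; done
}

if [ "$1" = "apply" ]; then apply_all; fi
```

Load it with `sh rc.firewall apply` (Slackware's convention is /etc/rc.d/rc.firewall rather than rc.local) after `sysctl -w net.ipv4.ip_forward=1`; `IPT=dryrun sh rc.firewall apply` shows exactly what would be installed. Verify forwarding with the counters in `iptables -vnL FORWARD` and `iptables -t nat -vnL PREROUTING` while a client connects, not with nmap against 127.0.0.1, which only reports listeners on the gateway itself. Clients on eth1 can be given the same PREROUTING DNAT rule on eth1 without the SNAT step, because their replies already route through the gateway; if hairpinned eth2 clients still see the camera answering directly, disabling ICMP redirects on that interface (`net.ipv4.conf.eth2.send_redirects=0`) may be needed. Finally, the three DNAT rules on ppp0 expose an XP host to the whole Internet: where the set of remote viewers is known, add `-s` with their addresses to those rules.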
 
  

