Old 04-13-2004, 04:33 AM   #1
fychan
LQ Newbie
 
Registered: Apr 2004
Location: London, UK
Distribution: Redhat Fedora
Posts: 2

Rep: Reputation: 0
Port forwarding with iptables on Fedora


Right, before I start, I really must emphasise the fact that I really am a Linux newbie. About as new as you can get :P

I was running a Windows 2K box as my server/gateway, but have since decided to move to Linux. I have a comprehensive website written in ColdFusion on the 2K box, but I don't have the Linux version of CF at the moment and would like to keep my website up online until I have moved it to PHP or got a Linux version of CF... whatever.

I've been told that I can set my Linux box up to "bounce" requests on port 80 to my 2K machine and thus return the web pages to browsers "invisibly" by either using Apache or iptables, so I've been looking into the latter. I've come across loads of posts about this sort of thing (i.e. /questions/showthread.php?s=&forumid=3&threadid=161490), and have tried implementing them, but I am getting "Connection refused" errors in my browser, and I can't work out where the problem lies, and was hoping someone could look at this lot and tell me where I'm going wrong...

Some background:
192.168.143.87 = Win2K box.
80.1.240.91 = new Fedora installed box, with Apache running on port 81
eth0 = external interface
eth1 = local network

I really don't know what is useful to anyone, so I've just dumped the whole lot.... Sorry

iptables -t nat -L
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:192.168.143.87:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.143.0/24     anywhere
MASQUERADE  all  --  192.168.85.0/24      anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -L
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.143.0/24     anywhere
ACCEPT     all  --  192.168.85.0/24      anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
INETIN     all  --  anywhere             anywhere
INETOUT    all  --  anywhere             anywhere
INETOUT    all  --  anywhere             anywhere
ACCEPT     all  --  192.168.143.0/24     anywhere
ACCEPT     all  --  192.168.85.0/24      anywhere
ACCEPT     tcp  --  anywhere             192.168.143.87      tcp dpt:http

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
INETOUT    all  --  anywhere             anywhere

Chain DMZIN (0 references)
target     prot opt source               destination

Chain DMZOUT (0 references)
target     prot opt source               destination

Chain INETIN (3 references)
target     prot opt source               destination
TREJECT    all  --  anywhere             anywhere            state INVALID
TREJECT    icmp --  anywhere             anywhere            icmp redirect
TREJECT    icmp --  anywhere             anywhere            icmp router-advertisement
TREJECT    icmp --  anywhere             anywhere            icmp router-solicitation
TREJECT    icmp --  anywhere             anywhere            icmp type 15
TREJECT    icmp --  anywhere             anywhere            icmp type 16
TREJECT    icmp --  anywhere             anywhere            icmp address-mask-request
TREJECT    icmp --  anywhere             anywhere            icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5
TREJECT    icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp !echo-request
TCPACCEPT  tcp  --  anywhere             anywhere            tcp dpt:ssh
UDPACCEPT  udp  --  anywhere             anywhere            udp dpt:bootpc
UDPACCEPT  udp  --  anywhere             anywhere            udp dpt:6112
UDPACCEPT  udp  --  anywhere             anywhere            udp dpt:6119
UDPACCEPT  udp  --  anywhere             anywhere            udp dpt:4000
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
TCPACCEPT  tcp  --  anywhere             anywhere            tcp dpts:1024:65535 state RELATED
UDPACCEPT  udp  --  anywhere             anywhere            udp dpts:1024:65535 state RELATED
TREJECT    all  --  anywhere             anywhere

Chain INETOUT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain LDROP (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level info prefix `TCP Dropped '
LOG        udp  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level info prefix `UDP Dropped '
LOG        icmp --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level info prefix `ICMP Dropped '
LOG        all  -f  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Dropped '
DROP       all  --  anywhere             anywhere

Chain LREJECT (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG        udp  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG        icmp --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG        all  -f  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain LTREJECT (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG        udp  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG        icmp --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG        all  -f  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain PREROUTING (0 references)
target     prot opt source               destination

Chain TCPACCEPT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 20/sec burst 5
LOG        tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 2/sec burst 5 LOG level warning prefix `Possible SynFlood '
TREJECT    tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN
LOG        all  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch in TCPACCEPT '
TREJECT    all  --  anywhere             anywhere

Chain TREJECT (13 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain UDPACCEPT (5 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch on UDPACCEPT '
TREJECT    all  --  anywhere             anywhere

Chain ULDROP (0 references)
target     prot opt source               destination
ULOG       tcp  --  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_TCP' queue_threshold 1
ULOG       udp  --  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_UDP' queue_threshold 1
ULOG       icmp --  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_ICMP' queue_threshold 1
ULOG       all  -f  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_FRAG' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain ULREJECT (0 references)
target     prot opt source               destination
ULOG       tcp  --  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_TCP' queue_threshold 1
ULOG       udp  --  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG       icmp --  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG       all  -f  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_FRAG' queue_threshold 1
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain ULTREJECT (0 references)
target     prot opt source               destination
ULOG       tcp  --  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_TCP' queue_threshold 1
ULOG       udp  --  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_UDP' queue_threshold 1
ULOG       icmp --  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_ICMP' queue_threshold 1
ULOG       all  -f  anywhere             anywhere            limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_FRAG' queue_threshold 1
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
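
An added illustration, not part of the thread: this script replays the FORWARD chain from the listing above, rule by rule in the order iptables evaluates them, for a new inbound HTTP connection whose destination PREROUTING has already DNATed to 192.168.143.87:80, and reports which rule produces the verdict; it then repeats the walk with the ACCEPT ... dpt:http rule moved to the top of FORWARD. The rule table is hand-built from the pasted output (icmp/udp-only rules that cannot match a TCP packet are left out) and the client address 203.0.113.5 is a constructed documentation address.

```python
import ipaddress

def rule(target, proto="all", src=None, dst=None, dport=None, state=None):
    return dict(target=target, proto=proto, src=src, dst=dst, dport=dport, state=state)

# Rule table constructed from the pasted `iptables -L`, in evaluation order; the
# icmp/udp-only rules, which cannot match a TCP packet, are left out.
CHAINS = {
    "FORWARD": [rule("INETIN"), rule("INETIN"), rule("INETOUT"), rule("INETOUT"),
                rule("ACCEPT", src="192.168.143.0/24"), rule("ACCEPT", src="192.168.85.0/24"),
                rule("ACCEPT", proto="tcp", dst="192.168.143.87/32", dport=80)],  # DNAT target
    "INETIN": [rule("TREJECT", state="INVALID"), rule("TCPACCEPT", proto="tcp", dport=22),
               rule("ACCEPT", state="ESTABLISHED"),
               rule("TCPACCEPT", proto="tcp", dport=(1024, 65535), state="RELATED"),
               rule("TREJECT")],                           # catch-all at the end of INETIN
    "INETOUT": [rule("ACCEPT")],
    "TCPACCEPT": [rule("ACCEPT", proto="tcp")],           # SYN rate limit not modelled
    "TREJECT": [rule("REJECT tcp-reset", proto="tcp"), rule("REJECT port-unreachable", proto="udp"),
                rule("DROP", proto="icmp"), rule("REJECT port-unreachable")],
}
TERMINAL = ("ACCEPT", "DROP", "REJECT")

def matches(r, pkt):
    if r["proto"] not in ("all", pkt["proto"]) or (r["state"] and r["state"] != pkt["state"]):
        return False
    if r["dport"] is not None:
        lo, hi = r["dport"] if isinstance(r["dport"], tuple) else (r["dport"], r["dport"])
        if not lo <= pkt["dport"] <= hi:
            return False
    return all(not r[k] or ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(r[k])
               for k in ("src", "dst"))

def walk(pkt, chains, chain, path):
    # First matching terminal rule wins; a user chain that falls through returns None.
    for i, r in enumerate(chains[chain]):
        if matches(r, pkt):
            path.append(f"{chain}[{i}] -> {r['target']}")
            verdict = r["target"] if r["target"].startswith(TERMINAL) else walk(pkt, chains, r["target"], path)
            if verdict:
                return verdict
    return None

def verdict_for(pkt, chains=CHAINS):
    # Returns (verdict, path taken); FORWARD's policy DROP applies if nothing matched.
    path = []
    return (walk(pkt, chains, "FORWARD", path) or "DROP (FORWARD policy)"), path

def http_rule_first(chains):
    # Same rule set with FORWARD's last rule (ACCEPT tcp ... dpt:http) moved to the top.
    return dict(chains, FORWARD=[chains["FORWARD"][-1]] + chains["FORWARD"][:-1])

# Constructed packet: NEW connection from Internet client 203.0.113.5 (documentation
# address), destination already DNATed by PREROUTING to the Win2K box.
INBOUND_HTTP = dict(proto="tcp", src="203.0.113.5", dst="192.168.143.87", dport=80, state="NEW")
```

One caveat when reading the pasted listing: `iptables -L` without `-v` does not show `-i`/`-o` interface matches, so the two INETIN jumps in FORWARD may be restricted to particular interfaces; `iptables -L -v -n` shows them, and a packet arriving on the external interface takes the same path either way.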
 
Old 04-13-2004, 10:34 AM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
How can we see the trouble?? If I send you output like this, could you see the trouble?

Try the following URL:
http://iptables-script.dk/index1.php
 
Old 04-13-2004, 11:17 AM   #3
fychan
LQ Newbie
 
Registered: Apr 2004
Location: London, UK
Distribution: Redhat Fedora
Posts: 2

Original Poster
Rep: Reputation: 0
I'm sorry, like I said, I'm a newbie, and I don't know what the problem is, or where it lies. So I don't know what will / would be useful.

I'm just stuck with a problem which I don't have a clue how to solve. Sorry.
 
Old 04-13-2004, 11:49 AM   #4
artur
Member
 
Registered: Apr 2002
Location: Illinois, US
Distribution: Red Hat, Fedora, Yellow Dog, Debian, FreeBSD, Embedix
Posts: 106

Rep: Reputation: 15
Is forwarding enabled? Try
cat /proc/sys/net/ipv4/ip_forward
to check. It should be 1; if not, do
echo 1 > /proc/sys/net/ipv4/ip_forward

Posting more details about your network would help. Do you have two ethernet interfaces on your linux box? Use tcpdump on both interfaces to see what happens to the packets. It would be interesting to know which box says "Connection refused". Is it the linux box or windoze?

What does netstat -anp --inet display?
 