LinuxQuestions.org

Linux - Networking: Server doesn't work with port forwarding enabled (https://www.linuxquestions.org/questions/linux-networking-3/server-doesnt-work-with-port-forwarding-enables-194701/)

Dawyea 06-17-2004 04:48 PM

Server doesn't work with port forwarding enabled
 
I have a Linux box set up as a gateway for my internal network. I'm using the same machine as an Apache webserver. I am able to connect to my server remotely if I disable port forwarding; however, if port forwarding is enabled, it won't work. I have computers behind the gateway that must access the internet, so I can't disable port forwarding. Any help would be appreciated. Thanks

peter_robb 06-17-2004 05:10 PM

What firewall rules do you have?
do iptables-save to show all active rules..

When you say 'connect', what do you mean? ssh, http, ping? etc.

Dawyea 06-17-2004 06:14 PM

I mean connecting with http on port 80. Here are my rules, where xxx.xxx.xxx.xxx is the ip address of eth0. They were generated using Firewall Builder.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RULE_1 - [0:0]
:RULE_9 - [0:0]
:eth0_In_RULE_0 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j eth0_In_RULE_0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.1 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.1 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.8/255.255.255.248 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.8/255.255.255.248 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.4/255.255.255.252 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.4/255.255.255.252 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.254 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.254 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.16/255.255.255.248 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.16/255.255.255.248 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.24 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.24 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -j ACCEPT
-A INPUT -j RULE_9
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j eth0_In_RULE_0
-A FORWARD -s 192.168.0.0/255.255.0.0 -m state --state NEW -j ACCEPT
-A FORWARD -j RULE_9
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 2542 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 7001 -m state --state NEW -j RULE_1
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 10071 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.1.1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -d 192.168.1.1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.0.0 -m state --state NEW -j ACCEPT
-A OUTPUT -j RULE_9
-A RULE_1 -j LOG --log-prefix "RULE 1 -- ACCEPT " --log-level 6
-A RULE_1 -j ACCEPT
-A RULE_9 -j LOG --log-prefix "RULE 9 -- DENY " --log-level 6
-A RULE_9 -j DROP
-A eth0_In_RULE_0 -j LOG --log-prefix "RULE 0 -- DENY " --log-level 6
-A eth0_In_RULE_0 -j DROP
COMMIT
# Completed on Thu Jun 17 16:07:15 2004
# Generated by iptables-save v1.2.9 on Thu Jun 17 16:07:15 2004
*nat
:PREROUTING ACCEPT [2694:263377]
:POSTROUTING ACCEPT [4666:283825]
:OUTPUT ACCEPT [5030:310941]
:Cid40D1FB72.0 - [0:0]
-A PREROUTING -d 192.168.1.1 -p tcp -m tcp --dport 10071 -j Cid40D1FB72.0
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 10071 -j Cid40D1FB72.0
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx
-A Cid40D1FB72.0 -s 192.168.1.8/255.255.255.248 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.4/255.255.255.252 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.2/255.255.255.254 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.1 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.16/255.255.255.248 -j RETURN
-A Cid40D1FB72.0 -s 192.168.1.24 -j RETURN
-A Cid40D1FB72.0 -p tcp -m tcp --dport 10071 -j DNAT --to-destination 192.168.1.100
COMMIT

peter_robb 06-17-2004 07:21 PM

YUK...
very messy rules..
Lots of duplicated rules and bad netmasks...
No interface specifications either..

Let me look at them in the morning...
There is something else apart from the rules not working tho'..

Dawyea 06-17-2004 07:30 PM

Here is a much simpler set of rules I was using previously. I still had the same problem with these rules.

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Dawyea 06-18-2004 02:12 PM

I decided to disable my Linux machine's routing capabilities and hooked it up to a Linksys router. I disabled packet forwarding and set the Linux box up as a DMZ host, but it still won't work. I also tried to use the router's port forwarding capabilities (which I successfully used several months ago) to forward all port 80 traffic to the Linux system, but that doesn't even work anymore. I would greatly appreciate any help you could give me. Thanks a lot!

Dawyea 06-18-2004 05:23 PM

Does anyone at least have an idea how I can see what's happening to the data so I can narrow the problem down? Thanks

peter_robb 06-19-2004 10:57 AM

Ok,
clear out the iptables rules, do service iptables stop

then do iptables -t nat -A PREROUTING -j LOG --log-prefix "incoming "
and tail -f /var/log/messages to watch the LOG entries
This will show incoming connections on any interface..

Also you can use tcpdump -i eth0
more details are in man tcpdump
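To make the LOG output from the PREROUTING rule above easier to read, here is an added helper (not from this thread or from any of its posters) that counts the TCP SYNs carrying the "incoming " prefix for a given destination port and says which interface they arrived on. If port-80 SYNs show up in PREROUTING on eth0 but the connection still fails, the packet is being lost later (filter table or routing); if they never show up, the problem is upstream of the box. The log lines embedded in the script are constructed samples in the standard netfilter LOG format; the addresses and MACs are placeholders.

```shell
#!/bin/sh
# Added example: summarise kernel LOG lines produced by
#   iptables -t nat -A PREROUTING -j LOG --log-prefix "incoming "
# Constructed sample of /var/log/messages (placeholder addresses).
SAMPLE_LOG='Jun 19 10:58:01 gw kernel: incoming IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 10:58:02 gw kernel: incoming IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 10:58:03 gw kernel: incoming IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.24 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 10:58:04 gw kernel: incoming IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4720 DF PROTO=TCP SPT=51240 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Jun 19 10:58:05 gw kernel: incoming IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4730 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# count_syns PREFIX DPORT
#   Reads LOG lines on stdin, keeps only TCP packets with the SYN flag and
#   no ACK flag (i.e. new connection attempts, not SYN-ACKs) whose log prefix
#   is PREFIX and whose destination port is DPORT, and prints
#   "<total> <iface>:<count> ..." so you can see where they entered.
count_syns() {
    prefix=$1
    dport=$2
    grep -F -- "${prefix}IN=" |
    grep -E 'PROTO=TCP .* SYN ' |
    grep -v ' ACK ' |
    grep -- " DPT=${dport} " |
    sed -n 's/.* IN=\([^ ]*\) .*/\1/p' |
    sort | uniq -c |
    awk '{ n += $1; i = i " " $2 ":" $1 } END { print n + 0 i }'
}

# Usage on the sample: port 80 SYNs seen on eth0, so packets do reach the
# box and any failure is further along the path.
printf '%s\n' "$SAMPLE_LOG" | count_syns "incoming " 80
# Against a real log use a snapshot, not tail -f (sort needs EOF):
#   count_syns "incoming " 80 < /var/log/messages
```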

