LinuxQuestions.org
#1  06-23-2004, 03:59 PM  kemplej (Member, registered Dec 2003)
Very Stupid Question about Iptables & Portforwarding


What lines would I add to port-forward all port 25 traffic to a mail server on 200.0.0.254?
 
#2  06-23-2004, 05:07 PM  ToniT (Senior Member, Zurich, Switzerland; Debian/unstable)
a) All traffic that is sent to your server,
b) traffic passing through your server,
or c) traffic sent by your server?

In first case:
Code:
iptables --table nat --append PREROUTING --destination yourIpAddr -p tcp --destination-port 25 --jump DNAT --to-destination 200.0.0.254:25
In the second:
Code:
iptables --table nat --append PREROUTING -p tcp --destination-port 25 --jump DNAT --to-destination 200.0.0.254:25
Or in the third
Code:
iptables --table nat --append OUTPUT -p tcp --destination-port 25 --jump DNAT --to-destination 200.0.0.254:25
In the first two cases you also have to allow packets to be forwarded through your box.
That is, /proc/sys/net/ipv4/ip_forward has to be 1 and
a) the policy for the FORWARD chain has to be ACCEPT,
or b) you have to explicitly allow forwarding to the host in question on port 25:
Code:
iptables --append FORWARD -p tcp --destination 200.0.0.254 --destination-port 25 --jump ACCEPT
 
#3  06-24-2004, 01:17 PM  kemplej (Original Poster)
OK, thanks for the advice; however, it's still not working.

Is there something wrong with this script that would prevent port forwarding?
Code:
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/usr/local/sbin/iptables"
echo 1 > /proc/sys/net/ipv4/ip_forward
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -F FORWARD

$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 200.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.100.5

$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

$iptables -A INPUT -p tcp --dport 22 -j ACCEPT

$iptables --append FORWARD -p tcp --destination 200.0.0.254 --destination-port 80 --jump ACCEPT
# The port option on the next line was garbled in the post ("--85"); --destination-port 80 matches the FORWARD rule above and the :80 target.
$iptables --table nat --append PREROUTING --destination 192.168.100.5 -p tcp --destination-port 80 --jump DNAT --to-destination 200.0.0.254:80

I've tried all sorts of rule creators, but still nothing.
 
#4  06-24-2004, 02:46 PM  ToniT
You are not giving enough information, so I'll try to guess some things here:
-Your box is working as a router between your LAN and the internet.
-The internal IP address of the box is 192.168.100.5, and it is on eth1.
-You have another, external IP address on eth0, and it is connected to the internet (via ADSL box, cable modem, or similar).
-200.0.0.254 is an address outside your LAN and thus physically behind eth0.

If those are correct, the line:
$iptables -t nat -A POSTROUTING -s 200.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.100.5
is incorrect, because it tries to use an internal IP address when talking to the outside.
Replace it with something like:
Code:
$iptables -t nat -A POSTROUTING -s 200.0.0.0/24 -o eth0 -j SNAT --to-source external.ip.addr
(with the correct external.ip.addr) or, if the IP address is dynamic, you can use
Code:
$iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Last edited by ToniT; 06-24-2004 at 02:48 PM.
 
#5  06-25-2004, 11:08 AM  kemplej (Original Poster)
Thanks for the help. Let me explain this a bit better. We have 2 sites. One is for an IDS box; the other site we are using as a test site.


Main site looks like this
[internet] --> [cisco router] --> [IDS BOX] ---> [switch] --> [LAN]

IDS BOX info:
eth0 - 192.168.100.5
eth1 - 192.168.1.5
Backup Site:
[internet] --> [linksys router] --> [switch] --> [test box] + [LAN]

We change the backup site so it looks like
[internet] --> [linksys] --> [switch] --> [test box] + [lan]
^--[Box on a 192.168.100.* subnet]
I change eth0 to 192.168.100.5 and set the box on a 192.168.100.* subnet to use 192.168.100.5 as its gateway.
I change eth1 to 200.0.0.250

Reason why we're doing this.

On the main site we were able to get all traffic to pass through; however, we could NOT forward port 25 to their email server. The Cisco tech set the router to forward all port 25 requests to the IDS box, and he wants the IDS box to forward the requests to the mail server.

So instead of going on site and guessing at how to make it work, we wanted to test whether we could get port 25 requests to forward to our local mail server on our TEST SITE. We have tried various iptables rule creators; however, the only one with which we could get NAT to work was quicktables.

Sorry for any confusion, but that's the whole story.
 
#6  06-26-2004, 12:11 PM  ToniT
I'm somewhat confused now..

Ok, so your main configuration is (physically):
[Internet] <->
{Some external IP} [cisco router] {Internal IP 192.168.1.something}
<- subnet (A) 192.168.1.0/24 ->
{192.168.1.5/eth1} [IDS box (what does IDS mean, anyway?)] {192.168.100.5/eth0}
<- subnet (B) 192.168.100.0/24 ->... (B) {ip addresses 192.168.100.something} [other machines..]

But you are not touching that; instead you have:
Internet <- ->
{Some external IP} [linksys router] {Internal IP 192.168.100.something}
<- subnet (A) 192.168.100.0/24 ->*

*(A) {192.168.100.5/eth0} [test box] {200.0.0.250/eth1} <- subnet (B) 200.0.0.0/24 -> (B) {200.0.0.254} [mail server]

*...(A) {192.168.100.something} [other machines]

Legend:
-the star here represents a switch with 3+ machines connected,
-"<-...->" is a wire or a collection of wires physically connected (e.g. by a switch),
-"{...}" a network interface,
-"[...]" a machine,
-"..." 1 or more instances


Is this a correct description of your network setup?
So, what do you want to do? If I follow you correctly,
you either
a) want all connections made from the other machines (the ones in the 192.168.100/24 subnet) in the test configuration to anywhere:25 to be forwarded to the mail server,
or
b) want all connections arriving from the linksys router (from the internet) at your testbox to be forwarded to the mail server,
c) or something else?

How to do
a)
-the other machines must have the testbox as their default gateway.
Code:
iptables --table nat --append PREROUTING -p tcp -i eth0 --destination-port 25 --jump DNAT --to-destination 200.0.0.254:25
iptables --append FORWARD -i eth0 -p tcp --destination-port 25 --jump ACCEPT
b)
-The router has to deliver the packets to the testbox's interface eth0.
Code:
iptables --table nat --append PREROUTING -p tcp -i eth0 --destination 192.168.100.5 --destination-port 25 --jump DNAT --to-destination 200.0.0.254:25
iptables --append FORWARD -i eth0 -p tcp --destination-port 25 --jump ACCEPT
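
The rules ToniT gives for case b), assembled into one script as an added example (this is not code from the thread, from ToniT, or from quicktables). It keeps the thread's addresses, eth0 = 192.168.100.5 on the client/router side and eth1 = 200.0.0.250 on the side of the mail server 200.0.0.254; the variable names, the dry-run `ipt` wrapper, the `forwarding_enabled` check and the SNAT_RETURN switch are this example's own. It prints the rules by default and only applies them when run with APPLY=1, so it can be reviewed on any machine before it touches a firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: the complete rule set for ToniT's
# case b) (connections arriving on eth0 for the test box, port 25, handed to
# the mail server), printed as a dry run by default and applied with APPLY=1.
#
# Addresses and interfaces are the ones given in the thread:
#   eth0 = 192.168.100.5 (side the client/router is on)
#   eth1 = 200.0.0.250   (side the mail server 200.0.0.254 is on)
# The variable names and the SNAT_RETURN switch are this example's own.

EXT_IF=${EXT_IF:-eth0}
EXT_IP=${EXT_IP:-192.168.100.5}
INT_IF=${INT_IF:-eth1}
MAIL=${MAIL:-200.0.0.254}
PORT=${PORT:-25}
# SNAT_RETURN=1: also rewrite the source so the mail server answers through
# this box.  Needed whenever the mail server's default route does not point
# back here; otherwise its SYN/ACK goes straight to the client, which drops it
# because it was talking to EXT_IP, not to the mail server.
SNAT_RETURN=${SNAT_RETURN:-0}

# ipt: run iptables when APPLY=1, otherwise print the command that would run.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# forwarding_enabled: 0 if net.ipv4.ip_forward is 1, 1 if it is 0,
# 2 if /proc is not readable here (e.g. not on Linux or not root).
forwarding_enabled() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = 1 ]
}

# gen_rules: emit the rules in the order the packet meets them.
gen_rules() {
    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    #    Matching on -d EXT_IP keeps the rule from grabbing LAN traffic that
    #    merely transits this box on its way to some other SMTP server.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport "$PORT" \
        -j DNAT --to-destination "$MAIL:$PORT"
    # 2. filter/FORWARD: this chain sees the packet AFTER the DNAT, so match
    #    the mail server's address, not EXT_IP.  Only the first packet of a
    #    connection needs this rule; the rest is covered by conntrack below.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$MAIL" --dport "$PORT" \
        -m state --state NEW -j ACCEPT
    # 3. Replies: conntrack reverses the DNAT on the way back automatically,
    #    but the FORWARD chain still has to let the packets through.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Optional source rewrite so the return path is forced through here.
    if [ "$SNAT_RETURN" = 1 ]; then
        ipt -t nat -A POSTROUTING -o "$INT_IF" -p tcp -d "$MAIL" --dport "$PORT" \
            -j MASQUERADE
    fi
}

forwarding_enabled || echo "# warning: ip_forward is not 1 (or not readable); DNAT alone will not forward" >&2
gen_rules
```

Two things to keep in mind when dropping these into a script like the quicktables one above: the FORWARD rules have to sit before anything that drops forwarded traffic (a `-P FORWARD DROP` policy is fine, a blanket DROP rule earlier in the chain is not), and the FORWARD match is on the mail server's address, because by the time the filter table runs the destination has already been rewritten. SNAT_RETURN=1 makes the forward work even when the mail server's default gateway is some other router, at the cost that the mail server then sees every connection as coming from the test box, which hurts SMTP logging and any source-based spam filtering.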
 
#7  06-28-2004, 12:21 PM  kemplej (Original Poster)
Still does not work. This is my script; am I missing some syntax or something really stupid?

Code:
#!/bin/sh
#
# generated by ./quicktables-2.3 on 2004.06.28.13
#

# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/usr/local/sbin/iptables"

# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 200.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.100.5
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""
$iptables --table nat --append PREROUTING -p tcp -i eth0 --destination-port 25 --jump DNAT --to-destination 200.0.0.254:25
$iptables --append FORWARD -i eth0 -p tcp --destination-port 25 --jump ACCEPT

# logging
echo " applying logging rules"
echo ""
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

echo "### quicktables is loaded ###"
echo ""
 
#8  06-28-2004, 04:09 PM  ToniT
Is there a newline between the lines
"$iptables -F FORWARD" and "$iptables -F -t nat"?

What do "ifconfig" and "route" output?
Do you get any "tcp connection: " log messages when you try to connect to the testbox on port 25? (You shouldn't; they should be forwarded to the mail server.)

Try putting log lines like
Code:
iptables --append FORWARD --jump LOG --log-level debug
before the port 25 forwarding rules (DNAT) to see how forwarding is working.

You are aware that all the traffic sent from the mail server is actually masqueraded as coming from the testbox?
 
#9  06-30-2004, 08:23 AM  kemplej (Original Poster)
ifconfig output:
eth0 Link encap:Ethernet HWaddr 00:40:05:3A:67:F1
inet addr:192.168.100.5 Bcast:192.168.100.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:124 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18416 (17.9 Kb) TX bytes:462 (462.0 b)
Interrupt:9 Base address:0xdc00

eth1 Link encap:Ethernet HWaddr 00:40:05:3D:6B:85
inet addr:200.0.0.250 Bcast:200.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:548 errors:0 dropped:0 overruns:0 frame:0
TX packets:337 errors:0 dropped:0 overruns:0 carrier:0
collisions:10 txqueuelen:1000
RX bytes:63085 (61.6 Kb) TX bytes:64369 (62.8 Kb)
Interrupt:11 Base address:0xf800

route output:
root@testbox2:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default 200.0.0.105 0.0.0.0 UG 1 0 0 eth1

I see this in /var/log/debug:
Jun 30 08:12:02 testbox2 kernel: IN=eth0 OUT=eth1 SRC=192.168.100.7 DST=200.0.0.254 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=5910 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1024
Jun 30 08:12:03 testbox2 kernel: IN=eth0 OUT=eth1 SRC=192.168.100.7 DST=200.0.0.254 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=5911 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1280
Jun 30 08:12:04 testbox2 kernel: IN=eth0 OUT=eth1 SRC=192.168.100.7 DST=200.0.0.254 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=5912 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1536
Jun 30 08:12:05 testbox2 kernel: IN=eth0 OUT=eth1 SRC=192.168.100.7 DST=200.0.0.254 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=5913 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1792
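
A small log sorter, added here as an example and not part of the thread, for reading the FORWARD log lines ToniT suggested together with the INPUT lines the quicktables script already logs under the "tcp connection: " prefix. The sample lines embedded in it are constructed: the ICMP one copies the format of the lines posted above, the two TCP lines are made up to show one forwarded (DNATed) packet and one that hit the box itself. The MAIL and BOX addresses are the thread's; the function name, tags and everything else are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: sort netfilter LOG lines by where
# the packet went, so the FORWARD log line ToniT asked for can answer the
# real question: did the DNAT happen?
#   DNATED  the packet was forwarded (OUT set) and already carries the mail
#           server's address, so nat/PREROUTING rewrote it.
#   LOCAL   the packet has no OUT interface and is addressed to the box
#           itself; it was logged from INPUT, so the DNAT rule did not match.
#   OTHER   anything else on that port (different target, odd direction).
#
# SAMPLE_LOG is constructed for this example in the kernel's LOG format: the
# first line mirrors an ICMP line from the thread, the two TCP lines are made
# up to show one packet of each kind.  MAIL and BOX are the thread's addresses.

MAIL=${MAIL:-200.0.0.254}
BOX=${BOX:-192.168.100.5}

SAMPLE_LOG='Jun 30 08:12:02 testbox2 kernel: IN=eth0 OUT=eth1 SRC=192.168.100.7 DST=200.0.0.254 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=5910 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1024
Jun 30 08:12:10 testbox2 kernel: IN=eth0 OUT=eth1 SRC=192.168.100.7 DST=200.0.0.254 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=5914 DF PROTO=TCP SPT=1088 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 30 08:12:13 testbox2 kernel: tcp connection: IN=eth0 OUT= MAC=00:40:05:3a:67:f1:00:0c:29:11:22:33:08:00 SRC=192.168.100.7 DST=192.168.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=5915 DF PROTO=TCP SPT=1089 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0'

# classify_port LOGTEXT PORT: one output line per TCP packet to PORT, in the
# form "TAG src -> dst:port".  Non-TCP lines and other ports are skipped.
classify_port() {
    printf '%s\n' "$1" | awk -v port="$2" -v mail="$MAIL" -v box="$BOX" '
    {
        split("", f)                      # clear the key=value map per line
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n < 2) continue           # timestamp, hostname, flags like DF
            k = substr($i, 1, n - 1)
            if (!(k in f)) f[k] = substr($i, n + 1)   # keep the IP ID=, not the ICMP one
        }
        if (f["PROTO"] != "TCP" || f["DPT"] != port) next
        if (f["OUT"] != "" && f["DST"] == mail)      tag = "DNATED"
        else if (f["OUT"] == "" && f["DST"] == box)  tag = "LOCAL"
        else                                         tag = "OTHER"
        print tag, f["SRC"], "->", f["DST"] ":" f["DPT"]
    }'
}

# Stand-alone run: classify the constructed sample for port 25.
# On a live box:  classify_port "$(grep DPT=25 /var/log/debug)" 25
classify_port "$SAMPLE_LOG" 25
```

Reading the result: a LOCAL line for port 25 means the packet reached the box's own INPUT chain, so the nat/PREROUTING DNAT rule never matched it (wrong -i, wrong --destination, or the rule was flushed after being loaded). A DNATED line with no reply traffic following it means the rewrite worked and the problem is further on, in the FORWARD chain or in the return path from the mail server.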
 
#10  06-30-2004, 08:37 AM  ToniT
The log messages look like you are trying to ping the mail server from some box in the LAN that is behind the testbox. That shouldn't work, because you have not accepted forwarding from interface eth0.

What should work is trying "telnet 192.168.1.5 25" from e.g. 192.168.1.7; you should actually be connected to the mail server.
 
#11  06-30-2004, 02:26 PM  kemplej (Original Poster)
So even with 192.168.100.7's gateway set to 192.168.100.5, it's still considered behind the box?
 
#12  06-30-2004, 07:34 PM  ToniT
Yes. It sends all packets whose destination is not in its own subnet (see the diagram) to the default gateway (that is, 192.168.100.5). If some SNAT/masquerading happens, then the original source is not necessarily seen anymore; if some DNAT happens, then the packet is not necessarily sent to the original destination.

Do you just want this: (every packet that is sent from some other machine (e.g. .7)) && (is originally addressed to destination 200.0.0.254) ==> will be delivered to that mail server?
If so, you don't necessarily need a single rule in your iptables.
For the testbox: just check that IP forwarding is enabled (echo 1 > /proc/sys/net/ipv4/ip_forward) and that you don't explicitly block forwarding in iptables (e.g. the FORWARD chain is empty and its default policy is ACCEPT).
For the client: it has its default gateway set to the testbox, and the address 200.0.0.254 is outside of its subnet (according to the netmask).
 
#13  07-02-2004, 01:43 PM  kemplej (Original Poster)
When you say the FORWARD chain should have the default policy and be empty, do you mean this? (part of the output of iptables -L):
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
 
#14  07-02-2004, 02:00 PM  ToniT
Without the -v flag in iptables I can't be certain what that table does, but it seems there are no DROP rules and the default policy is ACCEPT, so it looks fine.
 
#15  07-06-2004, 10:07 AM  kemplej (Original Poster)
Still not working. Would it happen to be because in my test lab all 3 machines (client, firewall, other server) are on the same switch?

Would the firewall script I posted work in the actual environment?
 
  

