LinuxQuestions.org
Old 06-18-2005, 09:56 AM   #1
wesleywestervel
LQ Newbie
 
Registered: Aug 2004
Posts: 13

Rep: Reputation: 0
[IPTABLES] FORWARD problem :(


Hi, I just got some assistance on iptables since I'm new to it, but I really need to solve this problem since it's driving me nuts.
I'm running FEDORA CORE 4.

I have 1 client PC that wants to connect with the webserver, but since the webserver is behind a firewall, it is not possible.
I've added these two lines but no success:

-A FORWARD -i eth0 -o eth1 -d 10.0.0.2 -p tcp --dport 80 -j ACCEPT
(shows up when i do an "iptables -L")

-A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.2:80
(doesn't show up when I do an "iptables -L" and also doesn't work with -t nat etc etc).

!!DETAILS INCLUDED IN THE PICTURE!!
here is a situation of my environment:
http://home.planet.nl/~west2985/situation.JPG

1 more question
I can't seem to find a clear answer about the difference between PREROUTING and POSTROUTING.
My thoughts were that they are needed to route and 1 is for incoming and 1 for outgoing.

Thnx in advance
 
Old 06-18-2005, 10:49 AM   #2
Half_Elf
LQ Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 46
First, you should use some network debug tools (like: iptraf, tcpdump, ettercap) to find out where the connection drops. That kind of problem is much easier to debug when you use the right tools.

Second, you forgot something important: the connection will be forwarded from eth0 to eth1, right, but it also needs to _come back_ or you won't get any answer. Make sure you enabled forward from eth1 to eth0 too, it might help. Also, I could say your forward rule is a bit too tight, I mean, it would be far easier to accept "any" forward but to tell the router to DNAT just certain requests.
Oh and I think there is a mistake in your DNAT command, are you sure you don't get any error message using this one? It should be:
Code:
-A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.2:80
About PREROUTING/POSTROUTING. I agree they are quite confusing. To keep it simple, think of them like this:
PREROUTING is the _very_ first rule that is checked; iptables checks this even before INPUT.
POSTROUTING is the very last rule checked.

I hope I helped, I feel my iptables is a bit rusty now
 
Old 06-18-2005, 11:03 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
if what you are trying to achieve is that when the client on 192.168.0.2 tries to access 192.168.0.1:80 he is automatically forwarded to 10.0.0.2:80 then this should do the trick:
Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 80 -d 10.0.0.2 \
-m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 80 \
-j DNAT --to-destination 10.0.0.2

iptables -t nat -A POSTROUTING -o eth0 \
-j SNAT --to-source 192.168.0.1

Last edited by win32sux; 06-18-2005 at 11:07 AM.
 
Old 06-18-2005, 11:08 AM   #4
wesleywestervel
LQ Newbie
 
Registered: Aug 2004
Posts: 13

Original Poster
Rep: Reputation: 0
Thnx so much for the quick reply, I can test this on Monday since it's a school project.

I will get back at this on Monday to let you know if it worked!
Until then, thnx so much.
 
Old 06-18-2005, 01:20 PM   #5
wesleywestervel
LQ Newbie
 
Registered: Aug 2004
Posts: 13

Original Poster
Rep: Reputation: 0
Can you help me translate the lines you just gave me, since I want to understand what I'm doing?
Code:
iptables -P FORWARD DROP

drops all forwarded traffic
Code:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

allows established and related traffic that needs to be forwarded
Code:
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 80 -d 10.0.0.2 \
-m state --state NEW -j ACCEPT

here I go wrong: does this mean that all traffic coming from eth0 will be forwarded to port 80 with IP 10.0.0.2 on eth1? Or does this mean that traffic from eth0 is allowed to be forwarded to eth1 with dport 80 and destination 10.0.0.2?
Code:
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 80 \
-j DNAT --to-destination 10.0.0.2

this would mean that if a port 80 request comes in from eth0 it will be routed to 10.0.0.2, but how does it know that it should use eth1?
Code:
iptables -t nat -A POSTROUTING -o eth0 \
-j SNAT --to-source 192.168.0.1

this would mean that traffic is routed to eth0 if the source was 192.168.0.1 (where it came in)

Last edited by wesleywestervel; 06-18-2005 at 01:21 PM.
 
Old 06-18-2005, 02:06 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Quote:
Originally posted by wesleywestervel
can you help me translate the lines you juste gave me since i want to understand what i'm doing
no problem!! here you go, buddy:

Code:
# Let's set the default policy of the FORWARD chain to DROP
# (This is so that any packet which isn't matched by any of our rules
# will hit the DROP target when it reaches the end of said chain):
iptables -P FORWARD DROP

# Let's allow the forwarding of packets which are part of a
# connection which has already been established, or are
# part of another connection which is related to it:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Let's allow the forwarding of TCP packets which entered through
# eth0 and will exit through eth1 with destination port 80 and
# destination IP 10.0.0.2 AND ARE STARTING A *NEW* CONNECTION:
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 80 -d 10.0.0.2 \
-m state --state NEW -j ACCEPT

# Let's change the destination address on any packet that
# comes in through eth0 with protocol TCP and destination
# port 80 to 10.0.0.2 (since we aren't changing the destination
# port we don't need to specify it, but if for example we wanted
# to make the destination port 7777 we'd specify 10.0.0.2:7777):
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 80 \
-j DNAT --to-destination 10.0.0.2

# Let's change the source address on any routed packet
# exiting through eth0 to make it look like it is
# coming from this box - we do this by giving it the IP
# address of our outgoing interface:
iptables -t nat -A POSTROUTING -o eth0 \
-j SNAT --to-source 192.168.0.1

Last edited by win32sux; 06-18-2005 at 02:08 PM.
 
Old 06-18-2005, 02:14 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
BTW, it might be a good idea to specify the destination address in the PREROUTING rule:
Code:
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 80 \
-d 192.168.0.1 -j DNAT --to-destination 10.0.0.2
also, if you only want the client with IP 192.168.0.2 to connect to the web server then specify that source IP in the FORWARD rule:
Code:
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 80 -d 10.0.0.2 \
-s 192.168.0.2 -m state --state NEW -j ACCEPT
 
Old 06-20-2005, 02:31 AM   #8
wesleywestervel
LQ Newbie
 
Registered: Aug 2004
Posts: 13

Original Poster
Rep: Reputation: 0
Wow, these are very clear explanations. But if you don't mind I would like to ask you another question. The whole point of me working on IPTABLES is that I have to build
a transparent FIREWALL for a school project.

What I would like to know is:
How would I set up the firewall so that if the client types 10.0.0.2 (the webserver that is behind the firewall) in his browser, the firewall would let the request through and send it to eth1 (the eth where the webserver is connected to), and after that the request is sent back from 10.0.0.2 to the client that sent that request (the packet should not get the IP of the firewall because the client would bounce that packet, since he thinks it is a bogus packet). Thnx in advance.

My thoughts are these:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 80 -d 10.0.0.2 \
-m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 80 \
-j DNAT --to-destination 10.0.0.2
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-j DNAT --to-destination 192.168.0.1

after this no idea
But after the things above my guess is the packet that is sent back to the client will get the IP of the firewall

Last edited by wesleywestervel; 06-20-2005 at 02:35 AM.
 
Old 06-20-2005, 05:25 AM   #9
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
The client sending packets to the firewall never knows the IP of the webserver, only the firewall's external number on eth0.. The PREROUTING rule sends packets from the external number to the internal number. It also remembers to translate the internal number back to the external number when replying..

To make sure packets originating from behind the firewall get the external number, add this rule..

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This will change the IP number from 10.0.0.2 to the external firewall number.
This process is called masquerading and is used if the external firewall IP number is dynamic.

If it is a static IP number, we use a NAT instead

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x

There are more CPU instructions required for MASQUERADE so it is slower than SNAT.

There is a full tutorial available at http://iptables-tutorial.frozentux.n...-tutorial.html

Your suggested rules need some massaging too..
with -p definitions, use lowercase letters, ie -p tcp

The last of your rules isn't necessary, and wouldn't work, coz the source port is 80 in a reply, the destination port could be anything..
The NAT does the reply translation.

When you want to list rules, just do iptables-save

Last edited by peter_robb; 06-20-2005 at 05:35 AM.
 
Old 06-20-2005, 07:55 AM   #10
wesleywestervel
LQ Newbie
 
Registered: Aug 2004
Posts: 13

Original Poster
Rep: Reputation: 0
But what you're saying is that it isn't possible to access a computer that is behind the firewall by its IP? (I don't try to access the webserver by the IP of the firewall but by its own IP.)
Isn't there a rule that says:

all traffic with destination webserver (80) is forwarded to ethx?

thnx for the url btw

Last edited by wesleywestervel; 06-20-2005 at 07:59 AM.
 
Old 06-20-2005, 08:24 AM   #11
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Correct. You would have to set up a static route table in the client pc to show where to find a non-routed ip number, in this case giving the firewall external ip number as the gateway to the subnet. That's very manual, adding entries to each pc that wants to connect. What's needed is an automatic solution.
That's what this dnat does, forwards the port to the internal server, regardless of the destination ip number it receives in the ip packet.
The rule could be made more specific, eg only for specific destination ip numbers, but only packets with the external firewall ip number would ever arrive, so the rule is more general.
 
Old 06-20-2005, 02:42 PM   #12
wesleywestervel
LQ Newbie
 
Registered: Aug 2004
Posts: 13

Original Poster
Rep: Reputation: 0
No matter what I try it won't work :S

I have IP forwarding on
I configured iptables with the rules you gave me

Do I need to configure something else on my private network?
Do I need to define a route?

There is no gateway present

I know I may seem annoying by keeping asking why it's not working, but I really want to get it working the right way.

Last edited by wesleywestervel; 06-20-2005 at 02:48 PM.
 
Old 06-20-2005, 02:48 PM   #13
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Can you describe your network in some more detail please..
 
Old 06-20-2005, 03:12 PM   #14
wesleywestervel
LQ Newbie
 
Registered: Aug 2004
Posts: 13

Original Poster
Rep: Reputation: 0
http://home.planet.nl/~west2985/situation.JPG

client:
Windows XP machine with a NIC and the IP 192.168.0.2/24

Firewall:
redhat fedora 4 machine
2 nics both 3com
eth0:192.168.0.1
eth1: 10.0.0.1

webserver:
redhat fedora 4 machine
eth0: 10.0.0.2
running apache

The client is connected with a cat5 cable to a switch; from that switch (switch 1) the firewall is connected to eth0 with a cat5.
From eth1 the firewall is connected with a cat5 cable to ANOTHER switch, and on that switch the webserver is also connected.
 
Old 06-20-2005, 04:49 PM   #15
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Ok, with that configuration, the client needs to browse http://servername
The client needs to have in /etc/hosts
192.168.0.1 servername

The firewall needs only this rule to work..
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.2

The webserver needs to have a domain with servername configured, and
a network gateway setting 10.0.0.1 to know where to send replies.
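The packet path the thread keeps circling (the rule-by-rule explanation in post #6, the "will the client see the firewall's IP in the reply" worry in posts #8 and #9, post #11's point that the DNAT fires regardless of the destination address, and post #15's gateway requirement) can be stepped through in a small model. This is an added example, not code from the thread or from any of the posters: it models only the PREROUTING, FORWARD and POSTROUTING chains plus connection tracking, uses the constructed addresses from post #14, and the `Firewall` class, `web_session` and the match-dictionary form of the rules are its own invention.

```python
"""Toy model of the netfilter path for the web-server forward in this thread:
PREROUTING (nat) -> routing decision -> FORWARD (filter) -> POSTROUTING (nat),
with a minimal conntrack table.  Added example, not code from the thread; the
addresses and interfaces are the constructed values from post #14."""
import ipaddress

# Firewall routing table: the routing decision made after PREROUTING is what
# picks eth1 for a packet whose destination was just rewritten to 10.0.0.2.
ROUTES = [(ipaddress.ip_network("192.168.0.0/24"), "eth0"),
          (ipaddress.ip_network("10.0.0.0/24"), "eth1")]

def route(dst):
    """Outgoing interface for dst, or None when the box has no route."""
    for net, iface in ROUTES:
        if ipaddress.ip_address(dst) in net:
            return iface
    return None

def tup(p): return (p["src"], p["sport"], p["dst"], p["dport"])
def rev(t): return (t[2], t[3], t[0], t[1])

def matches(rule, pkt, state):
    """Every field a rule names (-i, -o, -p, --dport, -d, -s, --state) must
    equal the packet's field; 'target' is the jump, not a match."""
    for key, want in rule.items():
        if key == "target":
            continue
        if key == "state":
            if state not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

class Firewall:
    def __init__(self, prerouting, forward, postrouting, policy="DROP"):
        self.prerouting, self.forward = prerouting, forward
        self.postrouting, self.policy = postrouting, policy
        self.conntrack = []  # {"orig": pre-NAT 4-tuple, "natted": post-NAT 4-tuple}

    def _lookup(self, pkt):
        t = tup(pkt)
        for e in self.conntrack:
            if t == e["orig"]:
                return e, "ESTABLISHED", "original"
            if t == rev(e["natted"]):
                return e, "ESTABLISHED", "reply"
        return None, "NEW", None

    def process(self, pkt):
        """Returns ("ACCEPT", packet as it leaves the box) or ("DROP", None)."""
        pkt, orig = dict(pkt), tup(pkt)
        entry, state, direction = self._lookup(pkt)
        if state == "NEW":
            # The nat table is consulted only for the first packet of a flow.
            for r in self.prerouting:
                if matches(r, pkt, state):
                    ip, _, port = r["target"].partition(":")
                    pkt["dst"], pkt["dport"] = ip, int(port) if port else pkt["dport"]
                    break
        elif direction == "original":
            pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"] = entry["natted"]
        else:
            # Reply: conntrack reverses the NAT, so the client gets its answer
            # from 192.168.0.1, the address it sent to, not from 10.0.0.2.
            pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"] = rev(entry["orig"])
        pkt["out"] = route(pkt["dst"])
        verdict = next((r["target"] for r in self.forward if matches(r, pkt, state)),
                       self.policy)
        if verdict != "ACCEPT" or pkt["out"] is None:
            return "DROP", None
        if state == "NEW":
            for r in self.postrouting:
                if matches(r, pkt, state):
                    pkt["src"] = r["target"]
                    break
            self.conntrack.append({"orig": orig, "natted": tup(pkt)})
        return "ACCEPT", pkt

def win32sux_ruleset():
    """The five rules from post #3, written as match dictionaries."""
    return Firewall(
        prerouting=[{"in": "eth0", "proto": "tcp", "dport": 80, "target": "10.0.0.2"}],
        forward=[{"state": ("ESTABLISHED", "RELATED"), "target": "ACCEPT"},
                 {"proto": "tcp", "in": "eth0", "out": "eth1", "dport": 80,
                  "dst": "10.0.0.2", "state": ("NEW",), "target": "ACCEPT"}],
        postrouting=[{"out": "eth0", "target": "192.168.0.1"}])

def web_session(fw, server_has_gateway=True):
    """Client 192.168.0.2 opens 192.168.0.1:80 and the server answers.
    Returns (packet delivered to the server, packet delivered to the client)."""
    syn = {"in": "eth0", "proto": "tcp", "src": "192.168.0.2", "sport": 40000,
           "dst": "192.168.0.1", "dport": 80}
    verdict, to_server = fw.process(syn)
    if verdict != "ACCEPT" or not server_has_gateway:  # post #15: without 10.0.0.1
        return to_server, None                         # as gateway no reply comes back
    synack = {"in": "eth1", "proto": "tcp", "src": to_server["dst"],
              "sport": to_server["dport"], "dst": to_server["src"], "dport": to_server["sport"]}
    verdict, to_client = fw.process(synack)
    return to_server, to_client if verdict == "ACCEPT" else None
```

Running `web_session(win32sux_ruleset())` shows the server receiving a packet from 192.168.0.2 to 10.0.0.2 leaving via eth1 (the routing table, not the DNAT rule, picked eth1), and the client receiving its reply from 192.168.0.1, because conntrack undoes the DNAT on the way back; the SNAT rule never touches this flow since it leaves via eth1. A NEW connection arriving on eth1 matches no FORWARD rule and falls through to the DROP policy, and a port-80 packet to any address on eth0 is still rewritten to 10.0.0.2, which is the behaviour post #11 describes.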
 
  

