Cannot get DNAT and FORWARD to work
Hi,
I am using CentOS 4.1 and have set up 2 servers in a hosting centre. One is the firewall machine and the other a database server attached to the firewall machine via a LAN. I want to DNAT packets coming in on 3 different ports from my machine across the internet and forward them to the database machine. So far I have -j LOG'd them reaching the database machine (I had iptables running there too so I could -j LOG them, but have turned that off for the moment), but don't know where they are getting lost on the way back through the firewall machine. I have tested the connections from the firewall machine to the database machine, when logged in via ssh to the firewall machine, on the ports I need, so I know that they are accepted, I assume with the firewall machine's IP address as the SRC.
My problem is that I don't know where these returning packets from the database machine enter iptables on the firewall machine. I have tried logging PREROUTING on eth0 (the LAN-attached NIC) on those ports, but see nothing. Does ip_conntrack somehow grab these packets, or do they go through the normal tables and chains? eth1 is the NIC with the public IP address.
Here is the iptables-save version of the script:
# Generated by iptables-save v1.2.11 on Fri Dec 16 18:25:35 2005
*nat
:PREROUTING ACCEPT [54:5904]
:POSTROUTING ACCEPT [5:288]
:OUTPUT ACCEPT [4:240]
-A PREROUTING -i eth0 -p tcp -j LOG --log-prefix "Preroute "
-A PREROUTING -d xxx.xxx.82.xxx -i eth1 -p tcp -m multiport --dports 722,3306,3307 -j DNAT --to-destination 192.168.0.20
-A POSTROUTING -o eth1 -j LOG --log-prefix "Postroute "
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Dec 16 18:25:35 2005
# Generated by iptables-save v1.2.11 on Fri Dec 16 18:25:35 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -p ipv6-crypt -j ACCEPT
-A INPUT -p ipv6-auth -j ACCEPT
-A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -d xxx.xxx.82.xxx -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -d xxx.xxx.82.xxx -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,22,25,443,80,8080 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m multiport --dports 722,3306,3307 -m state --state NEW -j LOG --log-prefix "FWD "
-A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -p tcp -m multiport --dports 722,3306,3307 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "All dropped "
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s xxx.xxx.82.xxx -d 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -j DROP
-A OUTPUT -s xxx.xxx.82.xxx -o eth1 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
This is the only logged output I see when I attempt a connection on port 3306 from my machine across the internet. 192.168.0.20 is the database machine and 192.168.0.21 is the firewall machine.
[root@web1 sysconfig]# cat /var/log/messages
Dec 16 18:23:03 web1 kernel: FWD IN=eth1 OUT=eth0 SRC=82.xxx.5.xxx DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=45581 DF PROTO=TCP SPT=1937 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 16 18:23:06 web1 kernel: FWD IN=eth1 OUT=eth0 SRC=82.xxx.5.xxx DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=45582 DF PROTO=TCP SPT=1937 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 16 18:23:12 web1 kernel: FWD IN=eth1 OUT=eth0 SRC=82.xxx.5.xxx DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=45585 DF PROTO=TCP SPT=1937 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Advice on the next step to debug this, or even on where my iptables is wrong, is most welcome.
Thanks,
David
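The script below is an added example for debugging this kind of setup; it is not part of David's post and not a CentOS script. Two things about the ruleset above shape it. First, the nat table is only consulted for the first packet of a connection, so the "Preroute " LOG rule in nat PREROUTING on eth0 can never see reply packets, whatever path they take; LOG rules in the mangle table are traversed by every packet. Second, replies matching "-A FORWARD -i eth0 -o eth1 -j ACCEPT" are accepted silently, so the absence of "All dropped " lines says nothing about whether they arrived. The three FWD lines carry their own clue: the same client SRC:SPT is logged as a NEW SYN three times at the client's retransmit interval, which means conntrack never saw a SYN/ACK come back through the box (a reply would have moved the entry to ESTABLISHED and the "--state NEW" rule would not match the retransmit). The script installs mangle LOG rules at the four points the flow crosses, shows conntrack's view, and counts such unanswered SYNs in a kernel log stream. The interface names and port list are taken from the post, /proc/net/ip_conntrack is the table path on a 2.6.9-era kernel, and the port-722 lines in the embedded sample log are constructed to show what an answered flow looks like.

```shell
#!/bin/sh
# Added example (not from the original post): trace a DNAT'd TCP flow through a
# Linux firewall in both directions and spot SYNs that never get a SYN/ACK back.
# Assumed from the post: eth1 is the public NIC, eth0 faces the LAN, service ports
# 722,3306,3307. Set IPTABLES to a shell function or "echo" for a dry run.
IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
PORTS=${PORTS:-722,3306,3307}

# Insert (-I) or delete (-D) one LOG rule at each point a forwarded packet crosses.
# The mangle table sees every packet; the nat table only sees the first packet of
# a connection, so LOG rules for replies must not live there. Replies carry the
# service port as their *source* port, hence --sports on the LAN-in/WAN-out rules.
trace_rules() {
    op=$1
    "$IPTABLES" -t mangle "$op" PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports "$PORTS" -j LOG --log-prefix "TRACE in-wan "
    "$IPTABLES" -t mangle "$op" POSTROUTING -o "$LAN_IF" -p tcp -m multiport --dports "$PORTS" -j LOG --log-prefix "TRACE out-lan "
    "$IPTABLES" -t mangle "$op" PREROUTING -i "$LAN_IF" -p tcp -m multiport --sports "$PORTS" -j LOG --log-prefix "TRACE in-lan "
    "$IPTABLES" -t mangle "$op" POSTROUTING -o "$WAN_IF" -p tcp -m multiport --sports "$PORTS" -j LOG --log-prefix "TRACE out-wan "
}
trace_on()  { trace_rules -I; }
trace_off() { trace_rules -D; }

# Conntrack's view of the flows. On a 2.6.9-era kernel the table is
# /proc/net/ip_conntrack (later kernels: /proc/net/nf_conntrack or conntrack(8)).
# A DNAT'd entry shows the public address in the original tuple and the LAN
# address in the reply tuple; an entry still marked [UNREPLIED] after the client
# has retransmitted means the SYN/ACK never came back through this box.
conntrack_flows() {
    grep -E "dport=($(printf '%s' "$PORTS" | tr , '|'))( |$)" /proc/net/ip_conntrack
}

# Read kernel LOG lines on stdin; print, per flow, how many bare SYNs were logged
# with no SYN/ACK seen in the reverse direction. The flow key is the client
# endpoint plus the service port only: DNAT rewrites the server address, so a SYN
# logged before DNAT (DST=public) and its reply logged before un-DNAT (SRC=LAN)
# disagree on the server side but always agree on the client side.
# ipt_LOG prints flags in the order URG ACK PSH RST SYN FIN, so a SYN/ACK shows
# up as "ACK SYN".
unanswered_syns() {
    awk '
        function flow(client, cport, sport) { return client ":" cport " dport=" sport }
        /PROTO=TCP/ {
            src = dst = spt = dpt = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "SRC") src = v
                if (k == "DST") dst = v
                if (k == "SPT") spt = v
                if (k == "DPT") dpt = v
            }
            if ($0 ~ / SYN / && $0 !~ / ACK /) syns[flow(src, spt, dpt)]++
            if ($0 ~ / SYN / && $0 ~ / ACK /) answered[flow(dst, dpt, spt)] = 1
        }
        END { for (f in syns) if (!(f in answered)) print f, syns[f] }
    ' | sort
}

# Constructed sample log: the first three lines are the FWD lines from the post;
# the port-722 pair is made up to show a flow whose SYN/ACK did come back.
SAMPLE_LOG='Dec 16 18:23:03 web1 kernel: FWD IN=eth1 OUT=eth0 SRC=82.xxx.5.xxx DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=45581 DF PROTO=TCP SPT=1937 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 16 18:23:06 web1 kernel: FWD IN=eth1 OUT=eth0 SRC=82.xxx.5.xxx DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=45582 DF PROTO=TCP SPT=1937 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 16 18:23:12 web1 kernel: FWD IN=eth1 OUT=eth0 SRC=82.xxx.5.xxx DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=45585 DF PROTO=TCP SPT=1937 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 16 18:30:00 web1 kernel: TRACE in-wan IN=eth1 OUT= SRC=82.xxx.5.xxx DST=xxx.xxx.82.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=45600 DF PROTO=TCP SPT=2001 DPT=722 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 16 18:30:00 web1 kernel: TRACE in-lan IN=eth0 OUT= SRC=192.168.0.20 DST=82.xxx.5.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=722 DPT=2001 WINDOW=5840 RES=0x00 ACK SYN URGP=0'

analyse_sample() { printf '%s\n' "$SAMPLE_LOG" | unanswered_syns; }

case "${1:-}" in
    on)      trace_on ;;          # run on the firewall, then retry the connection
    off)     trace_off ;;
    flows)   conntrack_flows ;;
    analyse) unanswered_syns ;;   # e.g. grep 'kernel:' /var/log/messages | ./trace.sh analyse
    sample)  analyse_sample ;;    # prints: 82.xxx.5.xxx:1937 dport=3306 3
esac
```

Reading the trace: "TRACE out-lan" with no "TRACE in-lan" for the same client means the SYN left eth0 and nothing came back to it, which points at the database host (its route back to the client's address, or a host firewall) rather than at this ruleset; "TRACE in-lan" without "TRACE out-wan" means the reply reached the firewall and was dropped or misrouted there, and the mangle LOG lines will show whether conntrack un-DNATted the source address before the drop.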