Linux - Security (LinuxQuestions.org): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 05-08-2006, 09:13 AM | marpel (LQ Newbie; Registered: Jan 2006; Posts: 7)
Iptables NAT routing problem
Hi all.
I've a Linux box with iptables and kernel 2.4.
This Linux has only one NIC with a public IP, say x.x.x.120.
The Linux box is connected to the internal LAN (192.168.10.0) with a firewall (not Linux).
Now, my problem is to forward HTTP requests to the public Linux IP x.x.x.120 to the internal server 192.168.10.1.
The problem is that the Linux box is not directly connected to the internal LAN and I cannot route on the same NIC!!
Any suggestion??
Thanks
#2 | 05-08-2006, 10:44 AM | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote (Originally Posted by marpel):
Hi all.
I've a Linux box with iptables and kernel 2.4.
This Linux has only one NIC with a public IP, say x.x.x.120.
The Linux box is connected to the internal LAN (192.168.10.0) with a firewall (not Linux).
Now, my problem is to forward HTTP requests to the public Linux IP x.x.x.120 to the internal server 192.168.10.1.
The problem is that the Linux box is not directly connected to the internal LAN and I cannot route on the same NIC!!
Any suggestion??
Thanks
hi... could you explain your setup a little more clearly please?? it's hard to understand it from what you've posted... for example, what's the difference between the "linux box" and the "linux"?? plus there's a non-linux firewall, so it seems like we're talking about three different boxes then?? perhaps you could draw a diagram like this (bad) example:
Code:
[ Internet ] --> [ Non-Linux Firewall ] --> [ Linux Server ]
                                        \--> [ Linux PC ]
note that this is just a lame attempt at drawing something based on what i'm interpreting your setup might be like, but like i said i really don't know...
either way, the port-forwarding will usually need to happen on the box which is connected to the WAN... optimally, the only box connected to your WAN would be your firewall, which in this case is non-linux, so iptables wouldn't be used...
sorry that my post isn't more helpful, but as soon as i get a clear understanding of your situation i will do my best to help you out...
Last edited by win32sux; 05-08-2006 at 10:57 AM.
#3 | 05-08-2006, 11:44 AM | marpel (LQ Newbie; Registered: Jan 2006; Posts: 7; Original Poster)
You're right.
I explain:
Internet -> Firewall (not Linux and not managed by me) -> DMZ (my Linux box, say 212.x.x.x)
The same firewall (not Linux) has another NIC connected to the LAN 192.168.1.0.
So, my Linux box is not connected directly to the LAN, but through this firewall (not Linux), and has only one NIC.
I have to:
- configure my Linux box to forward FTP traffic to a server on the LAN 192.168.1.0
- The problem is that routing on the same NIC doesn't work!!!
I cannot add a NIC to the Linux box to connect directly to the LAN without passing through the non-Linux firewall.
Any suggestion??
Thanks
#4 | 05-08-2006, 11:48 AM | marpel (LQ Newbie; Registered: Jan 2006; Posts: 7; Original Poster)
I missed something...
The Linux box IP is public, so actually I've no problem connecting from any client to the Linux box.
The problem is to forward the traffic to the LAN...
#5 | 05-08-2006, 11:57 AM | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote (Originally Posted by marpel):
You're right.
I explain:
Internet -> Firewall (not Linux and not managed by me) -> DMZ (my Linux box, say 212.x.x.x)
The same firewall (not Linux) has another NIC connected to the LAN 192.168.1.0.
So, my Linux box is not connected directly to the LAN, but through this firewall (not Linux), and has only one NIC.
I have to:
- configure my Linux box to forward FTP traffic to a server on the LAN 192.168.1.0
- The problem is that routing on the same NIC doesn't work!!!
I cannot add a NIC to the Linux box to connect directly to the LAN without passing through the non-Linux firewall.
Any suggestion??
Thanks
okay, i see now... well, i think it's simple actually... just enable forwarding on the DMZ linux box, and then configure it to forward FTP connections to the LAN... something like this on the linux box should work:
Code:
# default-deny forwarding, then turn routing on
iptables -P FORWARD DROP
echo "1" > /proc/sys/net/ipv4/ip_forward
# rewrite the destination of incoming FTP control connections to the LAN server
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 21 \
    -j DNAT --to-destination 192.168.1.112
# replies and related (FTP data) connections pass; new FTP control connections are accepted
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p TCP --dport 21 \
    -m state --state NEW -j ACCEPT
keep in mind that the non-linux firewall will have to be configured to allow connections from the DMZ into the LAN - something which is usually NOT the case, as it sorta defeats the purpose of a DMZ zone...
also make sure you have your ip_conntrack_ftp and ip_nat_ftp modules loaded unless you've built ftp nat netfilter support into your kernel...
Last edited by win32sux; 05-09-2006 at 09:40 PM.
Reason: added note about ftp modules
#6 | 05-08-2006, 12:13 PM | marpel (LQ Newbie; Registered: Jan 2006; Posts: 7; Original Poster)
In this way it does not work.
The problem is the routing!
The FTP request enters from eth0 on the Linux box.
The forward goes out on eth0 on the Linux box.
This is a problem for NAT.
#7 | 05-08-2006, 12:20 PM | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote (Originally Posted by marpel):
In this way it does not work.
The problem is the routing!
The FTP request enters from eth0 on the Linux box.
The forward goes out on eth0 on the Linux box.
This is a problem for NAT.
add a log rule to the end of the chain and post what it shows:
Code:
# default-deny forwarding, then turn routing on
iptables -P FORWARD DROP
echo "1" > /proc/sys/net/ipv4/ip_forward
# rewrite the destination of incoming FTP control connections to the LAN server
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 21 \
    -j DNAT --to-destination 192.168.1.112
# replies and related (FTP data) connections pass; new FTP control connections are accepted
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p TCP --dport 21 \
    -m state --state NEW -j ACCEPT
# anything that reaches the end of the chain is logged before the DROP policy takes it
iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
AFAIK it doesn't matter if the packet is exiting the same interface it came in from...
#8 | 05-08-2006, 12:23 PM | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
BTW, i posted the DNAT part, but i forgot the SNAT/Masquerade rule... it would look like this:
Code:
# rewrite the source of forwarded packets leaving eth0 to the linux box's own address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
so to your FTP server in the LAN zone it would look like the connections are all originating from your linux box in the DMZ...
Last edited by win32sux; 05-08-2006 at 12:24 PM.
#9 | 05-09-2006, 04:15 AM | marpel (LQ Newbie; Registered: Jan 2006; Posts: 7; Original Poster)
The message is:
Code:
kernel: FORWARD DROP: IN=eth1 OUT=eth1 SRC=172.20.40.5 DST=192.168.2.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=13282 DF PROTO=TCP SPT=1340 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
172.20.0.0 is the LAN of the Linux box (172.20.10.6 is the Linux box IP).
192.168.2.0 is the LAN of the web server (192.168.2.3 is its IP).
My request comes from a client 172.20.40.5 on the LAN of the Linux box.
I also tried to put:
Code:
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
But I get the same DROP message!!
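The netfilter LOG line in this post can be read mechanically. The script below is an added example and not code from the thread: it pulls the KEY=value fields out of a "FORWARD DROP:" log line, decides whether the packet was a new TCP connection attempt (a SYN without ACK, which the ESTABLISHED,RELATED rule can never match), and reports whether its destination port is among the ports the FORWARD chain accepts for state NEW. The sample line is the one posted here; the allowed-port list (21, mirroring the --dport 21 rules from #5) and all function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage a netfilter "FORWARD DROP:"
# LOG line against the list of ports the FORWARD chain accepts for state NEW.
set -eu

# The log line marpel posted (copied from the thread, minus the syslog prefix).
SAMPLE_LOG='kernel: FORWARD DROP: IN=eth1 OUT=eth1 SRC=172.20.40.5 DST=192.168.2.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=13282 DF PROTO=TCP SPT=1340 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0'

# Ports the rules in #5 accept for NEW forwarded connections (assumption).
ALLOWED_PORTS='21'

# nf_field LINE KEY: print the value of the KEY=value token in a LOG line.
nf_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# nf_is_new_tcp LINE: true when the packet is a TCP SYN without ACK, i.e. a
# NEW connection attempt that the ESTABLISHED,RELATED rule cannot match.
nf_is_new_tcp() {
    case " $1 " in
        *" PROTO=TCP "*" SYN "*)
            case " $1 " in *" ACK "*) return 1 ;; esac
            return 0 ;;
    esac
    return 1
}

# nf_explain_drop LINE PORTS: one-line verdict on why the packet reached the
# LOG rule at the end of the FORWARD chain, given the ports accepted for NEW.
# IN and OUT being the same interface is reported but is not itself a reason
# for the drop; hairpin forwarding out of the ingress NIC is allowed.
nf_explain_drop() {
    line=$1
    ports=$2
    in_if=$(nf_field "$line" IN)
    out_if=$(nf_field "$line" OUT)
    dst=$(nf_field "$line" DST)
    dpt=$(nf_field "$line" DPT)
    if ! nf_is_new_tcp "$line"; then
        echo "not a new TCP connection: expected ESTABLISHED,RELATED to match; check conntrack"
        return 0
    fi
    for p in $ports; do
        if [ "$p" = "$dpt" ]; then
            echo "NEW TCP to $dst:$dpt is in the allowed list; the ACCEPT rule itself is not matching"
            return 0
        fi
    done
    echo "NEW TCP to $dst:$dpt (in=$in_if out=$out_if) matches no ACCEPT rule: only ports [$ports] are forwarded"
}

nf_explain_drop "$SAMPLE_LOG" "$ALLOWED_PORTS"
```

Run as-is it reports that the logged SYN to 192.168.2.3:80 matches no ACCEPT rule when only port 21 is forwarded; pass a second argument such as "21 80" to see the verdict change to a problem with the rule itself. Pipe `dmesg | grep 'FORWARD DROP:'` lines through nf_explain_drop one at a time to triage a live box.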
#10 | 05-09-2006, 04:51 AM | marpel (LQ Newbie; Registered: Jan 2006; Posts: 7; Original Poster)
OK, now my Linux box doesn't DROP.
But the problem exists anyway....
I explain my tests:
From my Linux box (172.20.10.6) I do:
GET http://192.168.2.3 (web server)
and with tcpdump on eth1 of the Linux box I get:
Code:
11:36:46.670876 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 74: 172.20.10.6.32840 > 192.168.2.3.http: S 1642849799:1642849799(0) win 5840 <mss 1460,sackOK,timestamp 112842582 0,nop,wscale 0> (DF)
11:36:46.671135 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 74: 192.168.2.3.http > 172.20.10.6.32840: S 3425539147:3425539147(0) ack 1642849800 win 5792 <mss 1460,sackOK,timestamp 1149309265 112842582,nop,wscale 0> (DF)
11:36:46.671176 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 66: 172.20.10.6.32840 > 192.168.2.3.http: . ack 1 win 5840 <nop,nop,timestamp 112842582 1149309265> (DF)
11:36:46.676850 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 152: 172.20.10.6.32840 > 192.168.2.3.http: P 1:87(86) ack 1 win 5840 <nop,nop,timestamp 112842582 1149309265> (DF)
11:36:46.677062 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 66: 192.168.2.3.http > 172.20.10.6.32840: . ack 87 win 5792 <nop,nop,timestamp 1149309268 112842582> (DF)
11:36:46.678138 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 1514: 192.168.2.3.http > 172.20.10.6.32840: . 1:1449(1448) ack 87 win 5792 <nop,nop,timestamp 1149309268 112842582> (DF)
11:36:46.678166 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 66: 172.20.10.6.32840 > 192.168.2.3.http: . ack 1449 win 8688 <nop,nop,timestamp 112842582 1149309268> (DF)
11:36:46.678140 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 920: 192.168.2.3.http > 172.20.10.6.32840: P 1449:2303(854) ack 87 win 5792 <nop,nop,timestamp 1149309268 112842582> (DF)
11:36:46.678179 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 66: 172.20.10.6.32840 > 192.168.2.3.http: . ack 2303 win 11584 <nop,nop,timestamp 112842582 1149309268> (DF)
11:36:46.678142 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 66: 192.168.2.3.http > 172.20.10.6.32840: F 2303:2303(0) ack 87 win 5792 <nop,nop,timestamp 1149309268 112842582> (DF)
11:36:46.699812 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 66: 172.20.10.6.32840 > 192.168.2.3.http: F 87:87(0) ack 2304 win 11584 <nop,nop,timestamp 112842585 1149309268> (DF)
11:36:46.700018 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 66: 192.168.2.3.http > 172.20.10.6.32840: . ack 88 win 5792 <nop,nop,timestamp 1149309280 112842585> (DF)
And it works!!!
From the client 172.20.40.5 I do
GET http://172.20.10.6
and from tcpdump on the Linux box I get only:
Code:
11:36:17.131621 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 62: 172.20.40.5.1411 > 192.168.2.3.http: S 3433121819:3433121819(0) win 16384 <mss 1260,nop,nop,sackOK> (DF)
11:36:20.098297 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 62: 172.20.40.5.1411 > 192.168.2.3.http: S 3433121819:3433121819(0) win 16384 <mss 1260,nop,nop,sackOK> (DF)
and it doesn't work!!!
But the DNAT seems to work!
Help!
#11 | 05-09-2006, 07:23 AM | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote (Originally Posted by marpel):
The message is:
Code:
kernel: FORWARD DROP: IN=eth1 OUT=eth1 SRC=172.20.40.5 DST=192.168.2.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=13282 DF PROTO=TCP SPT=1340 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
172.20.0.0 is the LAN of the Linux box (172.20.10.6 is the Linux box IP).
192.168.2.0 is the LAN of the web server (192.168.2.3 is its IP).
My request comes from a client 172.20.40.5 on the LAN of the Linux box.
I also tried to put:
Code:
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
But I get the same DROP message!!
well, the DROP you are getting seems to be caused by the SYN packet not finding an accept rule for --dport 80 packets of state NEW... perhaps you aren't clearing your chains when you write your new rules?? you should make sure your routing chains are cleared before you try your new setup...
Code:
# flush the FORWARD chain and the nat/mangle tables, then delete any user-defined chains left in them
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
iptables -X -t nat
iptables -X -t mangle
having said that, you originally said you wanted to forward FTP traffic coming into the DMZ from the WAN to the LAN... but now you are saying the linux box is on the LAN... first you said the linux box wasn't connected to any LAN... you've also changed the IP addresses now...
Quote (Originally Posted by marpel):
OK, now my Linux box doesn't DROP.
But the problem exists anyway....
I explain my tests:
From my Linux box (172.20.10.6) I do:
GET http://192.168.2.3 (web server)
and with tcpdump on eth1 of the Linux box I get:
Code:
11:36:46.670876 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 74: 172.20.10.6.32840 > 192.168.2.3.http: S 1642849799:1642849799(0) win 5840 <mss 1460,sackOK,timestamp 112842582 0,nop,wscale 0> (DF)
11:36:46.671135 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 74: 192.168.2.3.http > 172.20.10.6.32840: S 3425539147:3425539147(0) ack 1642849800 win 5792 <mss 1460,sackOK,timestamp 1149309265 112842582,nop,wscale 0> (DF)
11:36:46.671176 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 66: 172.20.10.6.32840 > 192.168.2.3.http: . ack 1 win 5840 <nop,nop,timestamp 112842582 1149309265> (DF)
11:36:46.676850 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 152: 172.20.10.6.32840 > 192.168.2.3.http: P 1:87(86) ack 1 win 5840 <nop,nop,timestamp 112842582 1149309265> (DF)
11:36:46.677062 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 66: 192.168.2.3.http > 172.20.10.6.32840: . ack 87 win 5792 <nop,nop,timestamp 1149309268 112842582> (DF)
11:36:46.678138 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 1514: 192.168.2.3.http > 172.20.10.6.32840: . 1:1449(1448) ack 87 win 5792 <nop,nop,timestamp 1149309268 112842582> (DF)
11:36:46.678166 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 66: 172.20.10.6.32840 > 192.168.2.3.http: . ack 1449 win 8688 <nop,nop,timestamp 112842582 1149309268> (DF)
11:36:46.678140 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 920: 192.168.2.3.http > 172.20.10.6.32840: P 1449:2303(854) ack 87 win 5792 <nop,nop,timestamp 1149309268 112842582> (DF)
11:36:46.678179 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 66: 172.20.10.6.32840 > 192.168.2.3.http: . ack 2303 win 11584 <nop,nop,timestamp 112842582 1149309268> (DF)
11:36:46.678142 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 66: 192.168.2.3.http > 172.20.10.6.32840: F 2303:2303(0) ack 87 win 5792 <nop,nop,timestamp 1149309268 112842582> (DF)
11:36:46.699812 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 66: 172.20.10.6.32840 > 192.168.2.3.http: F 87:87(0) ack 2304 win 11584 <nop,nop,timestamp 112842585 1149309268> (DF)
11:36:46.700018 0:5:1c:20:c3:7a 0:8:2:f1:58:c7 ip 66: 192.168.2.3.http > 172.20.10.6.32840: . ack 88 win 5792 <nop,nop,timestamp 1149309280 112842585> (DF)
And it works!!!
From the client 172.20.40.5 I do
GET http://172.20.10.6
and from tcpdump on the Linux box I get only:
Code:
11:36:17.131621 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 62: 172.20.40.5.1411 > 192.168.2.3.http: S 3433121819:3433121819(0) win 16384 <mss 1260,nop,nop,sackOK> (DF)
11:36:20.098297 0:8:2:f1:58:c7 0:5:1c:20:c3:7a ip 62: 172.20.40.5.1411 > 192.168.2.3.http: S 3433121819:3433121819(0) win 16384 <mss 1260,nop,nop,sackOK> (DF)
and it doesn't work!!!
But the DNAT seems to work!
Help!
do you have the proper iptables rules implemented?? post them:
Code:
iptables -v -n -L
iptables -t nat -v -n -L
i haven't looked at your tcpdump in detail, but like i said, the problem is likely caused because your SYN packets aren't matching with any rule for state NEW and hence they hit the policy at the end of the chain...
in any case, since it seems to work fine for you when the connection is initiated from the linux box itself, you can pretty much rest assured that the issue is with your iptables rules... so post them and we'll have a look and see...
Last edited by win32sux; 05-09-2006 at 09:35 PM.
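Pulling win32sux's pieces together (the flush from this post, the DNAT and FORWARD rules from #5, the LOG rule from #7, the MASQUERADE from #8 and the FTP helper modules), here is one script for the single-NIC DMZ box. It is an added example, not code from the thread, and each rule is narrowed to the one forwarded service so the box does not become a general NAT router for whatever else reaches it. Assumptions not in the thread: the NIC is eth0, the box's own public address is the placeholder 203.0.113.120, the LAN FTP server is 192.168.1.112 (the address used in #5), and DRY_RUN=1 prints the commands instead of running them; the `run` and `hairpin_nat_*` names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: hairpin DNAT for an FTP server on
# the LAN, built from the rules in #5, #7, #8 and #11 and narrowed per rule.
set -eu

WAN_IF="${WAN_IF:-eth0}"                   # the box's only NIC (assumption)
PUBLIC_IP="${PUBLIC_IP:-203.0.113.120}"    # placeholder for the DMZ box's public address
LAN_SERVER="${LAN_SERVER:-192.168.1.112}"  # FTP server behind the non-Linux firewall (#5)
FWD_PORT="${FWD_PORT:-21}"                 # the one service being forwarded

# run CMD...: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Clear old rules first so a stale rule cannot shadow the new ones (#11).
hairpin_nat_flush() {
    run iptables -F FORWARD
    run iptables -t nat -F
    run iptables -t mangle -F
    run iptables -t nat -X
    run iptables -t mangle -X
}

hairpin_nat_apply() {
    hairpin_nat_flush
    # Default-deny forwarding, then turn routing on.
    run iptables -P FORWARD DROP
    run sysctl -w net.ipv4.ip_forward=1
    # Only connections addressed to our public IP on the service port are DNATed.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$LAN_SERVER:$FWD_PORT"
    # Both directions use the same NIC, so the source must be rewritten too or the
    # LAN server would answer the client directly and the handshake never completes (#8).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -d "$LAN_SERVER" -p tcp --dport "$FWD_PORT" \
        -j MASQUERADE
    # Replies, and the FTP data connections conntrack relates to the control channel.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections are accepted only toward the DNATed server on the service port.
    run iptables -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -d "$LAN_SERVER" -p tcp --dport "$FWD_PORT" \
        -m state --state NEW -j ACCEPT
    # Everything else is logged (rate-limited) before the DROP policy takes it (#7).
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP: "
    # FTP needs the conntrack/NAT helpers to relate the data connections (#5);
    # on current kernels the modules are named nf_conntrack_ftp and nf_nat_ftp.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
}

case "${1:-}" in
    apply) hairpin_nat_apply ;;
esac
```

`DRY_RUN=1 sh hairpin-nat.sh apply` prints the fourteen commands in order for review; without DRY_RUN it must run as root. The non-Linux firewall still has to permit the DMZ box to reach the LAN server on the service port, as win32sux noted in #5, and because MASQUERADE hides the real client address from the LAN server, the DMZ box's own log (the LOG rule plus conntrack) is the only place the original source IP is recorded.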