Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

#1 | 09-04-2006, 11:50 PM | Member (Niceman2005) | Registered: Nov 2004 | Distribution: Fedora Core 2 | Posts: 330
My DNAT/port forwarding isn't working
Dear friends,
I just tried to do what everyone tries to do: I want to forward port 80 access on one machine to another machine within the same LAN. Ultimately I want to do it for access from outside, but currently I even fail in doing it between two machines in the same LAN.
I call the machine hosting the webserver LAN1 (LAN1DEV);
the other machine hosting the iptables is LAN2 (LAN2DEV).
So I have the rules:
iptables -t nat -A PREROUTING --dst LAN2 -p tcp --dport 80 -j DNAT --to-destination LAN1
iptables -t nat -A POSTROUTING -p tcp --dst LAN1 --dport 80 -j SNAT --to-source LAN2
$IPT -A FORWARD -p tcp -i $LAN2DEV -d LAN2 --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -o $LAN1DEV -s LAN1 --sport 80 -m state --state NEW -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
/etc/sysctl.conf ipv4.ip_fwd has been set to 1
I thought I had done everything right, but it's still not working...
Does it have to do with the default gateway?
Thanks for taking the time to help!
Regards
Y

#2 | 09-05-2006, 12:11 AM | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
First, I don't see any rules in the FORWARD chain to allow traffic that is in the ESTABLISHED/RELATED states, but maybe you just omitted it from the post.
Second, I believe your POSTROUTING is incorrect. It would appear that you have the incoming traffic to LAN2 get DNAT'ed to LAN1; these packets are then SNAT'ed to appear to come from LAN2 (as they leave LAN2 to LAN1). That's not how you want to do it. It's important that the incoming packets still have the original source address when they get sent from LAN2 to LAN1; that way, when LAN1 sends back a reply, it gets addressed to the original source. If the reply is instead addressed to LAN2, then LAN2 gets confused when it gets the reply packet and doesn't know to forward it (the conntrack table will have an entry for the original host and LAN1). The key with SNATing is to change the source address on the reply packet when it is leaving LAN2 to go to the original host. So you'd want to change the rule to:
iptables -t nat -A POSTROUTING -p tcp --src LAN1 --sport 80 -j SNAT --to-source LAN2

#3 | 09-05-2006, 10:07 PM | Original Poster (Niceman2005) | Member | Registered: Nov 2004 | Distribution: Fedora Core 2 | Posts: 330
Dear Captain,
Thanks for your help, I got it working now. Now I am trying to do the same thing for external access. I have these rules,
where 192.168.0.100 is my webserver in my LAN:
$IPT -t nat -A PREROUTING -p tcp -i $EXTDEV -d $EXTIP --dport 80 -j DNAT --to 192.168.0.100:80
$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 -m state --state NEW --dport 80 -j ACCEPT
I thought these two rules should be enough to direct access from outside to my internal webserver?
It didn't work. Hope anyone can help, thanks!
Regards
Y

#4 | 09-06-2006, 07:15 AM | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Both of those rules look correct, so that looks like it should work (though you didn't show any SNAT rules or an outgoing FORWARD rule). Can you post the entire ruleset so that we can see everything in context? You may have some other rules that are causing problems.

#5 | 09-07-2006, 12:04 AM | Original Poster (Niceman2005) | Member | Registered: Nov 2004 | Distribution: Fedora Core 2 | Posts: 330
Hi friends,
Below is the firewall script. Actually, the main aim is to allow external access to a web-based CCTV server with IP 192.168.9.3. From the local LAN inside the firewall, we can just type 192.168.9.3 to get to the CCTV web interface, so I tried to allow anyone from outside to type the external IP of the firewall machine and reach our web-based CCTV hosted on 192.168.9.3. In this case I hope they can just type 66.88.77.55:8080 (I have set the DNAT on port 8080 to go to port 80 of the LAN CCTV server) and be directed to the CCTV web interface.
The CCTV uses ports 9000, 9001, 9002, 9003 and 80. I have set up DNAT for all these ports and forwarding rules.
As for the CCTV server itself, I have set its default gateway to my firewall LAN IP 192.168.9.100.
I believed I had set everything right to be able to access the CCTV web interface from outside, but it didn't work.....
I looked right, left, up and down and still couldn't get it working..
If you spot any mistake, please correct me... thanks a lot!!!
Code:
IPT="/sbin/iptables"   # not in the posted excerpt; assumed, since every rule below uses $IPT
# First External Interface Streamyx
EXTDEV="eth0"
EXTIP="66.88.77.55"    # quoted string; the original used backticks, which would run the value as a command
#EXTBASE=""
#EXTBCAST=""
#EXTGATE=""
# BO Interface BackOffice
BODEV="eth1"
BOIP="192.168.9.100"
BOGATE="192.168.9.254"
CCTVIP="192.168.9.3"
# Prerouting chain: external port 8080 goes to port 80 on the CCTV server (as described above);
# the CCTV control ports are forwarded unchanged
if [ "$CCTVIP" != "" ]
then
    $IPT -t nat -A PREROUTING -i $EXTDEV -p tcp -d $EXTIP --dport 8080 -j DNAT --to-destination $CCTVIP:80
    for PORT in 9000 9001 9002 9003
    do
        $IPT -t nat -A PREROUTING -i $EXTDEV -p tcp -d $EXTIP --dport $PORT -j DNAT --to-destination $CCTVIP
    done
fi
# Forward chain: replies of tracked connections in both directions ...
$IPT -A FORWARD -i $EXTDEV -o $BODEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $EXTDEV -o $BODEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $BODEV -o $EXTDEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $BODEV -o $EXTDEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# ... then new connections to the CCTV server (the FORWARD chain sees the destination after DNAT)
for PORT in 9000 9001 9002 9003 80
do
    $IPT -A FORWARD -i $EXTDEV -o $BODEV -d $CCTVIP -p tcp --dport $PORT -j ACCEPT
done
# Traffic to and from the firewall host itself
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -j DROP
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -j DROP
echo "* IPTABLES RULES ARE ASSIGNED SUCCESSFULLY *"
iptables-save > /etc/sysconfig/iptables

#6 | 09-08-2006, 09:33 AM | Member (amitsharma_26) | Registered: Sep 2005 | Location: New delhi | Distribution: RHEL 3.0/4.0 | Posts: 777
Quote (Originally Posted by Niceman2005): where 192.168.0.100 is my webserver in my LAN
Listen dear,
You have got to understand one basic thing:
If you have got your firewall box acting as the gateway for your 192.168.0.100 box, then you do not need any POSTROUTING/SNAT rule.
And if you do not have this firewall box's LAN ethernet IP as its gateway, then you have got to run both PREROUTING & POSTROUTING.
And during the same process:
the PREROUTING chain happens first, &
then the FORWARD chain comes,
& then FINALLY POSTROUTING.
So you have got to look after your FORWARD chain as well.
Tell me the first thing: do you have your FIREWALL box's LAN IP as the gateway IP on 192.168.0.100 or not?
Though I suggest http://amitsharma.linuxbloggers.com/portforwarding.htm, which will surely give you great help with this.
With best regards,
Amit..
www.amitsharma.linuxbloggers.com
Last edited by amitsharma_26; 09-16-2006 at 04:16 PM.

#7 | 09-10-2006, 09:46 AM | Original Poster (Niceman2005) | Member | Registered: Nov 2004 | Distribution: Fedora Core 2 | Posts: 330
Dear amitsharma_26,
Thanks a lot for your kind assistance. In regards to your question, yes, I have set the gateway for 192.168.0.100 to my firewall LAN IP.
So it is similar to the 1st scenario from the website you provided. So I should have got it right with the rules I wrote in the previous post:
$IPT -t nat -A PREROUTING -p tcp -i $EXTDEV -d $EXTIP --dport 80 -j DNAT --to 192.168.0.100:80
$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 -m state --state NEW --dport 80 -j ACCEPT
$IPT -A FORWARD -i $EXTDEV -o $BODEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $BODEV -o $EXTDEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
thanks !

#8 | 09-10-2006, 10:06 AM | Member (amitsharma_26) | Registered: Sep 2005 | Location: New delhi | Distribution: RHEL 3.0/4.0 | Posts: 777
Quote (Originally Posted by Niceman2005):
$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 -m state --state NEW --dport 80 -j ACCEPT
$IPT -A FORWARD -i $EXTDEV -o $BODEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $BODEV -o $EXTDEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
thanks !
What is this interface $BODEV?
The PREROUTING rule & the first forwarding rule are absolutely fine; but as I am not aware about that $BODEV interface, I cannot comment on the last 2 rules.
BTW, are you still facing any problems with these above rules?

#9 | 09-10-2006, 08:06 PM | Original Poster (Niceman2005) | Member | Registered: Nov 2004 | Distribution: Fedora Core 2 | Posts: 330
Dear amitsharma_26,
I am really sorry, I copied the wrong script (the BODEV should be INTDEV). Following is the one after correction:
$IPT -t nat -A PREROUTING -p tcp -i $EXTDEV -d $EXTIP --dport 80 -j DNAT --to 192.168.0.100:80
$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 -m state --state NEW --dport 80 -j ACCEPT
$IPT -A FORWARD -i $EXTDEV -o $INTDEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INTDEV -o $EXTDEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
Really sorry. Thanks a lot once again for your help.
Regards
Y

#10 | 09-10-2006, 08:44 PM | LQ Guru (win32sux) | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote (Originally Posted by Niceman2005):
Dear amitsharma_26,
I am really sorry, I copied the wrong script (the BODEV should be INTDEV). Following is the one after correction:
$IPT -t nat -A PREROUTING -p tcp -i $EXTDEV -d $EXTIP --dport 80 -j DNAT --to 192.168.0.100:80
$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 -m state --state NEW --dport 80 -j ACCEPT
$IPT -A FORWARD -i $EXTDEV -o $INTDEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INTDEV -o $EXTDEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
Really sorry. Thanks a lot once again for your help.
Regards
Y
hi, just wanted to let you know that these rules can be simplified as follows:
Code:
$IPT -t nat -A PREROUTING -i $EXTDEV -p TCP --dport 80 \
-j DNAT --to 192.168.0.100
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $EXTDEV -o $INTDEV -p TCP -d 192.168.0.100 \
--dport 80 -m state --state NEW -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTDEV -j SNAT --to $EXTIP
Last edited by win32sux; 09-10-2006 at 08:46 PM.

#11 | 09-10-2006, 08:51 PM | Original Poster (Niceman2005) | Member | Registered: Nov 2004 | Distribution: Fedora Core 2 | Posts: 330
Thanks a lot friend!

#12 | 09-11-2006, 03:15 AM | Member (amitsharma_26) | Registered: Sep 2005 | Location: New delhi | Distribution: RHEL 3.0/4.0 | Posts: 777
Quote (Originally Posted by win32sux):
hi, just wanted to let you know that these rules can be simplified as follows:
Code:
$IPT -t nat -A PREROUTING -i $EXTDEV -p TCP --dport 80 \
-j DNAT --to 192.168.0.100
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $EXTDEV -o $INTDEV -p TCP -d 192.168.0.100 \
--dport 80 -m state --state NEW -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTDEV -j SNAT --to $EXTIP
What is the need of a POSTROUTING rule in the above case? Can anyone justify it?
The LAN-hosted webserver already has the firewall acting as its gateway.
The rest of the three rules are enough for you to host your LAN-based webserver for the internet clients.

#13 | 09-11-2006, 03:29 AM | LQ Guru (win32sux) | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote (Originally Posted by amitsharma_26):
What is the need of a POSTROUTING rule in the above case? Can anyone justify it?
The LAN-hosted webserver already has the firewall acting as its gateway.
The rest of the three rules are enough for you to host your LAN-based webserver for the internet clients.
hi... could you please elaborate a little on why you think the rule isn't needed? Even though I provided it only for clarity's sake, I cannot understand why it wouldn't be needed... Why would you want packets going out through the firewall to keep their internal IPs? Just wondering...
BTW, I assumed these rules were running on a firewall/gateway in front of a web server on a LAN... let me know if that is not the case...
Last edited by win32sux; 09-11-2006 at 03:31 AM.
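As an added illustration (not code from the thread or from any poster), the following toy Python model of the packet flow the two posts above argue about: netfilter's nat table sees only the first packet of a flow, applies DNAT (and, if a rule exists, SNAT) to it, and conntrack reverses the mapping on the replies. It runs the case from post #12 (the server's default gateway is the firewall, so DNAT alone works for Internet clients), the case where the server's gateway is some other box, and the same-LAN client setup of the first post, where the server answers the client directly and bypasses the firewall unless its packets were SNATed. The firewall LAN address 192.168.0.1 and the client addresses 203.0.113.7 and 192.168.0.50 are constructed; 66.88.77.55 and 192.168.0.100 are the thread's.

```python
# Added toy model (not from the thread) of netfilter NAT for a DNAT port forward: the nat
# table sees only a flow's first packet; conntrack keeps the mapping and un-translates the
# reply. Constructed addresses: firewall LAN IP 192.168.0.1, clients 203.0.113.7/192.168.0.50.
def reverse(f):
    return (f[2], f[3], f[0], f[1])      # swap src/dst of a (src, sport, dst, dport) tuple
def same_lan(a, b):
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]   # toy /24 test
class Firewall:
    def __init__(self, ext_ip, lan_ip, server_ip, port, snat_to=None):
        self.ext_ip, self.lan_ip = ext_ip, lan_ip
        self.server_ip, self.port = server_ip, port
        self.snat_to = snat_to     # POSTROUTING SNAT --to-source; None = no SNAT rule
        self.conntrack = {}        # original flow -> translated flow
    def handle(self, flow):
        """Reply of a tracked flow: undo the translation. New flow to our port:
        PREROUTING DNAT to the server, plus the optional POSTROUTING SNAT."""
        for orig, trans in self.conntrack.items():
            if flow == reverse(trans):
                return reverse(orig)
        if flow[2] in (self.ext_ip, self.lan_ip) and flow[3] == self.port:
            trans = (self.snat_to or flow[0], flow[1], self.server_ip, self.port)
            self.conntrack[flow] = trans
            return trans
        return flow
def connect(client, fw, server_gw_is_fw):
    """Client SYNs the firewall's port; return the reply it receives from the
    address it connected to, or None when the handshake cannot complete."""
    target = fw.lan_ip if same_lan(client, fw.lan_ip) else fw.ext_ip
    syn = (client, 40000, target, fw.port)
    reply = reverse(fw.handle(syn))          # the server answers whoever it saw
    if reply[2] in (fw.lan_ip, fw.ext_ip):
        reply = fw.handle(reply)             # SNAT case: reply addressed to the firewall
    elif not same_lan(fw.server_ip, reply[2]):
        if not server_gw_is_fw:
            return None                      # reply leaves via another gateway and is lost
        reply = fw.handle(reply)             # default route back through the firewall
    # otherwise a same-LAN client is answered directly, bypassing the firewall
    return reply if reply == reverse(syn) else None
def scenarios():
    ext, lan, srv = "66.88.77.55", "192.168.0.1", "192.168.0.100"
    def ok(client, gw_is_fw, snat):
        return connect(client, Firewall(ext, lan, srv, 80, snat), gw_is_fw) is not None
    return {
        "external client, server gateway = firewall, DNAT only": ok("203.0.113.7", True, None),
        "external client, other gateway, DNAT only": ok("203.0.113.7", False, None),
        "external client, other gateway, DNAT + SNAT": ok("203.0.113.7", False, lan),
        "same-LAN client, DNAT only": ok("192.168.0.50", True, None),
        "same-LAN client, DNAT + SNAT": ok("192.168.0.50", True, lan),
    }
```

Calling scenarios() shows DNAT alone succeeding only when the server routes its replies back through the firewall; the SNAT rule makes the other two layouts work because it forces the server to address every reply to the firewall.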

#14 | 09-11-2006, 04:54 AM | Original Poster (Niceman2005) | Member | Registered: Nov 2004 | Distribution: Fedora Core 2 | Posts: 330
Dear friends,
I am wondering about my DNAT statement:
$IPT -t nat -A PREROUTING -i $EXTDEV -p TCP --dport 80 \
-j DNAT --to 192.168.0.100
As for the dport number, can I just put anything such as 900 or 800, if I don't want it to be port 80?
thanks~

#15 | 09-11-2006, 05:04 AM | Member (amitsharma_26) | Registered: Sep 2005 | Location: New delhi | Distribution: RHEL 3.0/4.0 | Posts: 777
Quote (Originally Posted by Niceman2005):
$IPT -t nat -A PREROUTING -i $EXTDEV -p TCP --dport 80 \
-j DNAT --to 192.168.0.100
As for the dport number, can I just put anything such as 900 or 800, if I don't want it to be port 80?
Yes. But in this case all of your queries (from clients) for browsing $EXTDEV should also point to this different port, e.g. "http://$EXTDEV:<custom-port>" on the client side.