LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-04-2006, 11:50 PM   #1
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Rep: Reputation: 30
My DNAT/port forwarding isn't working


Dear friends,

I just tried to do what everyone tries to do: I want to forward port 80 access on one machine to another machine within the same LAN. Ultimately I want to do it for access from outside, but currently I even fail at doing it between two machines in the same LAN.

I refer to the machine hosting the web server as LAN1 (LAN1DEV);
the other machine, hosting the iptables firewall, is LAN2 (LAN2DEV).

so i have the rules:

iptables -t nat -A PREROUTING --dst LAN2 -p tcp --dport 80 -j DNAT --to-destination LAN1

iptables -t nat -A POSTROUTING -p tcp --dst LAN1 --dport 80 -j SNAT --to-source LAN2

$IPT -A FORWARD -p tcp -i $LAN2DEV -d LAN2 --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -o $LAN1DEV -s LAN1 --sport 80 -m state --state NEW -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward
/etc/sysctl.conf ipv4.ip_fwd has been set to 1

I thought I had done everything right, but it's still not working.
Does it have to do with the default gateway?

Thanks for taking the time to help!

Regards
Y
 
Old 09-05-2006, 12:11 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
First I don't see any rules in the FORWARD chain to allow traffic that is in the ESTABLISHED/RELATED states, but maybe you just omitted it from the post.

Second, I believe your POSTROUTING is incorrect. It would appear that you have the incoming traffic to LAN2 get DNAT'ed to LAN1, and these packets are then SNAT'ed to appear to come from LAN2 (as they leave LAN2 for LAN1). That's not how you want to do it. It's important that the incoming packets still have the original source address when they get sent from LAN2 to LAN1; that way, when LAN1 sends back a reply, it gets addressed to the original source. If the reply is instead addressed to LAN2, then LAN2 gets confused when it gets the reply packet and doesn't know to forward it (the conntrack table will have an entry for the original host and LAN1). The key with SNATing is to change the source address on the reply packet when it is leaving LAN2 to go to the original host. So you'd want to change the rule to:

iptables -t nat -A POSTROUTING -p tcp --src LAN1 --dport 80 -j SNAT --to-source LAN2
 
Old 09-05-2006, 10:07 PM   #3
Niceman2005
Dear Captain,

Thanks for your help, I got it working now. Now I am trying to do the same thing for external access; I have these rules:


where 192.168.0.100 is my webserver in my LAN


$IPT -t nat -A PREROUTING -p tcp -i $EXTDEV -d $EXTIP --dport 80 -j DNAT --to 192.168.0.100:80

$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 -m state --state NEW --dport 80 -j ACCEPT


I thought these two rules should be enough to direct external access to my internal web server?
It didn't work. I hope someone can help, thanks!

Regards
Y
 
Old 09-06-2006, 07:15 AM   #4
Capt_Caveman
Both of those rules look correct, so that looks like it should work (though you didn't show any SNAT rules or an outgoing FORWARD rule). Can you post the entire ruleset so that we can see everything in context? You may have some other rules that are causing problems.
 
Old 09-07-2006, 12:04 AM   #5
Niceman2005
Hi friends,

Below is the firewall script. OK, actually the main aim is to allow external access to a web-based CCTV server with IP 192.168.9.3. From the local LAN inside the firewall, we can just type 192.168.9.3 to get to the CCTV web interface, so I tried to allow anyone from outside to type the external IP of the firewall machine and reach our web-based CCTV hosted on 192.168.9.3. In this case I hope they can just type 66.88.77.55:8080 (I have set the DNAT on port 8080 to go to port 80 of the LAN CCTV server) and be directed to the CCTV web interface.

The CCTV uses ports 9000, 9001, 9002, 9003 and 80. I have set up DNAT for all these ports and forwarding rules.
As for the CCTV server itself, I have set its default gateway to my firewall LAN IP 192.168.9.100.
I believed I had set everything right to be able to access the CCTV web-based interface from outside, but it didn't work.
I looked right, left, up and down and still couldn't get it working.
If you spot any mistake, please correct me. Thanks a lot!




# Assumed path to the iptables binary; the posted excerpt uses $IPT without defining it
IPT="/sbin/iptables"

# First External Interface Streamyx
EXTDEV="eth0"
EXTIP="66.88.77.55"
#EXTBASE=""
#EXTBCAST=""
#EXTGATE=""

# BO Interface BackOffice
BODEV="eth1"
BOIP="192.168.9.100"
BOGATE="192.168.9.254"

CCTVIP="192.168.9.3"


#Prerouting chain

if [ -n "$CCTVIP" ]
then
    # Outside port 8080 goes to the CCTV web interface on port 80, as described above;
    # without the explicit :80 the DNAT'ed packet would keep its original port 8080
    $IPT -t nat -A PREROUTING -i $EXTDEV -p tcp -d $EXTIP --dport 8080 -j DNAT --to-destination $CCTVIP:80
    # The streaming ports are forwarded to the same port number on the CCTV server
    for port in 9000 9001 9002 9003
    do
        $IPT -t nat -A PREROUTING -i $EXTDEV -p tcp -d $EXTIP --dport $port -j DNAT --to-destination $CCTVIP
    done
fi


# Replies and related traffic of forwarded connections, in both directions
$IPT -A FORWARD -i $EXTDEV -o $BODEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $EXTDEV -o $BODEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $BODEV -o $EXTDEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $BODEV -o $EXTDEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

# New connections from outside to the CCTV server (after DNAT the destination is $CCTVIP)
for port in 9000 9001 9002 9003 80
do
    $IPT -A FORWARD -i $EXTDEV -o $BODEV -d $CCTVIP -p tcp --dport $port -j ACCEPT
done

# Traffic addressed to the firewall itself
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -j DROP

# Traffic originating from the firewall itself
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -j DROP

echo "* IPTABLES RULES ARE ASSIGNED SUCCESSFULLY *"
iptables-save > /etc/sysconfig/iptables
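An added example, not code from the thread: a small Python checker for an iptables-save style dump that catches two things worth verifying in a ruleset like the one in this post, a DNAT target given without a port while the external port (8080) differs from the port the FORWARD rule accepts (80), and a FORWARD chain with no ESTABLISHED,RELATED rule. The sample dump is constructed from the values in this post, not captured from a live system.

```python
import re

# Constructed sample in iptables-save style, modelled on the script posted above
# (addresses and interfaces are the ones from that post, not a live dump).
SAMPLE_RULES = """
-A PREROUTING -i eth0 -p tcp -d 66.88.77.55 --dport 8080 -j DNAT --to-destination 192.168.9.3
-A PREROUTING -i eth0 -p tcp -d 66.88.77.55 --dport 9000 -j DNAT --to-destination 192.168.9.3
-A FORWARD -i eth0 -o eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.9.3 -p tcp --dport 9000 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.9.3 -p tcp --dport 80 -j ACCEPT
"""
# Same ruleset with the mapping the post describes (8080 outside -> 80 on the CCTV host).
FIXED_RULES = SAMPLE_RULES.replace("--dport 8080 -j DNAT --to-destination 192.168.9.3",
                                   "--dport 8080 -j DNAT --to-destination 192.168.9.3:80")

OPT = re.compile(r"(--?[a-z-]+)\s+(\S+)")

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {'chain': ..., 'opts': {flag: value}}."""
    m = re.match(r"-A\s+(\S+)\s*(.*)", line.strip())
    return {"chain": m.group(1), "opts": dict(OPT.findall(m.group(2)))} if m else None

def check_forwarding(dump):
    """Return a list of findings about DNAT/FORWARD consistency (empty = looks sane)."""
    rules = [r for r in map(parse_rule, dump.splitlines()) if r]
    fwd = [r["opts"] for r in rules if r["chain"] == "FORWARD" and r["opts"].get("-j") == "ACCEPT"]
    findings = []
    if not any("ESTABLISHED" in o.get("--state", "") for o in fwd):
        findings.append("FORWARD has no ESTABLISHED,RELATED accept: reply packets will be dropped")
    delivered = set()  # (host, port) pairs that some DNAT rule actually sends traffic to
    for r in rules:
        o = r["opts"]
        if r["chain"] != "PREROUTING" or o.get("-j") != "DNAT":
            continue
        host, _, port = (o.get("--to-destination") or o.get("--to", "")).partition(":")
        port = port or o.get("--dport")  # no explicit port: the original dport is kept
        delivered.add((host, port))
        if not any(f.get("-d") == host and f.get("--dport") == port for f in fwd):
            findings.append(f"DNAT dport {o.get('--dport')} -> {host}:{port} has no FORWARD ACCEPT "
                            f"for that port; if the service listens elsewhere, use --to-destination {host}:<port>")
    for f in fwd:
        if "-d" in f and "--dport" in f and (f["-d"], f["--dport"]) not in delivered:
            findings.append(f"FORWARD ACCEPT for {f['-d']}:{f['--dport']} is never reached by any DNAT rule")
    return findings

if __name__ == "__main__":
    for line in check_forwarding(SAMPLE_RULES) or ["no findings"]:
        print(line)
```

Run against `iptables-save -t nat` plus the filter table on the firewall, the same checks apply to a real dump.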
 
Old 09-08-2006, 09:33 AM   #6
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Quote:
Originally Posted by Niceman2005
where 192.168.0.100 is my webserver in my LAN
Listen, dear,
you have to understand one basic thing:
if your firewall box is acting as the gateway for your 192.168.0.100 box --> then you do not need any POSTROUTING/SNAT rule.

And if you do not have this firewall box's LAN Ethernet IP as its gateway, then you have to run both PREROUTING and POSTROUTING.

And during the same process,
the PREROUTING chain happens first, then
the FORWARD chain comes,
and then finally POSTROUTING.

So you have to look after your FORWARD chain as well.

Tell me one thing first: do you have your firewall box's LAN IP as the gateway IP on 192.168.0.100 or not?


Though I suggest http://amitsharma.linuxbloggers.com/portforwarding.htm, which will surely be a great help with this.

With best regards,
Amit..
www.amitsharma.linuxbloggers.com

Last edited by amitsharma_26; 09-16-2006 at 04:16 PM.
 
Old 09-10-2006, 09:46 AM   #7
Niceman2005
Dear amitsharma_26

Thanks a lot for your kind assistance. In regard to your question, yes, I have set the gateway for 192.168.0.100 as my firewall LAN IP.

So, it's similar to the first scenario on the website you provided. So I should have got it right with the rules I wrote in the previous thread:

$IPT -t nat -A PREROUTING -p tcp -i $EXTDEV -d $EXTIP --dport 80 -j DNAT --to 192.168.0.100:80

$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 -m state --state NEW --dport 80 -j ACCEPT

$IPT -A FORWARD -i $EXTDEV -o $BODEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $BODEV -o $EXTDEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

thanks !
 
Old 09-10-2006, 10:06 AM   #8
amitsharma_26
Quote:
Originally Posted by Niceman2005

$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 -m state --state NEW --dport 80 -j ACCEPT

$IPT -A FORWARD -i $EXTDEV -o $BODEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $BODEV -o $EXTDEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

thanks !
what is this interface $BODEV ?

The PREROUTING rule and the first forwarding rule are absolutely fine; but as I am not aware of that $BODEV interface, I cannot comment on the last 2 rules.

BTW are you still facing any problems with these above rules ?
 
Old 09-10-2006, 08:06 PM   #9
Niceman2005
Dear amitsharma_26

I am really sorry, I copied the wrong script (the BODEV should be INTDEV); the following is the one after correction.

$IPT -t nat -A PREROUTING -p tcp -i $EXTDEV -d $EXTIP --dport 80 -j DNAT --to 192.168.0.100:80

$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 -m state --state NEW --dport 80 -j ACCEPT

$IPT -A FORWARD -i $EXTDEV -o $INTDEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $INTDEV -o $EXTDEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

Really sorry. thanks a lot once again for your help.

Regards
Y
 
Old 09-10-2006, 08:44 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Niceman2005
Dear amitsharma_26

I am really sorry, I copied the wrong script (the BODEV should be INTDEV); the following is the one after correction.

$IPT -t nat -A PREROUTING -p tcp -i $EXTDEV -d $EXTIP --dport 80 -j DNAT --to 192.168.0.100:80

$IPT -A FORWARD -p tcp -i $EXTDEV -o $INTDEV -d 192.168.0.100 -m state --state NEW --dport 80 -j ACCEPT

$IPT -A FORWARD -i $EXTDEV -o $INTDEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $INTDEV -o $EXTDEV -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

Really sorry. thanks a lot once again for your help.

Regards
Y
hi, just wanted to let you know that these rules can be simplified as follows:
Code:
$IPT -t nat -A PREROUTING -i $EXTDEV -p TCP --dport 80 \
-j DNAT --to 192.168.0.100

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $EXTDEV -o $INTDEV -p TCP -d 192.168.0.100 \
--dport 80 -m state --state NEW -j ACCEPT

$IPT -t nat -A POSTROUTING -o $EXTDEV -j SNAT --to $EXTIP

Last edited by win32sux; 09-10-2006 at 08:46 PM.
 
Old 09-10-2006, 08:51 PM   #11
Niceman2005
Thanks a lot friend!
 
Old 09-11-2006, 03:15 AM   #12
amitsharma_26
Quote:
Originally Posted by win32sux
hi, just wanted to let you know that these rules can be simplified as follows:
Code:
$IPT -t nat -A PREROUTING -i $EXTDEV -p TCP --dport 80 \
-j DNAT --to 192.168.0.100

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $EXTDEV -o $INTDEV -p TCP -d 192.168.0.100 \
--dport 80 -m state --state NEW -j ACCEPT

$IPT -t nat -A POSTROUTING -o $EXTDEV -j SNAT --to $EXTIP
What is the need for a POSTROUTING rule in the above case? Can anyone justify it?
The LAN-hosted web server already has the firewall acting as its gateway.

The other three rules are enough for you to host your LAN-based web server for Internet clients.
 
Old 09-11-2006, 03:29 AM   #13
win32sux
Quote:
Originally Posted by amitsharma_26
What is the need of a POSTROUTING rule in the above case ? Can any one justify it ?
Lan hosted webserver already has the firewall acting as its gateway.

Rest of the three rules are enough for you to host your lan based webserver for the internet clients.
hi... could you please elaborate a little about why you think the rule isn't needed?? even though i provided it only for clarity's sake, i cannot understand why it wouldn't be needed... why would you want packets going out through the firewall to maintain their internal IPs?? just wondering...

BTW, i assumed these rules were running on a firewall/gateway in front of a web server on a LAN... let me know if that is not the case...

Last edited by win32sux; 09-11-2006 at 03:31 AM.
 
Old 09-11-2006, 04:54 AM   #14
Niceman2005
Dear friends,

I am wondering about my DNAT statement:
$IPT -t nat -A PREROUTING -i $EXTDEV -p TCP --dport 80 \
-j DNAT --to 192.168.0.100

As for the --dport port number, can I just put anything, such as 900 or 800, if I don't want it to be port 80?

thanks~
 
Old 09-11-2006, 05:04 AM   #15
amitsharma_26
Quote:
Originally Posted by Niceman2005

$IPT -t nat -A PREROUTING -i $EXTDEV -p TCP --dport 80 \
-j DNAT --to 192.168.0.100

as for the dport port number, can i just put anything such as 900 or 800? If i don't want it to be port 80...
Yes. But in this case all of your queries (from clients) for browsing $EXTDEV should also point to this different port, e.g. "http://$EXTDEV:<custom-port>" on the client side.
 
  

