* port translation
From: Romain Moyne @ 2004-01-11 10:21 UTC
  To: netfilter

Hello,

I'm French and my English is bad ;)

I have an http server (Debian 3.0) behind a router (Debian 3.0). I have a 
problem when I want to log the visitor's IP on my website with PHP or 
Perl or any language. I always get the IP of my router! Somebody told 
me that I must do port translation, but I have searched and I haven't 
found anything.
Can you help me?
These are the rules of my router:

iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
  --to-destination 192.168.0.3:80

Romain

* Re: [despammed] port translation
From: Andreas Kretschmer @ 2004-01-11 10:46 UTC
  To: netfilter

On Sun, 11.01.2004, at 11:21:17 +0100, Romain Moyne wrote the following:
> Hello,
> 
> I'm French and my English is bad ;)

I'm German and my English is bad, too ;-)

> I have an http server (Debian 3.0) behind a router (Debian 3.0). I have a 
> problem when I want to log the visitor's IP on my website with PHP or 
> Perl or any language. I always get the IP of my router! Somebody told 
> me that I must do port translation, but I have searched and I haven't 
> found anything.
> Can you help me?
> These are the rules of my router:
> 
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
>   --to-destination 192.168.0.3:80

With this rule you do a 'DNAT'; the webserver can only see the
source IP of your router.

You can install a webserver or a proxy for your webserver on the
router, then you can see the visitor's IP and you can log this.

Another way is to analyse the logged packets on the router.


Andreas
-- 
This message was created with the kind support of a free-range penguin
from species-appropriate open-air husbandry. It is guaranteed free
of Micro$oft viruses. (#97922 http://counter.li.org)     GPG 7F4584DA
What, you don't know where Kaufbach is? Here: N 51.05082°, E 13.56889° ;-)

* Re: [despammed] port translation
From: Romain Moyne @ 2004-01-11 11:03 UTC
  To: Andreas Kretschmer; +Cc: netfilter

Andreas Kretschmer wrote:

> On Sun, 11.01.2004, at 11:21:17 +0100, Romain Moyne wrote the following:
>
>> Hello,
>>
>> I'm French and my English is bad ;)
>
> I'm German and my English is bad, too ;-)
>
>> I have an http server (Debian 3.0) behind a router (Debian 3.0). I have a 
>> problem when I want to log the visitor's IP on my website with PHP or 
>> Perl or any language. I always get the IP of my router! Somebody told 
>> me that I must do port translation, but I have searched and I haven't 
>> found anything.
>> Can you help me?
>> These are the rules of my router:
>>
>> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
>>   --to-destination 192.168.0.3:80
>
> With this rule you do a 'DNAT'; the webserver can only see the
> source IP of your router.
>
> You can install a webserver or a proxy for your webserver on the
> router, then you can see the visitor's IP and you can log this.
>
> Another way is to analyse the logged packets on the router.
>
> Andreas

Isn't there another possibility? Must I install a proxy? (Will a proxy
on a Pentium 133 MHz run badly?)

* Re: [despammed] port translation
From: Andreas Kretschmer @ 2004-01-11 11:28 UTC
  To: netfilter

On Sun, 11.01.2004, at 12:03:57 +0100, Romain Moyne wrote the following:
> Andreas Kretschmer wrote:
> >> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
> >>   --to-destination 192.168.0.3:80
> >
> > With this rule you do a 'DNAT'; the webserver can only see the
> > source IP of your router.
> >
> > You can install a webserver or a proxy for your webserver on the
> > router, then you can see the visitor's IP and you can log this.
> >
> > Another way is to analyse the logged packets on the router.
> >
> > Andreas
>
> Isn't there another possibility? Must I install a proxy? (Will a proxy
> on a Pentium 133 MHz run badly?)

You can use "... -j ULOG" before the PREROUTING rule to hand the packets to a
userspace program for logging and analysis.

If you have enough memory, you can also use a proxy without caching.


Sorry, but I have no experience with the ULOG target, and I can't say more
about the throughput of a proxy like Squid, but I think that with 64 MByte
RAM this is no problem.


Andreas
-- 
This message was created with the kind support of a free-range penguin
from species-appropriate open-air husbandry. It is guaranteed free
of Micro$oft viruses. (#97922 http://counter.li.org)     GPG 7F4584DA
What, you don't know where Kaufbach is? Here: N 51.05082°, E 13.56889° ;-)

* Re: port translation
From: Antony Stone @ 2004-01-11 11:37 UTC
  To: netfilter

On Sunday 11 January 2004 10:21 am, Romain Moyne wrote:

> Hello,
>
> I'm French and my English is bad ;)
>
> I have an http server (Debian 3.0) behind a router (Debian 3.0). I have a
> problem when I want to log the visitor's IP on my website with PHP or
> Perl or any language. I always get the IP of my router! Somebody told
> me that I must do port translation, but I have searched and I haven't
> found anything.
> Can you help me?
> These are the rules of my router:
>
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
>   --to-destination 192.168.0.3:80

Do you have another rule, in your POSTROUTING chain, for allowing packets out 
of your network?   Something such as:

iptables -A POSTROUTING -t nat -j MASQUERADE

or maybe

iptables -A POSTROUTING -t nat -j SNAT --to MyIP

If you do, then simply change this rule to specify the external interface of 
your firewall, so that it doesn't do SNAT on packets coming in towards your 
webserver.   For example:

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
or
iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to MyIP

assuming that eth0 is your external interface.

Antony.

-- 
My New Year's resolution is not to make any resolutions I can't keep.

I'm wondering whether I've failed already.

                                                     Please reply to the list;
                                                           please don't CC me.

* Re: port translation
From: Cedric Blancher @ 2004-01-11 12:43 UTC
  To: Romain Moyne; +Cc: netfilter

On Sun 11/01/2004 at 11:21, Romain Moyne wrote:
> I have an http server (Debian 3.0) behind a router (Debian 3.0). I have a 
> problem when I want to log the visitor's IP on my website with PHP or 
> Perl or any language. I always get the IP of my router! Somebody told 
> me that I must do port translation, but I have searched and I haven't 
> found anything.
> Can you help me?
> These are the rules of my router:
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
>   --to-destination 192.168.0.3:80

You have a problem here. This single rule does not prevent your
webserver from seeing the client IP as source, as you only modify the
destination IP.

You may have a SNAT rule in the POSTROUTING chain that is not restrictive
enough and also SNATs incoming traffic to your router's IP when it should
not.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 

* Re: port translation
From: Romain Moyne @ 2004-01-11 12:53 UTC
  To: Cedric Blancher; +Cc: netfilter

Cedric Blancher wrote:

> On Sun 11/01/2004 at 11:21, Romain Moyne wrote:
>
>> I have an http server (Debian 3.0) behind a router (Debian 3.0). I have a 
>> problem when I want to log the visitor's IP on my website with PHP or 
>> Perl or any language. I always get the IP of my router! Somebody told 
>> me that I must do port translation, but I have searched and I haven't 
>> found anything.
>> Can you help me?
>> These are the rules of my router:
>> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
>>   --to-destination 192.168.0.3:80
>
> You have a problem here. This single rule does not prevent your
> webserver from seeing the client IP as source, as you only modify the
> destination IP.
>
> You may have a SNAT rule in the POSTROUTING chain that is not restrictive
> enough and also SNATs incoming traffic to your router's IP when it should
> not.

Ok. I begin to understand... Now I have corrected my rules:
iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet

But now I have a new problem: my router, my http server and my
workstation are connected with a hub.

                    ppp0              eth0
INTERNET ------------------ 192.168.0.1 (router) ------------------ 192.168.0.3 (http server)
                                                          |
                                                          |
                                                          |
                                                192.168.0.2 (workstation)

I can't access my webserver from my workstation and it is very painful....
Can you still help me? :-D

Romain

* Re: port translation
From: Antony Stone @ 2004-01-11 13:03 UTC
  To: netfilter

On Sunday 11 January 2004 12:53 pm, Romain Moyne wrote:

> Ok. I begin to understand... Now I have corrected my rules:
> iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet

That looks better.

> But now I have a new problem: my router, my http server and my
> workstation are connected with a hub.
>
>                     ppp0              eth0
> INTERNET -------- 192.168.0.1 (router) -------- 192.168.0.3 (http server)
>                                                       |
>                                             192.168.0.2 (workstation)
>
> I can't access my webserver from my workstation and it is very painful....

Are you trying to access the webserver by IP address or by hostname?

If by IP address, make sure it is the private (real) address.

If by hostname, make sure your DNS correctly resolves internal queries to the 
internal address and external queries to the external address.

The correct solution to this problem, of course, is that you should have your 
web server on a separate ("DMZ") interface, because it is accessible from 
both the internal and external networks, and should be kept separate from 
both, for both security and routing reasons.

Regards,

Antony.

-- 
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

                                                     Please reply to the list;
                                                           please don't CC me.

* Re: port translation
From: Cedric Blancher @ 2004-01-11 13:32 UTC
  To: Romain Moyne; +Cc: netfilter

On Sun 11/01/2004 at 13:53, Romain Moyne wrote:
> Ok. I begin to understand... Now I have corrected my rules:
> iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet

OK, fine. Now it should work ;)

> But now I have a new problem: my router, my http server and my 
> workstation are connected with a hub.
[Snip ASCII art]
> I can't access my webserver from my workstation and it is very painful....
> Can you still help me? :-D

To complete Antony's answer, trying to reach your webserver from your
LAN with its public IP is a common issue that constitutes a FAQ.

We will describe what happens when your workstation (WS) tries to
connect to your webserver (WB) via your router's (R) public IP (PPP0).

	WS sends a SYN to R, port 80
		SYN : WS -> PPP0

	R receives the SYN and DNATs it to WB, port 80
		SYN : WS -> WB

	WB receives the SYN and answers.
		SYN,ACK : WB -> WS

But, as WB and WS are on the same network, WB answers directly to WS,
without using R as gateway. So WS receives a SYN,ACK from WB, but was
waiting for a SYN,ACK from PPP0. That's why the connection fails.

To address this issue, you have to SNAT this kind of connection on the
router so that WB answers through R:

	iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0

I completely agree with Antony's advice on DMZ use. From a security point of
view, redirecting a service within the LAN is a major architectural flaw.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 
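The two NAT effects discussed in this thread, the over-broad POSTROUTING SNAT/MASQUERADE that Antony and Cedric suspect (it rewrites the source of DNAT'd packets, so the webserver logs the router's address) and the hairpin case Cedric walks through above (the SYN,ACK comes straight from WB instead of from PPP0), replayed in a small Python model of the router's NAT path. This is an added example, not code from anyone in the thread. The Packet, Rule and Router classes are a constructed simplification of netfilter (first matching rule wins, one conntrack entry per SYN, a hub on which LAN hosts reach each other without the router); 203.0.113.10 is a constructed stand-in for the router's public address and 198.51.100.7 a constructed Internet client; the LAN addresses are the ones in Romain's diagram, and Antony's $LAN and $ETH0 values fill in Cedric's rule.

```python
"""Toy model of the router's NAT path: DNAT in PREROUTING, routing, SNAT in
POSTROUTING, and conntrack undoing it on the reply.  Added illustration for
this thread, not code from any list member; 203.0.113.10 is a constructed
stand-in for the router's public ppp0 address (the page's "MyIP")."""
from dataclasses import dataclass, replace as with_fields
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

PUBLIC = "203.0.113.10"      # router, ppp0 (constructed)
ROUTER_LAN = "192.168.0.1"   # router, eth0
WEB = "192.168.0.3"          # http server
WS = "192.168.0.2"           # workstation
LAN = ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One nat-table rule; match fields left as None are wildcards."""
    chain: str                             # "PREROUTING" or "POSTROUTING"
    target: str                            # "DNAT", "SNAT" or "MASQUERADE"
    to: Optional[str] = None               # --to address (MASQUERADE ignores it)
    dst: Optional[str] = None              # -d
    dport: Optional[int] = None            # --dport
    src_net: Optional[IPv4Network] = None  # -s
    out_if: Optional[str] = None           # -o

    def matches(self, p: Packet, out_if: Optional[str]) -> bool:
        return ((self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (self.src_net is None or ip_address(p.src) in self.src_net)
                and (self.out_if is None or out_if == self.out_if))


class Router:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # (dst, src) as the router sent it on -> (dst, src) as the packet arrived
        self.conntrack = {}

    def forward(self, p: Packet) -> Packet:
        arrived = p
        for r in self.rules:                         # PREROUTING: first DNAT match wins
            if r.chain == "PREROUTING" and r.matches(p, None):
                p = with_fields(p, dst=r.to)
                break
        out_if = "eth0" if ip_address(p.dst) in LAN else "ppp0"   # routing decision
        for r in self.rules:                         # POSTROUTING: first SNAT match wins
            if r.chain == "POSTROUTING" and r.matches(p, out_if):
                masq = ROUTER_LAN if out_if == "eth0" else PUBLIC  # outgoing interface's address
                p = with_fields(p, src=masq if r.target == "MASQUERADE" else r.to)
                break
        self.conntrack[(p.dst, p.src)] = (arrived.dst, arrived.src)
        return p

    def reverse(self, reply: Packet) -> Packet:
        """Undo the translation for a reply that comes back through the router."""
        new_src, new_dst = self.conntrack.get((reply.src, reply.dst), (reply.src, reply.dst))
        return with_fields(reply, src=new_src, dst=new_dst)


def connect(client: str, rules: List[Rule]) -> Tuple[str, str]:
    """SYN from `client` to PUBLIC:80, then the webserver's SYN,ACK.  Returns
    (source the webserver logs, source the client sees on the SYN,ACK); the
    client only completes the handshake when the second value is PUBLIC."""
    router = Router(rules)
    at_web = router.forward(Packet(src=client, dst=PUBLIC, dport=80))  # PUBLIC is off-link for all hosts
    synack = Packet(src=at_web.dst, dst=at_web.src, dport=0)
    # On the hub the webserver hands a reply for a LAN host straight to it; only a
    # reply addressed to the router itself or to the outside goes back through NAT.
    if ip_address(synack.dst) in LAN and synack.dst != ROUTER_LAN:
        return at_web.src, synack.src
    return at_web.src, router.reverse(synack).src


def handshake_ok(client: str, rules: List[Rule]) -> bool:
    return connect(client, rules)[1] == PUBLIC


# The thread's rules in model form
DNAT_WEB = Rule("PREROUTING", "DNAT", to=WEB, dst=PUBLIC, dport=80)
MASQ_ALL = Rule("POSTROUTING", "MASQUERADE")                        # suspected leftover, no -o
SNAT_OUT = Rule("POSTROUTING", "SNAT", to=PUBLIC, out_if="ppp0")   # Romain's corrected rule
HAIRPIN = Rule("POSTROUTING", "SNAT", to=ROUTER_LAN, src_net=LAN, dst=WEB)  # Cedric's rule, Antony's values
INTERNET_CLIENT = "198.51.100.7"                                   # constructed

if __name__ == "__main__":
    for label, client, rules in [
        ("internet client, MASQUERADE without -o", INTERNET_CLIENT, [DNAT_WEB, MASQ_ALL]),
        ("internet client, SNAT -o ppp0", INTERNET_CLIENT, [DNAT_WEB, SNAT_OUT]),
        ("workstation, no hairpin rule", WS, [DNAT_WEB, SNAT_OUT]),
        ("workstation, hairpin rule added", WS, [DNAT_WEB, SNAT_OUT, HAIRPIN])]:
        seen, synack_from = connect(client, rules)
        print(f"{label:40} web logs {seen:13} SYN,ACK from {synack_from:13} "
              f"{'ok' if handshake_ok(client, rules) else 'FAILS'}")
```

Running it prints four rows: the unrestricted MASQUERADE case logs 192.168.0.1 on the webserver (Romain's original complaint), the `-o ppp0` form logs the real client, the workstation without the hairpin rule gets its SYN,ACK from 192.168.0.3 and the handshake fails, and with Cedric's rule added the handshake completes but the webserver now logs 192.168.0.1 for LAN clients. That last row is the price of hairpin SNAT: LAN visitors are recorded as the router, which is one more reason for the separate DMZ interface that both Antony and Cedric recommend.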


* Re: port translation
From: Romain Moyne @ 2004-01-11 13:45 UTC
  To: Cedric Blancher; +Cc: netfilter

Cedric Blancher wrote:

> On Sun 11/01/2004 at 13:53, Romain Moyne wrote:
>
>> Ok. I begin to understand... Now I have corrected my rules:
>> iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source My_ip_on_internet
>
> OK, fine. Now it should work ;)
>
>> But now I have a new problem: my router, my http server and my 
>> workstation are connected with a hub.
> [Snip ASCII art]
>> I can't access my webserver from my workstation and it is very painful....
>> Can you still help me? :-D
>
> To complete Antony's answer, trying to reach your webserver from your
> LAN with its public IP is a common issue that constitutes a FAQ.
>
> We will describe what happens when your workstation (WS) tries to
> connect to your webserver (WB) via your router's (R) public IP (PPP0).
>
>	WS sends a SYN to R, port 80
>		SYN : WS -> PPP0
>
>	R receives the SYN and DNATs it to WB, port 80
>		SYN : WS -> WB
>
>	WB receives the SYN and answers.
>		SYN,ACK : WB -> WS
>
> But, as WB and WS are on the same network, WB answers directly to WS,
> without using R as gateway. So WS receives a SYN,ACK from WB, but was
> waiting for a SYN,ACK from PPP0. That's why the connection fails.
>
> To address this issue, you have to SNAT this kind of connection on the
> router so that WB answers through R:
>
>	iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0

What must I write instead of $LAN and $ETH0?

> I completely agree with Antony's advice on DMZ use. From a security point of
> view, redirecting a service within the LAN is a major architectural flaw.

* Re: port translation
From: Antony Stone @ 2004-01-11 13:55 UTC
  To: netfilter

On Sunday 11 January 2004 1:45 pm, Romain Moyne wrote:

> Cedric Blancher wrote:
>
> >	iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
>
> What must I write instead of $LAN and $ETH0?

$LAN is the network range of the machines you might have packets coming from 
(note it is the source address in the above rule) and $ETH0 is the IP address 
of the interface on your netfilter machine.

Perhaps $LAN=192.168.0.0/24 and $ETH0=192.168.0.1 for your network?

Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

                                                     Please reply to the list;
                                                           please don't CC me.

* Re: port translation
From: Romain Moyne @ 2004-01-11 14:03 UTC
  To: Antony Stone; +Cc: netfilter

Antony Stone wrote:

> On Sunday 11 January 2004 1:45 pm, Romain Moyne wrote:
>
>> Cedric Blancher wrote:
>>
>>>	iptables -t nat -A POSTROUTING -s $LAN -d $WB -j SNAT --to $ETH0
>>
>> What must I write instead of $LAN and $ETH0?
>
> $LAN is the network range of the machines you might have packets coming from 
> (note it is the source address in the above rule) and $ETH0 is the IP address 
> of the interface on your netfilter machine.
>
> Perhaps $LAN=192.168.0.0/24 and $ETH0=192.168.0.1 for your network?
>
> Antony.

Thanks to everybody! It works fine now ;)
Thank you

Romain

* Re: port translation
From: Bill Davidsen @ 2004-01-16 22:32 UTC
  To: netfilter

Romain Moyne wrote:
> Hello,
> 
> I'm French and my English is bad ;)
> 
> I have an http server (Debian 3.0) behind a router (Debian 3.0). I have a 
> problem when I want to log the visitor's IP on my website with PHP or 
> Perl or any language. I always get the IP of my router! Somebody told 
> me that I must do port translation, but I have searched and I haven't 
> found anything.
> Can you help me?
> These are the rules of my router:
> 
> iptables -t nat -A PREROUTING -d MyIP -p tcp --dport 80 -j DNAT \
>   --to-destination 192.168.0.3:80

Something wrong here... you would see the IP of the router if you were 
doing MASQUERADE, but not with DNAT. I have a similar setup, and my mail 
server filters LOTS of addresses by IP.

You should be sure you don't have a leftover MASQUERADE (or SNAT) rule 
which is being used, then run tcpdump on the internal NIC of the router 
and catch the packets as they leave. DNAT does just what you want, and I 
have a fair number of machines running as routers which don't have this 
problem.

-- 
bill davidsen <davidsen@tmr.com>
   CTO TMR Associates, Inc
   Doing interesting things with small computers since 1979