* Port forwarding with iptables
From: KUCKAERTZ Régis - NVISION @ 2004-09-01 15:47 UTC (permalink / raw)
To: netfilter-devel
Hello,
Our ISP only allows connections coming from a well-defined list of IP
addresses. Since we must be able to log on to our servers no matter where we
are, I just thought using iptables on one host having one of the authorized
IP addresses would be the solution.
So I went on reading iptables docs and howtos, but as you might guess I
couldn't work out how to do it exactly. Let me state it precisely: every
incoming connection to, say, port 3999 of my host ($HOST_IP) should be
forwarded to port 123 of the protected server ($SERVER_IP). I tried the
following two rules:
$IPTABLES -t nat -A PREROUTING -p tcp --dst $HOST_IP --dport 3999 -j DNAT --to-destination $SERVER_IP:123
This one should do the forwarding
$IPTABLES -t nat -A POSTROUTING -p tcp --dst $SERVER_IP --dport 123 -j MASQUERADE
... and this one should masquerade
As I'm new to iptables, I don't yet know every aspect that I must be
careful of, so as a first tip, can anybody tell me what the exact
solution would be?
I have set IP forwarding to 1 in /proc/sys/net/ipv4/ip_forward
Best regards,
Régis KUCKAERTZ
-----------------------------------------
NVISION sa - Luxembourg
Internet Services & Network Programming
50, rue des Prés
L-7333 Steinsel
Tél: (+352) 26 34 09 08
Fax: (+352) 26 34 09 07
http://www.nvision.lu/
* Re: Port forwarding with iptables
From: Henrik Nordstrom @ 2004-09-02 8:28 UTC (permalink / raw)
To: KUCKAERTZ Régis - NVISION; +Cc: netfilter-devel
On Wed, 1 Sep 2004, KUCKAERTZ Régis - NVISION wrote:
> $IPTABLES -t nat -A PREROUTING -p tcp --dst $HOST_IP --dport 3999 -j DNAT
> --to-destination $SERVER_IP:123
Ok.
> This one should do the forwarding
>
> $IPTABLES -t nat -A POSTROUTING -p tcp --dst $SERVER_IP --dport 123 -j
> MASQUERADE
>
> ... and this one should masquerade
This should probably be a SNAT.
Please describe your network in a little more detail. Is the station where
you are running NAT a router (two network cards, ISP on one side, internal
stations on other side) or just a host on the network?
Are you trying to connect from the Internet to internal stations/servers
in your Network, or the other way around?
Regards
Henrik
* Re: Port forwarding with iptables
From: Martijn Lievaart @ 2004-09-02 7:24 UTC (permalink / raw)
To: KUCKAERTZ Régis - NVISION; +Cc: netfilter-devel
KUCKAERTZ Régis - NVISION wrote:
>Hello,
>
>Our ISP only allows connections coming from a well-defined list of IP
>addresses. Since we must be able to log on to our servers no matter where we
>are, I just thought using iptables on one host having one of the authorized
>IP addresses would be the solution.
>
>So I went on reading iptables docs and howtos, but as you might guess I
>couldn't stand how to do it exactly. Let's put it correctly stated: every
>incoming connection to, say, port 3999 of my host ($HOST_IP) should be
>forwarded to port 123 of the protected server ($SERVER_IP). I tried the
>following two rules:
>
>$IPTABLES -t nat -A PREROUTING -p tcp --dst $HOST_IP --dport 3999 -j DNAT
>--to-destination $SERVER_IP:123
>
> This one should do the forwarding
>
>
This one looks fine.
>$IPTABLES -t nat -A POSTROUTING -p tcp --dst $SERVER_IP --dport 123 -j
>MASQUERADE
>
> ... and this one should masquerade
>
>
That looks nonsensical; what are you trying to accomplish? Drop this
line of thought. MASQUERADE is for when you connect through a
dynamically assigned IP address, e.g. dial-up.
What you need is a rule in FORWARD to allow the packets to pass.
Assuming you accept ESTABLISHED (and RELATED) packets somewhere, so the
replies are handled automagically, you just need to add a rule like
# by now the packet has been updated with a new destination, allow it in.
$IPTABLES -A FORWARD -p tcp --dst $SERVER_IP --dport 123 -j ACCEPT
BTW, these kinds of questions are better directed to the user list, not the development list.
Cheers,
M4
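The relay described in this sub-thread, as an added example that is not code from any of the posts: a script that renders (and, with the argument `apply`, runs) the rule set for a single host with an allowed address relaying TCP port 3999 to port 123 on the protected server. It uses SNAT as Henrik suggests instead of MASQUERADE, and adds the FORWARD accept rule Martijn describes together with the ESTABLISHED,RELATED rule he assumes is present. The addresses, the variable names and the `apply` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from any post in this thread. It renders the rule set
# for a single host with an allowed address (HOST_IP) that relays TCP
# connections arriving on LISTEN_PORT to TARGET_PORT on SERVER_IP.
# SNAT in POSTROUTING (Henrik's suggestion) rewrites the source to HOST_IP:
# the relay is an ordinary host, not the server's gateway, so without it the
# server would answer the client directly and the connection would never
# complete. All addresses and ports below are constructed placeholders.
HOST_IP="${HOST_IP:-192.0.2.10}"
SERVER_IP="${SERVER_IP:-192.0.2.20}"
LISTEN_PORT="${LISTEN_PORT:-3999}"
TARGET_PORT="${TARGET_PORT:-123}"
IPTABLES="${IPTABLES:-iptables}"

# render_relay_rules: print, one command per line, everything the relay needs.
render_relay_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
$IPTABLES -t nat -A PREROUTING -p tcp -d $HOST_IP --dport $LISTEN_PORT -j DNAT --to-destination $SERVER_IP:$TARGET_PORT
$IPTABLES -t nat -A POSTROUTING -p tcp -d $SERVER_IP --dport $TARGET_PORT -j SNAT --to-source $HOST_IP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $SERVER_IP --dport $TARGET_PORT -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -j DROP
EOF
}

# forward_rules_use_nat_target: return 0 when no FORWARD rule matches on the
# pre-DNAT address HOST_IP (the mistake discussed in the other posts of this
# thread: FORWARD sees the packet after DNAT has rewritten its destination),
# 1 otherwise.
forward_rules_use_nat_target() {
    if render_relay_rules | grep -- '-A FORWARD' | grep -q -- "-d $HOST_IP"; then
        return 1
    fi
    return 0
}

# "sh relay.sh apply" runs the commands (as root); anything else prints them.
case "${1:-show}" in
    apply) forward_rules_use_nat_target && render_relay_rules | sh -e ;;
    *)     render_relay_rules ;;
esac
```

The `-m state --state` matches are the ones used throughout this thread; on current kernels `-m conntrack --ctstate` is the equivalent. The final `-A FORWARD -j DROP` makes the chain's behaviour explicit even when the FORWARD policy is ACCEPT, so only the relayed service and its replies pass.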
* Re: Port Forwarding with iptables
From: Wilson Mak @ 2004-08-23 3:04 UTC (permalink / raw)
To: Nick Drage; +Cc: netfilter
Nick Drage wrote:
>On Fri, Aug 20, 2004 at 06:06:38PM +0800, Wilson Mak wrote:
>>Nick Drage wrote:
>
>Excuse the short answer...
>
>>Thanks to all who helped on this issue. I mistyped the rule here. Yes
>>you guys are right, the rule should be: -d 10.1.0.12. But still it
>>doesn't work. Do I need to enable something in the kernel when using
>>Port-Forwarding?
>
>Try:
>
>echo 1 > /proc/sys/net/ipv4/ip_forward
>
>If you google for that you should find an explanation :)
Yep! I did set this bit to 1. Any other stuff I missed? That's
absolutely weird. It used to work perfectly with ipchains plus
ipmasqadm. Actually, the packets did get forwarded to the internal server (I
captured the packets with ethereal), but it looks like the response packets
can't get through the NAT box.
Thanks,
Wilson
* Re: Port Forwarding with iptables
From: Nick Drage @ 2004-08-20 10:15 UTC (permalink / raw)
To: netfilter
On Fri, Aug 20, 2004 at 06:06:38PM +0800, Wilson Mak wrote:
> Nick Drage wrote:
Excuse the short answer...
> Thanks to all who helped on this issue. I mistyped the rule here. Yes
> you guys are right, the rule should be: -d 10.1.0.12. But still it
> doesn't work. Do I need to enable something in the kernel when using
> Port-Forwarding?
Try:
echo 1 > /proc/sys/net/ipv4/ip_forward
If you google for that you should find an explanation :)
--
"I think a church with a lightning rod shows a decided lack of confidence"
* Re: Port Forwarding with iptables
From: Wilson Mak @ 2004-08-20 10:06 UTC (permalink / raw)
To: Nick Drage; +Cc: netfilter
Nick Drage wrote:
>On Thu, Aug 19, 2004 at 06:57:59PM +0800, Wilson Mak wrote:
>>Hi all,
>>
>>I'd like to do port forwarding with iptables (forward web traffic of an
>>alias IP, <ext ip>, to an internal web server). Here is what I have:
>>
>>iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j DNAT --to 10.1.0.12:80
>>iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state --state NEW -j ACCEPT
>>iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m state --state NEW -j ACCEPT
>>
>>However, it keeps dropping the packets when getting to the NAT box.
>>
>>Logs
>>====
>>(With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)
>>
>>kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
>>TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
>>WINDOW=64240 RES=0x00 SYN URGP=0
>>
>>Any clues? Did I miss something here?
>
>( caveat, this is a quick email during a lunch break at work, so it's
>all "best guess" )
>
>The rules in the PREROUTING table are executed before those in the
>FORWARD table, so the packet has a destination of 10.1.0.12 when it hits
>the FORWARD table. So your third line should be
>
>iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m state --state NEW -j ACCEPT
>
>Let me know how you get on :)
Thanks to all who helped on this issue. I mistyped the rule here. Yes
you guys are right, the rule should be: -d 10.1.0.12. But still it
doesn't work. Do I need to enable something in the kernel when using
Port-Forwarding?
Here is what I have now
===================
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -A PREROUTING -i eth0 -d <ext ip - an alias ip> -p tcp --dport 80 -j DNAT --to 10.1.0.12:80
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Many thanks,
Wilson
* Re: Port Forwarding with iptables
From: Alejandro Flores @ 2004-08-19 16:39 UTC (permalink / raw)
To: Wilson Mak; +Cc: netfilter
Hello Wilson,
> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80
That's ok.
> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT
This rule is only necessary if you have a webserver running on your
firewall.
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT
Oops. You made a mistake. You have added a rule which changes the
destination IP address to your internal webserver, remember? Your
forward rule must specify the internal address as destination.
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12/32 --dport 80 --syn -j ACCEPT
Regards,
--
Alejandro Flores
http://www.triforsec.com.br/
http://www.defenselayer.com/
http://www.nabucodonosor.com/
* Re: Port Forwarding with iptables
From: Nick Drage @ 2004-08-19 11:22 UTC (permalink / raw)
To: netfilter
On Thu, Aug 19, 2004 at 06:57:59PM +0800, Wilson Mak wrote:
> Hi all,
>
> I'd like to do port forwarding with iptables (forward web traffic of an
> alias IP, <ext ip>, to an internal web server). Here is what I have:
>
> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j DNAT --to 10.1.0.12:80
> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m state --state NEW -j ACCEPT
>
> However, it keeps dropping the packets when getting to the NAT box.
>
> Logs
> ====
> (With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)
>
> kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
> TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
> WINDOW=64240 RES=0x00 SYN URGP=0
>
> Any clues? Did I miss something here?
( caveat, this is a quick email during a lunch break at work, so it's
all "best guess" )
The rules in the PREROUTING table are executed before those in the
FORWARD table, so the packet has a destination of 10.1.0.12 when it hits
the FORWARD table. So your third line should be
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m
state --state NEW -j ACCEPT
Let me know how you get on :)
--
"I think a church with a lightning rod shows a decided lack of confidence"
* Re: Port Forwarding with iptables
From: George Alexandru Dragoi @ 2004-08-19 11:15 UTC (permalink / raw)
To: netfilter
On Thu, 19 Aug 2004 18:57:59 +0800, Wilson Mak
<wilson.mak@digitalview.com> wrote:
> Hi all,
>
> I'd like to do port forwarding with iptables (forward web traffic of an
> alias IP, <ext ip>, to an internal web server). Here is what I have:
>
> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j DNAT --to 10.1.0.12:80
> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m state --state NEW -j ACCEPT
Take a look at -d param
> However, it keeps dropping the packets when getting to the NAT box.
>
> Logs
> ====
> (With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)
>
> kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
> TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
> WINDOW=64240 RES=0x00 SYN URGP=0
Now look at DST,
Q: Do they match? :)
> Any clues? Did I miss something here?
>
> Thanks,
> Wilson
>
>
--
Bla bla
* RE: Port Forwarding with iptables
From: Jason Opperisano @ 2004-08-19 11:13 UTC (permalink / raw)
To: netfilter
> Hi all,
>
> I'd like to do port forwarding with iptables (forward web traffic of an
> alias IP, <ext ip>, to an internal web server). Here is what I have:
>
> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80
ok
> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT
um--nope. the packets are going to be FORWARD-ed--they will never be seen by the INPUT chain.
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT
hmm...let's hold off on this for a sec...
> However, it keeps dropping the packets when getting to the NAT box.
>
> Logs
> ====
> (With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)
>
> kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
> TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
> WINDOW=64240 RES=0x00 SYN URGP=0
>
> Any clues? Did I miss something here?
yeah--read that log entry. now look at your FORWARD rule. now read that log entry again. got it?
no? ok... look at the "-d <ext ip>" in the rule and the "DST=10.1.0.12" in the log entry.
DNAT happens in PREROUTING; as in, "before routing"--so any FORWARD rules will see the DNAT-ed address, not the original dest IP. try:
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 \
--dport 80 -m state --state NEW -j ACCEPT
hopefully you also have something along the lines of this somewhere as well:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-j
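The mismatch that Jason, Nick, George and Alejandro all point out (DNAT runs in PREROUTING, so FORWARD sees the rewritten destination) can be checked mechanically before rules are loaded. This is an added example and not code from any post: a small lint that pairs each PREROUTING DNAT rule with the FORWARD rules and flags any FORWARD rule still matching on the pre-DNAT address, plus a helper that pulls a field such as DST out of a kernel LOG line so a rule can be compared with what the kernel actually saw. The rule set and log line are constructed to mirror the thread; 198.51.100.7 and 203.0.113.5 are documentation addresses standing in for the redacted ones.

```shell
#!/bin/sh
# Added example, not from the thread. DNAT runs in the nat PREROUTING chain,
# so a packet reaches FORWARD with its destination already rewritten; a
# FORWARD rule that matches on the original external address never fires.
# This lint pairs DNAT rules with FORWARD rules and reports that mistake.

# Constructed rule set mirroring the thread; 198.51.100.7 stands in for the
# redacted "<ext ip>". The first FORWARD rule carries the mistake.
SAMPLE_RULES='iptables -t nat -A PREROUTING -i eth0 -d 198.51.100.7 -p tcp --dport 80 -j DNAT --to 10.1.0.12:80
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 198.51.100.7 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Constructed kernel LOG line in the format shown in the thread (the client
# address 203.0.113.5 is a placeholder).
SAMPLE_LOG='kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.1.0.12 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# log_field LINE NAME: print the value of the NAME=value field of a LOG line.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# dnat_map: read iptables commands on stdin and print, per PREROUTING DNAT
# rule, "<pre-DNAT destination> <post-DNAT destination>".
dnat_map() {
    awk '/-t nat/ && /-A PREROUTING/ && /-j DNAT/ {
        ext = ""; internal = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-d" || $i == "--dst") ext = $(i + 1)
            if ($i == "--to" || $i == "--to-destination") {
                split($(i + 1), parts, ":"); internal = parts[1]
            }
        }
        if (ext != "" && internal != "") print ext, internal
    }'
}

# forward_mismatches: read iptables commands on stdin and print every FORWARD
# rule whose -d is a pre-DNAT address, with the address it should use.
forward_mismatches() {
    rules=$(cat)
    printf '%s\n' "$rules" | dnat_map | while read -r ext internal; do
        printf '%s\n' "$rules" | awk -v ext="$ext" -v internal="$internal" '
            /-A FORWARD/ {
                for (i = 1; i <= NF; i++)
                    if (($i == "-d" || $i == "--dst") &&
                        ($(i + 1) == ext || $(i + 1) == ext "/32"))
                        print "MISMATCH: matches -d " ext " but packets arrive with DST=" internal ": " $0
            }'
    done
}

# lint_forward_rules: exit 0 if no FORWARD rule uses a pre-DNAT address,
# otherwise print the offending rules and exit 1.
lint_forward_rules() {
    findings=$(forward_mismatches)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demo: lint the constructed rules and show the destination the kernel logged.
if ! printf '%s\n' "$SAMPLE_RULES" | lint_forward_rules; then
    printf 'kernel logged DST=%s; use that address in the FORWARD rule\n' \
        "$(log_field "$SAMPLE_LOG" DST)"
fi
```

Feed a real rule script to `lint_forward_rules` on stdin to check it; the lint looks only at `-d`/`--dst`, which is the field this thread turns on, and it deliberately ignores the INPUT rule from the original post because DNAT-ed traffic never reaches INPUT on the NAT box.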
* Port Forwarding with iptables
From: Wilson Mak @ 2004-08-19 10:57 UTC (permalink / raw)
To: netfilter
Hi all,
I'd like to do port forwarding with iptables (forward web traffic of an
alias IP, <ext ip>, to an internal web server). Here is what I have:
iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j DNAT --to 10.1.0.12:80
iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m state --state NEW -j ACCEPT
However, it keeps dropping the packets when getting to the NAT box.
Logs
====
(With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)
kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
WINDOW=64240 RES=0x00 SYN URGP=0
Any clues? Did I miss something here?
Thanks,
Wilson