* Port forwarding with iptables
@ 2004-09-01 15:47 KUCKAERTZ Régis - NVISION
  0 siblings, 0 replies; 11+ messages in thread
From: KUCKAERTZ Régis - NVISION @ 2004-09-01 15:47 UTC (permalink / raw)
  To: netfilter-devel

Hello,

Our ISP only allows connections coming from a well-defined list of IP
addresses. Since we must be able to log on to our servers no matter where we
are, I just thought using iptables on one host having one of the authorized
IP addresses would be the solution.

So I went on reading iptables docs and howtos, but as you might guess I
couldn't understand how to do it exactly. To state it precisely: every
incoming connection to, say, port 3999 of my host ($HOST_IP) should be
forwarded to port 123 of the protected server ($SERVER_IP). I tried the
following two rules:

$IPTABLES -t nat -A PREROUTING -p tcp --dst $HOST_IP --dport 3999 -j DNAT
--to-destination $SERVER_IP:123

   This one should do the forwarding

$IPTABLES -t nat -A POSTROUTING -p tcp --dst $SERVER_IP --dport 123 -j
MASQUERADE

   ... and this one should masquerade

As I'm new to iptables, I don't yet know every aspect that I must be
careful of, so as a first tip, can anybody tell me what the exact
solution would be?

I have set IP forwarding to 1 in /proc/sys/net/ipv4/ip_forward

Best regards,
Régis KUCKAERTZ
-----------------------------------------
NVISION sa - Luxembourg
Internet Services & Network Programming

50, rue des Prés
L-7333 Steinsel
Tél: (+352) 26 34 09 08
Fax: (+352) 26 34 09 07
http://www.nvision.lu/


* Re: Port forwarding with iptables
       [not found] <200409020414.i824Eh7e032212@xanadu.marasystems.com>
@ 2004-09-02  8:28 ` Henrik Nordstrom
  0 siblings, 0 replies; 11+ messages in thread
From: Henrik Nordstrom @ 2004-09-02  8:28 UTC (permalink / raw)
  To: KUCKAERTZ Régis - NVISION; +Cc: netfilter-devel

On Wed, 1 Sep 2004, [iso-8859-1] KUCKAERTZ Régis - NVISION wrote:

> $IPTABLES -t nat -A PREROUTING -p tcp --dst $HOST_IP --dport 3999 -j DNAT
> --to-destination $SERVER_IP:123

Ok.

>   This one should do the forwarding
>
> $IPTABLES -t nat -A POSTROUTING -p tcp --dst $SERVER_IP --dport 123 -j
> MASQUERADE
>
>   ... and this one should masquerade

This should probably be a SNAT.

Please describe your network in a little more detail. Is the station where 
you are running NAT a router (two network cards, ISP on one side, internal 
stations on other side) or just a host on the network?

Are you trying to connect from the Internet to internal stations/servers 
in your Network, or the other way around?

Regards
Henrik


* Re: Port forwarding with iptables
@ 2004-09-02  7:24 Martijn Lievaart
  0 siblings, 0 replies; 11+ messages in thread
From: Martijn Lievaart @ 2004-09-02  7:24 UTC (permalink / raw)
  To: KUCKAERTZ Régis - NVISION; +Cc: netfilter-devel

KUCKAERTZ Régis - NVISION wrote:

>Hello,
>
>Our ISP only allows connections coming from a well-defined list of IP
>addresses. Since we must be able to log on to our servers no matter where we
>are, I just thought using iptables on one host having one of the authorized
>IP addresses would be the solution.
>
>So I went on reading iptables docs and howtos, but as you might guess I
>couldn't stand how to do it exactly. Let's put it correctly stated: every
>incoming connection to, say, port 3999 of my host ($HOST_IP) should be
>forwarded to port 123 of the protected server ($SERVER_IP). I tried the
>following two rules:
>
>$IPTABLES -t nat -A PREROUTING -p tcp --dst $HOST_IP --dport 3999 -j DNAT
>--to-destination $SERVER_IP:123
>
>   This one should do the forwarding

This one looks fine.

>$IPTABLES -t nat -A POSTROUTING -p tcp --dst $SERVER_IP --dport 123 -j
>MASQUERADE
>
>   ... and this one should masquerade

That looks nonsensical; what are you trying to accomplish? Drop this
line of thought. MASQUERADE is for when you connect through a
dynamically assigned IP address, e.g. dial-up.

What you need is a rule in FORWARD to allow the packets to pass.
Assuming you accept ESTABLISHED (and RELATED) packets somewhere, so the
replies are handled automagically, you just need to add a rule like

# by now the packet has been updated with a new destination, allow it in.

$IPTABLES -A FORWARD -p tcp --dst $SERVER_IP --dport 123 -j ACCEPT

BTW, this kind of question is better directed to the user list, not the development list.

Cheers,
M4


* Re: Port Forwarding with iptables
  2004-08-20 10:15     ` Nick Drage
@ 2004-08-23  3:04       ` Wilson Mak
  0 siblings, 0 replies; 11+ messages in thread
From: Wilson Mak @ 2004-08-23  3:04 UTC (permalink / raw)
  To: Nick Drage; +Cc: netfilter

Nick Drage wrote:

>On Fri, Aug 20, 2004 at 06:06:38PM +0800, Wilson Mak wrote:
>
>>Nick Drage wrote:
>
>Excuse the short answer...
>
>>Thanks to all who helped on this issue.  I mistyped the rule here.  Yes
>>you guys are right, the rule should be: -d 10.1.0.12.  But still it
>>doesn't work.  Do I need to enable something in the kernel when using
>>Port-Forwarding?
>
>Try:
>
>echo 1 > /proc/sys/net/ipv4/ip_forward
>
>If you google for that you should find an explanation :)
>
Yep! I did set this bit to 1.  Any other stuff I missed?  That's
absolutely weird.  It used to work perfectly with ipchains plus
ipmasqadm.  Actually, the packets did get forwarded to the internal server (I
captured the packets with ethereal), but it looks like the response packets
can't get through the NAT box.

Thanks,
Wilson

* Re: Port Forwarding with iptables
  2004-08-20 10:06   ` Wilson Mak
@ 2004-08-20 10:15     ` Nick Drage
  2004-08-23  3:04       ` Wilson Mak
  0 siblings, 1 reply; 11+ messages in thread
From: Nick Drage @ 2004-08-20 10:15 UTC (permalink / raw)
  To: netfilter

On Fri, Aug 20, 2004 at 06:06:38PM +0800, Wilson Mak wrote:
> Nick Drage wrote:

Excuse the short answer...

> Thanks to all who helped on this issue.  I mistyped the rule here.  Yes
> you guys are right, the rule should be: -d 10.1.0.12.  But still it
> doesn't work.  Do I need to enable something in the kernel when using
> Port-Forwarding?

Try:

echo 1 > /proc/sys/net/ipv4/ip_forward

If you google for that you should find an explanation :)

-- 
"I think a church with a lightning rod shows a decided lack of confidence"


* Re: Port Forwarding with iptables
  2004-08-19 11:22 ` Nick Drage
@ 2004-08-20 10:06   ` Wilson Mak
  2004-08-20 10:15     ` Nick Drage
  0 siblings, 1 reply; 11+ messages in thread
From: Wilson Mak @ 2004-08-20 10:06 UTC (permalink / raw)
  To: Nick Drage; +Cc: netfilter

Nick Drage wrote:

>On Thu, Aug 19, 2004 at 06:57:59PM +0800, Wilson Mak wrote:
>
>>Hi all,
>>
>>I'd like to do port forwarding with iptables (forward web traffic of an
>>alias IP - <ext ip> to an internal web server).  Here is what I have:
>>
>>iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
>>DNAT --to 10.1.0.12:80
>>iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
>>--state NEW -j ACCEPT
>>iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
>>state --state NEW -j ACCEPT
>>
>>However, it keeps dropping the packets when they get to the NAT box.
>>
>>Logs
>>====
>>(With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)
>>
>>kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
>>TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
>>WINDOW=64240 RES=0x00 SYN URGP=0
>>
>>Any clues?  Did I miss something here?
>
>( caveat, this is a quick email during a lunch break at work, so it's
>all "best guess" )
>
>The rules in the PREROUTING table are executed before those in the
>FORWARD table, so the packet has a destination of 10.1.0.12 when it hits
>the FORWARD table.  So your third line should be
>
>iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m
>state --state NEW -j ACCEPT
>
>Let me know how you get on :)
>
Thanks to all who helped on this issue.  I mistyped the rule here.  Yes
you guys are right, the rule should be: -d 10.1.0.12.  But still it
doesn't work.  Do I need to enable something in the kernel when using
Port-Forwarding?

Here is what I have now
=======================
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -t nat -A PREROUTING -i eth0 -d <ext ip - an alias ip>  -p tcp 
--dport 80 -j DNAT --to 10.1.0.12:80
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m 
state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state --state 
NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state 
ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Many thanks,
Wilson  

* Re: Port Forwarding with iptables
  2004-08-19 10:57 Wilson Mak
  2004-08-19 11:15 ` George Alexandru Dragoi
  2004-08-19 11:22 ` Nick Drage
@ 2004-08-19 16:39 ` Alejandro Flores
  2 siblings, 0 replies; 11+ messages in thread
From: Alejandro Flores @ 2004-08-19 16:39 UTC (permalink / raw)
  To: Wilson Mak; +Cc: netfilter

	Hello Wilson,

> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80

	That's ok.

> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT

	This rule is only necessary if you have a webserver running on your
firewall.

> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT

	Oops. You made a mistake. You have added a rule which changes the
destination IP address to your internal webserver, remember? Your
forward rule must specify the internal address as destination:
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12/32 --dport 80
--syn -j ACCEPT

Regards,
-- 
Alejandro Flores
http://www.triforsec.com.br/
http://www.defenselayer.com/
http://www.nabucodonosor.com/

* Re: Port Forwarding with iptables
  2004-08-19 10:57 Wilson Mak
  2004-08-19 11:15 ` George Alexandru Dragoi
@ 2004-08-19 11:22 ` Nick Drage
  2004-08-20 10:06   ` Wilson Mak
  2004-08-19 16:39 ` Alejandro Flores
  2 siblings, 1 reply; 11+ messages in thread
From: Nick Drage @ 2004-08-19 11:22 UTC (permalink / raw)
  To: netfilter

On Thu, Aug 19, 2004 at 06:57:59PM +0800, Wilson Mak wrote:
> Hi all,
> 
> I'd like to do port forwarding with iptables (forward web traffic of an
> alias IP - <ext ip> to an internal web server).  Here is what I have:
> 
> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80
> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT
> 
> However, it keeps dropping the packets when they get to the NAT box.
> 
> Logs
> ====
> (With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)
> 
> kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
> TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
> WINDOW=64240 RES=0x00 SYN URGP=0
> 
> Any clues?  Did I miss something here?

( caveat, this is a quick email during a lunch break at work, so it's
all "best guess" )

The rules in the PREROUTING table are executed before those in the
FORWARD table, so the packet has a destination of 10.1.0.12 when it hits
the FORWARD table.  So your third line should be

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 --dport 80 -m
state --state NEW -j ACCEPT

Let me know how you get on :)


-- 
"I think a church with a lightning rod shows a decided lack of confidence"


* Re: Port Forwarding with iptables
  2004-08-19 10:57 Wilson Mak
@ 2004-08-19 11:15 ` George Alexandru Dragoi
  2004-08-19 11:22 ` Nick Drage
  2004-08-19 16:39 ` Alejandro Flores
  2 siblings, 0 replies; 11+ messages in thread
From: George Alexandru Dragoi @ 2004-08-19 11:15 UTC (permalink / raw)
  To: netfilter

On Thu, 19 Aug 2004 18:57:59 +0800, Wilson Mak
<wilson.mak@digitalview.com> wrote:
> Hi all,
> 
> I'd like to do port forwarding with iptables (forward web traffic of an
> alias IP - <ext ip> to an internal web server).  Here is what I have:
> 
> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80
> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT
Take a look at the -d param.

> However, it keeps dropping the packets when they get to the NAT box.
> 
> Logs
> ====
> (With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)
> 
> kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
> TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
> WINDOW=64240 RES=0x00 SYN URGP=0
Now look at DST,

Q: Do they match? :)

 
> Any clues?  Did I miss something here?
> 
> Thanks,
> Wilson
> 
> 


-- 
Bla bla


* RE: Port Forwarding with iptables
@ 2004-08-19 11:13 Jason Opperisano
  0 siblings, 0 replies; 11+ messages in thread
From: Jason Opperisano @ 2004-08-19 11:13 UTC (permalink / raw)
  To: netfilter

> Hi all,
>
> I'd like to do port forwarding with iptables (forward web traffic of an
> alias IP - <ext ip> to an internal web server).  Here is what I have:
>
> iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
> DNAT --to 10.1.0.12:80

ok

> iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
> --state NEW -j ACCEPT

um--nope.  the packets are going to be FORWARD-ed--they will never be seen by the INPUT chain.

> iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
> state --state NEW -j ACCEPT

hmm...let's hold off on this for a sec...

> However, it keeps dropping the packets when they get to the NAT box.
>
> Logs
> ====
> (With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)
>
> kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
> TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
> WINDOW=64240 RES=0x00 SYN URGP=0
>
> Any clues?  Did I miss something here?

yeah--read that log entry.  now look at your FORWARD rule.  now read that log entry again.  got it?

no?  ok...  look at the "-d <ext ip>" in the rule and the "DST=10.1.0.12" in the log entry.

DNAT happens in PREROUTING; as in, "before routing"--so any FORWARD rules will see the DNAT-ed address, not the original dest IP.  try:

  iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.0.12 \
    --dport 80 -m state --state NEW -j ACCEPT

hopefully you also have something along the lines of this somewhere as well:

  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-j
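The point made in this reply and in Nick's (DNAT runs in PREROUTING, so FORWARD only ever sees 10.1.0.12), together with the ESTABLISHED,RELATED rule that lets the replies back through, modelled as an added example that is not part of the thread. It simulates the nat/filter traversal in Python instead of invoking iptables; EXT_IP, the client address 203.0.113.5 and port 4023 are constructed values standing in for the poster's `<ext ip>` and the logged SPT.

```python
from collections import namedtuple

EXT_IP = "198.51.100.10"   # constructed stand-in for the poster's "<ext ip>"
WEB_IP = "10.1.0.12"       # the internal web server named in the thread

# src/sport/dst/dport as seen at each stage; iif = arrival interface, oif = routing choice
Pkt = namedtuple("Pkt", "src sport dst dport iif oif")

def rev(t):
    """Swap the endpoints of a (src, sport, dst, dport) tuple."""
    return (t[2], t[3], t[0], t[1])

class NatBox:
    """Toy netfilter path: nat PREROUTING (DNAT) -> routing -> filter FORWARD.
    A conntrack table marks later packets ESTABLISHED and un-NATs replies."""

    def __init__(self, forward_rules):
        self.forward_rules = forward_rules   # [(match(pkt, state), verdict), ...]
        self.conntrack = {}                  # incoming 4-tuple -> translated 4-tuple

    def handle(self, p):
        """Run one packet through the box; return (verdict, packet as forwarded)."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conntrack:
            state, new = "ESTABLISHED", self.conntrack[key]
        else:
            state, new = "NEW", key
            # nat PREROUTING: -i eth0 -d <ext ip> -p tcp --dport 80 -j DNAT --to 10.1.0.12:80
            if p.iif == "eth0" and p.dst == EXT_IP and p.dport == 80:
                new = (p.src, p.sport, WEB_IP, 80)
        # Routing happens after PREROUTING, so it and FORWARD see the translated dst.
        q = Pkt(*new, p.iif, "eth1" if new[2].startswith("10.") else "eth0")
        verdict = next((v for m, v in self.forward_rules if m(q, state)), "DROP")
        if verdict == "ACCEPT" and state == "NEW":   # conntrack entry only if accepted
            self.conntrack[key] = new
            self.conntrack[rev(new)] = rev(key)      # so replies are un-DNATed for free
        return verdict, q

def web_forward(dst):
    """-A FORWARD -p tcp -i eth0 -o eth1 -d <dst> --dport 80 -m state --state NEW -j ACCEPT"""
    return lambda q, s: (q.iif, q.oif, q.dst, q.dport, s) == ("eth0", "eth1", dst, 80, "NEW")

# -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT (RELATED not modelled here)
ESTABLISHED = (lambda q, s: s == "ESTABLISHED", "ACCEPT")
BROKEN = [(web_forward(EXT_IP), "ACCEPT"), ESTABLISHED]   # matches the pre-DNAT address
FIXED = [(web_forward(WEB_IP), "ACCEPT"), ESTABLISHED]    # matches the DNAT-ed address

def run_handshake(rules):
    """Client SYN arrives on eth0, server SYN/ACK comes back on eth1. Returns both
    verdicts plus the reply's source address as the client would see it."""
    box = NatBox(rules)
    v1, fwd = box.handle(Pkt("203.0.113.5", 4023, EXT_IP, 80, "eth0", ""))
    v2, back = box.handle(Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport, "eth1", ""))
    return v1, v2, back.src
```

With BROKEN the SYN is dropped exactly as in the posted log (the FORWARD rule is comparing against an address that no longer exists on the packet); with FIXED both directions pass and the reply leaves with `<ext ip>` as its source again.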


* Port Forwarding with iptables
@ 2004-08-19 10:57 Wilson Mak
  2004-08-19 11:15 ` George Alexandru Dragoi
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Wilson Mak @ 2004-08-19 10:57 UTC (permalink / raw)
  To: netfilter

Hi all,

I'd like to do port forwarding with iptables (forward web traffic of an
alias IP - <ext ip> to an internal web server).  Here is what I have:

iptables -t nat -A PREROUTING -i eth0 -d <ext ip> -p tcp --dport 80 -j
DNAT --to 10.1.0.12:80
iptables -A INPUT -p tcp -i eth0 -d <ext ip> --dport 80 -m state
--state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d <ext ip> --dport 80 -m
state --state NEW -j ACCEPT

However, it keeps dropping the packets when they get to the NAT box.

Logs
====
(With iptables -A FORWARD -d 10.1.0.12 -j LOG; iptables -A FORWARD -j DROP)

kernel: IN=eth0 OUT=eth1 SRC=202.xxx.122.xxx DST=10.1.0.12 LEN=48
TOS=0x00 PREC=0x00 TTL=120 ID=6491 DF PROTO=TCP SPT=4023 DPT=80
WINDOW=64240 RES=0x00 SYN URGP=0

Any clues?  Did I miss something here?

Thanks,
Wilson
