I'm having some port forwarding issues with iptables. We are using iptables as a firewall with 2 NICs and one IP alias. I'm trying to port forward on the alias IP:

eth0   = 65.x.x.1
eth0:1 = 65.x.x.2
eth1   = 192.168.x.x

I want to forward certain ports (80, 5071, etc.) for requests made to the eth0:1 IP 65.x.x.2 on to the internal IP 192.168.x.x. I have set up the following rules but I must be doing something wrong.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
Any help would be greatly appreciated. Thanks
Bo Lynch wrote:
<snip>
Try
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
<snip>
Try
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
Tried that with no luck. Here is what my NAT looks like.

[root@localhost ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:http to:192.168.1.3:80
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:powerschool to:192.168.1.3:5071
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:timbuktu to:192.168.1.3:407
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:timbuktu-srv1 to:192.168.1.3:1417
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:timbuktu-srv2 to:192.168.1.3:1418
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:timbuktu-srv3 to:192.168.1.3:1419
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:timbuktu-srv4 to:192.168.1.3:1420
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:7880 to:192.168.1.3:7880
DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:https to:192.168.1.3:443
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:timbuktu to:192.168.1.3:407
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:timbuktu-srv1 to:192.168.1.3:1417
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:timbuktu-srv2 to:192.168.1.3:1418
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:timbuktu-srv3 to:192.168.1.3:1419
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:timbuktu-srv4 to:192.168.1.3:1420
DNAT       udp  --  anywhere             65.161.127.70       udp dpt:7880 to:192.168.1.3:7880

To me it looks like it should work. When I try to telnet to the port number I get a connection refused. Is using an alias a problem?

Bo Lynch
Quoting Bo Lynch blynch@ameliaschools.com:
<snip>
To me it looks like it should work. When I try and do a telnet on the port number I get a connection refused. Is using an alias a problem?
Do you have ip forwarding enabled? Does 'cat /proc/sys/net/ipv4/ip_forward' show 1 or 0? Is there a service listening on the port you are forwarding to, and can you get to this service from a machine on the internal network?
2009/4/28 Bo Lynch blynch@ameliaschools.com
<snip>
To me it looks like it should work. When I try and do a telnet on the port number I get a connection refused. Is using an alias a problem?
It should, and does, work, even with an alias...
The fact you are getting connection refused suggests that the traffic is going somewhere and responses are getting back, rather than disappearing into a hole, which is good... Are you sure traffic to that address is getting to your eth0 interface and not going to another device or being blocked by your router? Capturing traffic using tcpdump while testing would confirm this, i.e. tcpdump -i any -n port 5071 would show packets coming in on eth0 and going out on eth1 if everything is working, or only coming in on eth0 if something within this box is preventing forwarding, or nothing at all which would show that the traffic wasn't even making it to your machine...
d
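The three capture outcomes D Tucny describes, turned into a check that can be run over the output of the tcpdump command he suggests. This is an added example, not code from the thread; it assumes tcpdump 4.99 or later (where "-i any" prints the interface name and an In/Out column, which the 2009-era tcpdump in the thread did not), the thread's interface names eth0/eth1 and the addresses from Bo's nat table, and the sample capture lines are constructed for the self-check.

```shell
#!/bin/sh
# Added example (not from the thread): classify a "tcpdump -i any -n -l port N"
# capture into the three cases from the thread.
# Assumes tcpdump 4.99+, whose -i any output looks like:
#   12:00:00.000001 eth0  In  IP 203.0.113.9.40000 > 65.161.127.70.5071: Flags [S], ...
# Interface names and addresses below are the ones used in the thread.

WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP=65.161.127.70     # the eth0:1 alias that PREROUTING DNATs
INTERNAL_IP=192.168.1.3     # DNAT target behind eth1

# classify_capture PORT   (capture text on stdin)
# Prints exactly one of:
#   forwarding     - a packet for the alias came In on eth0 and went Out on eth1 to the target
#   not-forwarded  - packets reached eth0 but never left on eth1: this box is blocking or not routing
#   not-arriving   - nothing for the alias:port reached eth0 at all: look upstream (router, ARP)
classify_capture() {
    port=$1
    in_wan=0
    out_lan=0
    while IFS= read -r line; do
        case "$line" in
            *" $WAN_IF "*" In "*" > $PUBLIC_IP.$port:"*)   in_wan=$((in_wan + 1)) ;;
            *" $LAN_IF "*" Out "*" > $INTERNAL_IP.$port:"*) out_lan=$((out_lan + 1)) ;;
        esac
    done
    if [ "$out_lan" -gt 0 ]; then
        echo forwarding
    elif [ "$in_wan" -gt 0 ]; then
        echo not-forwarded
    else
        echo not-arriving
    fi
}

# Constructed sample captures (not real traffic) used for the self-check.
SAMPLE_OK='12:00:00.000001 eth0  In  IP 203.0.113.9.40000 > 65.161.127.70.5071: Flags [S], seq 1, win 64240
12:00:00.000002 eth1  Out IP 203.0.113.9.40000 > 192.168.1.3.5071: Flags [S], seq 1, win 64240'

SAMPLE_BLOCKED='12:00:00.000001 eth0  In  IP 203.0.113.9.40000 > 65.161.127.70.5071: Flags [S], seq 1, win 64240
12:00:01.000001 eth0  In  IP 203.0.113.9.40000 > 65.161.127.70.5071: Flags [S], seq 1, win 64240'

# Live use: capture for a few seconds while making one test connection, then classify:
#   timeout 15 tcpdump -i any -n -l port 5071 2>/dev/null | classify_capture 5071
```

The DNAT rewrites the destination before routing, so on eth1 the packet is addressed to 192.168.1.3, which is why the second pattern matches the internal address rather than the alias; a capture that shows only the first kind of line is the "something within this box" case from the message above.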
On Mon, April 27, 2009 12:50 pm, D Tucny wrote:
<snip>
It should, and does, work, even with an alias...
The fact you are getting connection refused suggests that the traffic is going somewhere and responses are getting back, rather than disappearing into a hole, which is good... Are you sure traffic to that address is getting to your eth0 interface and not going to another device or being blocked by your router? Capturing traffic using tcpdump while testing would confirm this, i.e. tcpdump -i any -n port 5071 would show packets coming in on eth0 and going out on eth1 if everything is working, or only coming in on eth0 if something within this box is preventing forwarding, or nothing at all which would show that the traffic wasn't even making it to your machine...
d
I think I found the culprit but I'm not sure if taking this out will be a risk. When I remove this statement things work....

iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

If I drop the NEW it works. Should I be concerned from a security standpoint?
Quoting Bo Lynch blynch@ameliaschools.com:
<snip>
I think I found the culprit but I'm not sure if taking this out will be a risk. When I remove this statement things work....

iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

If I drop the NEW it works. Should I be concerned from a security standpoint?
If you don't drop the NEW, it won't work. It is fine to drop INVALID traffic.
Hi,
On Mon, Apr 27, 2009 at 16:01, Bo Lynch blynch@ameliaschools.com wrote:
I think I found the culprit but I'm not sure if taking this out will be a risk. When I remove this statement things work....

iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

If I drop the NEW it works. Should I be concerned from a security standpoint?
The point of that rule is to drop anything you did not handle before. That rule is supposed to be the last one in the list of rules.
The best solution in your case is probably to move your other rules above that one.
HTH, Filipe
2009/4/28 Filipe Brandenburger filbranden@gmail.com
<snip>
The point of that rule is to drop anything you did not handle before. That rule is supposed to be the last one in the list of rules.
The best solution in your case is probably to move your other rules above that one.
Indeed, that or using iptables -I to insert the other rules... or better yet, do as you say and put the new rules above the DROP and rather than using a script, use /etc/sysconfig/iptables for the configuration and use iptables-restore </etc/sysconfig/iptables to apply changes very fast...
What's odd though is that a DROP wouldn't result in a connection refused error, you'd need a REJECT for that, with DROP it would just be a timeout...
d
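One way to do what Filipe and D Tucny suggest: keep the ruleset in iptables-restore format with the per-port ACCEPTs ahead of the catch-all NEW,INVALID DROP, and check that ordering before loading it. This is an added example, not the thread's own script. It assumes eth0 is the public interface carrying the 65.161.127.70 alias and eth1 the internal one, takes the addresses and ports from Bo's "iptables -t nat -L" output, and the function names gen_ruleset, check_order and count_dnat are chosen here.

```shell
#!/bin/sh
# Added example (not the thread's script): emit the port-forwarding ruleset
# for the thread's topology as an iptables-restore file and verify that no
# FORWARD ACCEPT sits behind the FORWARD DROP. Interfaces are assumed;
# addresses/ports are those from the thread's nat table.

WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP=65.161.127.70      # alias on eth0:1; DNAT matches the address, the alias name is irrelevant
INTERNAL_IP=192.168.1.3
TCP_PORTS="80 443 5071 407 1417 1418 1419 1420 7880"
UDP_PORTS="407 1417 1418 1419 1420 7880"

# gen_ruleset: print an iptables-restore file on stdout.
# Policies mirror the thread (ACCEPT, with an explicit final DROP doing the
# blocking); a FORWARD policy of DROP would make that last rule redundant
# but harmless, and the ordering requirement is the same either way.
gen_ruleset() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for p in $TCP_PORTS; do
        printf '%s\n' "-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $p -j DNAT --to-destination $INTERNAL_IP:$p"
    done
    for p in $UDP_PORTS; do
        printf '%s\n' "-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p udp --dport $p -j DNAT --to-destination $INTERNAL_IP:$p"
    done
    printf '%s\n' 'COMMIT'

    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Replies and related traffic first (-m conntrack --ctstate is the modern spelling of -m state).
    printf '%s\n' "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Per-port NEW connections from the public side to the DNAT target only.
    for p in $TCP_PORTS; do
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $INTERNAL_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $INTERNAL_IP -p udp --dport $p -m state --state NEW -j ACCEPT"
    done
    # The thread's catch-all, placed last so it only sees what nothing above accepted.
    printf '%s\n' "-A FORWARD -i $WAN_IF -m state --state NEW,INVALID -j DROP"
    printf '%s\n' 'COMMIT'
}

# check_order: read a ruleset on stdin; succeed only if every FORWARD ACCEPT
# precedes the first FORWARD DROP. ACCEPTs appended after the DROP, as in
# the thread's original script, are dead rules: iptables stops at first match.
check_order() {
    awk '
        /^\*/ { table = $1 }
        table == "*filter" && /^-A FORWARD / {
            n++
            if ($0 ~ /-j ACCEPT$/) last_accept = n
            if ($0 ~ /-j DROP$/ && !first_drop) first_drop = n
        }
        END { exit !(first_drop && last_accept && last_accept < first_drop) }
    '
}

# count_dnat: number of DNAT rules in the ruleset on stdin (one per port/protocol).
count_dnat() {
    grep -c -- '-j DNAT'
}

# Typical use on a CentOS box of that era:
#   gen_ruleset | check_order && gen_ruleset > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
# iptables-restore replaces the nat and filter tables in one step, so the
# separate -F/-X flush dance is unnecessary; net.ipv4.ip_forward must still be 1.
```

Loading with iptables-restore rather than a script of individual iptables calls also removes the window in which a half-applied script has the DROP in place but not yet the ACCEPTs.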
Bo Lynch wrote:
<snip>
To me it looks like it should work. When I try to telnet to the port number I get a connection refused. Is using an alias a problem?

Bo Lynch
It will work and does for me here.
Try putting this at the beginning of your script.
echo "1" > /proc/sys/net/ipv4/ip_forward
IPTABLES=/sbin/iptables
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
Verify the alias is setup correctly with ifconfig.
Dan