[CentOS] A little iptables help

Thu Sep 29 14:46:47 UTC 2005
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting James Pifer <jep at obrien-pifer.com>:

> That being said it loaded fine. I can still ssh and hit http. The only
> problem is that the VNC forward stuff still doesn't work. Here's what it
> looks like applied.
>
> #iptables -L

Actually, to debug things, you would need output of "iptables -nvxL" and
"iptables -t nat -nvxL".  The former would list rules in filter table, and
the latter would list rules in nat table.  Both with counters, so you can see how
many packets (if any) were matched by those rules.  They would also show you
how many packets in each chain were matched by default policy for that chain
(which is DROP for INPUT, OUTPUT and FORWARD chains of filter table).

The "-L" option accepts optional argument, so you can also do things like
"iptables -nvxL FORWARD" or "iptables -nvxL VNC_FWD" to list only particular
chain and its counters.

> If I do an nmap scan all it returns is port 22 and port 80. Since it's
> port forwarded, should port 5900 show up as well? I'm doing the scan
> from 192.168.192.24.

You might find tcpdump to be a better friend in debugging firewall rules than
nmap.  Run it on the firewall machine.  It will show you what is going on the
ethernet wire.  Try running it in two terminals in parallel, in one terminal
you would run something like "tcpdump -i eth0 host xxx and port 5900".  In the
other window you would run "tcpdump -i eth1 host xxx and port 5900", where xxx
is the address of the source host.  The "host xxx and port 5900" is to filter
out the clutter, change it as needed.  If you see packets on eth0 but not on
eth1, then your firewall is "eating" them.  You should also see a change in
destination address by comparing the output in those two terminal windows.

> I don't really understand the logging part. Is there a way I can turn on
> some logging to see the VNC requests coming in and see what it's doing
> with them?

The rules, as I sent them to you, will log all dropped packets to
/var/log/messages.  You'll see a relatively long line saying it was logged by
the kernel, then from what chain (INPUT, OUTPUT or FORWARD), and then a (long)
summary of the dropped packet (type of packet, source, destination, ports (if
applicable), flags, and so on).  If your firewall is dropping anything, you
should see it in the logs.

If you want to see incoming VNC requests in log files, try putting this as
first rule in VNC_FWD chain:

   -A VNC_FWD -j LOG_FWD

Note that this will log only the SYN packet (the first packet initiating the
connection), so you don't have to worry about your logs getting too large.
This is because you are jumping into VNC_FWD chain only when you see a SYN
packet (the --syn option that expands to flags:SYN,RST,ACK/SYN in iptables -L
output).

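An added example, not part of this thread or of the rules Aleksandar sent: a small Python reader for the kernel LOG lines the rules write to /var/log/messages. It runs over a few constructed sample lines in the standard netfilter LOG format (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, plus bare flag words such as DF and SYN). The --log-prefix values "FWD DROP:", "INPUT DROP:" and "VNC SYN:" are assumed, since the message does not quote the actual rules; substitute whatever prefixes your LOG rules use. The point it illustrates is the diagnostic the thread is after: for a DNAT'ed VNC session, the logged SYN should show IN=eth0 and OUT=eth1 (it crossed FORWARD) with DST already rewritten to the internal host, and a drop of that SYN will carry the FORWARD chain's prefix rather than INPUT's.

```python
import re
from collections import Counter

# Constructed sample of what the kernel writes to /var/log/messages for
# packets hitting a LOG target.  The prefixes ("FWD DROP:", "INPUT DROP:",
# "VNC SYN:") are assumed --log-prefix values; the thread does not quote them.
SAMPLE_LOG = """\
Sep 29 14:46:47 fw kernel: FWD DROP: IN=eth0 OUT=eth1 SRC=192.168.192.24 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41233 DF PROTO=TCP SPT=43210 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 29 14:46:50 fw kernel: INPUT DROP: IN=eth0 OUT= SRC=192.168.192.24 DST=192.168.192.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=44000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 29 14:46:51 fw kernel: VNC SYN: IN=eth0 OUT=eth1 SRC=192.168.192.24 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41234 DF PROTO=TCP SPT=43211 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 29 14:47:02 fw sshd[1234]: Accepted publickey for jep from 192.168.192.24 port 50000 ssh2
Sep 29 14:47:10 fw kernel: INPUT DROP: IN=eth0 OUT= SRC=192.168.192.24 DST=192.168.192.1 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=12
"""

# Everything after "kernel:" up to the first "IN=" is the --log-prefix;
# the rest is the packet summary as space-separated KEY=VALUE pairs and
# bare flag words (DF, SYN, ACK, ...).
LOG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")


def parse_log_line(line):
    """Return a dict for one iptables LOG line, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # UDP lines carry LEN twice (IP length, then UDP length); keep the first.
            rec.setdefault(key, value)
        else:
            rec["flags"].add(tok)
    return rec


def is_forwarded(rec):
    """A packet that crossed FORWARD has both an input and an output interface."""
    return bool(rec.get("IN")) and bool(rec.get("OUT"))


def is_syn(rec):
    """Initial TCP SYN (no ACK), i.e. the packet that --syn matches."""
    return (rec.get("PROTO") == "TCP"
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"])


def summarize(text, dport=None):
    """Count logged packets by prefix, interfaces, addresses and destination port.

    Pass dport=5900 to see only VNC traffic: a SYN with IN=eth0, OUT=eth1 and
    DST already rewritten to the internal host means the nat PREROUTING DNAT
    worked and any drop happened in FORWARD, not INPUT.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if dport is not None and rec.get("DPT") != str(dport):
            continue
        key = (rec["prefix"], rec.get("IN", ""), rec.get("OUT", ""),
               rec.get("SRC"), rec.get("DST"), rec.get("PROTO"), rec.get("DPT"))
        counts[key] += 1
    return counts


def dropped_syns(text, dport, drop_marker="DROP"):
    """Records of initial SYNs to dport whose log prefix marks them as dropped."""
    return [rec for rec in map(parse_log_line, text.splitlines())
            if rec is not None and drop_marker in rec["prefix"]
            and rec.get("DPT") == str(dport) and is_syn(rec)]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG, dport=5900).items():
        prefix, in_if, out_if, src, dst, proto, dpt = key
        print(f"{n:4d}  {prefix:<12} IN={in_if:<5} OUT={out_if:<5} "
              f"{src} -> {dst} {proto}/{dpt}")
    for rec in dropped_syns(SAMPLE_LOG, 5900):
        where = "FORWARD" if is_forwarded(rec) else "INPUT/OUTPUT"
        print(f"dropped VNC SYN from {rec['SRC']} in {where}")
```

To use it on a live box, replace SAMPLE_LOG with the contents of /var/log/messages (or pipe `grep kernel: /var/log/messages` into it) and set drop_marker to the prefix your DROP-logging rules use. Because the VNC_FWD chain is only entered on --syn, a LOG rule placed first in it produces exactly one line per connection attempt, which is what dropped_syns() and the per-port summary are built to count.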