[CentOS] Port Forwarding woes

Mon Apr 27 14:19:59 UTC 2009
Barry Brimer <lists at brimer.org>

Quoting Bo Lynch <blynch at ameliaschools.com>:

> On Mon, April 27, 2009 12:50 pm, D Tucny wrote:
> > 2009/4/28 Bo Lynch <blynch at ameliaschools.com>
> >
> >> On Mon, April 27, 2009 12:01 pm, Dan Carl wrote:
> >> > Bo Lynch wrote:
> >> >> I'm having some port forwarding issues with iptables.
> >> >> We are using iptables as a firewall with 2 NICs and one IP alias.
> >> >> I'm trying to port forward on the alias IP:
> >> >> eth0 = 65.x.x.1
> >> >> eth0:1 = 65.x.x.2
> >> >> eth1 = 192.168.x.x
> >> >>
> >> >> I'm wanting to forward certain ports (80, 5071, etc.) that make
> >> >> requests on the eth0:1 IP 65.x.x.2 to the internal IP 192.168.x.x. I have
> >> >> set up the following rules but I must be doing something wrong.
> >> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 80 -j DNAT --to-destination 192.168.x.x:80
> >> >> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 65.x.x.2 --dport 5071 -j DNAT --to-destination 192.168.x.x:5071
> >> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 80 -j ACCEPT
> >> >> iptables -A FORWARD -p tcp -i eth0 -d 192.168.x.x --dport 5071 -j ACCEPT
> >> >>
> >> >> Any help would be greatly appreciated.
> >> >> Thanks
> >> >>
> >> > Try
> >> >
> >> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 80 -j ACCEPT
> >> > iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.x.x --dport 5071 -j ACCEPT
> >> >
> >> >
> >> >
> >> Tried that with no luck. Here is what my NAT looks like.
> >> [root at localhost ~]# iptables -t nat -L
> >> Chain PREROUTING (policy ACCEPT)
> >> target     prot opt source               destination
> >> DNAT       tcp  --  anywhere             65.161.127.70       tcp dpt:http to:192.168.1.3:80
> >>
> >
> > <snip>
> >
> >
> >> To me it looks like it should work. When I try to telnet to the port
> >> number I get a connection refused. Is using an alias a problem?
> >>
> >
> > It should, and does, work, even with an alias...
> >
> > The fact you are getting connection refused suggests that the traffic is
> > going somewhere and responses are getting back, rather than disappearing
> > into a hole, which is good...
> > Are you sure traffic to that address is getting to your eth0 interface and
> > not going to another device or being blocked by your router?
> > Capturing traffic using tcpdump while testing would confirm this, i.e.
> > tcpdump -i any -n port 5071 would show packets coming in on eth0 and going
> > out on eth1 if everything is working, or only coming in on eth0 if
> > something within this box is preventing forwarding, or nothing at all
> > which would show that the traffic wasn't even making it to your machine...
> >
> > d
> I think I found the culprit but I'm not sure if taking this out will be
> a risk. When I remove this statement things work:
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> If I drop the NEW it works. Should I be concerned from a security
> standpoint?

If you don't drop the NEW, it won't work.  It is fine to drop INVALID traffic.
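The rule that broke the forwarding was appended to FORWARD along with the ACCEPTs, so whichever came first won; a DNATed SYN is still a NEW connection when it reaches FORWARD, and if the catch-all DROP for NEW on eth0 sits ahead of the per-port ACCEPTs it eats the forwarded traffic. The fix is ordering, not removing the DROP. The script below is an added example, not code from this thread: it emits an iptables-restore ruleset in which the two DNAT rules sit in PREROUTING, the per-port FORWARD ACCEPTs (matching the post-NAT internal address, since DNAT runs before FORWARD) come first, and the poster's NEW,INVALID DROP follows them as the catch-all. The interface names, the alias address 65.0.0.2 and the internal host 192.168.1.3 are assumed placeholders standing in for the masked values in the thread, and check_order is a helper written for this example.

```shell
#!/bin/sh
# Added example (not code from the thread): generate, in iptables-restore
# format, a ruleset that DNATs TCP 80 and 5071 arriving on the alias address to
# an internal host, and places the per-port FORWARD ACCEPTs *before* the
# "drop NEW,INVALID from eth0" rule that was swallowing the forwarded SYNs.
# Interface names and addresses are assumed placeholders, not the poster's real ones.
WAN_IF=eth0
LAN_IF=eth1
ALIAS_IP=65.0.0.2     # stands in for the poster's 65.x.x.2 (eth0:1)
INT_IP=192.168.1.3    # stands in for the internal host
PORTS="80 5071"

gen_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for p in $PORTS; do
        # DNAT runs in PREROUTING, i.e. before the packet reaches FORWARD.
        printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp -d $ALIAS_IP --dport $p -j DNAT --to-destination $INT_IP:$p"
    done
    printf '%s\n' 'COMMIT' '*filter' ':FORWARD DROP [0:0]'
    # Packets belonging to connections conntrack already knows, both directions.
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # The only NEW connections admitted from the WAN: the DNATed services.
    # -d matches the post-DNAT (internal) address because NAT already happened.
    for p in $PORTS; do
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $INT_IP --dport $p -m state --state NEW -j ACCEPT"
    done
    # The poster's catch-all, now safe because the specific ACCEPTs precede it.
    printf '%s\n' "-A FORWARD -i $WAN_IF -m state --state NEW,INVALID -j DROP"
    # LAN hosts may open outbound connections.
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Exit status 0 when every per-port ACCEPT appears before the NEW,INVALID DROP,
# 1 otherwise (the ordering that made the original ruleset fail).
check_order() {
    gen_rules | awk '
        /--state NEW -j ACCEPT/         { last_accept = NR }
        /--state NEW,INVALID -j DROP/   { drop = NR }
        END { exit !(last_accept && drop && last_accept < drop) }'
}

# To apply:       gen_rules | iptables-restore
# To verify live: iptables -t nat -L PREROUTING -n -v ; iptables -L FORWARD -n -v
```

Loading this with iptables-restore replaces the nat and filter tables, so merge it with any existing INPUT/OUTPUT rules first. After loading, the `-v` counters on the DNAT and per-port ACCEPT rules should increment while a `tcpdump -i any -n port 5071` test runs; if the counters on the DROP rule climb instead, a rule is still out of order.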