List: netfilter
Subject: [Fwd: Port Forwarding/ Debugging woes]
From: Richard Davis <rdavis () professo ! net>
Date: 2001-01-31 22:31:15
Richard Davis wrote:
> Maybe I'm not compiling proper modules into the kernel, but I thought such
> an oversight would not allow me to even add the rules to the nat table or
> list the nat table successfully. I have added the following modules along
> with these chains:
>
> #!/bin/sh -x
> echo "1" >/proc/sys/net/ipv4/ip_forward
> modprobe ip_tables
> modprobe ip_conntrack
> modprobe iptable_nat
> modprobe ipt_MASQUERADE
> modprobe ipt_LOG
>
> cd /usr/local/sbin
> ./iptables -F -t filter
> ./iptables -F -t nat
> ./iptables -P FORWARD ACCEPT
> ./iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> ./iptables -A PREROUTING -i eth1 -t nat -j DNAT -p tcp -d 209.140.186.6 --dport 21064 --to-destination 10.1.1.2:21064
> ./iptables -A OUTPUT -t nat -j DNAT -p tcp -d 209.140.186.6 --dport 21064 --to-destination 10.1.1.2:21064
> ./iptables -A OUTPUT -t nat -j LOG --log-level 3 --log-prefix OUTPUT
> ./iptables -A PREROUTING -t nat -j LOG --log-level 3 --log-prefix PREROUTING
> ./iptables -A INPUT -i eth0 -t filter -s 10.1.1.2 -j LOG --log-level 3 --log-prefix INPUT
> ./iptables -A POSTROUTING -t nat -j LOG --log-level 3 --log-prefix POSTROUTING
> ./iptables -A PREROUTING -t nat -i eth1 -d 209.140.186.6 -j ACCEPT
> ./iptables -A POSTROUTING -t nat -o eth0 -j ACCEPT
> ./iptables -A POSTROUTING -o eth1 -t nat -s 10.1.1.2 -p tcp --dport 21064 -j SNAT --to 209.140.186.6
> ./iptables -A FORWARD -i eth1 -p tcp --dport 21064 -d 10.1.1.2 -j ACCEPT
>
> When I look at logging after doing a telnet 209.140.186.6 21064 from an
> external box, I see the packet leaving on the postrouting chain for the
> redirection. In turn, I see a packet returning from 10.1.1.2 21064, but
> the destination address is eth0, 10.1.1.254! The packet is coming back to
> the right port, but stops at the internal interface of the firewall. Does
> anyone know what I need to do to make sure that the firewall routes the
> reply packet back to the box from which I did the telnet? I can't figure
> out how the DNAT would route the packet on the way to its source, but not
> be able to route back the replies. I have read post after post on this.
> I have checked the FAQ and all the documentation I could find. I have even
> asked friends. No one knows why it's hanging. I would be deeply grateful
> to anyone who could point me in the right direction to fixing this problem.
>
> Richard Davis
>
> Richard Davis wrote:
>
> > If anyone can help, I would greatly appreciate it. I am trying to
> > convert a rinetd/ipchains setup to iptables only. Normal masquerading
> > (SNAT) works fine. I am trying to forward packets from the external
> > interface on the firewall, eth1 (209.xx.xx.xx) at port 21064 to port 80
> > inside (a box on the internal network with ip 10.1.1.103). The internal
> > ip of the firewall is 10.1.1.254 (eth0). Normal masquerading works
> > fine. It seems to me that the port forwarding is happening, and the
> > packets are picked up at the destination, but the reply never makes it
> > back. I am really stumped on this. I'm not sure what further debugging
> > steps to take or alternative to use in remedying the problem.
> >
> > The results below were produced from trying "telnet 209.xx.xx.xx 21064"
> > on 10.1.1.103. The results are more or less the same with the same
> > command being run on 209.xx.xx.xx.
> >
> > From 10.1.1.103's tcpdump
> >
> > 20:01:35.797163 eth0 > 10.1.1.103.1588 > 209.140.186.6.21064: S
> > 1818764537:1818764537(0) win 32120 <mss 1460,sackOK,timestamp 42307277
> > 0,nop,wscale 0> (DF)
> > 20:01:35.797298 eth0 < 10.1.1.103.1588 > 10.1.1.103.80: S
> > 1818764537:1818764537(0) win 32120 <mss 1460,sackOK,timestamp 42307277
> > 0,nop,wscale 0> (DF)
> >
> > From 209.140.186.6's tcpdump
> >
> > 11:20:20.727569 eth0 < 10.1.1.103.1588 > 10.1.1.103.www: S
> > 3655631249:3655631249(0) win 32120 <mss 1460,sackOK,timestamp 47777352
> > 0,nop,wscale 0> (DF)
> > 11:20:20.727633 eth0 > 10.1.1.103.1588 > 10.1.1.103.www: S
> > 3655631249:3655631249(0) win 32120 <mss 1460,sackOK,timestamp 47777352
> > 0,nop,wscale 0>
> > (DF)
> >
> > From kernel logging on 209.140.186.6
> >
> > Jan 30 20:48:21 initfirewall kernel: IN= OUT=eth0
> > SRC=10.1.1.103 DST=10.1.1.103 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23459
> > DF PROTO=TCP SPT=1588 DPT=80 WINDOW=32120 RES=0x00 SYN URGP=0
> > ...
> > ...
> > ...
> > Jan 31 11:07:02 initfirewall kernel: IN=eth0 OUT= MAC=...
> > SRC=10.1.1.103 DST=209.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=64
> > ID=34963 DF PROTO=TCP SPT=1017 DPT=22 WINDOW=32120 RES=0x00 SYN URGP=0
> >
> > Here are the interfaces on 209.xx.xx.xx
> >
> > eth0 Link encap:Ethernet HWaddr ...
> > inet addr:10.1.1.254 Bcast:10.1.1.255 Mask:255.255.255.0
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:51194 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:9522 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:100
> > Interrupt:5
> >
> > eth1 Link encap:Ethernet HWaddr ......
> > inet addr:209.xx.xx.xx Bcast:209.xx.xx.255
> > Mask:255.255.255.0
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:79402 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:11357 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:100
> > Interrupt:5 Base address:0x2000
> >
> > lo Link encap:Local Loopback
> > inet addr:127.0.0.1 Mask:255.0.0.0
> > UP LOOPBACK RUNNING MTU:3904 Metric:1
> > RX packets:101 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:101 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> >
> > Here are the interfaces on 10.1.1.103
> >
> > eth0 Link encap:Ethernet HWaddr ...
> > inet addr:10.1.1.103 Bcast:10.1.1.255 Mask:255.255.255.0
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:11957170 errors:0 dropped:0 overruns:1 frame:0
> > TX packets:219605 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:100
> > Interrupt:5 Base address:0xe800
> >
> > lo Link encap:Local Loopback
> > inet addr:127.0.0.1 Mask:255.0.0.0
> > UP LOOPBACK RUNNING MTU:3924 Metric:1
> > RX packets:135 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:135 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> >
> > vmnet1 Link encap:Ethernet HWaddr ...
> > inet addr:192.168.179.1 Bcast:192.168.179.255
> > Mask:255.255.255.0
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:1369 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:100
> >
> > Here are the iptables rules on 209.xx.xx.xx
> >
> > filter
> >
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > nat
> >
> > Chain PREROUTING (policy ACCEPT)
> > target prot opt source destination
> > DNAT tcp -- anywhere 209.xx.xx.xx tcp dpt:21064
> > to:10.1.1.103:80
> > LOG all -- anywhere anywhere LOG level
> > error
> > ACCEPT all -- anywhere 209.xx.xx.xx
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target prot opt source destination
> > MASQUERADE all -- anywhere anywhere
> > LOG all -- anywhere anywhere LOG level
> > error
> > ACCEPT all -- anywhere anywhere
> >
> > SNAT tcp -- 10.1.0.0/16 dvlppc5.professo.lantcp dpt:www
> > to:10.1.1.254
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> > DNAT tcp -- anywhere 209.xx.xx.xx tcp dpt:21064
> > to:10.1.1.103:80
> > LOG all -- anywhere anywhere LOG level
> > error
> >
> > I added the weird snat rule, because of something I read in the iptables
> > FAQ about situations in which an internal host is trying to get an
> > external port that is port-forwarded back inside. This snat rule did
> > not remedy the problem.
> >
> > Thanks,
> >
> > Richard Davis
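Added example (not code from the thread): a small Python model of nat-table chain traversal, showing why a rule that sits after a matching ACCEPT in POSTROUTING is never consulted, and what the hairpin case from the first message (an internal client connecting to the firewall's external address) needs from an SNAT rule. The addresses and ports are the ones in the post; the exact-field rule matching and the one-line routing decision are simplifications I assumed.

```python
# Added example (not from the thread): toy model of netfilter nat-table traversal.
# Only a connection's first packet is inspected, and the first matching terminating
# target (ACCEPT, DNAT, SNAT, MASQUERADE) fixes the mapping; LOG does not terminate.
from dataclasses import dataclass, replace

EXT, FW_INT, SERVER = "209.140.186.6", "10.1.1.254", "10.1.1.103"  # addresses from the post

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str = ""
    out_if: str = ""

def traverse(chain, pkt):
    """Walk one nat chain; return (packet after NAT, target that stopped traversal)."""
    for match, target, arg in chain:           # match: exact field equality (simplified)
        if any(getattr(pkt, k) != v for k, v in match.items()):
            continue
        if target == "LOG":
            continue                           # non-terminating, keep walking
        if target == "DNAT":
            host, port = arg.split(":")
            return replace(pkt, dst=host, dport=int(port)), target
        if target == "SNAT":
            return replace(pkt, src=arg), target
        if target == "MASQUERADE":
            return replace(pkt, src={"eth1": EXT, "eth0": FW_INT}[pkt.out_if]), target
        return pkt, target                     # ACCEPT: no NAT, stop here
    return pkt, "policy"
PREROUTING = [({"dst": EXT, "dport": 21064}, "DNAT", f"{SERVER}:80")]
# POSTROUTING in the order the listing shows, with the interface matches of the
# script: the ACCEPT for eth0 precedes the SNAT, so the SNAT is unreachable there.
POSTROUTING_AS_POSTED = [({"out_if": "eth1"}, "MASQUERADE", None),
                         ({}, "LOG", None),
                         ({"out_if": "eth0"}, "ACCEPT", None),
                         ({"out_if": "eth0", "dst": SERVER, "dport": 80}, "SNAT", FW_INT)]
# Same rules with the hairpin SNAT moved in front of the ACCEPT.
POSTROUTING_FIXED = [POSTROUTING_AS_POSTED[i] for i in (0, 1, 3, 2)]

def hairpin(postrouting):
    """Internal client SERVER connects to EXT:21064 via the firewall. Return the
    source the DNATed server sees and the target that ended POSTROUTING."""
    pkt = Packet(src=SERVER, dst=EXT, dport=21064, in_if="eth0")
    pkt, _ = traverse(PREROUTING, pkt)
    out_if = "eth0" if pkt.dst.startswith("10.1.1.") else "eth1"   # routing decision
    pkt, hit = traverse(postrouting, replace(pkt, out_if=out_if))
    return pkt.src, hit
```

With the posted order the server sees its own address as the source and answers itself directly, so the firewall never sees the reply to un-DNAT it; with the SNAT in front of the ACCEPT the reply goes to 10.1.1.254 and conntrack can reverse both translations.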