Author: Jacobs (Apprentice) | Joined: 29 Apr 2003 | Posts: 174 | Location: Czech republic
Posted: Thu Nov 20, 2003 12:08 pm | Post subject: iptables problem

Hi, I have the following problem - I have a linux box set up as a router and NAT for a small network.

internet -- <ext_IP> my_box <int_IP> -- intranet

In the intranet there is a mail server. I'm forwarding ports 25 and 110 from both intranet and internet. Now what I need is to set up the port forwarding so that if clients from the intranet use <ext_IP>:25, the box will forward it to the mail server.
(I cannot use the internal IP because of DNS - I want the laptop users to be able to set up their mail clients so that they can use the DNS name of my box from both intranet and internet.)
Now this is what I've tried:

```bash
# DNAT intranet clients that connect to the external IP on port 25 to the mail server
$IPTABLES -t nat -A PREROUTING -i $int_dev -p tcp \
    -d $ext_ip \
    --dport 25 -j DNAT --to $mailserver:25
```

($int_dev is the eth device on the intranet side)
This thing however does not work. Why is that??? This rule obviously matches the packets that I want it to match (I tried telnet and logging), so the trick must be in the forwarding...
Just btw, forwarding via the int_IP works smoothly.
Thanks for any help
Author: gravis (Apprentice) | Joined: 18 Apr 2002 | Posts: 176 | Location: Compiègne, France
Posted: Thu Nov 20, 2003 2:17 pm

Try shorewall, it will help with this kind of stuff
Author: eNut (n00b) | Joined: 13 Jun 2003 | Posts: 36
Posted: Thu Nov 20, 2003 3:17 pm

You should add a rule to your FORWARD chain:

```bash
$IPTABLES -A FORWARD -i $int_dev -d $ext_ip -p tcp --dport 25 -j ACCEPT
```

That should do it.
Author: Jacobs (Apprentice) | Joined: 29 Apr 2003 | Posts: 174 | Location: Czech republic
Posted: Thu Nov 20, 2003 10:23 pm

eNut: I don't have the opportunity to try that right now, but I don't get it anyway.
I thought that my PREROUTING rule changes the destination of the packet from $ext_ip to $mailserver, so why is the destination in this rule $ext_ip??
I always thought that the changes I make in PREROUTING are committed before entering the FORWARD chain - right?
(btw I have a rule in my FW saying the same as the one you suggested, just the destination is $mailserver)
Author: eNut (n00b) | Joined: 13 Jun 2003 | Posts: 36
Posted: Fri Nov 21, 2003 6:59 pm

Ah. You're right. I mistyped that line. Here are the two entries in my firewall for forwarding an arbitrary port X:

```bash
# Allow forwarding of new and existing port X connections
#
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport X -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Enable PORTFW of this port X traffic
#
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport X \
    -j DNAT --to $PORTFWIP:X
```

In your case I would probably modify the lines to read

```bash
# Allow forwarding of new and existing port X connections on all interfaces
#
$IPTABLES -A FORWARD -p tcp --dport X -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Enable PORTFW of this port X traffic (no -d: match it on any interface)
#
$IPTABLES -A PREROUTING -t nat -p tcp --dport X \
    -j DNAT --to $PORTFWIP:X
```

That should get all packets with a port 25 destination from the internal and external interfaces.
Sorry for the confusion
Author: Jacobs (Apprentice) | Joined: 29 Apr 2003 | Posts: 174 | Location: Czech republic
Posted: Mon Nov 24, 2003 11:51 am

Well that's exactly what I have on my firewall...
I think the problem is that I want to forward packets that are actually targeted at the ext_ip, but they are coming in over int_device (but the rules take this into account).
Let's say that someone in the int_net sends a packet to ext_ip:80 and I want my fwall to forward it to $mailserver:80 - I make the rules _exactly_ the same way as eNut's, but the packets just don't get forwarded.
Or maybe they are forwarded just one way (int_net->mailserver) and the replies get lost on the fwall... Really strange - I'm gonna send you my rules tomorrow...
Author: ozonator (Guru) | Joined: 11 Jun 2003 | Posts: 591 | Location: Ontario, Canada
Posted: Mon Nov 24, 2003 5:47 pm

I struggled with this a bit recently, forwarding ssh connections on an arbitrary external port to an internal box, but did get it to work without too much trouble. Here's a suggestion for your situation:

```bash
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $MAILSERVER:80
$IPTABLES -A FORWARD -p tcp --dport 80 -d $MAILSERVER -j ACCEPT
```

Now, you're likely thinking this is pretty much the same as what you have, and it is almost (but not completely) identical. The difference is that I use --to-destination, not --to as an argument to DNAT in the PREROUTING rule. The man page for iptables only mentions --to-ports, --to-source, and --to-destination arguments, and nowhere does it mention '--to'. DNAT, in particular, takes only --to-destination. That might be the source of the problem you're having, though eNut's experience seems to suggest otherwise.
In any case, these rules work for me (at least with port numbers modified for forwarding some external port to an internal port 22). Whether you need the second line depends on the default policy of your FORWARD chain; mine is DENY, hence the need for the explicit acceptance of those forwarded packets. Also, if you prefer, you can add stateful bits to the FORWARD line (as in other rules people suggested already in this thread).
Author: xpunkrockryanx (Tux's lil' helper) | Joined: 22 Sep 2002 | Posts: 87 | Location: College Place, WA, USA
Posted: Tue Nov 25, 2003 1:37 am

ozonator wrote:
> Now, you're likely thinking this is pretty much the same as what you have, and it is almost (but not completely) identical. The difference is that I use --to-destination, not --to as an argument to DNAT in the PREROUTING rule. The man page for iptables only mentions --to-ports, --to-source, and --to-destination arguments, and nowhere does it mention '--to'. DNAT, in particular, takes only --to-destination.

from what i understand, you can truncate the double-dashed arguments as long as they remain unique and iptables will understand what you mean, so --to should be the same as --to-destination in practice (somebody correct me if i'm wrong here).
also, i think ozonator missed the original poster's (Jacobs') point. Jacobs has the port forwarding working correctly, but he wants to be able to establish connections from other machines on the inside of the firewall to the server machine using the firewall's external ip address.
i was recently working on this problem also, and i found a solution that has worked, although i'm not absolutely positive that it's the proper way to do it. however, as far as i can tell, it's accurate, but if anybody out there with more knowledge than myself would care to affirm this i'd appreciate it.
basically, it looks like you (Jacobs) have half of it right so far.
first, you set the actual DNAT entry to create the port forward for anybody connecting from the outside:

```bash
# outside -> server: DNAT connections arriving on the external interface
iptables -t nat -A PREROUTING -p tcp -i $ext_dev \
    --dport $ext_port -j DNAT --to $server_ip:$int_port
```

next, you add the DNAT entry to forward traffic that originated on the internal network back in to the internal network:

```bash
# inside -> server via the firewall's external IP: the same DNAT on the internal interface
iptables -t nat -A PREROUTING -p tcp -i $int_dev \
    -d $firewall_ext_ip --dport $ext_port -j DNAT --to $server_ip:$int_port
```

that's the part you got. i was stuck there also trying to figure out why it wouldn't work. well i was reading through the Linux 2.4 NAT HOWTO and found this page. it seems that what i (we) were missing is that once packets reach the server, they still have the destination address of the host on the internal network, so they send them directly to that host (not through the firewall). the host sees the response packets coming from an internal address, but since it had initiated the connection to the external ip, that's where it's expecting the packets to come from, so it drops the responses that come from the internal address. what you have to do to correct this is to add an SNAT entry to change the source address to be that of the firewall's internal interface. then, the server will send all packets back to the firewall, and they'll get returned correctly to the originating host:

```bash
# LAN -> server hairpin traffic: SNAT so the server's replies come back through the firewall
iptables -t nat -A POSTROUTING -d $server_ip \
    -s $network_address/$network_bits -p tcp --dport $int_port \
    -j SNAT --to $firewall_int_ip
```

in my example, i had different external and internal ports, but for yours, you'd use 25 for both. also, $network_address would be something like 192.168.1.0 or 10.1.1.0, and $network_bits would be 24 for a 255.255.255.0 subnet in case you didn't already know what those were. hope that helps!
-ryan
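A small model of the reply path Ryan describes, added here as an illustration (it is not code from the thread or from netfilter): a client connects to EXT_IP:25, the firewall applies the DNAT-on-any-interface rule from eNut's post and, optionally, Ryan's POSTROUTING SNAT, and connect_to_ext_ip() reports whether the client accepts the server's SYN/ACK. All addresses, interface names and port numbers are constructed sample values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int

# Constructed sample addresses: firewall external/internal IPs, the mail server and a LAN client.
EXT_IP, INT_IP, SERVER, LAN_CLIENT = "203.0.113.10", "10.0.0.1", "10.0.0.25", "10.0.0.77"
LAN_PREFIX = "10.0.0."

class Firewall:
    """nat table of the thread: PREROUTING DNAT for dport 25 on any interface, plus
    (optionally) the POSTROUTING SNAT Ryan adds for LAN-originated hairpin connections."""
    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # key of the expected reply -> packet as the client originally sent it

    def forward(self, pkt: Pkt, in_dev: str) -> Pkt:
        original = pkt
        if pkt.dst == EXT_IP and pkt.dport == 25:        # PREROUTING -j DNAT --to SERVER:25
            pkt = replace(pkt, dst=SERVER)
        if self.hairpin_snat and in_dev == "int" and pkt.dst == SERVER:
            pkt = replace(pkt, src=INT_IP)               # POSTROUTING -j SNAT --to INT_IP
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = original
        return pkt

    def reply(self, pkt: Pkt) -> Pkt:
        """Undo both translations for a reply that passes back through the firewall."""
        o = self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)]
        return Pkt(src=o.dst, dst=o.src, sport=o.dport, dport=o.sport)

def connect_to_ext_ip(client: str, in_dev: str, hairpin_snat: bool) -> bool:
    """Open client -> EXT_IP:25 and return True if the client accepts the server's SYN/ACK."""
    fw = Firewall(hairpin_snat)
    syn = Pkt(src=client, dst=EXT_IP, sport=40000, dport=25)
    seen = fw.forward(syn, in_dev)                       # what the mail server receives
    synack = Pkt(src=SERVER, dst=seen.src, sport=25, dport=seen.sport)
    # The server routes by destination: the firewall's own IP and anything off the LAN go
    # through the firewall (and get un-NATed); a LAN address is reached directly, bypassing it.
    if synack.dst == INT_IP or not synack.dst.startswith(LAN_PREFIX):
        synack = fw.reply(synack)
    # The client only accepts a reply from the tuple it connected to: EXT_IP:25 -> client:40000.
    return (synack.src, synack.sport, synack.dst, synack.dport) == (EXT_IP, 25, client, 40000)
```

The hairpin_snat=True path is the masquerading Jacobs later reports as working; the cost he mentions (the mail server sees INT_IP instead of the client's address) is exactly what forward() returns for a LAN client.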
Author: ozonator (Guru) | Joined: 11 Jun 2003 | Posts: 591 | Location: Ontario, Canada
Posted: Tue Nov 25, 2003 4:50 am

Ryan, you're right, I did miss that aspect of the original question, which is a situation that I haven't needed to handle here before (Jacobs, sorry about that). Now that I got that bit, the solution you're suggesting makes sense, and seems like a reasonable one; I look forward to hearing whether it works. Thanks, too, for the explanation of the 'double-dashed' arguments to iptables -- I notice that shorthand being used in the netfilter doc you linked, so it must be okay. I've learned a couple of things here, besides getting a reminder to re-read the initial question before posting.
Author: To (Veteran) | Joined: 12 Apr 2003 | Posts: 1145 | Location: Coimbra, Portugal
Posted: Tue Nov 25, 2003 9:53 am

gravis wrote:
> Try shorewall, it will help with this kind of stuff

While you play a bit with iptables you can start by using shorewall; it has easy configuration and it's a decent piece of software.
Tó
Author: Jacobs (Apprentice) | Joined: 29 Apr 2003 | Posts: 174 | Location: Czech republic
Posted: Tue Nov 25, 2003 12:17 pm

Ryan: Thanks a lot - your explanation totally makes sense. I found by myself that if I masquerade the packets on their way out, it works, but I didn't have a clue why the hell that is.
On the other hand I'm a little bit sad about it, because I'd like to see people's original IP addresses when they're communicating with my mailserver.
Well, I guess there's no better way to do this.
Thanks again Ryan.
To: Well, shorewall is just a kind of frontend for iptables and I don't see a good reason for me to use it (if I'm not an iptables beginner) - or is there some?