Gentoo Forums
IPTables Forwarding Problem
Seather
Apprentice

Joined: 23 May 2003
Posts: 194
Location: South Africa

PostPosted: Sun Jan 22, 2006 8:54 am    Post subject: IPTables Forwarding Problem

I am trying to forward incoming traffic on a machine to another machine on the inside of the network. I have this working on my router at home, but on my hosting server for some reason it doesn't work.

This is what is supposed to happen: HTTP requests on port 1800 to publicip on eth2 are supposed to be forwarded to the internal webserver 192.168.0.101 on port 80.

This is my firewall script:

Code:
#!/bin/bash

# Location of iptables
IPTABLES="/sbin/iptables"

# Flush tables and set policies
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -F INPUT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -F OUTPUT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -F FORWARD
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -F OUTPUT

# Enable IP forwarding
echo "Enabling Forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Allow established stuff in
$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all from local and to local
$IPTABLES -t filter -A INPUT -s 127.0.0.1 -j ACCEPT
$IPTABLES -t filter -A INPUT -d 127.0.0.1 -j ACCEPT

# Allow all from local lan and to local lan
$IPTABLES -t filter -A INPUT -s 192.168.0.34 -j ACCEPT
$IPTABLES -t filter -A INPUT -d 192.168.0.34 -j ACCEPT

# Allow all icmp inputs
$IPTABLES -t filter -A INPUT -p icmp -j ACCEPT

# Allow services
$IPTABLES -t filter -A INPUT -p tcp -m multiport --dports 143,220,993,110,995,6667,22,53,80,443,25,199,21,1800 -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp -m multiport --dports 143,993,22,53,80,443,1194,1800 -j ACCEPT

# Forwarding
$IPTABLES -t nat -A PREROUTING -i eth2 -p tcp --dport 1800 -j DNAT --to 192.168.0.101:80
# DNAT runs in PREROUTING, so by the time the packet reaches FORWARD its
# destination port is already 80, not 1800 (harmless here only because the
# FORWARD policy above is ACCEPT)
$IPTABLES -I FORWARD -i eth2 -d 192.168.0.101 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


Yet for some reason it doesn't work. Can anyone help me with this, and how do I debug it?

If I change the line:
Code:
$IPTABLES -t nat -A PREROUTING -i eth2 -p tcp --dport 1800 -j DNAT --to 192.168.0.101:80


To:
Code:
$IPTABLES -t nat -A PREROUTING -i eth2 -p tcp --dport 1800 -j LOG


It does show up in syslog as:
Code:
Jan 22 10:49:47 server kernel: IN=eth2 OUT= MAC=00:02:b3:02:d3:b2:00:12:80:7a:8f:fb:08:00 SRC=165.146.3.253 DST=publicip LEN=60 TOS=0x10 PREC=0x20 TTL=54 ID=25835 DF PROTO=TCP SPT=57133 DPT=1800 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 10:49:47 server kernel: IN=eth2 OUT= MAC=00:02:b3:02:d3:b2:00:12:80:7a:8f:fb:08:00 SRC=165.146.3.253 DST=publicip LEN=60 TOS=0x10 PREC=0x20 TTL=54 ID=25835 DF PROTO=TCP SPT=57133 DPT=1800 WINDOW=5840 RES=0x00 SYN URGP=0


When trying to run nmap, I got this:
Code:
seather@lucy ~ $ nmap -sT -p 1800 publicip

Starting nmap 3.83.DC13 ( http://www.insecure.org/nmap/ ) at 2006-01-22 10:53 SAST
Interesting ports on tyrmida.com (publicip):
PORT     STATE    SERVICE
1800/tcp filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 10.334 seconds


Anyone that can help, if even just a little bit?

Thanks
Seather

PostPosted: Sun Jan 22, 2006 9:05 am

I have maybe got a little bit further with the diagnosis.

This does work:
Code:
# Forwarding
$IPTABLES -t nat -A PREROUTING -i eth2 -p tcp --dport 1800 -j DNAT --to publicip:80
$IPTABLES -I FORWARD -i eth2 -d publicip -p tcp --dport 1800 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


However, that of course reaches the webserver running on the machine that is supposed to do the forwarding. Interestingly enough, when I change publicip to 127.0.0.1 (wget http://127.0.0.1 works on the machine), it stops working.
Seather

PostPosted: Sun Jan 22, 2006 9:33 am

I've tried debugging with tcpdump; this is what I did:

On the forwarding machine:
Code:
tcpdump -i eth0 > output.eth0
tcpdump -i eth2 > output.eth2


Then on my machine at home:
Code:
seather@lucy ~ $ telnet 196.38.18.69 1800
Trying 196.38.18.69...
^]

seather@lucy ~ $


Then, after killing tcpdump on the forwarding machine, running this:
Code:
cat output.eth* | sort > output
(cat output | grep 192.168.0 && cat output) | grep dsl | sort | grep -v netbios | grep -v ssh | grep -v 1194


The result was:
Code:
11:24:50.007860 IP dsl-146-3-253.telkomadsl.co.za.50274 > [IPADDRESS' DOMAIN NAME].1800: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK,timestamp 80440809[|tcp]>
11:24:50.007934 IP dsl-146-3-253.telkomadsl.co.za.50274 > 192.168.0.101.http: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK,timestamp 80440809[|tcp]>
11:24:50.007934 IP dsl-146-3-253.telkomadsl.co.za.50274 > 192.168.0.101.http: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK,timestamp 80440809[|tcp]>
11:24:53.003596 IP dsl-146-3-253.telkomadsl.co.za.50274 > 192.168.0.101.http: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK,timestamp 80441559[|tcp]>
11:24:53.003596 IP dsl-146-3-253.telkomadsl.co.za.50274 > 192.168.0.101.http: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK,timestamp 80441559[|tcp]>
11:24:59.003842 IP dsl-146-3-253.telkomadsl.co.za.50274 > 192.168.0.101.http: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK,timestamp 80443059[|tcp]>
11:24:59.003842 IP dsl-146-3-253.telkomadsl.co.za.50274 > 192.168.0.101.http: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK,timestamp 80443059[|tcp]>

Keep in mind that dsl-146-3-253.telkomadsl.co.za is me (for the moment anyway). That is all I got. Now, I'm not the brightest when it comes to reading tcpdump output, but it looks as if the forwarding works but it doesn't come back or something?

I don't know!

(And I have no idea how I managed to break the forums' BBCode either!)
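The capture above is easier to read if it is grouped per flow rather than per packet. The following is an added example, not code from the thread: it parses old-style tcpdump TCP lines, drops the exact duplicates that the `grep ... && cat` pipeline produces, and reports every client whose SYNs never drew a SYN-ACK. A client that shows up with two different servers on the same source port is the DNAT rewrite seen on both interfaces. The sample capture is constructed (hostnames and the second flow are made up) and modelled on the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample (not the original capture): one DNATed flow that is
# retried and never answered, plus one made-up flow that does get a SYN-ACK.
SAMPLE_CAPTURE = """\
11:24:50.007860 IP dsl-146-3-253.example.50274 > fw.example.1800: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK>
11:24:50.007934 IP dsl-146-3-253.example.50274 > 192.168.0.101.http: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK>
11:24:50.007934 IP dsl-146-3-253.example.50274 > 192.168.0.101.http: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK>
11:24:53.003596 IP dsl-146-3-253.example.50274 > 192.168.0.101.http: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK>
11:24:59.003842 IP dsl-146-3-253.example.50274 > 192.168.0.101.http: S 1226437319:1226437319(0) win 5840 <mss 1412,sackOK>
11:25:10.000000 IP dsl-146-3-253.example.50301 > 192.168.0.101.ssh: S 10:10(0) win 5840
11:25:10.000100 IP 192.168.0.101.ssh > dsl-146-3-253.example.50301: S 20:20(0) ack 11 win 5792
"""

# Old-style tcpdump TCP line: "<time> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFRP.]+) (?P<rest>.*)$"
)


def parse_tcp_lines(text):
    """Yield one dict per distinct TCP line; non-TCP and duplicate lines are skipped."""
    seen = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and line not in seen:
            seen.add(line)
            yield m.groupdict()


def find_unanswered_syns(capture_text):
    """Map 'client.port' -> {'servers': [...], 'syns': n} for clients that
    sent SYNs but never received a SYN-ACK in the capture."""
    syns = defaultdict(lambda: {"servers": [], "syns": 0})
    answered = set()
    for rec in parse_tcp_lines(capture_text):
        if "S" not in rec["flags"]:
            continue  # only the handshake matters for this check
        if " ack " in f" {rec['rest']} ":
            # SYN-ACK: the client is the destination of this packet
            answered.add((rec["dst"], rec["dport"]))
            continue
        entry = syns[(rec["src"], rec["sport"])]
        entry["syns"] += 1
        server = f"{rec['dst']}.{rec['dport']}"
        if server not in entry["servers"]:
            entry["servers"].append(server)
    return {f"{c[0]}.{c[1]}": v for c, v in syns.items() if c not in answered}


if __name__ == "__main__":
    for client, info in find_unanswered_syns(SAMPLE_CAPTURE).items():
        print(f"{client}: {info['syns']} SYN(s), no SYN-ACK, sent to {info['servers']}")
```

Run against the real `output` file, a result like the constructed one (the SYN reaching 192.168.0.101 but nothing coming back on eth0) points at the return path from the internal host rather than at the DNAT rule itself.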