sbrenneis n00b
Joined: 08 Dec 2006 Posts: 9
Posted: Fri Jun 19, 2009 2:49 am Post subject: Problem with port forwarding
I have a Gentoo server that I am using for a firewall/DMZ. It has two NICs. On my LAN, I have a Fedora system that is running JBoss on port 8080. I want to forward port 8080 traffic to the internal server.
I have set up the following iptables rules on the Gentoo server:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.0.101:8080
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 3690 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 10080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 10081 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
I have verified that nothing is running on port 8080 on the firewall/DMZ server, and I have verified that JBoss is listening on port 8080 on the internal server. When I give the URL for the JBoss console to my browser, it times out. I have had other people attempt to get to the URL as well.
Any ideas? I have no idea how to troubleshoot an iptables issue, as there are no logs that I know of.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23100
Posted: Fri Jun 19, 2009 3:15 am Post subject:
Have you turned on IP forwarding? What is the output of iptables-save -c? Have you conducted your tests from outside? Your PREROUTING rule will only cover traffic coming from the Internet, so if you test this from inside the LAN, it will not work.
You can use the LOG target to record when traffic matches a rule. Additionally, each rule maintains counters of how many packets and bytes have matched it. You could also use tcpdump to monitor the interface to confirm that the request arrives from the Internet.
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
Posted: Fri Jun 19, 2009 6:40 am Post subject:
Instead of an input rule, you need a forward rule like this:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 192.168.0.101:8080
iptables -A FORWARD -p tcp --dport 8080 -d 192.168.0.101 -m state --state NEW,ESTABLISHED -j ACCEPT
In some cases, you may need RELATED as a state as well.
bb
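Hu's advice (read the per-rule counters from iptables-save -c, test from outside) and bbgermany's FORWARD rule, turned into a small check. This is an added example, not code from the thread: it parses iptables-save -c output and reports whether the DNAT rule is actually seeing traffic and whether the FORWARD chain would let the rewritten packets through. The sample output is constructed, not captured from the poster's machine.

```python
import re

# Constructed `iptables-save -c` output (not from the poster's machine): the
# PREROUTING DNAT rule has matched 15 packets, but FORWARD has a DROP policy
# and no ACCEPT for the internal server, so the forwarded packets die there.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [120:7200]
[15:900] -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.101:8080
[4:240] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [15:900]
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""
POLICY = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")  # :CHAIN POLICY [pkts:bytes]
RULE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")    # [pkts:bytes] -A CHAIN spec

def parse(text):
    """Return ({(table, chain): policy}, [(table, chain, packets, spec), ...])."""
    table, policies, rules = None, {}, []
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif m := POLICY.match(line):
            policies[(table, m[1])] = m[2]
        elif m := RULE.match(line):
            rules.append((table, m[3], int(m[1]), m[4]))
    return policies, rules

def diagnose(text, dest):
    """List reasons a DNAT to dest ('ip:port') cannot work; [] means none found."""
    policies, rules = parse(text)
    findings = []
    # nat is consulted only for a connection's first packet, so this counter
    # really counts forwarded connections, not packets.
    dnat = [r for r in rules if r[:2] == ("nat", "PREROUTING")
            and "-j DNAT" in r[3] and "--to-destination " + dest in r[3]]
    if not dnat:
        findings.append(f"no PREROUTING DNAT rule for {dest}")
    elif sum(r[2] for r in dnat) == 0:
        findings.append("DNAT rule never matched: test from outside, not from the LAN")
    host = dest.split(":")[0]
    accept = re.compile(r"-d " + re.escape(host) + r"(/32)? .*-j ACCEPT$")
    fwd_ok = any(r[:2] == ("filter", "FORWARD") and accept.search(r[3]) for r in rules)
    if not fwd_ok and policies.get(("filter", "FORWARD")) != "ACCEPT":
        findings.append(f"FORWARD neither accepts traffic to {host} nor has an ACCEPT policy")
    return findings
```

Feed it real output with `iptables-save -c` and call `diagnose(text, "192.168.0.101:8080")`; a DNAT counter that stays at zero while you test from inside the LAN is exactly the symptom Hu describes.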
xtz Apprentice
Joined: 29 Oct 2007 Posts: 181 Location: Singapore
Posted: Fri Jun 19, 2009 6:49 am Post subject:
MASQUERADE is obsolete, a simple DNAT rule should do the work, since SNAT/DNAT work in both ways. Also, as bbgermany mentioned, it's the FORWARD table you need to modify - not the INPUT one.
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
Posted: Fri Jun 19, 2009 8:44 am Post subject:
The input table is for traffic destined for the firewall machine itself; the forward table is for everything else.
_________________
patrix_neo wrote: | The human thought: I cannot win.
The ratbrain in me: I can only go forward and that's it. |
sbrenneis n00b
Joined: 08 Dec 2006 Posts: 9
Posted: Fri Jun 19, 2009 1:32 pm Post subject:
Thanks to all. The FORWARD table entry fixed it. I appreciate the help.
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
Posted: Fri Jun 19, 2009 5:40 pm Post subject:
Spend some time with the resources at those links. They are very informative.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23100
Posted: Sat Jun 20, 2009 2:00 am Post subject:
xtz wrote: | MASQUERADE is obsolete |
Not entirely. MASQUERADE has the useful property that it will automatically determine the IP address to place on the outbound packet, which can be useful if the interface is dynamically configured and could have its address changed outside your control.
xtz Apprentice
Joined: 29 Oct 2007 Posts: 181 Location: Singapore
Posted: Mon Jun 22, 2009 12:02 pm Post subject:
Well, it could be done with SNAT/DNAT also (and some scripting)... but if the address changes on the fly, it surely will miss some packets, even if the scripts are run immediately. I guess MASQUERADE is better, if that is the situation. Thanks :)