Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] iptables: port forwarding with nat.
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
spielc
Guru
Guru


Joined: 20 Apr 2004
Posts: 452

PostPosted: Wed Feb 01, 2012 12:43 pm    Post subject: [SOLVED] iptables: port forwarding with nat. Reply with quote

Hi,

After about a week of reading tutorials alot of trial-and-error tests i have to admit that i'm unable to get iptables port-forwarding in combination with nat to work correctly.

A bit of background:

The router I am talking about is a Sheevaplug with two physical nics. eth0 is connected to the vdsl-modem (using PPPoE and such ppp0) and eth1 is connected to the lan. To make things even more complicated i have two OpenVPN-instances running on the machine using two tap-devices. As both vpns need access to different machines on our private network i have bridged eth1 and the two tap-devices. So far so good, this setup works, we can connect to the internet from the lan, vpns work...

Now i need to forward incoming traffic on port 26080 on the router to port 8080 on one of the machines from the lan. According to the Gentoo Home Router Guide all i need to do is to add the following rule to the nat-table:

Code:

iptables -t nat -A PREROUTING -p tcp --dport 26080 -i ppp0 -j DNAT --to 192.168.2.30:8080


From what i've read this should be enough as i have a MASQUERADE-rule in the POSTROUTING chain of the nat-table.

Here's the output of iptables-save -c

Code:

# Generated by iptables-save v1.4.11.1 on Wed Feb  1 13:15:44 2012
*raw
:PREROUTING ACCEPT [336265:256864207]
:OUTPUT ACCEPT [9756:1101524]
[66:7223] -A PREROUTING -p icmp -j TRACE
[311:44789] -A OUTPUT -p icmp -j TRACE
COMMIT
# Completed on Wed Feb  1 13:15:44 2012
# Generated by iptables-save v1.4.11.1 on Wed Feb  1 13:15:44 2012
*nat
:PREROUTING ACCEPT [293:41329]
:INPUT ACCEPT [55:3449]
:OUTPUT ACCEPT [33:2065]
:POSTROUTING ACCEPT [43:3655]
[1225028:81113949] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Feb  1 13:15:44 2012
# Generated by iptables-save v1.4.11.1 on Wed Feb  1 13:15:44 2012
*mangle
:PREROUTING ACCEPT [105364366:73740951850]
:INPUT ACCEPT [3204495:404744888]
:FORWARD ACCEPT [101741178:73252162432]
:OUTPUT ACCEPT [3198766:931180232]
:POSTROUTING ACCEPT [104886136:74180895972]
[1012654:55992760] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Feb  1 13:15:44 2012
# Generated by iptables-save v1.4.11.1 on Wed Feb  1 13:15:44 2012
*filter
:INPUT ACCEPT [129955:19544920]
:FORWARD ACCEPT [9830:549706]
:OUTPUT ACCEPT [303631:101201804]
[34:2616] -A INPUT -i lo -j ACCEPT
[1592451:178750222] -A INPUT -i br0 -j ACCEPT
[0:0] -A INPUT -i ppp0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[37:2282] -A INPUT -i ppp0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[59333:3023391] -A INPUT ! -i br0 -p tcp -m tcp --dport 0:1023 -j DROP
[1046:83150] -A INPUT ! -i br0 -p udp -m udp --dport 0:1023 -j DROP
[394:31264] -A FORWARD -s 10.0.35.0/24 -d 192.168.0.0/16 -i br0 -j DROP
[892728:106171023] -A FORWARD -s 10.0.35.0/24 -i br0 -j ACCEPT
[1392730:2052405192] -A FORWARD -d 10.0.35.0/24 -i ppp0 -j ACCEPT
[56969732:63452220677] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
[40490039:6274773473] -A FORWARD -s 192.168.0.0/16 -i br0 -j ACCEPT
COMMIT
# Completed on Wed Feb  1 13:15:44 2012


if this looks familiar to you don't wonder i've based almost everything on the Gentoo Home Router Guide... ;) And don't worry about the firewall being quite unsafe at the moment, i first want to get this thing going before i start locking everything down...

So is there anybody who has a clue what i'm overseeing here?

Thanks in advance,

Christoph

P.S. Another question: What do i have to do to get rules-tracing to work? I think i have loaded the necessary modules but whatever i do i don't get ANY output in my syslog

Here's the output of lsmod:

Code:

Module                  Size  Used by
nfnetlink_log           6751  0
nfnetlink               2305  1 nfnetlink_log
xt_TRACE                 625  2
iptable_raw              841  1
ipt_LOG                 6204  0
xt_state                 889  0
af_packet              18276  2
pppoe                   8806  2
pppox                   1424  1 pppoe
ppp_generic            15293  6 pppoe,pppox
slhc                    4421  1 ppp_generic
bridge                 63602  0
stp                     1234  1 bridge
llc                     3051  2 bridge,stp
tun                    12659  4
ipt_MASQUERADE          1320  1
iptable_nat             3129  1
nf_nat                 12075  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4       9933  3 iptable_nat,nf_nat
nf_conntrack           45097  5 xt_state,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4           913  1 nf_conntrack_ipv4
xt_TCPMSS               2117  1
iptable_mangle           998  1
ipt_REJECT              1855  2
xt_tcpudp               1917  5
iptable_filter           914  1
ip_tables               9011  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
x_tables               11080  12 xt_TRACE,iptable_raw,ipt_LOG,xt_state,ipt_MASQUERADE,iptable_nat,xt_TCPMSS,iptable_mangle,ipt_REJECT,xt_tcpudp,iptable_filter,ip_tables
nfs                   293298  1
lockd                  50010  1 nfs
auth_rpcgss            32124  1 nfs
sunrpc                171655  12 nfs,lockd,auth_rpcgss
8021q                  13918  0
asix                   11986  0
usbnet                 12440  1 asix
mii                     3357  2 asix,usbnet
ehci_hcd               33411  0
usbcore               106630  4 asix,usbnet,ehci_hcd
marvell                 5259  0
mv643xx_eth            22080  0
rtc_mv                  2634  0
libphy                 13422  2 marvell,mv643xx_eth
mv_cesa                 8986  0
unix                   20834  40

_________________
Raise your beers up high...


Last edited by spielc on Mon Feb 06, 2012 7:03 pm; edited 2 times in total
Back to top
View user's profile Send private message
truc
Advocate
Advocate


Joined: 25 Jul 2005
Posts: 3199

PostPosted: Wed Feb 01, 2012 10:51 pm    Post subject: Reply with quote

Code:
*nat
:PREROUTING ACCEPT [293:41329]
:INPUT ACCEPT [55:3449]
:OUTPUT ACCEPT [33:2065]
:POSTROUTING ACCEPT [43:3655]
[1225028:81113949] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
Can't see you dnat rule in here?
_________________
The End of the Internet!
Back to top
View user's profile Send private message
spielc
Guru
Guru


Joined: 20 Apr 2004
Posts: 452

PostPosted: Thu Feb 02, 2012 7:26 am    Post subject: Reply with quote

Duh! I seem to have removed the rule once again before i asked here... So here you go:

Code:

# Generated by iptables-save v1.4.11.1 on Thu Feb  2 08:25:03 2012
*raw
:PREROUTING ACCEPT [899915:568045437]
:OUTPUT ACCEPT [33221:3174869]
[173:16239] -A PREROUTING -p icmp -j TRACE
[1663:230900] -A OUTPUT -p icmp -j TRACE
COMMIT
# Completed on Thu Feb  2 08:25:03 2012
# Generated by iptables-save v1.4.11.1 on Thu Feb  2 08:25:03 2012
*nat
:PREROUTING ACCEPT [1120:128776]
:INPUT ACCEPT [360:24101]
:OUTPUT ACCEPT [265:19998]
:POSTROUTING ACCEPT [283:25061]
[0:0] -A PREROUTING -i ppp0 -p tcp -m tcp --dport 26080 -j DNAT --to-destination 192.168.2.30:8080
[1239887:82191791] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Thu Feb  2 08:25:03 2012
# Generated by iptables-save v1.4.11.1 on Thu Feb  2 08:25:03 2012
*mangle
:PREROUTING ACCEPT [105928016:74052133080]
:INPUT ACCEPT [3238532:407867910]
:FORWARD ACCEPT [102287197:73559100154]
:OUTPUT ACCEPT [3222232:933253773]
:POSTROUTING ACCEPT [105455623:74489907901]
[1021154:56454820] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Feb  2 08:25:03 2012
# Generated by iptables-save v1.4.11.1 on Thu Feb  2 08:25:03 2012
*filter
:INPUT ACCEPT [159:21226]
:FORWARD ACCEPT [2:64]
:OUTPUT ACCEPT [534:64738]
[39:3028] -A INPUT -i lo -j ACCEPT
[1616173:180697032] -A INPUT -i br0 -j ACCEPT
[0:0] -A INPUT -i ppp0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[37:2282] -A INPUT -i ppp0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[59514:3032647] -A INPUT ! -i br0 -p tcp -m tcp --dport 0:1023 -j DROP
[1076:84571] -A INPUT ! -i br0 -p udp -m udp --dport 0:1023 -j DROP
[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 26080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[394:31264] -A FORWARD -s 10.0.35.0/24 -d 192.168.0.0/16 -i br0 -j DROP
[893450:106288218] -A FORWARD -s 10.0.35.0/24 -i br0 -j ACCEPT
[1392766:2052416410] -A FORWARD -d 10.0.35.0/24 -i ppp0 -j ACCEPT
[57250422:63720748268] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
[40753440:6313005739] -A FORWARD -s 192.168.0.0/16 -i br0 -j ACCEPT
COMMIT
# Completed on Thu Feb  2 08:25:03 2012

_________________
Raise your beers up high...
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 21489

PostPosted: Fri Feb 03, 2012 3:15 am    Post subject: Reply with quote

spielc wrote:
Code:
[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 26080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
In this context, you must specify the TCP port as seen post-NAT. Since your NAT rule changes from 26080 on the Internet side to 8080 internally, you should use --dport 8080 here.
Back to top
View user's profile Send private message
spielc
Guru
Guru


Joined: 20 Apr 2004
Posts: 452

PostPosted: Fri Feb 03, 2012 10:21 am    Post subject: Reply with quote

Hu wrote:
spielc wrote:
Code:
[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 26080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
In this context, you must specify the TCP port as seen post-NAT. Since your NAT rule changes from 26080 on the Internet side to 8080 internally, you should use --dport 8080 here.


Okey i changed the corresponding rule

Code:

[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


but i am still unable to get a connection so i must be something missing here.

I have another more general question:

Do i even need the rule from above? Because if you look at the output from iptables-save -c shouldn't this case be covered by this rule?

Code:

[57835076:64368677647] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT


I think it would be really helpful if i could get rule-tracing to work somehow
_________________
Raise your beers up high...
Back to top
View user's profile Send private message
spielc
Guru
Guru


Joined: 20 Apr 2004
Posts: 452

PostPosted: Fri Feb 03, 2012 10:44 pm    Post subject: Reply with quote

Damn it... Now i kinda feel stupid... I just tried to access the page from outside our local network via the public ip of the router and voíla now it works

Thanks for your help guys...

P.S. It would still be cool if one of the iptables-gurus could answer the questions from my earlier posts in this thread.
_________________
Raise your beers up high...
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 21489

PostPosted: Sat Feb 04, 2012 12:09 am    Post subject: Reply with quote

Since you ultimately allow any traffic from ppp0 to be forwarded, the rule I noted above is not required as-is. However, since your configuration is insecure at the moment, I assumed you would be locking it down eventually and that the rule I noted would become important at that point.
Back to top
View user's profile Send private message
spielc
Guru
Guru


Joined: 20 Apr 2004
Posts: 452

PostPosted: Mon Feb 06, 2012 7:03 pm    Post subject: Reply with quote

Hu wrote:
Since you ultimately allow any traffic from ppp0 to be forwarded, the rule I noted above is not required as-is. However, since your configuration is insecure at the moment, I assumed you would be locking it down eventually and that the rule I noted would become important at that point.


Thanks for the explanation!
_________________
Raise your beers up high...
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum