spielc (Guru; Joined: 20 Apr 2004; Posts: 452)
Posted: Wed Feb 01, 2012 12:43 pm    Post subject: [SOLVED] iptables: port forwarding with nat.
Hi,
After about a week of reading tutorials and a lot of trial-and-error tests I have to admit that I'm unable to get iptables port forwarding in combination with NAT to work correctly.
A bit of background:
The router I am talking about is a Sheevaplug with two physical NICs. eth0 is connected to the VDSL modem (using PPPoE, and as such ppp0) and eth1 is connected to the LAN. To make things even more complicated I have two OpenVPN instances running on the machine using two tap devices. As both VPNs need access to different machines on our private network I have bridged eth1 and the two tap devices. So far so good, this setup works, we can connect to the internet from the LAN, the VPNs work...
Now I need to forward incoming traffic on port 26080 on the router to port 8080 on one of the machines on the LAN. According to the Gentoo Home Router Guide all I need to do is add the following rule to the nat table:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 26080 -i ppp0 -j DNAT --to 192.168.2.30:8080
From what I've read this should be enough, as I have a MASQUERADE rule in the POSTROUTING chain of the nat table.
Here's the output of iptables-save -c:
Code:
# Generated by iptables-save v1.4.11.1 on Wed Feb 1 13:15:44 2012
*raw
:PREROUTING ACCEPT [336265:256864207]
:OUTPUT ACCEPT [9756:1101524]
[66:7223] -A PREROUTING -p icmp -j TRACE
[311:44789] -A OUTPUT -p icmp -j TRACE
COMMIT
# Completed on Wed Feb 1 13:15:44 2012
# Generated by iptables-save v1.4.11.1 on Wed Feb 1 13:15:44 2012
*nat
:PREROUTING ACCEPT [293:41329]
:INPUT ACCEPT [55:3449]
:OUTPUT ACCEPT [33:2065]
:POSTROUTING ACCEPT [43:3655]
[1225028:81113949] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Feb 1 13:15:44 2012
# Generated by iptables-save v1.4.11.1 on Wed Feb 1 13:15:44 2012
*mangle
:PREROUTING ACCEPT [105364366:73740951850]
:INPUT ACCEPT [3204495:404744888]
:FORWARD ACCEPT [101741178:73252162432]
:OUTPUT ACCEPT [3198766:931180232]
:POSTROUTING ACCEPT [104886136:74180895972]
[1012654:55992760] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Feb 1 13:15:44 2012
# Generated by iptables-save v1.4.11.1 on Wed Feb 1 13:15:44 2012
*filter
:INPUT ACCEPT [129955:19544920]
:FORWARD ACCEPT [9830:549706]
:OUTPUT ACCEPT [303631:101201804]
[34:2616] -A INPUT -i lo -j ACCEPT
[1592451:178750222] -A INPUT -i br0 -j ACCEPT
[0:0] -A INPUT -i ppp0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[37:2282] -A INPUT -i ppp0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[59333:3023391] -A INPUT ! -i br0 -p tcp -m tcp --dport 0:1023 -j DROP
[1046:83150] -A INPUT ! -i br0 -p udp -m udp --dport 0:1023 -j DROP
[394:31264] -A FORWARD -s 10.0.35.0/24 -d 192.168.0.0/16 -i br0 -j DROP
[892728:106171023] -A FORWARD -s 10.0.35.0/24 -i br0 -j ACCEPT
[1392730:2052405192] -A FORWARD -d 10.0.35.0/24 -i ppp0 -j ACCEPT
[56969732:63452220677] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
[40490039:6274773473] -A FORWARD -s 192.168.0.0/16 -i br0 -j ACCEPT
COMMIT
# Completed on Wed Feb 1 13:15:44 2012
If this looks familiar to you, don't wonder: I've based almost everything on the Gentoo Home Router Guide... And don't worry about the firewall being quite unsafe at the moment, I first want to get this thing going before I start locking everything down...
So is there anybody who has a clue what I'm overlooking here?
Thanks in advance,
Christoph
P.S. Another question: What do I have to do to get rule tracing to work? I think I have loaded the necessary modules, but whatever I do I don't get ANY output in my syslog.
Here's the output of lsmod:
Code:
Module Size Used by
nfnetlink_log 6751 0
nfnetlink 2305 1 nfnetlink_log
xt_TRACE 625 2
iptable_raw 841 1
ipt_LOG 6204 0
xt_state 889 0
af_packet 18276 2
pppoe 8806 2
pppox 1424 1 pppoe
ppp_generic 15293 6 pppoe,pppox
slhc 4421 1 ppp_generic
bridge 63602 0
stp 1234 1 bridge
llc 3051 2 bridge,stp
tun 12659 4
ipt_MASQUERADE 1320 1
iptable_nat 3129 1
nf_nat 12075 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 9933 3 iptable_nat,nf_nat
nf_conntrack 45097 5 xt_state,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4 913 1 nf_conntrack_ipv4
xt_TCPMSS 2117 1
iptable_mangle 998 1
ipt_REJECT 1855 2
xt_tcpudp 1917 5
iptable_filter 914 1
ip_tables 9011 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
x_tables 11080 12 xt_TRACE,iptable_raw,ipt_LOG,xt_state,ipt_MASQUERADE,iptable_nat,xt_TCPMSS,iptable_mangle,ipt_REJECT,xt_tcpudp,iptable_filter,ip_tables
nfs 293298 1
lockd 50010 1 nfs
auth_rpcgss 32124 1 nfs
sunrpc 171655 12 nfs,lockd,auth_rpcgss
8021q 13918 0
asix 11986 0
usbnet 12440 1 asix
mii 3357 2 asix,usbnet
ehci_hcd 33411 0
usbcore 106630 4 asix,usbnet,ehci_hcd
marvell 5259 0
mv643xx_eth 22080 0
rtc_mv 2634 0
libphy 13422 2 marvell,mv643xx_eth
mv_cesa 8986 0
unix 20834 40
_________________ Raise your beers up high...
Last edited by spielc on Mon Feb 06, 2012 7:03 pm; edited 2 times in total
truc (Advocate; Joined: 25 Jul 2005; Posts: 3199)
Posted: Wed Feb 01, 2012 10:51 pm
Code:
*nat
:PREROUTING ACCEPT [293:41329]
:INPUT ACCEPT [55:3449]
:OUTPUT ACCEPT [33:2065]
:POSTROUTING ACCEPT [43:3655]
[1225028:81113949] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
Can't see your DNAT rule in here?
spielc (Guru; Joined: 20 Apr 2004; Posts: 452)
Posted: Thu Feb 02, 2012 7:26 am
Duh! I seem to have removed the rule once again before I asked here... So here you go:
Code:
# Generated by iptables-save v1.4.11.1 on Thu Feb 2 08:25:03 2012
*raw
:PREROUTING ACCEPT [899915:568045437]
:OUTPUT ACCEPT [33221:3174869]
[173:16239] -A PREROUTING -p icmp -j TRACE
[1663:230900] -A OUTPUT -p icmp -j TRACE
COMMIT
# Completed on Thu Feb 2 08:25:03 2012
# Generated by iptables-save v1.4.11.1 on Thu Feb 2 08:25:03 2012
*nat
:PREROUTING ACCEPT [1120:128776]
:INPUT ACCEPT [360:24101]
:OUTPUT ACCEPT [265:19998]
:POSTROUTING ACCEPT [283:25061]
[0:0] -A PREROUTING -i ppp0 -p tcp -m tcp --dport 26080 -j DNAT --to-destination 192.168.2.30:8080
[1239887:82191791] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Thu Feb 2 08:25:03 2012
# Generated by iptables-save v1.4.11.1 on Thu Feb 2 08:25:03 2012
*mangle
:PREROUTING ACCEPT [105928016:74052133080]
:INPUT ACCEPT [3238532:407867910]
:FORWARD ACCEPT [102287197:73559100154]
:OUTPUT ACCEPT [3222232:933253773]
:POSTROUTING ACCEPT [105455623:74489907901]
[1021154:56454820] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Feb 2 08:25:03 2012
# Generated by iptables-save v1.4.11.1 on Thu Feb 2 08:25:03 2012
*filter
:INPUT ACCEPT [159:21226]
:FORWARD ACCEPT [2:64]
:OUTPUT ACCEPT [534:64738]
[39:3028] -A INPUT -i lo -j ACCEPT
[1616173:180697032] -A INPUT -i br0 -j ACCEPT
[0:0] -A INPUT -i ppp0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[37:2282] -A INPUT -i ppp0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[59514:3032647] -A INPUT ! -i br0 -p tcp -m tcp --dport 0:1023 -j DROP
[1076:84571] -A INPUT ! -i br0 -p udp -m udp --dport 0:1023 -j DROP
[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 26080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[394:31264] -A FORWARD -s 10.0.35.0/24 -d 192.168.0.0/16 -i br0 -j DROP
[893450:106288218] -A FORWARD -s 10.0.35.0/24 -i br0 -j ACCEPT
[1392766:2052416410] -A FORWARD -d 10.0.35.0/24 -i ppp0 -j ACCEPT
[57250422:63720748268] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
[40753440:6313005739] -A FORWARD -s 192.168.0.0/16 -i br0 -j ACCEPT
COMMIT
# Completed on Thu Feb 2 08:25:03 2012

Hu (Moderator; Joined: 06 Mar 2007; Posts: 21489)
Posted: Fri Feb 03, 2012 3:15 am
spielc wrote:
Code:
[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 26080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
In this context, you must specify the TCP port as seen post-NAT. Since your NAT rule changes from 26080 on the Internet side to 8080 internally, you should use --dport 8080 here.
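A worked version of the two rules under discussion, added here as an example (it is not code from the thread or from the Gentoo Home Router Guide). One helper prints the DNAT rule from the first post together with the FORWARD rule written against the post-NAT port, as Hu describes; a second reads an iptables-save -c dump and flags a FORWARD rule for the DNAT target that still carries the public port, which can never match because FORWARD is traversed after DNAT. The helper also emits a TRACE rule for the forwarded flow, because the raw table in the posted dump only traces -p icmp, which a TCP test never matches. ppp0, 192.168.2.30, 26080 and 8080 are the thread's values; the function names, the lint and the trace rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Gentoo guide.
#   port_forward_rules  prints (does not apply) the rules for a DNAT port forward,
#                       so it runs unprivileged; pipe its output to sh as root to apply.
#   lint_forward_rules  reads an iptables-save dump on stdin and flags FORWARD rules
#                       that match the public port on the DNAT target (exit 1 on a hit).
# ppp0, 192.168.2.30, 26080 and 8080 come from the thread; the function names,
# the lint and the trace rule are this example's assumptions.

# port_forward_rules <wan_if> <public_port> <lan_ip> <lan_port>
port_forward_rules() {
    wan_if=$1 public_port=$2 lan_ip=$3 lan_port=$4
    # nat/PREROUTING: rewrite the destination before the routing decision.
    # Bound to the WAN interface, so a test from inside the LAN never hits it.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$public_port" "$lan_ip" "$lan_port"
    # filter/FORWARD: the packet already carries the rewritten destination here,
    # so the match must use the internal port, not the public one.
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$wan_if" "$lan_ip" "$lan_port"
    # raw/PREROUTING: TRACE only the forwarded flow. The posted raw table traces
    # "-p icmp", which a TCP test never matches. TRACE messages are written through the
    # netfilter log backend (ipt_LOG in the posted lsmod) into the kernel log.
    printf 'iptables -t raw -A PREROUTING -i %s -p tcp --dport %s -j TRACE\n' \
        "$wan_if" "$public_port"
}

# lint_forward_rules <lan_ip> <public_port>   (iptables-save dump on stdin)
lint_forward_rules() {
    awk -v ip="$1" -v port="$2" '
        {
            s = ($1 ~ /^\[/) ? 1 : 0          # "iptables-save -c" prefixes [pkts:bytes]
            if ($(s+1) != "-A" || $(s+2) != "FORWARD") next
            dst = ""; dport = ""
            for (i = s+3; i < NF; i++) {
                if ($i == "-d") dst = $(i+1)
                if ($i == "--dport") dport = $(i+1)
            }
            sub(/\/32$/, "", dst)             # 192.168.2.30/32 -> 192.168.2.30
            if (dst == ip && dport == port) {
                print "FORWARD rule matches the public port and will never fire: " $0
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Sample input: the two FORWARD rules from the thread (first draft and corrected
# version) in "iptables-save -c" form.
DRAFT_RULE='[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 26080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'
FIXED_RULE='[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

# Returns 0 when the given dump passes the lint for the thread's forward.
dump_is_clean() { printf '%s\n' "$1" | lint_forward_rules 192.168.2.30 26080 >/dev/null; }

port_forward_rules ppp0 26080 192.168.2.30 8080
if dump_is_clean "$DRAFT_RULE"; then echo "draft rule: clean"; else echo "draft rule: flagged"; fi
if dump_is_clean "$FIXED_RULE"; then echo "fixed rule: clean"; else echo "fixed rule: flagged"; fi
```

Run as is to print the three rules and the two lint verdicts (the draft is flagged, the corrected rule is clean); to apply the rules, pipe the output of port_forward_rules to sh as root. Note that the PREROUTING rule is bound to -i ppp0, so a connection attempted from inside the LAN never reaches it; the forward can only be verified from the Internet side.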

spielc (Guru; Joined: 20 Apr 2004; Posts: 452)
Posted: Fri Feb 03, 2012 10:21 am
Hu wrote:
spielc wrote:
Code:
[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 26080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
In this context, you must specify the TCP port as seen post-NAT. Since your NAT rule changes from 26080 on the Internet side to 8080 internally, you should use --dport 8080 here.

Okay, I changed the corresponding rule
Code:
[0:0] -A FORWARD -d 192.168.2.30/32 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
but I am still unable to get a connection, so I must be missing something here.
I have another, more general question:
Do I even need the rule from above? Because if you look at the output from iptables-save -c, shouldn't this case be covered by this rule?
Code:
[57835076:64368677647] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
I think it would be really helpful if I could get rule tracing to work somehow.

spielc (Guru; Joined: 20 Apr 2004; Posts: 452)
Posted: Fri Feb 03, 2012 10:44 pm
Damn it... Now I kinda feel stupid... I just tried to access the page from outside our local network via the public IP of the router and voilà, now it works.
Thanks for your help guys...
P.S. It would still be cool if one of the iptables gurus could answer the questions from my earlier posts in this thread.

Hu (Moderator; Joined: 06 Mar 2007; Posts: 21489)
Posted: Sat Feb 04, 2012 12:09 am
Since you ultimately allow any traffic from ppp0 to be forwarded, the rule I noted above is not required as-is. However, since your configuration is insecure at the moment, I assumed you would be locking it down eventually and that the rule I noted would become important at that point.

spielc (Guru; Joined: 20 Apr 2004; Posts: 452)
Posted: Mon Feb 06, 2012 7:03 pm
Hu wrote:
Since you ultimately allow any traffic from ppp0 to be forwarded, the rule I noted above is not required as-is. However, since your configuration is insecure at the moment, I assumed you would be locking it down eventually and that the rule I noted would become important at that point.

Thanks for the explanation!